chore: Clear minimatch ReDoS advisories from audit ignore list (#12177)

* chore: Resolve minimatch ReDoS advisories via dep bumps and resolutions

Bump glob (8→11), rimraf (2→6), babel-jest, jest-environment-jsdom (29→30),
and lint-staged (13→16) to drop several vulnerable transitive chains. Pin
remaining minimatch and brace-expansion descriptors via resolutions so all
in-tree copies are on their latest patched release. Removes 9 ignored
advisory IDs from .yarnrc.yml.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* fix: Make routeHelpers.urlify origin testable for jsdom 26

jsdom 26 (jest-environment-jsdom@30) makes window.location and
location.origin non-configurable, breaking the previous test that
redefined them via Object.defineProperty.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

* chore: Align jest-cli to ^30.3.0 with other jest packages

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

.yarnrc.yml

@@ -12,15 +12,6 @@ npmPreapprovedPackages:
 npmAuditIgnoreAdvisories:
   - "1113517" # GHSA-mw96-cpmx-2vgc rollup <2.80.0 path traversal (workbox-build, build-time)
   - "1113686" # GHSA-5c6j-r48x-rmvq serialize-javascript RCE (@rollup/plugin-terser, build-time)
-  - "1113459" # GHSA-3ppc-4f35-3m26 minimatch ReDoS (glob/editorconfig, build/test tooling)
-  - "1113461" # GHSA-3ppc-4f35-3m26 minimatch ReDoS (glob/editorconfig, build/test tooling)
-  - "1113465" # GHSA-3ppc-4f35-3m26 minimatch ReDoS (glob/editorconfig, build/test tooling)
-  - "1113538" # GHSA-7r86-cg39-jmmj minimatch ReDoS (glob/editorconfig, build/test tooling)
-  - "1113540" # GHSA-7r86-cg39-jmmj minimatch ReDoS (glob/editorconfig, build/test tooling)
-  - "1113544" # GHSA-7r86-cg39-jmmj minimatch ReDoS (glob/editorconfig, build/test tooling)
-  - "1113546" # GHSA-23c5-xmqv-rm74 minimatch ReDoS (glob/editorconfig, build/test tooling)
-  - "1113548" # GHSA-23c5-xmqv-rm74 minimatch ReDoS (glob/editorconfig, build/test tooling)
-  - "1113552" # GHSA-23c5-xmqv-rm74 minimatch ReDoS (glob/editorconfig, build/test tooling)
   - "1115552" # GHSA-c2c7-rcm5-vvqj picomatch ReDoS (babel-plugin-styled-components, dotenvx CLI)
   - "1115554" # GHSA-c2c7-rcm5-vvqj picomatch ReDoS (babel-plugin-styled-components, dotenvx CLI)
   - "1115805" # GHSA-r5fr-rjxr-66jc lodash-es _.template injection (mermaid; not exposed to user-controlled template keys)

app/utils/routeHelpers.test.ts

@@ -1,7 +1,7 @@
 import { sharedModelPath, desktopify } from "./routeHelpers";
 
 describe("#sharedDocumentPath", () => {
-  test("should return share path for a document", () => {
+  it("should return share path for a document", () => {
     const shareId = "1c922644-40d8-41fe-98f9-df2b67239d45";
     const docPath = "/doc/test-DjDlkBi77t";
     expect(sharedModelPath(shareId)).toBe(
@@ -14,22 +14,14 @@ describe("#sharedDocumentPath", () => {
 });
 
 describe("#desktopify", () => {
-  test("should replace https protocol with outline://", () => {
-    Object.defineProperty(window, "location", {
-      value: { origin: "https://app.getoutline.com" },
-      writable: true,
-    });
-    expect(desktopify("/doc/test-DjDlkBi77t")).toBe(
-      "outline://app.getoutline.com/doc/test-DjDlkBi77t"
-    );
+  it("should replace https protocol with outline://", () => {
+    expect(
+      desktopify("/doc/test-DjDlkBi77t", "https://app.getoutline.com")
+    ).toBe("outline://app.getoutline.com/doc/test-DjDlkBi77t");
   });
 
-  test("should replace http protocol with outline://", () => {
-    Object.defineProperty(window, "location", {
-      value: { origin: "http://localhost:3000" },
-      writable: true,
-    });
-    expect(desktopify("/doc/test-DjDlkBi77t")).toBe(
+  it("should replace http protocol with outline://", () => {
+    expect(desktopify("/doc/test-DjDlkBi77t", "http://localhost:3000")).toBe(
       "outline://localhost:3000/doc/test-DjDlkBi77t"
     );
   });

app/utils/routeHelpers.ts

@@ -175,18 +175,22 @@ export function sharedModelPath(shareId: string, modelPath?: string) {
   return modelPath ? `/s/${shareId}${modelPath}` : `/s/${shareId}`;
 }
 
-export function urlify(path: string): string {
-  return `${window.location.origin}${path}`;
+export function urlify(
+  path: string,
+  origin: string = window.location.origin
+): string {
+  return `${origin}${path}`;
 }
 
 /**
  * Converts a path to a desktop app URL using the outline:// protocol.
  *
  * @param path The path to convert.
+ * @param origin Optional origin to use instead of `window.location.origin`.
  * @returns The desktop app URL.
  */
-export function desktopify(path: string): string {
-  return urlify(path).replace(/^https?:\/\//, "outline://");
+export function desktopify(path: string, origin?: string): string {
+  return urlify(path, origin).replace(/^https?:\/\//, "outline://");
 }
 
 export const matchCollectionSlug =

package.json

@@ -135,7 +135,7 @@
     "franc": "^6.2.0",
     "fs-extra": "^11.3.4",
     "fuzzy-search": "^3.2.1",
-    "glob": "^8.1.0",
+    "glob": "^11.1.0",
     "hot-shots": "^12.1.0",
     "http-errors": "2.0.1",
     "https-proxy-agent": "^7.0.6",
@@ -347,7 +347,7 @@
     "@types/utf8": "^3.0.3",
     "@types/validator": "^13.15.10",
     "@types/yauzl": "^2.10.3",
-    "babel-jest": "^29.7.0",
+    "babel-jest": "^30.3.0",
     "babel-plugin-styled-components": "^2.1.4",
     "babel-plugin-transform-inline-environment-variables": "^0.4.4",
     "babel-plugin-transform-typescript-metadata": "^0.4.0",
@@ -358,16 +358,16 @@
     "husky": "^8.0.3",
     "i18next-parser": "^8.13.0",
     "ioredis-mock": "^8.13.1",
-    "jest-cli": "^30.2.0",
-    "jest-environment-jsdom": "^29.7.0",
+    "jest-cli": "^30.3.0",
+    "jest-environment-jsdom": "^30.3.0",
     "jest-fetch-mock": "^3.0.3",
-    "lint-staged": "^13.3.0",
+    "lint-staged": "^16.4.0",
     "nodemon": "^3.1.14",
     "oxlint": "1.11.2",
     "oxlint-tsgolint": "^0.1.6",
     "prettier": "^3.6.2",
     "react-refresh": "^0.18.0",
-    "rimraf": "^2.5.4",
+    "rimraf": "^6.1.3",
     "rollup-plugin-webpack-stats": "2.1.11",
     "terser": "^5.44.1",
     "typescript": "^5.9.3"
@@ -392,7 +392,15 @@
     "@types/markdown-it": "14.1.1",
     "underscore": "^1.13.8",
     "tar": "^7.5.13",
-    "@hono/node-server": "^1.19.10"
+    "@hono/node-server": "^1.19.10",
+    "minimatch@npm:^3.0.2": "^3.1.5",
+    "minimatch@npm:^3.0.4": "^3.1.5",
+    "minimatch@npm:^3.1.1": "^3.1.5",
+    "minimatch@npm:^5.0.1": "^5.1.9",
+    "minimatch@npm:9.0.1": "9.0.9",
+    "minimatch@npm:^9.0.4": "^9.0.9",
+    "brace-expansion@npm:^1.1.7": "^1.1.13",
+    "brace-expansion@npm:^2.0.1": "^2.0.3"
   },
   "version": "1.7.0",
   "packageManager": "yarn@4.11.0"