[Snyk] Fix for 1 vulnerabilities

[Eric-Guo]

Snyk has created this PR to fix 1 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

• package.json

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

⚠️ Warning

Failed to update the yarn.lock, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

	Issue
	Regular Expression Denial of Service (ReDoS) SNYK-JS-MINIMATCH-15309438

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: bc1ff14ac9

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Regenerate pnpm lockfile after dependency bumps

This commit changes package.json dependency specifiers but does not update pnpm-lock.yaml, which still records patch-package as ^6.5.1 and webpack-dev-server as ^4.15.2; in this repo, CI runs pnpm install --frozen-lockfile (.github/workflows/rubyonrails.yml:54), so the install step will fail as soon as it detects the lockfile is out of sync with these new ranges. Please regenerate and commit pnpm-lock.yaml with these version updates.

Useful? React with 👍 / 👎.

[Copilot]

Pull request overview

This Snyk-generated PR aims to remediate a reported minimatch ReDoS vulnerability by upgrading JavaScript toolchain dependencies in package.json.

Changes:

• Upgraded patch-package from ^6.5.1 to ^8.0.1
• Upgraded webpack-dev-server from ^4.15.2 to ^5.1.0

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

The PR description mentions “yarn dependencies” / updating yarn.lock, but this project appears pnpm-based (packageManager: pnpm@... and pnpm-lock.yaml is present). Please ensure Snyk is configured for pnpm and that the pnpm lockfile (not yarn.lock) is updated as part of this remediation.

[Copilot]

Shakapacker@9.5.0 declares a peer dependency on webpack-dev-server of ^4.15.2 || ^5.2.2 (see pnpm-lock.yaml). Setting this to ^5.1.0 allows resolving to 5.1.x, which is outside that peer range and can cause peer warnings or install issues depending on pnpm settings. Consider bumping the minimum to ^5.2.2 to satisfy the peer constraint.

Suggested change

	"webpack-dev-server": "^5.1.0",
	"webpack-dev-server": "^5.2.2",

[Copilot]

package.json is updated, but the repo uses pnpm (packageManager is pnpm and CI runs pnpm install --frozen-lockfile). Without updating/committing pnpm-lock.yaml, installs will fail in CI and the vulnerable transitive deps may remain pinned to the old versions. Please re-run pnpm install and commit the updated lockfile (and any related cache artifacts, if applicable).