
Commit f5d1c5e

oioki and claude authored
build(deps): Bump @sentry/node and force minimatch to fix GHSA-3ppc-4f35-3m26 (#207)
* build(deps): Bump @sentry/node and force minimatch to fix GHSA-3ppc-4f35-3m26

Two instances of vulnerable minimatch (9.0.0–9.0.5) were present:

1. @sentry/node@10.0.0 pulled in minimatch@^9.0.0 (resolved to 9.0.5) as a production dependency. @sentry/node@10.40.0 drops minimatch entirely, so bumping to that version removes the production-side exposure. @sentry/profiling-node is bumped in lockstep to match.

2. @typescript-eslint/typescript-estree@6.16.0 (via eslint-config-sentry-app) hard-pins minimatch@9.0.3 (exact, not a range). Yarn v1 selective resolutions cannot override exact-version pins in transitive deps, so a broad resolution "minimatch": "9.0.6" is used instead — the same approach taken for json5.

minimatch 9.x exposes the same CJS API as 3.x, so all consumers (eslint, jest, glob, @fastify/otel) remain compatible.

All tests pass.

Co-Authored-By: Claude <noreply@anthropic.com>

* build(deps): Bump minimatch resolution to 9.0.9

9.0.6 itself has two additional ReDoS vulnerabilities (GHSA-23c5-xmqv-rm74, GHSA-7r86-cg39-jmmj) caught by the dependency-review CI check. 9.0.9 is the latest 9.x release and has no known advisories.

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Co-authored-by: Claude <noreply@anthropic.com>
1 parent 7edb890 commit f5d1c5e

2 files changed

Lines changed: 345 additions & 324 deletions


package.json

Lines changed: 4 additions & 3 deletions
@@ -20,8 +20,8 @@
2020
"README"
2121
],
2222
"dependencies": {
23-
"@sentry/node": "10.0.0",
24-
"@sentry/profiling-node": "10.0.0",
23+
"@sentry/node": "10.40.0",
24+
"@sentry/profiling-node": "10.40.0",
2525
"canvas": "^3.2.0",
2626
"dotenv": "^8.2.0",
2727
"echarts": "6.0.0",
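Review bot: The exact pins "@sentry/node": "10.40.0" and "@sentry/profiling-node": "10.40.0" jump forty minor releases in one step, and this hunk only shows package.json; the commit summary reports 345 additions and 324 deletions across 2 files, so almost all of the change is in the other file (presumably the Yarn lockfile, given the message's reference to Yarn v1 resolutions), which is where any newly introduced transitive dependencies would appear. Before merging, confirm with `yarn why minimatch` that no 9.0.0–9.0.5 instance remains reachable from the production tree, and record in the PR that the resolved dependency tree was reviewed, not only that tests pass. Keeping the exact pin (rather than a caret range) matches the existing style of "echarts": "6.0.0" and is fine, but it means future @sentry/node advisories will again need a manual bump.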
@@ -48,7 +48,8 @@
4848
"typescript": "^5.3.3"
4949
},
5050
"resolutions": {
51-
"json5": "^2.2.3"
51+
"json5": "^2.2.3",
52+
"minimatch": "9.0.9"
5253
},
5354
"volta": {
5455
"node": "20.20.0",
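Review bot: The new resolution "minimatch": "9.0.9" is a blanket override with no package qualifier, so it replaces every minimatch in the tree, including consumers that declare 3.x ranges (eslint, jest, glob, @fastify/otel per the commit message); the compatibility claim rests on the CJS API being the same, which the tests cover only as far as they exercise glob matching. Because JSON cannot carry a comment next to the entry, document the reason for the override and the three advisory IDs (GHSA-3ppc-4f35-3m26, GHSA-23c5-xmqv-rm74, GHSA-7r86-cg39-jmmj) in the README or changelog, and note that the resolution should be dropped once eslint-config-sentry-app no longer pulls in the exact 9.0.3 pin. As the 9.0.6 to 9.0.9 bump within this same commit shows, an exact resolution will not pick up future minimatch fixes on its own, so the dependency-review CI check the message mentions is the only safeguard; keep it required on this repository.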
