fix: update picomatch to resolve CVE-2026-33672

[dannyneira]

Summary

• Updates transitive picomatch lockfile entries to patched versions for CVE-2026-33672.
• Resolves both vulnerable dependency ranges currently present in package-lock.json:
  • picomatch 2.x: 2.3.1 -> 2.3.2
  • picomatch 4.x under tinyglobby: 4.0.3 -> 4.0.4

Vulnerability details

• Advisory: GHSA-3v7f-55p6-f55p
• CVE: CVE-2026-33672
• Dependabot alerts:
  • https://github.com/warpdotdev/commands.dev/security/dependabot/63
  • https://github.com/warpdotdev/commands.dev/security/dependabot/66
• Dependency relationship: transitive development dependency via package-lock.json.
• Workaround applied: none; existing semver ranges already allowed the patched releases, so this is a lockfile-only update.

Verification

• npm audit --json no longer reports picomatch / GHSA-3v7f-55p6-f55p. Remaining audit findings are unrelated and covered separately.
• npm run lint
• npx tsc lib/*.ts
• NEXT_PUBLIC_ALGOLIA_APP_ID=dummy NEXT_PUBLIC_ALGOLIA_SEARCH_API_KEY=dummy npx next build

Conversation: https://staging.warp.dev/conversation/550fab81-e5b7-4938-ab82-c93ffa1e7e21
Run: https://oz.staging.warp.dev/runs/019e36aa-77c6-72a5-a14f-feba903dc2f2
This PR was generated with Oz.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
commands-dev	Ready	Preview, Comment	May 27, 2026 7:24pm

[jefflloyd]

Had to kick Vercel but looks good