feat: upgrade minimatch to v10.0.3 (#5291)

* feat: upgrade minimatch to v10.0.3

- Update minimatch dependency from ~3.0.3 to 10.0.3 across monorepo
- Update @types/minimatch from 3.0.5 to 6.0.0
- Fix breaking API changes: switch from default import to named import
  - api-extractor: `import minimatch from 'minimatch'` → `import { minimatch } from 'minimatch'`
  - webpack4-localization-plugin: same import pattern update
- Centralize version management via common-versions.json preferredVersions
- Update lock files and repo state hashes for both subspaces

Breaking change: minimatch v10 uses named exports instead of default export

* add change log

* update lock file

* chore: remove @types/minimatch

* fix: update IMinimatch interface to Minimatch class in package-extractor

- minimatch v10 renamed IMinimatch interface to Minimatch class
- Update type annotations to use the new class name

---------

Co-authored-by: Rob De Feo <[email protected]>

Author: robdefeo

apps/api-extractor/package.json

@@ -45,7 +45,7 @@
     "@rushstack/terminal": "workspace:*",
     "@rushstack/ts-command-line": "workspace:*",
     "lodash": "~4.17.15",
-    "minimatch": "~3.0.3",
+    "minimatch": "10.0.3",
     "resolve": "~1.22.1",
     "semver": "~7.5.4",
     "source-map": "~0.6.1",
@@ -54,7 +54,6 @@
   "devDependencies": {
     "@rushstack/heft": "0.74.1",
     "@types/lodash": "4.14.116",
-    "@types/minimatch": "3.0.5",
     "@types/resolve": "1.20.2",
     "@types/semver": "7.5.0",
     "decoupled-local-node-rig": "workspace:*",

apps/api-extractor/src/collector/Collector.ts

@@ -11,7 +11,7 @@ import {
   PackageName
 } from '@rushstack/node-core-library';
 import { ReleaseTag } from '@microsoft/api-extractor-model';
-import minimatch from 'minimatch';
+import { minimatch } from 'minimatch';
 
 import { ExtractorMessageId } from '../api/ExtractorMessageId';
 

common/changes/@microsoft/api-extractor/upgrade-minimatch-to-v10_2025-07-30-18-10.json

@@ -0,0 +1,10 @@
+{
+  "changes": [
+    {
+      "packageName": "@microsoft/api-extractor",
+      "comment": "Upgrades the minimatch dependency from ~3.0.3 to 10.0.3 across the entire Rush monorepo to address a Regular Expression Denial of Service (ReDoS) vulnerability in the underlying brace-expansion dependency.",
+      "type": "patch"
+    }
+  ],
+  "packageName": "@microsoft/api-extractor"
+}

common/changes/@rushstack/package-extractor/upgrade-minimatch-to-v10_2025-07-30-18-10.json

@@ -0,0 +1,10 @@
+{
+  "changes": [
+    {
+      "packageName": "@rushstack/package-extractor",
+      "comment": "Upgrades the minimatch dependency from ~3.0.3 to 10.0.3 across the entire Rush monorepo to address a Regular Expression Denial of Service (ReDoS) vulnerability in the underlying brace-expansion dependency.",
+      "type": "patch"
+    }
+  ],
+  "packageName": "@rushstack/package-extractor"
+}

common/changes/@rushstack/webpack4-localization-plugin/upgrade-minimatch-to-v10_2025-07-30-18-10.json

@@ -0,0 +1,10 @@
+{
+  "changes": [
+    {
+      "packageName": "@rushstack/webpack4-localization-plugin",
+      "comment": "Upgrades the minimatch dependency from ~3.0.3 to 10.0.3 across the entire Rush monorepo to address a Regular Expression Denial of Service (ReDoS) vulnerability in the underlying brace-expansion dependency.",
+      "type": "patch"
+    }
+  ],
+  "packageName": "@rushstack/webpack4-localization-plugin"
+}

common/config/subspaces/build-tests-subspace/pnpm-lock.yaml

@@ -1,6 +1,6 @@
 // DO NOT MODIFY THIS FILE MANUALLY BUT DO COMMIT IT. It is generated and used by Rush.
 {
-  "pnpmShrinkwrapHash": "4bb96db65ecb99ad3935e230ad704251a845e134",
+  "pnpmShrinkwrapHash": "05243847c45ec913c83e0cb41b32a208240813a6",
   "preferredVersionsHash": "550b4cee0bef4e97db6c6aad726df5149d20e7d9",
-  "packageJsonInjectedDependenciesHash": "6988efb70a621746799ba9bb6049c05da8fa6752"
+  "packageJsonInjectedDependenciesHash": "d69fad25449ad576c80f4959f15d9b087083c579"
 }

common/config/subspaces/build-tests-subspace/repo-state.json

@@ -32,7 +32,10 @@
     "typescript": "~5.8.2",
 
     // This should be the ESLint version that's used to build most of the projects in the repo.
-    "eslint": "~9.25.1"
+    "eslint": "~9.25.1",
+
+    // Updated minimatch and its types to latest major version to resolve ReDoS vulnerability
+    "minimatch": "10.0.3"
   },
 
   /**