[Snyk - High] fecfile-validate: update vulnerable dependency chains (ajv, glob, minimatch, eslint) (03/22/2026)

[exalate-issue-sync]

Snyk warning: https://app.snyk.io/org/fecfile/project/377bba3f-d9ef-402b-a5b5-a4ac5934a0d4

current state after dependency updates and audit cleanup is the expected residual state.

commands run:

npm audit --omit=dev
npm ls fecfile-validate ajv glob minimatch --all

result: 4 vulnerabilities remain, all from the fecfile-validate transitive dependency chain

affected chain:

• fecfile-validate -> ajv@8.17.1 (vulnerable: glob@10.5.0 -> minimatch@9.0.5 (vulnerable: `minimatch

  npm install
  npm audit --omit=dev

Success Criteria

npm audit --omit=dev no longer reports vulnerabilities from the fecfile-validate chain (ajv / glob / minimatch).

QA Notes

null

DEV Notes

null

Design

null

See full ticket and images here: FECFILE-2884

Pull Request: #412

[exalate-issue-sync]

Joshua Coombs commented: [~accountid:712020:3a738b19-6415-43b4-81c1-e92f1f7586f3]

[exalate-issue-sync]

Sasha Dresden commented: [Validate PR|https://github.com//pull/412]

[Web APP PR|https://github.com/fecgov/fecfile-web-app/pull/3638]

[API PR|https://github.com/fecgov/fecfile-web-api/pull/1914]

[exalate-issue-sync]

Todd Lees commented: vulnerabilities in ticket are no longer present

!image-20260305-143107.png|width=625,alt="image-20260305-143107.png"!

[exalate-issue-sync]

Shelly Wise commented: No QA needed on this ticket. Per DEV vulnerabilities in ticket are no longer present.

Moved to Stage Ready.