
fix: bump minimatch to v9 (CN-1004)#780

Merged
parker-snyk merged 3 commits intomainfrom
CN-1004-update-minimatch-v9
Apr 7, 2026

Conversation


@parker-snyk parker-snyk commented Apr 6, 2026

  • Ready for review
  • Follows CONTRIBUTING rules
  • Reviewed by Snyk internal team

What does this PR do?

Upgrades minimatch from v3 to v9 and drops @types/minimatch since v9 ships its own types. The import style changes from import * as minimatch to a named import since v9 uses a different module export style.

Two options are now passed to generatePathMatcher to preserve existing behavior across the v3→v9 breaking changes:

  • windowsPathsNoEscape: true — In v9, backslashes are treated as escape characters by default (e.g. \* means a literal *). This option restores the v3 behavior where backslashes are path separators only, replaced with / before matching. Since we match file paths inside container layers (which can include \ from Windows images), leaving this off would cause v9 to misinterpret those backslashes and break glob matching.

  • optimizationLevel: 0 — v9 defaults to level 1, which rewrites patterns containing .. (e.g. a/b/../* becomes a/*). Level 0 disables that rewriting so patterns are matched literally against the path string rather than being silently transformed.

Also bumps the .snyk ignore expiry dates for the tar vulns (from snyk-nodejs-lockfile-parser > @yarnpkg/core > tar). They expired April 3 and were blocking CI. Still waiting on an upstream fix.

Where should the reviewer start?

lib/inputs/file-pattern/static.ts — only file that uses minimatch.

How should this be manually tested?

npm run test:unit
npm run test:system

The glob matching tests already cover what generatePathMatcher does. If you want to poke at it more, try scanning an image with files that have backslashes in their layer paths.

Any background context you want to provide?

minimatch v3 is from 2014. The v9 README documents windowsPathsNoEscape explicitly as restoring the "buggy" behavior of earlier versions on Windows — so we're intentionally opting into it to stay compatible with how this code has always worked.

What are the relevant tickets?

CN-1004

Screenshots

N/A

Additional questions

None
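The two options described above, as an added example that is not code from this PR or from the repository: a dependency-free JavaScript model of what each option switches on and off, written for this page. It is not minimatch and does not reproduce its full semantics (only `*`, `?`, `**` and backslash handling are modelled); the helper names (makeMatcher, collapseDotDot, demo), the option bundles and the sample pattern and layer paths are all constructed. The model also assumes, following the description, that with windowsPathsNoEscape backslashes in both the pattern and the path are rewritten to `/` before matching.

```javascript
// Added example, not code from the PR or the repository. A dependency-free
// model of the two minimatch behaviours the PR description contrasts; it is
// NOT minimatch and only covers *, ?, ** and backslash handling.

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Emulates the pattern rewrite described for optimizationLevel 1:
// "a/b/../*" becomes "a/*". Leading ".." segments are kept because there is
// nothing to collapse them against.
function collapseDotDot(pattern) {
  const out = [];
  for (const seg of pattern.split('/')) {
    const last = out[out.length - 1];
    if (seg === '..' && out.length > 0 && last !== '..' && last !== '') {
      out.pop();
    } else {
      out.push(seg);
    }
  }
  return out.join('/');
}

// One path segment to a regex. With backslashEscapes on, "\x" means a
// literal "x" (so "\*" is a literal star); with it off no backslashes remain,
// because makeMatcher has already rewritten them to "/".
function segmentToRegex(seg, backslashEscapes) {
  let re = '';
  for (let i = 0; i < seg.length; i++) {
    const c = seg[i];
    if (backslashEscapes && c === '\\' && i + 1 < seg.length) {
      re += escapeRegex(seg[++i]);
    } else if (c === '*') {
      re += '[^/]*';
    } else if (c === '?') {
      re += '[^/]';
    } else {
      re += escapeRegex(c);
    }
  }
  return new RegExp('^' + re + '$');
}

// Segment-wise match; a bare "**" segment matches zero or more segments.
function matchSegments(pat, path, backslashEscapes) {
  if (pat.length === 0) return path.length === 0;
  if (pat[0] === '**') {
    for (let i = 0; i <= path.length; i++) {
      if (matchSegments(pat.slice(1), path.slice(i), backslashEscapes)) return true;
    }
    return false;
  }
  if (path.length === 0) return false;
  if (!segmentToRegex(pat[0], backslashEscapes).test(path[0])) return false;
  return matchSegments(pat.slice(1), path.slice(1), backslashEscapes);
}

// Hypothetical stand-in for the matcher factory. opts mirrors the two
// minimatch options named in the PR; the model assumes that with
// windowsPathsNoEscape both pattern and path are rewritten to "/" first.
function makeMatcher(pattern, opts) {
  let pat = opts.windowsPathsNoEscape ? pattern.replace(/\\/g, '/') : pattern;
  if (opts.optimizationLevel === 1) pat = collapseDotDot(pat);
  const patSegs = pat.split('/');
  return (filePath) => {
    const p = opts.windowsPathsNoEscape ? filePath.replace(/\\/g, '/') : filePath;
    return matchSegments(patSegs, p.split('/'), !opts.windowsPathsNoEscape);
  };
}

const v3Compatible = { windowsPathsNoEscape: true, optimizationLevel: 0 }; // what the PR passes
const v9Defaults = { windowsPathsNoEscape: false, optimizationLevel: 1 };  // what v9 does unasked

// Constructed sample inputs: a pattern written with Windows separators, a
// layer path from a Windows image, and a layer path carrying a literal "..".
function demo() {
  const winPattern = '**\\config\\*.json';
  const winPath = 'app\\config\\db.json';
  const dotdotPattern = 'a/b/../*';
  return {
    v3compatWinPath: makeMatcher(winPattern, v3Compatible)(winPath),   // true
    v9defaultWinPath: makeMatcher(winPattern, v9Defaults)(winPath),    // false: "\c" is "c", "\*" a literal "*"
    v3compatLiteralDotDot: makeMatcher(dotdotPattern, v3Compatible)('a/b/../x.txt'), // true
    v9defaultLiteralDotDot: makeMatcher(dotdotPattern, v9Defaults)('a/b/../x.txt'),  // false: pattern became "a/*"
    v3compatRewritten: makeMatcher(dotdotPattern, v3Compatible)('a/x.txt'), // false
    v9defaultRewritten: makeMatcher(dotdotPattern, v9Defaults)('a/x.txt'),  // true: "a/*" silently matches
  };
}
```

Read as a regression guard, a table like demo() pins down each option's effect, so a future major bump of the glob library cannot silently change which layer paths a pattern reaches without a test going red.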

@parker-snyk parker-snyk requested a review from a team as a code owner April 6, 2026 19:01
@parker-snyk parker-snyk requested a review from pecodez April 6, 2026 19:01

@parker-snyk parker-snyk requested review from d3vco and removed request for pecodez April 6, 2026 19:19
d3vco previously approved these changes Apr 6, 2026

@d3vco d3vco left a comment


lgtm, thanks for the clear pr description

@snyk-pr-review-bot

PR Reviewer Guide 🔍

🧪 PR contains tests
🔒 No security concerns identified
⚡ No major issues detected
📚 Repository Context Analyzed

This review considered 12 relevant code sections from 3 files (average relevance: 0.67)

@parker-snyk parker-snyk merged commit f9e49ac into main Apr 7, 2026
16 checks passed
@parker-snyk parker-snyk deleted the CN-1004-update-minimatch-v9 branch April 7, 2026 13:32
@snyksec

snyksec commented Apr 7, 2026

🎉 This PR is included in version 9.5.7 🎉

The release is available on:

Your semantic-release bot 📦🚀
