Debian Node-Anymatch vulnerabilities

CVE-2026-33671 [HIGH] CVE-2026-33671: node-anymatch - Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, ... Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as `+()` and `*()`, especially when combined with overlapping alternatives or nested extglobs, are compiled into regula

CVE-2026-33672 [MEDIUM] CVE-2026-33672: node-anymatch - Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, ... Picomatch is a glob matcher written JavaScript. Versions prior to 4.0.4, 3.0.2, and 2.3.2 are vulnerable to a method injection vulnerability affecting the `POSIX_REGEX_SOURCE` object. Because the object inherits from `Object.prototype`, specially crafted POSIX bracket expressions (e.g., `[[:constructor:]]`) can reference inherited method names. These methods