fix: bump minimatch to v9 (CN-1004) (#780)

Two options are now passed to generatePathMatcher to preserve existing behavior across the v3→v9 breaking changes:

windowsPathsNoEscape: true — In v9, backslashes are treated as escape characters by default (e.g. \* means a literal *). This option restores the v3 behavior where backslashes are path separators only, replaced with / before matching. Since we match file paths inside container layers (which can include \ from Windows images), leaving this off would cause v9 to misinterpret those backslashes and break glob matching.

optimizationLevel: 0 — v9 defaults to level 1, which rewrites patterns containing .. (e.g. a/b/../* becomes a/*). Level 0 disables that rewriting so patterns are matched literally against the path string rather than being silently transformed.

Author: parker-snyk

.snyk

@@ -5,15 +5,15 @@ ignore:
   SNYK-JS-TAR-15307072:
     - 'snyk-nodejs-lockfile-parser > @yarnpkg/core > tar':
         reason: 'Indirect dependency from snyk-nodejs-lockfile-parser, waiting for upstream fix'
-        expires: 2026-04-03T00:00:00.000Z
+        expires: 2026-05-06T00:00:00.000Z
   SNYK-JS-TAR-15416075:
     - 'snyk-nodejs-lockfile-parser > @yarnpkg/core > tar':
         reason: 'Indirect dependency from snyk-nodejs-lockfile-parser, waiting for upstream fix'
-        expires: 2026-04-03T00:00:00.000Z
+        expires: 2026-05-06T00:00:00.000Z
   SNYK-JS-TAR-15456201:
     - 'snyk-nodejs-lockfile-parser > @yarnpkg/core > tar':
         reason: 'Indirect dependency from snyk-nodejs-lockfile-parser, waiting for upstream fix'
-        expires: 2026-04-03T00:00:00.000Z
+        expires: 2026-05-06T00:00:00.000Z
   SNYK-JS-LODASH-15869625:
     - '*':
         reason: 'Indirect dependency, waiting for upstream fix'

lib/inputs/file-pattern/static.ts

@@ -1,4 +1,4 @@
-import * as minimatch from "minimatch";
+import { minimatch, MinimatchOptions } from "minimatch";
 import * as path from "path";
 
 import { ExtractAction, ExtractedLayers } from "../../extractor/types";
@@ -13,12 +13,17 @@ function generatePathMatcher(
   globsInclude: string[],
   globsExclude: string[],
 ): (filePath: string) => boolean {
+  const matchOptions: MinimatchOptions = {
+    windowsPathsNoEscape: true,
+    optimizationLevel: 0,
+  };
+
   return (filePath: string): boolean => {
-    if (globsExclude.some((glob) => minimatch(filePath, glob))) {
+    if (globsExclude.some((glob) => minimatch(filePath, glob, matchOptions))) {
       return false;
     }
 
-    return globsInclude.some((glob) => minimatch(filePath, glob));
+    return globsInclude.some((glob) => minimatch(filePath, glob, matchOptions));
   };
 }