update minimatch to v10

[isaacs]

This fixes a ReDOS and gets onto a supported version

[MikeMcC399]

This would partially fix issue #2305 Edit: now closed

https://github.com/actions/toolkit/blob/main/README.md#note however says:

Note

Thank you for your interest in this GitHub repo, however, right now we are not taking contributions.

Hopefully maintainers will take account of the suggestion in any case.

[matherm-aboehm]

@MikeMcC399
At the same time https://github.com/actions/toolkit/security says:

If you discover a security issue in this repo, please submit it through the GitHub Security Bug Bounty

Thanks for helping make GitHub Actions safe for everyone.

Maybe it's better to report it there to get attention?

[MikeMcC399]

@matherm-aboehm

Maybe it's better to report it there to get attention?

That normally only applies to unpublished security issues and that is a different process. I would not expect going through that route would speed anything up.

This issue requires attention from maintainers of this repo. It's their responsibility to monitor the repo and to respond.

[MikeMcC399]

Also, I notice that minimatch@3.1.5 is now installed, which remediates the vulnerability. So this PR is still relevant for good housekeeping purposes, however the criticality is now lower.