feat: replace glob and minimatch with fast-glob and picomatch #1165

Merged: aws-cdk-automation merged 2 commits into main from mrgrain/chore/replace/minimatch-glob on Feb 20, 2026

@mrgrain (Contributor) commented Feb 20, 2026

The glob and minimatch packages have been long-standing dependencies in this project, but they have become problematic for two reasons.

First, there are known security vulnerabilities in the currently pinned versions. For example, dependabot alert #67 flags an issue that requires upgrading. However, upgrading to the latest major versions of glob and minimatch is not a viable path forward because newer releases have moved to the BlueOak-1.0.0 license, which is not compatible with the licensing requirements of this project.

Second, these packages come with a significant transitive dependency tree that includes jackspeak, path-scurry, minipass, and foreground-child among others. These packages are maintained by the same author and have historically seen frequent major version bumps that require attention from dependabot and manual review, creating ongoing maintenance overhead.

This change replaces glob with fast-glob and minimatch with picomatch across all packages in the monorepo. Both are well-established, MIT-licensed alternatives that provide equivalent functionality with a smaller dependency footprint. The picomatch library was already a transitive dependency through chokidar, and toolkit-lib already had a direct dependency on picomatch@^4, so this change consolidates the glob matching implementation rather than introducing something entirely new.

The API migration is straightforward. For globbing, glob.sync('**', options) becomes globSync('**', options) from fast-glob, with option names updated to match the fast-glob API (e.g. nodir → onlyFiles, follow → followSymbolicLinks). For pattern matching, minimatch(str, pattern) becomes isMatch(str, pattern) from picomatch, and minimatch.filter(expression) is replaced with a compiled picomatch(expression) matcher function, which is actually more efficient since it avoids recompiling the pattern for each test.

The yarn.lock cleanup removes several packages that are no longer needed: glob@^11, glob@^9, minimatch@10.0.1, minimatch@^8, jackspeak@^4, minipass@^4, and path-scurry@^2. This reduces the overall dependency count and install size.

Checklist

  • This change contains a major version upgrade for a dependency and I confirm all breaking changes are addressed
    • Release notes for the new version:

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license
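
A check one could run after a migration like the one described above: it confirms that the packages the description lists as removed are gone from yarn.lock and, if not, reports which lockfile entries still pull them in. This is an added example, not code from the PR or the project; it assumes a yarn v1 (classic) lockfile, matches removed packages by name and major version (this example's reading of the list above), and the sample lockfile, its versions and the `some-tool` package are constructed.

```javascript
// Majors the PR description lists as removed (name + major matching is assumed).
const REMOVED = new Map([
  ['glob', [9, 11]], ['minimatch', [8, 10]], ['jackspeak', [4]],
  ['minipass', [4]], ['path-scurry', [2]],
]);

// Parse a yarn v1 lockfile into [{ specs, name, version, deps }].
function parseLock(text) {
  const entries = [];
  let cur = null, inDeps = false;
  for (const line of text.split(/\r?\n/)) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {                 // header: `a@^1, "b@^2":`
      const specs = line.replace(/:$/, '').split(',').map(s => s.trim().replace(/^"|"$/g, ''));
      const name = specs[0].slice(0, specs[0].lastIndexOf('@'));
      cur = { specs, name, version: '', deps: [] };
      entries.push(cur); inDeps = false;
    } else if (cur && /^  \S/.test(line)) {      // two-space field
      const m = line.match(/^  version "(.+)"$/);
      if (m) cur.version = m[1];
      inDeps = /^  (optionalDependencies|dependencies):$/.test(line);
    } else if (cur && inDeps) {                  // four-space `name "range"`
      const m = line.trim().match(/^"?([^"\s]+)"? "?([^"]+)"?$/);
      if (m) cur.deps.push(`${m[1]}@${m[2]}`);
    }
  }
  return entries;
}

// Report each leftover entry and the lockfile entries that still require it.
function findLeftovers(text) {
  const entries = parseLock(text);
  return entries
    .filter(e => (REMOVED.get(e.name) || []).includes(parseInt(e.version, 10)))
    .map(e => ({
      pkg: `${e.name}@${e.version}`,
      requiredBy: entries.filter(p => p.deps.some(d => e.specs.includes(d)))
        .map(p => `${p.name}@${p.version}`),
    }));
}

// Constructed sample lockfile; `some-tool` and all versions are made up.
const SAMPLE_LOCK = [
  'glob@^9.3.5:', '  version "9.3.5"', '  dependencies:', '    minimatch "^8.0.2"',
  '    minipass "^4.2.4"', 'minimatch@^8.0.2:', '  version "8.0.4"',
  'minipass@^4.2.4:', '  version "4.2.8"', 'minipass@^7.1.2:', '  version "7.1.2"',
  'some-tool@^1.0.0:', '  version "1.0.0"', '  dependencies:', '    glob "^9.3.5"',
].join('\n');
console.log(JSON.stringify(findLeftovers(SAMPLE_LOCK), null, 2));
```

An empty result means none of the listed majors remain; a non-empty `requiredBy` names the dependent to upgrade or replace next.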

@codecov-commenter commented Feb 20, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 87.76%. Comparing base (87f56d1) to head (580b5c7).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1165      +/-   ##
==========================================
+ Coverage   87.75%   87.76%   +0.01%     
==========================================
  Files          72       72              
  Lines       10135    10137       +2     
  Branches     1338     1338              
==========================================
+ Hits         8894     8897       +3     
+ Misses       1216     1215       -1     
  Partials       25       25              
Flag Coverage Δ
suite.unit 87.76% <100.00%> (+0.01%) ⬆️


@mrgrain mrgrain changed the title chore: replace glob and minimatch with fast-glob and picomatch feat: replace glob and minimatch with fast-glob and picomatch Feb 20, 2026

@github-actions (Contributor)

Total lines changed 1516 is greater than 1000. Please consider breaking this PR down.

@aws-cdk-automation aws-cdk-automation added this pull request to the merge queue Feb 20, 2026
Merged via the queue into main with commit f7ffdad Feb 20, 2026
41 checks passed
@aws-cdk-automation aws-cdk-automation deleted the mrgrain/chore/replace/minimatch-glob branch February 20, 2026 16:39