From 3b06c68df9551a9cb272517890f45f669f5a962b Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Sat, 21 Mar 2026 10:29:59 +0000
Subject: [PATCH 1/2] Bump flatted from 3.3.3 to 3.4.2 in /webapp

Bumps [flatted](https://github.com/WebReflection/flatted) from 3.3.3 to 3.4.2.
- [Commits](https://github.com/WebReflection/flatted/compare/v3.3.3...v3.4.2)

---
updated-dependencies:
- dependency-name: flatted
  dependency-version: 3.4.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
---
 webapp/package-lock.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/webapp/package-lock.json b/webapp/package-lock.json
index 78f67a1f..423a32d5 100644
--- a/webapp/package-lock.json
+++ b/webapp/package-lock.json
@@ -6988,7 +6988,9 @@
       }
     },
     "node_modules/flatted": {
-      "version": "3.3.3",
+      "version": "3.4.2",
+      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
+      "integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
       "dev": true,
       "license": "ISC"
     },

From f42a00df595e84a6282ec1e0d0ffdc5c5fa59d62 Mon Sep 17 00:00:00 2001
From: Nevyana Angelova <nevyangelova@192.168.100.24>
Date: Mon, 23 Mar 2026 15:10:28 +0200
Subject: [PATCH 2/2] Exclude webapp/node_modules from go vet scans

Third-party npm packages (e.g. flatted v3.4.2) can ship .go files
that fail the Mattermost license header check. Filter go vet to
only scan server packages.

Made-with: Cursor
---
 Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Makefile b/Makefile
index a6520a6d..eb4174cd 100644
--- a/Makefile
+++ b/Makefile
@@ -199,9 +199,9 @@ endif
 # weird reports at golangci-lint step
 ifneq ($(HAS_SERVER),)
 	@echo Running golangci-lint
-	$(GO) vet ./...
+	$(GO) vet $$($(GO) list ./... | grep -v /webapp/)
 	$(GOBIN)/golangci-lint run ./...
-	$(GO) vet -vettool=$(GOBIN)/mattermost-govet -license -license.year=2017 ./...
+	$(GO) vet -vettool=$(GOBIN)/mattermost-govet -license -license.year=2017 $$($(GO) list ./... | grep -v /webapp/)
 endif
 
 ## Builds the server, if it exists, for all supported architectures, unless MM_SERVICESETTINGS_ENABLEDEVELOPER is set