chore(deps): update dependency brace-expansion@<1.1.13 to v5 [security]#33275
Open
renovate[bot] wants to merge 1 commit into26_1from
Open
chore(deps): update dependency brace-expansion@<1.1.13 to v5 [security]#33275renovate[bot] wants to merge 1 commit into26_1from
renovate[bot] wants to merge 1 commit into26_1from
Conversation
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
renovate
bot
force-pushed
the
renovate/npm-brace-expansion-1.1.13-vulnerability
branch
from
bfb65d7 to
0297052
Compare
renovate
bot
force-pushed
the
renovate/npm-brace-expansion-1.1.13-vulnerability
branch
from
0297052 to
dbe20be
Compare
renovate
bot
force-pushed
the
renovate/npm-brace-expansion-1.1.13-vulnerability
branch
from
dbe20be to
ac64b26
Compare
renovate
bot
force-pushed
the
renovate/npm-brace-expansion-1.1.13-vulnerability
branch
from
ac64b26 to
3db2792
Compare
renovate
bot
force-pushed
the
renovate/npm-brace-expansion-1.1.13-vulnerability
branch
from
3db2792 to
2733f18
Compare
renovate
bot
force-pushed
the
renovate/npm-brace-expansion-1.1.13-vulnerability
branch
from
2733f18 to
208c638
Compare
renovate
bot
force-pushed
the
renovate/npm-brace-expansion-1.1.13-vulnerability
branch
from
208c638 to
844b2db
Compare
renovate
bot
force-pushed
the
renovate/npm-brace-expansion-1.1.13-vulnerability
branch
from
844b2db to
dd011f2
Compare
renovate
bot
force-pushed
the
renovate/npm-brace-expansion-1.1.13-vulnerability
branch
from
dd011f2 to
bc714d6
Compare
renovate
bot
force-pushed
the
renovate/npm-brace-expansion-1.1.13-vulnerability
branch
from
04445b1 to
3918e60
Compare
renovate
bot
force-pushed
the
renovate/npm-brace-expansion-1.1.13-vulnerability
branch
from
3918e60 to
d3ec620
Compare
renovate
bot
force-pushed
the
renovate/npm-brace-expansion-1.1.13-vulnerability
branch
from
d3ec620 to
fb41cdf
Compare
renovate
bot
force-pushed
the
renovate/npm-brace-expansion-1.1.13-vulnerability
branch
from
fb41cdf to
f2386ba
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^1.1.13→^5.0.5Warning
Some dependencies could not be looked up. Check the Dependency Dashboard for more information.
GitHub Vulnerability Alerts
CVE-2026-33750
Impact
A brace pattern with a zero step value (e.g.,
{1..2..0}) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory.The loop in question:
https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184
test()is one ofhttps://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113
The increment is computed as
Math.abs(0) = 0, so the loop variable never advances. On a test machine, the process hangs for about 3.5 seconds and allocates roughly 1.9 GB of memory before throwing aRangeError. Setting max to any value has no effect because the limit is only checked at the output combination step, not during sequence generation.This affects any application that passes untrusted strings to expand(), or by error sets a step value of
0. That includes tools built on minimatch/glob that resolve patterns from CLI arguments or config files. The input needed is just 10 bytes.Patches
Upgrade to versions
A step increment of 0 is now sanitized to 1, which matches bash behavior.
Workarounds
Sanitize strings passed to
expand()to ensure a step value of0is not used.Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:HRelease Notes
juliangruber/brace-expansion (brace-expansion@<1.1.13)
v5.0.5Compare Source
v5.0.4Compare Source
v5.0.3Compare Source
v5.0.2Compare Source
v4.0.1Compare Source
5a5cc170b6a978v4.0.0Compare Source
278132bdd72a59tea.yaml70e4c1bAs a precaution to not risk breaking anything with
278132b, this is a new semver major releasev3.0.2Compare Source
v3.0.1Compare Source
3059c078229e6f15f9b3cv3.0.0Compare Source
c0360e868c0e379e781e93494c4ddd5a4cb6dad209teste3dd8aed23ede91eb3fa41e7c9cd252053761a94f1dc741cf8ee56265c8756a05978a7v2.1.0Compare Source
v2.0.3Compare Source
v2.0.2Compare Source
14f1d91ed7780a36603d5v2.0.1Compare Source
v2.0.0Compare Source
v1.1.14Compare Source
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.