fix(deps): bump brace-expansion to 5.0.6 (CVE-2026-45149) #430
Closed
simon-lowes wants to merge 1 commit into
Conversation
Updates the transitive brace-expansion 5.0.5 inside minimatch to 5.0.6+, patching the DoS via large numeric range expansion (GHSA-jxxr-4gwj-5jf2). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Owner / Author
@dependabot rebase
Owner / Author
Obsolete: main already resolves brace-expansion to 1.1.15 / 2.1.1 / 5.0.6 — at or above the patched versions this PR targets (1.1.14 / 5.0.6), pulled in by later updates. Merging would downgrade 1.1.15→1.1.14. CVE-2026-45149 is already remediated on main.
Summary
Patches Dependabot security alert #31 by bumping the transitive brace-expansion 5.0.5 inside node_modules/minimatch to 5.0.6. The max option was applied too late; large numeric ranges allocate ~505 MB before being trimmed. Only package-lock.json is touched. package.json does not need changes because the affected package is transitive (via minimatch).
Test plan
npm install --package-lock-only runs cleanly
brace-expansion@5.0.5 is now 5.0.6 in the lockfile
Co-Authored-By: Claude Opus 4.6 noreply@anthropic.com
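Added illustration of the failure mode the PR body describes (a result cap that is applied only after the whole numeric range has been built). This is not brace-expansion's or minimatch's code; the function names, the assumption that the max option caps the number of results, and the hostile input are all constructed for this example, and only plain numeric ranges (a..b and a..b..step) are modelled, not padding or alternation.

```javascript
// Constructed illustration of the bug class the PR body describes (a result
// cap applied only after the whole numeric range has been materialised).
// Not brace-expansion's own code: the function names, the assumption that
// `max` caps the number of results, and the inputs are all assumptions.
// Only plain numeric ranges ("a..b" and "a..b..step") are modelled.

// Parse a range body into [start, end, step]; null if it is not a numeric range.
function parseNumericRange(body) {
  const m = /^(-?\d+)\.\.(-?\d+)(?:\.\.(-?\d+))?$/.exec(body);
  if (!m) return null;
  const step = m[3] === undefined ? 1 : Math.abs(Number(m[3]));
  if (step === 0) return null;
  return [Number(m[1]), Number(m[2]), step];
}

// Element count of the range, computed arithmetically without allocating it.
function rangeLength([start, end, step]) {
  return Math.floor(Math.abs(end - start) / step) + 1;
}

// Vulnerable shape: build every element, then trim to `max`. `allocated`
// counts the strings created, which tracks the attacker-controlled range
// size rather than `max`.
function expandTrimAfter(body, max) {
  const r = parseNumericRange(body);
  if (!r) return { items: [body], allocated: 1 };
  const [start, end, step] = r;
  const dir = end >= start ? 1 : -1;
  const all = [];
  for (let i = start; dir > 0 ? i <= end : i >= end; i += dir * step) {
    all.push(String(i));
  }
  const items = max === undefined ? all : all.slice(0, max);
  return { items, allocated: all.length };
}

// Hardened shape: decide how many elements may be produced before producing
// any of them, so memory is bounded by min(max, range length).
function expandBounded(body, max) {
  const r = parseNumericRange(body);
  if (!r) return { items: [body], allocated: 1 };
  const [start, end, step] = r;
  const dir = end >= start ? 1 : -1;
  const total = rangeLength(r);
  const limit = max === undefined ? total : Math.min(max, total);
  const items = new Array(limit);
  for (let k = 0; k < limit; k++) {
    items[k] = String(start + dir * step * k);
  }
  return { items, allocated: limit };
}

// Sample hostile input (constructed): a million-element range with a cap of 3.
const HOSTILE = '1..1000000';
console.log(expandTrimAfter(HOSTILE, 3).allocated); // 1000000
console.log(expandBounded(HOSTILE, 3).allocated);   // 3
```

Both functions return the same trimmed items; the difference is only in how much work the caller's cap actually bounds, which is the property a regression test for this class of fix should assert on rather than the output alone.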