From ca1ac9321ffb2e45aef83d811bf7b19275fc3ddd Mon Sep 17 00:00:00 2001
From: fro-bot <80104189+fro-bot@users.noreply.github.com>
Date: Sat, 28 Mar 2026 05:11:35 +0000
Subject: [PATCH] fix(security): update brace-expansion override to >=5.0.5

Addresses GHSA-v6vh-hvxj-x9wh
- brace-expansion vulnerable to Zero-step sequence causing process hang and memory exhaustion
- brace-expansion is a transitive dependency via minimatch > eslint
- Override forces resolution to patched version >=5.0.5
---
 package.json | 1 +
 pnpm-lock.yaml | 9 +++++----
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/package.json b/package.json
index 89845f149..8c0308ebb 100644
--- a/package.json
+++ b/package.json
@@ -44,6 +44,7 @@
   "pnpm": {
     "overrides": {
       "ajv@8": "8.18.0",
+      "brace-expansion": ">=5.0.5",
       "flatted": ">=3.4.2",
       "minimatch": ">=10.2.3",
       "undici": ">=7.24.0",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index c057dae75..cdffa5176 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -6,6 +6,7 @@ settings:
 
 overrides:
   ajv@8: 8.18.0
+  brace-expansion: '>=5.0.5'
   flatted: '>=3.4.2'
   minimatch: '>=10.2.3'
   undici: '>=7.24.0'
@@ -451,8 +452,8 @@ packages:
     resolution: {integrity: sha512-Sg0xJUNDU1sJNGdfGWhVHX0kkZ+HWcvmVymJbj6NSgZZmW/8S9Y2HQ5euytnIgakgxN6papOAWiwDo1ctFDcoQ==}
     hasBin: true
 
-  brace-expansion@5.0.3:
-    resolution: {integrity: sha512-fy6KJm2RawA5RcHkLa1z/ScpBeA762UF9KmZQxwIbDtRJrgLzM10depAiEQ+CXYcoiqW1/m96OAAoke2nE9EeA==}
+  brace-expansion@5.0.5:
+    resolution: {integrity: sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==}
     engines: {node: 18 || 20 || >=22}
 
   browserslist@4.28.1:
@@ -1826,7 +1827,7 @@ snapshots:
 
   baseline-browser-mapping@2.9.11: {}
 
-  brace-expansion@5.0.3:
+  brace-expansion@5.0.5:
     dependencies:
       balanced-match: 4.0.4
 
@@ -2697,7 +2698,7 @@ snapshots:
 
   minimatch@10.2.4:
     dependencies:
-      brace-expansion: 5.0.3
+      brace-expansion: 5.0.5
 
   minimist@1.2.8: {}
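Review bot: The new override key `"brace-expansion"` is unscoped, so it rewrites every brace-expansion dependency in the tree to `>=5.0.5`, unlike the neighbouring `"ajv@8"` entry which only touches the 8.x line. The lockfile hunks show only minimatch@10.2.4 moving from 5.0.3 to 5.0.5, so the tree may well contain nothing else, but that cannot be confirmed from this diff; if any package still depends on a 1.x or 2.x brace-expansion, forcing it to 5.x would break it rather than patch it. Scoping the key the same way as the ajv entry, `"brace-expansion@5": ">=5.0.5",`, keeps the fix limited to the affected major, and `pnpm why brace-expansion` would confirm which versions are actually resolved. The open-ended `>=` range matches the `flatted`/`minimatch`/`undici` entries, but it will also accept a future 6.x on the next install, so a pinned or upper-bounded range is worth considering if that is not intended.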