chore(deps): update dependency brace-expansion@>=1.0.0 <=1.1.11 to v5 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
brace-expansion@>=1.0.0 <=1.1.11	[^1.1.12 → ^5.0.5](https://renovatebot.com/diffs/npm/brace-expansion@>=1.0.0 <=1.1.11/1.1.12/5.0.5)

GitHub Vulnerability Alerts

CVE-2026-33750

Impact

A brace pattern with a zero step value (e.g., {1..2..0}) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory.

The loop in question:

https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184

test() is one of

https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113

The increment is computed as Math.abs(0) = 0, so the loop variable never advances. On a test machine, the process hangs for about 3.5 seconds and allocates roughly 1.9 GB of memory before throwing a RangeError. Setting max to any value has no effect because the limit is only checked at the output combination step, not during sequence generation.

This affects any application that passes untrusted strings to expand(), or by error sets a step value of 0. That includes tools built on minimatch/glob that resolve patterns from CLI arguments or config files. The input needed is just 10 bytes.

Patches

Upgrade to versions

• 5.0.5+

A step increment of 0 is now sanitized to 1, which matches bash behavior.

Workarounds

Sanitize strings passed to expand() to ensure a step value of 0 is not used.

Severity

• CVSS Score: 6.5 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

---

Release Notes

juliangruber/brace-expansion (brace-expansion@>=1.0.0 <=1.1.11)

v5.0.5

Compare Source

v5.0.4

Compare Source

v5.0.3

Compare Source

v5.0.2

Compare Source

v4.0.1

Compare Source

• fmt 5a5cc17
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#​65) 0b6a978

---

v4.0.0

Compare Source

• feat: use string replaces instead of splits (#​64) 278132b
• fmt dd72a59
• add tea.yaml 70e4c1b

As a precaution to not risk breaking anything with 278132b, this is a new semver major release

v3.0.2

Compare Source

v3.0.1

Compare Source

• pkg: publish on tag 3.x 3059c07
• fmt 8229e6f
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#​65) 15f9b3c

---

v3.0.0

Compare Source

• Switch to ES Modules and balanced-match 3.0.0 (#​62) c0360e8
• added jsdoc (#​55) 68c0e37
• node 16 is EOL 9e781e9
• add standard 3494c4d
• use const and let (#​57) dd5a4cb
• docs 6dad209
• remove test e3dd8ae
• ci: update node versions d23ede9
• docs: add @​lanodan to contributors 1eb3fa4
• docs 1e7c9cd
• switch from tape to test module (#​60) 2520537
• Bump minimist from 1.2.5 to 1.2.6 (#​59) 61a94f1
• Bump path-parse from 1.0.6 to 1.0.7 (#​51) dc741cf
• docs: add back ci badge 8ee5626
• Add github actions, remove travis. Closes #​52 (#​53) 5c8756a
• CI: Drop unused sudo: false Travis directive (#​50) 05978a7

v2.1.0

Compare Source

v2.0.3

Compare Source

v2.0.2

Compare Source

• pkg: publish on tag 2.x 14f1d91
• fmt ed7780a
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#​65) 36603d5

---

v2.0.1

Compare Source

v2.0.0

Compare Source

v1.1.14

Compare Source

v1.1.13

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.