
fix: bump brace-expansion to 5.0.6 (GHSA-jxxr-4gwj-5jf2)#88

Draft
Copilot wants to merge 2 commits into
mainfrom
copilot/bump-brace-expansion-to-5-0-6
Draft

Conversation

Contributor

Copilot AI commented May 22, 2026

brace-expansion@5.0.5 has a moderate-severity DoS vulnerability (GHSA-jxxr-4gwj-5jf2, CVSS 6.5) where large numeric ranges bypass the documented max protection. Pulled in transitively via typescript-eslint → minimatch@10.2.4.

Changes

  • package-lock.json: npm audit fix resolves brace-expansion to 5.0.6 in the typescript-eslint subtree

No package.json changes required. Dev-only impact; nothing vulnerable ships in the built extension.

└─┬ typescript-eslint@8.57.0
  └─┬ @typescript-eslint/typescript-estree@8.57.0
    └─┬ minimatch@10.2.4
      └── brace-expansion@5.0.6  ✓  (was 5.0.5)

npm audit now reports 0 vulnerabilities.

Copilot AI changed the title from "[WIP] Bump brace-expansion to fix GHSA-jxxr-4gwj-5jf2" to "fix: bump brace-expansion to 5.0.6 (GHSA-jxxr-4gwj-5jf2)" on May 22, 2026
Copilot AI requested a review from numbers-official on May 22, 2026 at 23:57


Development

Successfully merging this pull request may close these issues.

[Security][Medium] Bump brace-expansion to fix GHSA-jxxr-4gwj-5jf2 (DoS via large numeric range)

2 participants