chore(deps): update dependency brace-expansion@>=1.0.0 <=1.1.11 to v5 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
brace-expansion@>=1.0.0 <=1.1.11	[>=1.1.12 → >=5.0.5](https://renovatebot.com/diffs/npm/brace-expansion@>=1.0.0 <=1.1.11/1.1.12/5.0.5)

GitHub Vulnerability Alerts

CVE-2026-33750

Impact

A brace pattern with a zero step value (e.g., {1..2..0}) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory.

The loop in question:

https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184

test() is one of

https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113

The increment is computed as Math.abs(0) = 0, so the loop variable never advances. On a test machine, the process hangs for about 3.5 seconds and allocates roughly 1.9 GB of memory before throwing a RangeError. Setting max to any value has no effect because the limit is only checked at the output combination step, not during sequence generation.

This affects any application that passes untrusted strings to expand(), or by error sets a step value of 0. That includes tools built on minimatch/glob that resolve patterns from CLI arguments or config files. The input needed is just 10 bytes.

Patches

Upgrade to versions

• 5.0.5+

A step increment of 0 is now sanitized to 1, which matches bash behavior.

Workarounds

Sanitize strings passed to expand() to ensure a step value of 0 is not used.

---

brace-expansion: Zero-step sequence causes process hang and memory exhaustion

CVE-2026-33750 / GHSA-f886-m6hf-6m8v

More information

Details

Impact

A brace pattern with a zero step value (e.g., {1..2..0}) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory.

The loop in question:

https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184

test() is one of

https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113

The increment is computed as Math.abs(0) = 0, so the loop variable never advances. On a test machine, the process hangs for about 3.5 seconds and allocates roughly 1.9 GB of memory before throwing a RangeError. Setting max to any value has no effect because the limit is only checked at the output combination step, not during sequence generation.

This affects any application that passes untrusted strings to expand(), or by error sets a step value of 0. That includes tools built on minimatch/glob that resolve patterns from CLI arguments or config files. The input needed is just 10 bytes.

Patches

Upgrade to versions

• 5.0.5+

A step increment of 0 is now sanitized to 1, which matches bash behavior.

Workarounds

Sanitize strings passed to expand() to ensure a step value of 0 is not used.

Severity

• CVSS Score: 6.5 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References

• https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v
• https://nvd.nist.gov/vuln/detail/CVE-2026-33750
• https://github.com/juliangruber/brace-expansion/issues/98
• https://github.com/juliangruber/brace-expansion/pull/95
• https://github.com/juliangruber/brace-expansion/pull/96
• https://github.com/juliangruber/brace-expansion/pull/97
• https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5
• https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2
• https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a
• https://github.com/juliangruber/brace-expansion
• https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113
• https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

juliangruber/brace-expansion (brace-expansion@>=1.0.0 <=1.1.11)

v5.0.5

Compare Source

v5.0.4

Compare Source

v5.0.3

Compare Source

v5.0.2

Compare Source

v4.0.1

Compare Source

• fmt 5a5cc17
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#​65) 0b6a978

---

v4.0.0

Compare Source

• feat: use string replaces instead of splits (#​64) 278132b
• fmt dd72a59
• add tea.yaml 70e4c1b

As a precaution to not risk breaking anything with 278132b, this is a new semver major release

v3.0.2

Compare Source

v3.0.1

Compare Source

• pkg: publish on tag 3.x 3059c07
• fmt 8229e6f
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#​65) 15f9b3c

---

v3.0.0

Compare Source

• Switch to ES Modules and balanced-match 3.0.0 (#​62) c0360e8
• added jsdoc (#​55) 68c0e37
• node 16 is EOL 9e781e9
• add standard 3494c4d
• use const and let (#​57) dd5a4cb
• docs 6dad209
• remove test e3dd8ae
• ci: update node versions d23ede9
• docs: add @​lanodan to contributors 1eb3fa4
• docs 1e7c9cd
• switch from tape to test module (#​60) 2520537
• Bump minimist from 1.2.5 to 1.2.6 (#​59) 61a94f1
• Bump path-parse from 1.0.6 to 1.0.7 (#​51) dc741cf
• docs: add back ci badge 8ee5626
• Add github actions, remove travis. Closes #​52 (#​53) 5c8756a
• CI: Drop unused sudo: false Travis directive (#​50) 05978a7

v2.0.3

Compare Source

v2.0.2

Compare Source

• pkg: publish on tag 2.x 14f1d91
• fmt ed7780a
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#​65) 36603d5

---

v2.0.1

Compare Source

v2.0.0

Compare Source

v1.1.13

Compare Source

---

Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - Monday through Friday ( * * * * 1-5 ) in timezone America/New_York.

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: pnpm-lock.yaml

 ERR_PNPM_INVALID_MINIMUM_RELEASE_AGE_EXCLUDE  Invalid value in minimumReleaseAgeExclude: Invalid versions union. Found: "brace-expansion@>=1.0.0 <=1.1.11@5.0.5". Use exact versions only.

[vaibhavrajsingh2001]

Fixing in #834

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 5.x releases. But if you manually upgrade to 5.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.