Skip to content

chore(deps): update dependency brace-expansion@>=1.0.0 <=1.1.11 to v5 [security]#61

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-brace-expansion-=1.0.0-=1.1.11-vulnerability
Open

chore(deps): update dependency brace-expansion@>=1.0.0 <=1.1.11 to v5 [security]#61
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-brace-expansion-=1.0.0-=1.1.11-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate Bot commented Mar 27, 2026
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
brace-expansion@>=1.0.0 <=1.1.11 [^1.1.12^5.0.6](https://renovatebot.com/diffs/npm/brace-expansion@>=1.0.0 <=1.1.11/1.1.12/5.0.6) age confidence

brace-expansion: Zero-step sequence causes process hang and memory exhaustion

CVE-2026-33750 / GHSA-f886-m6hf-6m8v

More information

Details

Impact

A brace pattern with a zero step value (e.g., {1..2..0}) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory.

The loop in question:

https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184

test() is one of

https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113

The increment is computed as Math.abs(0) = 0, so the loop variable never advances. On a test machine, the process hangs for about 3.5 seconds and allocates roughly 1.9 GB of memory before throwing a RangeError. Setting max to any value has no effect because the limit is only checked at the output combination step, not during sequence generation.

This affects any application that passes untrusted strings to expand(), or by error sets a step value of 0. That includes tools built on minimatch/glob that resolve patterns from CLI arguments or config files. The input needed is just 10 bytes.

Patches

Upgrade to versions

  • 5.0.5+

A step increment of 0 is now sanitized to 1, which matches bash behavior.

Workarounds

Sanitize strings passed to expand() to ensure a step value of 0 is not used.

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

brace-expansion: Large numeric range defeats documented max DoS protection

CVE-2026-45149 / GHSA-jxxr-4gwj-5jf2

More information

Details

The max option was being applied too late:

When expanding a single large numeric range like {1..10000000}, the sequence generation loop generates all 10 million intermediate elements before the max limit is applied With max=10, the output is correctly limited to 10 items, but the process still allocates ~505 MB and spends ~800ms building the full intermediate array.

Workaround

Ensure the string to be expanded doesn't contain more values than the desired max item count.

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

juliangruber/brace-expansion (brace-expansion@>=1.0.0 <=1.1.11)

v5.0.6

Compare Source

v5.0.5

Compare Source

v5.0.4

Compare Source

v5.0.3

Compare Source

v5.0.2

Compare Source

v4.0.1

Compare Source

v4.0.0

Compare Source

As a precaution to not risk breaking anything with 278132b, this is a new semver major release

v3.0.2

Compare Source

v3.0.1

Compare Source

v3.0.0

Compare Source

v2.1.1

Compare Source

v2.1.0

Compare Source

v2.0.3

Compare Source

v2.0.2

Compare Source

v2.0.1

Compare Source

v2.0.0

Compare Source

v1.1.15

Compare Source

v1.1.14

Compare Source

v1.1.13

Compare Source

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/npm-brace-expansion-=1.0.0-=1.1.11-vulnerability branch 3 times, most recently from 2fede2b to 5dd7ab8 Compare April 1, 2026 22:10
@renovate renovate Bot force-pushed the renovate/npm-brace-expansion-=1.0.0-=1.1.11-vulnerability branch 3 times, most recently from 4fb05f7 to 4eb2632 Compare April 15, 2026 09:38
@renovate renovate Bot force-pushed the renovate/npm-brace-expansion-=1.0.0-=1.1.11-vulnerability branch 5 times, most recently from bd2cf29 to 779e501 Compare April 21, 2026 23:07
@renovate renovate Bot force-pushed the renovate/npm-brace-expansion-=1.0.0-=1.1.11-vulnerability branch 2 times, most recently from 1fc8b60 to 6eec54b Compare April 23, 2026 16:50
@renovate renovate Bot changed the title chore(deps): update dependency brace-expansion@>=1.0.0 <=1.1.11 to v5 [security] chore(deps): update dependency brace-expansion@>=1.0.0 <=1.1.11 to v5 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot deleted the renovate/npm-brace-expansion-=1.0.0-=1.1.11-vulnerability branch April 27, 2026 17:21
@renovate renovate Bot changed the title chore(deps): update dependency brace-expansion@>=1.0.0 <=1.1.11 to v5 [security] - autoclosed chore(deps): update dependency brace-expansion@>=1.0.0 <=1.1.11 to v5 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/npm-brace-expansion-=1.0.0-=1.1.11-vulnerability branch 6 times, most recently from f256f1f to 9aed9dd Compare April 30, 2026 22:36
@renovate renovate Bot force-pushed the renovate/npm-brace-expansion-=1.0.0-=1.1.11-vulnerability branch 6 times, most recently from 0adec97 to 1e7ff74 Compare May 18, 2026 21:59
@renovate renovate Bot force-pushed the renovate/npm-brace-expansion-=1.0.0-=1.1.11-vulnerability branch 4 times, most recently from b5d05b5 to fa14659 Compare May 29, 2026 00:54
@renovate renovate Bot force-pushed the renovate/npm-brace-expansion-=1.0.0-=1.1.11-vulnerability branch from fa14659 to ee03015 Compare June 1, 2026 22:39
@renovate renovate Bot force-pushed the renovate/npm-brace-expansion-=1.0.0-=1.1.11-vulnerability branch from ee03015 to f2572d8 Compare June 2, 2026 03:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants