chore(deps): update dependency brace-expansion@<1.1.13 to v5 [security]#149

Closed

renovate[bot] wants to merge 1 commit into

mainfrom

renovate/npm-brace-expansion-1.1.13-vulnerability

Contributor

renovate Bot commented May 4, 2026 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Confidence
brace-expansion@<1.1.13	`>=1.1.13` → `>=5.0.5`

brace-expansion: Zero-step sequence causes process hang and memory exhaustion

CVE-2026-33750 / GHSA-f886-m6hf-6m8v

More information

Details

Impact

A brace pattern with a zero step value (e.g., {1..2..0}) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory.

The loop in question:

https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184

test() is one of

https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113

The increment is computed as Math.abs(0) = 0, so the loop variable never advances. On a test machine, the process hangs for about 3.5 seconds and allocates roughly 1.9 GB of memory before throwing a RangeError. Setting max to any value has no effect because the limit is only checked at the output combination step, not during sequence generation.

This affects any application that passes untrusted strings to expand(), or by error sets a step value of 0. That includes tools built on minimatch/glob that resolve patterns from CLI arguments or config files. The input needed is just 10 bytes.

Patches

Upgrade to versions

5.0.5+

A step increment of 0 is now sanitized to 1, which matches bash behavior.

Workarounds

Sanitize strings passed to expand() to ensure a step value of 0 is not used.

Severity

CVSS Score: 6.5 / 10 (Medium)
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

juliangruber/brace-expansion (brace-expansion@<1.1.13)

`v5.0.5`

`v5.0.4`

`v5.0.3`

`v5.0.2`

`v4.0.1`

fmt 5a5cc17
Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) 0b6a978

`v4.0.0`

feat: use string replaces instead of splits (#64) 278132b
fmt dd72a59
add tea.yaml 70e4c1b

As a precaution to not risk breaking anything with 278132b, this is a new semver major release

`v3.0.2`

`v3.0.1`

pkg: publish on tag 3.x 3059c07
fmt 8229e6f
Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) 15f9b3c

`v3.0.0`

Switch to ES Modules and balanced-match 3.0.0 (#62) c0360e8
added jsdoc (#55) 68c0e37
node 16 is EOL 9e781e9
add standard 3494c4d
use const and let (#57) dd5a4cb
docs 6dad209
remove test e3dd8ae
ci: update node versions d23ede9
docs: add @lanodan to contributors 1eb3fa4
docs 1e7c9cd
switch from tape to test module (#60) 2520537
Bump minimist from 1.2.5 to 1.2.6 (#59) 61a94f1
Bump path-parse from 1.0.6 to 1.0.7 (#51) dc741cf
docs: add back ci badge 8ee5626
Add github actions, remove travis. Closes #52 (#53) 5c8756a
CI: Drop unused sudo: false Travis directive (#50) 05978a7

`v2.1.0`

`v2.0.3`

`v2.0.2`

pkg: publish on tag 2.x 14f1d91
fmt ed7780a
Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) 36603d5

`v2.0.1`

`v2.0.0`

`v1.1.14`

Configuration

📅 Schedule: (in timezone Europe/Zurich)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate Bot added the security label

changeset-bot Bot commented May 4, 2026 •

edited

Loading

⚠️ No Changeset found

Latest commit: c18cd62

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR


          chore(deps): update dependency brace-expansion@<1.1.13 to v5 [security]

c18cd62

renovate Bot changed the title ~~chore(deps): update dependency brace-expansion@<1.1.13 to >=1.1.14 [security]~~ chore(deps): update dependency brace-expansion@<1.1.13 to v5 [security]

renovate Bot force-pushed the renovate/npm-brace-expansion-1.1.13-vulnerability branch from f585a30 to c18cd62 Compare

May 4, 2026 10:51

SamuelAlev closed this

Contributor Author

renovate Bot commented May 4, 2026

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 5.x releases. But if you manually upgrade to 5.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

renovate Bot deleted the renovate/npm-brace-expansion-1.1.13-vulnerability branch

May 4, 2026 10:54

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels