Skip to content

Bump brace-expansion to 5.0.6 to resolve Dependabot alert#987

Merged
oalders merged 1 commit into
mainfrom
bump-brace-expansion-5.0.6
Jul 8, 2026
Merged

Bump brace-expansion to 5.0.6 to resolve Dependabot alert#987
oalders merged 1 commit into
mainfrom
bump-brace-expansion-5.0.6

Conversation

@oalders

@oalders oalders commented Jul 8, 2026

Copy link
Copy Markdown
Owner

Summary

Resolves the single open Dependabot alert (#102) — a medium-severity DoS advisory in brace-expansion where a large numeric range defeats the documented max protection. Affected range is >= 5.0.0, < 5.0.6.

brace-expansion is a transitive dependency, pinned at 5.0.5 in three places in the lockfile (via eslint, editorconfig, and @eslint/config-array). This bumps those three entries to 5.0.6, reusing the resolved URL and integrity hash already present in the lockfile (markdownlint-cli already resolves 5.0.6). The bump satisfies the existing ^5.0.5 ranges, and the balanced-match ^4.0.2 dependency is already met at 4.0.4.

The top-level brace-expansion at 1.1.13 is v1 and outside the affected range, so it is untouched.

Notes

  • Edited the lockfile directly rather than via npm audit fix because the sandbox blocks the npm registry. Only version/resolved/integrity changed — 9 lines, no reformat.
  • node_modules is not reconciled by this change; a plain npm install will sync the installed tree.

🤖 Generated with Claude Code

Resolves a medium-severity DoS advisory where a large numeric range
defeats brace-expansion's documented `max` protection (vulnerable
< 5.0.6). Bumps the three transitive 5.0.5 entries (via eslint,
editorconfig, @eslint/config-array) in the lockfile to 5.0.6.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@oalders oalders merged commit 6a546ac into main Jul 8, 2026
3 checks passed
@oalders oalders deleted the bump-brace-expansion-5.0.6 branch July 8, 2026 11:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant