From c309805cb12895d8ec4695c4ae9e5ea6b9f6d0e7 Mon Sep 17 00:00:00 2001
From: Toby Hede
Date: Mon, 30 Mar 2026 14:39:26 +1100
Subject: [PATCH] fix(deps): patch brace-expansion to >= 5.0.5 (CVE-2026-33750)

Infinite loop DoS via zero step value in brace patterns.
Refs: CIP-2938
---
 package.json | 1 +
 pnpm-lock.yaml | 9 +++++----
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/package.json b/package.json
index 0155e07a..844d1124 100644
--- a/package.json
+++ b/package.json
@@ -49,6 +49,7 @@
 "overrides": {
 "@cipherstash/protect-ffi": "0.21.0",
 "@babel/runtime": "7.26.10",
+ "brace-expansion@^5": ">=5.0.5",
 "body-parser": "2.2.1",
 "vite": "catalog:security",
 "pg": "^8.16.3",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index e9e1a1c5..497bbb21 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -26,6 +26,7 @@ catalogs:
 overrides:
 '@cipherstash/protect-ffi': 0.21.0
 '@babel/runtime': 7.26.10
+ brace-expansion@^5: '>=5.0.5'
 body-parser: 2.2.1
 vite: 6.4.1
 pg: ^8.16.3
@@ -1254,8 +1255,8 @@ packages:
 resolution: {integrity: sha512-pbnl5XzGBdrFU/wT4jqmJVPn2B6UHPBOhzMQkY/SPUPB6QtUXtmBHBIwCbXJol93mOpGMnQyP/+BB19q04xj7g==}
 engines: {node: '>=4'}

- brace-expansion@5.0.3:
- resolution: {integrity: sha512-fy6KJm2RawA5RcHkLa1z/ScpBeA762UF9KmZQxwIbDtRJrgLzM10depAiEQ+CXYcoiqW1/m96OAAoke2nE9EeA==}
+ brace-expansion@5.0.5:
+ resolution: {integrity: sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==}
 engines: {node: 18 || 20 || >=22}

 braces@3.0.3:
@@ -3292,7 +3293,7 @@ snapshots:
 dependencies:
 is-windows: 1.0.2

- brace-expansion@5.0.3:
+ brace-expansion@5.0.5:
 dependencies:
 balanced-match: 4.0.4

@@ -3717,7 +3718,7 @@ snapshots:

 minimatch@10.2.4:
 dependencies:
- brace-expansion: 5.0.3
+ brace-expansion: 5.0.5

 minimist@1.2.8: {}

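Review bot: The override added in the package.json hunk, `"brace-expansion@^5": ">=5.0.5"`, has no upper bound, so a later lockfile regeneration could resolve dependents that asked for the 5.x line to a future major release. `"brace-expansion@^5": "^5.0.5"` keeps the patched floor while staying within 5.x. The `@^5` selector also appears to rewrite only dependents whose requested range matches ^5, so any brace-expansion copies on other major lines (none are visible in these hunks) would be left untouched and are worth checking against the advisory's affected range. The `overrides` object opens in this hunk and continues past its last line.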