chore(deps): update dependency brace-expansion@<1.1.13 to v5 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
brace-expansion@<1.1.13	^1.1.13 → ^5.0.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

brace-expansion: Large numeric range defeats documented max DoS protection

CVE-2026-45149 / GHSA-jxxr-4gwj-5jf2

More information

Details

The max option was being applied too late:

When expanding a single large numeric range like {1..10000000}, the sequence generation loop generates all 10 million intermediate elements before the max limit is applied With max=10, the output is correctly limited to 10 items, but the process still allocates ~505 MB and spends ~800ms building the full intermediate array.

Workaround

Ensure the string to be expanded doesn't contain more values than the desired max item count.

Severity

• CVSS Score: 6.5 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

References

• https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-jxxr-4gwj-5jf2
• https://github.com/juliangruber/brace-expansion/commit/c0b095bdc52bc4c36dc88deddbadabc49f8371e5
• https://github.com/advisories/GHSA-jxxr-4gwj-5jf2

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

juliangruber/brace-expansion (brace-expansion@<1.1.13)

v5.0.6

Compare Source

v5.0.5

Compare Source

v5.0.4

Compare Source

v5.0.3

Compare Source

v5.0.2

Compare Source

v4.0.1

Compare Source

• fmt 5a5cc17
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#​65) 0b6a978

---

v4.0.0

Compare Source

• feat: use string replaces instead of splits (#​64) 278132b
• fmt dd72a59
• add tea.yaml 70e4c1b

As a precaution to not risk breaking anything with 278132b, this is a new semver major release

v3.0.2

Compare Source

v3.0.1

Compare Source

• pkg: publish on tag 3.x 3059c07
• fmt 8229e6f
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#​65) 15f9b3c

---

v3.0.0

Compare Source

• Switch to ES Modules and balanced-match 3.0.0 (#​62) c0360e8
• added jsdoc (#​55) 68c0e37
• node 16 is EOL 9e781e9
• add standard 3494c4d
• use const and let (#​57) dd5a4cb
• docs 6dad209
• remove test e3dd8ae
• ci: update node versions d23ede9
• docs: add @​lanodan to contributors 1eb3fa4
• docs 1e7c9cd
• switch from tape to test module (#​60) 2520537
• Bump minimist from 1.2.5 to 1.2.6 (#​59) 61a94f1
• Bump path-parse from 1.0.6 to 1.0.7 (#​51) dc741cf
• docs: add back ci badge 8ee5626
• Add github actions, remove travis. Closes #​52 (#​53) 5c8756a
• CI: Drop unused sudo: false Travis directive (#​50) 05978a7

v2.1.0

Compare Source

v2.0.3

Compare Source

v2.0.2

Compare Source

• pkg: publish on tag 2.x 14f1d91
• fmt ed7780a
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#​65) 36603d5

---

v2.0.1

Compare Source

v2.0.0

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.