fix: upgrade brace-expansion to 5.0.5 to address CVE-2026-33750

devin-ai-integration[bot] · davidkonigsberg · devin-ai-integration[bot] · commit dc0b77948bb8 · 2026-03-30T14:28:48.000Z
Add brace-expansion override to resolve Dependabot alert #20. brace-expansion >= 4.0.0, < 5.0.5 is vulnerable to a zero-step sequence causing process hang and memory exhaustion (CWE-400). Rebuild dist to include the patched dependency. Co-Authored-By: David Konigsberg <davidakonigsberg@gmail.com>
diff --git a/dist/index.js b/dist/index.js
@@ -40261,7 +40261,7 @@ const slashPattern = /\\\\/g;
 const openPattern = /\\{/g;
 const closePattern = /\\}/g;
 const commaPattern = /\\,/g;
-const periodPattern = /\\./g;
+const periodPattern = /\\\./g;
 exports.EXPANSION_MAX = 100_000;
 function numeric(str) {
     return !isNaN(str) ? parseInt(str, 10) : str.charCodeAt(0);
@@ -40388,7 +40388,9 @@ function expand_(str, max, isTop) {
             const x = numeric(n[0]);
             const y = numeric(n[1]);
             const width = Math.max(n[0].length, n[1].length);
-            let incr = n.length === 3 && n[2] !== undefined ? Math.abs(numeric(n[2])) : 1;
+            let incr = n.length === 3 && n[2] !== undefined ?
+                Math.max(Math.abs(numeric(n[2])), 1)
+                : 1;
             let test = lte;
             const reverse = y < x;
             if (reverse) {
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -35,6 +35,7 @@
     "vitest": "^4.0.18"
   },
   "overrides": {
-    "undici": "^6.24.1"
+    "undici": "^6.24.1",
+    "brace-expansion": "^5.0.5"
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -35,6 +35,7 @@`
`35`	`35`	`"vitest": "^4.0.18"`
`36`	`36`	`},`
`37`	`37`	`"overrides": {`
`38`		`- "undici": "^6.24.1"`
	`38`	`+ "undici": "^6.24.1",`
	`39`	`+ "brace-expansion": "^5.0.5"`
`39`	`40`	`}`
`40`	`41`	`}`