brace-expansion@1.1.13 has the CVE-2026-25547 issue.
Will the development team will upgrade the multimatch version?
Thanks
@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.
+-- javascript-obfuscator@5.4.1
| -- multimatch@5.0.0 | -- minimatch@3.1.5
| `-- brace-expansion@1.1.13
brace-expansion@1.1.13 has the CVE-2026-25547 issue.
Will the development team will upgrade the multimatch version?
Thanks
@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.
+-- javascript-obfuscator@5.4.1
|
-- multimatch@5.0.0 |-- minimatch@3.1.5| `-- brace-expansion@1.1.13