chore: audit brace-expansion cp-13.25.0

[DDDDDanica]

Description

Upgrades brace-expansion from 5.0.3 to 5.0.5 in the lockfile to resolve a moderate-severity ReDoS advisory [GHSA-f886-m6hf-6m8v]. Also picks up incidental patch bumps to brace-expansion v1 and v2.

Changelog

CHANGELOG entry: null

Related issues

Fixes:

Manual testing steps

1. Go to this page...

Screenshots/Recordings

Before

After

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Extension Coding Standards.
• I've completed the PR template to the best of my ability
• I’ve included tests if applicable
• I’ve documented my code using JSDoc format if applicable
• I’ve applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---

Note

Low Risk
Lockfile-only dependency bumps; main risk is unexpected tooling/build behavior changes from the updated transitive package versions.

Overview
Updates yarn.lock to bump brace-expansion across supported ranges (^1.1.7, ^2.0.1, ^5.0.2) to newer patch versions (notably 5.0.3 → 5.0.5), refreshing the associated resolved tarballs and checksums to pick up the security advisory fix.

^{Written by Cursor Bugbot for commit 08903ce. This will update automatically on new commits. Configure here.}

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[metamaskbotv2]

Builds ready [08903ce]

• builds: chrome, firefox
• builds (beta): chrome, firefox
• builds (flask): chrome, firefox
• builds (test): chrome, firefox
• builds (test-flask): chrome, firefox
• webpack builds: chrome, firefox
• webpack builds (beta): chrome, firefox
• webpack builds (flask): chrome, firefox
• webpack builds (test): chrome, firefox
• webpack builds (test-flask): chrome, firefox
• bundle size: Bundle Size Stats
• interaction-benchmark: Interaction Stats
• storybook: Storybook
• typescript migration: Dashboard
• all artifacts
• bundle viz:

  • background: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15
  • common: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19
  • ui: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21
  • content-script: 0
  • offscreen: 0

⚡ Performance Benchmarks

👆 Interaction Benchmarks

Benchmark	Metric	Mean (ms)	Min (ms)	Max (ms)	Std Dev (ms)	P75 (ms)	P95 (ms)
Load New Account	load_new_account	301	270	335	22	312	335
	total	301	270	335	22	312	335
Confirm Tx	confirm_tx	6072	6061	6097	15	6066	6097
	total	6072	6061	6097	15	6066	6097
Bridge User Actions	bridge_load_page	220	205	232	11	229	232
	bridge_load_asset_picker	284	257	332	31	288	332
	bridge_search_token	753	727	778	19	767	778
	total	1258	1246	1274	12	1274	1274

🔌 Startup Benchmarks

Benchmark	Metric	Mean (ms)	Min (ms)	Max (ms)	Std Dev (ms)	P75 (ms)	P95 (ms)
Chrome Browserify Startup Standard Home	uiStartup	1496	1262	1853	104	1534	1685
	load	1240	1032	1464	88	1273	1428
	domContentLoaded	1233	1025	1451	86	1269	1398
	domInteractive	30	18	120	21	26	87
	firstPaint	151	71	397	73	215	267
	backgroundConnect	226	205	281	11	231	246
	firstReactRender	21	13	49	5	23	32
	initialActions	2	0	7	1	2	4
	loadScripts	1021	826	1220	85	1055	1185
	setupStore	13	7	36	5	16	22
	numNetworkReqs	39	31	85	15	39	78
Chrome Browserify Startup Power User Home	uiStartup	4592	2245	10832	1920	5889	7769
	load	1375	1152	3780	273	1417	1594
	domContentLoaded	1351	1147	3766	272	1381	1577
	domInteractive	43	21	276	37	39	126
	firstPaint	265	92	1763	202	311	406
	backgroundConnect	1597	307	7643	1511	2601	4225
	firstReactRender	28	19	53	7	29	41
	initialActions	1	0	7	1	1	4
	loadScripts	1136	949	3548	268	1159	1358
	setupStore	17	6	52	9	20	33
	numNetworkReqs	130	71	289	40	136	229

🧭 User Journey Benchmarks

Benchmark	Metric	Mean (ms)	Min (ms)	Max (ms)	Std Dev (ms)	P75 (ms)	P95 (ms)
Onboarding Import Wallet	importWalletToSocialScreen	218	217	219	1	218	219
	srpButtonToSrpForm	98	91	108	7	105	108
	confirmSrpToPwForm	22	21	22	0	22	22
	pwFormToMetricsScreen	15	15	15	0	15	15
	metricsToWalletReadyScreen	16	16	16	0	16	16
	doneButtonToHomeScreen	535	531	537	3	537	537
	openAccountMenuToAccountListLoaded	3003	2916	3141	100	3109	3141
	total	3843	3820	3869	21	3858	3869
Onboarding New Wallet	createWalletToSocialScreen	220	218	222	1	221	222
	srpButtonToPwForm	108	106	111	2	109	111
	createPwToRecoveryScreen	8	8	8	0	8	8
	skipBackupToMetricsScreen	38	37	38	0	38	38
	agreeButtonToOnboardingSuccess	16	15	16	0	16	16
	doneButtonToAssetList	582	496	706	88	672	706
	total	975	884	1094	84	1057	1094
Asset Details	assetClickToPriceChart	99	93	103	4	102	103
	total	99	93	103	4	102	103
Solana Asset Details	assetClickToPriceChart	65	56	79	9	70	79
	total	65	56	79	9	70	79
Import Srp Home	loginToHomeScreen	2242	2182	2288	38	2251	2288
	openAccountMenuAfterLogin	56	40	72	12	63	72
	homeAfterImportWithNewWallet	1587	281	2666	1009	2304	2666
	total	3984	2508	5482	1159	4651	5482
Send Transactions	openSendPageFromHome	36	31	42	4	38	42
	selectTokenToSendFormLoaded	35	33	36	1	36	36
	reviewTransactionToConfirmationPage	988	730	1383	226	1074	1383
	total	968	797	1146	124	966	1146
Swap	openSwapPageFromHome	83	27	140	38	105	140
	fetchAndDisplaySwapQuotes	2693	2688	2698	3	2693	2698
	total	2783	2752	2838	31	2793	2838

🌐 Dapp Page Load Benchmarks

Current Commit: 08903ce | Date: 3/26/2026

📄 Localhost MetaMask Test Dapp

Samples: 100

Summary

• pageLoadTime-> current mean value: 1.05s (±79ms) 🟡 | historical mean value: 1.04s ⬆️ (historical data)
• domContentLoaded-> current mean value: 745ms (±87ms) 🟢 | historical mean value: 732ms ⬆️ (historical data)
• firstContentfulPaint-> current mean value: 91ms (±126ms) 🟢 | historical mean value: 85ms ⬆️ (historical data)

📈 Detailed Results

Metric	Mean	Std Dev	Min	Max	P95	P99
pageLoadTime	1.05s	79ms	1.01s	1.42s	1.32s	1.42s
domContentLoaded	745ms	87ms	706ms	1.28s	1.00s	1.28s
firstPaint	91ms	126ms	64ms	1.35s	92ms	1.35s
firstContentfulPaint	91ms	126ms	64ms	1.35s	92ms	1.35s
largestContentfulPaint	0ms	0ms	0ms	0ms	0ms	0ms

Bundle size diffs

• background: 58 Bytes (0%)
• ui: 5 Bytes (0%)
• common: 20 Bytes (0%)