Security: Critical npm vulnerability in @isaacs/brace-expansion blocks CI #403

@WilliamBerryiii

Description

Summary

The CI build for PR #401 failed due to a critical npm security vulnerability in @isaacs/brace-expansion@5.0.0. This package has an Uncontrolled Resource Consumption vulnerability that causes npm audit to fail with exit code 1.

Vulnerability Details

| Field | Value |
|---|---|
| Package | @isaacs/brace-expansion |
| Version | 5.0.0 |
| Severity | Critical |
| Advisory | GHSA-7h2j-956f-4vf2 |
| Vulnerability Type | Uncontrolled Resource Consumption (CWE-400) |
| Fix Available | Yes (npm audit fix) |

Impact

  • CI Pipeline: Blocks all PR merges due to npm audit --audit-level=moderate check failure
  • Security Risk: Applications using the affected version may be vulnerable to denial-of-service through resource exhaustion
  • Dependency Chain: Package is located at node_modules/@isaacs/brace-expansion (likely transitive dependency)

Reproduction

npm audit --audit-level=moderate

Output:

# npm audit report

@isaacs/brace-expansion  5.0.0
Severity: critical
@isaacs/brace-expansion has Uncontrolled Resource Consumption - https://github.com/advisories/GHSA-7h2j-956f-4vf2
fix available via `npm audit fix`
node_modules/@isaacs/brace-expansion

1 critical severity vulnerability

Resolution Steps

  1. Run npm audit fix to apply automatic fix
  2. If automatic fix fails, investigate dependency tree with npm ls @isaacs/brace-expansion
  3. Update parent package(s) that depend on vulnerable version
  4. Regenerate package-lock.json with fixed versions
  5. Verify fix with npm audit --audit-level=moderate
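The CI gate described above (`npm audit --audit-level=moderate` failing with exit code 1) can be reproduced offline on the audit's JSON report. The following is an added example, not code from this issue or the project; it assumes the `npm audit --json` report shape of npm v7 and later (`vulnerabilities` keyed by package name, with `severity`, `isDirect`, `via`, `nodes` and `fixAvailable`), and the sample report is constructed to mirror the finding in this issue.

```python
"""Mirror the severity gate of `npm audit --audit-level=<level>` on a JSON report."""
import json

# Ranking npm applies to --audit-level (info < low < moderate < high < critical).
SEVERITY_ORDER = {"info": 0, "low": 1, "moderate": 2, "high": 3, "critical": 4}

# Constructed sample of `npm audit --json` (npm v7+ shape), reduced to the
# fields this gate reads; it mirrors the advisory reported in the issue.
SAMPLE_AUDIT_JSON = json.dumps({
    "vulnerabilities": {
        "@isaacs/brace-expansion": {
            "name": "@isaacs/brace-expansion",
            "severity": "critical",
            "isDirect": False,          # reached through another dependency
            "range": "5.0.0",
            "nodes": ["node_modules/@isaacs/brace-expansion"],
            "fixAvailable": True,
            "via": [{                   # dicts are advisories, strings are parents
                "title": "Uncontrolled Resource Consumption",
                "url": "https://github.com/advisories/GHSA-7h2j-956f-4vf2",
                "severity": "critical",
                "cwe": ["CWE-400"],
            }],
        }
    },
    "metadata": {"vulnerabilities": {"critical": 1, "total": 1}},
})


def findings_at_or_above(audit_json: str, level: str) -> list:
    """Return findings whose severity meets `level`, with the fields a triage needs."""
    threshold = SEVERITY_ORDER[level]
    hits = []
    for name, vuln in json.loads(audit_json).get("vulnerabilities", {}).items():
        if SEVERITY_ORDER.get(vuln.get("severity"), 0) < threshold:
            continue
        advisories = [v for v in vuln.get("via", []) if isinstance(v, dict)]
        hits.append({
            "package": name,
            "severity": vuln["severity"],
            "range": vuln.get("range"),
            "paths": vuln.get("nodes", []),
            "fix_available": bool(vuln.get("fixAvailable")),
            "transitive": not vuln.get("isDirect", False),
            "advisories": [a.get("url") for a in advisories],
        })
    return hits


def audit_exit_code(audit_json: str, level: str = "moderate") -> int:
    """1 when any finding meets the level (what makes the CI step fail), else 0."""
    return 1 if findings_at_or_above(audit_json, level) else 0


if __name__ == "__main__":
    for hit in findings_at_or_above(SAMPLE_AUDIT_JSON, "moderate"):
        print(hit)
    raise SystemExit(audit_exit_code(SAMPLE_AUDIT_JSON))
```

Running `npm audit --json > audit.json` in the repository and feeding that file to `findings_at_or_above` lists the transitive paths to check with `npm ls` before regenerating the lockfile.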

Acceptance Criteria

  • npm audit --audit-level=moderate passes with no critical/high vulnerabilities
  • package-lock.json updated with patched dependency versions
  • CI pipeline passes security audit check
  • No functionality regressions from dependency update

References
