
fix(deps): update vulnerable transient dependencies#1714

Merged
jennifer-shehane merged 1 commit into cypress-io:master from MikeMcC399:audit-fix
Mar 31, 2026

Conversation

@MikeMcC399
Collaborator

@MikeMcC399 MikeMcC399 commented Mar 31, 2026

Situation

npm audit reports vulnerabilities:

$ npm audit
# npm audit report

brace-expansion  <1.1.13 || >=4.0.0 <5.0.5
Severity: moderate
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
brace-expansion: Zero-step sequence causes process hang and memory exhaustion - https://github.com/advisories/GHSA-f886-m6hf-6m8v
fix available via `npm audit fix`
node_modules/@eslint/config-array/node_modules/brace-expansion
node_modules/brace-expansion
node_modules/eslint/node_modules/brace-expansion

picomatch  <=2.3.1 || 4.0.0 - 4.0.3
Severity: high
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching - https://github.com/advisories/GHSA-3v7f-55p6-f55p
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
Picomatch has a ReDoS vulnerability via extglob quantifiers - https://github.com/advisories/GHSA-c2c7-rcm5-vvqj
fix available via `npm audit fix`
node_modules/@stylistic/eslint-plugin/node_modules/picomatch
node_modules/picomatch

2 vulnerabilities (1 moderate, 1 high)

To address all issues, run:
  npm audit fix

Change

Execute npm audit fix and rebuild action.


Note

Medium Risk
Updates glob/brace parsing logic via dependency bumps and regenerated dist/index.js, which could subtly change pattern matching behavior and impact which files are selected at runtime. Changes are security-motivated but touch regex/parsing paths that are easy to regress without coverage.

Overview
Updates transient dependencies flagged by npm audit (notably brace-expansion and picomatch) and regenerates the bundled dist/index.js.

The rebuilt bundle incorporates upstream hardening: brace-expansion now prevents zero-step numeric ranges from hanging by clamping the sequence increment to at least 1, and picomatch adds prototype-safe POSIX tables plus new detection/mitigation for risky repeated +(...)/*(...) extglob patterns to avoid ReDoS/misparsing.

Written by Cursor Bugbot for commit 7a436f7.

Updates
brace-expansion to 1.1.13 & 5.0.5
picomatch to 2.3.2 & 4.0.4
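As an added example (not code from this PR or from cypress-io/github-action), the following Node.js script checks resolved package versions against the vulnerable ranges that npm audit printed above and illustrates the zero-step clamp that the Bugbot note describes for brace-expansion. The minimal semver comparator, the `inRange` range parser, the `findVulnerable` helper and the sample installed-package map are all constructed for illustration; the real fix lives in the brace-expansion and picomatch packages, not here.

```javascript
// Added example: verify that every nested copy of a package named in the
// audit report has left the vulnerable range, and show the zero-step guard.
// Nothing here is the project's own code; the comparator is deliberately
// minimal (prerelease tags are ignored, which is an assumption).

// Parse "1.2.3" (optionally "v1.2.3") into [1, 2, 3].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Evaluate one npm-audit style range such as "<1.1.13 || >=4.0.0 <5.0.5"
// or "<=2.3.1 || 4.0.0 - 4.0.3": alternatives split on "||", a hyphen range
// is inclusive on both ends, and space-separated comparators are AND-ed.
function inRange(version, range) {
  return range.split('||').some((alt) => {
    alt = alt.trim();
    const hyphen = /^(\S+)\s+-\s+(\S+)$/.exec(alt);
    if (hyphen) {
      return compareVersions(version, hyphen[1]) >= 0 &&
             compareVersions(version, hyphen[2]) <= 0;
    }
    return alt.split(/\s+/).every((cmp) => {
      const m = /^(<=|>=|<|>|=)?(.+)$/.exec(cmp);
      const op = m[1] || '=';
      const c = compareVersions(version, m[2]);
      switch (op) {
        case '<': return c < 0;
        case '<=': return c <= 0;
        case '>': return c > 0;
        case '>=': return c >= 0;
        default: return c === 0;
      }
    });
  });
}

// Vulnerable ranges copied from the npm audit report in the PR description.
const VULNERABLE = {
  'brace-expansion': '<1.1.13 || >=4.0.0 <5.0.5',
  'picomatch': '<=2.3.1 || 4.0.0 - 4.0.3',
};

// installed: map of node_modules path -> { name, version }, the shape you
// would build from the lockfile. Returns the copies still in a bad range;
// an empty array means the audit fix reached every nested copy.
function findVulnerable(installed) {
  return Object.entries(installed)
    .filter(([, { name, version }]) =>
      VULNERABLE[name] !== undefined && inRange(version, VULNERABLE[name]))
    .map(([path, { name, version }]) => `${path}: ${name}@${version}`);
}

// Constructed sample: two copies were bumped, two were not.
const SAMPLE_INSTALLED = {
  'node_modules/brace-expansion': { name: 'brace-expansion', version: '1.1.12' },
  'node_modules/eslint/node_modules/brace-expansion': { name: 'brace-expansion', version: '5.0.5' },
  'node_modules/picomatch': { name: 'picomatch', version: '2.3.2' },
  'node_modules/@stylistic/eslint-plugin/node_modules/picomatch': { name: 'picomatch', version: '4.0.3' },
};

// Numeric range expansion in the spirit of bash's {1..5..2}. The hardened
// form clamps a zero (or negative) step to at least 1, which is the guard the
// Bugbot note attributes to brace-expansion 1.1.13 / 5.0.5; without it a
// zero step never advances the loop and the process hangs while growing out[].
function expandNumericRange(start, end, step = 1) {
  const incr = Math.max(1, Math.abs(step)); // the guard
  const out = [];
  if (start <= end) {
    for (let i = start; i <= end; i += incr) out.push(i);
  } else {
    for (let i = start; i >= end; i -= incr) out.push(i);
  }
  return out;
}

console.log(findVulnerable(SAMPLE_INSTALLED));
console.log(expandNumericRange(1, 5, 0));
```

Run the check against your own lockfile after `npm audit fix`: the nested copies under `node_modules/eslint/node_modules/...` and `node_modules/@stylistic/eslint-plugin/node_modules/...` are the ones a top-level `npm ls` can hide, and they are exactly the paths the audit report listed.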

@MikeMcC399 MikeMcC399 added the labels bug (Something isn't working) and type: dependencies on Mar 31, 2026
@MikeMcC399 MikeMcC399 self-assigned this Mar 31, 2026
@MikeMcC399 MikeMcC399 marked this pull request as ready for review March 31, 2026 12:11
@jennifer-shehane jennifer-shehane merged commit 783cb3f into cypress-io:master Mar 31, 2026
88 checks passed
@github-actions

🎉 This PR is included in version 7.1.9 🎉

The release is available on:

Your semantic-release bot 📦🚀

@MikeMcC399 MikeMcC399 deleted the audit-fix branch March 31, 2026 14:01