From ca46400e27651e31a93d48c973f9dc6dcfaf0fa3 Mon Sep 17 00:00:00 2001
From: Matt Raible
Date: Tue, 21 Apr 2026 11:38:12 -0600
Subject: [PATCH 1/2] Fix CVE: add brace-expansion 1.1.13 override Fixes ReDoS vulnerability (GHSA-f886-m6hf-6m8v).
---
 ui/extensions/hello/package.json | 1 +
 1 file changed, 1 insertion(+)
diff --git a/ui/extensions/hello/package.json b/ui/extensions/hello/package.json
index da6c32f..c665c94 100644
--- a/ui/extensions/hello/package.json
+++ b/ui/extensions/hello/package.json
@@ -75,6 +75,7 @@
 "picomatch@2": "2.3.2",
 "picomatch@4": "4.0.4",
 "yaml@1": "1.10.3",
+ "brace-expansion@1": "1.1.13",
 "brace-expansion@2": "2.0.3"
 }
 }
From 5b5b400b66d2e09f6ae288afc25f66fbdc95591c Mon Sep 17 00:00:00 2001
From: Matt Raible
Date: Tue, 21 Apr 2026 13:24:58 -0600
Subject: [PATCH 2/2] Regenerate package-lock.json to sync with brace-expansion override npm ci requires the lockfile to match package.json overrides. The previous commit added the override but didn't regenerate the lockfile.
---
 ui/extensions/hello/package-lock.json | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/ui/extensions/hello/package-lock.json b/ui/extensions/hello/package-lock.json
index d026da7..7414e98 100644
--- a/ui/extensions/hello/package-lock.json
+++ b/ui/extensions/hello/package-lock.json
@@ -8997,9 +8997,9 @@ } }, "node_modules/purgecss/node_modules/brace-expansion": { - "version": "1.1.12", - "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz", - "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==", + "version": "1.1.13", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.13.tgz", + "integrity": "sha512-9ZLprWS6EENmhEOpjCYW2c8VkmOvckIJZfkr7rBW6dObmfgJ/L1GpSYW5Hpo9lDz4D1+n0Ckz8rU7FwHDQiG/w==", "license": "MIT", "dependencies": { "balanced-match": "^1.0.0",
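Review bot: The new `"brace-expansion@1": "1.1.13"` override in ui/extensions/hello/package.json is an exact pin whose reason (GHSA-f886-m6hf-6m8v) is recorded only in the commit message, so nothing in the tree says when it can be dropped. package.json cannot hold a comment, so the advisory id and the removal condition would be better kept next to the file, for example in a short overrides section of the extension's README. The exact version matches the neighbouring entries, but it also holds every 1.x consumer at 1.1.13 until someone revisits the pin by hand. As a check after install, `npm ls brace-expansion` should list no 1.x copy below 1.1.13; the lockfile hunks shown update the copies under purgecss and test-exclude, and any others are outside what is visible here. The overrides object begins outside the hunk.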
@@ -10052,9 +10052,9 @@ } }, "node_modules/test-exclude/node_modules/brace-expansion": { - "version": "1.1.12", - "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz", - "integrity": "sha512-9T9UjW3r0UW5c1Q7GTwllptXwhvYmEzFhzMfZ9H7FQWt+uZePjZPjBP/W1ZEyZ1twGWom5/56TF4lPcqjnDHcg==", + "version": "1.1.13", + "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.13.tgz", + "integrity": "sha512-9ZLprWS6EENmhEOpjCYW2c8VkmOvckIJZfkr7rBW6dObmfgJ/L1GpSYW5Hpo9lDz4D1+n0Ckz8rU7FwHDQiG/w==", "dev": true, "license": "MIT", "dependencies": {