From 66da06fc006f4ce97693881764be6308e9b42848 Mon Sep 17 00:00:00 2001
From: Aakash Hotchandani
Date: Wed, 27 May 2026 16:11:02 +0530
Subject: [PATCH] fix(security): bump braces 3.0.2 -> 3.0.3 to fix ReDoS (SDK-6068)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

braces < 3.0.3 is vulnerable to uncontrolled resource consumption (ReDoS) via malformed brace expansion — GHSA-grv7-fg5c-xmjg (CWE-400, CVSS 6.5). It reaches this repo transitively (nightwatch -> chokidar -> braces) and is used during nightwatch test-path glob expansion.

Surgical lockfile-only edit (lockfileVersion 1 preserved):
- braces 3.0.2 -> 3.0.3 (requires fill-range ^7.1.1)
- fill-range 7.0.1 -> 7.1.1 (braces 3.0.3's pinned dependency; to-regex-range dep unchanged)

Verified: `npm ci` succeeds against the edited lockfile and resolves braces@3.0.3 / fill-range@7.1.1 — vulnerable braces@3.0.2 is gone.

Co-Authored-By: Claude Opus 4.7 (1M context)
---
 package-lock.json | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 1c9eb9e..385158c 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -203,11 +203,11 @@
       }
     },
     "braces": {
-      "version": "3.0.2",
-      "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.2.tgz",
-      "integrity": "sha512-b8um+L1RzM3WDSzvhm6gIz1yfTbBt6YTlcEKAvsmqCZZFw46z626lVj9j1yEPW33H5H+lBQpZMP1k8l+78Ha0A==",
+      "version": "3.0.3",
+      "resolved": "https://registry.npmjs.org/braces/-/braces-3.0.3.tgz",
+      "integrity": "sha512-yQbXgO/OSZVD2IsiLlro+7Hf6Q18EJrKSEsdoMzKePKXct3gvD8oLcOQdIzGupr5Fj+EDe8gO/lxc1BzfMpxvA==",
       "requires": {
-        "fill-range": "^7.0.1"
+        "fill-range": "^7.1.1"
       }
     },
     "browser-process-hrtime": {
@@ -623,9 +623,9 @@
       }
     },
     "fill-range": {
-      "version": "7.0.1",
-      "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.0.1.tgz",
-      "integrity": "sha512-qOo9F+dMUmC2Lcb4BbVvnKJxTPjCm+RRpe4gDuGrzkL7mEVl/djYSu2OdQ2Pa302N4oqkSg9ir6jaLWJ2USVpQ==",
+      "version": "7.1.1",
+      "resolved": "https://registry.npmjs.org/fill-range/-/fill-range-7.1.1.tgz",
+      "integrity": "sha512-YsGpe3WHLK8ZYi4tWDg2Jy3ebRz2rXowDxnld4bkQB00cc/1Zw9AWnC0i9ztDJitivtQvaI9KaLyKrc+hBW0yg==",
       "requires": {
         "to-regex-range": "^5.0.1"
       }