Summary
npm audit reports a new moderate-severity advisory (GHSA-jxxr-4gwj-5jf2) affecting the transitive dependency brace-expansion@5.0.5. The previous heartbeat deep check on 2026-05-15 reported 0 vulnerabilities, so this is recent drift.
Advisory
- CVE/Advisory: GHSA-jxxr-4gwj-5jf2
- Title: brace-expansion: Large numeric range defeats documented max DoS protection
- Severity: moderate (CVSS 6.5, CWE-400 — Uncontrolled Resource Consumption)
- Affected range: >=5.0.0 <5.0.6
- Fix available: yes (bump to >=5.0.6)
Where it lives
The vulnerable copy is pulled in transitively via typescript-eslint:
proofsnap-extension@1.3.1
└─┬ typescript-eslint@8.57.0
  └─┬ @typescript-eslint/typescript-estree@8.57.0
    └─┬ minimatch@10.2.4
      └── brace-expansion@5.0.5
(eslint@9.39.4 also brings in brace-expansion@1.1.14, but the 1.x line is unaffected.)
Impact
- Runtime: none — typescript-eslint is a devDependency, so the vulnerability does not ship in the built extension that loads in users' browsers.
- Build/CI: low — a malicious glob string could cause CPU exhaustion in lint/typecheck workflows, but the inputs are repo-controlled.
Treating as a hygiene fix to keep npm audit clean and avoid drift compounding.
Suggested fix
npm audit fix
# or, if minimatch still resolves to a vulnerable 5.x range:
npm update brace-expansion --depth 10
Then verify:
npm audit
npm ls brace-expansion
The expected outcome is brace-expansion@5.0.6+ and npm audit reporting 0 vulnerabilities.
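As an added example (not part of this issue or of the brace-expansion project), the check below automates the "then verify" step against package-lock.json instead of eyeballing `npm ls`: it walks the lockfile's `packages` map, finds every nested copy of brace-expansion, and flags any whose version falls inside the advisory's affected range (>=5.0.0 <5.0.6). The lockfile fragment it runs on is constructed to mirror the tree shown above (a top-level 1.1.14 copy and a 5.0.5 copy nested under minimatch@10.2.4); the `SAMPLE_LOCK`, `FIXED_LOCK`, `findAffected` and `report` names are this example's own.

```javascript
// Added example, not code from the issue or the brace-expansion project.
// Flags copies of brace-expansion in a lockfile v2/v3 "packages" map that fall
// inside the range published for GHSA-jxxr-4gwj-5jf2: >=5.0.0 <5.0.6.
// Only the 5.x line is affected; 1.x copies (e.g. 1.1.14 via eslint) are not.

const AFFECTED_MAJOR = 5;
const FIXED_IN = [5, 0, 6]; // first version outside the affected range

// "5.0.5" -> [5, 0, 5]; prerelease/build metadata is ignored for this check.
function parseVersion(version) {
  const core = version.split(/[-+]/)[0];
  return core.split('.').map((n) => parseInt(n, 10) || 0);
}

// Standard numeric compare over major.minor.patch: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True when a version is inside the advisory's affected range.
function isAffected(version) {
  const v = parseVersion(version);
  return v[0] === AFFECTED_MAJOR && compareVersions(v, FIXED_IN) < 0;
}

// Every lockfile path whose resolved brace-expansion is an affected version.
// Top-level and nested copies both end in "node_modules/brace-expansion".
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/brace-expansion')) continue;
    if (meta.version && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Human-readable summary suitable for a CI log line.
function report(lock) {
  const hits = findAffected(lock);
  if (hits.length === 0) return 'ok: no brace-expansion copy in >=5.0.0 <5.0.6';
  return hits.map((h) => `affected: ${h.path} -> brace-expansion@${h.version}`).join('\n');
}

// Constructed lockfile fragment mirroring the dependency tree in the issue.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'proofsnap-extension', version: '1.3.1' },
    'node_modules/brace-expansion': { version: '1.1.14' },
    'node_modules/minimatch': { version: '10.2.4' },
    'node_modules/minimatch/node_modules/brace-expansion': { version: '5.0.5' },
  },
};

// The same tree after the nested copy has been bumped to 5.0.6.
const FIXED_LOCK = JSON.parse(JSON.stringify(SAMPLE_LOCK));
FIXED_LOCK.packages['node_modules/minimatch/node_modules/brace-expansion'].version = '5.0.6';

console.log('before fix:\n' + report(SAMPLE_LOCK));
console.log('after fix:\n' + report(FIXED_LOCK));
```

To use it on a real repository, load `package-lock.json` with `JSON.parse(fs.readFileSync(...))`, pass it to `findAffected`, and fail the CI step when the returned list is non-empty; once `npm audit fix` has landed and the lockfile resolves to 5.0.6 or later, the list is empty, matching the expected `npm audit` outcome described above.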
Files likely touched
package-lock.json only — no package.json change should be required.
Filed by Heartbeat Deep Check on 2026-05-22 (see previous beat for 0-vulnerability baseline).