Critical Security Patch: brace-expansion@2 Updated to 5.0.5 to Fix Infinite Loop Vulnerability (CVE-2026-33750)
A critical security vulnerability in the widely used `brace-expansion` npm package has triggered an urgent dependency update. The flaw, tracked as CVE-2026-33750, allows a maliciously crafted brace pattern with a zero step value—such as `{1..2..0}`—to cause the sequence generation loop to run indefinitely. This creates a denial-of-service (DoS) vector, potentially crashing or hanging any application that processes untrusted input using the vulnerable library.
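As an added example (not the `brace-expansion` package's own code, which this page does not show), a minimal numeric-range expander illustrates the guard that a zero-step pattern like `{1..2..0}` needs: the step is validated before the generation loop runs, and the expansion size is capped so an oversized range cannot exhaust memory either. Function names and the item limit are assumptions.

```javascript
// Added example, not the library's code: a small {start..end..step}
// expander hardened against the zero-step infinite loop described above.
// A naive loop of the form `for (i = start; i <= end; i += step)` never
// terminates when step is 0; this version refuses such input up front.

const SEQ_RE = /^\{(-?\d+)\.\.(-?\d+)(?:\.\.(-?\d+))?\}$/;

// Parse "{a..b}" or "{a..b..s}" into numbers; null if not a numeric range.
function parseSequence(pattern) {
  const m = SEQ_RE.exec(pattern);
  if (!m) return null;
  return {
    start: parseInt(m[1], 10),
    end: parseInt(m[2], 10),
    step: m[3] === undefined ? 1 : parseInt(m[3], 10),
  };
}

// Expand a numeric sequence. Throws RangeError on a zero step instead of
// looping forever, and when the result would exceed maxItems (assumed cap).
function expandSequence(pattern, maxItems = 10000) {
  const seq = parseSequence(pattern);
  if (seq === null) return [pattern]; // not a range: pass through unchanged
  if (seq.step === 0) {
    throw new RangeError(`zero step in brace pattern: ${pattern}`);
  }
  const step = Math.abs(seq.step);
  const dir = seq.end >= seq.start ? 1 : -1;
  // Number of items is computed up front, so the loop is always bounded.
  const count = Math.floor(Math.abs(seq.end - seq.start) / step) + 1;
  if (count > maxItems) {
    throw new RangeError(`pattern expands to ${count} items (limit ${maxItems})`);
  }
  const out = [];
  for (let i = 0; i < count; i++) {
    out.push(String(seq.start + dir * i * step));
  }
  return out;
}

// For untrusted input: return null on a rejected pattern rather than
// throwing, so a caller can log and drop the request instead of hanging.
function safeExpand(pattern, maxItems) {
  try {
    return expandSequence(pattern, maxItems);
  } catch (e) {
    if (e instanceof RangeError) return null;
    throw e;
  }
}
```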
The update, documented in a GitHub pull request, jumps the dependency from version 2.0.3 directly to 5.0.5, a major version leap that underscores the severity of the fix. The patch is flagged with a high-priority [SECURITY] tag, and the PR references an official GitHub Security Advisory (GHSA-f886-m6hf-6m8v) for the CVE. Notably, the automated update process encountered issues, with a warning stating that some dependencies could not be looked up, pointing developers to a Dependency Dashboard for further investigation.
This vulnerability poses a significant supply chain risk. `brace-expansion` is a fundamental utility for filename and string expansion, embedded in countless build tools, development environments, and backend services. Any project still relying on the outdated `brace-expansion@2` branch is now exposed. The silent, resource-exhaustion nature of the attack makes it a potent threat for systems that parse user-generated data, requiring immediate remediation by development and security teams to prevent potential service disruption.