Brace expansion is a lightweight npm package providing brace expansion functionality, mirroring the behavior found in popular shells like sh and bash. Version 1.1.4, released on May 1st, 2016, builds upon the previous stable version 1.1.3, released on February 11th, 2016, with notable dependency updates. The core functionality remains the same, offering developers a simple way to expand brace expressions into a list of possible strings. This is particularly useful in scenarios involving file system operations, command-line argument parsing, or any application requiring string generation based on patterns.
The key difference lies in the dependencies. Both versions depend on concat-map 0.0.1, but the balanced-match dependency moves from ^0.3.0 in 1.1.3 to ^0.4.1 in 1.1.4 (for a 0.x package a caret range stays within the minor line, so this is effectively 0.4.x), and the tape devDependency moves from 4.4.0 to 4.5.1. balanced-match is the helper that locates matching pairs of delimiters such as braces, so the bump most likely picks up bug fixes in that matching logic; the tape change affects only the test suite and not the published code. Developers on 1.1.3 should check whether the balanced-match change matters to them before moving to 1.1.4. Note that neither version addresses the regular expression denial of service issues listed below, which are fixed only in 1.1.7 and later. Both versions are MIT licensed and share the same author and repository.
Vulnerabilities affecting version 1.1.4 of the package
ReDoS in brace-expansion
Versions of brace-expansion before 1.1.7 are vulnerable to a regular expression denial of service (ReDoS): a crafted brace expression makes the library's regular expression matching backtrack excessively, so a single call to expand() can block the Node.js event loop for a long time. The package is usually a transitive dependency (minimatch, and through it glob, depend on it), so the crafted pattern can arrive as a user-supplied file pattern or command-line argument rather than through a direct call. Proof of concept from the advisory:
var expand = require('brace-expansion');
// A brace group of about a hundred empty alternatives followed by a newline;
// on versions before 1.1.7 this input triggers the pathological backtracking.
expand('{,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\n}');
Update to version 1.1.7 or later.
brace-expansion Regular Expression Denial of Service vulnerability
A second, separately tracked vulnerability was found in juliangruber brace-expansion up to 1.1.11, 2.0.1, 3.0.0 and 4.0.0, so it covers every release line, including 1.1.4 and the 1.1.7 release that fixed the issue above. It has been rated as problematic. The affected code is the function expand in index.js; a crafted input causes inefficient regular expression complexity (catastrophic backtracking). The attack may be launched remotely, but attack complexity is rather high and exploitation is known to be difficult; an exploit has nevertheless been disclosed publicly and may be used. Upgrading to version 1.1.12, 2.0.2, 3.0.1 or 4.0.1 (whichever matches the major line in use) addresses the issue. The fixing commit is a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to upgrade the affected component; in particular, a dependency range such as ^1.1.7 that was chosen to clear the earlier advisory does not satisfy this one and must be raised to ^1.1.12 or later.
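Because brace-expansion is almost always pulled in transitively, a practical check is to walk the installed dependency tree and test every copy against the fixed releases named in the two advisories above. The following Node.js script is an added example, not code from the advisories or the brace-expansion project. It assumes the nested "dependencies" object shape that `npm ls --all --json` prints (the tree can also be saved to a file and passed as the first argument), and it embeds a constructed sample tree with made-up package names and versions so it runs offline. The advisory titles and fixed-version lists are taken from the page; everything else (function names, the sample data) is illustrative.

```javascript
'use strict';

// Fixed releases as stated in the two advisories above. A version is treated
// as affected when it is below the fixed release on its own major line; a
// version with no fix listed for its major line is affected only if it
// predates the earliest fix of that advisory.
const ADVISORIES = [
  { title: 'ReDoS in brace-expansion (fixed in 1.1.7)',
    fixed: ['1.1.7'] },
  { title: 'brace-expansion ReDoS (fixed in 1.1.12 / 2.0.2 / 3.0.1 / 4.0.1)',
    fixed: ['1.1.12', '2.0.2', '3.0.1', '4.0.1'] },
];

// Parse "major.minor.patch[-prerelease][+build]" into three numbers.
// Prerelease and build metadata are ignored, which is enough for these ranges.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error('unparseable version: ' + v);
  return m.slice(1, 4).map(Number);
}

// Comparator returning -1, 0 or 1 (usable directly with Array.prototype.sort).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version, advisory) {
  const major = parseVersion(version)[0];
  const sameLine = advisory.fixed.find(f => parseVersion(f)[0] === major);
  if (sameLine) return compareVersions(version, sameLine) < 0;
  const earliest = advisory.fixed.slice().sort(compareVersions)[0];
  return compareVersions(version, earliest) < 0;
}

// Recursively walk the nested "dependencies" objects emitted by `npm ls --json`
// and collect every installed copy of `name` together with the path to it.
function findPackages(tree, name, path = [], out = []) {
  const deps = (tree && tree.dependencies) || {};
  for (const [dep, info] of Object.entries(deps)) {
    const here = path.concat(dep);
    if (dep === name && info && info.version) {
      out.push({ path: here.join(' > '), version: info.version });
    }
    findPackages(info, name, here, out);
  }
  return out;
}

// Report every installed brace-expansion with the advisories that still apply.
function audit(tree) {
  return findPackages(tree, 'brace-expansion').map(hit => Object.assign({}, hit, {
    advisories: ADVISORIES.filter(a => isAffected(hit.version, a)).map(a => a.title),
  }));
}

// Constructed sample in the shape of `npm ls --all --json`. Package names and
// versions are made up for this example and do not describe real packages.
const SAMPLE_NPM_LS = {
  name: 'example-app',
  version: '0.1.0',
  dependencies: {
    'glob-tool': { version: '2.3.0',
      dependencies: { 'brace-expansion': { version: '1.1.11' } } },
    'newer-tool': { version: '5.0.1',
      dependencies: { matcher: { version: '1.0.0',
        dependencies: { 'brace-expansion': { version: '2.0.2' } } } } },
    'legacy-tool': { version: '0.9.0',
      dependencies: { 'brace-expansion': { version: '1.1.6' } } },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  const input = process.argv[2]
    ? JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'))
    : SAMPLE_NPM_LS;
  for (const hit of audit(input)) {
    const status = hit.advisories.length ? hit.advisories.join('; ') : 'not affected';
    console.log(`${hit.path} ${hit.version}: ${status}`);
  }
}
```

Run it as `npm ls brace-expansion --all --json > tree.json && node audit-brace-expansion.js tree.json`. With the embedded sample it flags the 1.1.11 copy for the second advisory only, the 1.1.6 copy for both, and reports the 2.0.2 copy as clean; `npm audit` reaches the same conclusion when the registry is available, but this offline variant makes the range logic explicit and works on a saved tree dump.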