Open
Description
openapi-typescript version
7.8.0
Node.js version
N/A
OS + version
N/A
Description
7.8.0 depends on brace-expansion 2.0.1, which has a vulnerability: https://osv.dev/vulnerability/GHSA-v6h2-p8h4-qcjw
which was patched here: juliangruber/brace-expansion#65; the latest version is 4.0.1.
This is a pretty deep dependency, so I understand it's not a straightforward fix, but worth flagging.
brace-expansion@1.1.11:
  resolution: {integrity: sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==}
brace-expansion@2.0.1:
  resolution: {integrity: sha512-XnAIvQ8eM+kC6aULx6wuQiwVsnzsi9d3WxzV3FpWTGA19F621kwdbsAcFKXgKUHZWsy+mY6iL1sHTxWEFCytDA==}
Reproduction
1. Look at the pnpm lock: https://github.com/openapi-ts/openapi-typescript/blob/main/pnpm-lock.yaml
2. Find "brace-expansion"
3. Search OSV: https://osv.dev/list?q=brace-expansion
Expected result
Should update; brace-expansion is a dependency of minimatch:
minimatch@3.1.2:
  dependencies:
    brace-expansion: 1.1.11
minimatch@5.1.6:
  dependencies:
    brace-expansion: 2.0.1
minimatch@9.0.5:
  dependencies:
    brace-expansion: 2.0.1
which is depended on by:
'@redocly/openapi-core@1.34.3(supports-color@10.0.0)':
  dependencies:
    '@redocly/ajv': 8.11.2
    '@redocly/config': 0.22.2
    colorette: 1.4.0
    https-proxy-agent: 7.0.6(supports-color@10.0.0)
    js-levenshtein: 1.1.6
    js-yaml: 4.1.0
    minimatch: 5.1.6
    pluralize: 8.0.0
    yaml-ast-parser: 0.0.43
  transitivePeerDependencies:
    - supports-color
'@vue/language-core@2.2.10(typescript@5.8.3)':
  dependencies:
    '@volar/language-core': 2.4.13
    '@vue/compiler-dom': 3.5.13
    '@vue/compiler-vue2': 2.7.16
    '@vue/shared': 3.5.13
    alien-signals: 1.0.13
    minimatch: 9.0.5
    muggle-string: 0.4.1
    path-browserify: 1.0.1
  optionalDependencies:
    typescript: 5.8.3
'@vue/language-core@2.2.4(typescript@5.8.3)':
  dependencies:
    '@volar/language-core': 2.4.13
    '@vue/compiler-dom': 3.5.15
    '@vue/compiler-vue2': 2.7.16
    '@vue/shared': 3.5.15
    alien-signals: 1.0.13
    minimatch: 9.0.5
    muggle-string: 0.4.1
    path-browserify: 1.0.1
  optionalDependencies:
    typescript: 5.8.3
glob@10.4.5:
  dependencies:
    foreground-child: 3.3.1
    jackspeak: 3.4.3
    minimatch: 9.0.5
    minipass: 7.1.2
    package-json-from-dist: 1.0.1
    path-scurry: 1.11.1
glob@7.2.3:
  dependencies:
    fs.realpath: 1.0.0
    inflight: 1.0.6
    inherits: 2.0.4
    minimatch: 3.1.2
    once: 1.4.0
    path-is-absolute: 1.0.1
Required
- My OpenAPI schema is valid and passes the Redocly validator (npx @redocly/cli@latest lint)
Extra
- I’m willing to open a PR (see CONTRIBUTING.md)
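Added example, not part of the issue above or of the openapi-typescript or pnpm projects: a small script that parses the `snapshots` section of a pnpm-lock.yaml and walks the reverse dependency graph from a vulnerable package id up to every top-level dependent, which is how the minimatch/glob/@redocly chains quoted above are found (the `pnpm why brace-expansion` CLI does the same against a real lockfile). The lockfile excerpt embedded in `LOCK` is constructed for the example, with versions copied from the issue; the parser only handles the two-space-indented snapshot layout shown there.

```javascript
// Constructed pnpm-lock.yaml excerpt (snapshots section only); versions copied from the issue.
const LOCK = `snapshots:
  brace-expansion@2.0.1: {}
  minimatch@5.1.6:
    dependencies:
      brace-expansion: 2.0.1
  minimatch@9.0.5:
    dependencies:
      brace-expansion: 2.0.1
  '@redocly/openapi-core@1.34.3(supports-color@10.0.0)':
    dependencies:
      minimatch: 5.1.6
  glob@10.4.5:
    dependencies:
      minimatch: 9.0.5
`;

// Minimal line-based parser for the snapshots section: Map of package id -> [dependency ids].
function parseSnapshots(text) {
  const graph = new Map();
  let current = null, inDeps = false;
  for (const raw of text.split("\n")) {
    const indent = raw.length - raw.trimStart().length, line = raw.trim();
    if (indent === 2 && line) {            // package id, e.g. "minimatch@5.1.6:" or "'@scope/x@1.0.0(peer)':"
      current = line.replace(/:\s*(\{\})?$/, "").replace(/^'|'$/g, "");
      graph.set(current, []); inDeps = false;
    } else if (indent === 4) {             // only dependencies:/optionalDependencies: blocks carry edges
      inDeps = /^(optionalD|d)ependencies:$/.test(line);
    } else if (indent === 6 && inDeps && current) {
      const [name, version] = line.replace(/'/g, "").split(/:\s+/);
      graph.get(current).push(`${name}@${version}`);   // e.g. "brace-expansion@2.0.1"
    }
  }
  return graph;
}

// Reverse-walk from a vulnerable package id to every top-level dependent; returns sorted chains.
function dependencyChains(graph, target) {
  const parents = new Map();                       // reverse edges: dep id -> [dependents]
  for (const [pkg, deps] of graph)
    for (const d of deps) parents.set(d, [...(parents.get(d) || []), pkg]);
  const chains = [];
  (function walk(pkg, path) {
    const ps = parents.get(pkg) || [];
    if (ps.length === 0) chains.push(path.join(" > "));   // nothing depends on it: chain complete
    for (const p of ps) if (!path.includes(p)) walk(p, [p, ...path]);   // skip cycles
  })(target, [target]);
  return chains.sort();
}
console.log(dependencyChains(parseSnapshots(LOCK), "brace-expansion@2.0.1"));
```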