fix: bump brace-expansion from 5.0.3 to 5.0.5 to address CVE-2026-33750 #37379
Hoping to get a release out when/if this gets merged so that I can have a build inclusive of this change as well as #37354. Not urgent, but trying to clean up some Moderate/Low CVE noise without suppressing or installing from a branch/commit. |
aws-cdk-automation
left a comment
The pull request linter fails with the following errors:
❌ Fixes must contain a change to a test file.
❌ Fixes must contain a change to an integration test file and the resulting snapshot.
If you believe this pull request should receive an exemption, please comment and provide a justification. A comment requesting an exemption should contain the text Exemption Request. Additionally, if clarification is needed, add Clarification Request to a comment.
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
|
@Mergifyio queue |
🛑 Pull request from fork cannot be queued. This pull request comes from a fork, and Mergify needs the author's permission to update its branch. |
|
@Mergifyio merge |
❌ Sorry but I didn't understand the command. Please consult the commands documentation 📚. |
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
|
@davidkonigsberg could you enable edits from maintainers to your fork so mergify can merge the PR?
|
Pull request has been modified.
|
@aemada-aws I don't see that option anywhere in this PR or in my Fork'd repo. Feel free to just copy paste this code if needed. I don't have the bandwidth to futz with GH this afternoon :)
|
Thank you for contributing! Your pull request will be updated from main and then merged automatically (do not update manually, and be sure to allow changes to be pushed to your fork). |
|
Comments on closed issues and PRs are hard for our team to see. |


Fixes: #37390
Reason for this change
Current build uses brace-expansion version with CVE
Description of changes
bump brace-expansion from 5.0.3 to 5.0.5 to address CVE-2026-33750
Describe any new or updated permissions being added
N/A
Description of how you validated changes
patch version bump, hoping to rely on CI
Checklist
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license