
[lexical] Security: Fix @isaacs/brace-expansion vulnerability (CVE-2026-25547)#8175

Merged
thatmichael85 merged 1 commit into main from users/thatmichael85/brace-expansion-vulnerability-fix
Feb 27, 2026

Conversation

@thatmichael85
Contributor

Description

Resolves Dependabot alerts #462, #463, #464 for @isaacs/brace-expansion@5.0.0 (Uncontrolled Resource Consumption, HIGH severity, CVE-2026-25547).

Changes

  • Added pnpm override "@isaacs/brace-expansion": ">=5.0.1" in root package.json to force the patched version
  • Regenerated root pnpm-lock.yaml (resolves to @isaacs/brace-expansion@5.0.1)
  • Regenerated example lockfiles for extension-vanilla-tailwind and extension-vanilla-react-plugin-host which now resolve to the non-scoped brace-expansion@5.0.3 (no longer affected)

Test plan

Before

  • @isaacs/brace-expansion@5.0.0 present in root lockfile and 2 example lockfiles
  • 3 open Dependabot alerts for CVE-2026-25547

After

  • Root lockfile resolves to @isaacs/brace-expansion@5.0.1
  • Example lockfiles resolve to brace-expansion@5.0.3 (vulnerability eliminated)
  • All unit tests pass (2581 passed, 1 skipped)

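The override-then-regenerate-then-verify procedure in the description above, as an added example that is not code from the lexical repository or from this PR. It models the two steps a reviewer would want to check independently: that `pnpm.overrides` in the root `package.json` carries the `>=5.0.1` constraint, and that the regenerated `pnpm-lock.yaml` no longer contains any resolution of `@isaacs/brace-expansion` below the patched version. The lockfile fragments are constructed (lockfile v9 key style `'@scope/name@x.y.z':`, with v6 `/@scope/name@x.y.z:` keys also accepted); the function names and the `sha512-constructed` integrity strings are this example's own.

```javascript
// Added example, not code from the lexical repository: model the fix in this PR
// (a pnpm override for a vulnerable transitive dependency) and audit a regenerated
// pnpm-lock.yaml for any remaining resolution below the patched version.
// Assumptions: package keys look like "'@scope/name@1.2.3':" (pnpm lockfile v9) or
// "/@scope/name@1.2.3:" (v6); the lockfile fragments below are constructed.

const VULNERABLE_PACKAGE = '@isaacs/brace-expansion';
const PATCHED_VERSION = '5.0.1'; // first fixed release named in the PR description

// Return a copy of a package.json object with pnpm.overrides[name] = range set.
function addPnpmOverride(pkg, name, range) {
  const out = JSON.parse(JSON.stringify(pkg));
  out.pnpm = out.pnpm || {};
  out.pnpm.overrides = { ...(out.pnpm.overrides || {}), [name]: range };
  return out;
}

// Numeric compare of "major.minor.patch" strings: returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Collect every resolved version of `name` that appears as a package key in the lockfile.
// Importer entries ("'@scope/name':" followed by a "version:" line) and the overrides
// section are deliberately not matched: only concrete "name@x.y.z" keys count.
function findResolvedVersions(lockText, name) {
  const re = new RegExp(
    `^\\s*['/]?${escapeRegExp(name)}@(\\d+\\.\\d+\\.\\d+)[^'\\s:]*'?:`,
    'gm'
  );
  const found = new Set();
  for (const m of lockText.matchAll(re)) found.add(m[1]);
  return [...found].sort(compareVersions);
}

// Report which resolved versions are still below the patched version.
function auditLockfile(lockText, name, minVersion) {
  const versions = findResolvedVersions(lockText, name);
  const vulnerable = versions.filter((v) => compareVersions(v, minVersion) < 0);
  return { versions, vulnerable, clean: vulnerable.length === 0 };
}

// Constructed lockfile fragments, not the real lexical lockfiles.
const LOCK_BEFORE = `
lockfileVersion: '9.0'

packages:

  '@isaacs/brace-expansion@5.0.0':
    resolution: {integrity: sha512-constructed}
    engines: {node: 20 || >=22}

  brace-expansion@5.0.3:
    resolution: {integrity: sha512-constructed}
`;

const LOCK_AFTER = `
lockfileVersion: '9.0'

overrides:
  '@isaacs/brace-expansion': '>=5.0.1'

packages:

  '@isaacs/brace-expansion@5.0.1':
    resolution: {integrity: sha512-constructed}
    engines: {node: 20 || >=22}
`;

// Stand-alone demo: apply the override and audit both lockfile states.
const demoPkg = addPnpmOverride(
  { name: 'lexical-monorepo', private: true },
  VULNERABLE_PACKAGE,
  `>=${PATCHED_VERSION}`
);
console.log(JSON.stringify(demoPkg.pnpm, null, 2));
console.log('before:', auditLockfile(LOCK_BEFORE, VULNERABLE_PACKAGE, PATCHED_VERSION));
console.log('after: ', auditLockfile(LOCK_AFTER, VULNERABLE_PACKAGE, PATCHED_VERSION));
```

Two practical points the audit makes visible. First, a pnpm override keys on the exact package name, so `"@isaacs/brace-expansion": ">=5.0.1"` says nothing about the unscoped `brace-expansion` package that the example lockfiles now resolve to; the audit above therefore checks only the scoped name the Dependabot alerts cited, and a separate check would be needed if the unscoped package ever became the concern. Second, the override alone changes nothing until the lockfile is regenerated and committed, which is why the "After" checklist in the description verifies the resolved version in each lockfile rather than just the `package.json` edit.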

@meta-cla meta-cla bot added the CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed. label Feb 26, 2026
@etrepum etrepum added the extended-tests Run extended e2e tests on a PR label Feb 26, 2026
…26-25547)

Resolve Dependabot alerts for @isaacs/brace-expansion@5.0.0 (Uncontrolled
Resource Consumption, HIGH severity).

- Added pnpm override for @isaacs/brace-expansion >= 5.0.1 in root package.json
- Regenerated root lockfile (resolves to @isaacs/brace-expansion@5.0.1)
- Regenerated example lockfiles which now resolve to the non-scoped
  brace-expansion@5.0.3 (no longer affected)
@thatmichael85 thatmichael85 force-pushed the users/thatmichael85/brace-expansion-vulnerability-fix branch from 027d06a to 69829e4 Compare February 27, 2026 02:26
@thatmichael85 thatmichael85 added this pull request to the merge queue Feb 27, 2026
Merged via the queue into main with commit 4fc8b17 Feb 27, 2026
34 of 36 checks passed
@etrepum etrepum mentioned this pull request Mar 19, 2026