[GHSA-v6h2-p8h4-qcjw] brace-expansion Regular Expression Denial of Service vulnerability

[davidhornmarkINGKA]

Updates

• Affected products
• CVSS v3
• CVSS v4

Comments
https://github.com/juliangruber/brace-expansion/releases has released patched versions and published them to npm.

[Copilot]

Pull Request Overview

This PR updates the GitHub advisory for the brace-expansion Regular Expression Denial of Service issue by adjusting timestamps, severity scoring, and splitting affected version ranges per major release.

• Updated the modified timestamp.
• Replaced CVSS v3 entry with a CVSS v4 score.
• Expanded ranges into separate blocks for each major version and added database_specific metadata.

Comments suppressed due to low confidence (1)

advisories/github-reviewed/2025/06/GHSA-v6h2-p8h4-qcjw/GHSA-v6h2-p8h4-qcjw.json:13

• The original CVSS v3 entry was removed; to preserve full severity context you should retain both CVSS v3 and CVSS v4 objects in the severity array.

"type": "CVSS_V4",

[Copilot]

This range block is intended for versions <2.0.2; use "introduced": "2.0.0" instead of "0" to avoid overlap with the 0–1.x block.

Suggested change

	"introduced": "0"
	"introduced": "2.0.0"

[Copilot]

For the 3.x range, set "introduced": "3.0.0" rather than "0" to clearly delimit the affected versions.

Suggested change

	"introduced": "0"
	"introduced": "3.0.0"

[Copilot]

For the 4.x range, use "introduced": "4.0.0" instead of "0" to avoid unintentional overlap with earlier ranges.

Suggested change

	"introduced": "0"
	"introduced": "4.0.0"

[davidhornmarkINGKA]

Not sure why it instantly gives error to the vector string when trying to improve advisory: