
Bump brace-expansion resolution to 5.0.5 to remediate CVE-2026-33750#2337

Merged
ardatan merged 4 commits into
mainfrom
copilot/fix-brace-expansion-zero-step
May 7, 2026

Conversation

Copilot AI commented May 7, 2026

Contributor

Dependabot flagged brace-expansion@5.0.2 (GHSA-f886-m6hf-6m8v / CVE-2026-33750), where zero-step brace sequences can trigger an unbounded expansion loop and memory exhaustion. This PR pins the repository to the lowest patched version (5.0.5) with minimal dependency churn.

  • Dependency remediation

    • Updated root Yarn resolution in package.json:
      • brace-expansion: 5.0.2 → 5.0.5
    • Regenerated yarn.lock so the resolved entry is now brace-expansion@npm:5.0.5 (vulnerable 5.0.2 entry removed).
  • Reachability Assessment

    • Advisory impact is tied to brace expansion parsing/sequence generation.
    • No direct runtime call sites to brace-expansion were found in gateway serving packages.
    • glob usage appears in internal tooling paths (internal/e2e/src/tenv.ts, internal/examples/src/convert.ts), not production request handling.
    • Assessment: no confirmed active production exposure; update primarily removes scanner-detected vulnerable resolution.
    • Confidence: High.
{
  "resolutions": {
    "brace-expansion": "5.0.5"
  }
}
Original prompt

This section details the Dependabot vulnerability alert you should resolve

<alert_title>brace-expansion: Zero-step sequence causes process hang and memory exhaustion</alert_title>
<alert_description>### Impact

A brace pattern with a zero step value (e.g., {1..2..0}) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory.

The loop in question:

https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184

test() is one of

https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113

The increment is computed as Math.abs(0) = 0, so the loop variable never advances. On a test machine, the process hangs for about 3.5 seconds and allocates roughly 1.9 GB of memory before throwing a RangeError. Setting max to any value has no effect because the limit is only checked at the output combination step, not during sequence generation.

This affects any application that passes untrusted strings to expand(), or by error sets a step value of 0. That includes tools built on minimatch/glob that resolve patterns from CLI arguments or config files. The input needed is just 10 bytes.

Patches

Upgrade to versions

  • 5.0.5+

A step increment of 0 is now sanitized to 1, which matches bash behavior.

Workarounds

Sanitize strings passed to expand() to ensure a step value of 0 is not used.</alert_description>

moderate
GHSA-f886-m6hf-6m8v, CVE-2026-33750
brace-expansion
npm
<vulnerable_versions>5.0.2</vulnerable_versions>
<patched_version>5.0.5</patched_version>
<manifest_path>yarn.lock</manifest_path>

https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-f886-m6hf-6m8v https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113 https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184 https://github.com/juliangruber/brace-expansion/issues/98 https://github.com/juliangruber/brace-expansion/pull/95 https://github.com/juliangruber/brace-expansion/pull/96 https://github.com/juliangruber/brace-expansion/pull/97 https://github.com/juliangruber/brace-expansion/commit/311ac0d54994158c0a384e286a7d6cbb17ee8ed5 https://github.com/juliangruber/brace-expansion/commit/7fd684f89fdde3549563d0a6522226a9189472a2 https://github.com/juliangruber/brace-expansion/commit/b9cacd9e55e7a1fa588fe4b7bb1159d52f1d902a https://nvd.nist.gov/vuln/detail/CVE-2026-33750 https://github.com/advisories/GHSA-f886-m6hf-6m8v

<task_instructions>Resolve this alert by updating the affected package to a non-vulnerable version. Prefer the lowest non-vulnerable version (see the patched_version field above) over the latest to minimize breaking changes. Include a Reachability Assessment section in the PR description. Review the alert_description field to understand which APIs, features, or configurations are affected, then search the codebase for usage of those specific items. If the vulnerable code path is reachable, explain how (which files, APIs, or call sites use the affected functionality) and note that the codebase is actively exposed to this vulnerability. If the vulnerable code path is not reachable, explain why (e.g. the affected API is never called, the vulnerable configuration is not used) and note that the update is primarily to satisfy vulnerability scanners rather than to address an active risk. If the advisory is too vague to determine reachability (e.g. 'improper input validation' with no specific API named), state that reachability could not be determined and explain why. Include a confidence level in the reachability assessment (e.g. high confidence if the advisory names a specific API and you confirmed it is or is not called, low confidence if the usage is indirect and hard to trace). If no patched version is available, check the alert_description field for a Workarounds section — the advisory may describe configuration changes or usage patterns that mitigate the vulnerability without a version update. If a workaround is available, apply it and leave a code comment referencing the advisory identifier explaining it is a temporary mitigation. If neither a patch nor a workaround is available, explain in the PR description why the alert cannot be resolved automatically so a human reviewer can take over. Inspect the repository to determine which package manager is used (e.g. 
lock files, config files, build scripts) and use that tooling to perform the update — do not edit lock files directly. If the version constraint in the manifest (e.g. package.json, Gemfile, pyproject.toml) caps ...
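The advisory quoted above traces the hang to an increment of Math.abs(0) = 0 in the sequence loop. What follows is an added example, not brace-expansion's code and not this repository's: a stripped-down model of the numeric `{from..to..step}` loop that shows the hang, the 5.0.5-style fix (a zero step sanitized to 1, matching bash), and a pre-expansion check that implements the advisory's workaround for code that still hands untrusted patterns to minimatch/glob on an unpatched tree. The function names, the regex and the iteration cap are assumptions of the example.

```javascript
// Added example, not brace-expansion's own code: a small model of the
// numeric sequence loop behind `{from..to..step}`, showing why step 0 hangs
// (CVE-2026-33750) and what the 5.0.5 fix and the advisory's workaround do.

// Vulnerable shape (mirrors the 5.0.2 logic as the advisory describes it):
// increment = Math.abs(step) is 0 for a zero step, so `i` never changes and
// the loop never terminates. The `maxIterations` cap exists only so this
// demo cannot hang; the real loop had no bound until it ran out of heap.
function expandSequenceUnsafe(from, to, step, maxIterations = 1000) {
  const inc = Math.abs(step);
  const reverse = from > to;
  const test = reverse ? (i) => i >= to : (i) => i <= to;
  const out = [];
  let iterations = 0;
  for (let i = from; test(i); i += reverse ? -inc : inc) {
    out.push(String(i));
    if (++iterations >= maxIterations) {
      return { hung: true, produced: out.length }; // 5.0.2 would end in a RangeError instead
    }
  }
  return { hung: false, produced: out.length, values: out };
}

// Patched shape: a zero step is sanitized to 1, as in bash
// (`echo {1..2..0}` prints `1 2`). Numeric sequences only.
function expandSequenceSafe(from, to, step) {
  const inc = Math.abs(step) || 1;
  const reverse = from > to;
  const test = reverse ? (i) => i >= to : (i) => i <= to;
  const out = [];
  for (let i = from; test(i); i += reverse ? -inc : inc) out.push(String(i));
  return out;
}

// Defence in depth for code that passes untrusted patterns to minimatch/glob
// on a still-vulnerable dependency tree: the advisory's workaround is to
// refuse any `{a..b..0}` sequence before calling expand(). The regex is an
// assumption of this example, not part of the library; it treats "-0" and
// "00" as zero as well.
const SEQUENCE_WITH_STEP = /\{[^{},]*\.\.[^{},]*\.\.([-+]?\d+)\}/g;
function hasZeroStepSequence(pattern) {
  for (const m of pattern.matchAll(SEQUENCE_WITH_STEP)) {
    if (Number(m[1]) === 0) return true;
  }
  return false;
}

// Constructed inputs: the pattern from the advisory and a benign one.
const UNTRUSTED = ['{1..2..0}', 'src/{1..3}.ts'];
for (const p of UNTRUSTED) {
  console.log(`${p}: ${hasZeroStepSequence(p) ? 'rejected (zero step)' : 'accepted'}`);
}
console.log('safe {1..2..0} ->', expandSequenceSafe(1, 2, 0).join(' '));
```

The unsafe model returns `hung: true` for `{1..2..0}` because the loop variable never moves; the safe variant yields `1 2`. The `hasZeroStepSequence` gate is only a stop-gap for callers on an unpatched tree; the real fix is the version bump this PR applies.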

Copilot AI changed the title from "[WIP] Fix zero-step sequence in brace expansion to prevent hang" to "Bump brace-expansion resolution to 5.0.5 to remediate CVE-2026-33750" May 7, 2026
Copilot finished work on behalf of ardatan May 7, 2026 14:25
Copilot AI requested a review from ardatan May 7, 2026 14:25
@theguild-bot

Collaborator

🚀 Snapshot Release (alpha)

The latest changes of this PR are available as alpha on npm (based on the declared changesets):

Package                             Version
@graphql-tools/executor-http        3.3.0-alpha-e2cd8aecc2cf75598a574e5eaf98122368e2daf6
@graphql-tools/federation           4.4.2-alpha-e2cd8aecc2cf75598a574e5eaf98122368e2daf6
@graphql-mesh/fusion-runtime        1.10.2-alpha-e2cd8aecc2cf75598a574e5eaf98122368e2daf6
@graphql-hive/gateway               2.7.1-alpha-e2cd8aecc2cf75598a574e5eaf98122368e2daf6
@graphql-hive/nestjs                2.0.71-alpha-e2cd8aecc2cf75598a574e5eaf98122368e2daf6
@graphql-hive/plugin-aws-sigv4      2.0.45-alpha-e2cd8aecc2cf75598a574e5eaf98122368e2daf6
@graphql-hive/plugin-opentelemetry  1.4.25-alpha-e2cd8aecc2cf75598a574e5eaf98122368e2daf6
@graphql-mesh/plugin-prometheus     2.1.43-alpha-e2cd8aecc2cf75598a574e5eaf98122368e2daf6
@graphql-hive/router-runtime        1.4.6-alpha-e2cd8aecc2cf75598a574e5eaf98122368e2daf6
@graphql-hive/gateway-runtime       2.9.2-alpha-e2cd8aecc2cf75598a574e5eaf98122368e2daf6
@graphql-hive/gateway-testing       8.0.2-alpha-e2cd8aecc2cf75598a574e5eaf98122368e2daf6
@graphql-mesh/transport-http        1.1.0-alpha-e2cd8aecc2cf75598a574e5eaf98122368e2daf6

@ardatan ardatan marked this pull request as ready for review May 7, 2026 14:34
Copilot AI review requested due to automatic review settings May 7, 2026 14:34
@qodo-code-review


Review Summary by Qodo

Bump brace-expansion to 5.0.5 for CVE-2026-33750

🐞 Bug fix


Walkthroughs

Description
• Bump brace-expansion from 5.0.2 to 5.0.5
• Remediate CVE-2026-33750 zero-step sequence vulnerability
• Prevent unbounded expansion loop and memory exhaustion
• Update Yarn resolution to enforce patched version
Diagram
flowchart LR
  A["brace-expansion 5.0.2<br/>CVE-2026-33750"] -- "update resolution" --> B["brace-expansion 5.0.5<br/>Patched"]
  B -- "sanitizes zero-step" --> C["Prevents memory<br/>exhaustion"]


File Changes

1. package.json Dependencies +1/-1

Update brace-expansion resolution to patched version

• Updated brace-expansion resolution from 5.0.2 to 5.0.5
• Enforces patched version across dependency tree
• Mitigates CVE-2026-33750 vulnerability detection


@qodo-code-review

qodo-code-review Bot commented May 7, 2026


Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0)


Great, no issues found!

Qodo reviewed your code and found no material issues that require review


@ardatan ardatan enabled auto-merge (squash) May 7, 2026 14:34
@theguild-bot

Collaborator

🚀 Snapshot Release (Binary for Linux-X64)

The latest changes of this PR are available for download (based on the declared changesets).

Download

@theguild-bot

Collaborator

🚀 Snapshot Release (Binary for Linux-ARM64)

The latest changes of this PR are available for download (based on the declared changesets).

Download

@theguild-bot

Collaborator

🚀 Snapshot Release (Binary for macOS-ARM64)

The latest changes of this PR are available for download (based on the declared changesets).

Download

Copilot AI left a comment

Contributor


Pull request overview

Pins the transitive dependency brace-expansion to the lowest patched release to remediate GHSA-f886-m6hf-6m8v / CVE-2026-33750 and remove the vulnerable lockfile resolution from the repo.

Changes:

  • Updated root package.json Yarn resolutions entry for brace-expansion from 5.0.2 to 5.0.5.
  • Regenerated yarn.lock so the resolved package entry is now brace-expansion@npm:5.0.5 and the 5.0.2 entry is removed.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File Description
package.json Updates Yarn resolution to pin brace-expansion to 5.0.5 (patched).
yarn.lock Reflects the updated resolved version and checksum for brace-expansion@5.0.5.

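The review above checks the remediation by reading the PR description and the lockfile diff. To confirm the same thing mechanically, here is an added example, not the repository's or Yarn's own code: it parses a constructed Yarn Berry yarn.lock fragment and flags any brace-expansion resolution that the alert still covers. The lockfile text, the package name some-dependent, and the rule "any 5.x release below 5.0.5 is unfixed" are assumptions of the example, the last one being a reading of the advisory's "5.0.5+".

```javascript
// Added example, not the repository's or Yarn's own code: confirm that a
// regenerated Yarn Berry lockfile carries no brace-expansion resolution the
// advisory covers. Only a small subset of the lockfile grammar is parsed:
// unindented `"<descriptor>, <descriptor>":` keys and their `version:` line.

function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split('\n')) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ') && line.endsWith(':')) {
      const key = line.slice(0, -1).replace(/^"|"$/g, '');
      current = { descriptors: key.split(', '), version: null };
      entries.push(current);
      continue;
    }
    const m = current && /^\s+version:\s*"?([^"\s]+)"?\s*$/.exec(line);
    if (m) current.version = m[1];
  }
  return entries;
}

// "@scope/name@npm:^1.2.3" -> "@scope/name"
function descriptorName(descriptor) {
  return descriptor.slice(0, descriptor.lastIndexOf('@'));
}

// Plain x.y.z comparison; pre-release suffixes are not handled here.
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// From the alert: 5.0.2 affected, 5.0.5 the first fixed release. This check
// treats every 5.x release below 5.0.5 as unfixed (a reading of "5.0.5+");
// other major lines are outside what the alert states and are not flagged.
const ADVISORY = { id: 'GHSA-f886-m6hf-6m8v', name: 'brace-expansion', patched: '5.0.5' };

function isUnfixed(version, advisory = ADVISORY) {
  const sameMajor = version.split('.')[0] === advisory.patched.split('.')[0];
  return sameMajor && compareSemver(version, advisory.patched) < 0;
}

function findUnfixedResolutions(lockText, advisory = ADVISORY) {
  return parseYarnLock(lockText)
    .filter((e) => e.descriptors.some((d) => descriptorName(d) === advisory.name))
    .filter((e) => e.version !== null && isUnfixed(e.version, advisory))
    .map((e) => ({ version: e.version, descriptors: e.descriptors }));
}

// Constructed lockfile fragments (not the repository's real yarn.lock);
// "some-dependent" is a made-up consumer of brace-expansion.
const LOCK_BEFORE = `
"brace-expansion@npm:5.0.2":
  version: 5.0.2
  resolution: "brace-expansion@npm:5.0.2"
  languageName: node
  linkType: hard

"some-dependent@npm:^1.0.0":
  version: 1.0.0
  resolution: "some-dependent@npm:1.0.0"
  dependencies:
    brace-expansion: "npm:5.0.2"
  languageName: node
  linkType: hard
`;

const LOCK_AFTER = LOCK_BEFORE.split('5.0.2').join('5.0.5');

console.log('before bump:', findUnfixedResolutions(LOCK_BEFORE));
console.log('after bump: ', findUnfixedResolutions(LOCK_AFTER));
```

Run against the real yarn.lock (`fs.readFileSync('yarn.lock', 'utf8')`), an empty result means the scanner-detected resolution is gone; a non-empty one lists the descriptors still pinned below the patched version, which is the case a `resolutions` entry in package.json is meant to prevent.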

@theguild-bot

Collaborator

🚀 Snapshot Release (Binary for Windows-X64)

The latest changes of this PR are available for download (based on the declared changesets).

Download

@theguild-bot

Collaborator

🚀 Snapshot Release (Binary for macOS-X64)

The latest changes of this PR are available for download (based on the declared changesets).

Download

@theguild-bot

Collaborator

🚀 Snapshot Release (Bun Docker Image)

The latest changes of this PR are available as image on GitHub Container Registry (based on the declared changesets):

ghcr.io/graphql-hive/gateway:2.7.1-alpha-e2cd8aecc2cf75598a574e5eaf98122368e2daf6-bun

@ardatan ardatan disabled auto-merge May 7, 2026 14:42
@ardatan ardatan merged commit 453a681 into main May 7, 2026
81 checks passed
@ardatan ardatan deleted the copilot/fix-brace-expansion-zero-step branch May 7, 2026 14:42
@theguild-bot

Collaborator

🚀 Snapshot Release (Node Docker Image)

The latest changes of this PR are available as image on GitHub Container Registry (based on the declared changesets):

ghcr.io/graphql-hive/gateway:2.7.1-alpha-e2cd8aecc2cf75598a574e5eaf98122368e2daf6


4 participants