Build(deps-dev): Bump brace-expansion from 1.1.12 to 5.0.6 by dependabot[bot] · Pull Request #291 · github/local-action

dependabot · 2026-05-22T10:34:45Z

Bumps brace-expansion from 1.1.12 to 5.0.6.

Release notes

Sourced from brace-expansion's releases.

v4.0.1

fmt 5a5cc17

Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) 0b6a978

juliangruber/brace-expansion@v4.0.0...v4.0.1

v4.0.0

feat: use string replaces instead of splits (#64) 278132b

fmt dd72a59

add tea.yaml 70e4c1b

juliangruber/brace-expansion@v3.0.0...v4.0.0

As a precaution to not risk breaking anything with 278132b, this is a new semver major release

v3.0.1

pkg: publish on tag 3.x 3059c07

fmt 8229e6f

Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) 15f9b3c

juliangruber/brace-expansion@v3.0.0...v3.0.1

v3.0.0

Switch to ES Modules and balanced-match 3.0.0 (#62) c0360e8

added jsdoc (#55) 68c0e37

node 16 is EOL 9e781e9

add standard 3494c4d

use const and let (#57) dd5a4cb

docs 6dad209

remove test e3dd8ae

ci: update node versions d23ede9

docs: add @lanodan to contributors 1eb3fa4

docs 1e7c9cd

switch from tape to test module (#60) 2520537

Bump minimist from 1.2.5 to 1.2.6 (#59) 61a94f1

Bump path-parse from 1.0.6 to 1.0.7 (#51) dc741cf

docs: add back ci badge 8ee5626

Add github actions, remove travis. Closes #52 (#53) 5c8756a

CI: Drop unused sudo: false Travis directive (#50) 05978a7

juliangruber/brace-expansion@v2.0.1...v3.0.0

v2.0.2

pkg: publish on tag 2.x 14f1d91

fmt ed7780a

Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#65) 36603d5

... (truncated)

Commits

46317b5 5.0.6
c0b095b Merge commit from fork
ec56020 Bump picomatch from 4.0.3 to 4.0.4 (#93)
8793901 5.0.5
9a02af5 Merge commit from fork
daa71bc Bump tar from 7.5.10 to 7.5.11 (#92)
799e5f7 Bump tar from 7.5.9 to 7.5.10 (#90)
012c230 5.0.4
243c491 Fix handling of brackets. Closes #87
609f858 Correct incorrect brace-expansion import (#89)
Additional commits viewable in compare view

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [brace-expansion](https://github.com/juliangruber/brace-expansion) from 1.1.12 to 5.0.6. - [Release notes](https://github.com/juliangruber/brace-expansion/releases) - [Commits](juliangruber/brace-expansion@v1.1.12...v5.0.6) --- updated-dependencies: - dependency-name: brace-expansion dependency-version: 5.0.6 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>

github-actions · 2026-05-22T10:38:18Z

❌MegaLinter analysis: Error

Descriptor	Linter	Files	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	5	0	0	0.21s
❌ ACTION	zizmor	5	1	0	1.35s
❌ JAVASCRIPT	eslint	19	19	0	14.37s
✅ JAVASCRIPT	prettier	19	0	0	0.88s
✅ JSON	npm-package-json-lint	yes	no	no	0.37s
✅ JSON	prettier	29	0	0	0.62s
✅ MARKDOWN	markdownlint	10	0	0	0.49s
✅ REPOSITORY	checkov	yes	no	no	29.79s
✅ REPOSITORY	gitleaks	yes	no	no	1.38s
✅ REPOSITORY	git_diff	yes	no	no	0.02s
❌ REPOSITORY	grype	yes	5	no	69.23s
❌ REPOSITORY	osv-scanner	yes	12	no	2.2s
✅ REPOSITORY	secretlint	yes	no	no	1.65s
✅ REPOSITORY	syft	yes	no	no	3.89s
❌ REPOSITORY	trivy	yes	1	no	14.84s
✅ REPOSITORY	trivy-sbom	yes	no	no	4.71s
✅ REPOSITORY	trufflehog	yes	no	no	30.26s
❌ TYPESCRIPT	eslint	108	26	0	9.89s
✅ TYPESCRIPT	prettier	108	0	0	3.85s
✅ YAML	prettier	25	0	0	0.91s
✅ YAML	yamllint	25	0	0	0.82s

Detailed Issues

❌ JAVASCRIPT / eslint - 19 errors

__fixtures__/javascript-esm/no-import/src/index.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/javascript-esm/no-import/src/index.js

__fixtures__/javascript-esm/no-import/src/main.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/javascript-esm/no-import/src/main.js

__fixtures__/javascript-esm/success/post/index.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/javascript-esm/success/post/index.js

__fixtures__/javascript-esm/success/post/main.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/javascript-esm/success/post/main.js

__fixtures__/javascript-esm/success/pre/index.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/javascript-esm/success/pre/index.js

__fixtures__/javascript-esm/success/pre/main.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/javascript-esm/success/pre/main.js

__fixtures__/javascript-esm/success/src/index.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/javascript-esm/success/src/index.js

__fixtures__/javascript-esm/success/src/main.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/javascript-esm/success/src/main.js

__fixtures__/javascript/no-export/src/index.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/javascript/no-export/src/index.js

__fixtures__/javascript/no-export/src/main.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/javascript/no-export/src/main.js

__fixtures__/javascript/no-import/src/index.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/javascript/no-import/src/index.js

__fixtures__/javascript/no-import/src/main.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/javascript/no-import/src/main.js

__fixtures__/javascript/success/post/index.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/javascript/success/post/index.js

__fixtures__/javascript/success/post/main.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/javascript/success/post/main.js

__fixtures__/javascript/success/pre/index.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/javascript/success/pre/index.js

__fixtures__/javascript/success/pre/main.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/javascript/success/pre/main.js

__fixtures__/javascript/success/src/index.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/javascript/success/src/index.js

__fixtures__/javascript/success/src/main.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/javascript/success/src/main.js

bin/local-action.js
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): bin/local-action.js

✖ 19 problems (19 errors, 0 warnings)

❌ TYPESCRIPT / eslint - 26 errors

has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript-esm/no-export/src/index.ts

__fixtures__/typescript-esm/no-export/src/main.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript-esm/no-export/src/main.ts

__fixtures__/typescript-esm/no-import/src/index.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript-esm/no-import/src/index.ts

__fixtures__/typescript-esm/no-import/src/main.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript-esm/no-import/src/main.ts

__fixtures__/typescript-esm/success/post/index.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript-esm/success/post/index.ts

__fixtures__/typescript-esm/success/post/main.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript-esm/success/post/main.ts

__fixtures__/typescript-esm/success/pre/index.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript-esm/success/pre/index.ts

__fixtures__/typescript-esm/success/pre/main.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript-esm/success/pre/main.ts

__fixtures__/typescript-esm/success/src/index.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript-esm/success/src/index.ts

__fixtures__/typescript-esm/success/src/main.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript-esm/success/src/main.ts

__fixtures__/typescript-esm/tsconfig-comments/src/index.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript-esm/tsconfig-comments/src/index.ts

__fixtures__/typescript-esm/tsconfig-comments/src/main.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript-esm/tsconfig-comments/src/main.ts

__fixtures__/typescript/no-import/src/index.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript/no-import/src/index.ts

__fixtures__/typescript/no-import/src/main.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript/no-import/src/main.ts

__fixtures__/typescript/success-yaml/post/index.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript/success-yaml/post/index.ts

__fixtures__/typescript/success-yaml/post/main.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript/success-yaml/post/main.ts

__fixtures__/typescript/success-yaml/pre/index.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript/success-yaml/pre/index.ts

__fixtures__/typescript/success-yaml/pre/main.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript/success-yaml/pre/main.ts

__fixtures__/typescript/success-yaml/src/index.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript/success-yaml/src/index.ts

__fixtures__/typescript/success-yaml/src/main.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript/success-yaml/src/main.ts

__fixtures__/typescript/success/post/index.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript/success/post/index.ts

__fixtures__/typescript/success/post/main.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript/success/post/main.ts

__fixtures__/typescript/success/pre/index.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript/success/pre/index.ts

__fixtures__/typescript/success/pre/main.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript/success/pre/main.ts

__fixtures__/typescript/success/src/index.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript/success/src/index.ts

__fixtures__/typescript/success/src/main.ts
  0:0  error  Parsing error: "parserOptions.project" has been provided for @typescript-eslint/parser.
The file was not found in any of the provided project(s): __fixtures__/typescript/success/src/main.ts

✖ 26 problems (26 errors, 0 warnings)

(Truncated to last 6666 characters out of 6769)

❌ REPOSITORY / grype - 5 errors

[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal) from=syft
NAME              INSTALLED  FIXED IN  TYPE  VULNERABILITY        SEVERITY  EPSS           RISK   
lodash            4.17.23    4.18.0    npm   GHSA-r5fr-rjxr-66jc  High      < 0.1% (13th)  < 0.1  
yaml              2.8.2      2.8.3     npm   GHSA-48c2-rrv3-qjmp  Medium    < 0.1% (19th)  < 0.1  
fast-xml-builder  1.1.4      1.1.7     npm   GHSA-5wm8-gmm8-39j9  High      < 0.1% (9th)   < 0.1  
fast-xml-parser   5.5.7      5.7.0     npm   GHSA-gh4j-gqv2-49f6  Medium    < 0.1% (10th)  < 0.1  
lodash            4.17.23    4.18.0    npm   GHSA-f23m-r3pf-42rh  Medium    < 0.1% (7th)   < 0.1
[0069] ERROR discovered vulnerabilities at or above the severity threshold

❌ REPOSITORY / osv-scanner - 12 errors

Scanning dir .
Starting filesystem walk for root: /
Scanned package-lock.json file and found 609 packages
End status: 121 dirs visited, 384 inodes visited, 1 Extract calls, 36.179651ms elapsed, 36.179902ms wall time

Total 8 packages affected by 12 known vulnerabilities (0 Critical, 7 High, 5 Medium, 0 Low, 0 Unknown) from 1 ecosystem.
12 vulnerabilities can be fixed.

+-------------------------------------+------+-----------+------------------+---------+---------------+-------------------+
| OSV URL                             | CVSS | ECOSYSTEM | PACKAGE          | VERSION | FIXED VERSION | SOURCE            |
+-------------------------------------+------+-----------+------------------+---------+---------------+-------------------+
| https://osv.dev/GHSA-5wm8-gmm8-39j9 | 8.7  | npm       | fast-xml-builder | 1.1.4   | 1.1.7         | package-lock.json |
| https://osv.dev/GHSA-gh4j-gqv2-49f6 | 6.1  | npm       | fast-xml-parser  | 5.5.7   | 5.7.0         | package-lock.json |
| https://osv.dev/GHSA-25h7-pfq9-p65f | 7.5  | npm       | flatted (dev)    | 3.3.3   | 3.4.0         | package-lock.json |
| https://osv.dev/GHSA-rf6f-7fwh-wjgh | 8.9  | npm       | flatted (dev)    | 3.3.3   | 3.4.2         | package-lock.json |
| https://osv.dev/GHSA-f23m-r3pf-42rh | 6.5  | npm       | lodash           | 4.17.23 | 4.18.0        | package-lock.json |
| https://osv.dev/GHSA-r5fr-rjxr-66jc | 8.1  | npm       | lodash           | 4.17.23 | 4.18.0        | package-lock.json |
| https://osv.dev/GHSA-3v7f-55p6-f55p | 5.3  | npm       | picomatch (dev)  | 2.3.1   | 2.3.2         | package-lock.json |
| https://osv.dev/GHSA-c2c7-rcm5-vvqj | 7.5  | npm       | picomatch (dev)  | 2.3.1   | 2.3.2         | package-lock.json |
| https://osv.dev/GHSA-3v7f-55p6-f55p | 5.3  | npm       | picomatch (dev)  | 4.0.3   | 4.0.4         | package-lock.json |
| https://osv.dev/GHSA-c2c7-rcm5-vvqj | 7.5  | npm       | picomatch (dev)  | 4.0.3   | 4.0.4         | package-lock.json |
| https://osv.dev/GHSA-w5hq-g745-h8pq | 7.5  | npm       | uuid (dev)       | 8.3.2   | 11.1.1        | package-lock.json |
| https://osv.dev/GHSA-48c2-rrv3-qjmp | 4.3  | npm       | yaml             | 2.8.2   | 2.8.3         | package-lock.json |
+-------------------------------------+------+-----------+------------------+---------+---------------+-------------------+

❌ REPOSITORY / trivy - 1 error

[--------------------------------------------->] 100.00% 101.02 MiB p/s ETA 0s93.52 MiB / 93.52 MiB [--------------------------------------------->] 100.00% 101.02 MiB p/s ETA 0s93.52 MiB / 93.52 MiB [--------------------------------------------->] 100.00% 101.02 MiB p/s ETA 0s93.52 MiB / 93.52 MiB [---------------------------------------------->] 100.00% 94.51 MiB p/s ETA 0s93.52 MiB / 93.52 MiB [---------------------------------------------->] 100.00% 94.51 MiB p/s ETA 0s93.52 MiB / 93.52 MiB [---------------------------------------------->] 100.00% 94.51 MiB p/s ETA 0s93.52 MiB / 93.52 MiB [---------------------------------------------->] 100.00% 88.41 MiB p/s ETA 0s93.52 MiB / 93.52 MiB [---------------------------------------------->] 100.00% 88.41 MiB p/s ETA 0s93.52 MiB / 93.52 MiB [---------------------------------------------->] 100.00% 88.41 MiB p/s ETA 0s93.52 MiB / 93.52 MiB [---------------------------------------------->] 100.00% 82.71 MiB p/s ETA 0s93.52 MiB / 93.52 MiB [-------------------------------------------------] 100.00% 16.74 MiB p/s 5.8s2026-05-22T10:37:14Z	INFO	[vulndb] Artifact successfully downloaded	repo="mirror.gcr.io/aquasec/trivy-db:2"
2026-05-22T10:37:14Z	INFO	[vuln] Vulnerability scanning is enabled
2026-05-22T10:37:14Z	INFO	[misconfig] Misconfiguration scanning is enabled
2026-05-22T10:37:14Z	INFO	[checks-client] Need to update the checks bundle
2026-05-22T10:37:14Z	INFO	[checks-client] Downloading the checks bundle...
234.65 KiB / 234.65 KiB [------------------------------------------------------] 100.00% ? p/s 100ms2026-05-22T10:37:21Z	INFO	Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
2026-05-22T10:37:21Z	INFO	Number of language-specific files	num=1
2026-05-22T10:37:21Z	INFO	[npm] Detecting vulnerabilities...
2026-05-22T10:37:21Z	INFO	Detected config files	num=0

Report Summary

┌───────────────────┬──────┬─────────────────┬───────────────────┐
│      Target       │ Type │ Vulnerabilities │ Misconfigurations │
├───────────────────┼──────┼─────────────────┼───────────────────┤
│ package-lock.json │ npm  │        5        │         -         │
└───────────────────┴──────┴─────────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/docs/v0.70/guide/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


package-lock.json (npm)
=======================
Total: 5 (UNKNOWN: 0, LOW: 0, MEDIUM: 3, HIGH: 2, CRITICAL: 0)

┌──────────────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬──────────────────────────────────────────────────────────────┐
│     Library      │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                            Title                             │
├──────────────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ fast-xml-builder │ CVE-2026-44665 │ HIGH     │ fixed  │ 1.1.4             │ 1.1.7         │ fast-xml-builder: fast-xml-builder: Attribute injection      │
│                  │                │          │        │                   │               │ leading to information disclosure or content manipulation    │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-44665                   │
├──────────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ fast-xml-parser  │ CVE-2026-41650 │ MEDIUM   │        │ 5.5.7             │ 5.7.0         │ fast-xml-parser: fast-xml-parser: XML injection via improper │
│                  │                │          │        │                   │               │ escaping of comment and CDATA sequences...                   │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-41650                   │
├──────────────────┼────────────────┼──────────┤        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ lodash           │ CVE-2026-4800  │ HIGH     │        │ 4.17.23           │ 4.18.0        │ lodash: lodash: Arbitrary code execution via untrusted input │
│                  │                │          │        │                   │               │ in template imports                                          │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-4800                    │
│                  ├────────────────┼──────────┤        │                   │               ├──────────────────────────────────────────────────────────────┤
│                  │ CVE-2026-2950  │ MEDIUM   │        │                   │               │ lodash: Lodash: Prototype pollution allows deletion of       │
│                  │                │          │        │                   │               │ built-in prototype properties via array...                   │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-2950                    │
├──────────────────┼────────────────┤          │        ├───────────────────┼───────────────┼──────────────────────────────────────────────────────────────┤
│ yaml             │ CVE-2026-33532 │          │        │ 2.8.2             │ 2.8.3, 1.10.3 │ yaml: yaml: Denial of Service via deeply nested YAML         │
│                  │                │          │        │                   │               │ document parsing                                             │
│                  │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2026-33532                   │
└──────────────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴──────────────────────────────────────────────────────────────┘

(Truncated to last 6666 characters out of 8706)

❌ ACTION / zizmor - 1 error

INFO zizmor: 🌈 zizmor v1.25.0
fatal: no audit was performed
'ref-confusion' audit failed on file://.github/workflows/codeql-analysis.yml

Caused by:
    0: error in 'ref-confusion' audit
    1: couldn't list branches for actions/checkout
    2: request error while accessing GitHub API
    3: HTTP status client error (401 Unauthorized) for url (https://github.com/actions/checkout.git/git-upload-pack)


[ZizmorLinter] Zizmor failed to reach the GitHub API.
To allow zizmor to use GITHUB_TOKEN, add the following to your .mega-linter.yml:
ACTION_ZIZMOR_UNSECURED_ENV_VARIABLES:
  - GITHUB_TOKEN

Notices

📣 MegaLinter 9.5.0 is out! Discover the new features and security recommendations in the release announcement. (Skip this info by defining SECURITY_SUGGESTIONS: false)

See detailed reports in MegaLinter artifacts

Show us your support by starring ⭐ the repository

dependabot Bot added dependabot Dependabot issues and PRs npm Node.js issues and PRs labels May 22, 2026

dependabot Bot requested a review from ncalteen as a code owner May 22, 2026 10:34

dependabot Bot added dependabot Dependabot issues and PRs npm Node.js issues and PRs labels May 22, 2026

dependabot Bot mentioned this pull request May 22, 2026

Build(deps-dev): Bump brace-expansion from 1.1.12 to 1.1.14 #284

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Build(deps-dev): Bump brace-expansion from 1.1.12 to 5.0.6#291

Build(deps-dev): Bump brace-expansion from 1.1.12 to 5.0.6#291
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/brace-expansion-5.0.6

dependabot Bot commented on behalf of github May 22, 2026

Uh oh!

github-actions Bot commented May 22, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github May 22, 2026

v4.0.1

v4.0.0

v3.0.1

v3.0.0

v2.0.2

Uh oh!

github-actions Bot commented May 22, 2026

❌MegaLinter analysis: Error

Detailed Issues

Notices

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants