Closed
Description
Current Behavior
- Installing `@semantic-release/npm` reports a low severity vulnerability.
- `npm audit fix` reports that it cannot be fixed and refers to GHSA-v6h2-p8h4-qcjw (CVE-2025-5889 - brace-expansion Regular Expression Denial of Service vulnerability).
Expected Behavior
Installing `@semantic-release/npm` with npm should not report any vulnerabilities, and if there are any reported vulnerabilities, they should be fixable with `npm audit fix`.
Steps to Reproduce
```shell
cd $(mktemp -d)
npm init -y
npm install @semantic-release/npm@latest
npm audit fix
```
Logs
```
added 279 packages, and audited 495 packages in 13s

100 packages are looking for funding
  run `npm fund` for details

1 low severity vulnerability

To address all issues, run:
  npm audit fix

$ npm audit fix
npm warn audit fix brace-expansion@2.0.1 node_modules/npm/node_modules/brace-expansion
npm warn audit fix brace-expansion@2.0.1   is a bundled dependency of
npm warn audit fix brace-expansion@2.0.1   npm@10.9.2 at node_modules/npm
npm warn audit fix brace-expansion@2.0.1   It cannot be fixed automatically.
npm warn audit fix brace-expansion@2.0.1   Check for updates to the npm package.

up to date, audited 495 packages in 3s

100 packages are looking for funding
  run `npm fund` for details

# npm audit report

brace-expansion  2.0.0 - 2.0.1
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
fix available via `npm audit fix`
node_modules/npm/node_modules/brace-expansion

1 low severity vulnerability

To address all issues, run:
  npm audit fix
```