brace-expansion@2.0.1 unfixable low vulnerability (CVE-2025-5889)

[MikeMcC399]

• replaces brace-expansion@2.0.1 unfixable low vulnerability (CVE-2025-5889) semantic-release#3777

Current Behavior

• Installing @semantic-release/npm reports a low severity vulnerability
• npm audit fix reports that it cannot be fixed and refers to GHSA-v6h2-p8h4-qcjw (CVE-2025-5889 - brace-expansion Regular Expression Denial of Service vulnerability)

Expected Behavior

Installing @semantic-release/npm with npm should not report any vulnerabilities, and if there are any reported vulnerabilities, they should be fixable with npm audit fix.

Steps to Reproduce

cd $(mktemp -d)
npm init -y
npm install @semantic-release/npm@latest
npm audit fix

Logs

added 279 packages, and audited 495 packages in 13s

100 packages are looking for funding
  run `npm fund` for details

1 low severity vulnerability

To address all issues, run:
  npm audit fix


$ npm audit fix
npm warn audit fix brace-expansion@2.0.1 node_modules/npm/node_modules/brace-expansion
npm warn audit fix brace-expansion@2.0.1 is a bundled dependency of
npm warn audit fix brace-expansion@2.0.1 npm@10.9.2 at node_modules/npm
npm warn audit fix brace-expansion@2.0.1 It cannot be fixed automatically.
npm warn audit fix brace-expansion@2.0.1 Check for updates to the npm package.

up to date, audited 495 packages in 3s

100 packages are looking for funding
  run `npm fund` for details

# npm audit report

brace-expansion  2.0.0 - 2.0.1
brace-expansion Regular Expression Denial of Service vulnerability - https://github.com/advisories/GHSA-v6h2-p8h4-qcjw
fix available via `npm audit fix`
node_modules/npm/node_modules/brace-expansion

1 low severity vulnerability

To address all issues, run:
  npm audit fix

Version

@semantic-release/npm@12.0.1

Related

• [BUG] v10 bundled dependency brace-expansion@2.0.1 is vulnerable to ReDoS npm/cli#8366

[travi]

Is this fixed in npm v11? If so, we have an open renovate pr for that upgrade, but it will require us to drop some currently supported node versions, making it a breaking change. We will likely be releasing a major version soon due to these sorts of upgrades, but I don't have a timeline to provide at the moment

[MikeMcC399]

@travi

Is this fixed in npm v11? If so, we have an open renovate pr for that upgrade, but it will require us to drop some currently supported node versions, making it a breaking change. We will likely be releasing a major version soon due to these sorts of upgrades, but I don't have a timeline to provide at the moment

• The renovate PR fix(deps): update npm to v11 #909 would fix this issue, as it updates to npm@11.4.2 where
  npm@11.4.2 updated to brace-expansion@2.0.2 and this fixes the vulnerability.

• I asked in [BUG] v10 bundled dependency brace-expansion@2.0.1 is vulnerable to ReDoS npm/cli#8366 (comment) if it is possible to backport the fix to npm@10.x, so I suggest monitoring that issue for the response from the npm team.

[travi]

thanks for the follow up, @MikeMcC399. if the patch is applied to npm v10, that would be in-range for our dependency on npm and would allow consumers to resolve this without a change to this plugin. it sounds like a very low risk vulnerability, so that will depend on the npm team's decision around whether they decide to apply the patch to v10

[MikeMcC399]

@travi

After reading npm's Release process I would assume that there won't be any fix released for npm 10.x, but still I would wait to see if there is a definitive decision response in npm/cli#8366 (comment).

[MikeMcC399]

@travi

Although there was no definitive response in npm/cli#8366 (comment) from the npm maintainers, the issue has in fact been fixed through PR npm/cli#8378 in v10.9.3.