Bump brace-expansion from 1.1.12 to 1.1.13

[dependabot]

Bumps brace-expansion from 1.1.12 to 1.1.13.

Commits

• 6c353ca 1.1.13
• 7fd684f Backport fix for GHSA-f886-m6hf-6m8v (#95)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

Note

Low Risk
Low risk lockfile-only dependency patch update; main impact is potential minor changes in transitive glob/brace parsing behavior.

Overview
Updates the package-lock.json entry for brace-expansion from 1.1.12 to 1.1.13, including the new tarball URL and integrity hash.

^{Written by Cursor Bugbot for commit 3a78826. This will update automatically on new commits. Configure here.}

[github-actions]

🤖 Cursor Dependency Analysis

Here's my review:

---

Dependabot PR Review: brace-expansion 1.1.12 → 1.1.13

1. Where the dependency is used

brace-expansion is not a direct dependency of this project. It is a transitive dependency pulled in via minimatch (which requires brace-expansion ^1.1.7). It appears only in package-lock.json.

2. API intersection with the change

The fix is a single-line change in index.js:

- ? Math.abs(numeric(n[2]))
+ ? Math.max(Math.abs(numeric(n[2])), 1)

This ensures the step value in numeric brace sequences (e.g., {1..10..0}) is always at least 1, preventing an infinite loop. No API surface changes, no new exports, no behavioral changes for valid inputs. Only previously-pathological zero-step input is affected.

3. Risks / unknowns

• Risk: Very low. The change is a one-line guard (Math.max(..., 1)) on an internal computation. It cannot alter behavior for any step value ≥ 1 — only the zero-step edge case is affected.
• The fix addresses GHSA-f886-m6hf-6m8v (CVE-2026-33750 / CVE-2025-5889): a zero-step brace sequence causes an infinite loop and memory exhaustion with as few as ~10 bytes of input. Severity: CVSS 6.5 (Medium).
• This is a patch release on the v1 line (1.1.12 → 1.1.13), semver-compatible.
• brace-expansion is only used transitively via minimatch; the project does not call it directly.

4. Recommendation

Merge. This is a minimal, targeted security fix with zero risk to existing functionality. No caveats needed.

[dependabot]

Looks like brace-expansion is up-to-date now, so this is no longer needed.