Issue: 151598
Summary: [MLIR][lldb-dap][utils] CVE-2025-5889 reported for brace-expansion 1.1.11 and 2.0.1 dependencies
Labels: mlir
Assignees:
Reporter: StephanTLavavej

[CVE-2025-5889](https://nvd.nist.gov/vuln/detail/CVE-2025-5889) is a low-severity vulnerability in brace-expansion 1.1.11 and 2.0.1, published on 2025-06-09:
> A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0.
> [...]
> Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this issue.
LLVM has a few dependencies on these versions; can they be updated?
https://github.com/llvm/llvm-project/blob/e1d45b1b97c1f18e5a5fb9db8621ae4b34ba0ab1/mlir/utils/tree-sitter-mlir/package-lock.json#L25-L26
https://github.com/llvm/llvm-project/blob/e1d45b1b97c1f18e5a5fb9db8621ae4b34ba0ab1/mlir/utils/vscode/package-lock.json#L290-L291
https://github.com/llvm/llvm-project/blob/e1d45b1b97c1f18e5a5fb9db8621ae4b34ba0ab1/lldb/tools/lldb-dap/package-lock.json#L709-L710
https://github.com/llvm/llvm-project/blob/e1d45b1b97c1f18e5a5fb9db8621ae4b34ba0ab1/llvm/utils/vscode/llvm/package-lock.json#L95-L96
The MSVC repo has llvm-project as a submodule - actually twice - and this is being reported by Microsoft's automated dependency scans, which is how it came to my attention.
_______________________________________________
llvm-bugs mailing list
llvm-bugs@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/llvm-bugs
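Added example, not part of the reporter's message or of the LLVM project: a small Python scanner that walks one or more package-lock.json files, finds every brace-expansion entry (including nested copies under other packages' node_modules), and flags versions below the fixed releases named in the advisory excerpt quoted above (1.1.12, 2.0.2, 3.0.1, 4.0.1). It handles both the lockfileVersion 1 layout (recursive "dependencies") and the v2/v3 layout ("packages" keyed by node_modules path). The function names, the FIXED table and the embedded SAMPLE_LOCK are assumptions of this example; the sample lockfile is constructed and is not LLVM's.

```python
"""Scan npm package-lock.json files for brace-expansion versions affected by CVE-2025-5889."""
import json
import sys
from pathlib import Path

# Fixed versions as quoted from the advisory in the issue text: 1.1.12, 2.0.2, 3.0.1, 4.0.1.
# Any lower version in the same major line is treated as affected (assumption of this example).
FIXED = {1: (1, 1, 12), 2: (2, 0, 2), 3: (3, 0, 1), 4: (4, 0, 1)}


def parse_version(version):
    """'1.1.11' -> (1, 1, 11); prerelease ('-rc1') and build ('+abc') suffixes are dropped."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version):
    """True if this brace-expansion version predates the fix for its major line."""
    parsed = parse_version(version)
    fixed = FIXED.get(parsed[0])
    if fixed is None:
        return False  # major line not covered by the advisory text
    return parsed < fixed


def iter_brace_expansion(lock):
    """Yield (node_modules path, version) for every brace-expansion entry in a lockfile.

    lockfileVersion 2/3: "packages" is flat, keyed by path such as
    "node_modules/minimatch/node_modules/brace-expansion".
    lockfileVersion 1: "dependencies" is nested, so we recurse and build the path.
    v2 files carry both sections with the same content, so "dependencies" is only
    walked when "packages" is absent, to avoid double reporting.
    """
    for path, meta in lock.get("packages", {}).items():
        if path.rsplit("node_modules/", 1)[-1] == "brace-expansion" and "version" in meta:
            yield path, meta["version"]

    def walk(deps, prefix):
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == "brace-expansion" and "version" in meta:
                yield path, meta["version"]
            yield from walk(meta.get("dependencies", {}), path + "/")

    if "packages" not in lock:
        yield from walk(lock.get("dependencies", {}), "")


def scan_lock(lock):
    """Return [(path, version, affected), ...] for every brace-expansion entry."""
    return [(path, ver, is_affected(ver)) for path, ver in iter_brace_expansion(lock)]


def scan_file(lock_path):
    """Load a package-lock.json from disk and scan it."""
    return scan_lock(json.loads(Path(lock_path).read_text(encoding="utf-8")))


# Constructed sample lockfile (v3 layout), not LLVM's actual file: the top-level copy is
# already on a fixed release, while minimatch still pins an affected 1.x copy.
SAMPLE_LOCK = {
    "name": "example",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example"},
        "node_modules/brace-expansion": {"version": "2.0.2"},
        "node_modules/minimatch": {"version": "3.1.2", "dependencies": {"brace-expansion": "^1.1.7"}},
        "node_modules/minimatch/node_modules/brace-expansion": {"version": "1.1.11"},
    },
}


if __name__ == "__main__":
    # Usage: python scan_brace_expansion.py [package-lock.json ...]; with no arguments
    # the constructed sample is scanned. Exit status 1 if any affected copy is found.
    targets = sys.argv[1:]
    found_affected = False
    if targets:
        results = [(t, r) for t in targets for r in scan_file(t)]
    else:
        results = [("<sample>", r) for r in scan_lock(SAMPLE_LOCK)]
    for source, (path, ver, affected) in results:
        status = "AFFECTED" if affected else "ok"
        print(f"{status:8} {source}: {path} brace-expansion@{ver}")
        found_affected |= affected
    sys.exit(1 if found_affected else 0)
```

Point it at the four lockfiles linked in the issue to get the per-copy list; nested copies (as under minimatch in the sample) are the ones that a top-level `npm update brace-expansion` can miss, so re-run the scan after regenerating each lockfile rather than assuming the bump took everywhere.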