
Update brace-expansion for CVE-2026-33750 #7457

Merged
peterwald merged 3 commits into main from copilot/fix-brace-expansion-cve-2026-33750 on Apr 9, 2026

Conversation

@SamMonoRT
Member

@SamMonoRT SamMonoRT commented Apr 8, 2026

Summary

  • update the vulnerable brace-expansion lockfile entry under @typescript-eslint/typescript-estree from 2.0.2 to 2.0.3
  • update the vulnerable brace-expansion lockfile entry under glob from 5.0.4 to 5.0.5

Verification

  • confirmed the previous vulnerable tarball references are no longer present in src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript/package-lock.json
  • validated the edited package-lock.json contains no JSON errors

@SamMonoRT SamMonoRT requested a review from a team as a code owner April 8, 2026 18:34
Copilot AI review requested due to automatic review settings April 8, 2026 18:34
@github-actions github-actions bot added the area-ai-eval Microsoft.Extensions.AI.Evaluation and related label Apr 8, 2026
Contributor

Copilot AI left a comment


Copilot wasn't able to review any files in this pull request.

Files not reviewed (1)
  • src/Libraries/Microsoft.Extensions.AI.Evaluation.Reporting/TypeScript/package-lock.json: Language not supported

Contributor

@shyamnamboodiripad shyamnamboodiripad left a comment


Thank you for fixing!

@SamMonoRT
Member Author

@shyamnamboodiripad - any ideas why dependabot wouldn't update these like in #7440? Also, I'm not sure how to resolve the CI errors.

@shyamnamboodiripad
Contributor

@shyamnamboodiripad - any ideas why dependabot wouldn't update these like in #7440? Also, I'm not sure how to resolve the CI errors.

@SamMonoRT I suspect the failures may be happening because some of these packages may not exist in the dotnet-public-npm feed. See this earlier comment

There was also this dependabot PR #7456 which was failing originally - but started passing subsequently. @peterwald did you just clone the branch locally and run the script mentioned in the above comment to get the missing packages downloaded into the feed? Can @SamMonoRT run the same to unblock the current PR?

@peterwald
Member

There was also this dependabot PR #7456 which was failing originally - but started passing subsequently. @peterwald did you just clone the branch locally and run the script mentioned in the above comment to get the missing packages downloaded into the feed? Can @SamMonoRT run the same to unblock the current PR?

On the referenced PR, it was building just fine locally. It was a file permissions failure in CI. I just retried it and eventually it worked. I've updated the branch, so it will try again and we'll see.

@peterwald peterwald enabled auto-merge (squash) April 9, 2026 13:56
@peterwald
Member

Something is not right with the package in the public feed. I see that the hashes don't match and that is what is failing the build now.

@peterwald peterwald disabled auto-merge April 9, 2026 15:28
@peterwald peterwald enabled auto-merge (squash) April 9, 2026 19:50
@peterwald peterwald merged commit 5f78522 into main Apr 9, 2026
6 checks passed
@peterwald peterwald deleted the copilot/fix-brace-expansion-cve-2026-33750 branch April 9, 2026 20:42

Labels

area-ai-eval Microsoft.Extensions.AI.Evaluation and related


4 participants