From a134948b87e69d30508cc585ceb2296f899f11e9 Mon Sep 17 00:00:00 2001
From: Henry Mercer
Date: Wed, 20 May 2026 15:17:16 +0100
Subject: [PATCH] Bump `brace-expansion`

Address https://github.com/juliangruber/brace-expansion/security/advisories/GHSA-jxxr-4gwj-5jf2
---
 lib/entry-points.js | 22 ++++++++++++----------
 package-lock.json | 18 +++++++++---------
 2 files changed, 21 insertions(+), 19 deletions(-)

diff --git a/lib/entry-points.js b/lib/entry-points.js
index 482b2f9bb..b05cde9c8 100644
--- a/lib/entry-points.js
+++ b/lib/entry-points.js
@@ -31025,13 +31025,15 @@ var require_brace_expansion = __commonJS({ parts.push.apply(parts, p); return parts; } - function expandTop(str2) { + function expandTop(str2, options) { if (!str2) return []; + options = options || {}; + var max = options.max == null ? Infinity : options.max; if (str2.substr(0, 2) === "{}") { str2 = "\\{\\}" + str2.substr(2); } - return expand2(escapeBraces(str2), true).map(unescapeBraces); + return expand2(escapeBraces(str2), max, true).map(unescapeBraces); } function embrace(str2) { return "{" + str2 + "}";
@@ -31045,7 +31047,7 @@ var require_brace_expansion = __commonJS({ function gte6(i, y) { return i >= y; } - function expand2(str2, isTop) { + function expand2(str2, max, isTop) { var expansions = []; var m = balanced("{", "}", str2); if (!m || /\$$/.test(m.pre)) return [str2];
@@ -31056,7 +31058,7 @@ var require_brace_expansion = __commonJS({ if (!isSequence && !isOptions) { if (m.post.match(/,(?!,).*\}/)) { str2 = m.pre + "{" + m.body + escClose + m.post; - return expand2(str2); + return expand2(str2, max, true); } return [str2]; }
@@ -31066,9 +31068,9 @@ var require_brace_expansion = __commonJS({ } else { n = parseCommaParts(m.body); if (n.length === 1) { - n = expand2(n[0], false).map(embrace); + n = expand2(n[0], max, false).map(embrace); if (n.length === 1) { - var post = m.post.length ? expand2(m.post, false) : [""]; + var post = m.post.length ? expand2(m.post, max, false) : [""]; return post.map(function(p) { return m.pre + n[0] + p; });
@@ -31076,7 +31078,7 @@ var require_brace_expansion = __commonJS({ } } var pre = m.pre; - var post = m.post.length ? expand2(m.post, false) : [""]; + var post = m.post.length ? expand2(m.post, max, false) : [""]; var N; if (isSequence) { var x = numeric(n[0]);
@@ -31114,11 +31116,11 @@ var require_brace_expansion = __commonJS({ } } else { N = concatMap(n, function(el) { - return expand2(el, false); + return expand2(el, max, false); }); } for (var j = 0; j < N.length; j++) { - for (var k = 0; k < post.length; k++) { + for (var k = 0; k < post.length && expansions.length < max; k++) { var expansion = pre + N[j] + post[k]; if (!isTop || isSequence || expansion) expansions.push(expansion);
@@ -102244,7 +102246,7 @@ var require_commonjs19 = __commonJS({ } const pad = n.some(isPadded); N = []; - for (let i = x; test(i, y); i += incr) { + for (let i = x; test(i, y) && N.length < max; i += incr) { let c; if (isAlphaSequence) { c = String.fromCharCode(i);
diff --git a/package-lock.json b/package-lock.json
index deacbcaef..0a03bbb82 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -3795,9 +3795,9 @@
 "license": "MIT"
 },
 "node_modules/brace-expansion": {
- "version": "1.1.13",
- "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.13.tgz",
- "integrity": "sha512-9ZLprWS6EENmhEOpjCYW2c8VkmOvckIJZfkr7rBW6dObmfgJ/L1GpSYW5Hpo9lDz4D1+n0Ckz8rU7FwHDQiG/w==",
+ "version": "1.1.14",
+ "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.14.tgz",
+ "integrity": "sha512-MWPGfDxnyzKU7rNOW9SP/c50vi3xrmrua/+6hfPbCS2ABNWfx24vPidzvC7krjU/RTo235sV776ymlsMtGKj8g==",
 "license": "MIT",
 "dependencies": {
 "balanced-match": "^1.0.0",
@@ -5122,9 +5122,9 @@
 }
 },
 "node_modules/eslint-plugin-import-x/node_modules/brace-expansion": {
- "version": "5.0.5",
- "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.5.tgz",
- "integrity": "sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==",
+ "version": "5.0.6",
+ "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.6.tgz",
+ "integrity": "sha512-kLpxurY4Z4r9sgMsyG0Z9uzsBlgiU/EFKhj/h91/8yHu0edo7XuixOIH3VcJ8kkxs6/jPzoI6U9Vj3WqbMQ94g==",
 "dev": true,
 "license": "MIT",
 "dependencies": {
@@ -6078,9 +6078,9 @@
 }
 },
 "node_modules/glob/node_modules/brace-expansion": {
- "version": "5.0.5",
- "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.5.tgz",
- "integrity": "sha512-VZznLgtwhn+Mact9tfiwx64fA9erHH/MCXEUfB/0bX/6Fz6ny5EGTXYltMocqg4xFAQZtnO3DHWWXi8RiuN7cQ==",
+ "version": "5.0.6",
+ "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-5.0.6.tgz",
+ "integrity": "sha512-kLpxurY4Z4r9sgMsyG0Z9uzsBlgiU/EFKhj/h91/8yHu0edo7XuixOIH3VcJ8kkxs6/jPzoI6U9Vj3WqbMQ94g==",
 "license": "MIT",
 "dependencies": {
 "balanced-match": "^4.0.2"