fix: bump brace-expansion + picomatch to patched versions (S360 CVEs)#1399
Merged
Conversation
Closes 4 PPBT S360 work items on KPI 240c2bea (BIC Component Governance): - ADO #6364952 brace-expansion 1.1.12 -> 1.1.15 (target 1.1.13, CVE-2026-33750) - ADO #6364953 brace-expansion 2.0.2 -> 2.0.3 (CVE-2026-33750) - ADO #6364954 picomatch 2.3.1 -> 2.3.2 (CVE-2026-33672) - ADO #6364955 brace-expansion 5.0.4 -> 5.0.6 (target 5.0.5, CVE-2026-33750) - ADO #6408700 brace-expansion 5.0.4 -> 5.0.6 (CVE-2026-45149, same package paths) Mechanism: - package.json overrides: minimatch -> brace-expansion ^5.0.6 (handles 5.x paths in cli-wrapper, tfx-cli, glob, mocha, readdir-glob). - package.json existing brace-expansion dep at ^2.0.3 (handles root 2.x hoist). - Lock-file patches for inBundle: true paths that npm overrides cannot reach: - @microsoft/powerplatform-cli-wrapper bundled brace-expansion 5.0.4 -> 5.0.6 - azure-pipelines-task-lib bundled minimatch@3.x's brace-expansion 1.1.12 -> 1.1.15 - hoisted picomatch (inBundle=true) 2.3.1 -> 2.3.2 Verification: - npm audit no longer reports brace-expansion or picomatch findings - compile + lint + pac CLI 2.7.4 restore pass - Pre-existing Node 24 unit-test ts-strip incompatibility is unrelated to this change
2 tasks
brflood
approved these changes
Jun 8, 2026
jbujula
added a commit
that referenced
this pull request
Jun 8, 2026
…ceeds (#1403) The official build pipeline now creates a published GitHub Release automatically on successful run (PR #1399's tooling change). Update both skills so contributors know to look for the release at /releases/tag/v<version> after their PR ships: - create-pr SKILL.md: Step 4 prompt now mentions the auto-release URL and what to do if it doesn't appear (token scope / SSO check). - pac-cli-update SKILL.md: Step 9 final summary now includes the same guidance.
jbujula
added a commit
that referenced
this pull request
Jun 8, 2026
…ceeds (#1402) The official build pipeline now creates a published GitHub Release automatically on successful run (PR #1399's tooling change). Update both skills so contributors know to look for the release at /releases/tag/v<version> after their PR ships: - create-pr SKILL.md: Step 4 prompt now mentions the auto-release URL and what to do if it doesn't appear (token scope / SSO check). - pac-cli-update SKILL.md: Step 9 final summary now includes the same guidance.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes 4 PPBT S360 work items on KPI 240c2bea-0698-48c7-8e78-f9beac31a861 (BIC Component Governance - Low/Medium action items):
Bonus coverage on AB#6408700 (brace-expansion 5.0.4 → 5.0.6, CVE-2026-45149) — same 5.x paths.
Mechanism
package.jsonoverridesbrace-expansion: "^2.0.3"direct dep fixes the hoisted root 2.x."minimatch": { "brace-expansion": "^5.0.6" }— overrides every minimatch's brace-expansion to ≥5.0.6, fixingglob,mocha,readdir-glob,tfx-cli.Lock-file patches for
inBundle: truepathsnpm overrides do not reach packages marked
inBundle: true(memory: dependency hard rules). Manually updated:node_modules/@microsoft/powerplatform-cli-wrapper/node_modules/brace-expansion: 5.0.4 → 5.0.6node_modules/minimatch/node_modules/brace-expansion(azure-pipelines-task-lib bundled): 1.1.12 → 1.1.15node_modules/picomatch(inBundle=true): 2.3.1 → 2.3.2Each patch includes the npm-published `integrity` hash.
Result
All brace-expansion entries in `package-lock.json`:
All picomatch entries:
Test plan
Not in this PR
🤖 Generated with Claude Code