[BUG] CVE CVE-2026-25547 @isaacs/brace-expansion version 5.0.0

[huakaibird]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

Our security scan tool reported this CVE: CVE-2026-25547 @isaacs/brace-expansion version 5.0.0

https://nvd.nist.gov/vuln/detail/CVE-2026-25547

@isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1.

Expected Behavior

No response

Steps To Reproduce

Environment

• npm: 11.10.1

[pancakeslp]

Could you explain how this is different to your issue #8958 ?
as CVE-2026-25547 and GHSA-7h2j-956f-4vf2 point to the same issue

Also when I install npm 11.10.1, and I dont see @isaacs/brace-expansion included
Replication

mkdir /tmp/npmtest
cd /tmp/npmtest
npm install npm@11.10.1
npm ls @isaacs/brace-expansion

npm ls output

MINGW64 /tmp/npmtest
$ npm ls @isaacs/brace-expansion
npmtest@ C:\Users\606461649\AppData\Local\Temp\npmtest
`-- (empty)