Skip to content

Fix CVEs related to brace-expansion in eng sys scripts#3046

Open
vukelich wants to merge 2 commits into
mainfrom
users/vukelich/bracedep
Open

Fix CVEs related to brace-expansion in eng sys scripts#3046
vukelich wants to merge 2 commits into
mainfrom
users/vukelich/bracedep

Conversation

@vukelich

@vukelich vukelich commented Jul 15, 2026

Copy link
Copy Markdown
Member

What does this PR do?

Regenerated package-lock.json to pick up @vscode/vsce 3.9.2. As an added bonus, this vsce version simplifies its transitive dependencies so that we only pull in one minimatch and brace-expansion version.

Before and after npm explain brace-expansion to see the resolution and dependency graph:

Before. minimatch has the direct dependency on brace-expansion and varies by minimatch version. vsce directly depends on minimatch, but a different version than what glob depends on:

[PS] Q:\c\microsoft-mcp\eng\vsix-tools>npm explain brace-expansion
brace-expansion@1.1.12 dev
node_modules/brace-expansion
  brace-expansion@"^1.1.7" from minimatch@3.1.5
  node_modules/minimatch
    minimatch@"^3.0.3" from @vscode/vsce@3.7.1
    node_modules/@vscode/vsce
      dev @vscode/vsce@"~3" from the root project

brace-expansion@5.0.4 dev
node_modules/glob/node_modules/brace-expansion
  brace-expansion@"^5.0.2" from minimatch@10.2.4
  node_modules/glob/node_modules/minimatch
    minimatch@"^10.1.1" from glob@11.1.0
    node_modules/glob
      glob@"^11.0.0" from @vscode/vsce@3.7.1
      node_modules/@vscode/vsce
        dev @vscode/vsce@"~3" from the root project

After. vsce and glob depend on the same version of minimatch and thus same version of brace-expansion

[PS] Q:\c\microsoft-mcp-bracedep\eng\vsix-tools [users/vukelich/bracedep +0 ~1 -0 ~]>npm explain brace-expansion
brace-expansion@5.0.7 dev
node_modules/brace-expansion
  brace-expansion@"^5.0.5" from minimatch@10.2.5
  node_modules/minimatch
    minimatch@"^10.2.2" from @vscode/vsce@3.9.2
    node_modules/@vscode/vsce
      dev @vscode/vsce@"~3" from the root project
    minimatch@"^10.2.2" from glob@13.0.6
    node_modules/glob
      glob@"^13.0.6" from @vscode/vsce@3.9.2
      node_modules/@vscode/vsce
        dev @vscode/vsce@"~3" from the root project

GitHub issue number?

Fixes #3045. See for list of CVEs and links to Component Governance findings.

Pre-merge Checklist

  • Required for All PRs
    • Read contribution guidelines
    • PR title clearly describes the change
    • Commit history is clean with descriptive messages (cleanup guide)
    • Added comprehensive tests for new/modified functionality
    • Created a changelog entry if the change falls among the following: new feature, bug fix, UI/UX update, breaking change, or updated dependencies. Follow the changelog entry guide
  • For MCP tool changes:
    • One tool per PR: This PR adds or modifies only one MCP tool for faster review cycles
    • Updated servers/Azure.Mcp.Server/README.md and/or servers/Fabric.Mcp.Server/README.md documentation
    • Validate README.md changes running the script ./eng/scripts/Process-PackageReadMe.ps1. See Package README
    • For new or modified tool descriptions, ran ToolDescriptionEvaluator and obtained a score of 0.4 or more and a top 3 ranking for all related test prompts
    • For tools with new names, including new tools or renamed tools, update consolidated-tools.json
    • For renamed tools, follow the Tool Rename Checklist and tag the PR with the breaking-change label
    • For new tools associated with Azure services or publicly available tools/APIs/products, add URL to documentation in the PR description
  • Extra steps for Azure MCP Server tool changes:
    • Updated command list in servers/Azure.Mcp.Server/docs/azmcp-commands.md
    • Ran ./eng/scripts/Update-AzCommandsMetadata.ps1 to update tool metadata in azmcp-commands.md (required for CI)
    • Updated test prompts in servers/Azure.Mcp.Server/docs/e2eTestPrompts.md
    • 👉 For Community (non-Microsoft team member) PRs:
      • Security review: Reviewed code for security vulnerabilities, malicious code, or suspicious activities before running tests (crypto mining, spam, data exfiltration, etc.)
      • Manual tests run: added comment /azp run mcp - pullrequest - live to run Live Test Pipeline

…g package-lock.json to pick up @vscode/vsce 3.9.2. As an added bonus, this vsce version simplifies its transitive dependencies so that we only pull in one minimatch and brace-expansion version.
Copilot AI review requested due to automatic review settings July 15, 2026 17:46
@vukelich vukelich requested review from a team as code owners July 15, 2026 17:46
@azure-pipelines

Copy link
Copy Markdown
Azure Pipelines:
Successfully started running 1 pipeline(s).
There may be pipelines that require an authorized user to comment /azp run to run.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot wasn't able to review any files in this pull request.

Files not reviewed (1)
  • eng/vsix-tools/package-lock.json: Generated file

Comment thread eng/vsix-tools/package-lock.json
…les to use Node 22. This mirrors the previous commit's updated vsce trasitive dependencies. This choice is purely subjective by vukelich. This change does not modify the various build pipelines that install Node 24.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

CVEs for transitive brace-expansion NPM dependency

3 participants