Brace-expansion vulnerability

[haggishunt56]

A dependency used by Minimatch (brace-expansion) has a vulnerability, CVE-2025-5889 which is patched in the latest version. Minimatch version must be updated when the fix is available.

isaacs/minimatch#255 (review)

[carlos-verdes]

@isaacs node-glob should update minimatch dependency to avoid this issue

[alumni]

Projects using node-glob should update their transitive dependencies. minimatch requires brace-expansion@^2.0.1 which can be resolved to 2.0.2 which is patched.

This issue should be closed.

Honestly, the bigger problem is glob@7.2.3 is still quite used by a lot of packages and brings in inflight 😏