[MLIR][lldb-dap][utils] CVE-2025-5889 reported for brace-expansion 1.1.11 and 2.0.1 dependencies

[StephanTLavavej]

CVE-2025-5889 is a low-severity vulnerability in brace-expansion 1.1.11 and 2.0.1, published on 2025-06-09:

A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0.
[...]
Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this issue.

LLVM has a few dependencies on these versions; can they be updated?

llvm-project/mlir/utils/tree-sitter-mlir/package-lock.json

Lines 25 to 26 in e1d45b1

	"node_modules/brace-expansion": {
	"version": "2.0.1",

llvm-project/mlir/utils/vscode/package-lock.json

Lines 290 to 291 in e1d45b1

	"node_modules/brace-expansion": {
	"version": "1.1.11",

llvm-project/lldb/tools/lldb-dap/package-lock.json

Lines 709 to 710 in e1d45b1

	"node_modules/brace-expansion": {
	"version": "1.1.11",

llvm-project/llvm/utils/vscode/llvm/package-lock.json

Lines 95 to 96 in e1d45b1

	"node_modules/brace-expansion": {
	"version": "1.1.11",

The MSVC repo has llvm-project as a submodule - actually twice - and this is being reported by Microsoft's automated dependency scans, which is how it came to my attention.

[llvmbot]

@llvm/issue-subscribers-mlir

Author: Stephan T. Lavavej (StephanTLavavej)

[CVE-2025-5889](https://nvd.nist.gov/vuln/detail/CVE-2025-5889) is a low-severity vulnerability in brace-expansion 1.1.11 and 2.0.1, published on 2025-06-09:

> A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0.
> [...]
> Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this issue.

LLVM has a few dependencies on these versions; can they be updated?

llvm-project/mlir/utils/tree-sitter-mlir/package-lock.json

Lines 25 to 26 in e1d45b1

	"node_modules/brace-expansion": {
	"version": "2.0.1",

llvm-project/mlir/utils/vscode/package-lock.json

Lines 290 to 291 in e1d45b1

	"node_modules/brace-expansion": {
	"version": "1.1.11",

llvm-project/lldb/tools/lldb-dap/package-lock.json

Lines 709 to 710 in e1d45b1

	"node_modules/brace-expansion": {
	"version": "1.1.11",

llvm-project/llvm/utils/vscode/llvm/package-lock.json

Lines 95 to 96 in e1d45b1

	"node_modules/brace-expansion": {
	"version": "1.1.11",

The MSVC repo has llvm-project as a submodule - actually twice - and this is being reported by Microsoft's automated dependency scans, which is how it came to my attention.

[llvmbot]

@llvm/issue-subscribers-lldb-dap

Author: Stephan T. Lavavej (StephanTLavavej)

[CVE-2025-5889](https://nvd.nist.gov/vuln/detail/CVE-2025-5889) is a low-severity vulnerability in brace-expansion 1.1.11 and 2.0.1, published on 2025-06-09:

> A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0.
> [...]
> Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this issue.

LLVM has a few dependencies on these versions; can they be updated?

llvm-project/mlir/utils/tree-sitter-mlir/package-lock.json

Lines 25 to 26 in e1d45b1

	"node_modules/brace-expansion": {
	"version": "2.0.1",

llvm-project/mlir/utils/vscode/package-lock.json

Lines 290 to 291 in e1d45b1

	"node_modules/brace-expansion": {
	"version": "1.1.11",

llvm-project/lldb/tools/lldb-dap/package-lock.json

Lines 709 to 710 in e1d45b1

	"node_modules/brace-expansion": {
	"version": "1.1.11",

llvm-project/llvm/utils/vscode/llvm/package-lock.json

Lines 95 to 96 in e1d45b1

	"node_modules/brace-expansion": {
	"version": "1.1.11",

The MSVC repo has llvm-project as a submodule - actually twice - and this is being reported by Microsoft's automated dependency scans, which is how it came to my attention.