<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
<a href="https://github.com/llvm/llvm-project/issues/151598">151598</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            [MLIR][lldb-dap][utils] CVE-2025-5889 reported for brace-expansion 1.1.11 and 2.0.1 dependencies
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            mlir
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          StephanTLavavej
      </td>
    </tr>
</table>

<pre>
[CVE-2025-5889](https://nvd.nist.gov/vuln/detail/CVE-2025-5889) is a low-severity vulnerability in brace-expansion 1.1.11 and 2.0.1, published on 2025-06-09:

> A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0.
> [...]
> Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this issue.

LLVM has a few dependencies on these versions; can they be updated?

https://github.com/llvm/llvm-project/blob/e1d45b1b97c1f18e5a5fb9db8621ae4b34ba0ab1/mlir/utils/tree-sitter-mlir/package-lock.json#L25-L26
https://github.com/llvm/llvm-project/blob/e1d45b1b97c1f18e5a5fb9db8621ae4b34ba0ab1/mlir/utils/vscode/package-lock.json#L290-L291
https://github.com/llvm/llvm-project/blob/e1d45b1b97c1f18e5a5fb9db8621ae4b34ba0ab1/lldb/tools/lldb-dap/package-lock.json#L709-L710
https://github.com/llvm/llvm-project/blob/e1d45b1b97c1f18e5a5fb9db8621ae4b34ba0ab1/llvm/utils/vscode/llvm/package-lock.json#L95-L96

The MSVC repo has llvm-project as a submodule - actually twice - and this is being reported by Microsoft's automated dependency scans, which is how it came to my attention.
</pre>
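The kind of lockfile check the reporter's automated dependency scan performs, as an added example that is not part of the issue or of LLVM's code: it reads both package-lock.json layouts (the flat `packages` map of lockfile v2/v3 and the nested `dependencies` tree of v1) and flags every brace-expansion copy older than the fixed release on its major line. The two sample lockfiles are constructed for the example; the fixed versions come from the advisory quoted above.

```python
"""Flag brace-expansion versions hit by CVE-2025-5889 in package-lock.json data."""
import json

# First fixed release on each major line, per the advisory quoted above.
FIXED = {1: (1, 1, 12), 2: (2, 0, 2), 3: (3, 0, 1), 4: (4, 0, 1)}

# Constructed sample lockfiles (not LLVM's real ones): a v3 flat 'packages'
# layout and a v1 nested 'dependencies' layout, each mixing patched and affected copies.
SAMPLE_LOCK_V3 = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "sample"},
    "node_modules/brace-expansion": {"version": "2.0.1"},
    "node_modules/minimatch": {"version": "3.1.2"},
    "node_modules/minimatch/node_modules/brace-expansion": {"version": "1.1.11"},
    "node_modules/glob/node_modules/brace-expansion": {"version": "1.1.12"},
}})
SAMPLE_LOCK_V1 = json.dumps({"lockfileVersion": 1, "dependencies": {
    "minimatch": {"version": "3.0.4",
                  "dependencies": {"brace-expansion": {"version": "1.1.11"}}},
    "brace-expansion": {"version": "4.0.1"},
}})

def parse_version(v):
    """'1.1.11' -> (1, 1, 11); a pre-release suffix such as '-beta.1' is dropped."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def is_affected(version):
    """True when this brace-expansion version predates the fix on its major line."""
    parsed = parse_version(version)
    fixed = FIXED.get(parsed[0])
    return fixed is not None and parsed < fixed

def find_brace_expansion(lock):
    """Yield (install path, version) for every brace-expansion entry, reading both
    the flat 'packages' map (lockfile v2/v3) and the nested 'dependencies' tree (v1/v2)."""
    for path, meta in lock.get("packages", {}).items():
        if path.split("node_modules/")[-1] == "brace-expansion" and "version" in meta:
            yield path, meta["version"]
    stack = [("", lock.get("dependencies", {}))]   # (path prefix, subtree)
    while stack:
        prefix, deps = stack.pop()
        for name, meta in deps.items():
            path = f"{prefix}node_modules/{name}"
            if name == "brace-expansion" and "version" in meta:
                yield path, meta["version"]
            stack.append((path + "/", meta.get("dependencies", {})))

def vulnerable_entries(lock_text):
    """Return sorted, de-duplicated [(path, version)] of affected entries."""
    lock = json.loads(lock_text)
    return sorted({(p, v) for p, v in find_brace_expansion(lock) if is_affected(v)})
```

Nested copies matter here: a patched top-level brace-expansion does not clear a second, older copy pinned under another dependency such as minimatch, which is exactly what a flat version grep would miss.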