Merged
vnbaaij approved these changes Nov 6, 2025
vnbaaij added a commit that referenced this pull request Feb 12, 2026
* Update NuGet package for fixing CVE. See dotnet/announcements#327
* Non-altering change to force mirroring
* Clean up issue tester
* Small text formatting change to force deploy
* Update workflows
* Update README
* Update to latest JavaScript SDK
* Add global.json
* Update workflow to use .NET 9
* Remove net10.0 TFM for now
* Set dotnet 9.0.204
* Update deploy_demo.yml to use 9.0.204
* Update home page
* Also *temporarily* remove .NET 10 TFM for DataGrid Adapters
* Update workflows
* Try to get preview docs up again
* Use latest .NET 9 SDK for GH Actions
* Remove mention of v3 site
* Update global.json
* Test deploy to new SWA
* Update JavaScript SDK
* Try older JavaScript SDK
* Use .204 SDK on all actions
* Newer JavaScript SDK with .NET .204 SDK
* Deploy demo to 2 SWAs
* Fix id's
* Everything tied to .204 and add sub subscription
* Get sources copied
* Try again
* Tweak message
* Try again
* Try again
* Try swa.config.json
* Try extension
* Revert config.json change
* Use correct codeql action
* Include build step in actions
* Set SDK for ADO pipelines
* Add es metadata (#4131)
* Merge pull request 53130 from invBootstrap into main
* Update TSAOptions codebaseName (#4196)
* Update TSAOptions codebaseName
* Try to start the Mirroring
* Update pipeline for real signing with PME enforcement
* Add a trigger on main and a tag (v*)
* Overwrite FocusAsync in FluentAutoComplete (#4230) Co-authored-by: Vincent Baaij <vnbaaij@outlook.com>
* Update whats new after cherry pick
* Try to fix deploy error
* Different fix
* Take 3
* Take 4
* Take 5
* Take 6
* Disable main branch in the All-lib YAML file
* Fix CVE-2025-5889 (#4292)
* Update version and update publish local script
* Use correct version in global.json
* ADO Pipelines no longer need to be tied to specific net 9 sdk
* Delete global.json

---------

Co-authored-by: Denis Voituron <dvoituron@outlook.com>
Co-authored-by: MerlinBot <MerlinBot>
Co-authored-by: Marvin Klein <32510006+MarvinKlein1508@users.noreply.github.com>
[main] Fix CVE-2025-5889
Description
A vulnerability was found in juliangruber brace-expansion up to 1.1.11/2.0.1/3.0.0/4.0.0. It has been rated as problematic. Affected by this issue is the function expand of the file index.js. The manipulation leads to inefficient regular expression complexity. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.12, 2.0.2, 3.0.1 and 4.0.1 is able to address this issue. The name of the patch is a5b98a4f30d7813266b221435e1eaaf25a1b0ac5. It is recommended to upgrade the affected component.
Recommendation
Upgrade brace-expansion from 1.1.11 to 1.1.12 to fix the vulnerability.
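A lockfile check for the upgrade recommended above, as an added example that is not part of the pull request or the project's own code. It goes beyond the single 1.1.11 to 1.1.12 bump and flags every installed brace-expansion copy, including nested transitive ones, that is below the fixed release for its major line as listed in the description; the function names and the sample lockfile are constructed for illustration.

```javascript
// Fixed release per major line, taken from the advisory text in the description.
const FIXED = { 1: [1, 1, 12], 2: [2, 0, 2], 3: [3, 0, 1], 4: [4, 0, 1] };

// Returns true (affected), false (fixed), or null (unparseable version or a
// major line the advisory does not list, which needs manual review).
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version));
  if (!m) return null;
  const v = m.slice(1).map(Number);
  const fixed = FIXED[v[0]];
  if (!fixed) return null;
  for (let i = 0; i < 3; i++) {
    if (v[i] !== fixed[i]) return v[i] < fixed[i];
  }
  return false; // exactly the fixed release
}

// Collects every installed copy from a parsed package-lock.json object.
function findBraceExpansion(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/brace-expansion")) {
      hits.push({ path, version: meta.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists).
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "brace-expansion") hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits.map((h) => ({ ...h, affected: isAffected(h.version) }));
}

// Constructed sample lockfile (not taken from the pull request).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/brace-expansion": { version: "1.1.11" },
    "node_modules/glob/node_modules/brace-expansion": { version: "2.0.2" },
  },
};
for (const hit of findBraceExpansion(SAMPLE_LOCK)) {
  console.log(hit.affected ? "AFFECTED" : hit.affected === null ? "REVIEW" : "ok", hit.path, hit.version);
}
```

A `null` result means the version could not be classified from the advisory's list and should be reviewed by hand rather than treated as safe.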