merge queue: embarking main (b6e0665) and [#1948 + #1949] together

[mergify]

🎉 This combination of pull requests has been checked successfully and will be merged soon. 🎉

Branch main (b6e0665) and [#1948 + #1949] are embarked together for merge.

This pull request has been created by Mergify to speculatively check the mergeability of [#1948 + #1949].
You don't need to do anything. Mergify will close this pull request automatically when it is complete.

Required conditions of queue rule Github Actions Updates for merge:

• any of [🛡 GitHub repository ruleset rule main]:
  • check-neutral = Mergify Merge Protections
  • check-skipped = Mergify Merge Protections
  • check-success = Mergify Merge Protections

Required conditions to stay in the queue:

• author = renovate[bot]
  • Update docker/metadata-action action to v6.1.0 #1948
  • Update github/codeql-action action to v4.36.0 #1949
• any of:
  • files ~= ^.github/workflows
    • Update docker/metadata-action action to v6.1.0 #1948
    • Update github/codeql-action action to v4.36.0 #1949
  • files ~= action.yaml$
    • Update docker/metadata-action action to v6.1.0 #1948
    • Update github/codeql-action action to v4.36.0 #1949
• any of [🛡 GitHub repository ruleset rule main]:
  • check-neutral = Mergify Merge Protections
    • Update docker/metadata-action action to v6.1.0 #1948
    • Update github/codeql-action action to v4.36.0 #1949
  • check-skipped = Mergify Merge Protections
    • Update docker/metadata-action action to v6.1.0 #1948
    • Update github/codeql-action action to v4.36.0 #1949
  • check-success = Mergify Merge Protections
    • Update docker/metadata-action action to v6.1.0 #1948
    • Update github/codeql-action action to v4.36.0 #1949

---
checking_base_sha: b6e0665e994e06680c450b3f65d66ac430c87509
previous_failed_batches: []
pull_requests:
  - number: 1948
    scopes: []
  - number: 1949
    scopes: []
scopes: []
...

[semanticdiff-com]

Review changes with  

Changed Files

File	Status
.github/workflows/.lint.yaml	17% smaller
.github/workflows/daily-malicious-code-scan.lock.yml	17% smaller
.github/workflows/.docker.yaml	16% smaller

[sourcery-ai]

Reviewer's guide (collapsed on small PRs)

Reviewer's Guide

This PR updates GitHub Actions workflow dependencies by bumping docker/metadata-action and github/codeql-action/upload-sarif to newer pinned SHAs across build, lint, container scanning, and daily malicious code scan workflows as part of a merge-queue batch for #1948 and #1949.

Flow diagram for updated GitHub Actions security scanning and SARIF upload

flowchart TD
    subgraph Build_and_Scan_Workflows
        A[Docker_build_and_scan_workflows]
        B[Lint_and_SAST_workflows]
        C[Daily_malicious_code_scan]
    end

    A --> D[docker/metadata-action_v6_1_0]

    A --> E[Anchore_scan]
    A --> F[Trivy_image_scan]
    A --> G[Dockle_scan]

    B --> H[Ruff_scan]
    B --> I[Anchore_scan_lint]
    B --> J[Trivy_scan_lint]
    B --> K[Hadolint_scan]

    C --> L[GH_AW_scanners]

    E --> M[github/codeql-action/upload-sarif_v4_36_0]
    F --> M
    G --> M
    H --> M
    I --> M
    J --> M
    K --> M
    L --> M

    M --> N[GitHub_Code_Scanning_and_Security_tab]

Loading

File-Level Changes

Change	Details	Files
Bump docker/metadata-action used in Docker workflow to v6.1.0.	Update pinned SHA of docker/metadata-action from v6.0.0 to v6.1.0 for Docker image metadata generation in CI	.github/workflows/.docker.yaml
Bump github/codeql-action/upload-sarif to v4.36.0 across CI workflows.	Update pinned SHA for upload-sarif in Docker scanning jobs (Anchore, Trivy, Dockle) to v4.36.0 Update pinned SHA for upload-sarif in lint workflow for Ruff, Anchore, Trivy, and Hadolint SARIF uploads to v4.36.0 Update pinned SHA for upload-sarif in daily malicious code scan lock workflow to v4.36.0	.github/workflows/.docker.yaml .github/workflows/.lint.yaml .github/workflows/daily-malicious-code-scan.lock.yml

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[MH0386]

🔍 Vulnerabilities of ghcr.io/alphaspheredotai/chattr:e31b540-pr-1951

📦 Image Reference ghcr.io/alphaspheredotai/chattr:e31b540-pr-1951

digest	sha256:1c286f404744f2ad66b24eab187563c7aa22bc836af3e18a5683088a2cb04132
vulnerabilities
platform	linux/amd64
size	269 MB
packages	425

glibc-locale-posix 2.43-r6 (apk) pkg:apk/wolfi/glibc-locale-posix@2.43-r6?arch=x86_64&distro=wolfi # Dockerfile (1:14) FROM cgr.dev/chainguard/wolfi-base:latest@sha256:1af610c4a70668dad46159ee178b20378c79a49b554f76405670fc442d30183a AS builder ARG INSTALL_SOURCE ARG PYTHON_VERSION # skipcq: DOK-DL3018 RUN apk add --no-cache build-base git uv USER nonroot RUN --mount=type=cache,target=/root/.cache/uv \ uv tool install ${INSTALL_SOURCE} --python ${PYTHON_VERSION} FROM cgr.dev/chainguard/wolfi-base:latest@sha256:1af610c4a70668dad46159ee178b20378c79a49b554f76405670fc442d30183a AS production Affected range <2.43-r7 Fixed version 2.43-r7 EPSS Score 0.049% EPSS Percentile 15th percentile Description Affected range <2.43-r7 Fixed version 2.43-r7 EPSS Score 0.046% EPSS Percentile 14th percentile Description

ld-linux 2.43-r6 (apk) pkg:apk/wolfi/ld-linux@2.43-r6?arch=x86_64&origin=glibc # Dockerfile (1:14) FROM cgr.dev/chainguard/wolfi-base:latest@sha256:1af610c4a70668dad46159ee178b20378c79a49b554f76405670fc442d30183a AS builder ARG INSTALL_SOURCE ARG PYTHON_VERSION # skipcq: DOK-DL3018 RUN apk add --no-cache build-base git uv USER nonroot RUN --mount=type=cache,target=/root/.cache/uv \ uv tool install ${INSTALL_SOURCE} --python ${PYTHON_VERSION} FROM cgr.dev/chainguard/wolfi-base:latest@sha256:1af610c4a70668dad46159ee178b20378c79a49b554f76405670fc442d30183a AS production Affected range <2.43-r7 Fixed version 2.43-r7 EPSS Score 0.049% EPSS Percentile 15th percentile Description Affected range <2.43-r7 Fixed version 2.43-r7 EPSS Score 0.046% EPSS Percentile 14th percentile Description

libcrypt1 2.43-r6 (apk) pkg:apk/wolfi/libcrypt1@2.43-r6?arch=x86_64&distro=wolfi-20230201&upstream=glibc # Dockerfile (1:14) FROM cgr.dev/chainguard/wolfi-base:latest@sha256:1af610c4a70668dad46159ee178b20378c79a49b554f76405670fc442d30183a AS builder ARG INSTALL_SOURCE ARG PYTHON_VERSION # skipcq: DOK-DL3018 RUN apk add --no-cache build-base git uv USER nonroot RUN --mount=type=cache,target=/root/.cache/uv \ uv tool install ${INSTALL_SOURCE} --python ${PYTHON_VERSION} FROM cgr.dev/chainguard/wolfi-base:latest@sha256:1af610c4a70668dad46159ee178b20378c79a49b554f76405670fc442d30183a AS production Affected range <2.43-r7 Fixed version 2.43-r7 EPSS Score 0.049% EPSS Percentile 15th percentile Description Affected range <2.43-r7 Fixed version 2.43-r7 EPSS Score 0.046% EPSS Percentile 14th percentile Description

ld-linux 2.43-r6 (apk) pkg:apk/wolfi/ld-linux@2.43-r6?arch=x86_64&distro=wolfi-20230201&upstream=glibc # Dockerfile (1:14) FROM cgr.dev/chainguard/wolfi-base:latest@sha256:1af610c4a70668dad46159ee178b20378c79a49b554f76405670fc442d30183a AS builder ARG INSTALL_SOURCE ARG PYTHON_VERSION # skipcq: DOK-DL3018 RUN apk add --no-cache build-base git uv USER nonroot RUN --mount=type=cache,target=/root/.cache/uv \ uv tool install ${INSTALL_SOURCE} --python ${PYTHON_VERSION} FROM cgr.dev/chainguard/wolfi-base:latest@sha256:1af610c4a70668dad46159ee178b20378c79a49b554f76405670fc442d30183a AS production Affected range <2.43-r7 Fixed version 2.43-r7 EPSS Score 0.049% EPSS Percentile 15th percentile Description Affected range <2.43-r7 Fixed version 2.43-r7 EPSS Score 0.046% EPSS Percentile 14th percentile Description

glibc-locale-posix 2.43-r6 (apk) pkg:apk/wolfi/glibc-locale-posix@2.43-r6?arch=x86_64&distro=wolfi-20230201&upstream=glibc # Dockerfile (1:14) FROM cgr.dev/chainguard/wolfi-base:latest@sha256:1af610c4a70668dad46159ee178b20378c79a49b554f76405670fc442d30183a AS builder ARG INSTALL_SOURCE ARG PYTHON_VERSION # skipcq: DOK-DL3018 RUN apk add --no-cache build-base git uv USER nonroot RUN --mount=type=cache,target=/root/.cache/uv \ uv tool install ${INSTALL_SOURCE} --python ${PYTHON_VERSION} FROM cgr.dev/chainguard/wolfi-base:latest@sha256:1af610c4a70668dad46159ee178b20378c79a49b554f76405670fc442d30183a AS production Affected range <2.43-r7 Fixed version 2.43-r7 EPSS Score 0.049% EPSS Percentile 15th percentile Description Affected range <2.43-r7 Fixed version 2.43-r7 EPSS Score 0.046% EPSS Percentile 14th percentile Description

glibc-locale-posix 2.43-r6 (apk) pkg:apk/wolfi/glibc-locale-posix@2.43-r6?arch=x86_64&origin=glibc # Dockerfile (1:14) FROM cgr.dev/chainguard/wolfi-base:latest@sha256:1af610c4a70668dad46159ee178b20378c79a49b554f76405670fc442d30183a AS builder ARG INSTALL_SOURCE ARG PYTHON_VERSION # skipcq: DOK-DL3018 RUN apk add --no-cache build-base git uv USER nonroot RUN --mount=type=cache,target=/root/.cache/uv \ uv tool install ${INSTALL_SOURCE} --python ${PYTHON_VERSION} FROM cgr.dev/chainguard/wolfi-base:latest@sha256:1af610c4a70668dad46159ee178b20378c79a49b554f76405670fc442d30183a AS production Affected range <2.43-r7 Fixed version 2.43-r7 EPSS Score 0.049% EPSS Percentile 15th percentile Description Affected range <2.43-r7 Fixed version 2.43-r7 EPSS Score 0.046% EPSS Percentile 14th percentile Description

libcrypt1 2.43-r6 (apk) pkg:apk/wolfi/libcrypt1@2.43-r6?arch=x86_64&distro=wolfi # Dockerfile (1:14) FROM cgr.dev/chainguard/wolfi-base:latest@sha256:1af610c4a70668dad46159ee178b20378c79a49b554f76405670fc442d30183a AS builder ARG INSTALL_SOURCE ARG PYTHON_VERSION # skipcq: DOK-DL3018 RUN apk add --no-cache build-base git uv USER nonroot RUN --mount=type=cache,target=/root/.cache/uv \ uv tool install ${INSTALL_SOURCE} --python ${PYTHON_VERSION} FROM cgr.dev/chainguard/wolfi-base:latest@sha256:1af610c4a70668dad46159ee178b20378c79a49b554f76405670fc442d30183a AS production Affected range <2.43-r7 Fixed version 2.43-r7 EPSS Score 0.049% EPSS Percentile 15th percentile Description Affected range <2.43-r7 Fixed version 2.43-r7 EPSS Score 0.046% EPSS Percentile 14th percentile Description

glibc 2.43-r6 (apk) pkg:apk/wolfi/glibc@2.43-r6?arch=x86_64&origin=glibc # Dockerfile (1:14) FROM cgr.dev/chainguard/wolfi-base:latest@sha256:1af610c4a70668dad46159ee178b20378c79a49b554f76405670fc442d30183a AS builder ARG INSTALL_SOURCE ARG PYTHON_VERSION # skipcq: DOK-DL3018 RUN apk add --no-cache build-base git uv USER nonroot RUN --mount=type=cache,target=/root/.cache/uv \ uv tool install ${INSTALL_SOURCE} --python ${PYTHON_VERSION} FROM cgr.dev/chainguard/wolfi-base:latest@sha256:1af610c4a70668dad46159ee178b20378c79a49b554f76405670fc442d30183a AS production Affected range <2.43-r7 Fixed version 2.43-r7 EPSS Score 0.049% EPSS Percentile 15th percentile Description Affected range <2.43-r7 Fixed version 2.43-r7 EPSS Score 0.046% EPSS Percentile 14th percentile Description

libcrypt1 2.43-r6 (apk) pkg:apk/wolfi/libcrypt1@2.43-r6?arch=x86_64&origin=glibc # Dockerfile (1:14) FROM cgr.dev/chainguard/wolfi-base:latest@sha256:1af610c4a70668dad46159ee178b20378c79a49b554f76405670fc442d30183a AS builder ARG INSTALL_SOURCE ARG PYTHON_VERSION # skipcq: DOK-DL3018 RUN apk add --no-cache build-base git uv USER nonroot RUN --mount=type=cache,target=/root/.cache/uv \ uv tool install ${INSTALL_SOURCE} --python ${PYTHON_VERSION} FROM cgr.dev/chainguard/wolfi-base:latest@sha256:1af610c4a70668dad46159ee178b20378c79a49b554f76405670fc442d30183a AS production Affected range <2.43-r7 Fixed version 2.43-r7 EPSS Score 0.049% EPSS Percentile 15th percentile Description Affected range <2.43-r7 Fixed version 2.43-r7 EPSS Score 0.046% EPSS Percentile 14th percentile Description

ld-linux 2.43-r6 (apk) pkg:apk/wolfi/ld-linux@2.43-r6?arch=x86_64&distro=wolfi # Dockerfile (1:14) FROM cgr.dev/chainguard/wolfi-base:latest@sha256:1af610c4a70668dad46159ee178b20378c79a49b554f76405670fc442d30183a AS builder ARG INSTALL_SOURCE ARG PYTHON_VERSION # skipcq: DOK-DL3018 RUN apk add --no-cache build-base git uv USER nonroot RUN --mount=type=cache,target=/root/.cache/uv \ uv tool install ${INSTALL_SOURCE} --python ${PYTHON_VERSION} FROM cgr.dev/chainguard/wolfi-base:latest@sha256:1af610c4a70668dad46159ee178b20378c79a49b554f76405670fc442d30183a AS production Affected range <2.43-r7 Fixed version 2.43-r7 EPSS Score 0.049% EPSS Percentile 15th percentile Description Affected range <2.43-r7 Fixed version 2.43-r7 EPSS Score 0.046% EPSS Percentile 14th percentile Description

glibc 2.43-r6 (apk) pkg:apk/wolfi/glibc@2.43-r6?arch=x86_64&distro=wolfi # Dockerfile (1:14) FROM cgr.dev/chainguard/wolfi-base:latest@sha256:1af610c4a70668dad46159ee178b20378c79a49b554f76405670fc442d30183a AS builder ARG INSTALL_SOURCE ARG PYTHON_VERSION # skipcq: DOK-DL3018 RUN apk add --no-cache build-base git uv USER nonroot RUN --mount=type=cache,target=/root/.cache/uv \ uv tool install ${INSTALL_SOURCE} --python ${PYTHON_VERSION} FROM cgr.dev/chainguard/wolfi-base:latest@sha256:1af610c4a70668dad46159ee178b20378c79a49b554f76405670fc442d30183a AS production Affected range <2.43-r7 Fixed version 2.43-r7 EPSS Score 0.049% EPSS Percentile 15th percentile Description Affected range <2.43-r7 Fixed version 2.43-r7 EPSS Score 0.046% EPSS Percentile 14th percentile Description

picomatch 4.0.3 (npm) pkg:npm/picomatch@4.0.3 # Dockerfile (28:28) COPY --from=builder --chown=nonroot:nonroot --chmod=555 /home/nonroot/.local/ /home/nonroot/.local/ Inefficient Regular Expression Complexity Affected range >=4.0.0 <4.0.4 Fixed version 4.0.4 CVSS Score 7.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H EPSS Score 0.019% EPSS Percentile 5th percentile Description Impact picomatch is vulnerable to Regular Expression Denial of Service (ReDoS) when processing crafted extglob patterns. Certain patterns using extglob quantifiers such as +() and *(), especially when combined with overlapping alternatives or nested extglobs, are compiled into regular expressions that can exhibit catastrophic backtracking on non-matching input. Examples of problematic patterns include +(a|aa), +(*|?), +(+(a)), *(+(a)), and +(+(+(a))). In local reproduction, these patterns caused multi-second event-loop blocking with relatively short inputs. For example, +(a|aa) compiled to ^(?:(?=.)(?:a|aa)+)$ and took about 2 seconds to reject a 41-character non-matching input, while nested patterns such as +(+(a)) and *(+(a)) took around 29 seconds to reject a 33-character input on a modern M1 MacBook. Applications are impacted when they allow untrusted users to supply glob patterns that are passed to picomatch for compilation or matching. In those cases, an attacker can cause excessive CPU consumption and block the Node.js event loop, resulting in a denial of service. Applications that only use trusted, developer-controlled glob patterns are much less likely to be exposed in a security-relevant way. Patches This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. Workarounds If upgrading is not immediately possible, avoid passing untrusted glob patterns to picomatch. Possible mitigations include: disable extglob support for untrusted patterns by using noextglob: true reject or sanitize patterns containing nested extglobs or extglob quantifiers such as +() and *() enforce strict allowlists for accepted pattern syntax run matching in an isolated worker or separate process with time and resource limits apply application-level request throttling and input validation for any endpoint that accepts glob patterns Resources Picomatch repository: https://github.com/micromatch/picomatch lib/parse.js and lib/constants.js are involved in generating the vulnerable regex forms Comparable ReDoS precedent: CVE-2024-4067 (micromatch) Comparable generated-regex precedent: CVE-2024-45296 (path-to-regexp) Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') Affected range >=4.0.0 <4.0.4 Fixed version 4.0.4 CVSS Score 5.3 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N EPSS Score 0.057% EPSS Percentile 18th percentile Description Impact picomatch is vulnerable to a method injection vulnerability (CWE-1321) affecting the POSIX_REGEX_SOURCE object. Because the object inherits from Object.prototype, specially crafted POSIX bracket expressions (e.g., [[:constructor:]]) can reference inherited method names. These methods are implicitly converted to strings and injected into the generated regular expression. This leads to incorrect glob matching behavior (integrity impact), where patterns may match unintended filenames. The issue does not enable remote code execution, but it can cause security-relevant logic errors in applications that rely on glob matching for filtering, validation, or access control. All users of affected picomatch versions that process untrusted or user-controlled glob patterns are potentially impacted. Patches This issue is fixed in picomatch 4.0.4, 3.0.2 and 2.3.2. Users should upgrade to one of these versions or later, depending on their supported release line. Workarounds If upgrading is not immediately possible, avoid passing untrusted glob patterns to picomatch. Possible mitigations include: Sanitizing or rejecting untrusted glob patterns, especially those containing POSIX character classes like [[:...:]]. Avoiding the use of POSIX bracket expressions if user input is involved. Manually patching the library by modifying POSIX_REGEX_SOURCE to use a null prototype: const POSIX_REGEX_SOURCE = { __proto__: null, alnum: 'a-zA-Z0-9', alpha: 'a-zA-Z', // ... rest unchanged }; Resources fix for similar issue: fix: exception when glob pattern contains constructor micromatch/picomatch#144 picomatch repository https://github.com/micromatch/picomatch

pdfjs-dist 3.11.174 (npm) pkg:npm/pdfjs-dist@3.11.174 # Dockerfile (28:28) COPY --from=builder --chown=nonroot:nonroot --chmod=555 /home/nonroot/.local/ /home/nonroot/.local/ Improper Check for Unusual or Exceptional Conditions Affected range <=4.1.392 Fixed version 4.2.67 CVSS Score 8.8 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H EPSS Score 38.342% EPSS Percentile 97th percentile Description Impact If pdf.js is used to load a malicious PDF, and PDF.js is configured with isEvalSupported set to true (which is the default value), unrestricted attacker-controlled JavaScript will be executed in the context of the hosting domain. Patches The patch removes the use of eval: mozilla/pdf.js#18015 Workarounds Set the option isEvalSupported to false. References https://bugzilla.mozilla.org/show_bug.cgi?id=1893645

brace-expansion 5.0.4 (npm) pkg:npm/brace-expansion@5.0.4 # Dockerfile (28:28) COPY --from=builder --chown=nonroot:nonroot --chmod=555 /home/nonroot/.local/ /home/nonroot/.local/ Uncontrolled Resource Consumption Affected range >=5.0.0 <5.0.6 Fixed version 5.0.6 CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H Description The max option was being applied too late: When expanding a single large numeric range like {1..10000000}, the sequence generation loop generates all 10 million intermediate elements before the max limit is applied With max=10, the output is correctly limited to 10 items, but the process still allocates ~505 MB and spends ~800ms building the full intermediate array. Workaround Ensure the string to be expanded doesn't contain more values than the desired max item count. Uncontrolled Resource Consumption Affected range >=4.0.0 <5.0.5 Fixed version 5.0.5 CVSS Score 6.5 CVSS Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H EPSS Score 0.024% EPSS Percentile 7th percentile Description Impact A brace pattern with a zero step value (e.g., {1..2..0}) causes the sequence generation loop to run indefinitely, making the process hang for seconds and allocate heaps of memory. The loop in question: https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L184 test() is one of https://github.com/juliangruber/brace-expansion/blob/daa71bcb4a30a2df9bcb7f7b8daaf2ab30e5794a/src/index.ts#L107-L113 The increment is computed as Math.abs(0) = 0, so the loop variable never advances. On a test machine, the process hangs for about 3.5 seconds and allocates roughly 1.9 GB of memory before throwing a RangeError. Setting max to any value has no effect because the limit is only checked at the output combination step, not during sequence generation. This affects any application that passes untrusted strings to expand(), or by error sets a step value of 0. That includes tools built on minimatch/glob that resolve patterns from CLI arguments or config files. The input needed is just 10 bytes. Patches Upgrade to versions 5.0.5+ A step increment of 0 is now sanitized to 1, which matches bash behavior. Workarounds Sanitize strings passed to expand() to ensure a step value of 0 is not used.

ip-address 10.1.0 (npm) pkg:npm/ip-address@10.1.0 # Dockerfile (28:28) COPY --from=builder --chown=nonroot:nonroot --chmod=555 /home/nonroot/.local/ /home/nonroot/.local/ Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Affected range <=10.1.0 Fixed version 10.1.1 CVSS Score 5.3 CVSS Vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N EPSS Score 0.036% EPSS Percentile 11th percentile Description Summary Address6.group() and Address6.link() do not HTML-escape attacker-controlled content before embedding it in the HTML strings they return, and AddressError.parseMessage (emitted by the Address6 constructor for invalid input) can contain unescaped attacker-controlled content in one branch. An application that (1) passes untrusted input to Address6 and (2) renders the output of these methods, or the thrown error's parseMessage, as HTML (e.g. via innerHTML) is vulnerable to cross-site scripting. A related issue in v6.helpers.spanAll() produced malformed markup but was not exploitable; it is hardened in the same release for consistency. Details Four related issues were identified and fixed together: Address6.group(): zone ID injection. The Address6 constructor stores the raw input (including any IPv6 zone ID) in this.address before zone stripping. group() then passed this.address to helpers.simpleGroup(), which wrapped each :-separated segment in a <span> element without HTML-escaping the content. A zone ID containing HTML markup was embedded verbatim. Address6.link({ prefix, className }): attribute-value injection. link() concatenated user-supplied prefix and className into the href="…" and class="…" attributes without escaping. A caller passing untrusted content through these options could inject event handlers (e.g. onmouseover) and achieve XSS. Address6 constructor: leading-zero IPv4 error path. The leading-zero branch in parse4in6() built AddressError.parseMessage by concatenating the raw address through String.replace(). Because parse4in6() runs before the bad-character check, any characters in the groups preceding the IPv4 suffix flowed into the error's HTML unescaped. Consumers who render parseMessage as HTML (its documented purpose — it already contains <span class="parse-error"> markup) could be XSS'd by a crafted input such as <img src=x onerror=alert(1)>:10.0.01.1. v6.helpers.spanAll(): attribute-value injection (defense in depth). spanAll() embedded each character of its input into a class="digit value-${n} …" attribute without escaping. Because split('') limits n to a single character this was not exploitable in practice, but it produced malformed markup and is fixed for consistency. Affected Versions All versions up to and including 10.1.0. Patched Version 10.1.1. Impact Real-world exposure is believed to be extremely limited. Analysis of all 425 dependent npm packages as well as GitHub code search found zero consumers of group(), link(), or spanAll(): these HTML-emitting surfaces appear to be unused across published npm packages and public repositories. Applications using only the address-parsing and comparison APIs (isValid, correctForm, isInSubnet, bigInt, etc.) are not affected. Consumers who do render the output of group(), link(), spanAll(), or AddressError.parseMessage as HTML against untrusted input should upgrade. PoC const { Address6 } = require('ip-address'); const addr = new Address6('fe80::1%<img src=x onerror=alert(1)>'); document.body.innerHTML = addr.group(); // fires the onerror handler in 10.1.0 Workarounds If users cannot upgrade immediately: Do not pass untrusted input to the Address6 constructor, or Never render the output of group(), link(), or spanAll(), nor the parseMessage field of any thrown AddressError, as HTML; treat these values as text only, or run them through DOMPurify before inserting into the DOM (DOMPurify's default configuration preserves the library's intended <span> wrapping while stripping any injected event handlers), or Validate input with Address6.isValid() and reject anything that contains a zone identifier (a % character) or characters outside [0-9a-fA-F:/] before passing it to the constructor. Lack of separate CVEs Given the evidence that these methods are not used, and given that they are all of the same construction, maintainers do not think it's relevant or useful to create a separate CVE for each library method. Credit ip-address thanks @scovetta for reporting this issue.