## NPM Security Alert: High-Severity Vulnerabilities in picomatch and brace-expansion Threaten Build Toolchains
An npm audit has surfaced high-severity security vulnerabilities in two widely used JavaScript packages, picomatch and brace-expansion, posing a direct threat to development and build toolchains. The flaws, which include a method injection vector and ReDoS (Regular Expression Denial of Service) vectors, could allow attackers to trigger incorrect glob matching, process hangs, and memory exhaustion, effectively crippling dependent applications.

The picomatch library, used for glob pattern matching, is affected in versions <=2.3.1 and 4.0.0 through 4.0.3. It harbors two distinct high-severity issues: a method injection vulnerability in POSIX character classes (GHSA-3v7f-55p6-f55p) and a ReDoS vulnerability via extglob quantifiers (GHSA-c2c7-rcm5-vvqj). Separately, the brace-expansion package, used for expanding expressions like `{a,b,c}`, contains a moderate-severity flaw (GHSA-f886-m6hf-6m8v) in versions <1.1.13 and >=2.0.0 <2.0.3 in which a zero-step sequence can hang a process and exhaust memory.

These vulnerabilities are not theoretical; they are present in the `node_modules` of affected projects. The immediate impact is a risk of denial-of-service within the build and development pipeline. While fixes are available via the standard `npm audit fix` command without breaking changes, the disclosure underscores the persistent fragility of the open-source software supply chain and the operational risk posed by transitive dependencies in critical tooling.
---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: npm, security, vulnerability, ReDoS, JavaScript
- **Credibility**: unverified
- **Published**: 2026-03-30 01:26:59
- **ID**: 40218
- **URL**: https://whisperx.ai/en/intel/40218