From 12c1d88854f69bb8872b08e1f9e976d083e204f2 Mon Sep 17 00:00:00 2001
From: Mads Navntoft <navntoft@github.com>
Date: Tue, 12 May 2026 15:32:54 +0200
Subject: [PATCH 1/2] Bump five transitive dependencies
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Bumps the following to their latest patched versions:

brace-expansion (under readdir-glob): 2.0.2 → 2.1.0
picomatch (under micromatch): 2.3.1 → 2.3.2
picomatch (top level): 4.0.3 → 4.0.4
flatted: 3.3.3 → 3.4.2
js-yaml (under supertap): 3.14.1 → 3.14.2

The brace-expansion bump requires removing the brace-expansion override
in package.json, which had been pinning resolution below the existing
^2.0.1 constraint declared by readdir-glob.
---
 package-lock.json | 31 ++++++++++++++++---------------
 package.json      |  1 -
 2 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 638458e325..2692749f82 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -5806,9 +5806,9 @@
       }
     },
     "node_modules/flatted": {
-      "version": "3.3.3",
-      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.3.3.tgz",
-      "integrity": "sha512-GX+ysw4PBCz0PzosHDepZGANEuFCMLrnRTiEy9McGjmkCQYwRq4A/X786G/fjM/+OjsWSU1ZrY5qyARZmO/uwg==",
+      "version": "3.4.2",
+      "resolved": "https://registry.npmjs.org/flatted/-/flatted-3.4.2.tgz",
+      "integrity": "sha512-PjDse7RzhcPkIJwy5t7KPWQSZ9cAbzQXcafsetQoD7sOJRQlGikNbx7yZp2OotDnJyrDcbyRq3Ttb18iYOqkxA==",
       "dev": true,
       "license": "ISC"
     },
@@ -7341,9 +7341,9 @@
       }
     },
     "node_modules/micromatch/node_modules/picomatch": {
-      "version": "2.3.1",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.1.tgz",
-      "integrity": "sha512-JU3teHTNjmE2VCGFzuY8EXzCDVwEqB2a8fsIvwaStHhAWJEeVd1o1QD80CU6+ZdEXXSLbSsuLwJjkCBWqRQUVA==",
+      "version": "2.3.2",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-2.3.2.tgz",
+      "integrity": "sha512-V7+vQEJ06Z+c5tSye8S+nHUfI51xoXIXjHQ99cQtKUkQqqO1kO/KCJUfZXuB47h/YBlDhah2H3hdUGXn8ie0oA==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -7889,9 +7889,9 @@
       "license": "ISC"
     },
     "node_modules/picomatch": {
-      "version": "4.0.3",
-      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.3.tgz",
-      "integrity": "sha512-5gTmgEY/sqK6gFXLIsQNH19lWb4ebPDLA4SdLP7dsWkIXHWlG66oPuVvXSGFPppYZz8ZDZq0dYYrbHfBCVUb1Q==",
+      "version": "4.0.4",
+      "resolved": "https://registry.npmjs.org/picomatch/-/picomatch-4.0.4.tgz",
+      "integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
       "dev": true,
       "license": "MIT",
       "engines": {
@@ -8064,9 +8064,9 @@
       }
     },
     "node_modules/readdir-glob/node_modules/brace-expansion": {
-      "version": "2.0.2",
-      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.0.2.tgz",
-      "integrity": "sha512-Jt0vHyM+jmUBqojB7E1NIYadt0vI0Qxjxd2TErW94wDz+E2LAm5vKMXXwg6ZZBTHPuUlDgQHKXvjGBdfcF1ZDQ==",
+      "version": "2.1.0",
+      "resolved": "https://registry.npmjs.org/brace-expansion/-/brace-expansion-2.1.0.tgz",
+      "integrity": "sha512-TN1kCZAgdgweJhWWpgKYrQaMNHcDULHkWwQIspdtjV4Y5aurRdZpjAqn6yX3FPqTA9ngHCc4hJxMAMgGfve85w==",
       "license": "MIT",
       "dependencies": {
         "balanced-match": "^1.0.0"
@@ -8883,10 +8883,11 @@
       }
     },
     "node_modules/supertap/node_modules/js-yaml": {
-      "version": "3.14.1",
-      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.1.tgz",
-      "integrity": "sha512-okMH7OXXJ7YrN9Ok3/SXrnu4iX9yOk+25nqX4imS2npuvTYDmo/QEZoqwZkYaIDk3jVvBOTOIEgEhaLOynBS9g==",
+      "version": "3.14.2",
+      "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.2.tgz",
+      "integrity": "sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==",
       "dev": true,
+      "license": "MIT",
       "dependencies": {
         "argparse": "^1.0.7",
         "esprima": "^4.0.0"
diff --git a/package.json b/package.json
index e40fedf976..3bd6d87ec0 100644
--- a/package.json
+++ b/package.json
@@ -89,7 +89,6 @@
     "eslint-plugin-jsx-a11y": {
       "semver": ">=6.3.1"
     },
-    "brace-expansion@2.0.1": "2.0.2",
     "glob": "^11.1.0",
     "undici": "^6.24.0"
   }

From 2ca0fbdca8acc748377789ee1d0ae1b4af4b8d9a Mon Sep 17 00:00:00 2001
From: Mads Navntoft <navntoft@github.com>
Date: Tue, 12 May 2026 15:33:04 +0200
Subject: [PATCH 2/2] Rebuild

---
 lib/analyze-action-post.js      | 22 ++++++++++++----------
 lib/init-action-post.js         | 22 ++++++++++++----------
 lib/start-proxy-action-post.js  | 22 ++++++++++++----------
 lib/upload-sarif-action-post.js | 22 ++++++++++++----------
 4 files changed, 48 insertions(+), 40 deletions(-)

diff --git a/lib/analyze-action-post.js b/lib/analyze-action-post.js
index 0f1b660594..c45eaf6017 100644
--- a/lib/analyze-action-post.js
+++ b/lib/analyze-action-post.js
@@ -85670,13 +85670,15 @@ var require_brace_expansion2 = __commonJS({
       parts.push.apply(parts, p);
       return parts;
     }
-    function expandTop(str2) {
+    function expandTop(str2, options) {
       if (!str2)
         return [];
+      options = options || {};
+      var max = options.max == null ? Infinity : options.max;
       if (str2.substr(0, 2) === "{}") {
         str2 = "\\{\\}" + str2.substr(2);
       }
-      return expand2(escapeBraces(str2), true).map(unescapeBraces);
+      return expand2(escapeBraces(str2), max, true).map(unescapeBraces);
     }
     function embrace(str2) {
       return "{" + str2 + "}";
@@ -85690,14 +85692,14 @@ var require_brace_expansion2 = __commonJS({
     function gte6(i, y) {
       return i >= y;
     }
-    function expand2(str2, isTop) {
+    function expand2(str2, max, isTop) {
       var expansions = [];
       var m = balanced("{", "}", str2);
       if (!m) return [str2];
       var pre = m.pre;
-      var post = m.post.length ? expand2(m.post, false) : [""];
+      var post = m.post.length ? expand2(m.post, max, false) : [""];
       if (/\$$/.test(m.pre)) {
-        for (var k = 0; k < post.length; k++) {
+        for (var k = 0; k < post.length && k < max; k++) {
           var expansion = pre + "{" + m.body + "}" + post[k];
           expansions.push(expansion);
         }
@@ -85709,7 +85711,7 @@ var require_brace_expansion2 = __commonJS({
         if (!isSequence && !isOptions) {
           if (m.post.match(/,(?!,).*\}/)) {
             str2 = m.pre + "{" + m.body + escClose + m.post;
-            return expand2(str2);
+            return expand2(str2, max, true);
           }
           return [str2];
         }
@@ -85719,7 +85721,7 @@ var require_brace_expansion2 = __commonJS({
         } else {
           n = parseCommaParts(m.body);
           if (n.length === 1) {
-            n = expand2(n[0], false).map(embrace);
+            n = expand2(n[0], max, false).map(embrace);
             if (n.length === 1) {
               return post.map(function(p) {
                 return m.pre + n[0] + p;
@@ -85732,7 +85734,7 @@ var require_brace_expansion2 = __commonJS({
           var x = numeric(n[0]);
           var y = numeric(n[1]);
           var width = Math.max(n[0].length, n[1].length);
-          var incr = n.length == 3 ? Math.abs(numeric(n[2])) : 1;
+          var incr = n.length == 3 ? Math.max(Math.abs(numeric(n[2])), 1) : 1;
           var test = lte;
           var reverse = y < x;
           if (reverse) {
@@ -85765,11 +85767,11 @@ var require_brace_expansion2 = __commonJS({
         } else {
           N = [];
           for (var j = 0; j < n.length; j++) {
-            N.push.apply(N, expand2(n[j], false));
+            N.push.apply(N, expand2(n[j], max, false));
           }
         }
         for (var j = 0; j < N.length; j++) {
-          for (var k = 0; k < post.length; k++) {
+          for (var k = 0; k < post.length && expansions.length < max; k++) {
             var expansion = pre + N[j] + post[k];
             if (!isTop || isSequence || expansion)
               expansions.push(expansion);
diff --git a/lib/init-action-post.js b/lib/init-action-post.js
index b972b1ece8..d15e63d1a0 100644
--- a/lib/init-action-post.js
+++ b/lib/init-action-post.js
@@ -85670,13 +85670,15 @@ var require_brace_expansion2 = __commonJS({
       parts.push.apply(parts, p);
       return parts;
     }
-    function expandTop(str2) {
+    function expandTop(str2, options) {
       if (!str2)
         return [];
+      options = options || {};
+      var max = options.max == null ? Infinity : options.max;
       if (str2.substr(0, 2) === "{}") {
         str2 = "\\{\\}" + str2.substr(2);
       }
-      return expand2(escapeBraces(str2), true).map(unescapeBraces);
+      return expand2(escapeBraces(str2), max, true).map(unescapeBraces);
     }
     function embrace(str2) {
       return "{" + str2 + "}";
@@ -85690,14 +85692,14 @@ var require_brace_expansion2 = __commonJS({
     function gte6(i, y) {
       return i >= y;
     }
-    function expand2(str2, isTop) {
+    function expand2(str2, max, isTop) {
       var expansions = [];
       var m = balanced("{", "}", str2);
       if (!m) return [str2];
       var pre = m.pre;
-      var post = m.post.length ? expand2(m.post, false) : [""];
+      var post = m.post.length ? expand2(m.post, max, false) : [""];
       if (/\$$/.test(m.pre)) {
-        for (var k = 0; k < post.length; k++) {
+        for (var k = 0; k < post.length && k < max; k++) {
           var expansion = pre + "{" + m.body + "}" + post[k];
           expansions.push(expansion);
         }
@@ -85709,7 +85711,7 @@ var require_brace_expansion2 = __commonJS({
         if (!isSequence && !isOptions) {
           if (m.post.match(/,(?!,).*\}/)) {
             str2 = m.pre + "{" + m.body + escClose + m.post;
-            return expand2(str2);
+            return expand2(str2, max, true);
           }
           return [str2];
         }
@@ -85719,7 +85721,7 @@ var require_brace_expansion2 = __commonJS({
         } else {
           n = parseCommaParts(m.body);
           if (n.length === 1) {
-            n = expand2(n[0], false).map(embrace);
+            n = expand2(n[0], max, false).map(embrace);
             if (n.length === 1) {
               return post.map(function(p) {
                 return m.pre + n[0] + p;
@@ -85732,7 +85734,7 @@ var require_brace_expansion2 = __commonJS({
           var x = numeric(n[0]);
           var y = numeric(n[1]);
           var width = Math.max(n[0].length, n[1].length);
-          var incr = n.length == 3 ? Math.abs(numeric(n[2])) : 1;
+          var incr = n.length == 3 ? Math.max(Math.abs(numeric(n[2])), 1) : 1;
           var test = lte;
           var reverse = y < x;
           if (reverse) {
@@ -85765,11 +85767,11 @@ var require_brace_expansion2 = __commonJS({
         } else {
           N = [];
           for (var j = 0; j < n.length; j++) {
-            N.push.apply(N, expand2(n[j], false));
+            N.push.apply(N, expand2(n[j], max, false));
           }
         }
         for (var j = 0; j < N.length; j++) {
-          for (var k = 0; k < post.length; k++) {
+          for (var k = 0; k < post.length && expansions.length < max; k++) {
             var expansion = pre + N[j] + post[k];
             if (!isTop || isSequence || expansion)
               expansions.push(expansion);
diff --git a/lib/start-proxy-action-post.js b/lib/start-proxy-action-post.js
index 6f70d70937..bb020051dc 100644
--- a/lib/start-proxy-action-post.js
+++ b/lib/start-proxy-action-post.js
@@ -84282,13 +84282,15 @@ var require_brace_expansion2 = __commonJS({
       parts.push.apply(parts, p);
       return parts;
     }
-    function expandTop(str2) {
+    function expandTop(str2, options) {
       if (!str2)
         return [];
+      options = options || {};
+      var max = options.max == null ? Infinity : options.max;
       if (str2.substr(0, 2) === "{}") {
         str2 = "\\{\\}" + str2.substr(2);
       }
-      return expand2(escapeBraces(str2), true).map(unescapeBraces);
+      return expand2(escapeBraces(str2), max, true).map(unescapeBraces);
     }
     function embrace(str2) {
       return "{" + str2 + "}";
@@ -84302,14 +84304,14 @@ var require_brace_expansion2 = __commonJS({
     function gte6(i, y) {
       return i >= y;
     }
-    function expand2(str2, isTop) {
+    function expand2(str2, max, isTop) {
       var expansions = [];
       var m = balanced("{", "}", str2);
       if (!m) return [str2];
       var pre = m.pre;
-      var post = m.post.length ? expand2(m.post, false) : [""];
+      var post = m.post.length ? expand2(m.post, max, false) : [""];
       if (/\$$/.test(m.pre)) {
-        for (var k = 0; k < post.length; k++) {
+        for (var k = 0; k < post.length && k < max; k++) {
           var expansion = pre + "{" + m.body + "}" + post[k];
           expansions.push(expansion);
         }
@@ -84321,7 +84323,7 @@ var require_brace_expansion2 = __commonJS({
         if (!isSequence && !isOptions) {
           if (m.post.match(/,(?!,).*\}/)) {
             str2 = m.pre + "{" + m.body + escClose + m.post;
-            return expand2(str2);
+            return expand2(str2, max, true);
           }
           return [str2];
         }
@@ -84331,7 +84333,7 @@ var require_brace_expansion2 = __commonJS({
         } else {
           n = parseCommaParts(m.body);
           if (n.length === 1) {
-            n = expand2(n[0], false).map(embrace);
+            n = expand2(n[0], max, false).map(embrace);
             if (n.length === 1) {
               return post.map(function(p) {
                 return m.pre + n[0] + p;
@@ -84344,7 +84346,7 @@ var require_brace_expansion2 = __commonJS({
           var x = numeric(n[0]);
           var y = numeric(n[1]);
           var width = Math.max(n[0].length, n[1].length);
-          var incr = n.length == 3 ? Math.abs(numeric(n[2])) : 1;
+          var incr = n.length == 3 ? Math.max(Math.abs(numeric(n[2])), 1) : 1;
           var test = lte;
           var reverse = y < x;
           if (reverse) {
@@ -84377,11 +84379,11 @@ var require_brace_expansion2 = __commonJS({
         } else {
           N = [];
           for (var j = 0; j < n.length; j++) {
-            N.push.apply(N, expand2(n[j], false));
+            N.push.apply(N, expand2(n[j], max, false));
           }
         }
         for (var j = 0; j < N.length; j++) {
-          for (var k = 0; k < post.length; k++) {
+          for (var k = 0; k < post.length && expansions.length < max; k++) {
             var expansion = pre + N[j] + post[k];
             if (!isTop || isSequence || expansion)
               expansions.push(expansion);
diff --git a/lib/upload-sarif-action-post.js b/lib/upload-sarif-action-post.js
index 11873a244c..aa194bb317 100644
--- a/lib/upload-sarif-action-post.js
+++ b/lib/upload-sarif-action-post.js
@@ -76458,13 +76458,15 @@ var require_brace_expansion = __commonJS({
       parts.push.apply(parts, p);
       return parts;
     }
-    function expandTop(str2) {
+    function expandTop(str2, options) {
       if (!str2)
         return [];
+      options = options || {};
+      var max = options.max == null ? Infinity : options.max;
       if (str2.substr(0, 2) === "{}") {
         str2 = "\\{\\}" + str2.substr(2);
       }
-      return expand2(escapeBraces(str2), true).map(unescapeBraces);
+      return expand2(escapeBraces(str2), max, true).map(unescapeBraces);
     }
     function embrace(str2) {
       return "{" + str2 + "}";
@@ -76478,14 +76480,14 @@ var require_brace_expansion = __commonJS({
     function gte6(i, y) {
       return i >= y;
     }
-    function expand2(str2, isTop) {
+    function expand2(str2, max, isTop) {
       var expansions = [];
       var m = balanced("{", "}", str2);
       if (!m) return [str2];
       var pre = m.pre;
-      var post = m.post.length ? expand2(m.post, false) : [""];
+      var post = m.post.length ? expand2(m.post, max, false) : [""];
       if (/\$$/.test(m.pre)) {
-        for (var k = 0; k < post.length; k++) {
+        for (var k = 0; k < post.length && k < max; k++) {
           var expansion = pre + "{" + m.body + "}" + post[k];
           expansions.push(expansion);
         }
@@ -76497,7 +76499,7 @@ var require_brace_expansion = __commonJS({
         if (!isSequence && !isOptions) {
           if (m.post.match(/,(?!,).*\}/)) {
             str2 = m.pre + "{" + m.body + escClose + m.post;
-            return expand2(str2);
+            return expand2(str2, max, true);
           }
           return [str2];
         }
@@ -76507,7 +76509,7 @@ var require_brace_expansion = __commonJS({
         } else {
           n = parseCommaParts(m.body);
           if (n.length === 1) {
-            n = expand2(n[0], false).map(embrace);
+            n = expand2(n[0], max, false).map(embrace);
             if (n.length === 1) {
               return post.map(function(p) {
                 return m.pre + n[0] + p;
@@ -76520,7 +76522,7 @@ var require_brace_expansion = __commonJS({
           var x = numeric(n[0]);
           var y = numeric(n[1]);
           var width = Math.max(n[0].length, n[1].length);
-          var incr = n.length == 3 ? Math.abs(numeric(n[2])) : 1;
+          var incr = n.length == 3 ? Math.max(Math.abs(numeric(n[2])), 1) : 1;
           var test = lte;
           var reverse = y < x;
           if (reverse) {
@@ -76553,11 +76555,11 @@ var require_brace_expansion = __commonJS({
         } else {
           N = [];
           for (var j = 0; j < n.length; j++) {
-            N.push.apply(N, expand2(n[j], false));
+            N.push.apply(N, expand2(n[j], max, false));
           }
         }
         for (var j = 0; j < N.length; j++) {
-          for (var k = 0; k < post.length; k++) {
+          for (var k = 0; k < post.length && expansions.length < max; k++) {
             var expansion = pre + N[j] + post[k];
             if (!isTop || isSequence || expansion)
               expansions.push(expansion);