CVE 2017-18077
index.js in brace-expansion before 1.1.7 is vulnerable to Regular Expression Denial of Service (ReDoS) attacks, as demonstrated by an expand argument containing many comma characters.
See the 
CVE page on Mitre.org
for more details.
