
Impossible to update braces to ^3.0.3 #6739

Closed
quasiDigi opened this issue Jun 29, 2024 · 5 comments
Labels
type: bug code to address defects in shipped code

Comments


quasiDigi commented Jun 29, 2024

Describe the bug

On my local machine

After running npm audit and npm audit fix I get the warning:

1 high severity vulnerability

To address all issues, run:
  npm audit fix

Run `npm audit` for details.
quasi@quasiBlip astro-ananda % npm audit
# npm audit report

braces  <3.0.3
Severity: high
Uncontrolled resource consumption in braces - https://github.com/advisories/GHSA-grv7-fg5c-xmjg
fix available via `npm audit fix`
node_modules/netlify-cli/node_modules/braces

1 high severity vulnerability

To address all issues, run:
  npm audit fix

When checking the braces package in node_modules/netlify-cli/node_modules/, I see its version is 3.0.2

On GitHub

Also trying to solve the issue through Dependabot throws an error:

Dependabot encountered an unknown error

Steps to reproduce

  1. In the netlify UI, I've created an Astro site with the astro-netlify-platform-starter
  2. Installed the netlify-cli on my local machine by running npm install netlify-cli --save-dev
  3. Linked my local project to the Astro site on Netlify, to an empty repo on Github, and linked the Netlify site to the repo.
  4. Updated my local installation through npm update
  5. I get the above mentioned error.

Configuration

[[redirects]]
from = "/es/*"
to = "/es/404.html"
status = 404

[[redirects]]
from = "/*"
to = "/404.html"
status = 404

Environment

Had to use npx node_modules/netlify-cli/node_modules/envinfo --system --binaries --npmPackages netlify-cli --npmGlobalPackages netlify-cli

  System:
    OS: macOS 14.5
    CPU: (12) x64 Intel(R) Core(TM) i7-8850H CPU @ 2.60GHz
    Memory: 809.07 MB / 32.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 21.5.0 - /usr/local/bin/node
    Yarn: 1.22.22 - /usr/local/bin/yarn
    npm: 10.2.4 - /usr/local/bin/npm
    pnpm: 9.0.6 - /usr/local/bin/pnpm
  npmPackages:
    netlify-cli: ^17.29.0 => 17.30.0 

Here's the content of the package.json:

{
  "name": "astro-netlify-platform-starter",
  "type": "module",
  "version": "0.1.0",
  "scripts": {
    "dev": "astro dev",
    "start": "astro dev",
    "build": "astro build",
    "preview": "astro preview",
    "astro": "astro"
  },
  "dependencies": {
    "@astrojs/netlify": "^5.2.0",
    "@astrojs/partytown": "^2.1.1",
    "@astrojs/react": "^3.3.0",
    "@astrojs/sitemap": "^3.1.6",
    "@astrojs/tailwind": "^5.1.0",
    "@fontsource-variable/montserrat": "^5.0.19",
    "@fontsource/inter": "^5.0.18",
    "@netlify/blobs": "^7.3.0",
    "@netlify/functions": "^2.8.0",
    "@types/react": "^18.2.79",
    "@types/react-dom": "^18.2.25",
    "aos": "^2.3.4",
    "astro": "^4.6.2",
    "astro-favicons": "^2.0.2",
    "blobshape": "^1.0.0",
    "marked": "^13.0.0",
    "marked-shiki": "^1.1.0",
    "netlify-cli": "^17.29.0",
    "node-html-parser": "^6.1.13",
    "react": "^18.2.0",
    "react-dom": "^18.2.0",
    "sass": "^1.77.6",
    "swiper": "^11.1.4",
    "tailwindcss": "^3.4.3",
    "unique-names-generator": "^4.7.1"
  },
  "devDependencies": {
    "@types/blobshape": "^1.0.3",
    "@types/node": "^20.12.7",
    "daisyui": "^4.10.2"
  }
}
quasiDigi added the label "type: bug" (code to address defects in shipped code) on Jun 29, 2024

G-Rath commented Jul 1, 2024

cc @sarahetter


G-Rath commented Jul 1, 2024

fwiw this has been around for about a month - I was hoping the new tooling mentioned in #6508 would have meant this got addressed in a timely fashion, but it has not 😞

Related: #6704


DavidWaters-AP commented Jul 24, 2024

I have the same issue.

I tried removing the CLI including manually removing Netlify CLI from modules and package.json to reinstall and the problem just comes back.


G-Rath commented Jul 24, 2024

@DavidWaters-AP it's because Netlify use npm-shrinkwrap.json, so it locks every dependency in its entire tree, which npm does not allow you to ignore, so we're reliant on Netlify to keep their dependencies up to date
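Because the shrinkwrapped copy sits below netlify-cli's own node_modules, a top-level npm audit fix never replaces it. The script below is an added example, not code from the issue or from Netlify CLI: it walks the "packages" map of a lockfileVersion 2 or 3 package-lock.json or npm-shrinkwrap.json and reports every nested copy of a package pinned below the fixed version, so a CI step can flag the 3.0.2 copy under netlify-cli. The sample lockfile is constructed to mirror the issue.

```javascript
// Added example (not from the issue): find nested copies of a package in an
// npm lockfile (lockfileVersion 2/3 "packages" map) pinned below a fixed version,
// as with braces <3.0.3 locked under netlify-cli by its npm-shrinkwrap.json.
const FIXED_VERSION = "3.0.3"; // first braces release fixed for GHSA-grv7-fg5c-xmjg

// Numeric dotted-version comparison; pre-release/build suffixes are dropped.
// Returns negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.replace(/[-+].*$/, "").split(".").map(Number);
  const pb = b.replace(/[-+].*$/, "").split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every install path of `name` (top-level or nested) whose version is below `fixed`.
function findVulnerableCopies(lockfile, name, fixed) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    // Lockfile keys are install paths; the package name is the last
    // node_modules/<name> segment, so nested copies match too.
    if (path === "" || !path.endsWith("node_modules/" + name)) continue;
    if (entry.version && compareVersions(entry.version, fixed) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile mirroring the report: the project's own braces is
// already fixed, but netlify-cli's shrinkwrapped copy is still 3.0.2.
const sampleLockfile = {
  lockfileVersion: 3,
  packages: {
    "": { name: "astro-netlify-platform-starter", version: "0.1.0" },
    "node_modules/braces": { version: "3.0.3" },
    "node_modules/netlify-cli": { version: "17.30.0" },
    "node_modules/netlify-cli/node_modules/braces": { version: "3.0.2" },
  },
};

for (const hit of findVulnerableCopies(sampleLockfile, "braces", FIXED_VERSION)) {
  console.log(`${hit.path} is ${hit.version} (< ${FIXED_VERSION})`);
}
```

To run it against a real project, replace sampleLockfile with JSON.parse of the lockfile contents; any hit under another package's node_modules means only that package's maintainer can lift the pin.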

sarahetter (Contributor) commented

Closing as resolved for braces (has been updated) and as duplicate topic for #6731
