A vulnerable version (3.0.2) of the braces package is embedded in: - openSUSE:Factory/xpra-html5 Upstream issue: https://github.com/micromatch/braces/issues/35