Skip to content

[WIP] Upgrade brace-expansion to 5.0.7#2178

Closed
kyoto wants to merge 1 commit into
openshift:mainfrom
kyoto:brace-expansion-5.0.7
Closed

[WIP] Upgrade brace-expansion to 5.0.7#2178
kyoto wants to merge 1 commit into
openshift:mainfrom
kyoto:brace-expansion-5.0.7

Conversation

@kyoto

@kyoto kyoto commented Jul 7, 2026

Copy link
Copy Markdown
Member

Summary by CodeRabbit

  • Chores
    • Updated dependency resolution to use a fixed version of brace-expansion, helping ensure more consistent builds and installs.

@kyoto kyoto added lgtm Indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Jul 7, 2026
@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown
📝 Walkthrough

Walkthrough

This change adds a single overrides entry to package.json, pinning the brace-expansion dependency to version 5.0.7.

Changes

Dependency Override Update

Layer / File(s) Summary
Add brace-expansion override
package.json
Adds an overrides mapping pinning brace-expansion to version 5.0.7.

Estimated code review effort: 1 (Trivial) | ~2 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Title check ✅ Passed The title clearly matches the change, pinning brace-expansion to version 5.0.7.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot requested review from joshuawilson and syedriko July 7, 2026 07:42
@openshift-ci

openshift-ci Bot commented Jul 7, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

1 similar comment
@openshift-ci

openshift-ci Bot commented Jul 7, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package.json`:
- Line 74: The global brace-expansion override in package.json is forcing all
consumers to 5.0.7 and breaking the minimatch@3.1.5 subtree. Update the
overrides so only the newer dependency paths get brace-expansion 5.x, and keep
the legacy minimatch path on a compatible 1.1.x release; use the existing
override entry in package.json to scope it narrowly.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: fa28f19e-c9e9-463f-9297-2c8c0df110fb

📥 Commits

Reviewing files that changed from the base of the PR and between 2d7e7a6 and 324f10a.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json

Comment thread package.json
"webpack-dev-server": "5.2.5"
},
"overrides": {
"brace-expansion": "5.0.7",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
npm ls brace-expansion minimatch

Repository: openshift/lightspeed-console

Length of output: 1610


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect the override and the affected lockfile paths.
python3 - <<'PY'
import json
from pathlib import Path

pkg = json.loads(Path('package.json').read_text())
print('package.json overrides:', pkg.get('overrides', {}))

lock = json.loads(Path('package-lock.json').read_text())
packages = lock.get('packages', {})

for path in [
    '',
    'node_modules/brace-expansion',
    'node_modules/minimatch',
    'node_modules/eslint-plugin-react/node_modules/minimatch',
    'node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch',
    'node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion',
]:
    p = packages.get(path)
    if p is not None:
        print(f'\n[{path or "root"}]')
        for k in ('version', 'dependencies', 'optionalDependencies'):
            if k in p:
                print(k, p[k])

PY

Repository: openshift/lightspeed-console

Length of output: 1441


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Read package manifests for the relevant packages to compare declared ranges.
for f in \
  node_modules/minimatch/package.json \
  node_modules/brace-expansion/package.json \
  node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch/package.json \
  node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion/package.json
do
  if [ -f "$f" ]; then
    echo "== $f =="
    python3 - <<'PY' "$f"
import json, sys
from pathlib import Path
p = Path(sys.argv[1])
data = json.loads(p.read_text())
for k in ('name', 'version', 'dependencies', 'exports', 'main'):
    if k in data:
        print(k, data[k])
PY
    echo
  fi
done

Repository: openshift/lightspeed-console

Length of output: 1311


🏁 Script executed:

#!/bin/bash
set -euo pipefail

python3 - <<'PY'
import json
from pathlib import Path

pkg = json.loads(Path('package.json').read_text())
print('overrides:', pkg.get('overrides', {}))

lock = json.loads(Path('package-lock.json').read_text())
for key in ['node_modules/minimatch', 'node_modules/brace-expansion', 'node_modules/eslint-plugin-react/node_modules/minimatch']:
    if key in lock.get('packages', {}):
        print(f'\n{key}:')
        for k, v in lock['packages'][key].items():
            if k in ('version', 'dependencies'):
                print(k, v)
PY

Repository: openshift/lightspeed-console

Length of output: 463


🌐 Web query:

brace-expansion 5.0.7 breaking changes minimatch 3.1.5 compatibility

💡 Result:

Minimatch 3.1.5 does not use brace-expansion 5.0.7; it depends on brace-expansion 1.1.7 [1][2]. There is no direct compatibility between minimatch 3.1.5 and brace-expansion 5.0.7 because minimatch 3.1.5 is a legacy version (v3 branch) that remains locked to the 1.x series of brace-expansion [3][1][2]. The 5.x series of brace-expansion represents a significant major version jump—introducing changes such as ESM-only support [4] and modified behavior for brace parsing [5][6]—which is incompatible with the legacy architecture of minimatch 3.x. If you are seeing security recommendations to upgrade brace-expansion to 5.0.7 or higher while using minimatch 3.1.5 [7], this typically indicates a dependency conflict. Since minimatch 3.1.5 cannot utilize brace-expansion 5.x, you are generally required to either: 1. Upgrade to a modern version of minimatch (v9 or higher, which supports updated dependencies). 2. Accept that the legacy minimatch 3.x branch cannot be patched to use brace-expansion 5.x, and if you are maintaining a project relying on minimatch 3.1.5, you may need to apply specific patches to the 1.x version of brace-expansion if they are backported, or migrate away from the legacy library entirely [7][8]. Brace-expansion 5.x introduced critical fixes, such as sanitizing zero-step numeric sequences (e.g., {1..2..0}) to prevent infinite loops and memory exhaustion [5]. These vulnerabilities were also backported to brace-expansion 1.1.15 [5][9][4], which is the recommended version for projects that must remain on the legacy 1.x line.

Citations:


Scope the brace-expansion override in package.json:74

This global override breaks the legacy minimatch@3.1.5 subtree, which still requires brace-expansion@^1.1.7. Keep the override limited to the newer consumers or leave the old path on a compatible 1.x release.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` at line 74, The global brace-expansion override in package.json
is forcing all consumers to 5.0.7 and breaking the minimatch@3.1.5 subtree.
Update the overrides so only the newer dependency paths get brace-expansion 5.x,
and keep the legacy minimatch path on a compatible 1.1.x release; use the
existing override entry in package.json to scope it narrowly.

@kyoto kyoto removed the lgtm Indicates that a PR is ready to be merged. label Jul 10, 2026
@kyoto kyoto changed the title Upgrade brace-expansion to 5.0.7 [WIP] Upgrade brace-expansion to 5.0.7 Jul 10, 2026
@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 10, 2026
@kyoto

kyoto commented Jul 14, 2026

Copy link
Copy Markdown
Member Author

Superseded by #2210

@kyoto kyoto closed this Jul 14, 2026
@kyoto kyoto deleted the brace-expansion-5.0.7 branch July 14, 2026 07:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant