[WIP] Upgrade brace-expansion to 5.0.7#2178
Conversation
📝 WalkthroughWalkthroughThis change adds a single ChangesDependency Override Update
Estimated code review effort: 1 (Trivial) | ~2 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
[APPROVALNOTIFIER] This PR is APPROVED Approval requirements bypassed by manually added approval. This pull-request has been approved by: The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
1 similar comment
|
[APPROVALNOTIFIER] This PR is APPROVED Approval requirements bypassed by manually added approval. This pull-request has been approved by: The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@package.json`:
- Line 74: The global brace-expansion override in package.json is forcing all
consumers to 5.0.7 and breaking the minimatch@3.1.5 subtree. Update the
overrides so only the newer dependency paths get brace-expansion 5.x, and keep
the legacy minimatch path on a compatible 1.1.x release; use the existing
override entry in package.json to scope it narrowly.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: fa28f19e-c9e9-463f-9297-2c8c0df110fb
⛔ Files ignored due to path filters (1)
package-lock.jsonis excluded by!**/package-lock.json
📒 Files selected for processing (1)
package.json
| "webpack-dev-server": "5.2.5" | ||
| }, | ||
| "overrides": { | ||
| "brace-expansion": "5.0.7", |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
npm ls brace-expansion minimatchRepository: openshift/lightspeed-console
Length of output: 1610
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Inspect the override and the affected lockfile paths.
python3 - <<'PY'
import json
from pathlib import Path
pkg = json.loads(Path('package.json').read_text())
print('package.json overrides:', pkg.get('overrides', {}))
lock = json.loads(Path('package-lock.json').read_text())
packages = lock.get('packages', {})
for path in [
'',
'node_modules/brace-expansion',
'node_modules/minimatch',
'node_modules/eslint-plugin-react/node_modules/minimatch',
'node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch',
'node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion',
]:
p = packages.get(path)
if p is not None:
print(f'\n[{path or "root"}]')
for k in ('version', 'dependencies', 'optionalDependencies'):
if k in p:
print(k, p[k])
PYRepository: openshift/lightspeed-console
Length of output: 1441
🏁 Script executed:
#!/bin/bash
set -euo pipefail
# Read package manifests for the relevant packages to compare declared ranges.
for f in \
node_modules/minimatch/package.json \
node_modules/brace-expansion/package.json \
node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch/package.json \
node_modules/@typescript-eslint/typescript-estree/node_modules/brace-expansion/package.json
do
if [ -f "$f" ]; then
echo "== $f =="
python3 - <<'PY' "$f"
import json, sys
from pathlib import Path
p = Path(sys.argv[1])
data = json.loads(p.read_text())
for k in ('name', 'version', 'dependencies', 'exports', 'main'):
if k in data:
print(k, data[k])
PY
echo
fi
doneRepository: openshift/lightspeed-console
Length of output: 1311
🏁 Script executed:
#!/bin/bash
set -euo pipefail
python3 - <<'PY'
import json
from pathlib import Path
pkg = json.loads(Path('package.json').read_text())
print('overrides:', pkg.get('overrides', {}))
lock = json.loads(Path('package-lock.json').read_text())
for key in ['node_modules/minimatch', 'node_modules/brace-expansion', 'node_modules/eslint-plugin-react/node_modules/minimatch']:
if key in lock.get('packages', {}):
print(f'\n{key}:')
for k, v in lock['packages'][key].items():
if k in ('version', 'dependencies'):
print(k, v)
PYRepository: openshift/lightspeed-console
Length of output: 463
🌐 Web query:
brace-expansion 5.0.7 breaking changes minimatch 3.1.5 compatibility
💡 Result:
Minimatch 3.1.5 does not use brace-expansion 5.0.7; it depends on brace-expansion 1.1.7 [1][2]. There is no direct compatibility between minimatch 3.1.5 and brace-expansion 5.0.7 because minimatch 3.1.5 is a legacy version (v3 branch) that remains locked to the 1.x series of brace-expansion [3][1][2]. The 5.x series of brace-expansion represents a significant major version jump—introducing changes such as ESM-only support [4] and modified behavior for brace parsing [5][6]—which is incompatible with the legacy architecture of minimatch 3.x. If you are seeing security recommendations to upgrade brace-expansion to 5.0.7 or higher while using minimatch 3.1.5 [7], this typically indicates a dependency conflict. Since minimatch 3.1.5 cannot utilize brace-expansion 5.x, you are generally required to either: 1. Upgrade to a modern version of minimatch (v9 or higher, which supports updated dependencies). 2. Accept that the legacy minimatch 3.x branch cannot be patched to use brace-expansion 5.x, and if you are maintaining a project relying on minimatch 3.1.5, you may need to apply specific patches to the 1.x version of brace-expansion if they are backported, or migrate away from the legacy library entirely [7][8]. Brace-expansion 5.x introduced critical fixes, such as sanitizing zero-step numeric sequences (e.g., {1..2..0}) to prevent infinite loops and memory exhaustion [5]. These vulnerabilities were also backported to brace-expansion 1.1.15 [5][9][4], which is the recommended version for projects that must remain on the legacy 1.x line.
Citations:
- 1: https://npmx.dev/package/minimatch/v/3.1.5
- 2: isaacs/minimatch@v3.0.4...v3.1.5
- 3: isaacs/minimatch@v3.1.2...v3.1.5
- 4: https://npmx.dev/package-timeline/brace-expansion/v/5.0.5
- 5: GHSA-f886-m6hf-6m8v
- 6: https://devupdate.io/explore/juliangruber/brace-expansion
- 7: https://snyk.io/test/github/vufind-org/vufind
- 8: [v3] Update dependency to fix vulnerability isaacs/minimatch#295
- 9: https://npmx.dev/package-changelog/brace-expansion/v/5.0.5
Scope the brace-expansion override in package.json:74
This global override breaks the legacy minimatch@3.1.5 subtree, which still requires brace-expansion@^1.1.7. Keep the override limited to the newer consumers or leave the old path on a compatible 1.x release.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@package.json` at line 74, The global brace-expansion override in package.json
is forcing all consumers to 5.0.7 and breaking the minimatch@3.1.5 subtree.
Update the overrides so only the newer dependency paths get brace-expansion 5.x,
and keep the legacy minimatch path on a compatible 1.1.x release; use the
existing override entry in package.json to scope it narrowly.
|
Superseded by #2210 |
Summary by CodeRabbit
brace-expansion, helping ensure more consistent builds and installs.