Update dependency brace-expansion to v5#2215
Conversation
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
📝 WalkthroughWalkthroughThe package override for ChangesDependency override
Estimated code review effort: 1 (Trivial) | ~2 minutes Possibly related PRs
Suggested labels: Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Warning There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure. 🔧 ESLint
ESLint install failed. For unrecoverable errors, disable the tool in CodeRabbit configuration. Comment |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@package.json`:
- Line 76: Update the brace-expansion dependency entry in package.json to use a
1.x-compatible pin for minimatch 3 consumers, or remove the override so their
expected CommonJS API is preserved; do not retain the current 5.0.7 override.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Enterprise
Run ID: 5ba7e40e-56c3-42a1-b887-8b8078b15f4a
⛔ Files ignored due to path filters (1)
package-lock.jsonis excluded by!**/package-lock.json
📒 Files selected for processing (1)
package.json
| }, | ||
| "overrides": { | ||
| "brace-expansion": "1.1.16", | ||
| "brace-expansion": "5.0.7", |
There was a problem hiding this comment.
🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
rg -n '"engines"|node-version|NODE_VERSION|\.nvmrc|\.node-version|\.tool-versions|FROM node' \
package.json package-lock.json .github Dockerfile* 2>/dev/null
rg -n "brace-expansion|minimatch|expand\\(|makeRe\\(|replace" \
--glob '!package-lock.json' --glob '!node_modules/**' .Repository: openshift/lightspeed-console
Length of output: 28904
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo '--- package.json (top + deps area) ---'
sed -n '1,120p' package.json | cat -n
echo
echo '--- package-lock.json brace-expansion/minimatch entries ---'
python3 - <<'PY'
import json, re
from pathlib import Path
data = json.loads(Path('package-lock.json').read_text())
pkgs = data.get('packages', {})
for name in ['', 'node_modules/brace-expansion', 'node_modules/minimatch']:
obj = pkgs.get(name)
print(f'[{name or "root"}]')
if obj is None:
print('MISSING')
else:
for k in ('version', 'engines', 'dependencies', 'peerDependencies'):
if k in obj:
print(f'{k}: {obj[k]}')
print()
# Also print top-level package resolutions if present
for key in ('dependencies', 'packages'):
pass
PYRepository: openshift/lightspeed-console
Length of output: 5763
🏁 Script executed:
#!/bin/bash
set -euo pipefail
echo '--- package-lock direct dependency graph around minimatch/brace-expansion ---'
python3 - <<'PY'
import json
from pathlib import Path
data = json.loads(Path('package-lock.json').read_text())
pkgs = data['packages']
for path in ['node_modules/minimatch', 'node_modules/brace-expansion']:
p = pkgs.get(path)
print(path)
if not p:
print(' MISSING')
continue
for k,v in p.items():
if k in ('version','engines','dependencies','optional','dev'):
print(f' {k}: {v}')
print()
PYRepository: openshift/lightspeed-console
Length of output: 488
🏁 Script executed:
#!/bin/bash
set -euo pipefail
python3 - <<'PY'
import json
from pathlib import Path
data = json.loads(Path('package-lock.json').read_text())
root = data.get('packages', {}).get('', {})
print("root.engines =", root.get('engines'))
print("root.packageManager =", root.get('packageManager'))
print("root.dependencies brace-expansion =", data.get('dependencies', {}).get('brace-expansion'))
print("root.dependencies minimatch =", data.get('dependencies', {}).get('minimatch'))
PYRepository: openshift/lightspeed-console
Length of output: 306
🌐 Web query:
brace-expansion 5.0.7 minimatch 3.1.5 compatibility API behavior semver
💡 Result:
Minimatch 3.1.5 is fundamentally incompatible with brace-expansion 5.x [1][2][3]. Compatibility Details: - Minimatch 3.1.5 is designed to work with brace-expansion 1.x (specifically ^1.1.7) [4][5]. - Brace-expansion 5.x introduced a breaking change in its module structure by shifting to an ESM-only shape, which lacks the callable default export (module.exports = expand) expected by Minimatch 3 [1][2]. - When brace-expansion 5.x is used with Minimatch 3.1.5—often caused by overly aggressive package manager overrides or forced resolutions—the application will throw a TypeError: expand is not a function at runtime whenever a pattern requiring brace expansion is processed [1][2][3]. API Behavior and SemVer: - Minimatch 3.1.5 maintains its legacy API surface [6], but it relies on the CommonJS-compatible behavior of brace-expansion 1.x [2]. - Brace-expansion 5.x follows a different major version line [2] and is not a drop-in replacement for 1.x. - To resolve dependency conflicts where package managers force 5.x on 3.x consumers, you must use dependency overrides or resolutions to pin brace-expansion to a 1.x version (e.g., ^1.1.13) [7][2] or 2.x (if applicable and compatible) [3]. In summary, brace-expansion 5.0.7 is not compatible with Minimatch 3.1.5 [1][2][3]. Any configuration that forces this combination will result in a runtime crash [1][3].
Citations:
- 1: fix(SDK-6463): survive glob/minimatch crash from incompatible brace-expansion (0-test builds) browserstack/browserstack-cypress-cli#1138
- 2: madfam-org/dhanam@5e14f81
- 3: levante-hub/levante@c89e5ea
- 4: https://npmx.dev/package/minimatch/v/3.1.5
- 5: isaacs/minimatch@v3.0.4...v3.1.5
- 6: isaacs/minimatch@v3.1.2...v3.1.5
- 7: [v3] Update dependency to fix vulnerability isaacs/minimatch#295
🏁 Script executed:
#!/bin/bash
set -euo pipefail
python3 - <<'PY'
import json
from pathlib import Path
data = json.loads(Path('package-lock.json').read_text())
pkgs = data.get('packages', {})
hits = []
for path, meta in pkgs.items():
deps = meta.get('dependencies', {}) or {}
if 'minimatch' in deps:
hits.append((path or '[root]', deps['minimatch'], meta.get('version'), meta.get('dev'), meta.get('optional')))
for item in hits:
print(item)
PYRepository: openshift/lightspeed-console
Length of output: 698
Keep brace-expansion on a 1.x line for minimatch 3
package.json:76 — This repo already requires Node >=22.22.2, so the engine range is fine. The override still forces brace-expansion@5.0.7 into minimatch@3.1.5 consumers (eslint, glob, etc.), which expect the 1.x CommonJS API and can fail when expanding braces. Use a 1.x pin or drop the override.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@package.json` at line 76, Update the brace-expansion dependency entry in
package.json to use a 1.x-compatible pin for minimatch 3 consumers, or remove
the override so their expected CommonJS API is preserved; do not retain the
current 5.0.7 override.
Renovate Ignore NotificationBecause you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR. |
This PR contains the following updates:
1.1.16→5.0.7Release Notes
juliangruber/brace-expansion (brace-expansion)
v5.0.7Compare Source
v5.0.6Compare Source
v5.0.5Compare Source
v5.0.4Compare Source
v5.0.3Compare Source
v5.0.2Compare Source
v4.0.1Compare Source
5a5cc170b6a978v4.0.0Compare Source
278132bdd72a59tea.yaml70e4c1bAs a precaution to not risk breaking anything with
278132b, this is a new semver major releasev3.0.2Compare Source
v3.0.1Compare Source
3059c078229e6f15f9b3cv3.0.0Compare Source
c0360e868c0e379e781e93494c4ddd5a4cb6dad209teste3dd8aed23ede91eb3fa41e7c9cd252053761a94f1dc741cf8ee56265c8756a05978a7v2.1.2Compare Source
v2.1.1Compare Source
c3a817cv2.1.0Compare Source
v2.0.3Compare Source
v2.0.2Compare Source
14f1d91ed7780a36603d5v2.0.1Compare Source
v2.0.0Compare Source
Configuration
📅 Schedule: (in timezone UTC)
* * * * *)🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
To execute skipped test pipelines write comment
/ok-to-test.Documentation
Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.
Summary by CodeRabbit
brace-expansion.