Skip to content

Update dependency brace-expansion to v5#2215

Closed
red-hat-konflux[bot] wants to merge 1 commit into
release-4.19from
konflux/mintmaker/release-4.19/brace-expansion-5.x
Closed

Update dependency brace-expansion to v5#2215
red-hat-konflux[bot] wants to merge 1 commit into
release-4.19from
konflux/mintmaker/release-4.19/brace-expansion-5.x

Conversation

@red-hat-konflux

@red-hat-konflux red-hat-konflux Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
brace-expansion 1.1.165.0.7 age confidence

Release Notes

juliangruber/brace-expansion (brace-expansion)

v5.0.7

Compare Source

v5.0.6

Compare Source

v5.0.5

Compare Source

v5.0.4

Compare Source

v5.0.3

Compare Source

v5.0.2

Compare Source

v4.0.1

Compare Source


v4.0.0

Compare Source

As a precaution to not risk breaking anything with 278132b, this is a new semver major release

v3.0.2

Compare Source

v3.0.1

Compare Source


v3.0.0

Compare Source

v2.1.2

Compare Source

v2.1.1

Compare Source


v2.1.0

Compare Source

v2.0.3

Compare Source

v2.0.2

Compare Source


v2.0.1

Compare Source

v2.0.0

Compare Source


Configuration

📅 Schedule: (in timezone UTC)

  • Branch creation
    • Every minute (* * * * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

To execute skipped test pipelines write comment /ok-to-test.


Documentation

Find out how to configure dependency updates in MintMaker documentation or see all available configuration options in Renovate documentation.

Summary by CodeRabbit

  • Chores
    • Updated an internal package override to use a newer version of brace-expansion.

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown
📝 Walkthrough

Walkthrough

The package override for brace-expansion is updated from version 1.1.16 to 5.0.7.

Changes

Dependency override

Layer / File(s) Summary
Update brace-expansion override
package.json
The forced brace-expansion version changes from 1.1.16 to 5.0.7.

Estimated code review effort: 1 (Trivial) | ~2 minutes

Possibly related PRs

Suggested labels: lgtm, approved

Suggested reviewers: joshuawilson, syedriko

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the dependency update from brace-expansion 1.1.16 to v5.0.7.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch konflux/mintmaker/release-4.19/brace-expansion-5.x

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint install failed. For unrecoverable errors, disable the tool in CodeRabbit configuration.


Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot requested review from kyoto and syedriko July 14, 2026 08:17
@openshift-ci

openshift-ci Bot commented Jul 14, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign kyoto for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package.json`:
- Line 76: Update the brace-expansion dependency entry in package.json to use a
1.x-compatible pin for minimatch 3 consumers, or remove the override so their
expected CommonJS API is preserved; do not retain the current 5.0.7 override.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 5ba7e40e-56c3-42a1-b887-8b8078b15f4a

📥 Commits

Reviewing files that changed from the base of the PR and between 7c6e83b and 6b7f63f.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json

Comment thread package.json
},
"overrides": {
"brace-expansion": "1.1.16",
"brace-expansion": "5.0.7",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
rg -n '"engines"|node-version|NODE_VERSION|\.nvmrc|\.node-version|\.tool-versions|FROM node' \
  package.json package-lock.json .github Dockerfile* 2>/dev/null

rg -n "brace-expansion|minimatch|expand\\(|makeRe\\(|replace" \
  --glob '!package-lock.json' --glob '!node_modules/**' .

Repository: openshift/lightspeed-console

Length of output: 28904


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo '--- package.json (top + deps area) ---'
sed -n '1,120p' package.json | cat -n

echo
echo '--- package-lock.json brace-expansion/minimatch entries ---'
python3 - <<'PY'
import json, re
from pathlib import Path

data = json.loads(Path('package-lock.json').read_text())
pkgs = data.get('packages', {})
for name in ['', 'node_modules/brace-expansion', 'node_modules/minimatch']:
    obj = pkgs.get(name)
    print(f'[{name or "root"}]')
    if obj is None:
        print('MISSING')
    else:
        for k in ('version', 'engines', 'dependencies', 'peerDependencies'):
            if k in obj:
                print(f'{k}: {obj[k]}')
    print()

# Also print top-level package resolutions if present
for key in ('dependencies', 'packages'):
    pass
PY

Repository: openshift/lightspeed-console

Length of output: 5763


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo '--- package-lock direct dependency graph around minimatch/brace-expansion ---'
python3 - <<'PY'
import json
from pathlib import Path

data = json.loads(Path('package-lock.json').read_text())
pkgs = data['packages']
for path in ['node_modules/minimatch', 'node_modules/brace-expansion']:
    p = pkgs.get(path)
    print(path)
    if not p:
        print('  MISSING')
        continue
    for k,v in p.items():
        if k in ('version','engines','dependencies','optional','dev'):
            print(f'  {k}: {v}')
    print()
PY

Repository: openshift/lightspeed-console

Length of output: 488


🏁 Script executed:

#!/bin/bash
set -euo pipefail

python3 - <<'PY'
import json
from pathlib import Path

data = json.loads(Path('package-lock.json').read_text())
root = data.get('packages', {}).get('', {})
print("root.engines =", root.get('engines'))
print("root.packageManager =", root.get('packageManager'))
print("root.dependencies brace-expansion =", data.get('dependencies', {}).get('brace-expansion'))
print("root.dependencies minimatch =", data.get('dependencies', {}).get('minimatch'))
PY

Repository: openshift/lightspeed-console

Length of output: 306


🌐 Web query:

brace-expansion 5.0.7 minimatch 3.1.5 compatibility API behavior semver

💡 Result:

Minimatch 3.1.5 is fundamentally incompatible with brace-expansion 5.x [1][2][3]. Compatibility Details: - Minimatch 3.1.5 is designed to work with brace-expansion 1.x (specifically ^1.1.7) [4][5]. - Brace-expansion 5.x introduced a breaking change in its module structure by shifting to an ESM-only shape, which lacks the callable default export (module.exports = expand) expected by Minimatch 3 [1][2]. - When brace-expansion 5.x is used with Minimatch 3.1.5—often caused by overly aggressive package manager overrides or forced resolutions—the application will throw a TypeError: expand is not a function at runtime whenever a pattern requiring brace expansion is processed [1][2][3]. API Behavior and SemVer: - Minimatch 3.1.5 maintains its legacy API surface [6], but it relies on the CommonJS-compatible behavior of brace-expansion 1.x [2]. - Brace-expansion 5.x follows a different major version line [2] and is not a drop-in replacement for 1.x. - To resolve dependency conflicts where package managers force 5.x on 3.x consumers, you must use dependency overrides or resolutions to pin brace-expansion to a 1.x version (e.g., ^1.1.13) [7][2] or 2.x (if applicable and compatible) [3]. In summary, brace-expansion 5.0.7 is not compatible with Minimatch 3.1.5 [1][2][3]. Any configuration that forces this combination will result in a runtime crash [1][3].

Citations:


🏁 Script executed:

#!/bin/bash
set -euo pipefail

python3 - <<'PY'
import json
from pathlib import Path

data = json.loads(Path('package-lock.json').read_text())
pkgs = data.get('packages', {})
hits = []
for path, meta in pkgs.items():
    deps = meta.get('dependencies', {}) or {}
    if 'minimatch' in deps:
        hits.append((path or '[root]', deps['minimatch'], meta.get('version'), meta.get('dev'), meta.get('optional')))
for item in hits:
    print(item)
PY

Repository: openshift/lightspeed-console

Length of output: 698


Keep brace-expansion on a 1.x line for minimatch 3
package.json:76 — This repo already requires Node >=22.22.2, so the engine range is fine. The override still forces brace-expansion@5.0.7 into minimatch@3.1.5 consumers (eslint, glob, etc.), which expect the 1.x CommonJS API and can fail when expanding braces. Use a 1.x pin or drop the override.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` at line 76, Update the brace-expansion dependency entry in
package.json to use a 1.x-compatible pin for minimatch 3 consumers, or remove
the override so their expected CommonJS API is preserved; do not retain the
current 5.0.7 override.

@kyoto kyoto closed this Jul 14, 2026
@kyoto kyoto deleted the konflux/mintmaker/release-4.19/brace-expansion-5.x branch July 14, 2026 08:40
@red-hat-konflux

Copy link
Copy Markdown
Contributor Author

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 5.x releases. But if you manually upgrade to 5.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant