Skip to content

Override brace-expansion version to 1.1.16#2210

Open
kyoto wants to merge 1 commit into
openshift:mainfrom
kyoto:brace-expansion
Open

Override brace-expansion version to 1.1.16#2210
kyoto wants to merge 1 commit into
openshift:mainfrom
kyoto:brace-expansion

Conversation

@kyoto

@kyoto kyoto commented Jul 13, 2026

Copy link
Copy Markdown
Member

Summary by CodeRabbit

  • Chores
    • Pinned a transitive dependency to a specific version to improve stability and security.

@kyoto kyoto added lgtm Indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Jul 13, 2026
@coderabbitai

coderabbitai Bot commented Jul 13, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 842db61c-7351-4cb4-b273-5ff581dae98a

📥 Commits

Reviewing files that changed from the base of the PR and between 548cc5f and d750a40.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • package.json

📝 Walkthrough

Walkthrough

package.json adds an overrides entry pinning the transitive brace-expansion dependency to version 1.1.16.

Changes

Dependency Override

Layer / File(s) Summary
Pin brace-expansion version
package.json
Adds an override resolving the transitive brace-expansion dependency to version 1.1.16.

Estimated code review effort: 1 (Trivial) | ~2 minutes

Suggested reviewers: joshuawilson, syedriko

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the only change: pinning brace-expansion to version 1.1.16.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot requested review from joshuawilson and syedriko July 13, 2026 07:37
@openshift-ci

openshift-ci Bot commented Jul 13, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

1 similar comment
@openshift-ci

openshift-ci Bot commented Jul 13, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by:

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@package.json`:
- Line 74: Update the package.json brace-expansion dependency or override so it
does not globally pin version 1.1.16; use a compatible 5.x version for
minimatch@10.2.5, or scope the 1.x override only to packages that require it.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: ef08f387-67c0-4475-b8ca-f267b28ba893

📥 Commits

Reviewing files that changed from the base of the PR and between 968d19d and 548cc5f.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json

Comment thread package.json
"webpack-dev-server": "5.2.5"
},
"overrides": {
"brace-expansion": "1.1.16",

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

npm ls minimatch brace-expansion --all
npm explain brace-expansion
npm view minimatch@10.2.5 dependencies engines
npm view brace-expansion@1.1.16 main exports
npm view brace-expansion@5.0.5 main exports

Repository: openshift/lightspeed-console

Length of output: 22499


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Show the relevant manifest section and all brace-expansion references in the lockfile.
sed -n '60,85p' package.json
rg -n '"brace-expansion"|brace-expansion@|brace-expansion":' package-lock.json package.json

# Inspect the installed package manifests for the two affected versions.
node - <<'JS'
const fs = require('fs');
for (const p of [
  'node_modules/minimatch/package.json',
  'node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch/package.json',
  'node_modules/brace-expansion/package.json',
  'node_modules/@typescript-eslint/typescript-estree/node_modules/minimatch/node_modules/brace-expansion/package.json',
]) {
  try {
    const pkg = JSON.parse(fs.readFileSync(p, 'utf8'));
    console.log('\n' + p);
    console.log({
      name: pkg.name,
      version: pkg.version,
      dependencies: pkg.dependencies,
      exports: pkg.exports,
      main: pkg.main,
    });
  } catch (e) {
    console.log('\n' + p + ' [missing]');
  }
}
JS

Repository: openshift/lightspeed-console

Length of output: 2374


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Compare the public API surfaces of brace-expansion 1.x vs 5.x from npm metadata.
npm view brace-expansion@1.1.16 dependencies peerDependencies optionalDependencies engines main exports bin
npm view brace-expansion@5.0.5 dependencies peerDependencies optionalDependencies engines main exports bin

# Pull the package README snippets that describe the module entry/API.
npm view brace-expansion@1.1.16 readme --json | node - <<'JS'
let input = '';
process.stdin.on('data', d => input += d);
process.stdin.on('end', () => {
  const txt = JSON.parse(input);
  console.log('\n--- brace-expansion@1.1.16 readme excerpt ---');
  console.log(String(txt).split('\n').slice(0, 40).join('\n'));
});
JS

Repository: openshift/lightspeed-console

Length of output: 1070


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# If available, inspect the repository diff around the override to see any adjacent rationale.
git diff -- package.json package-lock.json --stat

Repository: openshift/lightspeed-console

Length of output: 166


Avoid globally pinning brace-expansion to 1.1.16
minimatch@10.2.5 declares brace-expansion:^5.0.5, so this override forces an older major into that subtree and breaks its semver contract. Use a 5.x version here, or scope the 1.x override to the packages that still require it.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@package.json` at line 74, Update the package.json brace-expansion dependency
or override so it does not globally pin version 1.1.16; use a compatible 5.x
version for minimatch@10.2.5, or scope the 1.x override only to packages that
require it.

Source: MCP tools

@kyoto kyoto force-pushed the brace-expansion branch from 548cc5f to d750a40 Compare July 14, 2026 01:58
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Jul 14, 2026
@openshift-ci

openshift-ci Bot commented Jul 14, 2026

Copy link
Copy Markdown

New changes are detected. LGTM label has been removed.

@kyoto

kyoto commented Jul 14, 2026

Copy link
Copy Markdown
Member Author

/lgtm

@openshift-ci

openshift-ci Bot commented Jul 14, 2026

Copy link
Copy Markdown

@kyoto: you cannot LGTM your own PR.

Details

In response to this:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@kyoto kyoto added the lgtm Indicates that a PR is ready to be merged. label Jul 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant