Conversation

redsun82 (Contributor)

Risk assessment

For internal use only. Please select the risk level of this change:

  • Low risk: Changes are fully under feature flags, or have been fully tested and validated in pre-production environments and are highly observable, or are documentation or test only.

Merge / deployment checklist

  • Confirm this change is backwards compatible with existing workflows.
  • Consider adding a changelog entry for this change.
  • Confirm the readme and docs have been updated if necessary.

@redsun82 redsun82 requested a review from a team as a code owner August 29, 2025 14:53
@Copilot Copilot AI review requested due to automatic review settings August 29, 2025 14:53
Contributor

@Copilot Copilot AI left a comment


Pull Request Overview

This PR updates the brace-expansion dependency to require version >= 2.0.1, which appears to address a security vulnerability by updating the regular expression pattern used in the brace expansion logic.

  • Updates package.json to add explicit brace-expansion dependency with minimum version 2.0.1
  • Updates compiled JavaScript files to reflect the new brace-expansion implementation with improved regex pattern
  • Fixes a potential ReDoS (Regular Expression Denial of Service) vulnerability in the comma-matching pattern

Reviewed Changes

Copilot reviewed 11 out of 13 changed files in this pull request and generated no comments.

Reviewed files:

  • package.json: Adds explicit brace-expansion dependency with version constraint >=2.0.1
  • lib/*.js (multiple files): Generated JavaScript code reflecting the updated brace-expansion package with security fix

Files not reviewed (1):

  • package-lock.json: Language not supported

@@ -52,7 +52,8 @@
"path": "^0.12.7",
"semver": "^7.7.2",
"uuid": "^11.1.0",
"zlib": "^1.0.5"
"zlib": "^1.0.5",
"brace-expansion": ">=2.0.1"
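Review bot: a new top-level `"brace-expansion": ">=2.0.1"` entry does not constrain transitive copies, so the nested `node_modules/minimatch/node_modules/brace-expansion` entry in package-lock.json stays at 1.1.12 (quoted further down in this review) because minimatch's own range cannot be satisfied by 2.x; to pin every copy, put this entry under the `overrides` field of package.json instead, or bump minimatch so its own range resolves to 2.x. Two smaller points on the same lines: the entry is appended after `zlib` although the rest of the block is alphabetical, and the open-ended `>=` range differs from the caret ranges on the neighbouring lines, so `^2.0.1` would be more consistent if a direct dependency is kept at all.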
Member

Minor: I believe the dependencies are in alphabetical order, so it would be good if this addition maintained that order.

Collaborator

We don't depend on brace-expansion ourselves, right? Perhaps best to try to update the dependency that pulls in the outdated library version.

Comment on lines +7214 to +7215
"node_modules/minimatch/node_modules/brace-expansion": {
"version": "1.1.12",
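Review bot: this nested entry is the copy minimatch actually loads, so it is the one the ReDoS fix has to reach, and the package.json change above leaves it at 1.1.12 because minimatch's own dependency range is not satisfied by 2.x. Once the fix is in place (an `overrides` entry or a minimatch bump), this lock-file entry should disappear and `npm ls brace-expansion` should list no 1.x copy; that is the check to run before merging.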
Contributor

Note that we're still pulling in v1.1.12 here — if we want to override this I think we need to modify the overrides property in package.json.

Collaborator

Either that or update all the dependencies that rely on old versions of brace-expansion

Contributor

Right, if we can update minimatch, that's better. We've had situations before where we've wanted to bump a transient dependency before the direct dependency had bumped it.

Contributor Author

Aha, now I see why dependabot didn't manage to do this update. I'll get back to it on Monday.
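To make the point of this thread concrete, here is an added example in Node.js that is not code from this PR or from the project: it scans the `packages` map of a lockfile-v2/v3 package-lock.json for every installed copy of a package, flags the copies below a minimum version, and suggests the package.json `overrides` entry that would pin all of them. The lock data is a constructed sample modelled on the entries quoted above, not the real lock file, and `findCopies`, `suggestOverride` and `lessThan` are names chosen for this example.

```javascript
// Added example (not part of the PR): find every installed copy of a package in a
// package-lock.json "packages" map and flag the ones below a minimum version.
// It shows why adding "brace-expansion": ">=2.0.1" as a direct dependency is not
// enough: the nested copy under node_modules/minimatch/node_modules still resolves
// to 1.1.12 until minimatch is bumped or an "overrides" entry forces it.

// Constructed sample of a lock file "packages" section (not the real lock file).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { minimatch: "^3.1.2", "brace-expansion": ">=2.0.1" } },
    "node_modules/brace-expansion": { version: "2.0.1" },
    "node_modules/minimatch": { version: "3.1.2", dependencies: { "brace-expansion": "^1.1.7" } },
    "node_modules/minimatch/node_modules/brace-expansion": { version: "1.1.12" },
  },
};

// Minimal "a < b" on dotted numeric versions (no prerelease or build metadata handling).
function lessThan(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Every installed copy of `name`: lock-file path, version, and whether it is below minVersion.
// A path matches only when its last segment is exactly "node_modules/<name>", so
// similarly named packages are not picked up.
function findCopies(lock, name, minVersion) {
  const suffix = "node_modules/" + name;
  const copies = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === suffix || path.endsWith("/" + suffix)) {
      copies.push({ path, version: entry.version, outdated: lessThan(entry.version, minVersion) });
    }
  }
  return copies;
}

// Suggested package.json "overrides" entry when any copy (nested or top-level) is outdated,
// or null when every installed copy already satisfies the minimum.
function suggestOverride(lock, name, minVersion) {
  const outdated = findCopies(lock, name, minVersion).filter((c) => c.outdated);
  return outdated.length ? { [name]: ">=" + minVersion } : null;
}

// Usage on the constructed sample.
for (const c of findCopies(SAMPLE_LOCK, "brace-expansion", "2.0.1")) {
  console.log(`${c.path}@${c.version}${c.outdated ? "  <-- below 2.0.1" : ""}`);
}
console.log("suggested overrides:", JSON.stringify(suggestOverride(SAMPLE_LOCK, "brace-expansion", "2.0.1")));
```

To run it against a real lock file, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. The `overrides` field (npm 8.3 and later) applies to every copy in the tree, whereas a plain dependency entry only governs the top-level copy, which is exactly the gap the nested 1.1.12 entry in this PR exposes.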
