fix: override brace-expansion to patched version#745
Conversation
|
Pull Request images published ✨ Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-745-amd64 |
|
Hi! I'm che-ai-assistant — I help with your pull requests. Available commands:
|
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com> Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Use parent-scoped (minimatch) overrides with exact version pinning instead of @major-scoped overrides with caret range. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
|
Pull Request images published ✨ Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-745-amd64 |
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
|
Pull Request images published ✨ Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-745-amd64 |
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
📝 WalkthroughWalkthroughThis PR pins the transitive Estimated code review effort: 2 (Simple) | ~10 minutes Possibly related PRs
Suggested reviewers: 🎭 A poem for the pull request:
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 inconclusive)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
♻️ Duplicate comments (1)
.rebase/add/code/build/package.json (1)
4-7: 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick winSame unfiltered
brace-expansionoverride issue ascode/build/package.json.This mirror carries the identical unscoped
"brace-expansion": "5.0.7"override under@vscode/vsce, with the same risk of forcing a cross-major-version upgrade for a package unaffected by the CVE. See the corresponding comment oncode/build/package.json; fix should be applied consistently to both trees.Suggested fix
"`@vscode/vsce`": { - "brace-expansion": "5.0.7" + "brace-expansion@5": "5.0.7" }🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.rebase/add/code/build/package.json around lines 4 - 7, The package override under `@vscode/vsce` still applies an unscoped brace-expansion version, so update the package.json override in this mirror to match the scoped fix used elsewhere and avoid forcing the dependency across unrelated packages. Use the same adjustment as the corresponding package.json in the other tree, keeping the change localized to the `@vscode/vsce` override entry and preserving consistency across both build manifests.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@code/build/package.json`:
- Around line 83-86: The override for brace-expansion is too broad and can
affect non-5.x versions under `@vscode/vsce`. Update the override in package.json
to use a version-qualified key so it only applies to the `@vscode/vsce` 5.x
dependency tree, and leave other brace-expansion ranges untouched. Use the
existing `@vscode/vsce` override block and the brace-expansion entry as the place
to narrow the scope.
---
Duplicate comments:
In @.rebase/add/code/build/package.json:
- Around line 4-7: The package override under `@vscode/vsce` still applies an
unscoped brace-expansion version, so update the package.json override in this
mirror to match the scoped fix used elsewhere and avoid forcing the dependency
across unrelated packages. Use the same adjustment as the corresponding
package.json in the other tree, keeping the change localized to the `@vscode/vsce`
override entry and preserving consistency across both build manifests.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: Path: .coderabbit.yaml
Review profile: CHILL
Plan: Pro
Run ID: 3ed96702-f05f-4751-8c54-5c41b81ae882
⛔ Files ignored due to path filters (7)
code/build/package-lock.jsonis excluded by!**/package-lock.jsoncode/extensions/copilot/chat-lib/package-lock.jsonis excluded by!**/package-lock.jsoncode/extensions/copilot/package-lock.jsonis excluded by!**/package-lock.jsoncode/extensions/css-language-features/package-lock.jsonis excluded by!**/package-lock.jsoncode/extensions/html-language-features/package-lock.jsonis excluded by!**/package-lock.jsoncode/extensions/json-language-features/package-lock.jsonis excluded by!**/package-lock.jsoncode/package-lock.jsonis excluded by!**/package-lock.json
📒 Files selected for processing (16)
.rebase/CHANGELOG.md.rebase/add/code/build/package.json.rebase/add/code/extensions/copilot/chat-lib/package.json.rebase/add/code/extensions/copilot/package.json.rebase/add/code/extensions/css-language-features/package.json.rebase/add/code/extensions/html-language-features/package.json.rebase/add/code/extensions/json-language-features/package.json.rebase/add/code/package.jsoncode/build/package.jsoncode/extensions/copilot/chat-lib/package.jsoncode/extensions/copilot/package.jsoncode/extensions/css-language-features/package.jsoncode/extensions/html-language-features/package.jsoncode/extensions/json-language-features/package.jsoncode/package.jsonrebase.sh
| "qs": "6.15.2", | ||
| "@vscode/vsce": { | ||
| "brace-expansion": "5.0.7" | ||
| } |
There was a problem hiding this comment.
🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Confirm which brace-expansion major version `@vscode/vsce` actually resolves to.
fd package-lock.json code/build -x jq '.packages | to_entries[] | select(.key | test("vsce.*node_modules/brace-expansion$|node_modules/brace-expansion$")) | {path: .key, version: .value.version}' {} 2>/dev/nullRepository: che-incubator/che-code
Length of output: 1996
🌐 Web query:
npm overrides version selector package.json nested dependency brace-expansion@5 syntax
💡 Result:
To override a nested dependency like brace-expansion using the npm overrides field in your package.json, you can specify either a global override or a scoped, nested override [1][2]. For a global override, which forces all instances of the dependency to a specific version regardless of where it appears in the dependency tree, use this syntax [1][3]: { "overrides": { "brace-expansion": "5.0.6" } } If you need to target a nested dependency only when it is a dependency of a specific parent package, use nested object syntax [1][2]: { "overrides": { "parent-package": { "brace-expansion": "5.0.6" } } } Key points regarding this syntax: - Placement: The overrides field must be located in the root package.json file of your project [1]. - Version Values: You can use exact versions (e.g., 5.0.6) or version ranges (e.g., ^5.0.5) [4][3][2]. - Granularity: Nested rule sets apply to all direct and transitive dependencies starting from the specified parent package [1]. - Applying Changes: After updating your package.json, you should run npm install to update your package-lock.json [3][2]. In some cases, if the override does not automatically resolve, you may need to delete your node_modules directory and package-lock.json file, then run npm install again to force a clean resolution [3]. Note: The npm overrides feature is designed to replace a package in your dependency tree with another version or package entirely [5][6]. Avoid attempting to override a direct dependency to a different version unless you use the $ reference syntax, as this can lead to errors [7].
Citations:
- 1: https://github.com/npm/rfcs/blob/main/implemented/0036-overrides.md
- 2: https://www.geeksforgeeks.org/node-js/how-to-override-nested-npm-dependency-versions/
- 3: [agent] chore(deps): pin brace-expansion to 5.0.6 (GHSA-jxxr-4gwj-5jf2) mongodb-js/devtools-shared#754
- 4: [DOCS] package.json "overrides" should be explicit about supporting version range syntax npm/cli#9475
- 5: https://docs.npmjs.com/files/package.json/
- 6: https://docs.npmjs.com/cli/v9/configuring-npm/package-json/
- 7: https://stackoverflow.com/questions/75340053/confused-about-overrides-in-package-json
🌐 Web query:
npm overrides version-qualified key name@version syntax supported
💡 Result:
Yes, the npm overrides feature supports the name@version syntax in the override key [1][2][3]. The overrides field in package.json allows you to use a version or a version range within the key to target specific dependencies in your dependency tree [1][4][2]. This is commonly used to restrict an override to only apply when a package is a child of a specific version of another package [1][3]. For example, to override foo to 1.0.0, but only when it is a dependency of bar at version 2.0.0, you can use the following configuration [1][2]: { "overrides": { "bar@2.0.0": { "foo": "1.0.0" } } } The key in an override must be a package specifier that includes the name, and it supports the same version range syntax used elsewhere in npm for package specifiers [4][5]. An override rule matches if the dependency being resolved satisfies the specifier provided in the key [4]. Note that while the key supports version-qualified syntax, the actual functionality is designed to target specific parts of the dependency graph [1][4].
Citations:
- 1: https://docs.npmjs.com/cli/v9/configuring-npm/package-json/?v=true
- 2: https://docs.npmjs.com/files/package.json/
- 3: https://docs.npmjs.com/cli/v8/configuring-npm/package-json/
- 4: https://github.com/npm/rfcs/blob/main/implemented/0036-overrides.md
- 5: https://docs.npmjs.com/cli/v11/using-npm/package-spec/
Scope the brace-expansion override to @vscode/vsce’s 5.x line. The unfiltered key will also replace any 1.x–4.x instance under that subtree, turning a targeted CVE fix into a potential major-version bump. npm supports version-qualified override keys, so this can be narrowed safely.
Suggested fix
"`@vscode/vsce`": {
- "brace-expansion": "5.0.7"
+ "brace-expansion@5": "5.0.7"
}📝 Committable suggestion
‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.
| "qs": "6.15.2", | |
| "@vscode/vsce": { | |
| "brace-expansion": "5.0.7" | |
| } | |
| "qs": "6.15.2", | |
| "`@vscode/vsce`": { | |
| "brace-expansion@5": "5.0.7" | |
| } |
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@code/build/package.json` around lines 83 - 86, The override for
brace-expansion is too broad and can affect non-5.x versions under `@vscode/vsce`.
Update the override in package.json to use a version-qualified key so it only
applies to the `@vscode/vsce` 5.x dependency tree, and leave other brace-expansion
ranges untouched. Use the existing `@vscode/vsce` override block and the
brace-expansion entry as the place to narrow the scope.
|
Pull Request images published ✨ Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-745-amd64 |
3 similar comments
|
Pull Request images published ✨ Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-745-amd64 |
|
Pull Request images published ✨ Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-745-amd64 |
|
Pull Request images published ✨ Editor amd64: quay.io/che-incubator-pull-requests/che-code:pr-745-amd64 |
What does this PR do?
This PR fixes CVE-2026-45149
brace-expansionversion is updated to5.0.7What issues does this PR fix?
https://redhat.atlassian.net/browse/CRW-11453
How to test this PR?
Does this PR contain changes that override default upstream Code-OSS behavior?
git rebasewere added to the .rebase folderSummary by CodeRabbit
Bug Fixes
Chores