Skip to content

fix: override brace-expansion to patched version#745

Open
sbouchet wants to merge 8 commits into
che-incubator:mainfrom
sbouchet:CVE-2026-45149
Open

fix: override brace-expansion to patched version#745
sbouchet wants to merge 8 commits into
che-incubator:mainfrom
sbouchet:CVE-2026-45149

Conversation

@sbouchet

@sbouchet sbouchet commented Jul 3, 2026

Copy link
Copy Markdown
Collaborator

What does this PR do?

This PR fixes CVE-2026-45149

brace-expansion version is updated to 5.0.7

What issues does this PR fix?

https://redhat.atlassian.net/browse/CRW-11453

How to test this PR?

Does this PR contain changes that override default upstream Code-OSS behavior?

  • the PR contains changes in the code folder (you can skip it if your changes are placed in a che extension )
  • the corresponding items were added to the CHANGELOG.md file
  • rules for automatic git rebase were added to the .rebase folder

Summary by CodeRabbit

  • Bug Fixes

    • Improved dependency resolution by pinning a transitive package to a safer version across multiple components.
    • Expanded conflict handling so package changes in more language features are applied automatically during rebases.
  • Chores

    • Updated the changelog with the latest merge entry and related affected areas.

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Click here to review and test in web IDE: Contribute

@github-actions

github-actions Bot commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

@tolusha

tolusha commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Hi! I'm che-ai-assistant — I help with your pull requests.

Available commands:

  • /che-ai-assistant generate-che-doc — Generate a documentation PR based on this PR's changes
  • /che-ai-assistant ok-pr-review — Run a comprehensive PR review (summary, code review, deep review, impact analysis)
  • /che-ai-assistant check-pr-test-failures — Analyze failing CI checks, identify root causes, and suggest fixes
  • /che-ai-assistant help — Show this help message

sbouchet and others added 3 commits July 6, 2026 12:26
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Use parent-scoped (minimatch) overrides with exact version pinning
instead of @major-scoped overrides with caret range.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

sbouchet added 4 commits July 7, 2026 14:19
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Signed-off-by: Stephane Bouchet <sbouchet@redhat.com>
@sbouchet sbouchet marked this pull request as ready for review July 7, 2026 13:46
@coderabbitai

coderabbitai Bot commented Jul 7, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

This PR pins the transitive brace-expansion dependency to version 5.0.7 via npm overrides blocks across multiple package.json files (root, build, copilot, chat-lib, css/html/json-language-features), applied consistently in both code/ and .rebase/add/code/ trees. rebase.sh's resolve_conflicts function is extended with new branches routing the three language-feature extension manifests through apply_package_changes_by_path. A changelog entry documenting PR #745 is also added.

Estimated code review effort: 2 (Simple) | ~10 minutes

Possibly related PRs

  • che-incubator/che-code#659: Both PRs update dependency overrides in the same language-feature package.json files and modify rebase.sh conflict-resolution for those extensions.
  • che-incubator/che-code#720: Both PRs extend rebase.sh's apply_package_changes_by_path handling for additional package.json conflict paths.
  • che-incubator/che-code#722: Both PRs modify the same resolve_conflicts logic to recognize additional package.json conflict paths.

Suggested reviewers: rgrunber, azatsarynnyy, vitaliy-guliy, RomanNikitenko

🎭 A poem for the pull request:

A bunny hopped through npm's tangled roots,
Pinning versions in overrides' boots,
brace-expansion tamed at five-point-oh-seven,
Fourteen manifests, aligned like heaven,
rebase.sh nods, three new paths in its scripts,
Changelog whispers of conflicts thus fixed. 🐰

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name Status Explanation Resolution
Rebase Rules For Upstream Changes ❓ Inconclusive Repository clone failed, so this custom check could not run with code access. Retry the review run. If this persists, inspect pre-merge custom-check logs for infrastructure or agent runtime failures.
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title is concise, imperative, and accurately describes the brace-expansion override update.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

♻️ Duplicate comments (1)
.rebase/add/code/build/package.json (1)

4-7: 🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

Same unfiltered brace-expansion override issue as code/build/package.json.

This mirror carries the identical unscoped "brace-expansion": "5.0.7" override under @vscode/vsce, with the same risk of forcing a cross-major-version upgrade for a package unaffected by the CVE. See the corresponding comment on code/build/package.json; fix should be applied consistently to both trees.

Suggested fix
         "`@vscode/vsce`": {
-            "brace-expansion": "5.0.7"
+            "brace-expansion@5": "5.0.7"
         }
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.rebase/add/code/build/package.json around lines 4 - 7, The package override
under `@vscode/vsce` still applies an unscoped brace-expansion version, so update
the package.json override in this mirror to match the scoped fix used elsewhere
and avoid forcing the dependency across unrelated packages. Use the same
adjustment as the corresponding package.json in the other tree, keeping the
change localized to the `@vscode/vsce` override entry and preserving consistency
across both build manifests.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@code/build/package.json`:
- Around line 83-86: The override for brace-expansion is too broad and can
affect non-5.x versions under `@vscode/vsce`. Update the override in package.json
to use a version-qualified key so it only applies to the `@vscode/vsce` 5.x
dependency tree, and leave other brace-expansion ranges untouched. Use the
existing `@vscode/vsce` override block and the brace-expansion entry as the place
to narrow the scope.

---

Duplicate comments:
In @.rebase/add/code/build/package.json:
- Around line 4-7: The package override under `@vscode/vsce` still applies an
unscoped brace-expansion version, so update the package.json override in this
mirror to match the scoped fix used elsewhere and avoid forcing the dependency
across unrelated packages. Use the same adjustment as the corresponding
package.json in the other tree, keeping the change localized to the `@vscode/vsce`
override entry and preserving consistency across both build manifests.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 3ed96702-f05f-4751-8c54-5c41b81ae882

📥 Commits

Reviewing files that changed from the base of the PR and between 828719e and 3083d62.

⛔ Files ignored due to path filters (7)
  • code/build/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/copilot/chat-lib/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/copilot/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/css-language-features/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/html-language-features/package-lock.json is excluded by !**/package-lock.json
  • code/extensions/json-language-features/package-lock.json is excluded by !**/package-lock.json
  • code/package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (16)
  • .rebase/CHANGELOG.md
  • .rebase/add/code/build/package.json
  • .rebase/add/code/extensions/copilot/chat-lib/package.json
  • .rebase/add/code/extensions/copilot/package.json
  • .rebase/add/code/extensions/css-language-features/package.json
  • .rebase/add/code/extensions/html-language-features/package.json
  • .rebase/add/code/extensions/json-language-features/package.json
  • .rebase/add/code/package.json
  • code/build/package.json
  • code/extensions/copilot/chat-lib/package.json
  • code/extensions/copilot/package.json
  • code/extensions/css-language-features/package.json
  • code/extensions/html-language-features/package.json
  • code/extensions/json-language-features/package.json
  • code/package.json
  • rebase.sh

Comment thread code/build/package.json
Comment on lines +83 to +86
"qs": "6.15.2",
"@vscode/vsce": {
"brace-expansion": "5.0.7"
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🗄️ Data Integrity & Integration | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Confirm which brace-expansion major version `@vscode/vsce` actually resolves to.
fd package-lock.json code/build -x jq '.packages | to_entries[] | select(.key | test("vsce.*node_modules/brace-expansion$|node_modules/brace-expansion$")) | {path: .key, version: .value.version}' {} 2>/dev/null

Repository: che-incubator/che-code

Length of output: 1996


🌐 Web query:

npm overrides version selector package.json nested dependency brace-expansion@5 syntax

💡 Result:

To override a nested dependency like brace-expansion using the npm overrides field in your package.json, you can specify either a global override or a scoped, nested override [1][2]. For a global override, which forces all instances of the dependency to a specific version regardless of where it appears in the dependency tree, use this syntax [1][3]: { "overrides": { "brace-expansion": "5.0.6" } } If you need to target a nested dependency only when it is a dependency of a specific parent package, use nested object syntax [1][2]: { "overrides": { "parent-package": { "brace-expansion": "5.0.6" } } } Key points regarding this syntax: - Placement: The overrides field must be located in the root package.json file of your project [1]. - Version Values: You can use exact versions (e.g., 5.0.6) or version ranges (e.g., ^5.0.5) [4][3][2]. - Granularity: Nested rule sets apply to all direct and transitive dependencies starting from the specified parent package [1]. - Applying Changes: After updating your package.json, you should run npm install to update your package-lock.json [3][2]. In some cases, if the override does not automatically resolve, you may need to delete your node_modules directory and package-lock.json file, then run npm install again to force a clean resolution [3]. Note: The npm overrides feature is designed to replace a package in your dependency tree with another version or package entirely [5][6]. Avoid attempting to override a direct dependency to a different version unless you use the $ reference syntax, as this can lead to errors [7].

Citations:


🌐 Web query:

npm overrides version-qualified key name@version syntax supported

💡 Result:

Yes, the npm overrides feature supports the name@version syntax in the override key [1][2][3]. The overrides field in package.json allows you to use a version or a version range within the key to target specific dependencies in your dependency tree [1][4][2]. This is commonly used to restrict an override to only apply when a package is a child of a specific version of another package [1][3]. For example, to override foo to 1.0.0, but only when it is a dependency of bar at version 2.0.0, you can use the following configuration [1][2]: { "overrides": { "bar@2.0.0": { "foo": "1.0.0" } } } The key in an override must be a package specifier that includes the name, and it supports the same version range syntax used elsewhere in npm for package specifiers [4][5]. An override rule matches if the dependency being resolved satisfies the specifier provided in the key [4]. Note that while the key supports version-qualified syntax, the actual functionality is designed to target specific parts of the dependency graph [1][4].

Citations:


Scope the brace-expansion override to @vscode/vsce’s 5.x line. The unfiltered key will also replace any 1.x–4.x instance under that subtree, turning a targeted CVE fix into a potential major-version bump. npm supports version-qualified override keys, so this can be narrowed safely.

Suggested fix
     "`@vscode/vsce`": {
-      "brace-expansion": "5.0.7"
+      "brace-expansion@5": "5.0.7"
     }
📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
"qs": "6.15.2",
"@vscode/vsce": {
"brace-expansion": "5.0.7"
}
"qs": "6.15.2",
"`@vscode/vsce`": {
"brace-expansion@5": "5.0.7"
}
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@code/build/package.json` around lines 83 - 86, The override for
brace-expansion is too broad and can affect non-5.x versions under `@vscode/vsce`.
Update the override in package.json to use a version-qualified key so it only
applies to the `@vscode/vsce` 5.x dependency tree, and leave other brace-expansion
ranges untouched. Use the existing `@vscode/vsce` override block and the
brace-expansion entry as the place to narrow the scope.

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

3 similar comments
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants