Skip to content

OCPBUGS-94165: Upgrade brace-expansion to 5.0.7#237

Merged
openshift-merge-bot[bot] merged 1 commit into
openshift:mainfrom
pcbailey:cve/94165--CVE-2026-13148--brace-expansation--main
Jul 9, 2026
Merged

OCPBUGS-94165: Upgrade brace-expansion to 5.0.7#237
openshift-merge-bot[bot] merged 1 commit into
openshift:mainfrom
pcbailey:cve/94165--CVE-2026-13148--brace-expansation--main

Conversation

@pcbailey

@pcbailey pcbailey commented Jul 8, 2026

Copy link
Copy Markdown

Upgrade brace-expansion to 5.0.7 to address CVE-2026-13149.

jira: https://redhat.atlassian.net/browse/OCPBUGS-94165

Summary by CodeRabbit

  • Chores
    • Updated a dependency override to improve build stability and consistency.

@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Jul 8, 2026
@openshift-ci-robot

Copy link
Copy Markdown

@pcbailey: This pull request references Jira Issue OCPBUGS-94165, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @lkladnit

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Upgrade brace-expansion to 5.0.7 to address CVE-2026-13149.

jira: https://redhat.atlassian.net/browse/OCPBUGS-94165

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci

openshift-ci Bot commented Jul 8, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pcbailey

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 8, 2026
@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e5600627-06d6-417e-ac8e-98cb3ca1dea2

📥 Commits

Reviewing files that changed from the base of the PR and between 5c85d96 and 65e4299.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
  • package.json
🚧 Files skipped from review as they are similar to previous changes (1)
  • package.json

Walkthrough

Added a single entry to the overrides section of package.json pinning the brace-expansion dependency to version 5.0.7. No other fields or dependencies were changed.

Changes

Dependency Override

Layer / File(s) Summary
Add brace-expansion override
package.json
Adds an overrides entry pinning brace-expansion to version 5.0.7.

Estimated code review effort: 1 (Trivial) | ~2 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the dependency upgrade to brace-expansion 5.0.7.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed Diff only updates package.json/package-lock for brace-expansion; no test files or Ginkgo titles were changed.
Test Structure And Quality ✅ Passed No Ginkgo test files were changed; the PR only updates package.json/package-lock.json, so this test-quality check is not applicable.
Microshift Test Compatibility ✅ Passed No new Ginkgo/e2e tests were added; only package.json and package-lock.json changed to pin brace-expansion, so the MicroShift check is not applicable.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No Ginkgo/e2e tests were added; the PR only changes package.json/package-lock.json dependency pins, so SNO compatibility is not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed Diff only changes package.json and package-lock.json to pin brace-expansion; no manifests, controllers, or scheduling logic were modified.
Ote Binary Stdout Contract ✅ Passed HEAD only changes package.json and package-lock.json; no process-level code paths or stdout writes are introduced.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed Only package.json/package-lock.json changed to pin brace-expansion; no Ginkgo/e2e tests or network code were added.
No-Weak-Crypto ✅ Passed Diff only updates brace-expansion and its lockfile; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret comparisons found.
Container-Privileges ✅ Passed PR only updates package.json/package-lock.json for brace-expansion; no container/K8s manifests or privilege flags were touched.
No-Sensitive-Data-In-Logs ✅ Passed Only package.json/package-lock.json changed to pin brace-expansion; no logging code or sensitive log strings were added.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@openshift-ci-robot

Copy link
Copy Markdown

@pcbailey: This pull request references Jira Issue OCPBUGS-94165, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @lkladnit

Details

In response to this:

Upgrade brace-expansion to 5.0.7 to address CVE-2026-13149.

jira: https://redhat.atlassian.net/browse/OCPBUGS-94165

Summary by CodeRabbit

  • Bug Fixes
  • Updated a dependency pin to use a specific brace-expansion version for more consistent installs.
  • Changed the default console image to a fixed release tag instead of latest, making startup behavior more predictable.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@start-console.sh`:
- Line 71: The console image default is out of sync between the startup script
and the documentation. Update either the CONSOLE_IMAGE default in
start-console.sh or the README’s published default so they match, and make sure
the referenced default value is consistent across the start-console.sh logic and
any user-facing docs.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 46e821b0-f9b8-4f6e-9b65-9da75409a6ee

📥 Commits

Reviewing files that changed from the base of the PR and between 19c58a7 and 5c85d96.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (2)
  • package.json
  • start-console.sh

Comment thread start-console.sh Outdated
done

CONSOLE_IMAGE=${CONSOLE_IMAGE:-"quay.io/openshift/origin-console:latest"}
CONSOLE_IMAGE=${CONSOLE_IMAGE:-"quay.io/openshift/origin-console:4.22"}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== start-console.sh ==\n'
nl -ba start-console.sh | sed -n '60,80p'

printf '\n== README.md mentions of CONSOLE_IMAGE/origin-console ==\n'
rg -n 'CONSOLE_IMAGE|origin-console|latest|4\.22' README.md

Repository: openshift/nmstate-console-plugin

Length of output: 234


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== start-console.sh ==\n'
sed -n '60,80p' start-console.sh | awk '{printf "%6d  %s\n", NR+59, $0}'

printf '\n== README.md mentions of CONSOLE_IMAGE/origin-console ==\n'
rg -n 'CONSOLE_IMAGE|origin-console|latest|4\.22' README.md

Repository: openshift/nmstate-console-plugin

Length of output: 1431


Keep the console image default in sync

start-console.sh defaults to quay.io/openshift/origin-console:4.22, but README.md still says ...:latest. Update the docs or the script so the published default matches.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@start-console.sh` at line 71, The console image default is out of sync
between the startup script and the documentation. Update either the
CONSOLE_IMAGE default in start-console.sh or the README’s published default so
they match, and make sure the referenced default value is consistent across the
start-console.sh logic and any user-facing docs.

@pcbailey pcbailey force-pushed the cve/94165--CVE-2026-13148--brace-expansation--main branch from 5c85d96 to 65e4299 Compare July 9, 2026 11:26
@Parthivk100

Copy link
Copy Markdown

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 9, 2026
@openshift-ci

openshift-ci Bot commented Jul 9, 2026

Copy link
Copy Markdown

@pcbailey: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot Bot merged commit c647d25 into openshift:main Jul 9, 2026
4 checks passed
@openshift-ci-robot

Copy link
Copy Markdown

@pcbailey: Jira Issue OCPBUGS-94165: All pull requests linked via external trackers have merged:

Jira Issue OCPBUGS-94165 has been moved to the MODIFIED state.

Details

In response to this:

Upgrade brace-expansion to 5.0.7 to address CVE-2026-13149.

jira: https://redhat.atlassian.net/browse/OCPBUGS-94165

Summary by CodeRabbit

  • Chores
  • Updated a dependency override to improve build stability and consistency.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@pcbailey

Copy link
Copy Markdown
Author

/cherry-pick release-4.22

@openshift-cherrypick-robot

Copy link
Copy Markdown

@pcbailey: new pull request created: #238

Details

In response to this:

/cherry-pick release-4.22

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants