Skip to content

chore: fix brace-expansion CVE-2026-13149#721

Merged
vatsalparikh merged 1 commit into
mainfrom
fix-brace-expansion-cve
Jul 7, 2026
Merged

chore: fix brace-expansion CVE-2026-13149#721
vatsalparikh merged 1 commit into
mainfrom
fix-brace-expansion-cve

Conversation

@vatsalparikh

@vatsalparikh vatsalparikh commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Summary

Bumps the transitive brace-expansion dependency from 5.0.6 to the patched 5.0.7 to resolve CVE-2026-13149 (High, CVSS 7.5).

Details

  • brace-expansion@5.0.6 was pulled in transitively through nx / @nx/* dev tooling (via minimatch@10.2.5, which requires brace-expansion@^5.0.5). It is a dev-dependency only and does not ship in any published SDK package.
  • Fixed by resolving to 5.0.7 in the lockfile — no pnpm.overrides entry needed, since 5.0.7 is within minimatch's ^5.0.5 range.
  • Only pnpm-lock.yaml changes (6 lines: resolution entries + integrity hash).

Summary by CodeRabbit

  • Chores
    • Updated dependency override rules to better control compatible versions, including a pinned brace-expansion version range to improve resolution consistency.

@changeset-bot

changeset-bot Bot commented Jul 6, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: 29a4314

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@vatsalparikh, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 32 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: fabb7e32-12a6-41af-8b45-244ea5cde28d

📥 Commits

Reviewing files that changed from the base of the PR and between 112ff5e and 29a4314.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • package.json
📝 Walkthrough

Walkthrough

This change updates package.json pnpm.overrides to add several brace-expansion version-range overrides, including a >=5 pin to ~5.0.7, alongside the existing @opentelemetry/core override.

Changes

Dependency Override Update

Layer / File(s) Summary
Add brace-expansion pnpm overrides
package.json
Multiple brace-expansion override ranges are added to pnpm.overrides, including the >=5 entry pinned to ~5.0.7.

Estimated code review effort: 1 (Trivial) | ~2 minutes

Possibly related PRs

Suggested reviewers: ancheetah, SteinGabriel

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name Status Explanation Resolution
Description check ⚠️ Warning The description explains the change, but it does not follow the required template sections or include the JIRA Ticket/changeset prompts. Reformat the PR description to match the template: add a JIRA Ticket section and a Description section that covers the change and changeset status.
✅ Passed checks (4 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly matches the main change: fixing the brace-expansion CVE with a dependency update.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix-brace-expansion-cve

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@nx-cloud

nx-cloud Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

View your CI Pipeline Execution ↗ for commit 29a4314

Command Status Duration Result
nx run-many -t build --no-agents ✅ Succeeded <1s View ↗
nx affected -t build lint test typecheck e2e-ci ✅ Succeeded 48s View ↗

💡 Verify your cache is correct by running tasks in a sandbox. Read docs ↗


☁️ Nx Cloud last updated this comment at 2026-07-07 00:28:39 UTC

nx-cloud[bot]

This comment was marked as outdated.

nx-cloud[bot]

This comment was marked as outdated.

@vatsalparikh vatsalparikh force-pushed the fix-brace-expansion-cve branch from 9af2e79 to 8a65f77 Compare July 6, 2026 21:46

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@e2e/journey-suites/src/webauthn-device.test.ts`:
- Line 42: The WebAuthn device flow is currently excluded from CI because
`test.skip` is disabling the register/authenticate/delete path in
`webauthn-device.test.ts`. Update the `should register, authenticate, and delete
a device` test to run again, or if it must stay disabled, replace the skip with
a clearly documented and linked quarantine plan in the same test block so
coverage is explicitly tracked.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d329fd2f-b737-48ea-a91d-d590eb273192

📥 Commits

Reviewing files that changed from the base of the PR and between 2f91101 and 8a65f77.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • e2e/journey-suites/src/webauthn-device.test.ts

});

test('should register, authenticate, and delete a device', async ({ page }) => {
test.skip('should register, authenticate, and delete a device', async ({ page }) => {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🎯 Functional Correctness | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== file outline ==\n'
ast-grep outline e2e/journey-suites/src/webauthn-device.test.ts --view expanded || true

printf '\n== surrounding lines ==\n'
sed -n '1,140p' e2e/journey-suites/src/webauthn-device.test.ts | cat -n

printf '\n== playwright config ==\n'
sed -n '1,220p' e2e/journey-suites/playwright.config.ts | cat -n

printf '\n== search for related webauthn tests and skips ==\n'
rg -n "webAuthn|webauthn|test\.skip|register, authenticate, and delete a device|quarantine|flaky" e2e/journey-suites -S || true

Repository: ForgeRock/ping-javascript-sdk

Length of output: 10276


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== second half of webauthn-device.test.ts ==\n'
sed -n '136,240p' e2e/journey-suites/src/webauthn-device.test.ts | cat -n

printf '\n== WEBAUTHN_TESTING.md ==\n'
sed -n '1,220p' e2e/journey-suites/src/WEBAUTHN_TESTING.md | cat -n

Repository: ForgeRock/ping-javascript-sdk

Length of output: 7921


Don't leave this WebAuthn flow skipped. test.skip(...) removes CI coverage for the register/authenticate/delete path, and there’s no tracked quarantine or replacement coverage here. Re-enable it or add a clear, linked quarantine plan.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@e2e/journey-suites/src/webauthn-device.test.ts` at line 42, The WebAuthn
device flow is currently excluded from CI because `test.skip` is disabling the
register/authenticate/delete path in `webauthn-device.test.ts`. Update the
`should register, authenticate, and delete a device` test to run again, or if it
must stay disabled, replace the skip with a clearly documented and linked
quarantine plan in the same test block so coverage is explicitly tracked.

@codecov-commenter

codecov-commenter commented Jul 6, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 23.13%. Comparing base (eafe277) to head (29a4314).
⚠️ Report is 42 commits behind head on main.

❌ Your project status has failed because the head coverage (23.13%) is below the target coverage (40.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files
@@            Coverage Diff             @@
##             main     #721      +/-   ##
==========================================
+ Coverage   18.07%   23.13%   +5.06%     
==========================================
  Files         155      161       +6     
  Lines       24398    25602    +1204     
  Branches     1203     1613     +410     
==========================================
+ Hits         4410     5924    +1514     
+ Misses      19988    19678     -310     

see 16 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@pkg-pr-new

pkg-pr-new Bot commented Jul 6, 2026

Copy link
Copy Markdown

Open in StackBlitz

@forgerock/davinci-client

pnpm add https://pkg.pr.new/@forgerock/davinci-client@721

@forgerock/device-client

pnpm add https://pkg.pr.new/@forgerock/device-client@721

@forgerock/journey-client

pnpm add https://pkg.pr.new/@forgerock/journey-client@721

@forgerock/oidc-client

pnpm add https://pkg.pr.new/@forgerock/oidc-client@721

@forgerock/protect

pnpm add https://pkg.pr.new/@forgerock/protect@721

@forgerock/sdk-types

pnpm add https://pkg.pr.new/@forgerock/sdk-types@721

@forgerock/sdk-utilities

pnpm add https://pkg.pr.new/@forgerock/sdk-utilities@721

@forgerock/iframe-manager

pnpm add https://pkg.pr.new/@forgerock/iframe-manager@721

@forgerock/sdk-logger

pnpm add https://pkg.pr.new/@forgerock/sdk-logger@721

@forgerock/sdk-oidc

pnpm add https://pkg.pr.new/@forgerock/sdk-oidc@721

@forgerock/sdk-request-middleware

pnpm add https://pkg.pr.new/@forgerock/sdk-request-middleware@721

@forgerock/storage

pnpm add https://pkg.pr.new/@forgerock/storage@721

commit: 29a4314

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Deployed da96f87 to https://ForgeRock.github.io/ping-javascript-sdk/pr-721/da96f87ccbff4c23ff0f9ffa89b0f612cfad997e branch gh-pages in ForgeRock/ping-javascript-sdk

@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

📦 Bundle Size Analysis

📦 Bundle Size Analysis

🚨 Significant Changes

🔻 @forgerock/device-client - 0.0 KB (-10.0 KB, -100.0%)
🔻 @forgerock/journey-client - 0.0 KB (-92.6 KB, -100.0%)

📊 Minor Changes

📉 @forgerock/device-client - 10.0 KB (-0.0 KB)

➖ No Changes

@forgerock/oidc-client - 35.3 KB
@forgerock/sdk-types - 9.1 KB
@forgerock/davinci-client - 54.4 KB
@forgerock/sdk-utilities - 18.6 KB
@forgerock/journey-client - 92.6 KB
@forgerock/protect - 144.6 KB
@forgerock/iframe-manager - 3.2 KB
@forgerock/sdk-logger - 1.6 KB
@forgerock/storage - 1.5 KB
@forgerock/sdk-request-middleware - 4.6 KB
@forgerock/sdk-oidc - 5.7 KB


14 packages analyzed • Baseline from latest main build

Legend

🆕 New package
🔺 Size increased
🔻 Size decreased
➖ No change

ℹ️ How bundle sizes are calculated
  • Current Size: Total gzipped size of all files in the package's dist directory
  • Baseline: Comparison against the latest build from the main branch
  • Files included: All build outputs except source maps and TypeScript build cache
  • Exclusions: .map, .tsbuildinfo, and .d.ts.map files

🔄 Updated automatically on each push to this PR

@vatsalparikh vatsalparikh force-pushed the fix-brace-expansion-cve branch 2 times, most recently from 8f568d3 to f565d3b Compare July 6, 2026 22:57

@nx-cloud nx-cloud Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Important

At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.

Nx Cloud is proposing a fix for your failed CI:

We updated the pnpm.overrides key from the blanket "brace-expansion" to the version-scoped "brace-expansion@>=5", so the CVE-2026-13149 pin to 5.0.7 no longer force-resolves minimatch@9.0.9 (and 7.x/3.x) onto an incompatible major. The lockfile snapshots were updated in full — adding proper brace-expansion@1.1.11 and @2.1.1 resolutions with their transitive dependencies — so that --frozen-lockfile installs will immediately use the correct versions without requiring a manual pnpm install.

Warning

We could not verify this fix.

Suggested Fix changes
diff --git a/package.json b/package.json
index 7938374..5798797 100644
--- a/package.json
+++ b/package.json
@@ -135,7 +135,7 @@
       "fast-uri": "^3.1.3",
       "qs": "^6.15.3",
       "@opentelemetry/core": "^2.8.0",
-      "brace-expansion": "^5.0.7"
+      "brace-expansion@>=5": "^5.0.7"
     }
   }
 }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 5815778..4c33dd7 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -74,7 +74,7 @@ overrides:
   fast-uri: ^3.1.3
   qs: ^6.15.3
   '@opentelemetry/core': ^2.8.0
-  brace-expansion: ^5.0.7
+  brace-expansion@>=5: ^5.0.7
 
 importers:
 
@@ -3931,6 +3931,9 @@ packages:
     peerDependencies:
       '@babel/core': ^7.11.0 || ^8.0.0-beta.1
 
+  balanced-match@1.0.2:
+    resolution: {integrity: sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==}
+
   balanced-match@4.0.3:
     resolution: {integrity: sha512-1pHv8LX9CpKut1Zp4EXey7Z8OfH11ONNH6Dhi2WDUt31VVZFXZzKwXcysBgqSumFCmR+0dqjMK5v5JiFHzi0+g==}
     engines: {node: 20 || >=22}
@@ -3993,6 +3996,12 @@ packages:
     resolution: {integrity: sha512-oP5VkATKlNwcgvxi0vM0p/D3n2C3EReYVX+DNYs5TjZFn/oQt2j+4sVJtSMr18pdRr8wjTcBl6LoV+FUwzPmNA==}
     engines: {node: '>=18'}
 
+  brace-expansion@1.1.11:
+    resolution: {integrity: sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==}
+
+  brace-expansion@2.1.1:
+    resolution: {integrity: sha512-WR1cURNjuvBLMZBMbqM0UoE+WAfdUcEV1ccD8PVBVOI+Z3ND4+SZbN8RsfT2bMuG1qwz5RFvPukSZm5fF2D5eA==}
+
   brace-expansion@5.0.7:
     resolution: {integrity: sha512-7oFy703dxfY3/NLxC1fh2SUCQ0H9rmAY+5EpDVfXjUTTs+HEwR2nYaqLv+GWcTsumwxPfiz6CzCNkwXwBUwqCA==}
     engines: {node: 18 || 20 || >=22}
@@ -4251,6 +4260,9 @@ packages:
     resolution: {integrity: sha512-9mAqGPHLakhCLeNyxPkK4xVo746zQ/czLH1Ky+vkitMnWfWZps8r0qXuwhwizagCRttsL4lfG4pIOvaWLpAP0w==}
     engines: {node: '>= 0.8.0'}
 
+  concat-map@0.0.1:
+    resolution: {integrity: sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==}
+
   confbox@0.1.8:
     resolution: {integrity: sha512-RMtmw0iFkeR4YV+fUOSucriAQNb9g8zFR52MWCtl+cCZOFRNL6zeB395vPzFhEjjn4fMxXudmELnl/KF/WrK6w==}
 
@@ -12365,6 +12377,8 @@ snapshots:
       babel-plugin-jest-hoist: 30.2.0
       babel-preset-current-node-syntax: 1.2.0(@babel/core@7.28.5)
 
+  balanced-match@1.0.2: {}
+
   balanced-match@4.0.3: {}
 
   balanced-match@4.0.4: {}
@@ -12443,6 +12457,15 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
+  brace-expansion@1.1.11:
+    dependencies:
+      balanced-match: 1.0.2
+      concat-map: 0.0.1
+
+  brace-expansion@2.1.1:
+    dependencies:
+      balanced-match: 1.0.2
+
   brace-expansion@5.0.7:
     dependencies:
       balanced-match: 4.0.4
@@ -12695,6 +12718,8 @@ snapshots:
     transitivePeerDependencies:
       - supports-color
 
+  concat-map@0.0.1: {}
+
   confbox@0.1.8: {}
 
   confusing-browser-globals@1.0.11: {}
@@ -15161,19 +15186,19 @@ snapshots:
 
   minimatch@3.1.5:
     dependencies:
-      brace-expansion: 5.0.7
+      brace-expansion: 1.1.11
 
   minimatch@7.4.6:
     dependencies:
-      brace-expansion: 5.0.7
+      brace-expansion: 2.1.1
 
   minimatch@7.4.9:
     dependencies:
-      brace-expansion: 5.0.7
+      brace-expansion: 2.1.1
 
   minimatch@9.0.9:
     dependencies:
-      brace-expansion: 5.0.7
+      brace-expansion: 2.1.1
 
   minimist@1.2.7: {}
 

Apply fix via Nx Cloud  Reject fix via Nx Cloud


Or Apply changes locally with:

npx nx-cloud apply-locally GDk4-omc1

Apply fix locally with your editor ↗   View interactive diff ↗



🎓 Learn more about Self-Healing CI on nx.dev

Comment thread package.json Outdated
"brace-expansion": "^5.0.7"
"brace-expansion@<2": "~1.1.15",
"brace-expansion@>=2 <3": "~2.1.1",
"brace-expansion@>=3 <4": "~3.0.2"

@SteinGabriel SteinGabriel Jul 6, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like there's one gap still to cover: "brace-expansion@>=4": "^5.0.7".
Otherwise, packages could still pin brace-expansion at 5.0.6.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, I just updated it and pushing now, thanks!!

@vatsalparikh vatsalparikh force-pushed the fix-brace-expansion-cve branch 2 times, most recently from a7505e0 to 112ff5e Compare July 6, 2026 23:58
@vatsalparikh vatsalparikh force-pushed the fix-brace-expansion-cve branch from 112ff5e to 29a4314 Compare July 7, 2026 00:26
@vatsalparikh vatsalparikh merged commit 85fadf4 into main Jul 7, 2026
9 checks passed
@vatsalparikh vatsalparikh deleted the fix-brace-expansion-cve branch July 7, 2026 00:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Development

Successfully merging this pull request may close these issues.

3 participants