chore: fix brace-expansion CVE-2026-13149#721
Conversation
|
|
Warning Review limit reached
Next review available in: 32 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (1)
📝 WalkthroughWalkthroughThis change updates ChangesDependency Override Update
Estimated code review effort: 1 (Trivial) | ~2 minutes Possibly related PRs
Suggested reviewers: 🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
|
View your CI Pipeline Execution ↗ for commit 29a4314
💡 Verify your cache is correct by running tasks in a sandbox. Read docs ↗ ☁️ Nx Cloud last updated this comment at |
9af2e79 to
8a65f77
Compare
There was a problem hiding this comment.
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@e2e/journey-suites/src/webauthn-device.test.ts`:
- Line 42: The WebAuthn device flow is currently excluded from CI because
`test.skip` is disabling the register/authenticate/delete path in
`webauthn-device.test.ts`. Update the `should register, authenticate, and delete
a device` test to run again, or if it must stay disabled, replace the skip with
a clearly documented and linked quarantine plan in the same test block so
coverage is explicitly tracked.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: d329fd2f-b737-48ea-a91d-d590eb273192
⛔ Files ignored due to path filters (1)
pnpm-lock.yamlis excluded by!**/pnpm-lock.yaml
📒 Files selected for processing (1)
e2e/journey-suites/src/webauthn-device.test.ts
| }); | ||
|
|
||
| test('should register, authenticate, and delete a device', async ({ page }) => { | ||
| test.skip('should register, authenticate, and delete a device', async ({ page }) => { |
There was a problem hiding this comment.
🎯 Functional Correctness | 🟠 Major | ⚡ Quick win
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '\n== file outline ==\n'
ast-grep outline e2e/journey-suites/src/webauthn-device.test.ts --view expanded || true
printf '\n== surrounding lines ==\n'
sed -n '1,140p' e2e/journey-suites/src/webauthn-device.test.ts | cat -n
printf '\n== playwright config ==\n'
sed -n '1,220p' e2e/journey-suites/playwright.config.ts | cat -n
printf '\n== search for related webauthn tests and skips ==\n'
rg -n "webAuthn|webauthn|test\.skip|register, authenticate, and delete a device|quarantine|flaky" e2e/journey-suites -S || trueRepository: ForgeRock/ping-javascript-sdk
Length of output: 10276
🏁 Script executed:
#!/bin/bash
set -euo pipefail
printf '\n== second half of webauthn-device.test.ts ==\n'
sed -n '136,240p' e2e/journey-suites/src/webauthn-device.test.ts | cat -n
printf '\n== WEBAUTHN_TESTING.md ==\n'
sed -n '1,220p' e2e/journey-suites/src/WEBAUTHN_TESTING.md | cat -nRepository: ForgeRock/ping-javascript-sdk
Length of output: 7921
Don't leave this WebAuthn flow skipped. test.skip(...) removes CI coverage for the register/authenticate/delete path, and there’s no tracked quarantine or replacement coverage here. Re-enable it or add a clear, linked quarantine plan.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
In `@e2e/journey-suites/src/webauthn-device.test.ts` at line 42, The WebAuthn
device flow is currently excluded from CI because `test.skip` is disabling the
register/authenticate/delete path in `webauthn-device.test.ts`. Update the
`should register, authenticate, and delete a device` test to run again, or if it
must stay disabled, replace the skip with a clearly documented and linked
quarantine plan in the same test block so coverage is explicitly tracked.
Codecov Report✅ All modified and coverable lines are covered by tests. ❌ Your project status has failed because the head coverage (23.13%) is below the target coverage (40.00%). You can increase the head coverage or adjust the target coverage. Additional details and impacted files@@ Coverage Diff @@
## main #721 +/- ##
==========================================
+ Coverage 18.07% 23.13% +5.06%
==========================================
Files 155 161 +6
Lines 24398 25602 +1204
Branches 1203 1613 +410
==========================================
+ Hits 4410 5924 +1514
+ Misses 19988 19678 -310 🚀 New features to boost your workflow:
|
@forgerock/davinci-client
@forgerock/device-client
@forgerock/journey-client
@forgerock/oidc-client
@forgerock/protect
@forgerock/sdk-types
@forgerock/sdk-utilities
@forgerock/iframe-manager
@forgerock/sdk-logger
@forgerock/sdk-oidc
@forgerock/sdk-request-middleware
@forgerock/storage
commit: |
|
Deployed da96f87 to https://ForgeRock.github.io/ping-javascript-sdk/pr-721/da96f87ccbff4c23ff0f9ffa89b0f612cfad997e branch gh-pages in ForgeRock/ping-javascript-sdk |
📦 Bundle Size Analysis📦 Bundle Size Analysis🚨 Significant Changes🔻 @forgerock/device-client - 0.0 KB (-10.0 KB, -100.0%) 📊 Minor Changes📉 @forgerock/device-client - 10.0 KB (-0.0 KB) ➖ No Changes➖ @forgerock/oidc-client - 35.3 KB 14 packages analyzed • Baseline from latest Legend🆕 New package ℹ️ How bundle sizes are calculated
🔄 Updated automatically on each push to this PR |
8f568d3 to
f565d3b
Compare
There was a problem hiding this comment.
Important
At least one additional CI pipeline execution has run since the conclusion below was written and it may no longer be applicable.
Nx Cloud is proposing a fix for your failed CI:
We updated the pnpm.overrides key from the blanket "brace-expansion" to the version-scoped "brace-expansion@>=5", so the CVE-2026-13149 pin to 5.0.7 no longer force-resolves minimatch@9.0.9 (and 7.x/3.x) onto an incompatible major. The lockfile snapshots were updated in full — adding proper brace-expansion@1.1.11 and @2.1.1 resolutions with their transitive dependencies — so that --frozen-lockfile installs will immediately use the correct versions without requiring a manual pnpm install.
Warning
❌ We could not verify this fix.
Suggested Fix changes
diff --git a/package.json b/package.json
index 7938374..5798797 100644
--- a/package.json
+++ b/package.json
@@ -135,7 +135,7 @@
"fast-uri": "^3.1.3",
"qs": "^6.15.3",
"@opentelemetry/core": "^2.8.0",
- "brace-expansion": "^5.0.7"
+ "brace-expansion@>=5": "^5.0.7"
}
}
}
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 5815778..4c33dd7 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -74,7 +74,7 @@ overrides:
fast-uri: ^3.1.3
qs: ^6.15.3
'@opentelemetry/core': ^2.8.0
- brace-expansion: ^5.0.7
+ brace-expansion@>=5: ^5.0.7
importers:
@@ -3931,6 +3931,9 @@ packages:
peerDependencies:
'@babel/core': ^7.11.0 || ^8.0.0-beta.1
+ balanced-match@1.0.2:
+ resolution: {integrity: sha512-3oSeUO0TMV67hN1AmbXsK4yaqU7tjiHlbxRDZOpH0KW9+CeX4bRAaX0Anxt0tx2MrpRpWwQaPwIlISEJhYU5Pw==}
+
balanced-match@4.0.3:
resolution: {integrity: sha512-1pHv8LX9CpKut1Zp4EXey7Z8OfH11ONNH6Dhi2WDUt31VVZFXZzKwXcysBgqSumFCmR+0dqjMK5v5JiFHzi0+g==}
engines: {node: 20 || >=22}
@@ -3993,6 +3996,12 @@ packages:
resolution: {integrity: sha512-oP5VkATKlNwcgvxi0vM0p/D3n2C3EReYVX+DNYs5TjZFn/oQt2j+4sVJtSMr18pdRr8wjTcBl6LoV+FUwzPmNA==}
engines: {node: '>=18'}
+ brace-expansion@1.1.11:
+ resolution: {integrity: sha512-iCuPHDFgrHX7H2vEI/5xpz07zSHB00TpugqhmYtVmMO6518mCuRMoOYFldEBl0g187ufozdaHgWKcYFb61qGiA==}
+
+ brace-expansion@2.1.1:
+ resolution: {integrity: sha512-WR1cURNjuvBLMZBMbqM0UoE+WAfdUcEV1ccD8PVBVOI+Z3ND4+SZbN8RsfT2bMuG1qwz5RFvPukSZm5fF2D5eA==}
+
brace-expansion@5.0.7:
resolution: {integrity: sha512-7oFy703dxfY3/NLxC1fh2SUCQ0H9rmAY+5EpDVfXjUTTs+HEwR2nYaqLv+GWcTsumwxPfiz6CzCNkwXwBUwqCA==}
engines: {node: 18 || 20 || >=22}
@@ -4251,6 +4260,9 @@ packages:
resolution: {integrity: sha512-9mAqGPHLakhCLeNyxPkK4xVo746zQ/czLH1Ky+vkitMnWfWZps8r0qXuwhwizagCRttsL4lfG4pIOvaWLpAP0w==}
engines: {node: '>= 0.8.0'}
+ concat-map@0.0.1:
+ resolution: {integrity: sha512-/Srv4dswyQNBfohGpz9o6Yb3Gz3SrUDqBH5rTuhGR7ahtlbYKnVxw2bCFMRljaA7EXHaXZ8wsHdodFvbkhKmqg==}
+
confbox@0.1.8:
resolution: {integrity: sha512-RMtmw0iFkeR4YV+fUOSucriAQNb9g8zFR52MWCtl+cCZOFRNL6zeB395vPzFhEjjn4fMxXudmELnl/KF/WrK6w==}
@@ -12365,6 +12377,8 @@ snapshots:
babel-plugin-jest-hoist: 30.2.0
babel-preset-current-node-syntax: 1.2.0(@babel/core@7.28.5)
+ balanced-match@1.0.2: {}
+
balanced-match@4.0.3: {}
balanced-match@4.0.4: {}
@@ -12443,6 +12457,15 @@ snapshots:
transitivePeerDependencies:
- supports-color
+ brace-expansion@1.1.11:
+ dependencies:
+ balanced-match: 1.0.2
+ concat-map: 0.0.1
+
+ brace-expansion@2.1.1:
+ dependencies:
+ balanced-match: 1.0.2
+
brace-expansion@5.0.7:
dependencies:
balanced-match: 4.0.4
@@ -12695,6 +12718,8 @@ snapshots:
transitivePeerDependencies:
- supports-color
+ concat-map@0.0.1: {}
+
confbox@0.1.8: {}
confusing-browser-globals@1.0.11: {}
@@ -15161,19 +15186,19 @@ snapshots:
minimatch@3.1.5:
dependencies:
- brace-expansion: 5.0.7
+ brace-expansion: 1.1.11
minimatch@7.4.6:
dependencies:
- brace-expansion: 5.0.7
+ brace-expansion: 2.1.1
minimatch@7.4.9:
dependencies:
- brace-expansion: 5.0.7
+ brace-expansion: 2.1.1
minimatch@9.0.9:
dependencies:
- brace-expansion: 5.0.7
+ brace-expansion: 2.1.1
minimist@1.2.7: {}
Or Apply changes locally with:
npx nx-cloud apply-locally GDk4-omc1
Apply fix locally with your editor ↗ View interactive diff ↗
🎓 Learn more about Self-Healing CI on nx.dev
| "brace-expansion": "^5.0.7" | ||
| "brace-expansion@<2": "~1.1.15", | ||
| "brace-expansion@>=2 <3": "~2.1.1", | ||
| "brace-expansion@>=3 <4": "~3.0.2" |
There was a problem hiding this comment.
Looks like there's one gap still to cover: "brace-expansion@>=4": "^5.0.7".
Otherwise, packages could still pin brace-expansion at 5.0.6.
There was a problem hiding this comment.
yes, I just updated it and pushing now, thanks!!
a7505e0 to
112ff5e
Compare
112ff5e to
29a4314
Compare
Summary
Bumps the transitive
brace-expansiondependency from5.0.6to the patched5.0.7to resolve CVE-2026-13149 (High, CVSS 7.5).Details
brace-expansion@5.0.6was pulled in transitively throughnx/@nx/*dev tooling (viaminimatch@10.2.5, which requiresbrace-expansion@^5.0.5). It is a dev-dependency only and does not ship in any published SDK package.5.0.7in the lockfile — nopnpm.overridesentry needed, since5.0.7is withinminimatch's^5.0.5range.pnpm-lock.yamlchanges (6 lines: resolution entries + integrity hash).Summary by CodeRabbit
brace-expansionversion range to improve resolution consistency.