Skip to content

OCPBUGS-94165: Upgrade brace-expansion to 5.0.7#237

Open
pcbailey wants to merge 1 commit into
openshift:mainfrom
pcbailey:cve/94165--CVE-2026-13148--brace-expansation--main
Open

OCPBUGS-94165: Upgrade brace-expansion to 5.0.7#237
pcbailey wants to merge 1 commit into
openshift:mainfrom
pcbailey:cve/94165--CVE-2026-13148--brace-expansation--main

Conversation

@pcbailey

@pcbailey pcbailey commented Jul 8, 2026

Copy link
Copy Markdown

Upgrade brace-expansion to 5.0.7 to address CVE-2026-13149.

jira: https://redhat.atlassian.net/browse/OCPBUGS-94165

Summary by CodeRabbit

  • Bug Fixes
    • Updated a dependency pin to use a specific brace-expansion version for more consistent installs.
    • Changed the default console image to a fixed release tag instead of latest, making startup behavior more predictable.

@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Jul 8, 2026
@openshift-ci-robot

Copy link
Copy Markdown

@pcbailey: This pull request references Jira Issue OCPBUGS-94165, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @lkladnit

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Upgrade brace-expansion to 5.0.7 to address CVE-2026-13149.

jira: https://redhat.atlassian.net/browse/OCPBUGS-94165

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci

openshift-ci Bot commented Jul 8, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: pcbailey

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 8, 2026
@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown

Walkthrough

This PR pins brace-expansion to version 5.0.7 in package.json overrides and changes the default CONSOLE_IMAGE in start-console.sh from the latest tag to the pinned 4.22 tag.

Changes

Version Pinning Updates

Layer / File(s) Summary
Package override for brace-expansion
package.json
Adds an override entry forcing brace-expansion to version 5.0.7.
Console image default version
start-console.sh
Changes default CONSOLE_IMAGE from quay.io/openshift/origin-console:latest to quay.io/openshift/origin-console:4.22.

Estimated code review effort: 1 (Trivial) | ~2 minutes

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly describes the main change: upgrading brace-expansion to 5.0.7.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed No Ginkgo test titles were added or changed; the PR only updates dependency pins and a shell default.
Test Structure And Quality ✅ Passed No Ginkgo test code changed in this PR; only dependency pins and a shell default were updated.
Microshift Test Compatibility ✅ Passed No new Ginkgo tests or test files were added; only package and startup script changes are present.
Single Node Openshift (Sno) Test Compatibility ✅ Passed No new Ginkgo e2e tests were added or modified; the diff only changes package.json, package-lock.json, and start-console.sh.
Topology-Aware Scheduling Compatibility ✅ Passed PR only updates package overrides and a local console-image default; no deployment manifests, operator code, or controllers were changed.
Ote Binary Stdout Contract ✅ Passed PR only updates package metadata and a launcher shell script; no changed main/TestMain/suite setup code adds stdout writes.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No new Ginkgo e2e tests were added; the diff only touches package.json, package-lock.json, and start-console.sh.
No-Weak-Crypto ✅ Passed The diff only pins brace-expansion and changes a console image default; no MD5/SHA1/DES/RC4/3DES/Blowfish, custom crypto, or secret comparisons appear.
Container-Privileges ✅ Passed PR only updates package metadata and a console image default; no changed manifest adds privileged/root/allowPrivilegeEscalation settings.
No-Sensitive-Data-In-Logs ✅ Passed PR only pins brace-expansion and changes the console image default; no new logging or sensitive-data exposure was added.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@openshift-ci-robot

Copy link
Copy Markdown

@pcbailey: This pull request references Jira Issue OCPBUGS-94165, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @lkladnit

Details

In response to this:

Upgrade brace-expansion to 5.0.7 to address CVE-2026-13149.

jira: https://redhat.atlassian.net/browse/OCPBUGS-94165

Summary by CodeRabbit

  • Bug Fixes
  • Updated a dependency pin to use a specific brace-expansion version for more consistent installs.
  • Changed the default console image to a fixed release tag instead of latest, making startup behavior more predictable.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@start-console.sh`:
- Line 71: The console image default is out of sync between the startup script
and the documentation. Update either the CONSOLE_IMAGE default in
start-console.sh or the README’s published default so they match, and make sure
the referenced default value is consistent across the start-console.sh logic and
any user-facing docs.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 46e821b0-f9b8-4f6e-9b65-9da75409a6ee

📥 Commits

Reviewing files that changed from the base of the PR and between 19c58a7 and 5c85d96.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (2)
  • package.json
  • start-console.sh

Comment thread start-console.sh
done

CONSOLE_IMAGE=${CONSOLE_IMAGE:-"quay.io/openshift/origin-console:latest"}
CONSOLE_IMAGE=${CONSOLE_IMAGE:-"quay.io/openshift/origin-console:4.22"}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== start-console.sh ==\n'
nl -ba start-console.sh | sed -n '60,80p'

printf '\n== README.md mentions of CONSOLE_IMAGE/origin-console ==\n'
rg -n 'CONSOLE_IMAGE|origin-console|latest|4\.22' README.md

Repository: openshift/nmstate-console-plugin

Length of output: 234


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n== start-console.sh ==\n'
sed -n '60,80p' start-console.sh | awk '{printf "%6d  %s\n", NR+59, $0}'

printf '\n== README.md mentions of CONSOLE_IMAGE/origin-console ==\n'
rg -n 'CONSOLE_IMAGE|origin-console|latest|4\.22' README.md

Repository: openshift/nmstate-console-plugin

Length of output: 1431


Keep the console image default in sync

start-console.sh defaults to quay.io/openshift/origin-console:4.22, but README.md still says ...:latest. Update the docs or the script so the published default matches.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@start-console.sh` at line 71, The console image default is out of sync
between the startup script and the documentation. Update either the
CONSOLE_IMAGE default in start-console.sh or the README’s published default so
they match, and make sure the referenced default value is consistent across the
start-console.sh logic and any user-facing docs.

@openshift-ci

openshift-ci Bot commented Jul 8, 2026

Copy link
Copy Markdown

@pcbailey: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants