
Bump brace-expansion and 4 dev dependencies #3891

Draft: navntoft wants to merge 2 commits into main from navntoft/dep/remove-brace-expansion-override

Conversation

@navntoft
Contributor

Bumps the following transitive dependencies:

| Package | Before → After | Scope |
|---|---|---|
| brace-expansion (under readdir-glob) | 2.0.2 → 2.1.0 | runtime |
| picomatch (under micromatch) | 2.3.1 → 2.3.2 | dev |
| picomatch (top level) | 4.0.3 → 4.0.4 | dev |
| flatted | 3.3.3 → 3.4.2 | dev |
| js-yaml (under supertap) | 3.14.1 → 3.14.2 | dev |

Compatibility

I reviewed the upstream changelogs / commit logs for each transition:

  • brace-expansion 2.0.2 → 2.1.0: no API changes. One behavior change — {1..2..0}-style zero-step inputs no longer hang — doesn't affect archiver's glob usage.
  • picomatch 2.3.1 → 2.3.2 and 4.0.3 → 4.0.4: patch-only releases, no API changes.
  • flatted 3.3.3 → 3.4.2: parse() rewritten from recursion to iterative worklist; public signature unchanged.
  • js-yaml 3.14.1 → 3.14.2: backport-only release on the 3.x line, no API changes.

Risk assessment

Low risk. Lockfile-level dependency resolution change. Build passes.

Which use cases does this change impact?

Workflow types: none specifically — applies to all.

Products: none specifically.

Environments: Testing/None — this is a build-tooling change; only brace-expansion is in runtime scope (transitive via archiver).

How did/will you validate this change?

  • Unit tests + End-to-end tests via the existing PR checks.

If something goes wrong after this change is released, what are the mitigation and rollback strategies?

  • Rollback — revert the PR.

How will you know if something goes wrong after this change is released?

  • Other — any regression would surface as test failures or runtime errors in archiver's zip handling (the only runtime path that touches brace-expansion).

Are there any special considerations for merging or releasing this change?

  • No special considerations.

Merge / deployment checklist

  • Confirm this change is backwards compatible with existing workflows.
  • Consider adding a changelog entry for this change. (Skipped — no user-facing change; current UNRELEASED section already reads "No user facing changes.")
  • Confirm the readme and docs have been updated if necessary. (N/A.)
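The PR's monitoring answer relies on nested copies (brace-expansion under readdir-glob, picomatch under micromatch) resolving to the intended versions. As an added example that is not part of this PR or the repository, the script below audits a package-lock.json v3 `packages` map for every installed copy of a package, nested copies included, and reports those below a minimum version; the lockfile object is a constructed, abbreviated stand-in, and a hypothetical 1.x brace-expansion copy is included to show why the check is scoped to a major line.

```javascript
// Constructed, abbreviated lockfile (not the repository's real package-lock.json).
// In lockfile v3 every installed copy is keyed by its node_modules path.
const lock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example", version: "0.0.0" },
    "node_modules/readdir-glob": { version: "1.1.3" },
    "node_modules/readdir-glob/node_modules/brace-expansion": { version: "2.1.0" },
    "node_modules/brace-expansion": { version: "1.1.11" }, // hypothetical 1.x copy
    "node_modules/picomatch": { version: "4.0.4", dev: true },
    "node_modules/micromatch/node_modules/picomatch": { version: "2.3.2", dev: true },
  },
};

// Map each installed copy (lockfile path) of `name` to its resolved version.
function installedVersions(lockfile, name) {
  const out = {};
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "") continue; // root project entry
    // Everything after the last "node_modules/" is the package name (scoped names included).
    const pkg = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    if (pkg === name) out[path] = entry.version;
  }
  return out;
}

// Compare two release versions "x.y.z" numerically; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Lockfile paths whose copy of `name` is below `minVersion`. When `major` is given,
// only copies on that major line are considered, so a separate 1.x copy does not
// mask or trigger a finding about the 2.x line the PR bumps.
function copiesBelow(lockfile, name, minVersion, major) {
  return Object.entries(installedVersions(lockfile, name))
    .filter(([, v]) => major === undefined || Number(v.split(".")[0]) === major)
    .filter(([, v]) => compareVersions(v, minVersion) < 0)
    .map(([path]) => path);
}

console.log(copiesBelow(lock, "brace-expansion", "2.1.0", 2)); // [] after the bump
```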

navntoft added 2 commits May 12, 2026 15:59
Bumps the following to their latest patched versions:

brace-expansion (under readdir-glob): 2.0.2 → 2.1.0
picomatch (under micromatch): 2.3.1 → 2.3.2
picomatch (top level): 4.0.3 → 4.0.4
flatted: 3.3.3 → 3.4.2
js-yaml (under supertap): 3.14.1 → 3.14.2

The brace-expansion bump requires removing the brace-expansion override
in package.json, which had been pinning resolution below the existing
^2.0.1 constraint declared by readdir-glob.
navntoft requested a review from Copilot May 12, 2026 14:00
github-actions Bot added the size/XS label (Should be very easy to review) May 12, 2026
Contributor

Copilot AI left a comment


Pull request overview

This PR updates the repository’s npm dependency resolution to pick up newer patch/minor releases for brace-expansion (runtime, via readdir-glob) and several dev-only transitive dependencies, with corresponding lockfile updates.

Changes:

  • Updated package-lock.json to resolve brace-expansion (via readdir-glob) to 2.1.0, and bumped flatted, picomatch (both the hoisted and micromatch-nested copies), and js-yaml (via supertap).
  • Removed the now-unnecessary overrides pin for brace-expansion@2.0.1 -> 2.0.2 from package.json.
  • Updated generated lib/* artifacts reflecting the new dependency tree.
| File | Description |
|---|---|
| package.json | Removes a no-longer-needed overrides entry related to brace-expansion. |
| package-lock.json | Captures updated resolved versions/integrity for the bumped dependencies. |
| lib/upload-sarif-action-post.js | Generated output updated due to dependency bump (not reviewed as source). |
| lib/start-proxy-action-post.js | Generated output updated due to dependency bump (not reviewed as source). |
| lib/init-action-post.js | Generated output updated due to dependency bump (not reviewed as source). |
| lib/analyze-action-post.js | Generated output updated due to dependency bump (not reviewed as source). |

Copilot's findings

  • Files reviewed: 1/6 changed files
  • Comments generated: 0


Labels

size/XS Should be very easy to review


2 participants