Update brace-expansion to ^5.0.5#1402

Open

koolmonke wants to merge 2 commits into google:main from koolmonke:main

Conversation

@koolmonke

Also small safe updates from npm audit fix

@google-cla

google-cla Bot commented Apr 1, 2026

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

@Nefari0uss

Nefari0uss commented Jun 1, 2026

In case it helps anyone as Google seems to have abandoned this package, here is what I did in lieu of forking and publishing it with the change as I wanted to address the security issue and still use wireit. (Turbo/NX all seem heavy when all I really wanted is the depends-on for scripts along with some caching to prevent unnecessary builds.)

Note:

  • I've got a monorepo setup.
  • I'm using wireit@^0.14.12 in the PNPM catalog.
  • All packages / workspace root uses wireit:catalog: as a devDependency.
  • I've already run pnpm audit --fix so this was the last step to resolve the breaking change specifically with wireit.

If you don't have a monorepo, all you need is the patch and then audit to verify.

Make a PNPM patch with the changes in this PR via pnpm patch wireit. Commit the patch as instructed. It'll look something like this as a <monorepo-root>/patches/wireit.patch file:

diff --git a/lib/util/glob.js b/lib/util/glob.js
index 71a9dca7fda4fe0706b76716df760fe8d58f5c4c..d09c94bbd584c17b50876f874a57916893a1da54 100644
--- a/lib/util/glob.js
+++ b/lib/util/glob.js
@@ -4,7 +4,7 @@
  * SPDX-License-Identifier: Apache-2.0
  */
 import fastGlob from 'fast-glob';
-import braces from 'brace-expansion';
+import {expand as braces} from 'brace-expansion';
 import * as pathlib from 'path';
 /**
  * The error raised when {@link glob} matches a path that is outside of
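
Review bot: the alias `expand as braces` keeps every call site in glob.js unchanged, so the one thing to confirm is that the named `expand` export of brace-expansion@5 takes the same argument and returns the same string array as the old default export; because this patch edits the published lib/util/glob.js rather than the TypeScript source, a signature mismatch would not be caught at build time and would surface only when wireit expands a `files` pattern. Running wireit's own tests, or a script whose `files` glob uses braces, after `pnpm install` is the cheap confirmation.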
diff --git a/package.json b/package.json
index 7fe8aa4db44ed822be2fd514a6a6e43c27c4007a..a3ae0ede916a52c66e64c12751adb3392b276788 100644
--- a/package.json
+++ b/package.json
@@ -417,7 +417,6 @@
   },
   "devDependencies": {
     "@eslint/js": "^9.10.0",
-    "@types/brace-expansion": "^1.1.2",
     "@types/node": "^22.5.4",
     "@types/node-forge": "^1.3.0",
     "@types/proper-lockfile": "^4.1.2",
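
Review bot: dropping `@types/brace-expansion` is only correct if brace-expansion@5 ships its own declarations (the removal implies it does, but the upstream PR should pair it with a type-check run). In the context of a pnpm patch applied to the published package this devDependencies edit changes nothing for the installer, since devDependencies of a dependency are never installed, so it can be left out of the patch to keep it minimal.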
@@ -448,7 +447,7 @@
     "bracketSpacing": false
   },
   "dependencies": {
-    "brace-expansion": "^4.0.0",
+    "brace-expansion": "^5.0.6",
     "chokidar": "^3.5.3",
     "fast-glob": "^3.2.11",
     "jsonc-parser": "^3.0.0",
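
Review bot: bumping `"brace-expansion": "^5.0.6"` inside the patched package.json does not by itself change what pnpm resolves for an already-locked dependency, which is why the `wireit>brace-expansion` override in the workspace config is still required. Note also that the PR title says ^5.0.5 while this patch pins ^5.0.6; whichever is chosen, the override and the patch should agree so that the locked resolution matches what the patched import was tested against.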

Then in the PNPM workspace config, I added the overrides property specifically for updating the brace-expansion dependency of wireit:

catalog:
  wireit: ^0.14.12

overrides:
  "wireit>brace-expansion": "^5.0.6"

patchedDependencies:
  wireit: patches/wireit.patch

Run an install with pnpm and you should be good (at least with breaking changes specific to the brace-expansion update).
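A check for the last step above, added here as an example and not part of this PR or of wireit: after `pnpm install`, the lockfile should show wireit resolving brace-expansion at or above the overridden version. The script parses the `snapshots` section of a pnpm-lock.yaml (lockfile format 9) with a small line-based reader, scopes the lookup to one dependent, and compares against a minimum version. The two lockfile excerpts are constructed for the example to show the state before and after the override; the `minimatch` entry is there to illustrate that a `wireit>brace-expansion` override only changes wireit's own resolution and leaves other dependents' copies untouched, which is why `pnpm audit` is still the right tool for the rest.

```javascript
// Added example (not part of the PR or of wireit): verify which version of a
// package a given dependent resolves to in pnpm-lock.yaml. All sample data
// below is constructed; integrity hashes are placeholders.

// Constructed excerpt: lockfile before the override is applied.
const LOCK_BEFORE_OVERRIDE = `
lockfileVersion: '9.0'
packages:
  brace-expansion@4.0.0:
    resolution: {integrity: sha512-CONSTRUCTED}
snapshots:
  minimatch@3.1.2:
    dependencies:
      brace-expansion: 1.1.11
  wireit@0.14.12:
    dependencies:
      brace-expansion: 4.0.0
      chokidar: 3.5.3
`;

// Constructed excerpt: lockfile after "wireit>brace-expansion": "^5.0.6"
// and the patchedDependencies entry have been applied.
const LOCK_AFTER_OVERRIDE = `
lockfileVersion: '9.0'
packages:
  brace-expansion@5.0.6:
    resolution: {integrity: sha512-CONSTRUCTED}
snapshots:
  minimatch@3.1.2:
    dependencies:
      brace-expansion: 1.1.11
  wireit@0.14.12(patch_hash=CONSTRUCTED):
    dependencies:
      brace-expansion: 5.0.6
      chokidar: 3.5.3
`;

// Read the `snapshots:` section into a Map of "name@version(...)" -> {dep: version}.
// Only the indentation levels pnpm uses for snapshots are interpreted.
function parseSnapshots(lockText) {
  const snapshots = new Map();
  let inSnapshots = false;
  let current = null;
  let inDeps = false;
  for (const raw of lockText.split('\n')) {
    if (!raw.trim()) continue;
    const indent = raw.length - raw.trimStart().length;
    const line = raw.trim();
    if (indent === 0) {
      inSnapshots = line === 'snapshots:';
      current = null;
      continue;
    }
    if (!inSnapshots) continue;
    if (indent === 2 && line.endsWith(':')) {
      current = line.slice(0, -1);
      snapshots.set(current, {});
      inDeps = false;
      continue;
    }
    if (indent === 4) {
      inDeps = line === 'dependencies:' || line === 'optionalDependencies:';
      continue;
    }
    if (indent === 6 && inDeps && current) {
      const sep = line.indexOf(': ');
      if (sep > 0) snapshots.get(current)[line.slice(0, sep)] = line.slice(sep + 2);
    }
  }
  return snapshots;
}

// Every version of `depName` that snapshots of `dependentName` resolve to.
// Snapshot keys look like "wireit@0.14.12(patch_hash=...)"; match on the bare name.
function resolvedVersions(lockText, dependentName, depName) {
  const result = [];
  for (const [key, deps] of parseSnapshots(lockText)) {
    const nameEnd = key.indexOf('@', key.startsWith('@') ? 1 : 0);
    if (key.slice(0, nameEnd) !== dependentName) continue;
    if (deps[depName]) {
      // Strip a peer suffix such as "(foo@1.0.0)" from the resolved version.
      result.push({ dependent: key, version: deps[depName].replace(/\(.*$/, '') });
    }
  }
  return result;
}

// Compare two "major.minor.patch" strings: -1, 0 or 1.
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// ok is true only when the dependent was found and none of its resolutions
// fall below minVersion.
function checkMinimum(lockText, dependentName, depName, minVersion) {
  const found = resolvedVersions(lockText, dependentName, depName);
  const bad = found.filter((r) => compareSemver(r.version, minVersion) < 0);
  return { found, bad, ok: found.length > 0 && bad.length === 0 };
}

// Usage, e.g. against the real file:
//   checkMinimum(require('fs').readFileSync('pnpm-lock.yaml', 'utf8'), 'wireit', 'brace-expansion', '5.0.6')
console.log(checkMinimum(LOCK_BEFORE_OVERRIDE, 'wireit', 'brace-expansion', '5.0.6'));
console.log(checkMinimum(LOCK_AFTER_OVERRIDE, 'wireit', 'brace-expansion', '5.0.6'));
```

The check is deliberately scoped to one dependent: an override written as `wireit>brace-expansion` does not touch `minimatch`'s resolution in the sample, and a lockfile-wide scan would have to decide per dependent which release line counts as fixed.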

@koolmonke
Author

koolmonke commented Jun 1, 2026

That's exactly what I did at my work. You can also patch dependencies with patch-package or yarn.
