Remove ts-jest and add dependency overrides for glob utilities#9
- Remove unused ts-jest devDependency (eliminates handlebars@4.7.8 CVE)
- Add npm overrides to pin patched versions of transitive dependencies:
  - minimatch@3.1.5 (fixes CVE-2026-26996, CVE-2026-27904, CVE-2026-27903)
  - picomatch@4.0.4 (fixes CVE-2026-33671, CVE-2026-33672)
  - brace-expansion@5.0.5 (fixes CVE-2026-33750)
  - glob@13.0.6 (replaces deprecated glob@7.2.3, eliminates inflight@1.0.6)

https://claude.ai/code/session_01VB7YaJhrDqVX8SShoFocPt
Code Review
This pull request updates the project version to 1.0.1, removes the ts-jest dependency and its associated transitive packages, and introduces several version overrides in package.json. Feedback was provided regarding a version mismatch in the overrides section, specifically noting that pinning minimatch to 3.1.5 conflicts with the requirements of the newly updated glob package, which expects version 10.2.2 or higher.
| "typescript": "^5.9.3" | ||
| }, | ||
| "overrides": { | ||
| "minimatch": "3.1.5", |
The glob package (version 13.0.6) in package-lock.json declares a dependency on minimatch: "^10.2.2". However, the overrides section explicitly pins minimatch to 3.1.5. This forces glob to use an older version of minimatch than it expects, which could lead to unexpected behavior or compatibility issues. It is recommended to align the minimatch override with the version range expected by glob to ensure stability and predictable behavior.
| "minimatch": "3.1.5", | |
| "minimatch": "10.2.2", |
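Review bot: the suggested replacement `"minimatch": "10.2.2"` is still an unscoped top-level override, so it moves every package in the tree that depends on minimatch onto 10.x, not only glob@13, and trades one cross-major mismatch for another for any dependant that declares a 3.x range. If the goal is to satisfy glob alone, npm's nested override form limits the pin to glob's own dependency (`"glob": { ".": "13.0.6", "minimatch": "^10.2.2" }` inside `overrides`), and using the caret range glob declares rather than a single patch release avoids freezing future 10.x fixes.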
| "overrides": { | ||
| "minimatch": "3.1.5", | ||
| "picomatch": "4.0.4", | ||
| "brace-expansion": "5.0.5", | ||
| "glob": "13.0.6" | ||
| } |
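Review bot: the `"brace-expansion": "5.0.5"` line carries the same cross-major problem as the minimatch pin: minimatch 3.x declares brace-expansion ^1 (the follow-up commit on this PR says so), so this override hands it a 5.x it was never written against while the same block pins minimatch to 3.1.5. Either drop the brace-expansion override and let it resolve from minimatch's own range, or pin only versions that fall inside the range each dependant declares.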
Bug: The overrides in package.json force an incompatible version of the minimatch dependency, which will cause Jest's test discovery process to fail at runtime.
Severity: HIGH
Suggested Fix
Remove the overrides for minimatch and brace-expansion from package.json. This will allow npm to install versions that are compatible with the project's dependencies, such as glob, resolving the API mismatch and allowing the test suite to run correctly.
Prompt for AI Agent
Review the code at the location below. A potential bug has been identified by an AI agent. Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not valid.
Location: package.json#L30-L35
Potential issue: The `overrides` in `package.json` force `minimatch` to version `3.1.5`, but a dependency, `glob@13.0.6`, requires an incompatible major version (`^10.2.2`). This version mismatch introduces breaking API changes. When `npm test` is executed, Jest uses `glob` to discover test files, which in turn calls `minimatch`. Due to the API incompatibility, this process will fail at runtime, preventing the test suite from running.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 4af3246e9e
| "minimatch": "3.1.5", | ||
| "picomatch": "4.0.4", | ||
| "brace-expansion": "5.0.5", | ||
| "glob": "13.0.6" |
Drop major glob override until Jest deps are upgraded
The new overrides.glob = "13.0.6" forces Jest 29’s transitive packages (which still declare glob: ^7.1.x) onto an unsupported major, and the resulting lockfile shows a broken combination (glob@13 expects minimatch:^10.2.2 while the override pins minimatch to 3.1.5). This can break Jest file matching/test discovery paths at runtime in CI and local runs; keep the Jest dependency chain on glob 7 or upgrade Jest packages together before applying this override.
Address PR review feedback: removed glob and brace-expansion overrides that caused cross-major version incompatibilities (glob@13 requires minimatch@^10 but minimatch was pinned to 3.x; minimatch@3 requires brace-expansion@^1 but it was pinned to 5.x).

Changes:
- Remove unused ts-jest devDependency (eliminates handlebars@4.7.8 CVE)
- Override minimatch to 3.1.5 (fixes CVE-2026-26996, CVE-2026-27904, CVE-2026-27903) - API-compatible within 3.x line
- Override picomatch to 4.0.4 (fixes CVE-2026-33671, CVE-2026-33672)

Remaining moderate-severity brace-expansion@1.1.12 (CVE-2026-33750) cannot be fixed without breaking Jest 29 compatibility - minimatch@3.x requires brace-expansion@^1, and no patched 1.x exists. This is a dev-only transitive dependency; full resolution requires upgrading to Jest 30+.

https://claude.ai/code/session_01VB7YaJhrDqVX8SShoFocPt
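An added check for the cross-major mismatch that the reviews above and this follow-up commit message describe, written for this page and not taken from the PR or the project: it walks a package-lock.json (lockfileVersion 3) and reports every dependant whose resolved dependency falls outside the range it declares, so a pin like minimatch@3.1.5 under glob@13 is caught before `npm test` fails. The function names and the lock fragment are constructed; only exact pins and caret ranges are parsed.

```javascript
// Added audit helper (not from this PR or its project): flags packages in a
// lockfileVersion-3 package-lock whose resolved dependency falls outside the
// range they declare, which is what an unscoped npm override can cause.
const parseVer = (v) => v.split('.').map(Number);

// Minimal semver check: exact pin, or caret range (^X.Y.Z) semantics only.
function satisfies(installed, range) {
  const want = parseVer(range.replace(/^\^/, ''));
  const have = parseVer(installed);
  if (!range.startsWith('^')) return want.every((n, i) => n === have[i]);
  if (have[0] !== want[0]) return false;                  // caret never crosses a major
  if (want[0] === 0 && have[1] !== want[1]) return false; // 0.x: minor is the breaking axis
  for (let i = 0; i < 3; i++) if (have[i] !== want[i]) return have[i] > want[i];
  return true;                                            // not below the base version
}

// Resolve dependency `name` for the package at `pkgPath` as Node does:
// nearest node_modules first, then walk up toward the project root.
function resolve(packages, pkgPath, name) {
  for (let p = pkgPath; ; ) {
    const candidate = (p ? p + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return packages[candidate];
    if (!p) return null;
    const idx = p.lastIndexOf('/node_modules/');
    p = idx === -1 ? '' : p.slice(0, idx);
  }
}

// One record per (dependant, dependency) pair whose resolved version misses the range.
function findMismatches(lock) {
  const out = [];
  for (const [path, pkg] of Object.entries(lock.packages)) {
    for (const [dep, range] of Object.entries(pkg.dependencies || {})) {
      const got = resolve(lock.packages, path, dep);
      if (got && !satisfies(got.version, range))
        out.push({ from: path || '(root)', dep, wants: range, got: got.version });
    }
  }
  return out;
}

// Constructed lock fragment reproducing the state the review describes
// (the brace-expansion range is illustrative; the page only states "^1").
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { dependencies: { glob: '13.0.6' } },
  'node_modules/glob': { version: '13.0.6', dependencies: { minimatch: '^10.2.2' } },
  'node_modules/minimatch': { version: '3.1.5', dependencies: { 'brace-expansion': '^1.1.7' } },
  'node_modules/brace-expansion': { version: '5.0.5' },
} };
console.log(findMismatches(SAMPLE_LOCK));
```

Against a real tree, call `findMismatches(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))` after `npm install` and treat any record as an override that needs scoping or dropping.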
Summary
Updated package.json to remove the ts-jest dependency and introduce npm overrides for glob-related packages to ensure consistent versions across the dependency tree.
Changes
- Removed ts-jest (^29.1.0) from devDependencies
- Added overrides section to pin specific versions of:
  - minimatch to 3.1.5
  - picomatch to 4.0.4
  - brace-expansion to 5.0.5
  - glob to 13.0.6
Details
The removal of ts-jest suggests a shift away from ts-jest as the Jest transformer, likely in favor of an alternative TypeScript compilation strategy. The addition of dependency overrides ensures that glob-related utilities maintain consistent versions across the project's dependency tree, which helps prevent version conflicts and ensures predictable behavior in file matching operations.