chore(deps): update dependency brace-expansion to v4 - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
brace-expansion	~1.1.12 → ~4.0.0

---

Release Notes

juliangruber/brace-expansion (brace-expansion)

v4.0.1

Compare Source

• fmt 5a5cc17
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#​65) 0b6a978

---

v4.0.0

Compare Source

• feat: use string replaces instead of splits (#​64) 278132b
• fmt dd72a59
• add tea.yaml 70e4c1b

As a precaution to not risk breaking anything with 278132b, this is a new semver major release

v3.0.1

Compare Source

• pkg: publish on tag 3.x 3059c07
• fmt 8229e6f
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#​65) 15f9b3c

---

v3.0.0

Compare Source

• Switch to ES Modules and balanced-match 3.0.0 (#​62) c0360e8
• added jsdoc (#​55) 68c0e37
• node 16 is EOL 9e781e9
• add standard 3494c4d
• use const and let (#​57) dd5a4cb
• docs 6dad209
• remove test e3dd8ae
• ci: update node versions d23ede9
• docs: add @​lanodan to contributors 1eb3fa4
• docs 1e7c9cd
• switch from tape to test module (#​60) 2520537
• Bump minimist from 1.2.5 to 1.2.6 (#​59) 61a94f1
• Bump path-parse from 1.0.6 to 1.0.7 (#​51) dc741cf
• docs: add back ci badge 8ee5626
• Add github actions, remove travis. Closes #​52 (#​53) 5c8756a
• CI: Drop unused sudo: false Travis directive (#​50) 05978a7

v2.0.2

Compare Source

• pkg: publish on tag 2.x 14f1d91
• fmt ed7780a
• Fix potential ReDoS Vulnerability or Inefficient Regular Expression (#​65) 36603d5

---

v2.0.1

Compare Source

v2.0.0

Compare Source

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

---

Note

Medium Risk
Major-version dependency bump with updated transitive deps and new Node engine constraints (e.g., brace-expansion requires Node >=18), which could break installs/builds on older Node versions.

Overview
Updates the UI build dependency override for brace-expansion from ~1.1.12 to ~4.0.0.

Regenerates package-lock.json to pull in brace-expansion@4.0.1, which updates transitive dependencies (e.g., balanced-match to 3.0.1) and drops concat-map, and introduces stricter Node engine requirements for these packages.

^{Written by Cursor Bugbot for commit 97b4a14. This will update automatically on new commits. Configure here.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

[cursor]

ESM-only override breaks CommonJS minimatch consumers

High Severity

The brace-expansion override to ~4.0.0 forces all consumers—including minimatch@3.x—to use v4, which is ESM-only (v3 switched to ES Modules). minimatch@3.x is CommonJS and uses require('brace-expansion'), which will throw ERR_REQUIRE_ESM at runtime on Node < 22. Multiple critical dev tools depend on minimatch@3.x (@eslint/eslintrc, @eslint/config-array, glob@7, postcss-url), and the lock file confirms only a single hoisted brace-expansion@4.0.1 copy exists with no nested v1 fallback.

Additional Locations (1)

• ui/package-lock.json#L2526-L2537