chore: bump glob to 9.3.5 #304
Conversation
| @@ -18,8 +16,13 @@ async function determineFileType (filename) { | |||
|
|
|||
| module.exports = async function (dir, options) { | |||
| const metadata = {} | |||
| const crawled = await glob(dir, options) | |||
| let crawled = await glob(dir, options || {}) | |||
There was a problem hiding this comment.
I did try async function (dir, options = {}) but tests would fail with that.
wonder if using ?? {} would be better.
There was a problem hiding this comment.
This needs to be marked as a breaking change (add BREAKING CHANGE: ... in the body of the commit message) so that it would trigger a v4 release on merge.
If we're going to do a breaking change we probably want to just jump to Node v18 rather than v16 which is already EOL.
But I'm not sure if we consider this worth introducing a breaking change to address.
|
Tests appear to be failing on Windows. |
|
@dsanders11 Addressed the comments. |
There was a problem hiding this comment.
I'm not sure if this is a complete solution for the purposes of resolving security scanner warnings because we still have dependencies to [email protected], glob@^7.0.5, glob@^7.1.3 as per the yarn.lock file via various transient dependencies.
The transients are only on devDeps though. At least for our scanner, it only cares about deps for node_module installs. |
BREAKING CHANGE: require Node 18.18.0
There was a problem hiding this comment.
The code changes LGTM, approving on that part.
@dsanders11 is right about the node bump / breaking change question. I don't have a strong opinion there except that we probably shouldn't depend on EOL packages
@erickzhao is right that there are still other devdep vectors do depend on old versions of glob, but fixing one is better than fixing zero 🤷♂️
This updates the project to use
[email protected](not using glob@10 as that looks to be ESM-only and this project does not have ESM support).The reason for updating
globis older versions ofglobusesinflight, which has a medium-level vulun that triggers our Vanta SOC2 compliance monitoring for security issues.This version of glob no longer works for node 14, so I bumped the engine requirements to 18.