chore: bump glob to 9.3.5 #304
@@ -18,8 +16,13 @@ async function determineFileType (filename) { | |||
|
|||
module.exports = async function (dir, options) { | |||
const metadata = {} | |||
const crawled = await glob(dir, options) | |||
let crawled = await glob(dir, options || {}) |
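Review bot: on the `let crawled = await glob(dir, options || {})` line, `options || {}` replaces every falsy argument, not only a missing one; since the thread already weighs `?? {}`, `options ?? {}` substitutes only for null/undefined and is the more precise default. Also `const crawled` became `let crawled`: keep `const` unless `crawled` is reassigned later in the hunk.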
I did try async function (dir, options = {}) but tests would fail with that. Wonder if using ?? {} would be better.
This needs to be marked as a breaking change (add BREAKING CHANGE: ... in the body of the commit message) so that it would trigger a v4 release on merge.
If we're going to do a breaking change we probably want to just jump to Node v18 rather than v16 which is already EOL.
But I'm not sure if we consider this worth introducing a breaking change to address.
Tests appear to be failing on Windows.
@dsanders11 Addressed the comments.
I'm not sure if this is a complete solution for the purposes of resolving security scanner warnings because we still have dependencies to glob@7.2.0, glob@^7.0.5, glob@^7.1.3 as per the yarn.lock file via various transient dependencies.
The transients are only on devDeps though. At least for our scanner, it only cares about deps for node_module installs.
BREAKING CHANGE: require Node 18.18.0
The code changes LGTM, approving on that part.
@dsanders11 is right about the node bump / breaking change question. I don't have a strong opinion there except that we probably shouldn't depend on EOL packages
@erickzhao is right that there are still other devdep vectors that depend on old versions of glob, but fixing one is better than fixing zero 🤷♂️
bump
This updates the project to use glob@9.3.5 (not using glob@10 as that looks to be ESM-only and this project does not have ESM support). The reason for updating glob is that older versions of glob use inflight, which has a medium-level vuln that triggers our Vanta SOC2 compliance monitoring for security issues. This version of glob no longer works for Node 14, so I bumped the engine requirements to 18.