refactor(cli): replace glob with tinyglobby and remediate dependency audit chains#2414
Conversation
…g deps

Replace CLI glob matching with `tinyglobby` and bump EditorConfig/Node runtime requirements to reduce production dependency weight and clear the previous production minimatch vulnerability chain.

Changes:
- switch CLI file-glob detection and expansion from `glob` to `tinyglobby` (`isDynamicPattern` + `globSync`)
- preserve prior CLI behavior by keeping absolute paths, ignore rules, and directory-inclusive matching
- bump `editorconfig` to `^3.0.1`
- raise `engines.node` to `>=20` to match modern EditorConfig requirements
- add override so EditorConfig resolves `minimatch` to `10.2.1`

Validation:
- `make js` passes
- EditorConfig CLI smoke path (`--editorconfig`) passes
- `npm audit --omit=dev` reports 0 vulnerabilities
…hain

Update dev dependencies and add targeted overrides so full `npm audit` is clean while preserving the existing build/test workflow.

Changes:
- bump dev tooling versions:
  - `mocha` to `^11.7.5`
  - `serve` to `^14.2.5`
  - `webpack` to `^5.105.2`
- add override pins for vulnerable transitive packages used by dev tooling:
  - `ajv@8.18.0`
  - `diff@8.0.3`
  - `glob@13.0.6`
  - `minimatch@10.2.1`
  - `brace-expansion@2.0.2`
  - `js-yaml@4.1.1`
  - `lodash@4.17.23`
  - `on-headers@1.1.0`
- keep `editorconfig` on modern stack and preserve its minimatch override
- add `tools/jshint-runner.js` compatibility loader so legacy jshint code paths continue to work with modern `minimatch` exports
- route lint execution through the compatibility runner in `tools/build.sh`

Validation:
- `npm audit` reports 0 vulnerabilities
- `make js` passes (lint, webpack build, mocha tests, node-src-index tests)
Note that this is a breaking change since it drops support for Node v18, so it would need to be released as a new major version. I've been working with folks to get patches out for
Yes, although I'd say it's about time :) Node 18 went into maintenance mode in Oct 2023 and reached EOL last year in April. Tbh Node 20 reaches EOL in April this year; maybe for the next major release it could go straight to Node 22/24? I'm not too familiar with what the general npm community process for Node version support deprecation is, but I'm of the opinion that more secure is better.
Never heard of tinyglobby before.
tinyglobby is what most modern libraries (
Description
This PR modernizes dependency usage to remove the vulnerable production `glob`/`minimatch` path and fully clean up `npm audit` findings.

Main changes:
- Replace `glob` with `tinyglobby` in `js/src/cli.js`
- Bump `editorconfig` to `^3.0.1` and raise the Node engine floor to `>=20`
- Bump dev tooling (`mocha`, `serve`, `webpack`)
- Add `tools/jshint-runner.js` compatibility shim so the existing jshint flow continues working with modern `minimatch` exports

Size impact:
- `glob@10.5.0` = 482,422 bytes vs `tinyglobby@0.2.15` = 40,175 bytes (~91.7% smaller, ~12x)
- `js-beautify` npm package size (`npm pack --dry-run`) is effectively unchanged
- Installed `node_modules` (`npm ci --omit=dev` in clean worktrees): 6,128 KB -> 1,776 KB (~71.0% smaller)

Fixes Issue: #2386
Related PRs:
Before Merge Checklist
These items can be completed after PR is created.
(Check any items that are not applicable (NA) for this PR)