[Snyk] Security upgrade glob from 10.4.5 to 12.0.0#20
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-CROSSSPAWN-8303230
- https://snyk.io/vuln/SNYK-JS-BRACEEXPANSION-9789073
Pull request overview
This PR upgrades the glob package from version 10.4.5 to 12.0.0 to address two security vulnerabilities: a high-severity ReDoS vulnerability in cross-spawn (SNYK-JS-CROSSSPAWN-8303230) and a low-severity ReDoS vulnerability in brace-expansion (SNYK-JS-BRACEEXPANSION-9789073). However, this is a major version upgrade that introduces breaking changes in Node.js version requirements.
Changes:
- Upgraded glob from ^10.4.5 to ^12.0.0 in dependencies
- Updated package-lock.json with glob 12.0.0 and its entire dependency tree, including new packages like @isaacs/balanced-match, @isaacs/brace-expansion, and updated versions of minimatch, jackspeak, path-scurry, and other transitive dependencies
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| package.json | Updates glob dependency from ^10.4.5 to ^12.0.0 |
| package-lock.json | Updates glob to 12.0.0 and all its transitive dependencies, including new packages with Node 20+ requirements |
| "find-package-json": "^1.2.0", | ||
| "fs-extra": "^11.3.0", | ||
| "glob": "^10.4.5", | ||
| "glob": "^12.0.0", |
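Review bot: the diff only widens the glob range to `^12.0.0`, while the PR description claims fixes in cross-spawn and brace-expansion, so the package-lock.json hunks should be checked to confirm those two packages actually resolve to non-vulnerable versions after the bump; a caret change on glob alone does not guarantee the transitive entries move, and the PR text gives no "before/after" versions for either package.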
This upgrade introduces a critical Node.js version incompatibility. The updated glob package (version 12.0.0) and its dependencies require Node.js "20 || >=22", but this project's package.json specifies "engines.node": ">=18.0.0" (line 52).
The following packages in the dependency tree require Node 20 or >=22:
- glob@12.0.0 (line 4289)
- jackspeak@4.1.1 (line 5357)
- path-scurry@2.0.1 (line 7767)
- minimatch@10.1.2 (line 4332)
- @isaacs/brace-expansion@5.0.1 (line 519)
- @isaacs/balanced-match@4.0.1 (line 507)
- lru-cache@11.2.5 (line 7779)
To resolve this, you must either:
- Update the project's Node.js version requirement to "20 || >=22" in package.json, OR
- Downgrade to an earlier version of glob that supports Node 18 (such as glob@10.x which requires Node >=14)
Since this is a major version upgrade from glob 10.x to 12.x, there may also be breaking API changes that should be reviewed and tested.
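The engines drift Copilot describes above is easy to catch before merge by scanning the lockfile. The script below is an added example, not part of the Snyk PR or of this project; it assumes an npm lockfileVersion 2/3 `packages` map, uses a constructed sample lockfile, and deliberately parses only the minimum major of each `engines.node` range (no semver dependency), so it reports a higher floor such as `20 || >=22` against `>=18.0.0` but not gaps inside a range such as Node 21.

```javascript
// Added example (not from the Snyk PR or the project): flag packages in a
// lockfile whose engines.node floor is higher than the root package's floor.
// Assumes an npm lockfileVersion 2/3 layout where each entry under "packages"
// may carry an "engines" object; the sample lockfile below is constructed.
// Lowest major version a simple engines.node range admits. Handles the forms
// seen in this PR (">=18.0.0", "20 || >=22", "^20.0.0", "*"); anything it
// cannot parse is reported as unknown (null) rather than guessed.
function minMajor(range) {
  if (!range || range.trim() === '*') return 0;
  const majors = [];
  for (const part of range.split('||')) {
    const m = part.trim().match(/^(?:>=|\^|~)?\s*v?(\d+)(?:\.\d+)?(?:\.\d+)?(?:-[\w.]+)?$/);
    if (!m) return null;
    majors.push(Number(m[1]));
  }
  return Math.min(...majors);
}

// Returns lockfile entries whose Node floor is above the root's floor, or
// whose range could not be parsed (so a human looks at them).
function findEngineConflicts(lock) {
  const root = lock.packages[''] || {};
  const rootFloor = minMajor(root.engines && root.engines.node);
  const conflicts = [];
  for (const [path, pkg] of Object.entries(lock.packages)) {
    if (path === '' || !pkg.engines || !pkg.engines.node) continue;
    const floor = minMajor(pkg.engines.node);
    if (floor === null || floor > rootFloor) {
      conflicts.push({ path, version: pkg.version, node: pkg.engines.node });
    }
  }
  return conflicts;
}

// Constructed sample mirroring the situation in the review comment.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example', engines: { node: '>=18.0.0' } },
    'node_modules/glob': { version: '12.0.0', engines: { node: '20 || >=22' } },
    'node_modules/jackspeak': { version: '4.1.1', engines: { node: '20 || >=22' } },
    'node_modules/fs-extra': { version: '11.3.0', engines: { node: '>=14.14' } },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const c of findEngineConflicts(SAMPLE_LOCK)) {
    console.log(`${c.path}@${c.version} requires node ${c.node}`);
  }
}
```

Run it against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a non-empty result means the root `engines.node` promise is not honoured by the tree.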
| "glob": "^12.0.0", | |
| "glob": "^10.3.10", |
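Review bot: the added `"glob": "^10.3.10"` line shows a second, older glob range still being resolved in package-lock.json alongside the root `^12.0.0`, presumably as a nested requirement of another package, so the old glob 10 tree (and whatever cross-spawn and brace-expansion versions it pulls) may remain installed under that path; before merging, identify which package declares it (`npm ls glob`) and confirm with `npm audit` or `snyk test` that SNYK-JS-CROSSSPAWN-8303230 and SNYK-JS-BRACEEXPANSION-9789073 are no longer reported.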
Snyk has created this PR to fix 2 vulnerabilities in the npm dependencies of this project.
Snyk changed the following file(s):
- package.json
- package-lock.json

Vulnerabilities that will be fixed with an upgrade:
- SNYK-JS-CROSSSPAWN-8303230
- SNYK-JS-BRACEEXPANSION-9789073