[Snyk] Security upgrade glob from 11.0.2 to 12.0.0 #9
Conversation
…rabilities. The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-BRACEEXPANSION-9789073
Pull request overview
Upgrades the glob dependency used by the scripts/ documentation generator package to remediate a Snyk-reported ReDoS vulnerability (via brace-expansion) and refreshes the lockfile accordingly.
Changes:
- Bump `glob` in `scripts/package.json` from `^11.x` to `^12.0.0`.
- Regenerate/update `scripts/package-lock.json` to resolve `glob@12` and updated transitive versions.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| scripts/package.json | Updates glob dependency version for the scripts/doc-generator package. |
| scripts/package-lock.json | Updates resolved dependency graph to glob@12 and related transitive packages. |
Files not reviewed (1)
- scripts/package-lock.json: Language not supported
| "@types/node": "^24.5.1", | ||
| "@types/react": "^19.1.13", | ||
| "glob": "^11.0.3", | ||
| "glob": "^12.0.0", | ||
| "ts-node": "^10.9.2", |
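Review bot: the removed line declares `"glob": "^11.0.3"` while the PR title reports the upgrade as "from 11.0.2", so the declared range and the version the title says was installed do not agree; confirm that the regenerated `scripts/package-lock.json` is consistent with this `^12.0.0` range (an `npm ci` on the branch will fail on a mismatch) rather than trusting the title. Because this is a major-version bump rather than a patch-level one, it is also the place to record the Node floor the new dependency imposes, e.g. an `"engines": { "node": ">=20" }` entry beside these devDependencies, so contributors on older runtimes get a clear error at install time.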
glob@12 declares engines.node as 20 || >=22 (see lockfile), but scripts/package.json doesn't declare a Node engine requirement. This can lead to confusing install/runtime failures for contributors or CI running Node 18/16. Consider adding an explicit engines field (e.g. >=20) for this scripts package, or keep glob on v11 if older Node versions must be supported.
| "version": "12.0.0", | ||
| "resolved": "https://registry.npmjs.org/glob/-/glob-12.0.0.tgz", | ||
| "integrity": "sha512-5Qcll1z7IKgHr5g485ePDdHcNQY0k2dtv/bjYy0iuyGxQw2qSOiiXUXJ+AYQpg3HNoUMHqAruX478Jeev7UULw==", | ||
| "license": "BlueOak-1.0.0", | ||
| "dependencies": { | ||
| "foreground-child": "^3.1.0", | ||
| "jackspeak": "^4.0.1", | ||
| "minimatch": "^10.0.0", | ||
| "foreground-child": "^3.3.1", | ||
| "jackspeak": "^4.1.1", | ||
| "minimatch": "^10.1.1", |
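Review bot: the lockfile hunk shown here lists only glob's direct dependencies (`foreground-child`, `jackspeak`, `minimatch`), not `brace-expansion`, which is the package the advisory SNYK-JS-BRACEEXPANSION-9789073 is filed against; bumping `minimatch` to `^10.1.1` does not by itself prove the nested `brace-expansion` entries resolved to a patched release, so check those lockfile entries directly (including any second copy hoisted at a different path) before treating the advisory as closed. Note also that this entry carries `engines.node` of `20 || >=22`, which the scripts package does not currently declare anywhere.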
glob is updated to v12 here; note that this release declares engines.node as 20 || >=22 (a few lines below in this same entry). If the docs generator/scripts are expected to run under Node 18/16, this upgrade will break installs/runs; consider pinning glob to v11 or explicitly requiring Node >=20 via engines in scripts/package.json.
Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.
Snyk changed the following file(s):
- scripts/package.json
- scripts/package-lock.json
Vulnerabilities that will be fixed with an upgrade:
- SNYK-JS-BRACEEXPANSION-9789073
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Regular Expression Denial of Service (ReDoS)