Insecure version of the glob package used

[GrahamCampbell]

glob  10.3.7 - 11.0.3
Severity: high
glob CLI: Command injection via -c/--cmd executes matches with shell:true - https://github.com/advisories/GHSA-5j98-mcp5-4vw2
fix available via `npm audit fix`
node_modules/glob
  js-beautify  >=1.15.3
  Depends on vulnerable versions of glob
  node_modules/js-beautify

Can be mitigated by upgrading to ^11.1.0.

[jagjotsinghparry]

A PR already exists for this bump in version: #2369

[GrahamCampbell]

Oh, dang... #2350.

[jakub-pietrzak]

I have just submitted #2387.
Vulnerability fix has been backported to glob 10.5.0 -> isaacs/node-glob#636

[apuroop-busetty]

On a related note, I’m also experiencing issues with the current version of the glob package. Is there an update on when we can proceed with upgrading it, or could someone advise on the next steps? @bitwiseman , @esseks

[bitwiseman]

The issue is known. We didn't want to update until we were ready to take a breaking change.

[beeequeue]

if you are looking to make a breaking change, could you also consider maybe switching the library to tinyglobby?

glob is quite big, and switching from it would remove 3/5ths of the install size of js-beautify while also running the glob operations slightly faster :)

many libraries are moving to it recently, js-beautify is in fact one of the few packages in the vitest package tree that still uses glob:

[ignatremizov]

@beeequeue in js-beautify it's possible to replace the js-beautify runtime glob with tinyglobby. But devDependencies (mocha and jshint via cli) still use glob