refactor(cli): replace glob with tinyglobby and remediate dependency audit chains#2414
Open
ignatremizov wants to merge 2 commits into beautifier:main from
Conversation
…g deps

Replace CLI glob matching with `tinyglobby` and bump EditorConfig/Node runtime requirements to reduce production dependency weight and clear the previous production minimatch vulnerability chain.

Changes:
- switch CLI file-glob detection and expansion from `glob` to `tinyglobby` (`isDynamicPattern` + `globSync`)
- preserve prior CLI behavior by keeping absolute paths, ignore rules, and directory-inclusive matching
- bump `editorconfig` to `^3.0.1`
- raise `engines.node` to `>=20` to match modern EditorConfig requirements
- add override so EditorConfig resolves `minimatch` to `10.2.1`

Validation:
- `make js` passes
- EditorConfig CLI smoke path (`--editorconfig`) passes
- `npm audit --omit=dev` reports 0 vulnerabilities
…hain

Update dev dependencies and add targeted overrides so full `npm audit` is clean while preserving the existing build/test workflow.

Changes:
- bump dev tooling versions:
  - `mocha` to `^11.7.5`
  - `serve` to `^14.2.5`
  - `webpack` to `^5.105.2`
- add override pins for vulnerable transitive packages used by dev tooling:
  - `ajv@8.18.0`
  - `diff@8.0.3`
  - `glob@13.0.6`
  - `minimatch@10.2.1`
  - `brace-expansion@2.0.2`
  - `js-yaml@4.1.1`
  - `lodash@4.17.23`
  - `on-headers@1.1.0`
- keep `editorconfig` on modern stack and preserve its minimatch override
- add `tools/jshint-runner.js` compatibility loader so legacy jshint code paths continue to work with modern `minimatch` exports
- route lint execution through the compatibility runner in `tools/build.sh`

Validation:
- `npm audit` reports 0 vulnerabilities
- `make js` passes (lint, webpack build, mocha tests, node-src-index tests)
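Both commits rely on `overrides` in `package.json` to force transitive `minimatch` (and other packages) onto pinned versions, and validate the result with `npm audit`. An audit only reports known advisories, so it does not by itself prove that every copy of a pinned package in the tree actually moved to the pinned version. The script below is an added example, not code from this PR or from js-beautify: it walks the `packages` map of a `package-lock.json` (lockfileVersion 2 or 3 layout, which is an assumption) and reports any installed copy of an overridden package whose version differs from the pin. The override versions are the ones listed in the commit messages; the sample lockfile is constructed for the example and deliberately contains a stale nested `minimatch` under `editorconfig`.

```javascript
'use strict';
// Added example (not part of the js-beautify PR): check that npm `overrides`
// pins took effect for every copy of a package in package-lock.json.

// Pins taken from the PR's override list.
const OVERRIDES = {
  'minimatch': '10.2.1',
  'glob': '13.0.6',
  'brace-expansion': '2.0.2',
  'js-yaml': '4.1.1',
  'lodash': '4.17.23',
};

// Package name from a lockfile path such as
// "node_modules/editorconfig/node_modules/@scope/name" -> "@scope/name".
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? null : lockPath.slice(idx + marker.length);
}

// Return every installed copy of an overridden package whose version is not
// the pinned one. `lock` is a parsed package-lock.json (v2/v3 "packages" map).
function findOverrideViolations(lock, overrides) {
  const packages = lock.packages || {};
  const violations = [];
  for (const [lockPath, entry] of Object.entries(packages)) {
    if (lockPath === '') continue; // root project entry, not a dependency
    const name = packageNameFromPath(lockPath);
    if (!name || !Object.prototype.hasOwnProperty.call(overrides, name)) continue;
    if (entry.version !== overrides[name]) {
      violations.push({ path: lockPath, name, expected: overrides[name], actual: entry.version });
    }
  }
  return violations;
}

// Read a real lockfile from disk and check it (CommonJS `require` assumed).
function checkLockfile(file, overrides = OVERRIDES) {
  const fs = require('fs');
  const lock = JSON.parse(fs.readFileSync(file, 'utf8'));
  return findOverrideViolations(lock, overrides);
}

// Constructed sample lockfile (not the project's real lock): the top-level
// minimatch is pinned, but a nested copy under editorconfig was left at 9.0.1.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '0.0.0' },
    'node_modules/minimatch': { version: '10.2.1' },
    'node_modules/glob': { version: '13.0.6' },
    'node_modules/editorconfig': { version: '3.0.1' },
    'node_modules/editorconfig/node_modules/minimatch': { version: '9.0.1' },
    'node_modules/lodash': { version: '4.17.23' },
  },
};

// Run against the constructed sample; pass a path to check a real lockfile.
const target = (typeof process !== 'undefined' && process.argv[2])
  ? checkLockfile(process.argv[2])
  : findOverrideViolations(SAMPLE_LOCK, OVERRIDES);
for (const v of target) {
  console.log(`${v.path}: expected ${v.name}@${v.expected}, found ${v.actual}`);
}
```

Run it with a path to a lockfile (`node check-overrides.js package-lock.json`) after `npm install`; an empty result means every copy of each pinned package matches the override, which is the property the audit-clean claim actually depends on.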
Description
This PR modernizes dependency usage to remove the vulnerable production glob/minimatch path and fully clean up `npm audit` findings.

Main changes:
- replace `glob` with `tinyglobby` in `js/src/cli.js`
- bump `editorconfig` to `^3.0.1` and raise Node engine floor to `>=20`
- bump dev tooling (`mocha`, `serve`, `webpack`)
- add `tools/jshint-runner.js` compatibility shim so existing jshint flow continues working with modern `minimatch` exports

Size impact:
- `glob@10.5.0` = 482,422 bytes vs `tinyglobby@0.2.15` = 40,175 bytes (~91.7% smaller, ~12x)
- `js-beautify` npm package size (`npm pack --dry-run`) is effectively unchanged
- production install (`npm ci --omit=dev` in clean worktrees): `node_modules` 6,128 KB -> 1,776 KB (~71.0% smaller)

Fixes Issue: #2386
Related PRs:
Before Merge Checklist
These items can be completed after PR is created.
(Check any items that are not applicable (NA) for this PR)