Closed
Description
Please make sure you have searched for information in the following guides.
- Search the issues already opened: https://github.com/googleapis/google-cloud-node-core/issues
- Search StackOverflow: http://stackoverflow.com/questions/tagged/google-cloud-platform+node.js
- Check our Troubleshooting guide: https://github.com/googleapis/google-cloud-node-core/blob/main/docs/troubleshooting.md
- Check our FAQ: https://github.com/googleapis/google-cloud-node-core/blob/main/docs/faq.md
- Check our libraries HOW-TO: https://github.com/googleapis/gax-nodejs/blob/main/client-libraries.md
- Check out our authentication guide: https://github.com/googleapis/google-auth-library-nodejs
- Check out handwritten samples for many of our APIs: https://github.com/GoogleCloudPlatform/nodejs-docs-samples
- Check the API's issue tracker: https://cloud.google.com/support/docs/issue-trackers
Link to the code that reproduces this issue. A link to a public Github Repository or gist with a minimal reproduction.
`"rimraf": "^5.0.1"`
A step-by-step description of how to reproduce the issue, based on the linked reproduction.
```
➜ test123 npm install gaxios
npm warn deprecated node-domexception@1.0.0: Use your platform's native DOMException instead
added 54 packages, and audited 67 packages in 2s
17 packages are looking for funding
run `npm fund` for details
2 high severity vulnerabilities
To address all issues, run:
npm audit fix
Run `npm audit` for details.
➜ test123 npm audit
# npm audit report
glob 10.3.7 - 11.0.3
Severity: high
glob CLI: Command injection via -c/--cmd executes matches with shell:true - https://github.com/advisories/GHSA-5j98-mcp5-4vw2
fix available via `npm audit fix`
node_modules/glob
rimraf 5.0.2 - 5.0.10
Depends on vulnerable versions of glob
node_modules/rimraf
2 high severity vulnerabilities
To address all issues, run:
npm audit fix
```
A clear and concise description of what the bug is, and what you expected to happen.
gaxios depends on vulnerable glob@10.4.5 via rimraf@5.0.10. gaxios should depend on a recent version of rimraf (requires major update) that does depend on a fixed version of glob.
A clear and concise description WHY you expect this behavior, i.e., was it a recent change, there is documentation that points to this behavior, etc.
I expect to not be affected by vulnerabilities such as GHSA-5j98-mcp5-4vw2
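To see which installed package pulls a flagged version into a tree like the one reported above, the following added example (not part of the original issue and not code from the gaxios project) walks a lockfile and lists each dependency chain that ends at glob inside the range npm audit printed, 10.3.7 - 11.0.3. The lockfile fragment, the gaxios placeholder version and the function names are assumptions made for the illustration.

```javascript
// Added example. Constructed lockfile fragment in the lockfileVersion 3 "packages"
// shape. All values are sample data; the gaxios version is a placeholder.
const sampleLock = { packages: {
  "": { dependencies: { gaxios: "*" } },
  "node_modules/gaxios": { version: "0.0.0-placeholder", dependencies: { rimraf: "^5.0.1" } },
  "node_modules/rimraf": { version: "5.0.10", dependencies: { glob: "^10.3.7" } },
  "node_modules/glob": { version: "10.4.5" },
} };

// Compare two x.y.z versions numerically (prerelease suffixes are ignored).
function cmp(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}
const inRange = (v, lo, hi) => cmp(v, lo) >= 0 && cmp(v, hi) <= 0;

// Resolve a dependency as Node does: nearest node_modules, walking up from fromPath.
function resolve(packages, fromPath, name) {
  for (let base = fromPath; ; ) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// List every chain from the root project to `target` installed at a version in [lo, hi].
// Only dependencies and optionalDependencies are followed (no devDependencies).
function findChains(lock, target, lo, hi) {
  const chains = [];
  const walk = (path, trail, seen) => {
    const pkg = lock.packages[path];
    const deps = { ...pkg.dependencies, ...pkg.optionalDependencies };
    for (const name of Object.keys(deps)) {
      const next = resolve(lock.packages, path, name);
      if (!next || seen.has(next)) continue; // missing optional dep or cycle
      const version = lock.packages[next].version;
      const step = [...trail, `${name}@${version}`];
      if (name === target && inRange(version, lo, hi)) chains.push(step.join(" > "));
      walk(next, step, new Set(seen).add(next));
    }
  };
  walk("", [], new Set([""]));
  return chains;
}

// Range bounds are the ones npm audit printed for glob in the report above.
console.log(findChains(sampleLock, "glob", "10.3.7", "11.0.3"));
```

To run it against a real project, pass the parsed `package-lock.json` in place of `sampleLock`.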