Merge pull request #3000 from modernweb-dev/fix/glob-promise

fix(storybook-builder): fix glob-promise security finding

Author: bashmish

.changeset/curvy-ducks-destroy.md

@@ -0,0 +1,5 @@
+---
+'@web/storybook-builder': patch
+---
+
+replace glob-promise with glob due to security findings

package-lock.json

@@ -63,7 +63,7 @@
     "cjs-module-lexer": "^1.2.3",
     "es-module-lexer": "^1.2.1",
     "esbuild": "^0.25.0",
-    "glob-promise": "^6.0.3",
+    "glob": "^12.0.0",
     "lodash-es": "^4.17.21",
     "path-browserify": "^1.0.1",
     "rehype-external-links": "^3.0.0",

packages/storybook-builder/package.json

@@ -2,9 +2,12 @@
 
 import { normalizeStories } from '@storybook/core-common';
 import type { Options } from '@storybook/types';
-import { promise as glob } from 'glob-promise';
+import { glob } from 'glob';
 import { isAbsolute, join } from 'node:path';
 
+const excludeNodeModulesGlobOptions = (glob: string) =>
+  /node_modules/.test(glob) ? {} : { ignore: ['**/node_modules/**'] };
+
 export async function listStories(options: Options) {
   const slash = (await import('slash')).default; // for CJS compatibility
 
@@ -17,8 +20,13 @@ export async function listStories(options: Options) {
         const pattern = join(directory, files);
         const absolutePattern = isAbsolute(pattern) ? pattern : join(options.configDir, pattern);
 
-        return glob(slash(absolutePattern), { follow: true });
+        return glob(slash(absolutePattern), {
+          ...excludeNodeModulesGlobOptions(absolutePattern),
+          follow: true,
+        });
       }),
     )
-  ).reduce((carry, stories) => carry.concat(stories), []);
+  )
+    .reduce((carry, stories) => carry.concat(stories.map(slash)), [])
+    .sort();
 }