Skip to content

[Snyk] Security upgrade glob from 7.0.3 to 12.0.0#143

Open
jhamot wants to merge 1 commit intomasterfrom
snyk-fix-bd847beca734fe27d055a710c01725f4
Open

[Snyk] Security upgrade glob from 7.0.3 to 12.0.0#143
jhamot wants to merge 1 commit intomasterfrom
snyk-fix-bd847beca734fe27d055a710c01725f4

Conversation

@jhamot
Copy link
Owner

@jhamot jhamot commented Feb 19, 2026

snyk-top-banner

Snyk has created this PR to fix 1 vulnerabilities in the npm dependencies of this project.

Snyk changed the following file(s):

  • script/vsts/package.json
  • script/vsts/package-lock.json

Vulnerabilities that will be fixed with an upgrade:

Issue Score
high severity Regular Expression Denial of Service (ReDoS)
SNYK-JS-MINIMATCH-15309438		   170  

Breaking Change Risk

Merge Risk: High

Notice: This assessment is enhanced by AI.

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

@snyk-bot
fix: script/vsts/package.json & script/vsts/package-lock.json to redu…
5cd6c30 
…ce vulnerabilities

The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-MINIMATCH-15309438
@jhamot
Copy link
Owner Author

jhamot commented Feb 19, 2026

Merge Risk: High

This is a very large major version upgrade from v7 to v12, which includes a complete rewrite of the library. This introduces numerous significant breaking changes that will require substantial code refactoring.

Key Breaking Changes:

  • Promise-Based API: The library has shifted from a callback-based API to a Promise-based API. All asynchronous calls must be updated to use async/await or .then(). [1]
  • Named Exports Only: The package no longer has a default export. You must update your import statements from const glob = require('glob') to use named imports like const { glob } = require('glob'). [1, 2]
  • Path Separator Handling: On all platforms, including Windows, the backslash (\) is now treated exclusively as an escape character and not a path separator. All glob patterns must use the forward-slash (/). This is a critical change for Windows environments. [1, 4]
  • Dropped Node.js Support: Support for older Node.js versions has been dropped. Version 9 and later require Node.js v16 or higher. [1]
  • Removed Options: Several options from v7 have been removed, including silent, strict, nonull, nounique, and nosort. The behavior is now standardized (e.g., results are always unique and unsorted). [1]

Recommendation:
Due to the complete API rewrite, this upgrade cannot be done without significant developer intervention. Code must be refactored to use the new Promise-based API with named imports and ensure all glob patterns use forward-slashes as path separators.

Source: Changelog

Notice 🤖: This content was augmented using artificial intelligence. AI-generated content may contain errors and should be reviewed for accuracy before use.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jhamot @snyk-bot