
chore: bump glob to 9.3.5

Open theogravity opened this issue 11 months ago • 3 comments

This updates the project to use [email protected] (not using glob@10 as that looks to be ESM-only and this project does not have ESM support).

The reason for updating glob is that older versions of glob use inflight, which has a medium-level vuln that triggers our Vanta SOC2 compliance monitoring for security issues.

This version of glob no longer works for node 14, so I bumped the engine requirements to 18.

theogravity, Mar 07 '24 20:03

Tests appear to be failing on Windows.

dsanders11, Mar 07 '24 20:03

@dsanders11 Addressed the comments.

theogravity, Mar 07 '24 20:03

I'm not sure if this is a complete solution for the purposes of resolving security scanner warnings because we still have dependencies to [email protected], glob@^7.0.5, glob@^7.1.3 as per the yarn.lock file via various transient dependencies.

The transients are only on devDeps though. At least for our scanner, it only cares about deps for node_module installs.

PS C:\Users\theo\projects\asar> npm ls glob
@electron/[email protected] C:\Users\theo\projects\asar
+-- [email protected]
| `-- [email protected]
|   `-- [email protected]
+-- [email protected]
+-- [email protected]
| `-- [email protected]
+-- [email protected]
| `-- [email protected]
`-- [email protected]
  +-- [email protected]
  | `-- [email protected]
  |   `-- [email protected]
  |     `-- [email protected]
  |       `-- [email protected]
  `-- [email protected]
    `-- [email protected]
      `-- [email protected]

theogravity, Mar 07 '24 21:03
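The distinction drawn in the comment above (a vulnerable transitive version that only sits under devDependencies versus one on a production path) can be checked mechanically. The following is an added example, not code from the asar project or from anyone in this thread; it assumes the npm 7+ `npm ls --json` tree shape, in which nodes reachable only through devDependencies carry `dev: true`, and the tree below is constructed sample data rather than real output.

```javascript
// Walk an `npm ls --json`-style tree and report every path to a package,
// marking whether the path passes only through devDependencies.
// Assumption: dev-only nodes carry `dev: true`, as npm 7+ reports them.

// Constructed sample tree (not real `npm ls` output for @electron/asar).
const sampleTree = {
  name: "example-app",
  version: "1.0.0",
  dependencies: {
    glob: { version: "9.3.5" },
    "some-runtime-lib": {
      version: "2.0.0",
      dependencies: {
        glob: { version: "7.1.7", dependencies: { inflight: { version: "1.0.6" } } },
      },
    },
    "some-build-tool": {
      version: "4.0.0",
      dev: true, // only reachable via devDependencies
      dependencies: { glob: { version: "7.2.3" } },
    },
  },
};

// Returns [{ version, path, devOnly }] for every occurrence of `pkgName`.
// A node is dev-only if it or any ancestor on the path is marked `dev: true`.
function findPackagePaths(tree, pkgName) {
  const hits = [];
  const walk = (node, path, devOnly) => {
    for (const [name, child] of Object.entries(node.dependencies ?? {})) {
      const childDevOnly = devOnly || child.dev === true;
      const childPath = [...path, `${name}@${child.version}`];
      if (name === pkgName) {
        hits.push({ version: child.version, path: childPath.join(" > "), devOnly: childDevOnly });
      }
      walk(child, childPath, childDevOnly);
    }
  };
  walk(tree, [], false);
  return hits;
}

// Distinct versions of `pkgName` that sit on at least one production path.
function productionVersions(tree, pkgName) {
  const versions = findPackagePaths(tree, pkgName).filter((h) => !h.devOnly).map((h) => h.version);
  return [...new Set(versions)].sort();
}

// True when every production-reachable version satisfies `isOk`.
function productionOnlyAt(tree, pkgName, isOk) {
  return productionVersions(tree, pkgName).every(isOk);
}

console.log(findPackagePaths(sampleTree, "glob"));
console.log("production glob versions:", productionVersions(sampleTree, "glob"));
```

Feed it the parsed output of `npm ls --json --all` in place of the constructed tree to see which glob versions a production install would actually pull in.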

bump

hallelk, Jul 21 '24 14:07