Upgrade or switch from glob
The current version of glob used has 26 dependencies. The latest version of glob has only 6 dependencies, tinyglobby has 2, or best yet use Node's built-in for 0 dependencies
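As an added example (not code from this thread or from the fastify-static project), the script below computes the kind of number being compared above: the transitive dependency closure of one package as recorded in a lockfileVersion 3 package-lock.json. It resolves each dependency the way npm lays out node_modules (nearest `node_modules/<name>` walking up from the dependant), so nested duplicate installs are counted as separate packages in the graph. The embedded lock object is constructed for illustration; its package names, versions and shape are placeholders, not the real glob dependency tree. `loadLockfile` is a hypothetical helper for pointing the same logic at a real lockfile.

```javascript
// Constructed sample in package-lock.json v3 shape (placeholder data, not the real glob graph).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { glob: "^10.0.0" } },
    "node_modules/glob": { version: "10.0.0", dependencies: { minimatch: "^9", jackspeak: "^3" } },
    "node_modules/minimatch": { version: "9.0.0", dependencies: { "brace-expansion": "^2" } },
    "node_modules/brace-expansion": { version: "2.0.0", dependencies: { "balanced-match": "^1" } },
    "node_modules/balanced-match": { version: "1.0.0" },
    "node_modules/jackspeak": { version: "3.0.0", dependencies: { "brace-expansion": "^1" } },
    // nested copy: a second brace-expansion major installed only for jackspeak
    "node_modules/jackspeak/node_modules/brace-expansion": { version: "1.0.0" },
  },
};

// Hypothetical helper: read a real lockfile from disk (only requires fs when called).
function loadLockfile(path) {
  const fs = require("node:fs");
  return JSON.parse(fs.readFileSync(path, "utf8"));
}

// Package name from a lock path such as "node_modules/a/node_modules/@s/b" -> "@s/b".
function packageName(lockPath) {
  const marker = "node_modules/";
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

// Resolve dependency `name` of the package installed at `fromPath`:
// look for `<fromPath>/node_modules/<name>`, then walk up one node_modules level at a time.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (candidate in packages) return candidate;
    if (!base) return null; // reached the project root without finding it
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Every installed package reachable from `rootPath` via (optional) dependencies.
// Peer dependencies are deliberately ignored: the lockfile records them on the consumer,
// and they resolve the same way, but they are not "pulled in" by the package itself.
function transitiveClosure(lock, rootPath) {
  const packages = lock.packages;
  const seen = new Set();
  const stack = [rootPath];
  while (stack.length) {
    const current = stack.pop();
    const entry = packages[current];
    if (!entry) continue;
    const wanted = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    for (const name of Object.keys(wanted)) {
      const resolved = resolveDep(packages, current, name);
      if (resolved !== null && !seen.has(resolved)) {
        seen.add(resolved);
        stack.push(resolved);
      }
    }
  }
  return [...seen].sort();
}

// Summary for one package: installed copies vs distinct package names.
function dependencyReport(lock, rootPath) {
  const installs = transitiveClosure(lock, rootPath);
  const names = [...new Set(installs.map(packageName))].sort();
  return { installs, names };
}

// Stand-alone usage: `node deps.js ./package-lock.json node_modules/glob`, or the sample when run bare.
if (typeof process !== "undefined" && process.argv && process.argv[2]) {
  const lock = loadLockfile(process.argv[2]);
  const report = dependencyReport(lock, process.argv[3] || "");
  console.log(`${report.installs.length} installed packages, ${report.names.length} distinct names`);
  for (const p of report.installs) console.log(`  ${p}`);
} else if (typeof process !== "undefined" && process.argv && process.argv.length <= 2) {
  const report = dependencyReport(SAMPLE_LOCK, "node_modules/glob");
  console.log(`sample glob closure: ${report.installs.length} installs, ${report.names.length} names`);
}
```

The split between installed copies and distinct names matters for the trust argument in this thread: each installed copy is a separate artifact that could be tampered with, while each distinct name roughly corresponds to a maintainer set you are trusting.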
What if those deps save us from some injection?
I say that because I trust the glob's maintainer and his work.
In this scenario, the number of dependencies is not important for me.
or best yet use Node's built-in for 0 dependencies
This is not an option right now because we need to support Node.js 20
That's why I also mentioned upgrading as a potential option. I didn't want to presume to know what your preference would be.
glob 12 had packages from 18 different maintainers and glob 13 has packages from only 1 maintainer, so if you want to rely on trusting him that's even more reason to upgrade and drop 17 other people from the dependency graph so you don't have to put so much trust in so many different people.
We should just move to use the node core one. PRs are welcome ;).
I actually tried to refactor this to make use of the existing core fs.glob function, but this is currently impossible because it cannot traverse symbolic links pointing to directories.
I've created the following PR to show this:
https://github.com/fastify/fastify-static/pull/549
I raised a feature request with the node team, but until this is done, we cannot use the node core one: https://github.com/nodejs/node/issues/61033