Open joshcartme opened 6 months ago
I see that renovate attempted to upgrade glob to 9 in https://github.com/protobufjs/protobuf.js/pull/1869. Something went wrong but the logs from what failed are gone. Locally I've tried upgrading it to the latest 9 and for my purposes, which are not comprehensive, it works fine.
+1
protobuf.js version: 7.2.6
protobufjs-cli version: 1.1.2
The CLI pulls in `"glob": "^8.0.0",`. glob less than 9 has `inflight` as a dependency. `inflight` has a known vulnerability, https://security.snyk.io/package/npm/inflight, and as it appears to be abandonware will likely never be fixed. It is also not going to be fixed in the `8.x` branch of glob, https://github.com/isaacs/node-glob/issues/573.

It appears the use of glob in the cli is compatible with 9 or 10, I'm not entirely sure how to evaluate that myself.
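
One way to confirm which dependency chains bring `inflight` into an install, as an added example that is not part of the original issue or of protobuf.js: it walks the `packages` map of an npm lockfile (v2/v3 layout) in reverse. The lockfile below is constructed, its project name and the resolved `glob` and `inflight` versions are placeholders, and chains are matched by package name only, ignoring nested `node_modules` resolution.

```javascript
// Constructed sample lockfile (npm lockfileVersion 3 layout); not taken from the project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", dependencies: { "protobufjs-cli": "^1.1.2" } },
    "node_modules/protobufjs-cli": { version: "1.1.2", dependencies: { glob: "^8.0.0" } },
    "node_modules/glob": { version: "8.1.0", dependencies: { inflight: "^1.0.4" } },
    "node_modules/inflight": { version: "1.0.6", dependencies: {} },
  },
};

// Package name from a lockfile key: the text after the last "node_modules/".
function nameOf(path, entry) {
  if (path === "") return entry.name || "(root)";
  return path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
}

// Map each package name to the packages that declare it as a dependency.
function reverseIndex(lock) {
  const index = new Map();
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const parent = nameOf(path, entry);
    const deps = { ...entry.dependencies, ...entry.optionalDependencies };
    for (const [dep, range] of Object.entries(deps)) {
      if (!index.has(dep)) index.set(dep, []);
      index.get(dep).push({ parent, range });
    }
  }
  return index;
}

// Every chain from a top-level package down to `target`, as "a > b > target".
// Returns [] when nothing in the lockfile depends on `target`.
function chainsTo(lock, target) {
  const index = reverseIndex(lock);
  const chains = [];
  const walk = (name, trail) => {
    // Skip parents already on the trail so dependency cycles terminate.
    const parents = (index.get(name) || []).filter(p => !trail.includes(p.parent));
    if (parents.length === 0 && trail.length > 1) chains.push(trail.join(" > "));
    for (const p of parents) walk(p.parent, [p.parent, ...trail]);
  };
  walk(target, [target]);
  return chains;
}

console.log(chainsTo(sampleLock, "inflight"));
```

To run it against a real project, replace `sampleLock` with the parsed contents of that project's `package-lock.json`.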