@kitten kitten commented Dec 1, 2025

Summary:

This replaces glob@^7.0.0 with tinyglobby@^0.2.15. glob@7 has been deprecated for a while and some versions after had security notices released for them. The plan is to backport this PR to 0.81.x and onwards.

Note

This is a stopgap solution until fs.glob becomes generally available with the EOL of Node v20

Succeeds:

Notable differences

tinyglobby isn't a 1:1 replacement for glob. They have a few breaking changes planned for v1 that will reduce the number of differences, but they haven't landed these yet. A small summary of the differences:

  • `expandDirectories: false` needs to be set to avoid tinyglobby expanding directories recursively when they exactly match a glob and to avoid `**` being misinterpreted
  • `onlyFiles: false` needs to be set if we want to match directories
  • Directories will be returned with a trailing slash rather than an exact path
  • `ignore` also stops traversal, meaning patterns matching directories (e.g. `.../*`) will be interpreted like a `.../**/*` ignore pattern in glob

Changelog:

[GENERAL] [SECURITY] - Replace glob@^7.0.0 with tinyglobby@^0.2.15

Test Plan:

  • Ran all modified commands manually and pod install in rn-tester
  • ios-prebuild-related scripts will be run and tested via CI
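
The call-site changes listed under "Notable differences" above, as an added example that is not code from this PR or from React Native. The helper names are hypothetical, `globSync` is injected and assumed to be tinyglobby's `globSync`, and the behaviours encoded are the ones the PR description states.

```javascript
// Options that keep a tinyglobby call close to the old glob@7 call site,
// following the differences listed in the PR description.
function toTinyglobbyOptions({ cwd, ignore = [], matchDirectories = false } = {}) {
  return {
    cwd,
    ignore,
    expandDirectories: false,     // do not recurse into a directory that exactly matches
    onlyFiles: !matchDirectories, // directories are only matched when this is false
  };
}

// Ignore patterns ending in a single "/*" (but not "/**/*"). Per the PR
// description these now also stop traversal, so they act like ".../**/*"
// did under glob and should be reviewed by hand before release.
function widenedIgnores(ignore) {
  return ignore.filter((p) => /(?<!\*\*)\/\*$/.test(p));
}

// Directories come back with a trailing slash; strip it for callers that
// compare results against exact paths (allow-lists, packaging manifests).
function normalizeResults(paths) {
  return paths.map((p) => (p.length > 1 && p.endsWith('/') ? p.slice(0, -1) : p));
}

// Hypothetical wrapper: runs the injected globSync with compatible options and
// reports which ignore patterns changed meaning in the migration.
function globCompat(globSync, patterns, opts = {}) {
  const options = toTinyglobbyOptions(opts);
  return {
    paths: normalizeResults(globSync(patterns, options)),
    review: widenedIgnores(options.ignore),
  };
}

// Constructed stand-in for tinyglobby's globSync so the example runs offline.
const fakeGlobSync = () => ['scripts/', 'scripts/build.js'];
const demo = globCompat(fakeGlobSync, 'scripts/**', {
  cwd: '/repo', // constructed path
  ignore: ['build/*', 'dist/**', 'tmp/**/*'],
  matchDirectories: true,
});
console.log(demo.paths);  // directory entries without the trailing slash
console.log(demo.review); // ignore patterns that now prune whole subtrees
```
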

@meta-cla meta-cla bot added the CLA Signed label Dec 1, 2025
@facebook-github-bot facebook-github-bot added the Shared with Meta label Dec 1, 2025
meta-codesync bot commented Dec 1, 2025

@huntie has imported this pull request. If you are a Meta employee, you can view this in D88069145.

@kitten kitten force-pushed the @kitten/security/replace-glob-with-tinyglobby branch from 2c69744 to 8fa4f28 Compare December 2, 2025 10:51
@kitten kitten force-pushed the @kitten/security/replace-glob-with-tinyglobby branch from 20409c4 to 574cda0 Compare December 2, 2025 12:28
A difference between `glob` and `tinyglobby` is how `ignore` is applied.
`glob` has an exception that only applies `.../*` patterns to files.
`tinyglobby` doesn't make this distinction and hence that'd also exclude
directories to be traversed. Patterns have been adjusted to account for
this.
facebook-github-bot pushed a commit to facebook/metro that referenced this pull request Dec 3, 2025
Summary:
Follows facebook/react-native#54737. Replaces #1442.

Replace `glob@^7.0.0` with the lighter weight `tinyglobby` package to resolve deprecation warnings. This affects only Metro's scripts files.

Changelog:
- **[Security]**: Replace `glob@^7.0.0` with `tinyglobby@^0.2.15`

Reviewed By: vzaidman

Differential Revision: D88146420
meta-codesync bot pushed a commit to facebook/metro that referenced this pull request Dec 3, 2025
Summary:
Pull Request resolved: #1627

Follows facebook/react-native#54737. Replaces #1442.

Replace `glob@^7.0.0` with the lighter weight `tinyglobby` package to resolve deprecation warnings. This affects only Metro's scripts files.

Changelog:
- **[Security]**: Replace `glob@^7.0.0` with `tinyglobby@^0.2.15`

Reviewed By: vzaidman

Differential Revision: D88146420

fbshipit-source-id: f201240589951be236f3c941258551d58340d5d8
@meta-codesync meta-codesync bot closed this in 41eace0 Dec 3, 2025
meta-codesync bot commented Dec 3, 2025

@huntie merged this pull request in 41eace0.

@facebook-github-bot facebook-github-bot added the Merged label Dec 3, 2025
@react-native-bot
Collaborator

This pull request was successfully merged by @kitten in 41eace0

When will my fix make it into a release? | How to file a pick request?
