Contributor

@joscha joscha commented Oct 2, 2024

Currently, when using this package, a warning is shown:

[Screenshot: 2024-10-02 at 11 31 21 AM]

It was mentioned here as well: #789 (comment) by @wing328.

The reason for these errors is that an old version of glob is pulled in:

npm why glob
glob@7.2.3
node_modules/glob
  glob@"7.2.3" from @openapitools/[email protected]
  node_modules/@openapitools/openapi-generator-cli
    @openapitools/openapi-generator-cli@"^2.13.5" from the root project

It gets added to the package lock when generating the dist via yarn build.
The reason is that the glob package is used here:

but the current package.json does not define it as a runtime dependency. Thus, at build time nx uses the glob package that is available:

yarn why glob
yarn why v1.22.22
[1/4] 🤔  Why do we have the module "glob"...?
[2/4] 🚚  Initialising dependency graph...
[3/4] 🔍  Finding dependency...
[4/4] 🚡  Calculating file sizes...
=> Found "[email protected]"
info Has been hoisted to "glob"
info Reasons this module exists
   - Hoisted from "tslint#glob"
   - Hoisted from "@nx#jest#@jest#reporters#glob"
   - Hoisted from "@nx#jest#jest-config#glob"
   - Hoisted from "tmp#rimraf#glob"
   - Hoisted from "@nx#webpack#stylus#glob"
   - Hoisted from "jest#@jest#core#jest-runtime#glob"
   - Hoisted from "jest#@jest#core#@jest#transform#babel-plugin-istanbul#test-exclude#glob"
info Disk size without dependencies: "64KB"
info Disk size with unique dependencies: "232KB"
info Disk size with transitive dependencies: "304KB"
info Number of shared dependencies: 8
=> Found "npm#[email protected]"
info This module exists because "semantic-release#@semantic-release#npm#npm" depends on it.
info Disk size without dependencies: "612KB"
info Disk size with unique dependencies: "2MB"
info Disk size with transitive dependencies: "3.74MB"
info Number of shared dependencies: 21
=> Found "@npmcli/map-workspaces#[email protected]"
info This module exists because "semantic-release#@semantic-release#npm#npm#@npmcli#map-workspaces" depends on it.
info Disk size without dependencies: "612KB"
info Disk size with unique dependencies: "2MB"
info Disk size with transitive dependencies: "3.74MB"
info Number of shared dependencies: 21
=> Found "@npmcli/package-json#[email protected]"
info This module exists because "semantic-release#@semantic-release#npm#npm#@npmcli#package-json" depends on it.
info Disk size without dependencies: "612KB"
info Disk size with unique dependencies: "2MB"
info Disk size with transitive dependencies: "3.74MB"
info Number of shared dependencies: 21
=> Found "cacache#[email protected]"
info This module exists because "semantic-release#@semantic-release#npm#npm#cacache" depends on it.
info Disk size without dependencies: "612KB"
info Disk size with unique dependencies: "2MB"
info Disk size with transitive dependencies: "3.74MB"
info Number of shared dependencies: 21
=> Found "node-gyp#[email protected]"
info This module exists because "semantic-release#@semantic-release#npm#npm#node-gyp" depends on it.
info Disk size without dependencies: "612KB"
info Disk size with unique dependencies: "2MB"
info Disk size with transitive dependencies: "3.74MB"
info Number of shared dependencies: 21
=> Found "read-package-json#[email protected]"
info This module exists because "semantic-release#@semantic-release#npm#npm#init-package-json#read-package-json" depends on it.
info Disk size without dependencies: "612KB"
info Disk size with unique dependencies: "2MB"
info Disk size with transitive dependencies: "3.74MB"
info Number of shared dependencies: 21
✨  Done in 0.31s.

which is the one that has been hoisted from a bunch of dev dependencies. These use old versions of glob that satisfy the dependency of an unversioned glob, thus making it into dist/apps/generator-cli/package.json:
[Image: 2024-10-02_11-38]

By specifying the dependency as a first-class runtime dep, we prevent this unintended hoisting.

A yarn build with the contents of this PR yields:

[Screenshot: 2024-10-02 at 11 39 36 AM]

for dist/apps/generator-cli/package.json.

Thus removing the old glob (and by transitive dependency the old inflight), removing the warnings.

However, twist, this package currently defines "node": ">=10.0.0" as a minimum req. The current version of glob has a (quite sane) minimum of 20:

error [email protected]: The engine "node" is incompatible with this module. Expected version "20 || >=22". Got "18.20.4"

We need to either use an older version of glob, or bump the node dependency. Given that node 18 still has security support (see https://endoflife.date/nodejs), we might need to find an acceptable compromise between 18 and Node 10. Thoughts?

The last 9.x version of glob has "node": ">=16", which should be acceptable?

EOL for Node 16 was September 11th, 2023, about a year ago and the last glob 9.x release was about a year ago: https://www.npmjs.com/package/glob/v/9.3.5

We could go glob@10; then we would be on a supported branch, but that version doesn't define a minimum engine version.
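
An added example, not part of the PR or the project's code: a heuristic Node.js check for the condition described in the comment above, a package that source files import but package.json does not declare as a runtime dependency. The manifest, file names and function names are constructed for illustration; the scan is regex-based, not a full parser.

```javascript
const { builtinModules } = require('node:module');

// Matches: import x from 'p' | import 'p' | export ... from 'p' | require('p') | import('p')
const SPECIFIER_RE =
  /(?:\bfrom\s*|\bimport\s*\(?\s*|\brequire\s*\(\s*)(['"])([^'"\n]+)\1/g;

// '@scope/name/sub/path' -> '@scope/name', 'name/sub' -> 'name'
function packageName(specifier) {
  const parts = specifier.split('/');
  return specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

function isExternal(specifier) {
  if (specifier.startsWith('.') || specifier.startsWith('/')) return false; // local file
  if (specifier.startsWith('node:')) return false; // Node built-in
  return !builtinModules.includes(packageName(specifier));
}

// pkg: parsed package.json object; sources: { fileName: sourceText }
function findUndeclaredImports(pkg, sources) {
  const runtime = new Set([
    ...Object.keys(pkg.dependencies || {}),
    ...Object.keys(pkg.peerDependencies || {}),
    ...Object.keys(pkg.optionalDependencies || {}),
  ]);
  const devOnly = new Set(Object.keys(pkg.devDependencies || {}));
  const findings = [];
  for (const [file, text] of Object.entries(sources)) {
    for (const match of text.matchAll(SPECIFIER_RE)) {
      if (!isExternal(match[2])) continue;
      const name = packageName(match[2]);
      if (runtime.has(name)) continue; // declared for runtime: fine
      findings.push({ file, name, status: devOnly.has(name) ? 'dev-only' : 'undeclared' });
    }
  }
  return findings;
}

// Constructed sample input (not the project's real manifest or sources).
const samplePkg = {
  dependencies: { 'fs-extra': '^10.0.0' },
  devDependencies: { jest: '^29.0.0' },
};
const sampleSources = {
  'src/app.ts': "import * as fs from 'fs-extra';\nimport * as path from 'path';\nimport { glob } from 'glob';\nimport { x } from './util';",
  'src/tool.js': "const os = require('node:os');\nconst jest = require('jest');",
};
console.log(findUndeclaredImports(samplePkg, sampleSources));
```

An `undeclared` finding is the case from this PR: the import only resolves because some other package's copy happens to be hoisted, so the version that ships is whatever the installer picked.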

@wing328
Member

wing328 commented Oct 3, 2024

> The last 9.x version of glob has "node": ">=16", which should be acceptable?

Yes, I think so.

Thanks for the details explaining the issue and the PR.

@wing328 wing328 merged commit 4d88fe2 into OpenAPITools:master Oct 3, 2024
3 checks passed

github-actions bot commented Oct 3, 2024

🎉 This PR is included in version 2.13.13 🎉

The release is available on:

Your semantic-release bot 📦🚀
