Skip to content

Update glob to at least 13.0.6#3974

Open
mbg wants to merge 1 commit into
mainfrom
mbg/deps/glob
Open

Update glob to at least 13.0.6#3974
mbg wants to merge 1 commit into
mainfrom
mbg/deps/glob

Conversation

@mbg

@mbg mbg commented Jun 23, 2026

Copy link
Copy Markdown
Member

Dependabot is struggling to update glob since we have an override for it. I checked, and the override is still required since some of our dependencies transitively depend on older versions of glob. This PR bumps glob to a newer version, which allows several other dependency updates as well.

Risk assessment

For internal use only. Please select the risk level of this change:

  • Low risk: Changes are fully under feature flags, or have been fully tested and validated in pre-production environments and are highly observable, or are documentation or test only.

Which use cases does this change impact?

Workflow types:

  • Advanced setup - Impacts users who have custom CodeQL workflows.
  • Managed - Impacts users with dynamic workflows (Default Setup, Code Quality, ...).

Products:

  • Code Scanning - The changes impact analyses when analysis-kinds: code-scanning.
  • Code Quality - The changes impact analyses when analysis-kinds: code-quality.
  • Other first-party - The changes impact other first-party analyses.
  • Third-party analyses - The changes affect the upload-sarif action.

Environments:

  • Dotcom - Impacts CodeQL workflows on github.com and/or GitHub Enterprise Cloud with Data Residency.
  • GHES - Impacts CodeQL workflows on GitHub Enterprise Server.

How did/will you validate this change?

  • Unit tests - I am depending on unit test coverage (i.e. tests in .test.ts files).
  • End-to-end tests - I am depending on PR checks (i.e. tests in pr-checks).

If something goes wrong after this change is released, what are the mitigation and rollback strategies?

  • Rollback - Change can only be disabled by rolling back the release or releasing a new version with a fix.

How will you know if something goes wrong after this change is released?

  • Telemetry - I rely on existing telemetry or have made changes to the telemetry.
    • Dashboards - I will watch relevant dashboards for issues after the release. Consider whether this requires this change to be released at a particular time rather than as part of a regular release.
    • Alerts - New or existing monitors will trip if something goes wrong with this change.

Are there any special considerations for merging or releasing this change?

  • No special considerations - This change can be merged at any time.

Merge / deployment checklist

  • Confirm this change is backwards compatible with existing workflows.
  • Consider adding a changelog entry for this change.
  • Confirm the readme and docs have been updated if necessary.

@mbg mbg requested a review from henrymercer June 23, 2026 18:11
@mbg mbg self-assigned this Jun 23, 2026
@mbg mbg requested a review from a team as a code owner June 23, 2026 18:11
Copilot AI review requested due to automatic review settings June 23, 2026 18:11
@github-actions github-actions Bot added the size/XS Should be very easy to review label Jun 23, 2026
@mbg mbg force-pushed the mbg/deps/glob branch from 8ba5267 to 423f7de Compare June 23, 2026 18:12
Copilot AI reviewed Jun 23, 2026
View reviewed changes

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the repository’s glob dependency (and its npm override) to ^13.0.6, unblocking Dependabot and allowing related dependency upgrades to proceed while keeping a single glob version resolved across the dependency tree.

Changes:

  • Bump glob in devDependencies to ^13.0.6.
  • Update the npm overrides entry for glob to ^13.0.6.
  • Refresh package-lock.json to reflect the new resolved glob version and resulting dependency graph adjustments.
Show a summary per file
File Description
package.json Updates glob version in devDependencies and in overrides to enforce the newer minimum across transitive dependencies.
package-lock.json Updates the lockfile to resolve glob@13.0.6 and reflect associated dependency graph changes.

Copilot's findings

  • Files reviewed: 1/3 changed files
  • Comments generated: 0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@henrymercer henrymercer Awaiting requested review from henrymercer

At least 1 approving review is required to merge this pull request.

Assignees

@mbg mbg

Labels

size/XS Should be very easy to review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@mbg