
chore: remove redundant glob ^11.0.4 override (#940)#948

Merged
NoopDog merged 3 commits into
mainfrom
fran/940-audit-glob-override
Jun 4, 2026

Conversation

@frano-m frano-m commented Jun 3, 2026

Contributor

Summary

  • Remove the overrides: { glob: "^11.0.4" } block from package.json — it was added in chore: bump nextjs version to fix vulnerabilities (#704) #705 (Dec 2025) to silence audit findings from Next 14's transitive deps, and the dep graph no longer produces those findings under Next 16.
  • Refresh package-lock.json to the override-free resolution.
  • Add a short README subsection under "Consumer setup for Next.js 16" telling consumers that carry the same override to remove it.

Audit findings (npm audit shows zero glob-related vulns at v7/v11/v13)

| State | docgen plugin glob | Jest 29 glob | Total npm audit vulns |
|---|---|---|---|
| With override (current main) | v11.1.0 (forced down from declared ^13.0.1) | v11.1.0 (forced up from declared ^7.1.3) | 7 moderate |
| Without override (this PR) | v13.0.6 (matches declared range) | v7.2.3 (matches declared range) | 6 moderate |

Removing the override:

  • Aligns @joshwooding/vite-plugin-react-docgen-typescript with its declared glob ^13.0.1 (the override was silently downgrading it).
  • Returns Jest 29's transitive glob to its declared ^7.1.3 — what Jest 29 was designed against.
  • Reduces audit count by 1 (the v11 forcing was adding a moderate finding).
  • Reintroduces an npm warn deprecated inflight@1.0.6 warning during install (Jest 29 → glob@7 → inflight). Cosmetic; not a CI failure.

Verification

  • npx tsc --noEmit — clean
  • npm test — 447 tests pass
  • Smoke test in data-biosphere on fran/x-nextjs-test with local tarball: npm run build:anvil-cmg succeeded end-to-end (all pages prerendered, next-sitemap generated).

Closes #940.

Test plan

  • CI green
  • Reviewer confirms npm audit doesn't surface new glob-related findings after this lands

🤖 Generated with Claude Code
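The check the PR's audit table describes (which copy of glob each dependent actually resolves to, and whether that copy sits inside the range the dependent declares) can be run mechanically against the lockfile. The following is an added example, not code from the PR or the project. It assumes a lockfileVersion 3 package-lock.json (a "packages" map keyed by node_modules paths, each entry recording its own "dependencies" ranges) and handles only exact and caret ranges, which is all this case needs. The package.json and lockfile objects are constructed to mirror the before/after states above: jest is modelled as depending on glob directly (the real dependency is transitive) and the docgen plugin's own version is a placeholder. The names auditOverride, resolveDependency and satisfies are this example's own.

```javascript
// Added example (not the project's code): is an npm "overrides" entry still
// changing what any dependent resolves to?
function parseVersion(v) {
  return v.replace(/^v/, "").split("-")[0].split(".").slice(0, 3).map(Number);
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Minimal semver: exact "x.y.z" or caret "^x.y.z" only (assumption: enough here).
function satisfies(version, range) {
  const caret = range.startsWith("^");
  const base = parseVersion(caret ? range.slice(1) : range);
  const v = parseVersion(version);
  if (!caret) return compareVersions(v, base) === 0;
  // caret allows up to the next breaking change: next major, or next minor while
  // major is 0, or next patch while major and minor are both 0
  const upper = base[0] > 0 ? [base[0] + 1, 0, 0]
    : base[1] > 0 ? [0, base[1] + 1, 0]
    : [0, 0, base[2] + 1];
  return compareVersions(v, base) >= 0 && compareVersions(v, upper) < 0;
}

// Node resolution over the lockfile: try <from>/node_modules/<dep>, then walk up
// one node_modules level at a time until the root node_modules has been checked.
function resolveDependency(packages, fromPath, dep) {
  let dir = fromPath;
  for (;;) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + dep;
    if (packages[candidate]) return candidate;
    if (dir === "") return null;
    const idx = dir.lastIndexOf("node_modules/");
    dir = idx <= 0 ? "" : dir.slice(0, idx - 1);
  }
}

function auditOverride(pkgJson, lock, dep) {
  if (lock.lockfileVersion !== 3) throw new Error("expected lockfileVersion 3");
  const packages = lock.packages;
  const overrideRange = (pkgJson.overrides || {})[dep] ?? null;
  const findings = [];
  for (const [path, entry] of Object.entries(packages)) {
    const declared = (entry.dependencies || {})[dep];
    if (!declared) continue;
    const resolvedPath = resolveDependency(packages, path, dep);
    const resolved = resolvedPath ? packages[resolvedPath].version : null;
    findings.push({
      dependent: path === "" ? "(root)" : path,
      declared,
      resolved,
      satisfiesDeclared: resolved !== null && satisfies(resolved, declared),
    });
  }
  const forcing = findings.filter((f) => !f.satisfiesDeclared);
  const verdict = overrideRange === null ? "no override declared"
    : forcing.length === 0 ? "override present but no dependent is off its declared range"
    : "override forcing " + forcing.length + " dependent(s) off declared range";
  return { overrideRange, findings, verdict };
}

// Run against a real checkout: auditProjectDir(".", "glob")
function auditProjectDir(dir, dep) {
  const fs = require("node:fs");
  const read = (f) => JSON.parse(fs.readFileSync(dir + "/" + f, "utf8"));
  return auditOverride(read("package.json"), read("package-lock.json"), dep);
}

// Constructed sample: the "with override" state. Both dependents are hoisted onto
// the single root copy that the override pinned to 11.x. Dependent versions are
// placeholders.
const pkgWithOverride = { name: "demo", overrides: { glob: "^11.0.4" } };
const lockWithOverride = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo" },
    "node_modules/glob": { version: "11.1.0" },
    "node_modules/jest": { version: "29.0.0", dependencies: { glob: "^7.1.3" } },
    "node_modules/@joshwooding/vite-plugin-react-docgen-typescript": {
      version: "0.0.0", dependencies: { glob: "^13.0.1" } },
  },
};

// Constructed sample: the override-free resolution. jest gets its own nested glob@7
// and the docgen plugin gets the hoisted glob@13.
const pkgWithoutOverride = { name: "demo" };
const lockWithoutOverride = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo" },
    "node_modules/glob": { version: "13.0.6" },
    "node_modules/jest": { version: "29.0.0", dependencies: { glob: "^7.1.3" } },
    "node_modules/jest/node_modules/glob": { version: "7.2.3" },
    "node_modules/@joshwooding/vite-plugin-react-docgen-typescript": {
      version: "0.0.0", dependencies: { glob: "^13.0.1" } },
  },
};

const before = auditOverride(pkgWithOverride, lockWithOverride, "glob");
const after = auditOverride(pkgWithoutOverride, lockWithoutOverride, "glob");
for (const r of [before, after]) console.log(r.verdict, r.findings);
```

A dependent that resolves to a version outside its own declared range is the signal that an override is still doing work; if every dependent is inside its declared range, the override can be dropped and the lockfile refreshed, which is the situation this PR reports for glob. The semver helper deliberately supports only exact and caret ranges; for lockfiles with tilde, hyphen or compound ranges, swap in a full semver implementation rather than extending it.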

frano-m and others added 2 commits June 3, 2026 17:20
The override was added in #705 (Dec 2025) to address transitive
vulnerabilities flagged by npm audit at the time. Since Next.js
has been bumped to 16, the transitive dep graph no longer
contains the chains that pulled in those vulnerable versions —
npm audit reports zero glob-related vulnerabilities at v7, v11,
or v13 today.

The override was also silently downgrading
@joshwooding/vite-plugin-react-docgen-typescript from its declared
glob ^13 to v11, and was adding one moderate finding to the audit
that disappears when the override is removed.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings June 3, 2026 07:26
@frano-m frano-m marked this pull request as ready for review June 3, 2026 07:27

Copilot AI left a comment

Contributor


Pull request overview

This PR removes a now-redundant glob npm override from package.json (originally added to address Next.js 14-era audit findings) and refreshes the lockfile to reflect the natural, override-free dependency resolution under Next.js 16. It also updates the README to guide downstream consumers who may still carry the old override.

Changes:

  • Remove overrides: { glob: "^11.0.4" } from package.json.
  • Regenerate package-lock.json to reflect override-free glob resolution (notably allowing Jest’s transitive glob@7.x again and allowing newer consumers to use glob@13.x).
  • Add README guidance for consumers to remove the stale override.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.

| File | Description |
|---|---|
| README.md | Adds consumer guidance on removing the stale glob override (and expected install warnings). |
| package.json | Removes the glob override block. |
| package-lock.json | Updates the resolved dependency graph after removing the override. |

Two review comment threads on README.md (outdated)
- scope vulnerability claim to specific resolved versions + date
- mention both glob@7.x and inflight@1.0.6 deprecation warnings

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@NoopDog NoopDog merged commit 83903dd into main Jun 4, 2026
2 checks passed
@frano-m frano-m deleted the fran/940-audit-glob-override branch June 4, 2026 10:15

Development

Successfully merging this pull request may close these issues.

Audit: is the overrides.glob: ^11.0.4 still needed?