
chore(deps): switch to tinyglobby #1041


Open · benmccann wants to merge 1 commit into master

Conversation

@benmccann commented May 7, 2025

@benmccann (Author) commented Jun 26, 2025

@babblebey @travi @gr2m would I be able to get a review on this PR? It's a bit difficult to keep it updated to avoid merge conflicts since Renovate is constantly updating the lockfile. Thanks!

@gr2m (Member) commented Jun 27, 2025

The number of dependencies is not a problem, especially if both globby and all of its sub-dependencies are quite established and from @sindresorhus, whom we know and trust.

tinyglobby seems to be widely used as well, but we would have to investigate thoroughly before we expose ourselves to a new 3rd-party injection attack vector. So I'm not saying no, we are just being careful.

@benmccann (Author) commented Jun 27, 2025

Yeah, it's good to be thoughtful about dependency changes. In case it helps, here are the top 10 packages using both libraries. Overall, I'd say that the most popular packages are leaning towards using tinyglobby, but globby has more downloads overall, as it takes a while for people to upgrade their packages and become aware of newer packages.

I'll also note that you don't have to just trust Sindre, but all 14 people who have access to publish globby or one of its dependencies as compared to only 6 for tinyglobby. I generally think that everyone involved in both packages and their dependencies is quite trustworthy, but am more worried about compromised machines/credentials. The more people with the ability to publish, the more attack surface area exists.

Top 10 packages depending on tinyglobby:

| # | Downloads | Package | Note |
|---|-----------|---------|------|
| 1 | 107.99M | vite | |
| 2 | 78.69M | node-gyp | |
| 3 | 52.53M | eslint-import-resolver-typescript | |
| 4 | 42.00M | vitest | |
| 5 | 39.83M | copy-webpack-plugin | |
| 6 | 14.24M | @oclif/core | |
| 7 | 11.97M | @nx/js | |
| 8 | 9.67M | @vitest/ui | |
| 9 | 8.14M | lerna | |
| 10 | 8.06M | @lerna/create | |

Top 10 packages depending on globby:

| # | Downloads | Package | Note |
|---|-----------|---------|------|
| 1 | 62.34M | del | Sindre's package |
| 2 | 22.99M | react-dev-utils | deprecated |
| 3 | 22.93M | stylelint | |
| 4 | 18.45M | @graphql-tools/graphql-file-loader | |
| 5 | 17.61M | @graphql-tools/json-file-loader | |
| 6 | 16.26M | @graphql-tools/code-file-loader | |
| 7 | 9.54M | @storybook/codemod | they're investigating a switch and already switched another package to tinyglobby during dependency cleanup |
| 8 | 9.39M | @semantic-release/github | this package |
| 9 | 8.44M | @storybook/cli | they're investigating a switch and already switched another package to tinyglobby during dependency cleanup |
| 10 | 7.80M | cpy | Sindre's package |
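The "14 people vs 6" comparison in the comment above is a count of distinct accounts that can publish any package in a dependency tree. As an added example (not part of this PR, semantic-release, globby or tinyglobby), the script below walks a pinned dependency tree and collects that set, attributing each publisher to the packages they control. The package names, versions and maintainer accounts are constructed for the example; the document shape used (`maintainers` array, `versions[v].dependencies`) is what `https://registry.npmjs.org/<name>` returns, so the same function works on real packuments once fetched. The flat name-to-version lock map is a simplification of a real lockfile, which may pin several versions of one package.

```javascript
// Added example: measure "publisher attack surface" of a dependency tree.
// CONSTRUCTED registry data (hypothetical packages and accounts), shaped like
// npm packuments from https://registry.npmjs.org/<name>.
const registry = {
  "big-glob": {
    maintainers: [{ name: "alice" }, { name: "bob" }],
    versions: { "14.0.0": { dependencies: { "fs-walk": "^2.0.0", "pattern-match": "^3.0.0", "path-util": "^1.0.0" } } },
  },
  "fs-walk": {
    maintainers: [{ name: "alice" }, { name: "carol" }],
    versions: { "2.1.0": { dependencies: { "path-util": "^1.0.0" } } },
  },
  "pattern-match": {
    maintainers: [{ name: "dave" }],
    versions: { "3.0.2": { dependencies: {} } },
  },
  "path-util": {
    maintainers: [{ name: "alice" }, { name: "erin" }],
    versions: { "1.4.0": {} }, // no runtime dependencies
  },
  "small-glob": {
    maintainers: [{ name: "frank" }, { name: "grace" }],
    versions: { "0.2.0": { dependencies: { "fast-walk": "^1.0.0" } } },
  },
  "fast-walk": {
    maintainers: [{ name: "frank" }],
    versions: { "1.0.0": {} },
  },
};

// CONSTRUCTED lock: the version actually installed for each package name
// (simplification of package-lock.json, which can pin several versions).
const lock = {
  "big-glob": "14.0.0", "fs-walk": "2.1.0", "pattern-match": "3.0.2",
  "path-util": "1.4.0", "small-glob": "0.2.0", "fast-walk": "1.0.0",
};

// Walk the runtime dependency graph from rootName using the pinned versions,
// returning the set of packages reached and a Map publisher -> Set(packages)
// that account is allowed to publish. Any of those accounts, if compromised,
// can ship code into the tree.
function collectPublishers(rootName, lockMap, reg) {
  const packages = new Set();
  const publishers = new Map();
  const stack = [rootName];
  while (stack.length > 0) {
    const name = stack.pop();
    if (packages.has(name)) continue; // handles diamonds and cycles
    const doc = reg[name];
    if (!doc) throw new Error(`no registry document for ${name}`);
    const version = lockMap[name];
    const meta = doc.versions[version];
    if (!meta) throw new Error(`lock pins ${name}@${version}, which the registry does not list`);
    packages.add(name);
    for (const m of doc.maintainers) {
      if (!publishers.has(m.name)) publishers.set(m.name, new Set());
      publishers.get(m.name).add(name);
    }
    for (const dep of Object.keys(meta.dependencies || {})) stack.push(dep);
  }
  return { packages, publishers };
}

// Human-readable comparison of two candidate dependencies.
function report(rootName) {
  const { packages, publishers } = collectPublishers(rootName, lock, registry);
  const lines = [`${rootName}: ${packages.size} packages, ${publishers.size} publishing accounts`];
  for (const [who, pkgs] of [...publishers].sort()) {
    lines.push(`  ${who} -> ${[...pkgs].sort().join(", ")}`);
  }
  return lines.join("\n");
}

console.log(report("big-glob"));
console.log(report("small-glob"));
```

Publishers are counted once even when they maintain several packages, so the number reported is the set of credentials whose compromise would matter, not a sum over packages. Against the live registry the same loop would fetch each packument (or read `~/.npm/_cacache`) and should also be re-run after any lockfile update, since a new transitive dependency silently enlarges the set.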

@benmccann benmccann force-pushed the tinyglobby branch 2 times, most recently from 08bab71 to 55ea34f Compare June 28, 2025 02:52
2 participants