Description
Running npm install -g @aws/agentcore emits an npm deprecation warning about glob@10.5.0, which is pulled in transitively through archiver-utils@5.0.2. The install itself succeeds, but the warning adds noise to the user's first interaction with the CLI and may cause concern for users sensitive to deprecation/security signals.
Steps to Reproduce
- npm install -g @aws/agentcore (or npm install in a fresh clone of this repo)
- Observe the warning in the output
Expected Behavior
npm install completes without deprecation warnings, since the underlying issue has a supported successor available (glob@>=12).
Actual Behavior
npm warn deprecated glob@10.5.0: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
CLI Version
0.12.0 (latest)
1.0.0-preview.3 (preview)
Both are affected.
Operating System
macOS (also reproducible on Linux/Windows — the warning originates from a transitive npm dependency)
Additional Context
Root cause
glob@10.5.0 is brought in through:
@aws/agentcore
├─ @aws-cdk/toolkit-lib
   └─ archiver@7.0.1
      └─ archiver-utils@5.0.2 ← still pins "glob": "^10.0.0" (latest version)
         └─ glob@10.5.0 (deprecated)
archiver-utils@latest (5.0.2) still requires glob@^10.0.0, so this cannot be fixed at the source. On the npm registry, glob@<12 is currently marked as deprecated (legacy-v10 and earlier dist-tags); only glob@>=12 is free of the warning.
Proposed fix
Pin glob to ^13.0.0 (current latest) via package.json#overrides, following the same pattern already used in this repo for minimatch, fast-xml-parser, and @aws-sdk/xml-builder. Verified locally:
- npm install completes with zero deprecation warnings.
- archiver-utils@5.0.2 only uses glob.sync(pattern, options), which remains a stable API in glob@13.
- glob@13's own minimatch ^10.2.2 requirement is compatible with the existing minimatch: 10.2.4 override.
Happy to send PRs against both main and preview branches if this approach is acceptable.
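A check for whether an override like the one proposed above actually took effect, as an added example that is not part of the original issue or the repository's code: it scans the "packages" map of an npm lockfile (lockfileVersion 2 or 3) for installed copies of a package below a major-version floor. The sample lockfile, its project name and paths, and the function names are constructed for illustration.

```javascript
// Constructed sample: a trimmed lockfileVersion 3 "packages" map that mirrors
// the dependency chain in this issue. On a real project, pass in
// JSON.parse(<contents of package-lock.json>) instead.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-cli", version: "0.0.0" },
    "node_modules/@aws-cdk/toolkit-lib": { version: "0.0.0-constructed" },
    "node_modules/archiver": { version: "7.0.1" },
    "node_modules/archiver-utils": { version: "5.0.2" },
    // Nested copy: this is what a missing or ineffective override leaves behind.
    "node_modules/archiver-utils/node_modules/glob": { version: "10.5.0" },
    "node_modules/glob": { version: "13.0.0" },
    "node_modules/minimatch": { version: "10.2.4" },
  },
};

// The package name is whatever follows the last "node_modules/" in the key,
// which also covers scoped names and copies nested under another package.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? null : lockPath.slice(i + marker.length);
}

// Return every installed copy of `name` whose major version is below `minMajor`.
function findStaleCopies(lock, name, minMajor) {
  const stale = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    // Skip other packages and workspace link entries, which carry no version.
    if (packageNameFromPath(lockPath) !== name || !entry.version) continue;
    const major = Number.parseInt(entry.version.split(".")[0], 10);
    // Fail closed: an unparseable version is reported rather than ignored.
    if (Number.isNaN(major) || major < minMajor) {
      stale.push({ path: lockPath, version: entry.version });
    }
  }
  return stale;
}

// Floor of 12 comes from the issue text: only glob@>=12 is free of the warning.
for (const hit of findStaleCopies(sampleLock, "glob", 12)) {
  console.log(`stale glob ${hit.version} at ${hit.path}`);
}
```

Run against the real lockfile in CI, a non-empty result means some dependency path still resolves to a deprecated copy despite the override.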