Conversation
The following vulnerabilities are fixed with an upgrade:
- https://snyk.io/vuln/SNYK-JS-MINIMATCH-15353389
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
| "commander": "^9.3.0", | ||
| "glob": "^8.0.3", | ||
| "minimatch": "^5.1.0", | ||
| "glob": "^12.0.0", |
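Review bot: the visible hunk changes only the glob line (^8.0.3 to ^12.0.0) while the minimatch line still reads ^5.1.0, yet the advisory this PR fixes (SNYK-JS-MINIMATCH-15353389) is against minimatch and the summary says minimatch moves to ^5.1.8; confirm that package.json actually carries the minimatch bump rather than relying on whatever minimatch glob 12 pulls in transitively, and regenerate yarn.lock in the same commit so the resolved versions can be reviewed. A four-major-version jump of glob is also far more change than a minimatch patch release needs; if the goal is only the minimatch fix, a bump of minimatch alone (and of glob only as far as required to pick up a patched minimatch) keeps the diff reviewable and avoids the glob.sync and Node-version concerns raised below.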
Major glob version bump likely breaks existing sync API usage
High Severity
Upgrading glob from ^8.0.3 to ^12.0.0 spans four major versions with significant breaking API changes. The existing code in config.ts uses import { glob } from "glob" and then calls glob.sync(pattern, { cwd }), which was the native v8 API but is only a backward-compatibility alias in v9.3+. Additionally, glob v11+ requires Node.js 20+, while the project targets Node 18 (per @types/node@^18). The yarn.lock was also not updated, so dependency resolution is unverified. Snyk's own metadata flags this as a breaking change.
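The stale-lockfile point in the Bugbot comment above is something a reviewer can check mechanically instead of by eye. The script below is an added example, not code from this PR, from Snyk or from Cursor Bugbot: it parses a yarn v1 lockfile and reports every dependency range declared in package.json that the lockfile no longer keys a resolution for. The package.json contents and the yarn.lock fragment are constructed samples that mirror the ranges shown in the hunk (the registry URLs are placeholders), and nothing here is read from the real repository.

```javascript
// Added example (not from the PR, Snyk or Cursor Bugbot): detect a yarn v1
// lockfile that was not regenerated after package.json dependency ranges
// changed. Yarn v1 keys every resolution by the exact "name@range" spec it
// satisfied, so a declared range with no matching key means `yarn` was not
// rerun after the edit.

// Constructed sample: package.json after the Snyk bump (hypothetical content).
const PACKAGE_JSON = JSON.stringify({
  name: "@noom/symbolism-utils",
  dependencies: {
    commander: "^9.3.0",
    glob: "^12.0.0",
    minimatch: "^5.1.8",
  },
});

// Constructed sample: a yarn v1 lockfile that still reflects the old ranges.
// Registry URLs are placeholders.
const YARN_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


commander@^9.3.0:
  version "9.3.0"
  resolved "https://registry.example/commander/-/commander-9.3.0.tgz"

glob@^8.0.3, glob@^8.0.0:
  version "8.0.3"
  resolved "https://registry.example/glob/-/glob-8.0.3.tgz"
  dependencies:
    minimatch "^5.0.1"

minimatch@^5.0.1, minimatch@^5.1.0:
  version "5.1.0"
  resolved "https://registry.example/minimatch/-/minimatch-5.1.0.tgz"
`;

// Parse a yarn v1 lockfile into a Map of "name@range" -> resolved version.
// Header lines are unindented and end with ":"; they may list several
// comma-separated specs, each optionally double-quoted (scoped packages are).
function parseYarnLock(text) {
  const entries = new Map();
  let currentKeys = [];
  for (const line of text.split("\n")) {
    if (line.startsWith("#") || line.trim() === "") continue;
    if (!line.startsWith(" ") && line.endsWith(":")) {
      currentKeys = line
        .slice(0, -1)
        .split(",")
        .map((k) => k.trim().replace(/^"|"$/g, ""));
      continue;
    }
    // Only the "version" field of the current block is needed here.
    const m = line.match(/^  version "([^"]+)"/);
    if (m) for (const k of currentKeys) entries.set(k, m[1]);
  }
  return entries;
}

// First resolved version recorded for a package name, regardless of range.
function lockedVersionFor(lock, name) {
  for (const [key, version] of lock) {
    if (key.startsWith(`${name}@`)) return version;
  }
  return null;
}

// Return the declared dependencies whose exact "name@range" key is absent
// from the lockfile, together with whatever version the lockfile still pins.
function findStaleDependencies(packageJsonText, lockText) {
  const pkg = JSON.parse(packageJsonText);
  const lock = parseYarnLock(lockText);
  const stale = [];
  for (const [name, range] of Object.entries(pkg.dependencies || {})) {
    if (!lock.has(`${name}@${range}`)) {
      stale.push({ name, range, lockedVersion: lockedVersionFor(lock, name) });
    }
  }
  return stale;
}

// Stand-alone run: prints the stale entries for the constructed samples.
console.log(JSON.stringify(findStaleDependencies(PACKAGE_JSON, YARN_LOCK), null, 2));
```

A non-empty result means the lockfile predates the package.json edit, which is exactly the state the comment above describes, and the `lockedVersion` field shows what CI or a fresh clone would actually install until `yarn` is rerun. The parser targets the yarn v1 `name@range:` header format; a Yarn 2+ (berry) lockfile uses different headers and would need its own parser.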


Snyk has created this PR to fix 1 vulnerability in the yarn dependencies of this project.
Snyk changed the following file(s):
packages/utils/package.json
Note for zero-installs users
If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory, meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory. If you are not using zero-install you can ignore this as your flow should likely be unchanged.
Vulnerabilities that will be fixed with an upgrade:
SNYK-JS-MINIMATCH-15353389
Important
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.
For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic
Learn how to fix vulnerabilities with free interactive lessons:
🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.
Note
Medium Risk
Upgrades glob to a new major version and minimatch to a patched release, which could subtly change file-matching behavior used by the utils config parsing logic.
Overview
Updates @noom/symbolism-utils dependencies by bumping glob from ^8.0.3 to ^12.0.0 and minimatch from ^5.1.0 to ^5.1.8 to remediate a reported vulnerability. No code changes accompany the upgrade, but glob is a major-version jump and may affect how packages/utils/src/config.ts expands entry point patterns.
Written by Cursor Bugbot for commit bad238b. This will update automatically on new commits. Configure here.