fix: cve globby issue resolved via glob

monken · Aug 24, 2024 · 7e27d12 · 7e27d12
1 parent 8b02176
commit 7e27d12
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 10 deletions.
diff --git a/README.md b/README.md
@@ -185,7 +185,7 @@ Only applicable if **type** is `api`:
 - **parameters** (optional): Parameters passed to **action** (e.g. `{ StackName: "MyStack" }`)
 - **region** (optional): Either `AWS_DEFAULT_REGION` or this parameter have to be set which specifies the region where the API call is made.
 You can also use a plain string if you want the default behavior, which is simply including a JSON file.
-- **isGlob** (optional): Forces the usage of [globby](https://www.npmjs.com/package/globby) to spit out an array of includes
+- **isGlob** (optional): Forces the usage of [glob](https://www.npmjs.com/package/glob) to spit out an array of includes
 - **inject** (optional): Pass in localized env / options to be injected into a template
 
 ### Examples

diff --git a/index.js b/index.js
@@ -2,7 +2,7 @@ const url = require('url');
 const path = require('path');
 const { readFile } = require('fs/promises');
 const _ = require('lodash');
-const globby = require('globby');
+const { globSync } = require('glob');
 const Promise = require('bluebird');
 const sortObject = require('@znemz/sort-object');
 const { S3Client, GetObjectCommand } = require('@aws-sdk/client-s3');
@@ -262,7 +262,7 @@ async function recurse({ base, scope, cft, ...opts }) {
             const absolute = location.relative
               ? path.join(path.dirname(base.path), location.host, location.path || '')
               : [location.host, location.path].join('');
-            const globs = globby.sync(absolute);
+            const globs = globSync(absolute).sort();
             if (json.omitExtension) {
               return globs.map((f) => path.basename(f, path.extname(f)));
             }
@@ -590,7 +590,7 @@ async function fnInclude({ base, scope, cft, ...opts }) {
 
     handleInjectSetup();
     if (isGlob(cft, absolute)) {
-      const paths = globby.sync(absolute);
+      const paths = globSync(absolute).sort();
       const template = yaml.load(paths.map((_p) => `- Fn::Include: file://${_p}`).join('\n'));
       return recurse({ base, scope, cft: template, ...opts });
     }

diff --git a/package.json b/package.json
@@ -41,23 +41,25 @@
     "test:run": "sleep 1 && mocha --timeout 20000 --bail t/include.js t/cli.js t/replaceEnv.js"
   },
   "dependencies": {
-    "@aws-sdk/client-cloudformation": "^3",
-    "@aws-sdk/client-s3": "^3",
-    "@znemz/cft-utils": "0.1.0",
+    "@aws-sdk/client-cloudformation": "^3.637.0",
+    "@aws-sdk/client-s3": "^3.637.0",
+    "@znemz/cft-utils": "0.1.1",
     "@znemz/sort-object": "^3.0.4",
     "aws-sdk-v3-proxy": "2.1.2",
     "bluebird": "^3.7.2",
     "deepmerge": "^4.2.2",
-    "globby": "^11.1.0",
+    "glob": "^11.0.0",
     "jmespath": "^0.16.0",
     "js-yaml": "^3.14.0",
     "jsonminify": "^0.4.1",
-    "lodash": "^4.17.20",
+    "lodash": "^4.17.21",
     "path-parse": "~1.0.7",
     "proxy-agent": "6.3.1",
     "yargs": "17"
   },
   "devDependencies": {
+    "@commitlint/cli": "^19",
+    "@commitlint/config-conventional": "^19",
     "better-npm-audit": "3.7.3",
     "eslint": "8",
     "eslint-config-prettier": "9",
@@ -68,7 +70,7 @@
     "npm-run-all": "4.1.5",
     "prettier": "3",
     "serve": "14.2.1",
-    "sort-package-json": "2.6.0"
+    "sort-package-json": "2.10.1"
   },
   "engines": {
     "node": ">=8"