glob < 9 pulls in insecure depedendency, inflight

[joshcartme]

protobuf.js version: 7.2.6
protobufjs-cli version: 1.1.2

The CLI pulls in "glob": "^8.0.0",. glob less than 9 has inflight as a dependency. inflight has a known vulnerability, https://security.snyk.io/package/npm/inflight, and as it appears to be abandonware will likely never be fixed. It is also not going to be fixed in the 8.x branch of glob, isaacs/node-glob#573.

It appears the the use of glob in the cli is compatible with 9 or 10, I'm not entirely sure how to evaluate that myself.

[joshcartme]

I see that renovate attempted to upgrade glob to 9 in #1869. Something went wrong but the logs from what failed are gone. Locally I've tried upgrading it to the latest 9 and for my purposes, which are not comprehensive, it works fine.

[avifenesh]

+1

[mortbopet]

+1 - glob v8 is marked as a deprecated package due to the mentioned security vulnerability, and protobufjs-cli is thus (transitively) illegal to use for any organization which scans for deprecated packages - e.g. internally in Microsoft, and I'd imagine in many other places. A bump to glob >=9 would be greatly appreciated. CC @mkruskal-google seems like there's already a PR ready for review which bumps to version 9, although it might be a good time to consider a more recent version of glob, since v9.0 is already a 3 year old package.