
Conversation

@benmccann (Contributor) commented May 7, 2025

@benmccann (Contributor, Author) commented Jun 26, 2025

@babblebey @travi @gr2m would I be able to get a review on this PR? It's a bit difficult to keep it updated to avoid merge conflicts since Renovate is constantly updating the lockfile. Thanks!

@gr2m (Member) commented Jun 27, 2025

The number of dependencies is not a problem, especially if both globby and all of its sub-dependencies are quite established and from @sindresorhus, whom we know and trust.

tinyglobby seems to be widely used as well, but we would have to investigate thoroughly before we expose ourselves to a new third-party injection attack vector. So I'm not saying no, we are just being careful.

@benmccann (Contributor, Author) commented Jun 27, 2025

Yeah, it's good to be thoughtful about dependency changes. In case it helps, here are the top 10 packages using both libraries. Overall, I'd say that the most popular packages are leaning towards using tinyglobby, but globby has more downloads overall as it takes a while for people to upgrade their packages and become aware of newer packages.

I'll also note that you don't have to just trust Sindre, but all 14 people who have access to publish globby or one of its dependencies as compared to only 6 for tinyglobby. I generally think that everyone involved in both packages and their dependencies is quite trustworthy, but am more worried about compromised machines/credentials. The more people with the ability to publish, the more attack surface area exists.

| # | Downloads | Package | Note |
|---|-----------|---------|------|
| 1 | 107.99M | vite | |
| 2 | 78.69M | node-gyp | |
| 3 | 52.53M | eslint-import-resolver-typescript | |
| 4 | 42.00M | vitest | |
| 5 | 39.83M | copy-webpack-plugin | |
| 6 | 14.24M | @oclif/core | |
| 7 | 11.97M | @nx/js | |
| 8 | 9.67M | @vitest/ui | |
| 9 | 8.14M | lerna | |
| 10 | 8.06M | @lerna/create | |

| # | Downloads | Package | Note |
|---|-----------|---------|------|
| 1 | 62.34M | del | Sindre's package |
| 2 | 22.99M | react-dev-utils | deprecated |
| 3 | 22.93M | stylelint | blocked on migrating until they cut a new major |
| 4 | 18.45M | @graphql-tools/graphql-file-loader | |
| 5 | 17.61M | @graphql-tools/json-file-loader | |
| 6 | 16.26M | @graphql-tools/code-file-loader | |
| 7 | 9.54M | @storybook/codemod | they're investigating the switch and already switched another package to tinyglobby during dependency cleanup; update: they've now moved to tinyglobby |
| 8 | 9.39M | @semantic-release/github | this package |
| 9 | 8.44M | @storybook/cli | they're investigating the switch and already switched another package to tinyglobby during dependency cleanup |
| 10 | 7.80M | cpy | Sindre's package |
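
The publish-access count in the comment above (how many accounts can publish a package or any of its transitive dependencies) is a useful number to compute for any npm subtree before adopting it. The script below is an added example for this thread, not code from semantic-release or from this PR. It walks a dependency graph breadth-first, unions the maintainers of every package reached, reports which accounts control more than one package in the tree, and lists the accounts a switch from one library to another would newly trust. The input shape (a map of package name to maintainer usernames and dependency names, as you could assemble from `npm view <name> maintainers dependencies --json`) is an assumption, and the packages and maintainers in the snapshot are constructed for the example, not real ones.

```javascript
// Added example, not code from semantic-release or from this PR.
// Estimates the npm "publish attack surface" of a dependency subtree: the
// set of distinct accounts that can publish the root package or any of its
// transitive dependencies, and how many packages each of them controls.
//
// Assumed input shape (an assumption, not npm's exact packument format):
// package name -> maintainer usernames and dependency names, flattened to
// the latest version, roughly what `npm view <name> maintainers dependencies
// --json` returns. The snapshot below is constructed for the example; the
// package and maintainer names do not refer to real packages or people.
const registry = {
  'glob-a':       { maintainers: ['alice', 'bob'],         dependencies: ['walk-fast', 'ignore-list', 'path-kind'] },
  'walk-fast':    { maintainers: ['alice', 'carol'],       dependencies: ['match-glob'] },
  'ignore-list':  { maintainers: ['dave'],                 dependencies: [] },
  'path-kind':    { maintainers: ['alice'],                dependencies: [] },
  'match-glob':   { maintainers: ['erin', 'frank', 'gus'], dependencies: ['brace-expand'] },
  'brace-expand': { maintainers: ['erin', 'frank'],        dependencies: ['range-fill'] },
  'range-fill':   { maintainers: ['frank'],                dependencies: ['brace-expand'] }, // cycle, on purpose
  'glob-b':       { maintainers: ['heidi'],                dependencies: ['dir-walk'] },
  'dir-walk':     { maintainers: ['heidi', 'ivan'],        dependencies: [] },
};

// Breadth-first walk of the transitive closure. `seen` makes the walk
// terminate on dependency cycles and on packages shared by several parents.
function publishSurface(root, reg = registry) {
  const seen = new Set();
  const byPublisher = new Map(); // account -> packages in the tree it can publish
  const queue = [root];
  while (queue.length > 0) {
    const name = queue.shift();
    if (seen.has(name)) continue;
    const meta = reg[name];
    if (!meta) throw new Error(`no registry data for ${name}`);
    seen.add(name);
    for (const user of meta.maintainers) {
      if (!byPublisher.has(user)) byPublisher.set(user, []);
      byPublisher.get(user).push(name);
    }
    queue.push(...meta.dependencies);
  }
  return {
    packages: [...seen].sort(),
    publishers: [...byPublisher.keys()].sort(),
    // Accounts that can publish several packages in the tree are the ones
    // whose compromise (credentials or machine) does the most damage.
    byPublisher: Object.fromEntries([...byPublisher].sort(([a], [b]) => a.localeCompare(b))),
  };
}

// Accounts that switching from `from` to `to` would newly trust: everyone
// who can publish into `to`'s tree but could not already publish into `from`'s.
function addedPublishers(from, to, reg = registry) {
  const already = new Set(publishSurface(from, reg).publishers);
  return publishSurface(to, reg).publishers.filter((user) => !already.has(user));
}

function summarize(name, reg = registry) {
  const surface = publishSurface(name, reg);
  return { package: name, packages: surface.packages.length, publishers: surface.publishers.length };
}

console.log(summarize('glob-a')); // { package: 'glob-a', packages: 7, publishers: 7 }
console.log(summarize('glob-b')); // { package: 'glob-b', packages: 2, publishers: 2 }
console.log(publishSurface('glob-a').byPublisher);
console.log('accounts newly trusted by switching glob-a -> glob-b:', addedPublishers('glob-a', 'glob-b')); // [ 'heidi', 'ivan' ]
```

Two caveats when running this against a real registry: the `maintainers` field is a snapshot of who holds publish rights today, so re-run it when the lockfile changes, and it counts accounts, not the laptops and CI tokens behind them, which is the compromise vector the comment is actually worried about. A small publisher set is a lower bound on the blast radius, not a guarantee.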

@benmccann benmccann force-pushed the tinyglobby branch 3 times, most recently from 55ea34f to f4142e6 on June 28, 2025 02:58

@gr2m (Member) commented Jul 17, 2025

Great assessment, thank you for doing the research. Let me talk to @travi to have another set of eyes, but I'm in favor.

@gr2m (Member) left a comment

Sorry for the delay. Could you fix the merge conflict? Otherwise it's good to go!

@benmccann (Contributor, Author) commented Sep 9, 2025

Hey @gr2m, sorry it took me a little while to get back to this, but I've fixed the merge conflict now.

@gr2m (Member) left a comment

Thank you!

@gr2m gr2m changed the title from `chore(deps): switch to tinyglobby` to `fix(deps): switch to tinyglobby` on Sep 11, 2025
@gr2m gr2m enabled auto-merge (squash) September 11, 2025 04:19
@gr2m gr2m merged commit ed90698 into semantic-release:master Sep 11, 2025
6 checks passed

🎉 This PR is included in version 11.0.6 🎉

The release is available on:

Your semantic-release bot 📦🚀
