fix(deps): replaced glob by fast-glob due to security advisory

Author: manast

package.json

@@ -54,9 +54,10 @@
   },
   "dependencies": {
     "cron-parser": "^4.6.0",
-    "glob": "^8.0.3",
+    "fast-glob": "^3.3.2",
     "ioredis": "^5.3.2",
     "lodash": "^4.17.21",
+    "minimatch": "^9.0.3",
     "msgpackr": "^1.10.1",
     "node-abort-controller": "^3.1.1",
     "semver": "^7.5.4",

src/commands/script-loader.ts

@@ -1,5 +1,6 @@
 import { createHash } from 'crypto';
-import { glob, hasMagic } from 'glob';
+import { Minimatch } from 'minimatch';
+import * as fg from 'fast-glob';
 import * as path from 'path';
 import * as fs from 'fs';
 import { RedisClient } from '../interfaces';
@@ -74,9 +75,19 @@ export class ScriptLoaderError extends Error {
   }
 }
 
+const hasMagic = (pattern: string | string[]): boolean => {
+  if (!Array.isArray(pattern)) {
+    pattern = [pattern];
+  }
+  for (const p of pattern) {
+    if (new Minimatch(p, GlobOptions).hasMagic()) {return true;}
+  }
+  return false;
+};
+
 const isPossiblyMappedPath = (path: string) =>
   path && ['~', '<'].includes(path[0]);
-const hasFilenamePattern = (path: string) => hasMagic(path, GlobOptions);
+const hasFilenamePattern = (path: string) => hasMagic(path);
 
 /**
  * Lua script loader with include support
@@ -487,11 +498,7 @@ function splitFilename(filePath: string): {
 }
 
 async function getFilenamesByPattern(pattern: string): Promise<string[]> {
-  return new Promise<string[]>((resolve, reject) => {
-    glob(pattern, GlobOptions, (err, files) => {
-      return err ? reject(err) : resolve(files);
-    });
-  });
+  return fg.glob(pattern, { dot: true });
 }
 
 // Determine the project root