Replace glob@^7.0.0 with tinyglobby@^0.2.15 (#54737)

Summary:
This replaces `glob@^7.0.0` with `tinyglobby@^0.2.15`. `glob@7` has been deprecated for a while and some versions after had security notices released for them. The plan is to backport this PR to `0.81.x` and onwards.

> [!NOTE]
> This is a stopgap solution until `fs.glob` becomes generally available with the EOL of Node v20

Succeeds:
- #54669
- #48875

## Changelog:

[GENERAL] [SECURITY] - Replace `glob@^7.0.0` with `tinyglobby@^0.2.15`

Pull Request resolved: #54737

Test Plan:
- Ran all modified commands manually and `pod install in `rn-tester`
- NOTE: `ios-prebuild`-related scripts haven't been run manually yet

Reviewed By: robhogan

Differential Revision: D88069145

Pulled By: huntie

fbshipit-source-id: 0c455342a4c6d1d6605fd09fe47b418e5d751491

Author: kitten

flow-typed/npm/glob_v7.x.x.js

@@ -0,0 +1,34 @@
+declare module 'tinyglobby' {
+  import typeof FSModule from 'fs';
+
+  declare type FileSystemAdapter = Partial<FSModule>;
+
+  declare type GlobOptions = {
+    absolute?: boolean,
+    braceExpansion?: boolean,
+    caseSensitiveMatch?: boolean,
+    cwd?: string | URL,
+    debug?: boolean,
+    deep?: number,
+    dot?: boolean,
+    expandDirectories?: boolean,
+    extglob?: boolean,
+    followSymbolicLinks?: boolean,
+    fs?: FileSystemAdapter,
+    globstar?: boolean,
+    ignore?: string | $ReadOnlyArray<string>,
+    onlyDirectories?: boolean,
+    onlyFiles?: boolean,
+    signal?: AbortSignal,
+  };
+
+  declare type GlobModule = {
+    convertPathToPattern(path: string): string;
+    escapePath(path: string): string;
+    isDynamicPattern(pattern: string, options?: { caseSensitiveMatch: boolean }): boolean;
+    glob(patterns: string | $ReadOnlyArray<string>, options?: GlobOptions): Promise<string[]>;
+    globSync(patterns: string | $ReadOnlyArray<string>, options?: GlobOptions): string[];
+  };
+
+  declare module.exports: GlobModule;
+}

flow-typed/npm/tinyglobby_v0.2.x.js

@@ -87,7 +87,6 @@
     "fb-dotslash": "0.5.8",
     "flow-api-translator": "0.32.0",
     "flow-bin": "^0.291.0",
-    "glob": "^7.1.1",
     "hermes-eslint": "0.32.0",
     "hermes-transform": "0.32.0",
     "ini": "^5.0.0",
@@ -116,6 +115,7 @@
     "supports-color": "^7.1.0",
     "temp-dir": "^2.0.0",
     "tinybench": "^4.1.0",
+    "tinyglobby": "^0.2.15",
     "typescript": "5.8.3",
     "ws": "^7.5.10"
   },

package.json

@@ -31,10 +31,10 @@
   "dependencies": {
     "@babel/core": "^7.25.2",
     "@babel/parser": "^7.25.3",
-    "glob": "^7.1.1",
     "hermes-parser": "0.32.0",
     "invariant": "^2.2.4",
     "nullthrows": "^1.1.1",
+    "tinyglobby": "^0.2.15",
     "yargs": "^17.6.2"
   },
   "devDependencies": {

packages/react-native-codegen/package.json

@@ -25,10 +25,10 @@
 
 const babel = require('@babel/core');
 const fs = require('fs');
-const glob = require('glob');
 const micromatch = require('micromatch');
 const path = require('path');
 const prettier = require('prettier');
+const {globSync} = require('tinyglobby');
 const {styleText} = require('util');
 
 const prettierConfig = JSON.parse(
@@ -106,8 +106,11 @@ async function buildFile(file, silent) {
 }
 
 const srcDir = path.resolve(__dirname, '..', SRC_DIR);
-const pattern = path.resolve(srcDir, '**/*');
-const files = glob.sync(pattern, {nodir: true});
+const files = globSync('**/*', {
+  cwd: srcDir,
+  absolute: true,
+  onlyFiles: true,
+});
 
 process.stdout.write(fixedWidth(`${path.basename(PACKAGE_DIR)}\n`));
 

packages/react-native-codegen/scripts/build.js

@@ -15,8 +15,8 @@ const {FlowParser} = require('../../parsers/flow/parser');
 const {TypeScriptParser} = require('../../parsers/typescript/parser');
 const {filterJSFile} = require('./combine-utils');
 const fs = require('fs');
-const glob = require('glob');
 const path = require('path');
+const {globSync} = require('tinyglobby');
 
 const flowParser = new FlowParser();
 const typescriptParser = new TypeScriptParser();
@@ -66,13 +66,11 @@ function expandDirectoriesIntoFiles(
       if (!fs.lstatSync(file).isDirectory()) {
         return [file];
       }
-      const filePattern = path.sep === '\\' ? file.replace(/\\/g, '/') : file;
-      return glob.sync(`${filePattern}/**/*{,.fb}.{js,ts,tsx}`, {
-        nodir: true,
-        // TODO: This will remove the need of slash substitution above for Windows,
-        // but it requires glob@v9+; with the package currenlty relying on
-        // [email protected]; and flow-typed repo not having definitions for glob@9+.
-        // windowsPathsNoEscape: true,
+      return globSync('**/*{,.fb}.{js,ts,tsx}', {
+        expandDirectories: false,
+        onlyFiles: true,
+        absolute: true,
+        cwd: file,
       });
     })
     .filter(element => filterJSFile(element, platform, exclude));

packages/react-native-codegen/src/cli/combine/combine-js-to-schema.js

@@ -175,7 +175,6 @@
     "base64-js": "^1.5.1",
     "commander": "^12.0.0",
     "flow-enums-runtime": "^0.0.6",
-    "glob": "^7.1.1",
     "hermes-compiler": "0.0.0",
     "invariant": "^2.2.4",
     "jest-environment-node": "^29.7.0",
@@ -191,6 +190,7 @@
     "scheduler": "0.27.0",
     "semver": "^7.1.3",
     "stacktrace-parser": "^0.1.10",
+    "tinyglobby": "^0.2.15",
     "whatwg-fetch": "^3.0.0",
     "ws": "^7.5.10",
     "yargs": "^17.6.2"

packages/react-native/package.json

@@ -13,8 +13,8 @@
 const CodegenUtils = require('../codegen-utils');
 const {codegenLog} = require('./utils');
 const fs = require('fs');
-const glob = require('glob');
 const path = require('path');
+const {globSync} = require('tinyglobby');
 
 function generateSchemaInfos(
   libraries /*: $ReadOnlyArray<$FlowFixMe> */,
@@ -57,17 +57,18 @@ function extractSupportedApplePlatforms(
   dependencyPath /*: string */,
 ) /*: ?{[string]: boolean} */ {
   codegenLog('Searching for podspec in the project dependencies.', true);
-  const podspecs = glob.sync('*.podspec', {cwd: dependencyPath});
+  const podspecs = globSync('*.podspec', {
+    cwd: dependencyPath,
+    onlyFiles: true,
+    absolute: true,
+  });
 
   if (podspecs.length === 0) {
     return;
   }
 
   // Take the first podspec found
-  const podspec = fs.readFileSync(
-    path.join(dependencyPath, podspecs[0]),
-    'utf8',
-  );
+  const podspec = fs.readFileSync(podspecs[0], 'utf8');
 
   /**
    * Podspec can have platforms defined in two ways:

packages/react-native/scripts/codegen/generate-artifacts-executor/generateSchemaInfos.js

@@ -15,8 +15,8 @@ import type {BuildFlavor, Destination} from './types';
 const {createLogger} = require('./utils');
 const {execSync} = require('child_process');
 const fs = require('fs');
-const glob = require('glob');
 const path = require('path');
+const {globSync} = require('tinyglobby');
 
 const buildLog = createLogger('SPM');
 
@@ -28,9 +28,16 @@ function computeFrameworkPaths(
   productsFolder /*: string */,
 ) /*: Array<string> */ {
   // The frameworks are in the products folder under a platform/buildType folder and are directories ending with .framework
-  const frameworks = glob.sync('**/*.framework', {
+  const frameworks = globSync('**/*.framework', {
     cwd: productsFolder,
+    expandDirectories: false,
+    onlyDirectories: true,
     absolute: true,
+  }).map(framework => {
+    // NOTE: tinyglobby outputs a trailing slash for directories
+    return framework[framework.length - 1] === '/'
+      ? framework.slice(0, -1)
+      : framework;
   });
 
   if (frameworks.length === 0) {

packages/react-native/scripts/ios-prebuild/build.js

@@ -9,8 +9,8 @@
  */
 
 const fs = require('fs');
-const glob = require('glob');
 const path = require('path');
+const {globSync} = require('tinyglobby');
 
 /**
  * This regular expression is designed to match function calls to `podspec_sources` within a podspec file.
@@ -32,9 +32,10 @@ function getHeaderFilesFromPodspecs(
   rootFolder /*:string*/,
 ) /*: { [key: string]: string[] }*/ {
   // Find podspec files
-  const podSpecFiles = glob.sync('**/*.podspec', {
+  const podSpecFiles = globSync('**/*.podspec', {
     cwd: rootFolder,
     absolute: true,
+    onlyFiles: true,
   });
 
   const headers /*: { [key: string]: string[] }*/ = {};
@@ -66,9 +67,10 @@ function getHeaderFilesFromPodspecs(
         const p = path.resolve(process.cwd(), path.dirname(podspec));
         const results = globPatterns
           .map(g => {
-            return glob.sync(g.replace('{h}', 'h'), {
+            return globSync(g.replace('{h}', 'h'), {
               cwd: p,
               absolute: true,
+              expandDirectories: false,
             });
           })
           .flat();