glob
the most correct and second fastest glob implementation in JavaScript
| Versions | License | Install Scripts | Provenance |
|---|---|---|---|
| 51 | BlueOak-1.0.0 | No | Missing |
Supply chain provenance
Status for the latest visible version.
No SLSA provenance
npm registry signatures
gitHead linked
Without SLSA provenance there is no cryptographic link between this tarball and the public source — the axios compromise (March 2026) relied on exactly this gap.
Maintainers
isaacs
Accepted risks
Findings the reviewer chose to accept rather than block on.
| Source | Rule | Reason | Accepted by | When |
|---|---|---|---|---|
| dependencies | unvetted-dep:path-is-absolute | AI (dependencies): path-is-absolute is a well-known, widely-used utility package by Sindre Sorhus; its use in glob is legitimate and expected for filesystem path handling. | ai | |
| phantom-deps | phantom-dep:fs.realpath | AI (phantom-deps): Polyfill used in build/config context; expected phantom-dep pattern for this package. | ai | |
| dependencies | unvetted-dep:fs.realpath | AI (dependencies): fs.realpath is a standard Node.js polyfill; stable dependency for glob's path resolution. | ai | |
| bogus-package | bogus-package | AI (bogus-package): glob is a canonical, extremely high-download npm package by Isaac Z. Schlueter. Bogus signals are artifacts of its age (~2011 publish era) when metadata standards didn't exist yet. | ai | |
| dependencies | unvetted-dep:fast-list | AI (dependencies): fast-list is a small utility package by isaacs (same author as glob); its use here is legitimate and consistent with the author's ecosystem of small Node.js utilities. | ai | |
| install-scripts | install-script:preinstall | AI (install-scripts): Preinstall runs node-waf to compile a native C++ binding — the standard build mechanism for native Node.js addons in the 2011 era. Entirely legitimate for this package. | ai | |
| phantom-deps | phantom-dep:graceful-fs | AI (phantom-deps): graceful-fs is a legitimate, well-known isaacs package declared as a runtime dep; phantom-dep finding reflects indirect usage pattern, not a security concern for this package. | ai | |
| dependencies | unvetted-dep:inflight | AI (dependencies): inflight is a well-known, long-established utility package by isaacs; its use in glob is expected and benign. | ai | |
| source-diff | large-new-source-files | AI (source-diff): 30 new files reflect TypeScript rewrite and modularization; consistent with major version refactor. | ai | |
| source-diff | source-size-tripled | AI (source-diff): Size increase from 34 KB to 135 KB is expected for TypeScript source + compiled output; no injection indicators. | ai | |
| dependencies | unvetted-dep:minimatch | AI (dependencies): minimatch is a canonical isaacs-maintained companion to glob; it is a stable, well-known dependency across the entire npm ecosystem and poses no risk for this package. | ai | |
| publish-pattern | new-deps-added | AI (publish-pattern): New deps (minipass, path-scurry, fs.realpath) are established packages; major version rewrite justifies dependency refresh. | ai | |
| license | uncommon-license:BSD | AI (license): BSD is a well-known permissive open-source license; the 'uncommon' flag is a false positive for this package. | ai | |
| provenance | no-provenance | AI (provenance): glob predates Sigstore provenance; absence of attestation is expected for this legacy package and does not indicate risk. | ai | |
| dependencies | unvetted-dep:package-json-from-dist | AI (dependencies): New package by isaacs (same trusted maintainer); reasonable version constraint; no security concern. | ai | |
| dependencies | unvetted-dep:jackspeak | AI (dependencies): jackspeak is a well-known CLI parsing library authored by isaacs, the same maintainer as glob. Its use here is expected and legitimate. | ai | |
Versions (showing 51 of 70)
| Version | Deps | Published |
|---|---|---|
| 13.0.6 | 3 / 9 | |
| 13.0.5 | 3 / 9 | |
| 13.0.4 | 3 / 9 | |
| 13.0.3 | 3 / 9 | |
| 13.0.2 | 3 / 9 | |
| 13.0.1 | 3 / 8 | |
| 13.0.0 | 3 / 8 | |
| 12.0.0 | 6 / 8 | |
| 11.1.0 | 6 / 8 | |
| 10.5.0 | 6 / 9 | |
| 9.1.2 | 4 / 11 | |
| 9.0.0 | 4 / 11 | |
| 8.0.3 | 5 / 5 | |
| 7.1.7 | 6 / 4 | |
| 7.1.4 | 6 / 4 | |
| 7.1.3 | 6 / 4 | |
| 7.0.6 | 6 / 4 | |
| 6.0.3 | 5 / 4 | |
| 6.0.2 | 5 / 4 | |
| 6.0.1 | 5 / 4 | |
| 4.5.3 | 4 / 4 | |
| 4.5.1 | 4 / 4 | |
| 4.5.0 | 4 / 4 | |
| 4.3.4 | 4 / 4 | |
| 4.3.2 | 4 / 4 | |
| 4.3.1 | 4 / 4 | |
| 4.2.2 | 4 / 4 | |
| 4.2.1 | 4 / 4 | |
| 4.1.2 | 5 / 4 | |
| 4.0.6 | 4 / 3 | |
| 4.0.5 | 4 / 3 | |
| 4.0.4 | 4 / 3 | |
| 4.0.3 | 4 / 3 | |
| 4.0.2 | 3 / 3 | |
| 4.0.1 | 2 / 3 | |
| 4.0.0 | 2 / 3 | |
| 3.2.11 | 2 / 3 | |
| 3.2.10 | 2 / 3 | |
| 3.2.9 | 2 / 3 | |
| 3.2.8 | 2 / 3 | |
| 3.2.7 | 2 / 3 | |
| 3.2.6 | 2 / 3 | |
| 3.2.5 | 2 / 3 | |
| 3.2.4 | 2 / 3 | |
| 3.2.3 | 3 / 3 | |
| 3.2.1 | 3 / 3 | |
| 3.2.0 | 3 / 3 | |
| 3.1.21 | 3 / 3 | |
| 3.1.20 | 3 / 3 | |
| 3.1.19 | 3 / 3 | |
| 3.1.18 | 3 / 3 | |