Skip to content

Update del to v6.1.1 for security improvements #210

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ram-ui-dev wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Update del to v6.1.1 for security improvements #210

ram-ui-dev wants to merge 2 commits into from

Conversation

@ram-ui-dev
Copy link

@ram-ui-dev ram-ui-dev commented Nov 22, 2025
edited
Loading

Summary

Updates the del dependency from v4.1.1 to v6.1.1, bringing significant security improvements and updated dependencies while maintaining CommonJS compatibility.

Motivation

  • Eliminates dependency on the vulnerable glob package (replaced with fast-glob)
  • Updates globby from v6.1.0 to v11.0.1 (5 major versions)
  • Addresses security concerns from outdated dependencies
  • Improves performance with modern fast-glob implementation

Changes Made

1. Updated Dependencies

  • del: ^4.1.1^6.1.1
    • Brings globby@11.0.1 (uses fast-glob instead of glob)
    • Updates rimraf to v3
    • Adds graceful-fs for better filesystem reliability

2. Updated Error Handling

  • Modified error message regex to match del@6.x format
  • Changed "files/folders" to "files/directories" in error detection
  • Added TypeScript type assertion for better type safety

3. Fixed Tests

  • Updated two tests that delete files outside the output directory
  • Added explicit dangerouslyAllowCleanPatternsOutsideProject: true option
  • Required due to stricter path validation in del@6.x

4. Fixed ESLint Error (Bonus)

  • Removed .js extension from jest.config import in wallaby.config.js
  • Fixes import/extensions ESLint rule violation
  • This was a pre-existing error on master that blocked pre-push hooks

Why Not del@7.x or del@8.x?

  • del@7.0.0+ are pure ESM modules
  • Current project uses CommonJS with Jest 24
  • Upgrading to ESM would require converting entire project to ESM, upgrading Jest to v29+, and potential breaking changes for users
  • del@6.1.1 is the optimal choice: Last CommonJS-compatible version with modern dependencies

Test Results

✅ All 42 tests passing (100%)
✅ Build successful
✅ TypeScript compilation successful

Breaking Changes

None - This is a drop-in replacement with the same API.

Checklist

  • Tests pass locally
  • Build succeeds
  • No breaking changes to public API
  • Updated error handling for del@6.x compatibility
  • All existing functionality preserved

@ramanathanMuthuraman
Update del to v6.1.1 for security improvements
cd0d537 
- Update del from ^4.1.1 to ^6.1.1
- Eliminates vulnerable glob dependency (replaced with fast-glob)
- Updates globby from v6 to v11
- Fix error message regex for del@6.x compatibility
- Add TypeScript type assertion for error handling
- Update tests for stricter path validation in del@6.x

All 42 tests passing. No breaking changes.
@ramanathanMuthuraman
Fix ESLint error in wallaby.config.js
6f524ea 
Remove .js extension from jest.config require to comply with import/extensions rule.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ram-ui-dev @ramanathanMuthuraman