glob < 9 pulls in insecure depedendency, inflight

[joshcartme]

protobuf.js version: 7.2.6
protobufjs-cli version: 1.1.2

The CLI pulls in "glob": "^8.0.0",. glob less than 9 has inflight as a dependency. inflight has a known vulnerability, https://security.snyk.io/package/npm/inflight, and as it appears to be abandonware will likely never be fixed. It is also not going to be fixed in the 8.x branch of glob, isaacs/node-glob#573.

It appears the the use of glob in the cli is compatible with 9 or 10, I'm not entirely sure how to evaluate that myself.

[joshcartme]

I see that renovate attempted to upgrade glob to 9 in #1869. Something went wrong but the logs from what failed are gone. Locally I've tried upgrading it to the latest 9 and for my purposes, which are not comprehensive, it works fine.

[avifenesh]

+1