
Bump glob to 13 in vscode and lsp to resolve Snyk advisories#1019

Merged
cscheid merged 2 commits into main from bump/some-security-updates-for-snyk-reporting on Jun 22, 2026

Conversation

@juliasilge

Collaborator

This PR bumps glob to ^13.0.6 in both the VS Code extension (apps/vscode) and the LSP (apps/lsp) to clear a set of Snyk-reported security advisories, plus the regenerated yarn.lock.

Previously apps/vscode used glob@^11.0.3 and apps/lsp used glob@^10.2.5. Both fell in the affected ranges for the glob CLI command injection advisory, and both dragged in vulnerable transitive minimatch and brace-expansion versions.

Advisories resolved

Moving to glob@13 cascades to clean transitive dependencies ([email protected], [email protected]) in both apps. The scoped @isaacs/brace-expansion package from the original advisory is no longer in either app's tree.

Notes

  • The glob command injection is CLI-only; the advisory states the library API is unaffected. Both apps use only the library API (glob() / glob.sync()), so there was no real exploit path here. The bump is to satisfy the version-based scanner.
  • Both glob call sites use the stable API that is unchanged across these major versions, so no code changes were needed.

Verification

  • yarn build-vscode passes (exit 0)
  • LSP build passes (exit 0)
  • yarn install --frozen-lockfile is consistent
  • No glob@10/11, [email protected], or @isaacs/brace-expansion remain in either app's runtime dependency tree

Out of scope

  • [email protected] and [email protected] still appear under dev/test tooling only (mocha, @vscode/test-cli); these are not shipped in either app and can be addressed separately.
  • packages/ojs/quarto-ojs-runtime is a standalone, separately published package and is not a dependency of the VS Code extension, so its advisories do not affect the extension.
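The "Verification" list above confirms by hand that no glob@10/11 remains in either app's dependency tree. The following script, an added example that is not part of this PR or of the quarto project's own tooling, automates that check: it parses a yarn classic (v1) lockfile, extracts the resolved version for every package entry, and reports entries that resolve below a caller-supplied minimum. The lockfile excerpt is constructed to mirror the pre-bump state the PR describes (glob@^10.2.5 and glob@^11.0.3 alongside the new ^13.0.6); the resolved versions inside it and the registry URLs are placeholders, and the only floor taken from the page is glob 13.0.6 (the version this PR moves to), so a minimatch or brace-expansion floor would have to be added from the actual advisory.

```javascript
// Added example: audit a yarn.lock (v1 format) for packages resolving below a
// required minimum version. Not code from the PR or the quarto repository.

// Constructed lockfile excerpt. Resolved versions and URLs are placeholders
// chosen to illustrate the pre-bump and post-bump state described in the PR.
const SAMPLE_LOCK = `
# yarn lockfile v1


"glob@^10.2.5":
  version "10.4.5"
  resolved "https://registry.example/glob/-/glob-10.4.5.tgz"
  dependencies:
    minimatch "^9.0.4"

"glob@^11.0.3":
  version "11.0.3"
  resolved "https://registry.example/glob/-/glob-11.0.3.tgz"
  dependencies:
    minimatch "^10.0.0"

"glob@^13.0.6":
  version "13.0.6"
  resolved "https://registry.example/glob/-/glob-13.0.6.tgz"

"minimatch@^9.0.4", "minimatch@^9.0.1":
  version "9.0.5"
  resolved "https://registry.example/minimatch/-/minimatch-9.0.5.tgz"
`;

// Parse yarn v1 lockfile text into { name, requested, version } records.
// Each entry is a block separated by a blank line; the first line lists one or
// more "name@range" specs and ends with a colon; an indented `version "x.y.z"`
// line gives the resolved version that actually ships.
function parseYarnLockV1(text) {
  const entries = [];
  for (const block of text.split(/\n\s*\n/)) {
    const lines = block
      .split("\n")
      .filter((l) => l.trim() && !l.trim().startsWith("#"));
    if (lines.length === 0) continue;
    const header = lines[0];
    // Entry headers are unindented and end with ":".
    if (/^\s/.test(header) || !header.endsWith(":")) continue;
    const specs = header
      .slice(0, -1)
      .split(",")
      .map((s) => s.trim().replace(/^"|"$/g, ""));
    const versionLine = lines.find((l) => /^\s+version\s+"/.test(l));
    if (!versionLine) continue;
    const version = versionLine.match(/version\s+"([^"]+)"/)[1];
    for (const spec of specs) {
      // Split on the last "@" so scoped names like @isaacs/brace-expansion survive.
      const at = spec.lastIndexOf("@");
      if (at <= 0) continue;
      entries.push({ name: spec.slice(0, at), requested: spec.slice(at + 1), version });
    }
  }
  return entries;
}

// Compare two dotted versions numerically (major.minor.patch); a pre-release
// suffix is ignored, which is adequate for floor checks on release versions.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return every lockfile entry whose resolved version is below the minimum
// required for that package. `minimums` maps package name to floor version.
function auditLockfile(lockText, minimums) {
  const findings = [];
  for (const e of parseYarnLockV1(lockText)) {
    const floor = minimums[e.name];
    if (floor && compareVersions(e.version, floor) < 0) {
      findings.push({ ...e, minimum: floor });
    }
  }
  return findings;
}

// Floor from the PR: glob must resolve to 13.0.6 or newer. Other packages'
// floors are deliberately left out because the page does not state them.
const MINIMUMS = { glob: "13.0.6" };

for (const f of auditLockfile(SAMPLE_LOCK, MINIMUMS)) {
  console.log(`${f.name}@${f.requested} resolves to ${f.version}, below ${f.minimum}`);
}
```

Run it against a real lockfile by replacing SAMPLE_LOCK with the file's contents; a clean tree returns an empty findings list. Note that yarn v1 lockfiles do not distinguish runtime from dev-only dependencies, so the dev-tooling exclusions the PR lists under "Out of scope" still need to be applied by hand or by consulting each package.json.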

@posit-snyk-bot

posit-snyk-bot commented Jun 22, 2026

Contributor

Snyk checks have passed. No issues have been found so far.

Status  Scan Engine           Critical  High  Medium  Low  Total (0)
        Open Source Security  0         0     0       0    0 issues
        Licenses              0         0     0       0    0 issues


@juliasilge

Collaborator Author

What I plan to do is to get this merged, rescan in Snyk, and if everything looks as I expect, do a release of the Quarto extension.

@juliasilge juliasilge requested a review from cscheid June 22, 2026 18:29
@cscheid

cscheid commented Jun 22, 2026

Member

lgtm! I'm going to merge it.

@cscheid cscheid merged commit a58e2e6 into main Jun 22, 2026
5 checks passed
@juliasilge juliasilge deleted the bump/some-security-updates-for-snyk-reporting branch June 22, 2026 18:43