limit recursion for **, improve perf considerably

This limits the levels of recursion allowed when encountering multiple
non-adjacent `**` portions of a pattern.

Update `**` handling, with performance massively improved by limiting
the recursive walk much more aggressively. When a `**` portion is
present, the entire pattern is split up into sections. The head and tail
first have to match, and then each subsequent portion is only tested in
the part of the file where it might actually be found, taking advantage
of the fact that non-globstar portions must always consume as many path
portions as there are pattern portions.

Fix: GHSA-7r86-cg39-jmmj

Author: isaacs

README.md

@@ -396,6 +396,22 @@ separators in file paths for comparison.)
 
 Defaults to the value of `process.platform`.
 
+### maxGlobstarRecursion
+
+Max number of non-adjacent `**` patterns to recursively walk
+down.
+
+The default of `200` is almost certainly high enough for most
+purposes, and can handle absurdly excessive patterns.
+
+If the limit is exceeded (which would require very excessively
+long patterns and paths containing lots of `**` patterns!), then
+it is treated as non-matching, even if the path would normally
+match the pattern provided.
+
+That is, this is an intentional false negative, deemed an
+acceptable break in correctness for security and performance.
+
 ## Comparisons to other fnmatch/glob implementations
 
 While strict compliance with the existing standards is a

package-lock.json

@@ -45,7 +45,7 @@
     "@types/node": "^25.3.0",
     "mkdirp": "^3.0.1",
     "prettier": "^3.6.2",
-    "tap": "^21.6.1",
+    "tap": "^21.6.2",
     "tshy": "^3.0.2",
     "typedoc": "^0.28.5"
   },

package.json

@@ -1,6 +1,6 @@
 const MAX_PATTERN_LENGTH = 1024 * 64
 export const assertValidPattern: (pattern: any) => void = (
-  pattern: any,
+  pattern: unknown,
 ): asserts pattern is string => {
   if (typeof pattern !== 'string') {
     throw new TypeError('invalid pattern')