Conversation

@MarcAstr0 (Collaborator)

Force all glob dependencies to use version 10.5.0 or higher via pnpm hook to prevent command injection vulnerability (CVE-2025-64756) that affects glob versions 10.2.0 through 10.4.x.

The vulnerability allows arbitrary command execution when the glob CLI tool is used with the -c/--cmd flag and processes files with malicious names. While this primarily affects CLI usage, updating ensures no security scanners will flag vulnerable versions in the dependency tree.

Changes:

  • Updated .pnpmfile.cjs hook to override vulnerable glob versions
  • Regenerated pnpm-lock.yaml with glob 10.5.0

🤖 Generated with Claude Code

Description

Changes

Checks

  • Project Builds
  • Project passes tests and checks
  • Updated documentation accordingly

Force all glob dependencies to use version 10.5.0 or higher via pnpm
hook to prevent command injection vulnerability (CVE-2025-64756) that
affects glob versions 10.2.0 through 10.4.x.

The vulnerability allows arbitrary command execution when the glob CLI
tool is used with the -c/--cmd flag and processes files with malicious
names. While this primarily affects CLI usage, updating ensures no
security scanners will flag vulnerable versions in the dependency tree.

Changes:
- Updated .pnpmfile.cjs hook to override vulnerable glob versions
- Regenerated pnpm-lock.yaml with glob 10.5.0

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
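The PR describes the mechanism only in outline (a `.pnpmfile.cjs` hook that overrides vulnerable `glob` versions). The following is an added illustration of that mechanism, not the repository's own hook: a pnpm `readPackage` hook that rewrites any `glob` range in the CVE-2025-64756 window to require 10.5.0 or later. It also rewrites 10.0.x and 10.1.x caret ranges, because those can still resolve into the affected 10.2.0–10.4.x window; the minimal range parser is an assumption standing in for a semver library.

```javascript
// Added example (not the project's .pnpmfile.cjs): a pnpm readPackage hook that
// forces every dependency on `glob` in the CVE-2025-64756 window (10.2.0
// through 10.4.x) to resolve to 10.5.0 or later. The range parsing below is a
// minimal stand-in for a semver library and only inspects the first x.y.z
// literal in a range.

const MIN_SAFE_GLOB = '10.5.0';

// Extract the first x.y.z literal from a range such as "^10.3.10" or "~10.4.0".
// Returns null for ranges without an explicit literal (e.g. "latest", "*").
function parseFirstVersion(range) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(String(range));
  return m ? { major: +m[1], minor: +m[2], patch: +m[3] } : null;
}

// True when the declared range may resolve to a vulnerable glob build. Any 10.x
// range below 10.5.0 is treated as affected: "^10.0.0" is not itself in the
// CVE window, but pnpm may resolve it to a 10.2–10.4 release.
function isVulnerableGlobRange(range) {
  const v = parseFirstVersion(range);
  if (v === null) return false;
  return v.major === 10 && v.minor < 5;
}

// Rewrite glob entries in dependencies, devDependencies and optionalDependencies.
// Returns the fields that were changed so the caller can audit the override.
function pinGlob(pkg) {
  const changed = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    const deps = pkg[field];
    if (deps && typeof deps.glob === 'string' && isVulnerableGlobRange(deps.glob)) {
      deps.glob = `>=${MIN_SAFE_GLOB}`;
      changed.push(field);
    }
  }
  return changed;
}

// pnpm calls readPackage(pkg, context) for every manifest it reads, including
// transitive dependencies, so one hook covers the whole dependency tree.
function readPackage(pkg, context) {
  const changed = pinGlob(pkg);
  if (changed.length > 0 && context && typeof context.log === 'function') {
    context.log(`${pkg.name}: forced glob >=${MIN_SAFE_GLOB} in ${changed.join(', ')}`);
  }
  return pkg;
}

module.exports = { hooks: { readPackage }, pinGlob, isVulnerableGlobRange, MIN_SAFE_GLOB };
```

After adding such a hook, the lockfile must be regenerated (as this PR does) for the override to take effect, and the new `pnpm-lock.yaml` should be checked for any remaining `glob@10.2`–`10.4` entries.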
MarcAstr0 added the label "do not merge" (This PR can be approved, but not merged yet) on Nov 24, 2025

what-the-diff bot commented Nov 24, 2025

PR Summary

  • Upgrade of 'glob' dependency version
    This update boosts the security of our application by addressing a potential weakness, called command injection vulnerability, that was discovered in certain versions of the 'glob' dependency we use. This vulnerability has been officially identified by number CVE-2025-64756. We've upgraded from those susceptible versions to version '10.5.0' to eliminate this risk. This action puts our users' data safety at top priority, ensuring our software continues to provide trustworthy service.

@MarcAstr0 (Collaborator, Author)

/integration sha=224dfd7

@github-actions (Contributor)

⌛ Integration tests are running...

Check their status here 👈

@github-actions (Contributor)

❌ Oh no! Integration tests have failed

MarcAstr0 and others added 3 commits November 24, 2025 16:18
Fix type error caused by stricter type checking in @types/node 20.19.x
where RequestOptions.headers could be OutgoingHttpHeaders or readonly
string array. Added explicit type cast to OutgoingHttpHeaders when
setting Content-Length header.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>