Description
Describe the bug
@oclif/plugin-plugins is currently using glob@10.4.5, which has a known security vulnerability. This causes security scanners (e.g., npm audit, GitHub Dependabot, Snyk) to flag projects that depend on @oclif/plugin-plugins as vulnerable, even if the project itself does not use glob directly.
GHSA-5j98-mcp5-4vw2
To Reproduce
Steps to reproduce the behavior:
Install @oclif/plugin-plugins in a project:
npm install @oclif/plugin-plugins
Run a security scan such as npm audit or view Dependabot alerts.
Scroll through the report until you find the flagged glob version.
See the vulnerability warning related to glob@10.4.5.
Expected behavior
The plugin should use a patched/non-vulnerable version of glob so that dependent projects do not inherit the security alert.
Additional context
The vulnerable glob version appears to be pulled in via transitive dependency.
Updating to a patched glob version (e.g., 10.4.x or newer once fixed) should resolve the security warning.
This issue affects any consumers of @oclif/plugin-plugins whose security tooling blocks or warns on vulnerable dependency trees.
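The reproduction steps above rely on `npm audit` or Dependabot to say that a flagged version is present but not where it comes from. The following is an added example, not code from this issue or from the @oclif/plugin-plugins project: a Node.js script that reads a `package-lock.json` (lockfileVersion 2 or 3, whose `packages` map lists every installed path) and reports each installed copy of a package together with the dependency chain that pulled it in, so a transitive alert can be traced to its parent. The embedded lockfile is constructed for illustration (the non-glob versions in it are placeholders, not real releases), and the affected version range is passed in by the caller because the advisory's range is not reproduced on this page.

```javascript
// Added example, not code from the issue or from @oclif/plugin-plugins.
// Walks a package-lock.json (lockfileVersion 2 or 3) to find each installed
// copy of a package and the dependency chain that pulled it in, which is how
// you confirm that a flagged version is transitive rather than direct.

// Constructed sample lockfile. Versions other than glob@10.4.5 and glob@7.2.3
// are placeholders, not real @oclif/plugin-plugins releases.
const SAMPLE_LOCK = {
  name: "my-cli",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "my-cli",
      version: "1.0.0",
      dependencies: { "@oclif/plugin-plugins": "^0.0.0", glob: "^7.0.0" },
    },
    "node_modules/@oclif/plugin-plugins": {
      version: "0.0.0", // placeholder
      dependencies: { glob: "^10.4.5" },
    },
    "node_modules/@oclif/plugin-plugins/node_modules/glob": { version: "10.4.5" },
    "node_modules/glob": { version: "7.2.3" },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers; a pre-release/build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Turn a lockfile path such as
// "node_modules/@oclif/plugin-plugins/node_modules/glob" into the chain
// ["@oclif/plugin-plugins", "glob"]. Scoped names keep their "@scope/" prefix.
function chainFromPath(pkgPath) {
  return pkgPath
    .split("node_modules/")
    .map((s) => s.replace(/\/$/, ""))
    .filter((s) => s.length > 0);
}

// Every installed copy of `name`: version, lockfile path, chain, and whether
// it sits at the top level (a direct dependency of the project).
function findInstalled(lock, name) {
  const out = [];
  for (const [pkgPath, entry] of Object.entries(lock.packages || {})) {
    if (pkgPath === "") continue; // the root project itself
    const chain = chainFromPath(pkgPath);
    if (chain[chain.length - 1] !== name) continue;
    out.push({ path: pkgPath, version: entry.version, chain, direct: chain.length === 1 });
  }
  return out;
}

// Mark copies whose version lies in [range.introduced, range.fixed).
// The advisory's real affected range is not on this page; the caller supplies it.
function flagVulnerable(lock, name, range) {
  return findInstalled(lock, name).map((copy) => ({
    ...copy,
    vulnerable:
      compareVersions(copy.version, range.introduced) >= 0 &&
      compareVersions(copy.version, range.fixed) < 0,
  }));
}

// One line per installed copy, suitable for pasting into a bug report.
function report(lock, name, range) {
  return flagVulnerable(lock, name, range).map(
    (c) =>
      `${name}@${c.version} ${c.vulnerable ? "VULNERABLE" : "ok"} via ${c.chain.join(" > ")}` +
      (c.direct ? " (direct dependency)" : " (transitive)")
  );
}

// Stand-alone use: `node find-dep.js [path/to/package-lock.json]`.
// The range below is hypothetical; take the real one from the advisory.
if (typeof require !== "undefined" && require.main === module) {
  const fs = require("fs");
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
  for (const line of report(lock, "glob", { introduced: "10.0.0", fixed: "10.5.0" })) console.log(line);
}

if (typeof module !== "undefined") {
  module.exports = { parseVersion, compareVersions, chainFromPath, findInstalled, flagVulnerable, report };
}
```

On the constructed lockfile this prints `glob@10.4.5 VULNERABLE via @oclif/plugin-plugins > glob (transitive)` and `glob@7.2.3 ok via glob (direct dependency)`. `npm ls glob` gives the same chain view without a script; the script is useful when you want to feed the result into CI or assert on it. Until the plugin itself moves to a patched release, the npm `overrides` field in `package.json` can pin the nested `glob` to a fixed version in the consuming project, at the cost of running a version the plugin was not tested against.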