Skip to content

chore: upgrade glob from 10_2_7 to 10_5_0#33

Draft
alchemain-qa-bot[bot] wants to merge 2 commits into
masterfrom
felix/upgrade/glob-7_2_3
Draft

chore: upgrade glob from 10_2_7 to 10_5_0#33
alchemain-qa-bot[bot] wants to merge 2 commits into
masterfrom
felix/upgrade/glob-7_2_3

Conversation

@alchemain-qa-bot

Copy link
Copy Markdown

This pull request upgrades the glob dependency from version 10.2.7 to 10.5.0.

Why this upgrade is needed:

The primary driver for this change is to address a critical security vulnerability (GHSA-5j98-mcp5-4vw2) in the glob CLI. In versions prior to 10.5.0, the -c/--cmd option executed matched file paths using shell:true, which allowed command injection. An attacker could craft a malicious file name that, when matched by a glob pattern, would execute arbitrary shell commands.

Code changes:

No code changes were required. The upgrade is a straightforward version bump in the dependency manifest, as the fix is entirely contained within the glob library itself. The new version resolves the vulnerability without altering any of our application's existing usage patterns or APIs.

@alchemain-qa-bot alchemain-qa-bot Bot mentioned this pull request Jul 2, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant