Security issue with glob

[tinohager]

Hello,
npm audit reports a vulnerability related to the glob package.
Would it be possible to update this dependency in your project?

glob CLI: Command injection via -c/--cmd executes matches with shell:true

[MrYerome]

I have the same issue.
@tinohager : What do you use as dependency visualizer to generate the graphic above ?

[tinohager]

@MrYerome https://npmgraph.js.org/?q=glob

[Xenope]

Would love to have an update yes, but is this repo ever maintained anymore?

Not seeing any updates this past year.

[Xenope]

Hum, it looks like it's ok? Version 10.5.0 of glob that contains the fix is being installed now.

It's weird because my trivy scan still shoes me a vulnerability with version 10.4.5.

[tinohager]

An update has also been made here.

[davidd396]

Same here. I'm afraid that this repo is not maintained anymore...
There are multiple pending security patches.

[dereekb]

I ran into the same thing with Snyk. It seems like just adding the patched glob as a dev dependency should be fine and quiets the Snyk error/warning. The security issue seems to be only related to using the glob CLI functionality.

That said it would be nice to have the dependencies for this project updated.

[erikpragt-connectid]

Hi all, I ran into the same issue, and I fixed it by using a dependency override in the package.json:

  "overrides": {
    "glob": "10.5.0"
  },