fix: update glob to v10.5.0 to resolve CVE-2025-64756 (#910)

### Summary

This PR updates the `glob` package to version `^10.5.0` to resolve the
command injection vulnerability
[CVE-2025-64756](https://nvd.nist.gov/vuln/detail/CVE-2025-64756).

Changes included:
- Updated `glob` dependency in `packages/react-native-builder-bob` from
`^8.0.3` to `^10.5.0`.
- Refactored `src/utils/compile.ts` to use the new `globSync` named
export from `glob` v10 API.
- Removed `@types/glob` from `devDependencies` as `glob` v10 includes
built-in type definitions, and the old types caused conflicts.
- Added a `resolution` in the root `package.json` to force
`glob@^10.5.0` across the monorepo, ensuring no vulnerable versions
remain in the lockfile.

### Test plan

1. **Automated Tests**: Ran `yarn test` in
`packages/react-native-builder-bob`. All tests passed.
   ```bash
   yarn workspace react-native-builder-bob test
   ```
2. **Type Check**: Ran `yarn typecheck` to verify that removing
`@types/glob` and using built-in types works correctly.
   ```bash
   yarn typecheck
   ```
3. **Lint Check**: Ran `yarn lint` to ensure no linting errors.
   ```bash
   yarn lint
   ```

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> Updates `glob` to ^10.5.0, refactors to use `globSync`, and removes
`@types/glob` now that types are bundled.
> 
> - **Dependencies**
> - Bump `glob` in `packages/react-native-builder-bob/package.json` from
`^8.0.3` to `^10.5.0`.
> - Remove `@types/glob` from `devDependencies` (types included in
`glob` v10).
> - **Build utils**
> - Refactor `packages/react-native-builder-bob/src/utils/compile.ts` to
import `{ globSync }` from `glob` and replace `glob.sync` call.
> - **Lockfile**
> - Update `yarn.lock` to reflect `[email protected]` and updated transitive
dependencies.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
1f1c339. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

---------

Co-authored-by: Ram <[email protected]>

Author: ram-ui-dev

packages/react-native-builder-bob/package.json

@@ -54,7 +54,7 @@
     "del": "^6.1.1",
     "escape-string-regexp": "^4.0.0",
     "fs-extra": "^10.1.0",
-    "glob": "^8.0.3",
+    "glob": "^10.5.0",
     "is-git-dirty": "^2.0.1",
     "json5": "^2.2.1",
     "kleur": "^4.1.4",
@@ -71,7 +71,6 @@
     "@types/dedent": "^0.7.0",
     "@types/del": "^4.0.0",
     "@types/fs-extra": "^9.0.13",
-    "@types/glob": "^7.2.0",
     "@types/json5": "^2.2.0",
     "@types/mock-fs": "^4.13.4",
     "@types/prompts": "^2.0.14",

packages/react-native-builder-bob/src/utils/compile.ts

@@ -2,7 +2,7 @@ import path from 'path';
 import fs from 'fs-extra';
 import kleur from 'kleur';
 import * as babel from '@babel/core';
-import glob from 'glob';
+import { globSync } from 'glob';
 import type { Input, Variants } from '../types';
 import { isCodegenSpec } from './isCodegenSpec';
 
@@ -39,7 +39,7 @@ export default async function compile({
   jsxRuntime = 'automatic',
   variants,
 }: Options) {
-  const files = glob.sync('**/*', {
+  const files = globSync('**/*', {
     cwd: source,
     absolute: true,
     nodir: true,

yarn.lock

@@ -4292,16 +4292,6 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@types/glob@npm:^7.2.0":
-  version: 7.2.0
-  resolution: "@types/glob@npm:7.2.0"
-  dependencies:
-    "@types/minimatch": "npm:*"
-    "@types/node": "npm:*"
-  checksum: 10c0/a8eb5d5cb5c48fc58c7ca3ff1e1ddf771ee07ca5043da6e4871e6757b4472e2e73b4cfef2644c38983174a4bc728c73f8da02845c28a1212f98cabd293ecae98
-  languageName: node
-  linkType: hard
-
 "@types/hast@npm:^3.0.0, @types/hast@npm:^3.0.4":
   version: 3.0.4
   resolution: "@types/hast@npm:3.0.4"
@@ -4368,13 +4358,6 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@types/minimatch@npm:*":
-  version: 5.1.2
-  resolution: "@types/minimatch@npm:5.1.2"
-  checksum: 10c0/83cf1c11748891b714e129de0585af4c55dd4c2cafb1f1d5233d79246e5e1e19d1b5ad9e8db449667b3ffa2b6c80125c429dbee1054e9efb45758dbc4e118562
-  languageName: node
-  linkType: hard
-
 "@types/minimist@npm:^1.2.0":
   version: 1.2.2
   resolution: "@types/minimist@npm:1.2.2"
@@ -8131,18 +8114,19 @@ __metadata:
   languageName: node
   linkType: hard
 
-"glob@npm:^10.2.2":
-  version: 10.3.4
-  resolution: "glob@npm:10.3.4"
+"glob@npm:^10.2.2, glob@npm:^10.5.0":
+  version: 10.5.0
+  resolution: "glob@npm:10.5.0"
   dependencies:
     foreground-child: "npm:^3.1.0"
-    jackspeak: "npm:^2.0.3"
-    minimatch: "npm:^9.0.1"
-    minipass: "npm:^5.0.0 || ^6.0.2 || ^7.0.0"
-    path-scurry: "npm:^1.10.1"
+    jackspeak: "npm:^3.1.2"
+    minimatch: "npm:^9.0.4"
+    minipass: "npm:^7.1.2"
+    package-json-from-dist: "npm:^1.0.0"
+    path-scurry: "npm:^1.11.1"
   bin:
-    glob: dist/cjs/src/bin.js
-  checksum: 10c0/fe075f8109749cb0c264fd6eee8bf0cc8bb23a02305619b7a88bf1f79766218cc3ef66a3e8f3cd2e826006f047a3a8833c1694f167e978a6e37c34a8c053e48e
+    glob: dist/esm/bin.mjs
+  checksum: 10c0/100705eddbde6323e7b35e1d1ac28bcb58322095bd8e63a7d0bef1a2cdafe0d0f7922a981b2b48369a4f8c1b077be5c171804534c3509dfe950dde15fbe6d828
   languageName: node
   linkType: hard
 
@@ -8160,19 +8144,6 @@ __metadata:
   languageName: node
   linkType: hard
 
-"glob@npm:^8.0.3":
-  version: 8.1.0
-  resolution: "glob@npm:8.1.0"
-  dependencies:
-    fs.realpath: "npm:^1.0.0"
-    inflight: "npm:^1.0.4"
-    inherits: "npm:2"
-    minimatch: "npm:^5.0.1"
-    once: "npm:^1.3.0"
-  checksum: 10c0/cb0b5cab17a59c57299376abe5646c7070f8acb89df5595b492dba3bfb43d301a46c01e5695f01154e6553168207cb60d4eaf07d3be4bc3eb9b0457c5c561d0f
-  languageName: node
-  linkType: hard
-
 "global-dirs@npm:^0.1.1":
   version: 0.1.1
   resolution: "global-dirs@npm:0.1.1"
@@ -9234,16 +9205,16 @@ __metadata:
   languageName: node
   linkType: hard
 
-"jackspeak@npm:^2.0.3":
-  version: 2.3.3
-  resolution: "jackspeak@npm:2.3.3"
+"jackspeak@npm:^3.1.2":
+  version: 3.4.3
+  resolution: "jackspeak@npm:3.4.3"
   dependencies:
     "@isaacs/cliui": "npm:^8.0.2"
     "@pkgjs/parseargs": "npm:^0.11.0"
   dependenciesMeta:
     "@pkgjs/parseargs":
       optional: true
-  checksum: 10c0/787b0617dcc534ef793ba685b92347b1b3d634d888b2833a57b140e97eb1f628ec3e460ba1a68fd99bd148004442625db7519be186b38ff51f4951e7c99b52d7
+  checksum: 10c0/6acc10d139eaefdbe04d2f679e6191b3abf073f111edf10b1de5302c97ec93fffeb2fdd8681ed17f16268aa9dd4f8c588ed9d1d3bffbbfa6e8bf897cbb3149b9
   languageName: node
   linkType: hard
 
@@ -10909,7 +10880,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"minimatch@npm:^9.0.0, minimatch@npm:^9.0.1, minimatch@npm:^9.0.3, minimatch@npm:^9.0.4, minimatch@npm:^9.0.5":
+"minimatch@npm:^9.0.0, minimatch@npm:^9.0.3, minimatch@npm:^9.0.4, minimatch@npm:^9.0.5":
   version: 9.0.5
   resolution: "minimatch@npm:9.0.5"
   dependencies:
@@ -11642,6 +11613,13 @@ __metadata:
   languageName: node
   linkType: hard
 
+"package-json-from-dist@npm:^1.0.0":
+  version: 1.0.1
+  resolution: "package-json-from-dist@npm:1.0.1"
+  checksum: 10c0/62ba2785eb655fec084a257af34dbe24292ab74516d6aecef97ef72d4897310bc6898f6c85b5cd22770eaa1ce60d55a0230e150fb6a966e3ecd6c511e23d164b
+  languageName: node
+  linkType: hard
+
 "pacote@npm:^21.0.0":
   version: 21.0.0
   resolution: "pacote@npm:21.0.0"
@@ -11825,7 +11803,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"path-scurry@npm:^1.10.1":
+"path-scurry@npm:^1.11.1":
   version: 1.11.1
   resolution: "path-scurry@npm:1.11.1"
   dependencies:
@@ -12214,7 +12192,6 @@ __metadata:
     "@types/dedent": "npm:^0.7.0"
     "@types/del": "npm:^4.0.0"
     "@types/fs-extra": "npm:^9.0.13"
-    "@types/glob": "npm:^7.2.0"
     "@types/json5": "npm:^2.2.0"
     "@types/mock-fs": "npm:^4.13.4"
     "@types/prompts": "npm:^2.0.14"
@@ -12229,7 +12206,7 @@ __metadata:
     del: "npm:^6.1.1"
     escape-string-regexp: "npm:^4.0.0"
     fs-extra: "npm:^10.1.0"
-    glob: "npm:^8.0.3"
+    glob: "npm:^10.5.0"
     is-git-dirty: "npm:^2.0.1"
     json5: "npm:^2.2.1"
     kleur: "npm:^4.1.4"