Bump glob in node's npm and use tar ^7 (#1709)

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: theguild-bot <[email protected]>

Author: 3 people

packages/gateway/node.Dockerfile

@@ -84,9 +84,17 @@ ENV NODE_PATH=/gateway/node_modules
 # ensure that node uses the system CA certificates too because of https://nodejs.org/en/blog/release/v24.7.0
 ENV NODE_EXTRA_CA_CERTS=/etc/ssl/certs/ca-certificates.crt
 
-RUN npm install tar@latest -g
-
+# fix tar vulnerability by updating tar to latest v7 version
+RUN npm install tar@^7 -g
 RUN rm -rf /usr/local/lib/node_modules/npm/node_modules/tar
 
+# fix glob vulnerability by updating glob to latest version ^11
+# deal with CVE-2025-64756
+RUN npm install glob@^11 -g
+# node-gyp uses glob v10, but v11 is safe because it requires node v20+ and we're running v25
+RUN rm -rf /usr/local/lib/node_modules/npm/node_modules/node-gyp/node_modules/glob
+# npm uses glob v11, so we've just bumped it to the latest
+RUN rm -rf /usr/local/lib/node_modules/npm/node_modules/glob
+
 USER node
 ENTRYPOINT ["dumb-init", "node", "bin.mjs"]