
Security fix: update glob to 10.5.0 to fix CLI command injection vulnerability #280

Merged
jhodapp merged 1 commit into main from security/fix-glob-command-injection on Feb 12, 2026

Conversation

jhodapp (Member) commented Feb 12, 2026

Description

Updates the transitive glob dependency from 10.4.5 to 10.5.0 to resolve a HIGH severity Dependabot security alert.

GitHub Issue: Resolves Dependabot alert #34

Changes

  • Updated glob lock file resolution from 10.4.5 to 10.5.0 (within the existing ^10.3.10 semver range)
  • No package.json changes needed — only package-lock.json updated
  • Affects transitive dependency paths: tailwindcss → sucrase → glob and @vitest/coverage-v8 → test-exclude → glob

Testing Strategy

  • All 440 unit tests pass
  • Lock file only change — no code or direct dependency changes

Concerns

  • None — this is a patch bump within the existing semver range

@jhodapp jhodapp changed the title fix: update glob to 10.5.0 to fix CLI command injection vulnerability Security fix: update glob to 10.5.0 to fix CLI command injection vulnerability Feb 12, 2026
@jhodapp jhodapp self-assigned this Feb 12, 2026
@jhodapp jhodapp added the security Any feature or fix relating to software security label Feb 12, 2026
@jhodapp jhodapp added this to the 1.0.0-beta3 milestone Feb 12, 2026
@jhodapp jhodapp requested a review from calebbourg February 12, 2026 21:56
Addresses Dependabot alert #34 (HIGH severity): glob >= 10.2.0,
< 10.5.0 is vulnerable to command injection via -c/--cmd flag.

Updated the lock file resolution from 10.4.5 to 10.5.0 (within the
existing ^10.3.10 semver range used by sucrase/tailwindcss and
test-exclude/vitest). No package.json changes needed.
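As an added example (not code from this PR or from the project), here is a standalone Node.js script that answers the question the description and commit message raise: does every package in a `package-lock.json` that declares `glob` now resolve to a copy outside the range the alert names (>= 10.2.0, < 10.5.0), and does the new version still satisfy the `^10.3.10` range those dependents declare? It assumes lockfileVersion 2 or 3 (the top-level `packages` map keyed by `node_modules` path) and walks resolution per dependent, because npm may hoist one copy of `glob` to `node_modules/glob` while leaving another nested under a specific dependent. The embedded sample lockfile is constructed to mirror the two transitive paths the PR lists; every version other than glob's, and all function names, are the example's own assumptions.

```javascript
// Added example (not code from the PR or the project): audit an npm
// package-lock.json for copies of `glob` resolving inside the range the
// commit message cites (>= 10.2.0, < 10.5.0) and report which packages
// depend on each copy. Assumes lockfileVersion 2 or 3 ("packages" map).
'use strict';

// Constructed sample mirroring the PR's two transitive paths after the bump
// (tailwindcss -> sucrase -> glob, @vitest/coverage-v8 -> test-exclude -> glob).
// Versions other than glob's are illustrative assumptions.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app',
          devDependencies: { tailwindcss: '^3.4.0', '@vitest/coverage-v8': '^1.0.0' } },
    'node_modules/tailwindcss': { version: '3.4.1', dependencies: { sucrase: '^3.32.0' } },
    'node_modules/sucrase': { version: '3.35.0', dependencies: { glob: '^10.3.10' } },
    'node_modules/@vitest/coverage-v8': { version: '1.6.0', dependencies: { 'test-exclude': '^6.0.0' } },
    'node_modules/test-exclude': { version: '6.0.0', dependencies: { glob: '^10.3.10' } },
    'node_modules/glob': { version: '10.5.0' },
  },
};

// Vulnerable range from the Dependabot alert, as a half-open interval [low, high).
const VULN = { name: 'glob', low: '10.2.0', high: '10.5.0' };

// "MAJOR.MINOR.PATCH" -> [major, minor, patch]; pre-release/build suffixes ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// true when low <= version < high
function inRange(version, low, high) {
  return compareVersions(version, low) >= 0 && compareVersions(version, high) < 0;
}

// Caret check for "^x.y.z" with x > 0: >= x.y.z and < (x+1).0.0. Confirms a
// lock-file-only bump stays inside the range the dependents already declare.
function satisfiesCaret(version, spec) {
  if (!/^\^[1-9]\d*\.\d+\.\d+/.test(spec)) throw new Error(`only ^x.y.z (x > 0) handled: ${spec}`);
  const base = spec.slice(1);
  return compareVersions(version, base) >= 0 && parseVersion(version)[0] === parseVersion(base)[0];
}

// Package name from a lockfile path ("node_modules/a/node_modules/@s/b" -> "@s/b").
function nameFromPath(p) {
  return p.slice(p.lastIndexOf('node_modules/') + 'node_modules/'.length);
}

// Node's lookup order: nearest node_modules/<name> walking up from the
// dependent's own path, ending at the hoisted top-level copy (or null).
function resolveDependency(lock, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base === '' ? `node_modules/${name}` : `${base}/node_modules/${name}`;
    if (candidate in lock.packages) return candidate;
    if (base === '') return null;
    const cut = base.lastIndexOf('/node_modules/');
    base = cut === -1 ? '' : base.slice(0, cut);
  }
}

// One finding per package that declares `name`: the copy it resolves to, the
// resolved version, and whether that version falls in [low, high).
function auditLock(lock, name, low, high) {
  if (!lock.packages) throw new Error('expected lockfileVersion 2 or 3 ("packages" map)');
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    const deps = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}),
                   ...(entry.devDependencies || {}) };
    if (!(name in deps)) continue;
    const resolved = resolveDependency(lock, path, name);
    const version = resolved ? lock.packages[resolved].version : null;
    findings.push({
      dependent: path === '' ? '(root)' : nameFromPath(path),
      range: deps[name],
      resolved,
      version,
      vulnerable: version !== null && inRange(version, low, high),
    });
  }
  return findings;
}

// Deep copy with one package's version changed; used to replay the pre-fix state.
function withVersionAt(lock, path, version) {
  const copy = JSON.parse(JSON.stringify(lock));
  copy.packages[path].version = version;
  return copy;
}

function formatFindings(findings) {
  return findings.map(f =>
    `${f.dependent} (${f.range}) -> ${f.resolved ?? 'UNRESOLVED'} @ ${f.version ?? '?'}` +
    (f.vulnerable ? '  VULNERABLE' : '  ok')).join('\n');
}

// Usage: node audit-glob-lock.js [path/to/package-lock.json]
// Without an argument, replays the constructed sample before and after the bump.
if (process.argv[2]) {
  const lock = JSON.parse(require('node:fs').readFileSync(process.argv[2], 'utf8'));
  const findings = auditLock(lock, VULN.name, VULN.low, VULN.high);
  console.log(formatFindings(findings));
  process.exitCode = findings.some(f => f.vulnerable) ? 1 : 0;
} else {
  const before = withVersionAt(SAMPLE_LOCK, 'node_modules/glob', '10.4.5');
  console.log('before (10.4.5):\n' + formatFindings(auditLock(before, VULN.name, VULN.low, VULN.high)));
  console.log('after (10.5.0):\n' + formatFindings(auditLock(SAMPLE_LOCK, VULN.name, VULN.low, VULN.high)));
}
```

Run against a real lock file with `node audit-glob-lock.js package-lock.json`; the exit code is 1 if any dependent still resolves a copy in the vulnerable range, which makes it usable as a CI gate after a Dependabot bump. Resolution is walked per dependent rather than grepping for a single `node_modules/glob` entry because a nested copy under one dependent can stay at the old version while the hoisted copy moves. The script only settles the lock-file question; whether anything in the build actually invokes the glob CLI with its `-c/--cmd` flag on attacker-influenced input is a separate check.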
@jhodapp jhodapp force-pushed the security/fix-glob-command-injection branch from f9c5b7e to e022fac on February 12, 2026 22:43
@jhodapp jhodapp merged commit 57b98db into main Feb 12, 2026
6 checks passed
@jhodapp jhodapp deleted the security/fix-glob-command-injection branch February 12, 2026 22:56
@github-project-automation github-project-automation bot moved this from Review to ✅ Done in Refactor Coaching Platform Feb 12, 2026