
Security issue with glob

Open tinohager opened this issue 1 month ago • 7 comments

Hello, npm audit reports a vulnerability related to the glob package. Would it be possible to update this dependency in your project?

glob CLI: Command injection via -c/--cmd executes matches with shell:true

[image: dependency graph]

tinohager avatar Nov 18 '25 12:11 tinohager

I have the same issue. @tinohager : What do you use as dependency visualizer to generate the graphic above ?

MrYerome avatar Nov 18 '25 13:11 MrYerome

@MrYerome https://npmgraph.js.org/?q=glob

tinohager avatar Nov 18 '25 13:11 tinohager

Would love to have an update yes, but is this repo ever maintained anymore?

Not seeing any updates this past year.

Xenope avatar Nov 20 '25 11:11 Xenope

Hum, it looks like it's ok? Version 10.5.0 of glob that contains the fix is being installed now.

It's weird because my trivy scan still shows me a vulnerability with version 10.4.5.

Xenope avatar Nov 20 '25 15:11 Xenope

An update has also been made here. [image]

tinohager avatar Nov 20 '25 16:11 tinohager

Same here. I'm afraid that this repo is not maintained anymore... There are multiple pending security patches.

davidd396 avatar Nov 27 '25 18:11 davidd396

I ran into the same thing with Snyk. It seems like just adding the patched glob as a dev dependency should be fine and quiets the Snyk error/warning. The security issue seems to be only related to using the glob CLI functionality.

That said it would be nice to have the dependencies for this project updated.

dereekb avatar Dec 01 '25 23:12 dereekb
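A check worth running before relying on the workaround dereekb describes, and one that explains why Xenope's Trivy scan can still report 10.4.5 after 10.5.0 is installed: list every copy of glob the lockfile actually resolves, because a patched copy hoisted to the root does not replace an older copy nested under the dependent that requires it. This is an added example, not node-archiver's code or anything posted in the thread; the lockfile it reads is constructed, the 10.5.0 threshold is the fixed version named above, and `compareVersions`, `findCopies` and `vulnerableCopies` are hypothetical helper names.

```javascript
// Added example, not node-archiver's or the thread's code: list every copy of a
// package that a package-lock.json (lockfileVersion 2 or 3) actually resolves and
// flag copies older than a fixed version. SAMPLE_LOCK is CONSTRUCTED (versions are
// illustrative): a patched glob hoisted at the root beside an older nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { archiver: '^5.0.0' }, devDependencies: { glob: '^10.5.0' } },
    'node_modules/archiver': { version: '5.3.2', dependencies: { glob: '^10.0.0' } },
    'node_modules/archiver/node_modules/glob': { version: '10.4.5' },
    'node_modules/glob': { version: '10.5.0', dev: true },
  },
};

// Numeric dotted-version comparator (<0, 0, >0); pre-release tags are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every installed copy of `name`: path, version, dev-only flag, and the package
// whose node_modules folder holds it ('(root)' for the hoisted copy).
function findCopies(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages)
    .filter(([p]) => p === suffix || p.endsWith(`/${suffix}`))
    .map(([p, meta]) => {
      const parent = p.slice(0, p.length - suffix.length).replace(/\/$/, '');
      return {
        path: p,
        version: meta.version,
        dev: Boolean(meta.dev),
        owner: parent === '' ? '(root)' : parent.replace(/^.*node_modules\//, ''),
      };
    });
}

// Copies below `fixed`: what a scanner keeps reporting even when a patched copy
// exists elsewhere in the tree, because the dependent still resolves its own.
function vulnerableCopies(lock, name, fixed) {
  return findCopies(lock, name).filter((c) => compareVersions(c.version, fixed) < 0);
}
```

Against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a nested copy that stays below the threshold needs an `overrides` entry or an upstream bump, not just a root devDependency.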