Publish npm packages with fixed security vulnerability (glob)

Open toubsen opened this issue 1 month ago • 4 comments

Is there an existing issue for this?

  • [x] I have checked for existing issues https://github.com/getsentry/sentry-javascript/issues
  • [x] I have reviewed the documentation https://docs.sentry.io/
  • [x] I am using the latest SDK release https://github.com/getsentry/sentry-javascript/releases

How do you use Sentry?

Sentry Saas (sentry.io)

Which SDK are you using?

@sentry/react-router

SDK Version

10.26.0

Framework Version

React Router v7

Link to Sentry event

No response

Reproduction Example/SDK Setup

In the source main branch, @sentry/react-router contains the patched version of the glob library since at least Friday 2025-11-20, but the last published version 10.26.0 from the same date still contains the vulnerable library.

Add @sentry/react-router to a react router project and run audit:

npm create react-router@latest
npm install @sentry/react-router
npm audit

glob  11.0.0 - 11.0.3
Severity: high
glob CLI: Command injection via -c/--cmd executes matches with shell:true - https://github.com/advisories/GHSA-5j98-mcp5-4vw2
No fix available
node_modules/glob
  @sentry/react-router  *
  Depends on vulnerable versions of glob
  node_modules/@sentry/react-router

2 high severity vulnerabilities

Steps to Reproduce

  1. Create a react router project
  2. Install Sentry
  3. run npm audit

Expected Result

@sentry/react-router ships with no vulnerable libraries

Actual Result

@sentry/react-router introduces vulnerable version of glob

Additional Context

No response

Priority

React with 👍 to help prioritize this issue. Please use comments to provide useful context, avoiding +1 or me too, to help us triage it.

toubsen avatar Nov 24 '25 12:11 toubsen

JS-1205

linear[bot] avatar Nov 24 '25 12:11 linear[bot]

Hey, thanks for writing in! We're going to ship 10.27.0 soon, which will include the glob dependency bump. We're just waiting on an unrelated change. But should be out by today/tomorrow the latest.

Lms24 avatar Nov 24 '25 13:11 Lms24

Hello. Having deps with CVEs breaks our CI/CD pipeline. We just cannot deploy anything with CVEs since it doesn't pass vulnerability scans enforced by our security team prior to actual build process. I personally like sentry but if such attitude to security persists we would have no choice but to ditch it. Hope you would avoid such situations in the future and issue security patches in a timely manner. Thanks for understanding.

chapati avatar Nov 26 '25 02:11 chapati
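For the situation described in the issue and in the comment above (a dependency pulling in an affected glob release, and a pipeline that has to block on it), here is an added example that is not from this issue or from the sentry-javascript project: a small Node script that walks a package-lock.json in the lockfileVersion 2/3 "packages" layout and reports every installed copy of glob whose version falls in the range npm audit printed above (11.0.0 - 11.0.3), including nested copies under a dependency's own node_modules. The lock-file fragment, the 10.4.5 top-level glob version and all function names are constructed for the example; the affected range and the @sentry/react-router 10.26.0 version come from the audit output in the issue.

```javascript
// Added example, not code from the sentry-javascript project.
// Scans a lock file object for copies of a package in an inclusive
// version range and returns their install paths, so a CI step can fail
// before the build rather than after a scanner rejects the artifact.

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release/build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison of two versions: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Inclusive range check, mirroring the "glob 11.0.0 - 11.0.3" line from npm audit.
function inAffectedRange(version, low, high) {
  return compareVersions(version, low) >= 0 && compareVersions(version, high) <= 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 file. Keys are install
// paths such as "node_modules/a/node_modules/b"; the package name is the
// text after the last "node_modules/", which keeps scoped names intact.
function findAffected(lock, pkgName, low, high) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project entry
    const name = path.split("node_modules/").pop();
    if (name === pkgName && entry.version && inAffectedRange(entry.version, low, high)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed lock-file fragment: an unaffected glob at the top level and an
// affected copy nested under @sentry/react-router, as the audit output shows.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.0.0" },
    "node_modules/glob": { version: "10.4.5" },
    "node_modules/@sentry/react-router": { version: "10.26.0" },
    "node_modules/@sentry/react-router/node_modules/glob": { version: "11.0.2" },
  },
};

const AFFECTED = { name: "glob", low: "11.0.0", high: "11.0.3" };

// Entry point used by the usage loop below; in a real pipeline pass the
// parsed contents of ./package-lock.json instead of SAMPLE_LOCK.
function scanSample() {
  return findAffected(SAMPLE_LOCK, AFFECTED.name, AFFECTED.low, AFFECTED.high);
}

for (const hit of scanSample()) {
  console.log(`${hit.path} -> glob@${hit.version} is in the affected range`);
}
```

In a pipeline you would replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` and exit non-zero when the returned list is non-empty; because the scan reads the lock file rather than node_modules, it can run before `npm install` and before any build step.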

Hey @chapati apologies for this negative experience. Could you let us know if there's a dependency in particular that's not yet updated and released? 10.27.0 was released Monday evening (UTC) which included the glob bump. If there's anything else blocking you from using our SDK please let us know!

Lms24 avatar Nov 26 '25 10:11 Lms24

This issue has gone three weeks without activity. In another week, I will close it.

But! If you comment or otherwise update it, I will reset the clock, and if you remove the label Waiting for: Community, I will leave it alone ... forever!


"A weed is but an unloved flower." ― Ella Wheeler Wilcox 🥀

getsantry[bot] avatar Dec 18 '25 08:12 getsantry[bot]