Update dependencies to support [email protected]+ for security fix

Open godfrey-altmetric opened this issue 1 month ago • 3 comments

Dependabot cannot update glob to a non-vulnerable version because jest requires glob@^7.1.3 and ^7.1.4 via transitive dependencies on [email protected], @jest/[email protected], [email protected], and [email protected]. The earliest fixed version is [email protected]. Please update these dependencies to allow [email protected]+ to resolve the security vulnerability.

godfrey-altmetric, Nov 20 '25 10:11

Yeah, this is https://github.com/istanbuljs/babel-plugin-istanbul/pull/301

SimenB, Nov 20 '25 13:11

The security issue only impacts the v10 and v11 lines of glob, so no action should be needed by Jest to enable resolving the security vuln.

G-Rath, Nov 28 '25 19:11

Is this not done via https://github.com/jestjs/jest/pull/15905 ?

derTobsch, Dec 02 '25 13:12