Conversation

@ram-ui-dev ram-ui-dev commented Nov 22, 2025

Summary

This PR updates the glob package to version ^10.5.0 to resolve the command injection vulnerability CVE-2025-64756.

Changes included:

  • Updated glob dependency in packages/react-native-builder-bob from ^8.0.3 to ^10.5.0.
  • Refactored src/utils/compile.ts to use the new globSync named export from the glob v10 API.
  • Removed @types/glob from devDependencies as glob v10 includes built-in type definitions, and the old types caused conflicts.
  • Added a resolution in the root package.json to force glob@^10.5.0 across the monorepo, ensuring no vulnerable versions remain in the lockfile.

Test plan

  1. Automated Tests: Ran yarn test in packages/react-native-builder-bob. All tests passed.
    yarn workspace react-native-builder-bob test
  2. Type Check: Ran yarn typecheck to verify that removing @types/glob and using built-in types works correctly.
    yarn typecheck
  3. Lint Check: Ran yarn lint to ensure no linting errors.
    yarn lint

Note

Updates glob to ^10.5.0, refactors to use globSync, and removes @types/glob now that types are bundled.

  • Dependencies
    • Bump glob in packages/react-native-builder-bob/package.json from ^8.0.3 to ^10.5.0.
    • Remove @types/glob from devDependencies (types included in glob v10).
  • Build utils
    • Refactor packages/react-native-builder-bob/src/utils/compile.ts to import { globSync } from glob and replace the glob.sync call.
  • Lockfile

Written by Cursor Bugbot for commit 1f1c339.

Member

@satya164 satya164 left a comment

Thanks for the PR.

Please remove glob from resolutions. Overriding the package version for the monorepo only means we are not testing with the same set of dependencies that users may get. So the dependency tree could still contain vulnerable versions of glob while the monorepo doesn't show this, or result in different behavior from what users will install.
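The point raised here, and the "no vulnerable versions remain in the lockfile" claim in the PR description, both come down to what the lockfile actually resolves rather than what a root `resolutions` entry requests. The following is an added example, not code from this PR or from react-native-builder-bob: a small audit that parses the subset of the Yarn v1 lockfile format needed for the check and lists every resolved `glob` version below the 10.5.0 floor named in the PR. The lockfile excerpt is constructed for the example (the `resolved` URLs are placeholders), and version comparison is numeric on the major.minor.patch triple with prerelease tags ignored, which is a simplification.

```javascript
// Added example (not from the PR): audit a Yarn v1 lockfile for resolved
// versions of a package that sit below a minimum. A root "resolutions" entry
// changes what the monorepo installs, not what a consumer's own install will
// resolve, so the lockfile content is what should be inspected.

const MIN_SAFE_GLOB = "10.5.0"; // floor named in the PR description

// Parse only what the audit needs from a Yarn v1 lockfile: each entry starts at
// column 0 with one or more "name@range" specifiers (optionally quoted,
// comma-separated) ending in ":", followed by indented fields such as
// `version "x.y.z"`. Comments and blank lines are skipped.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const line of text.split("\n")) {
    if (line.trim() === "" || line.startsWith("#")) continue;
    if (!line.startsWith(" ") && line.endsWith(":")) {
      const specifiers = line
        .slice(0, -1)
        .split(",")
        .map((s) => s.trim().replace(/^"|"$/g, ""));
      current = { specifiers, version: null };
      entries.push(current);
      continue;
    }
    // Exactly two leading spaces: a top-level field of the current entry,
    // not a nested "dependencies:" line (four spaces).
    const m = /^ {2}version "([^"]+)"$/.exec(line);
    if (m && current) current.version = m[1];
  }
  return entries;
}

// Package name is everything before the last "@", which also handles scoped
// names such as "@types/glob@^8.1.0".
function packageName(specifier) {
  return specifier.slice(0, specifier.lastIndexOf("@"));
}

// Negative if a < b, zero if equal, positive if a > b. Prerelease suffixes
// after "-" are dropped (simplification for this example).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every lockfile entry for `name` whose resolved version is older than
// `minVersion`, together with the ranges that pulled it in.
function findVulnerableVersions(lockText, name, minVersion) {
  const hits = [];
  for (const entry of parseYarnLock(lockText)) {
    const matching = entry.specifiers.filter((s) => packageName(s) === name);
    if (matching.length === 0 || !entry.version) continue;
    if (compareVersions(entry.version, minVersion) < 0) {
      hits.push({ version: entry.version, requestedBy: matching });
    }
  }
  return hits;
}

// Constructed lockfile excerpt (not the repository's real yarn.lock): the
// direct dependency was bumped, but a transitive range still resolves to an
// older release, which is the situation the review comment warns about.
const SAMPLE_LOCK = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@types/glob@^8.1.0":
  version "8.1.0"
  resolved "https://registry.example/@types/glob/-/glob-8.1.0.tgz#placeholder"

glob@^10.5.0:
  version "10.5.0"
  resolved "https://registry.example/glob/-/glob-10.5.0.tgz#placeholder"
  dependencies:
    foreground-child "^3.1.0"

glob@^7.1.3, glob@^7.1.4:
  version "7.2.3"
  resolved "https://registry.example/glob/-/glob-7.2.3.tgz#placeholder"
`;

// Human-readable report lines for the sample lockfile.
function report(lockText) {
  return findVulnerableVersions(lockText, "glob", MIN_SAFE_GLOB).map(
    (h) => `glob ${h.version} (wanted by ${h.requestedBy.join(", ")}) is below ${MIN_SAFE_GLOB}`
  );
}

console.log(report(SAMPLE_LOCK).join("\n") || "no glob versions below " + MIN_SAFE_GLOB);
```

Run against a real yarn.lock by reading the file into `findVulnerableVersions` in place of `SAMPLE_LOCK`; an empty result is the evidence the PR description asserts, and a non-empty one shows which dependency ranges still pull an old release in regardless of the `resolutions` entry.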

@ram-ui-dev ram-ui-dev (Author)

Fixed in the latest commit. Thanks!

@ram-ui-dev ram-ui-dev requested a review from satya164 November 22, 2025 14:09