fix(deps): update vulnerable glob pkg to 10.5.0 in v10.x #3199


Open
baranbbr wants to merge 1 commit into nestjs:master from baranbbr:10.x

baranbbr commented Nov 27, 2025 (edited)

Caution

This should NOT be merged to master.

PR Checklist

Please check if your PR fulfills the following requirements:

PR Type

What kind of change does this PR introduce?

[ ] Bugfix
[ ] Feature
[ ] Code style update (formatting, local variables)
[x] Refactoring (no functional changes, no api changes)
[ ] Build related changes
[ ] CI related changes
[ ] Other... Please describe:

What is the current behavior?

Updating glob package in old release 10.
This is to address CVE-2025-64756
https://security.snyk.io/vuln/SNYK-JS-GLOB-14040952

Related to Issue Number: #3189

What is the new behavior?

Does this PR introduce a breaking change?

[ ] Yes
[x] No

Other information

baranbbr changed the title from "fix(deps): update vulnerable glob pkg to 10.5.0" to "fix(deps): update vulnerable glob pkg to 10.5.0 in v10.x" Nov 27, 2025

baranbbr (Author) commented Nov 27, 2025 (edited)

This is a backport for version 10.x - looking at the recent releases it looks like older versions aren't updated? I'm not sure how the maintainers want to proceed? Imo there's value in creating a maintenance branch/release on version 10.

Version 10.4.9 is still massively popular as I can see on npm: https://www.npmjs.com/package/@nestjs/cli?activeTab=versions


baranbbr (Author) commented

@kamilmysliwiec I guess there are no plans to maintain previous major versions? If so, feel free to close this

ooxx5626 commented

We are also using version 10.x and would like to receive a remediated/patched version 10.X to address this CVE.

arketec commented

In the meantime, you can override glob on this dependency only in your package.json

npm:

```json
"overrides": {
  "@nestjs/cli": {
    "glob": "^10.5.0"
  }
},
```

yarn:

```json
"resolutions": {
  "@nestjs/cli/glob": "^10.5.0"
},
```
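An added example, not part of the thread or of the project's code: one way to confirm that an override like the one above took effect is to scan the parsed `package-lock.json` (lockfileVersion 2 or 3) for nested glob 10.x copies still below 10.5.0. The function names and the sample lockfile are constructed for illustration; only the 10.x line this PR targets is checked, and loading the real file is left to the caller.

```javascript
// Added example: find installed copies of a package that sit in the same
// major line as the fixed version but are older than it.
const FIXED = "10.5.0"; // fix target named in the PR title

// Parse "x.y.z" into numbers; prerelease/build suffixes are ignored (assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// lock: parsed package-lock.json; its "packages" map is keyed by install path,
// e.g. "node_modules/@nestjs/cli/node_modules/glob".
function findOutdated(lock, name, fixed) {
  const floor = parseVersion(fixed);
  const marker = "node_modules/";
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf(marker);
    if (idx === -1 || path.slice(idx + marker.length) !== name) continue;
    const v = parseVersion(entry.version);
    if (!v) {
      hits.push({ path, version: entry.version, reason: "unparsable version" });
    } else if (v[0] === floor[0] && compare(v, floor) < 0) {
      hits.push({ path, version: entry.version, reason: "below " + fixed });
    }
  }
  return hits;
}

// Constructed sample lockfile (versions are illustrative, not taken from the PR).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/@nestjs/cli": { version: "10.4.9" },
    "node_modules/@nestjs/cli/node_modules/glob": { version: "10.4.5" },
    "node_modules/glob": { version: "10.5.0" },
    "node_modules/rimraf/node_modules/glob": { version: "7.2.3" },
  },
};

console.log(findOutdated(sampleLock, "glob", FIXED));
```

An empty result after reinstalling with the override in place means no 10.x copy below 10.5.0 remains in the tree.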
