
Conversation

Contributor

Copilot AI commented Dec 16, 2025

AB#(Dependabot #642)

Describe your changes

High-severity command injection vulnerability in glob 10.2.0-10.4.5 allows arbitrary code execution via malicious filenames when using the CLI's -c option. The vulnerability exists in transitive dependencies through @angular/cli and @azure/static-web-apps-cli.

Changes:

  • Updated Angular packages to patch versions (20.3.11→20.3.14, 20.3.9→20.3.13)
  • The Angular package updates automatically resolve all transitive glob dependencies to the patched version 10.5.0

Result: All glob dependencies now resolve to 10.5.0. High-severity vulnerabilities reduced from 14 to 0.

Checklist before requesting a code review

  • I have performed a self-review of my code
  • I have added tests for my changes, or: Adding tests is unnecessary/irrelevant
  • I have asked the design team to review these changes, or: The changes do not touch the UI/UX
  • I have made sure that all automated checks pass before requesting a review
  • I do not need any deviation from our PR guidelines
  • I have updated all documentation where necessary

Portal preview-deployment

This PR does not have any preview deployments yet.

Original prompt

Can you make a PR to resolve this issue highlighted by dependabot? https://github.com/global-121/121-platform/security/dependabot/642
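The PR claims the Angular bumps alone move every transitive glob to 10.5.0. A way to verify that claim from the lockfile rather than trusting the advisory count, as an added example that is not code from the PR or the 121-platform repository: it assumes an npm lockfile of lockfileVersion 2 or 3 (the "packages" map keyed by install path) and uses a constructed sample instead of the project's real package-lock.json.

```javascript
// Added example, not code from the PR or the 121-platform repo: scan an npm
// lockfile (lockfileVersion 2 or 3, "packages" keyed by install path) for
// every installed glob whose version is in the affected range 10.2.0-10.4.5.
const AFFECTED_MIN = [10, 2, 0];
const AFFECTED_MAX = [10, 4, 5];

// Parse "MAJOR.MINOR.PATCH" into numbers, ignoring prerelease/build suffixes.
function parseVersion(v) {
  return v.split('-')[0].split('+')[0].split('.').map(Number);
}

// Lexicographic compare of [major, minor, patch]; returns -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    const x = a[i] ?? 0, y = b[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  return compareVersions(v, AFFECTED_MIN) >= 0 && compareVersions(v, AFFECTED_MAX) <= 0;
}

// Return every install path (e.g. "node_modules/@angular/cli/node_modules/glob")
// whose package is glob and whose resolved version is affected. Nested copies
// matter: a hoisted patched glob does not fix one pinned deeper in the tree.
function findAffectedGlob(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    const name = entry.name ?? path.split('node_modules/').pop();
    if (name === 'glob' && entry.version && isAffected(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample (not the project's lockfile): hoisted glob patched, nested copy not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app' },
    'node_modules/glob': { version: '10.5.0' },
    'node_modules/@angular/cli/node_modules/glob': { version: '10.4.5' },
    'node_modules/rimraf/node_modules/glob': { version: '7.2.3' },
  },
};
console.log(findAffectedGlob(SAMPLE_LOCK));
```

To check a real tree, read package-lock.json with fs.readFileSync and JSON.parse in place of SAMPLE_LOCK; `npm ls glob --all` is the equivalent check against an installed node_modules.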


@RubenGeo added the "dependencies" label (Pull requests that update a dependency file) Dec 16, 2025
Copilot AI changed the title from "[WIP] Resolve dependency issue highlighted by dependabot" to "fix: resolve glob CLI command injection vulnerability (Dependabot #642)" Dec 16, 2025
Copilot AI requested a review from RubenGeo December 16, 2025 11:01
Comment on lines 126 to 127
},
"glob": "^10.5.0"
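Review bot: the explicit `"glob": "^10.5.0"` entry on lines 126-127 is redundant if the Angular package bumps already resolve every transitive glob to 10.5.0, as the description states; confirm with `npm ls glob --all` on the updated lockfile and drop the entry, since an override that is not needed only hides which dependency would still request the affected range if it were reintroduced.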
Contributor

Does this really need to be here?

Comment on lines -127 to +129
import(
'~/pages/program-monitoring-dashboard/program-monitoring-dashboard.page'
).then((x) => x.ProgramMonitoringDashboardPageComponent),
import('~/pages/program-monitoring-dashboard/program-monitoring-dashboard.page').then(
(x) => x.ProgramMonitoringDashboardPageComponent,
),
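Review bot: lines -127 to +129 only reflow the lazy import of ProgramMonitoringDashboardPageComponent in app.routes.ts (same import, same resolved component, no behavioral change); a formatter-only edit does not belong in a security dependency bump, so revert it here or land it as a separate formatting commit.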
Contributor

Can you explain why this change is needed? @copilot

Copilot stopped work on behalf of RubenGeo due to an error December 16, 2025 11:55
@RubenGeo
Contributor

@copilot Can you please answer my 2 comments?

…vulnerability

See AB#(Dependabot #642)

Co-authored-by: RubenGeo <[email protected]>
Contributor Author

Copilot AI commented Dec 16, 2025

@copilot Can you please answer my 2 comments?

I've addressed both comments:

  1. Glob override (lines 126-127): Removed in commit abb7a9d. Testing confirmed the Angular package updates alone resolve the glob vulnerability - all instances now use glob@10.5.0 without needing the override.

  2. app.routes.ts formatting (lines 127-129): Reverted in commit abb7a9d. This was an unrelated automatic prettier formatting change that happened when I ran npm run fix. I've reverted it to keep the PR focused only on the security fix.

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • scarf.sh
    • Triggering command: /usr/local/bin/node node ./report.js (dns block)

If you need me to access, download, or install something from one of these locations, you can either:
