This repository was archived by the owner on Dec 10, 2025. It is now read-only.
This repository was archived by the owner on Dec 10, 2025. It is now read-only.
CVE-2025-64756: Bump glob dependency to 10.5.0 #3947
Description
Expected Behavior
npm audit passes without vulnerabilities.
Actual Behavior
npm audit fails with vulnerabilities.
- glob CLI: Command injection via -c/--cmd executes matches with shell:true (CVE-2025-64756)
- brace-expansion Regular Expression Denial of Service vulnerability (CVE-2025-5889)
Steps to Reproduce
npm install or npm audit
Versions
language: typescript
node: 24
cdktf: 0.21.0
Providers
No response
Gist
No response
Possible Solutions
Bump glob to 10.5.0.
Workarounds
No response
Anything Else?
No response
References
No response
Help Wanted
- I'm interested in contributing a fix myself
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment