Skip to content

fix: update glob to v10.5.0 to resolve CVE-2025-64756#910

Merged
satya164 merged 5 commits intocallstack:mainfrom
ram-ui-dev:fix/cve-2025-64756-glob-update
Nov 24, 2025
Merged

fix: update glob to v10.5.0 to resolve CVE-2025-64756#910
satya164 merged 5 commits intocallstack:mainfrom
ram-ui-dev:fix/cve-2025-64756-glob-update

Conversation

@ram-ui-dev
Copy link
Contributor

@ram-ui-dev ram-ui-dev commented Nov 22, 2025
edited by cursor bot
Loading

Summary

This PR updates the glob package to version ^10.5.0 to resolve the command injection vulnerability CVE-2025-64756.

Changes included:

  • Updated glob dependency in packages/react-native-builder-bob from ^8.0.3 to ^10.5.0.
  • Refactored src/utils/compile.ts to use the new globSync named export from glob v10 API.
  • Removed @types/glob from devDependencies as glob v10 includes built-in type definitions, and the old types caused conflicts.
  • Added a resolution in the root package.json to force glob@^10.5.0 across the monorepo, ensuring no vulnerable versions remain in the lockfile.

Test plan

  1. Automated Tests: Ran yarn test in packages/react-native-builder-bob. All tests passed. 
    yarn workspace react-native-builder-bob test
  2. Type Check: Ran yarn typecheck to verify that removing @types/glob and using built-in types works correctly. 
    yarn typecheck
  3. Lint Check: Ran yarn lint to ensure no linting errors. 
    yarn lint

Note

Updates glob to ^10.5.0, refactors to use globSync, and removes @types/glob now that types are bundled.

  • Dependencies
    • Bump glob in packages/react-native-builder-bob/package.json from ^8.0.3 to ^10.5.0.
    • Remove @types/glob from devDependencies (types included in glob v10).
  • Build utils
    • Refactor packages/react-native-builder-bob/src/utils/compile.ts to import { globSync } from glob and replace glob.sync call.
  • Lockfile
    • Update yarn.lock to reflect glob@10.5.0 and updated transitive dependencies.

Written by Cursor Bugbot for commit 1f1c339. This will update automatically on new commits. Configure here.

satya164
satya164 requested changes Nov 22, 2025
View reviewed changes
Copy link
Member

@satya164 satya164 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the PR.

Please remove glob from resolutions. Overriding package version for monorepo only means we are not testing with the same set of dependencies that users may get. So the dependency tree could still contain vulnerable versions of glob while the monorepo doesn't show this, or result in different behavior from what users will install.

@ram-ui-dev
Copy link
Contributor Author

ram-ui-dev commented Nov 22, 2025

Fixed in the latest commit. Thanks!

@ram-ui-dev ram-ui-dev requested a review from satya164 November 22, 2025 14:09
satya164
satya164 approved these changes Nov 23, 2025
View reviewed changes
Copy link
Member

@satya164 satya164 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you

@satya164 satya164 enabled auto-merge November 23, 2025 22:59
@satya164 satya164 added this pull request to the merge queue Nov 24, 2025
Merged via the queue into callstack:main with commit 5aa16f8 Nov 24, 2025
30 of 34 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@satya164 satya164 satya164 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ram-ui-dev @satya164 @ramanathanMuthuraman