chore(deps): [security] bump glob from 10.4.5 to 10.5.0

Bumps glob from 10.4.5 to 10.5.0. This update includes a security fix.

Vulnerabilities fixed

glob CLI: Command injection via -c/--cmd executes matches with shell:true

Summary

The glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> is used, matched filenames are passed to a shell with shell: true, so shell metacharacters in filenames are interpreted as command syntax, enabling command injection and arbitrary code execution with the privileges of the user or CI account running glob.

Details

Root Cause:
The vulnerability exists in src/bin.mts:277, where the CLI collects the glob matches and executes the supplied command via foregroundChild() with shell: true:

stream.on('end', () => foregroundChild(cmd, matches, { shell: true }))

Technical Flow:

  1. User runs glob -c <command> <pattern>
  2. CLI finds files matching the pattern
  3. Matched filenames are collected into an array
  4. Command is executed with matched filenames as arguments using shell: true
  5. Shell interprets metacharacters in filenames as command syntax
  6. Malicious filenames execute arbitrary commands

... (truncated)

Patched versions: 10.5.0; 11.1.0
Affected versions: >= 10.2.0, = 11.0.0, < 11.1.0

Dependabot commands
You can trigger Dependabot actions by commenting on this MR
  • @repurika recreate will recreate this MR rewriting all the manual changes and resolving conflicts
