[BUG] vulnerable glob dependency

[keptt]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

Running npm audit or a trivy scanner flags a high CVE-2025-64756 vulnerability due to glob@11.0.3. glob@11.1.0 fixes the issue. The problem is that this breaks application builds that make use of tools such as trivy scanner.
Notice that the CVE itself doesn't affect npm, as the issue is only in the cli interface of glob, while npm uses its library interface.

Expected Behavior

npm should not bundle a vulnerable version of glob and therefore not break builds due to security scans

Steps To Reproduce

1. In this environment:

Node.js version: 20.17.0 (or higher)
npm version: 11.6.2

2. Run 'npm audit'
3. See error:

glob  10.3.7 - 11.0.3
Severity: high
glob CLI: Command injection via -c/--cmd executes matches with shell:true - https://github.com/advisories/GHSA-5j98-mcp5-4vw2
fix available via `npm audit fix`
node_modules/glob

Environment

• npm: 11.6.2
• Node.js: 20.17.0
• OS Name: macOS Sequoia 15.6.1
• System Model Name: MacBook Pro M3
• npm config:

; "user" config from /Users/root1/.npmrc

//registry.npmjs.org/:_authToken = (protected)

; "project" config from /Users/root1/code/npm/.npmrc

package-lock = true

; node bin location = /Users/root1/.nvm/versions/node/v20.17.0/bin/node
; node version = v20.17.0
; npm local prefix = /Users/root1/code/npm
; npm version = 11.6.2
; cwd = /Users/root1/code/npm
; HOME = /Users/root1
; Run `npm config ls -l` to show all defaults.

[JeffreyStevens]

I'm also seeing issues with docker node:22-alpine image scans failing on these locations for glob (see node-gyp dependency):

/usr/local/lib/node_modules/npm/node_modules/node-gyp/node_modules/glob/package.json
/usr/local/lib/node_modules/npm/node_modules/glob/package.json

Related tar image also failing security scans:
/usr/local/lib/node_modules/npm/node_modules/tar/package.json

I opened related issue nodejs/node-gyp#3246

[keptt]

npm 11.6.3 has just released but unfortunately this issue hasn't been addressed. Will have to wait for the next release. A temporary solution on the client-end seems to be creating a .trivyignore file with the CVE in-qeustion. Other security scanners should have a similar ignore-rule feature. This is, however, not ideal, as such practices may lead to false negatives

EDIT: to avoid false negatives, use .trivyignore.yml or a Rego file. They let you use more advanced filtering such as specifying a path to the vulnerable package. However, these features are experimental according to the Trivy docs

[owlstronaut]

#8770 will be the dependency update for this

[dtma007]

@owlstronaut Thanks for the quick response! Sorry, I'm not familiar with the release process. Is there a rough ETA on when a new npm release will be available with the updated glob version? Thanks again!

[owlstronaut]

@owlstronaut Thanks for the quick response! Sorry, I'm not familiar with the release process. Is there a rough ETA on when a new npm release will be available with the updated glob version? Thanks again!

Hopefully next week before the holiday weekend. I'll be working with @wraithgar to try to get it out

[Andrea-Filice]

tell me that a fix is coming soon, I've been freaking out for 3 days trying to figure out why the npm audit command gives me 2 high vulnerabilities.

[keptt]

Thanks @owlstronaut, appreciate that! Looking forward to the 11.6.4 release