fix(deps): update vulnerable glob pkg to `10.5.0` in v10.x
> [!CAUTION]
> This should NOT be merged to master.
PR Checklist
Please check if your PR fulfills the following requirements:
- [x] The commit message follows our guidelines: https://github.com/nestjs/nest/blob/master/CONTRIBUTING.md
- [ ] Tests for the changes have been added (for bug fixes / features)
- [ ] Docs have been added / updated (for bug fixes / features)
PR Type
What kind of change does this PR introduce?
[ ] Bugfix
[ ] Feature
[ ] Code style update (formatting, local variables)
[x] Refactoring (no functional changes, no api changes)
[ ] Build related changes
[ ] CI related changes
[ ] Other... Please describe:
What is the current behavior?
Updating glob package in old release 10.
This is to address CVE-2025-64756
https://security.snyk.io/vuln/SNYK-JS-GLOB-14040952
Related to Issue Number: #3189
What is the new behavior?
Does this PR introduce a breaking change?
[ ] Yes
[x] No
Other information
This is a backport for version 10.x - looking at the recent releases it looks like older versions aren't updated? I'm not sure how the maintainers want to proceed? IMO there's value in creating a maintenance branch/release on version 10.
Version 10.4.9 is still massively popular as I can see on npm: https://www.npmjs.com/package/@nestjs/cli?activeTab=versions
@kamilmysliwiec I guess there are no plans to maintain previous major versions? If so, feel free to close this
We are also using version 10.x and would like to receive a remediated/patched version 10.X to address this CVE.
In the meantime, you can override glob on this dependency only in your package.json:

npm:

```json
"overrides": {
  "@nestjs/cli": {
    "glob": "^10.5.0"
  }
},
```

yarn:

```json
"resolutions": {
  "@nestjs/cli/glob": "^10.5.0"
},
```