UI5 / webcomponents-react / build 19458559428
Coverage: 85% (main: 85%)
Last build branch: dependabot/npm_and_yarn/examples/nextjs-app/next-16.1.5
Default branch: main
Ran 18 Nov 2025 08:05AM UTC
Jobs: 7
Files: 231
Run time: 1min

18 Nov 2025 08:01AM UTC coverage: 84.929%. Remained the same
Build 19458559428 (push, github, web-flow)

chore(deps): update dependency glob to v11.1.0 [security] (#7950)

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| [glob](https://redirect.github.com/isaacs/node-glob) | [`11.0.3` -> `11.1.0`](https://renovatebot.com/diffs/npm/glob/11.0.3/11.1.0) | [![age](https://developer.mend.io/api/mc/badges/age/npm/glob/11.1.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/glob/11.0.3/11.1.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2025-64756](https://redirect.github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2)

### Summary

The glob CLI contains a command injection vulnerability in its `-c/--cmd` option that allows arbitrary command execution when processing files with malicious names. When `glob -c <command> <patterns>` is used, matched filenames are passed to a shell with `shell: true`, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges.

### Details

**Root Cause:**
The vulnerability exists in `src/bin.mts:277` where the CLI collects
glob matches and executes the supplied command using `foregroundChild()`
with `shell: true`:

```javascript
stream.on('end', () => foregroundChild(cmd, matches, { shell: true }))
```

**Technical Flow:**
1. User runs `glob -c <command> <pattern>`
2. CLI finds files matching the pattern
3. Matched filenames are collected into an array
4. Command is executed with matched filenames as arguments using `shell: true`
5. Shell interprets metacharacters in filenames as command syntax
6. Malicious filenames execute arbitrary commands

**Affected Component:**
- **CLI Only:** The vulnerability affects only the command-line interface
- **Library Safe:** The core glob library API (`glob()`, `globSync()`, streams/iterators) is not... (continued)

3264 of 4169 branches covered (78.29%)

Branch coverage included in aggregate %.

5741 of 6434 relevant lines covered (89.23%)

118568.16 hits per line

Jobs

| ID | Job | Job ID | Ran | Files | Coverage | Source |
|---|---|---|---|---|---|---|
| 2 | base | 19458559428.2 | 18 Nov 2025 08:06AM UTC | 162 | 11.58 | GitHub Action Run |
| 3 | charts | 19458559428.3 | 18 Nov 2025 08:07AM UTC | 215 | 21.38 | GitHub Action Run |
| 4 | main/src/internal | 19458559428.4 | 18 Nov 2025 08:05AM UTC | 157 | 10.15 | GitHub Action Run |
| 5 | main/src/webComponents | 19458559428.5 | 18 Nov 2025 08:05AM UTC | 157 | 8.43 | GitHub Action Run |
| 6 | cypress-commands | 19458559428.6 | 18 Nov 2025 08:05AM UTC | 157 | 10.0 | GitHub Action Run |
| 7 | compat | 19458559428.7 | 18 Nov 2025 08:05AM UTC | 168 | 13.32 | GitHub Action Run |
| 7 | main/src/components | 19424552838.7 | 17 Nov 2025 09:32AM UTC | 157 | 85.95 | GitHub Action Run |
Source Files on build 19458559428: 231 files listed, 3 changed, 3 with source changes, 0 with coverage changes.
  • Github Actions Build #19458559428
  • bfbee040 on github
  • Prev Build on gh-readonly-queue/main/pr-7944-4bc4f61bd9c4c4f01fb4fa2e3c2673dba34693ab (#19424552838)
© 2026 Coveralls, Inc