UI5 / webcomponents-react / build 19459438263
Coverage: 85%

Build:
Default branch: main
Ran: 18 Nov 2025 08:38AM UTC
Jobs: 7
Files: 231
Run time: 1min
18 Nov 2025 08:16AM UTC coverage: 84.91% (-0.02%) from 84.929%
Build 19459438263 · trigger: push · source: github · author: web-flow
chore(deps): update dependency glob to v11.1.0 [security] (#7950)

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| [glob](https://redirect.github.com/isaacs/node-glob) | [`11.0.3` -> `11.1.0`](https://renovatebot.com/diffs/npm/glob/11.0.3/11.1.0) | [![age](https://developer.mend.io/api/mc/badges/age/npm/glob/11.1.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/glob/11.0.3/11.1.0?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2025-64756](https://redirect.github.com/isaacs/node-glob/security/advisories/GHSA-5j98-mcp5-4vw2)

### Summary

The glob CLI contains a command injection vulnerability in its
`-c/--cmd` option that allows arbitrary command execution when
processing files with malicious names. When `glob -c <command>
<patterns>` is used, matched filenames are passed to a shell with
`shell: true`, enabling shell metacharacters in filenames to trigger
command injection and achieve arbitrary code execution under the user or
CI account privileges.

### Details

**Root Cause:**
The vulnerability exists in `src/bin.mts:277` where the CLI collects
glob matches and executes the supplied command using `foregroundChild()`
with `shell: true`:

```javascript
stream.on('end', () => foregroundChild(cmd, matches, { shell: true }))
```

**Technical Flow:**
1. User runs `glob -c <command> <pattern>` 
2. CLI finds files matching the pattern
3. Matched filenames are collected into an array
4. Command is executed with matched filenames as arguments using `shell: true`
5. Shell interprets metacharacters in filenames as command syntax
6. Malicious filenames execute arbitrary commands

**Affected Component:**
- **CLI Only:** The vulnerability affects only the command-line
interface
- **Library Safe:** The core glob library API (`glob()`, `globSync()`,
streams/iterators) is not... (continued)

3263 of 4169 branches covered (78.27%)

Branch coverage included in aggregate %.

5740 of 6434 relevant lines covered (89.21%)

118622.73 hits per line

Uncovered Existing Lines

| Lines | Coverage | ∆ | File |
|---|---|---|---|
| 1 | 88.46 | -7.69% | packages/base/src/internal/utils/debounce.ts |
Jobs

| ID | Job ID | Ran | Files | Coverage (%) |
|---|---|---|---|---|
| 1 | base - 19459438263.1 | 18 Nov 2025 08:39AM UTC | 162 | 11.56 |
| 2 | main/src/components - 19459438263.2 | 18 Nov 2025 08:46AM UTC | 157 | 85.95 |
| 3 | charts - 19459438263.3 | 18 Nov 2025 08:40AM UTC | 215 | 21.38 |
| 4 | main/src/internal - 19459438263.4 | 18 Nov 2025 08:39AM UTC | 157 | 10.15 |
| 5 | main/src/webComponents - 19459438263.5 | 18 Nov 2025 08:38AM UTC | 157 | 8.44 |
| 6 | compat - 19459438263.6 | 18 Nov 2025 08:39AM UTC | 168 | 13.32 |
| 7 | cypress-commands - 19459438263.7 | 18 Nov 2025 08:39AM UTC | 157 | 10.0 |
Source Files on build 19459438263: 231 files, 5 changed (3 with source changes, 2 with coverage changes).
  • Github Actions Build #19459438263
  • Commit 15d6d828 on github
  • Prev Build on gh-readonly-queue/main/pr-7947-b722ccfc31a992795f7c971d24765fa18eef971d (#19459145319)
  • Next Build on main (#19462058371)
© 2025 Coveralls, Inc