typeorm is using glob version that contains CVE

[menahemo]

Issue description

typeorm is using glob version that contains CVE

Expected Behavior

Actual Behavior

Scan tools find high CVE in the latest typeorm version

Steps to reproduce

Use the latest package version build your code and scan it using JFrog or any other scan tools. You will find the vulnerable glob version in the package-lock file:
typeorm@0.3.27(ioredis@5.6.1)(pg@8.16.3)(reflect-metadata@0.2.2)(ts-node@10.9.2(@types/node@22.16.5)(typescript@5.8.3)):
dependencies:
'@sqltools/formatter': 1.2.5
ansis: 3.17.0
app-root-path: 3.1.0
buffer: 6.0.3
dayjs: 1.11.13
debug: 4.4.1
dedent: 1.6.0
dotenv: 16.6.1
glob: 10.4.5
reflect-metadata: 0.2.2
sha.js: 2.4.12
sql-highlight: 6.1.0
tslib: 2.8.1
uuid: 11.1.0
yargs: 17.7.2
optionalDependencies:
ioredis: 5.6.1
pg: 8.16.3
ts-node: 10.9.2(@types/node@22.16.5)(typescript@5.8.3)
transitivePeerDependencies:
- babel-plugin-macros
- supports-color

My Environment

typeorm@0.3.27(ioredis@5.6.1)(pg@8.16.3)(reflect-metadata@0.2.2)(ts-node@10.9.2(@types/node@22.16.5)(typescript@5.8.3)):
dependencies:
'@sqltools/formatter': 1.2.5
ansis: 3.17.0
app-root-path: 3.1.0
buffer: 6.0.3
dayjs: 1.11.13
debug: 4.4.1
dedent: 1.6.0
dotenv: 16.6.1
glob: 10.4.5
reflect-metadata: 0.2.2
sha.js: 2.4.12
sql-highlight: 6.1.0
tslib: 2.8.1
uuid: 11.1.0
yargs: 17.7.2
optionalDependencies:
ioredis: 5.6.1
pg: 8.16.3
ts-node: 10.9.2(@types/node@22.16.5)(typescript@5.8.3)
transitivePeerDependencies:
- babel-plugin-macros
- supports-color

Additional Context

No response

Relevant Database Driver(s)

• aurora-mysql
• aurora-postgres
• better-sqlite3
• cockroachdb
• cordova
• expo
• mongodb
• mysql
• nativescript
• oracle
• postgres
• react-native
• sap
• spanner
• sqlite
• sqlite-abstract
• sqljs
• sqlserver

Are you willing to resolve this issue by submitting a Pull Request?

No, I don’t have the time and I’m okay to wait for the community / maintainers to resolve this issue.

[alumni]

@menahemo Whenever you have an issue with a sub-dependency, please fix it in your own repository by running npm update, it should update glob to 10.5.0.

The npm registry is currently down (affected by the global Cloudfare outage) - you can do that after it's back up.

[p-mcgowan]

For anyone else watching the status: until it's resolved, you can override glob ^10 with a newer version in packge.json

"overrides": {
    "typeorm": {
      "glob": "^11.0.4"
    }
  },

Note that I don't believe this will work for everyone - my tests pass but apparently glob 11 is ESM and I would imagine other things should be failing (we only really use migrations and raw queries).

[menahemo]

@alumni @p-mcgowan We tried those fixes but it didn't worked for us.
Is there any ETA for a new version of typeorm?

[jpol0191]

If you need a temporary solution while the maintainer works on this, the following works on my project:

//package.json

"resolutions": {
  "typeorm/glob": "^10.5.0"
}

Run yarn install or npm install afterwards.

[alumni]

You can remove the resolution/override after running install (unless you need it for other dependencies). TypeORM requires glob@^10.4.5, which is already satisfied by 10.5.0, so there's nothing that TypeORM needs to fix.

All you need to do is to just update the glob transitive dependency using your package manager.

[cteyton]

If you need a temporary solution while the maintainer works on this, the following works on my project:

//package.json

"resolutions": {
  "typeorm/glob": "^10.5.0"
}

Run yarn install or npm install afterwards.

Hi @jpol0191 👋
Since the vulnerability concerns glob versions >= 10.3.7 <= 11.0.3, I'm wondering how your proposal should solve the issue?

[jpol0191]

If you need a temporary solution while the maintainer works on this, the following works on my project:

//package.json

"resolutions": {
  "typeorm/glob": "^10.5.0"
}

Run yarn install or npm install afterwards.

Hi @jpol0191 👋 Since the vulnerability concerns glob versions >= 10.3.7 <= 11.0.3, I'm wondering how your proposal should solve the issue?

I used the trivy utility to tell me which version have the CVE fixed. My tool outputs 11.1.0 and 10.5.0 as fixed versions.

You can also read here. https://avd.aquasec.com/nvd/2025/cve-2025-64756/#:~:text=This%20issue%20has%20been%20patched%20in%20versions%2010.5.0%20and%2011.1.0.