@PabloThiele
Contributor

@PabloThiele PabloThiele commented Nov 20, 2025

User description

Description of change

This PR upgrades the glob package from version 10.4.5 to 10.5.0 to address security vulnerability CVE-2025-64756.

What the change does:

  • Updates the glob dependency in package.json from ^10.4.5 to ^10.5.0
  • Updates package-lock.json to reflect the new version

Why this change is needed:
The current version of glob (10.4.5) contains a command injection vulnerability (CVE-2025-64756) in its CLI -c/--cmd option. This vulnerability allows arbitrary command execution when processing files with malicious names. The issue affects versions 10.3.7 to 10.4.x and has been patched in version 10.5.0.

CVSS Score: 7.5 (HIGH severity)

  • Attack vector: NETWORK
  • Attack complexity: HIGH
  • Confidentiality impact: HIGH
  • Integrity impact: HIGH

How verified:

  • ✅ Updated package.json and ran npm install to update package-lock.json
  • ✅ Verified compilation succeeds with npm run compile
  • ✅ Confirmed glob version updated to 10.5.0 in package-lock.json
  • ✅ No linting errors introduced

Current behavior:
TypeORM uses glob version 10.4.5 which is vulnerable to CVE-2025-64756.

New behavior:
TypeORM uses glob version 10.5.0 which includes the security patch for CVE-2025-64756.

References:

Pull-Request Checklist

  • Code is up-to-date with the master branch
  • This pull request links relevant issues as Fixes #00000 (N/A - security fix, no related issue)
  • There are new or updated unit tests validating the change (N/A - dependency upgrade only, no code changes)
  • Documentation has been updated to reflect this change (N/A - no user-facing changes)

PR Type

Bug fix


Description

  • Upgrades glob dependency from 10.4.5 to 10.5.0

  • Addresses CVE-2025-64756 command injection vulnerability

  • Prevents arbitrary command execution via malicious filenames

  • HIGH severity security patch (CVSS 7.5)


Diagram Walkthrough

flowchart LR
  A["glob 10.4.5<br/>Vulnerable"] -- "Security Patch" --> B["glob 10.5.0<br/>CVE-2025-64756 Fixed"]
  B --> C["Command Injection<br/>Prevented"]

File Walkthrough

Relevant files
Dependencies
  package.json: Upgrade glob dependency to patched version (+1/-1)
    • Updated glob dependency version from ^10.4.5 to ^10.5.0
    • Addresses CVE-2025-64756 command injection vulnerability
    • No other dependency changes

Summary by CodeRabbit

  • Chores
    • Updated an internal dependency (glob) to a newer patch release. No user-facing changes or new features in this release.


Upgrade glob from version 10.4.5 to 10.5.0 to address security vulnerability CVE-2025-64756.

The vulnerability allows command injection through the glob CLI -c/--cmd option when processing files with malicious names. This affects versions 10.3.7 to 10.4.x. The issue has been patched in version 10.5.0.

CVE-2025-64756
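As an added example (not part of this PR, nor code from the typeorm or glob projects), the following Node script audits a package-lock.json for every resolved copy of glob and flags those inside the affected range the description states (10.3.7 up to, but not including, 10.5.0). It handles both the lockfileVersion 2/3 "packages" map and the older lockfileVersion 1 nested "dependencies" tree, because a transitive dependency can still pin a vulnerable nested copy even after the top-level bump in package.json. The lockfile embedded below is constructed; the range constants and helper names are this example's own assumptions.

```javascript
// Added example: audit a package-lock.json for glob copies in the CVE-2025-64756
// affected range. Not part of the typeorm PR or of the glob project.

// Affected range as stated in the PR description: 10.3.7 <= version < 10.5.0.
const AFFECTED_MIN = [10, 3, 7];
const FIXED = [10, 5, 0];

// Parse the leading MAJOR.MINOR.PATCH of a version string into numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic compare of two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version falls inside [AFFECTED_MIN, FIXED).
function isAffected(version) {
  const v = parseVersion(version);
  return compareVersions(v, AFFECTED_MIN) >= 0 && compareVersions(v, FIXED) < 0;
}

// Collect { path, version } for every package named "glob" in the lockfile,
// including nested copies under other packages' node_modules.
function findGlobCopies(lock) {
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys are install paths such as
    // "node_modules/glob" or "node_modules/foo/node_modules/glob".
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === "node_modules/glob" || path.endsWith("/node_modules/glob")) {
        found.push({ path, version: entry.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: a nested "dependencies" tree.
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === "glob") found.push({ path, version: entry.version });
        if (entry.dependencies) walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return found;
}

// Return only the copies that are in the affected range.
function auditLock(lock) {
  return findGlobCopies(lock).filter((c) => isAffected(c.version));
}

// Constructed sample lockfile (not typeorm's real lockfile): the top-level glob
// is patched, but a transitive dependency still pins a vulnerable nested copy,
// and an old glob 7.x copy sits outside the affected range entirely.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/glob": { version: "10.5.0" },
    "node_modules/some-tool": { version: "2.0.0" },
    "node_modules/some-tool/node_modules/glob": { version: "10.4.5" },
    "node_modules/old-glob-user/node_modules/glob": { version: "7.2.3" },
  },
};

// Usage: `node audit-glob.js [path/to/package-lock.json]`; with no argument the
// constructed sample above is audited instead.
let lockToAudit = SAMPLE_LOCK;
if (typeof require === "function" && typeof process !== "undefined" && process.argv[2]) {
  const fs = require("node:fs");
  lockToAudit = JSON.parse(fs.readFileSync(process.argv[2], "utf8"));
}
const hits = auditLock(lockToAudit);
for (const h of hits) console.log(`AFFECTED: ${h.path} is glob@${h.version}`);
console.log(hits.length ? `${hits.length} affected glob copy(ies) found` : "no affected glob copies");
```

The point of checking the lockfile rather than package.json is that the caret range in package.json only governs the top-level copy; a nested copy pinned by another dependency keeps its own version until that dependency is updated or deduplicated, so the check should be run after every `npm install` and not just after the bump.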
@qodo-free-for-open-source-projects

qodo-free-for-open-source-projects bot commented Nov 20, 2025

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
🟢
No security concerns identified
No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
🎫 No ticket provided
Codebase Duplication Compliance
Codebase context is not defined


Custom Compliance
🟢
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status: Passed


Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed


Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status: Passed


Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed


Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed


Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status: Passed


Compliance status legend
🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

@coderabbitai
Contributor

coderabbitai bot commented Nov 20, 2025

Walkthrough

A dependency version bump for the "glob" package from ^10.4.5 to ^10.5.0 in package.json. No behavioral changes, API modifications, or control flow alterations.

Changes

Cohort / File(s): Dependency version update (package.json)
Summary: Bumped "glob" dependency from ^10.4.5 to ^10.5.0

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

  • Verify that glob v10.5.0 is backward compatible and introduces no breaking changes
  • Confirm the updated version is appropriate for the project's use case

Possibly related issues

Suggested reviewers

  • sgarner
  • gioboa

Poem

🐰 A hop and a bump, a tidy small fix,
glob leaps from 10.4.5 to 10.5, quick!
No new paths changed, just safer to stay,
I nibble the crumbs and bound on my way. ✨

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.
Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check: ✅ Passed. The title accurately describes the main change: upgrading the glob dependency to address a CVE vulnerability, which is the primary objective of this pull request.

@qodo-free-for-open-source-projects

qodo-free-for-open-source-projects bot commented Nov 20, 2025

PR Code Suggestions ✨

No code suggestions found for the PR.

@alumni
Collaborator

alumni commented Nov 20, 2025

See #11776

@pkg-pr-new

pkg-pr-new bot commented Nov 20, 2025

typeorm-sql-js-example

npm i https://pkg.pr.new/typeorm/typeorm@11784

commit: ec1d717

@pkuczynski pkuczynski changed the title fix: upgrade glob to fix CVE-2025-64756 fix(deps): upgrade glob to fix CVE-2025-64756 Nov 20, 2025
@OSA413 OSA413 merged commit dc74f53 into typeorm:master Nov 20, 2025
146 of 163 checks passed
@danielelkington

Will 0.3.28 be released soon so this patch can be released?

@alumni
Collaborator

alumni commented Nov 23, 2025

@danielelkington you don't need this patch, please check #11776 (comment).

ThbltLmr pushed a commit to ThbltLmr/typeorm that referenced this pull request Dec 2, 2025
Co-authored-by: Oleg "OSA413" Sokolov <OSA413@users.noreply.github.com>
mgohin pushed a commit to mgohin/typeorm that referenced this pull request Jan 15, 2026
Co-authored-by: Oleg "OSA413" Sokolov <OSA413@users.noreply.github.com>