Description
Is there an existing issue for this?
- I have checked for existing issues https://github.com/getsentry/sentry-javascript/issues
- I have reviewed the documentation https://docs.sentry.io/
- I am using the latest SDK release https://github.com/getsentry/sentry-javascript/releases
How do you use Sentry?
Sentry Saas (sentry.io)
Which SDK are you using?
@sentry/react-router
SDK Version
10.26.0
Framework Version
React Router v7
Link to Sentry event
No response
Reproduction Example/SDK Setup
In the source main branch, @sentry/react-router has contained the patched version of the glob library since at least Friday 2025-11-20, but the last published version, 10.26.0, from the same date still contains the vulnerable library.
Add @sentry/react-router to a React Router project and run an audit:
npm create react-router@latest
npm install @sentry/react-router
npm audit
glob 11.0.0 - 11.0.3
Severity: high
glob CLI: Command injection via -c/--cmd executes matches with shell:true - https://github.com/advisories/GHSA-5j98-mcp5-4vw2
No fix available
node_modules/glob
@sentry/react-router *
Depends on vulnerable versions of glob
node_modules/@sentry/react-router
2 high severity vulnerabilities
Steps to Reproduce
- Create a react router project
- Install Sentry
- run npm audit
Expected Result
@sentry/react-router ships with no vulnerable libraries
Actual Result
@sentry/react-router introduces a vulnerable version of glob
Additional Context
No response
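A lockfile check for the glob range reported by npm audit above, as an added example (not code from the issue, the Sentry SDK or npm): it assumes a lockfileVersion 3 package-lock.json, and the embedded lockfile fragment, including the declared dependency ranges, is constructed for the demonstration.

```javascript
// Added example, not code from the issue or from the Sentry SDK: scan an npm
// package-lock.json ("packages" map, lockfileVersion 3) for glob copies in the
// range npm audit reports above (11.0.0 - 11.0.3, GHSA-5j98-mcp5-4vw2) and list
// the packages that declare a dependency on glob.

// Parse "MAJOR.MINOR.PATCH"; prerelease/build suffixes are ignored here.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}
// Inclusive range check: isInRange('11.0.2', '11.0.0', '11.0.3') === true.
function isInRange(version, low, high) {
  return compareVersions(version, low) >= 0 && compareVersions(version, high) <= 0;
}

// Advisory range exactly as printed by npm audit on this page.
const GLOB_ADVISORY = { name: 'glob', low: '11.0.0', high: '11.0.3', id: 'GHSA-5j98-mcp5-4vw2' };

// Name is whatever follows the last "node_modules/" in a lockfile key, so
// hoisted ("node_modules/glob") and nested copies are both found.
const pkgName = (key) => key.slice(key.lastIndexOf('node_modules/') + 'node_modules/'.length);

function findVulnerableCopies(lockfile, adv = GLOB_ADVISORY) {
  const hits = [];
  for (const [key, meta] of Object.entries(lockfile.packages || {})) {
    if (key === '' || pkgName(key) !== adv.name || !meta.version) continue;
    if (isInRange(meta.version, adv.low, adv.high)) hits.push({ path: key, version: meta.version });
  }
  return hits;
}
// Packages whose own "dependencies" declare the advisory package, with the declared range.
function dependentsOf(lockfile, name = GLOB_ADVISORY.name) {
  return Object.entries(lockfile.packages || {})
    .filter(([key, meta]) => key !== '' && meta.dependencies && name in meta.dependencies)
    .map(([key, meta]) => ({ pkg: pkgName(key), range: meta.dependencies[name] }));
}

// Constructed sample lockfile fragment mirroring the audit output above
// (declared ranges are made up for the example, not taken from the real packages).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  '': { name: 'my-app', dependencies: { '@sentry/react-router': '^10.26.0' } },
  'node_modules/@sentry/react-router': { version: '10.26.0', dependencies: { glob: '^11.0.3' } },
  'node_modules/glob': { version: '11.0.3' },
  'node_modules/some-tool': { version: '1.0.0', dependencies: { glob: '^10.0.0' } },
  'node_modules/some-tool/node_modules/glob': { version: '10.4.5' },
} };
for (const h of findVulnerableCopies(SAMPLE_LOCK)) console.log(`${h.path}@${h.version}: ${GLOB_ADVISORY.id}`);
```

Point it at a real lockfile with `JSON.parse(fs.readFileSync('package-lock.json'))` in place of SAMPLE_LOCK; the nested 10.4.5 copy in the sample is correctly left unflagged.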
Status
Waiting for: Community