fix(security): patch glob CLI command injection in lovable_clone npm lockfile #413
Aryansharma28 merged 4 commits into main
Dependency Update Assessment:

| | Before | After |
|---|---|---|
| glob version | 10.4.5 | 13.0.6 |
| Major versions jumped | — | 3 major versions |
This is a significant version jump. However, the reason npm resolved to 13.0.6 instead of 10.5.0 is that all glob 10.x versions are now marked as deprecated by the maintainer (isaacs). npm prefers non-deprecated versions when resolving ranges, so >=10.5.0 lands on the latest stable (13.0.6).
The glob JS API (glob(), globSync(), Glob class) has remained stable across these versions. The breaking changes in 11.x/12.x/13.x were primarily around: dropping old Node.js versions, removing the callback API (already removed in 10.x), and internal performance improvements.
5. PINNED VERSION COMMENTS
None found. No comments anywhere in the codebase mention pinning or constraining glob versions.
6. TRANSITIVE vs DIRECT
Transitive only. The full dependency chain is:
tailwindcss (devDependency) → sucrase (^3.35.0) → glob (^10.3.10)
- tailwindcss is a devDependency in the template
- sucrase uses glob only in its CLI (dist/cli.js) for file globbing — not in its core transpiler API
- tailwindcss uses sucrase's programmatic API for transpiling config files, not sucrase's CLI
- Therefore: even if glob 13.x had breaking API changes, they would not affect tailwindcss's usage of sucrase
7. FINAL VERDICT: TRIVIAL
Classification: TRIVIAL — Dev-only transitive dep, not imported anywhere in our code. Safe to merge with CI passing.
Rationale:
- glob is a transitive devDependency in an example template (not published, not production code)
- Zero direct imports of glob exist anywhere in the codebase
- The consuming package (sucrase) only uses glob in its CLI, and its consumer (tailwindcss) uses sucrase's programmatic API — the glob upgrade path is completely inert
- The 3-major-version jump is forced by the maintainer deprecating all 10.x releases; npm resolves to the latest non-deprecated version
- No node_modules are even committed — this only affects the lockfile
- No version pin comments exist anywhere in the codebase
Risk: effectively zero. The only way this could cause an issue is if someone runs npm install in the example template and sucrase's CLI (not used by tailwindcss) fails on glob 13.x — and even that is unlikely since the JS API is stable.
CI green — all 7 checks pass (CodeQL, Python tests, PR validation, evaluation, approval gate). Ready for review.
…late npm lockfile
caa68f3 to fee53c2
Rebased onto latest main. Conflict resolved in
Resolved override conflict in package.json by keeping both rollup (from main) and glob (from this branch). package-lock.json regenerated against current main. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Automated low-risk assessment
This PR was evaluated against the repository's Low-Risk Pull Requests procedure and does not qualify as low risk.
This PR requires a manual review before merging.
Re-resolved lovable_clone/template/package.json after main merged #413 (glob), keeping both picomatch ranges from this PR (2.x + 4.x) plus glob override from main. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Re-resolved lovable_clone/template/package.json after main merged #413 (glob), keeping all overrides combined plus lodash from this PR. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Adds npm overrides for glob in python/examples/lovable_clone/template to fix:
Note: pnpm-lock.yaml fix for docs/ is handled by PR #394.
Part of #400
Test plan
`npm install --package-lock-only` succeeds
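The test plan only checks that the lockfile regenerates. A reviewer would also want to confirm that the override actually took effect for every copy of glob in the lockfile, including nested copies under `node_modules/<pkg>/node_modules/glob` that a hoisted top-level entry can hide. The Node.js script below is an added example, not code from this PR or the repository: it walks the `packages` map of a lockfileVersion 2/3 `package-lock.json` and reports every install path of a package whose version is below a minimum. The sample lockfile, its paths and its versions are constructed for illustration; the `>=10.5.0` threshold is the one the assessment above cites.

```javascript
// Added example (not part of PR #413): verify that every copy of a package in a
// package-lock.json (lockfileVersion 2/3 "packages" map) meets a minimum version,
// so a reviewer can confirm an npm `overrides` entry was applied at every nesting depth.
// SAMPLE_LOCK is constructed for illustration; its paths and versions are assumptions,
// not the repository's real lockfile.
const SAMPLE_LOCK = {
  name: 'lovable-template',
  lockfileVersion: 3,
  packages: {
    '': { name: 'lovable-template', devDependencies: { tailwindcss: '^3.4.0' } },
    'node_modules/tailwindcss': { version: '3.4.17', dependencies: { sucrase: '^3.35.0' } },
    'node_modules/sucrase': { version: '3.35.0', dependencies: { glob: '^10.3.10' } },
    // Hoisted top-level copy: already on a safe version.
    'node_modules/glob': { version: '13.0.6' },
    // Nested copy that escaped the override: this is what the check must flag.
    'node_modules/sucrase/node_modules/glob': { version: '10.4.5' },
    // Different package with a similar prefix: must not be matched.
    'node_modules/glob-parent': { version: '6.0.2' },
  },
};

// Parse "MAJOR.MINOR.PATCH" (optional leading "v", pre-release suffix ignored).
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison; a plain string compare would rank "9.x" above "10.x".
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Every install path of `name` in the lockfile, at any nesting depth.
// Matches "node_modules/<name>" and ".../node_modules/<name>" exactly, so
// "node_modules/<name>-other" is not picked up.
function findPackageVersions(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .map(([path, entry]) => ({ path, version: entry.version }));
}

// Install paths whose version is below `minVersion`, formatted for a review comment.
function checkLockfile(lock, name, minVersion) {
  return findPackageVersions(lock, name)
    .filter(({ version }) => compareSemver(version, minVersion) < 0)
    .map(({ path, version }) => `${path}@${version} < ${minVersion}`);
}

// Stand-alone run against the constructed lockfile. To check a real one, replace
// SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).
const report = checkLockfile(SAMPLE_LOCK, 'glob', '10.5.0');
console.log(report.length ? report.join('\n') : 'all copies of glob are >= 10.5.0');
```

Against the constructed lockfile the script reports only the nested `node_modules/sucrase/node_modules/glob@10.4.5` entry; a clean result after regenerating the lockfile is the evidence that the override reached the transitive copy, not just the hoisted one.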