A high severity vulnerability in glob utilized by TailwindCSS 3 #19327

@ajuvonen

What version of Tailwind CSS are you using?

3.4.18

What build tool (or framework if it abstracts the build tool) are you using?

Vite 7

What version of Node.js are you using?

22

What browser are you using?

N/A

What operating system are you using?

N/A

Reproduction URL

Repro URL not necessary

Describe your issue

Taking into account the following NPM audit report, could you consider patching TailwindCSS 3 to mitigate the vulnerability?

# npm audit report

glob  10.3.7 - 11.0.3
Severity: high
glob CLI: Command injection via -c/--cmd executes matches with shell:true - https://github.com/advisories/GHSA-5j98-mcp5-4vw2
fix available via `npm audit fix --force`
Will install tailwindcss@4.1.17, which is a breaking change
node_modules/glob
  js-beautify  >=1.15.3
  Depends on vulnerable versions of glob
  node_modules/js-beautify
  sucrase  >=3.35.0
  Depends on vulnerable versions of glob
  node_modules/sucrase
    tailwindcss  3.4.15 - 3.4.18
    Depends on vulnerable versions of sucrase
    node_modules/tailwindcss
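
One way to check which glob installs in a project's lockfile fall in the range reported above, and which packages resolve to them (an added example, not part of the original issue or of Tailwind's code). It assumes the npm lockfile v2/v3 `packages` layout; `sampleLock` and all function names are constructed for illustration.

```javascript
// Range taken from the npm audit output above: glob 10.3.7 - 11.0.3.
const VULN_MIN = [10, 3, 7], VULN_MAX = [11, 0, 3];
// Compare two [major, minor, patch] triples.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Prerelease/build suffixes are dropped before comparing.
function inVulnerableRange(version) {
  const v = version.split(/[-+]/)[0].split(".").map(Number);
  return cmp(v, VULN_MIN) >= 0 && cmp(v, VULN_MAX) <= 0;
}

// Node-style lookup in the lockfile "packages" map, innermost node_modules first.
function resolve(packages, fromPath, name) {
  let dir = fromPath;
  while (true) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (!dir) return null;
    const cut = dir.lastIndexOf("/node_modules/");
    dir = cut === -1 ? "" : dir.slice(0, cut);
  }
}

// Map each glob install in the range to the packages that resolve to it.
function findVulnerableGlob(lock) {
  const packages = lock.packages || {}, findings = {};
  for (const [path, meta] of Object.entries(packages))
    if (/(^|\/)node_modules\/glob$/.test(path) && meta.version && inVulnerableRange(meta.version))
      findings[path] = { version: meta.version, dependents: [] };
  for (const [path, meta] of Object.entries(packages)) {
    const deps = { ...meta.dependencies, ...meta.devDependencies, ...meta.optionalDependencies };
    const target = "glob" in deps ? resolve(packages, path, "glob") : null;
    if (target && findings[target]) findings[target].dependents.push(path || "(root)");
  }
  return findings;
}

// Constructed sample (lockfile v3 layout); only the tailwindcss version is from the page.
const sampleLock = { packages: {
  "": { dependencies: { tailwindcss: "3.4.18" } },
  "node_modules/tailwindcss": { version: "3.4.18", dependencies: { sucrase: "^3.35.0" } },
  "node_modules/sucrase": { version: "3.35.0", dependencies: { glob: "^10.3.10" } },
  "node_modules/glob": { version: "10.4.5" },
  "node_modules/rimraf": { version: "3.0.2", dependencies: { glob: "^7.1.3" } },
  "node_modules/rimraf/node_modules/glob": { version: "7.2.3" },
} };
console.log(JSON.stringify(findVulnerableGlob(sampleLock), null, 2));
```

To run it against a real project, pass the parsed contents of `package-lock.json` to `findVulnerableGlob` in place of `sampleLock`.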
