@react-router/dev depends on a version of glob that is vulnerable

[vmihalachi]

Reproduction

Hi!

It seems that the current version referenced by @react-router/dev depends on a version of glob that is vulnerable.

The recommendation is to upgrade glob from 10.4.5 to 10.5.0 to fix the vulnerability.

Here the details:

• See advisory for vulnerability details
• isaacs/node-glob@1e4e297
• isaacs/node-glob@47473c0
• GHSA-5j98-mcp5-4vw2
• https://nvd.nist.gov/vuln/detail/CVE-2025-64756

System Info

Not applicable

Used Package Manager

npm

Expected Behavior

Not applicable

Actual Behavior

Not applicable

[timdorr]

Not true. We use tinyglobby:

react-router/packages/react-router-dev/package.json

Line 92 in e30006e

"tinyglobby": "^0.2.14",

And fast-glob in our dev deps:

react-router/packages/react-router-dev/package.json

Line 112 in e30006e

"fast-glob": "3.2.11",

The only place we use glob directly is via our integration test suite, which isn't library code:

react-router/integration/package.json

Line 31 in e30006e

"glob": "8.0.3",

[vmihalachi]

Hi @timdorr , I checked better. You are right that is not a direct dependency, but it's an indirect one from @npmcli/package-json. This dependency should most likely be updated from v4 to v7 :)

@react-router/dev depends on @npmcli/package-json

Source code https://github.com/remix-run/react-router/blob/main/packages/react-router-dev/package.json

.lock file

@npmcli/package-json depends on glob

Source code of version 4.0.1 https://github.com/npm/package-json/blob/v4.0.1/package.json

.lock file

And here is the @npmcli/package-json changelog that mentions glob related updates https://github.com/npm/package-json/blob/main/CHANGELOG.md

[timdorr]

While @react-router/dev should be a dev dep and this won't be a practical issue, and the vulnerability is with the CLI version of glob not the library itself, this will be resolved when #14558 is published.

[vmihalachi]

@timdorr thank you very much :)