Looks like tempy is on a strict version 1.0.1 in this project's package.json. As a result, this tree is the maximum version of glob that can be upgraded safely while respecting all the other package's constraints.
├─ root-package
│ └─ semantic-release-monorepo@npm:8.0.2 [0d2e1] (via npm:^8.0.2 [38627])
│ └─ tempy@npm:1.0.1 (via npm:1.0.1)
│ └─ del@npm:6.1.1 (via npm:^6.0.0)
│ └─ rimraf@npm:3.0.2 (via npm:^3.0.2)
│ └─ glob@npm:7.2.3 (via npm:^7.1.3)
The CVE that this version of glob is affected by is CVE-2025-64756.
I'm not sure if there was a technical reason that it was pinned, but at this point there are 2 major version increases for tempy. I haven't exhausted them all but, I have confirmed that if this library upgraded to the latest, this particular CVE would go away. I'd be happy to make a PR to migrate this dependency, but wanted to check first that there wasn't a technical reason for this particular pin.
ETA:
- I looked into the loose 2.0 release of tempy, and the same glob version (by way of the same
del version) would be included, so 3.x would be necessary.
Looks like tempy is on a strict version
1.0.1in this project's package.json. As a result, this tree is the maximum version ofglobthat can be upgraded safely while respecting all the other package's constraints.The CVE that this version of
globis affected by isCVE-2025-64756.I'm not sure if there was a technical reason that it was pinned, but at this point there are 2 major version increases for
tempy.I haven't exhausted them all but,I have confirmed that if this library upgraded to the latest, this particular CVE would go away. I'd be happy to make a PR to migrate this dependency, but wanted to check first that there wasn't a technical reason for this particular pin.ETA:
delversion) would be included, so 3.x would be necessary.