Vulnerability in glob dependency

[seasoninthesky]

Is your feature request related to a problem? Please describe:

There is a vulnerability found in the glob package:
GHSA-5j98-mcp5-4vw2

Describe the solution you'd like:

The current version of @datadog/webpack-plugin uses glob v11.0.0

Updating glob to v11.1.0 would fix the issue.

Thanks!

[yoannmoinet]

Thanks a ton for the report!
It seems to only impact the CLI usage of glob, which we don't use.

The glob CLI contains a command injection vulnerability in its -c/--cmd option that allows arbitrary command execution when processing files with malicious names. When glob -c <command> <patterns> is used, matched filenames are passed to a shell with shell: true, enabling shell metacharacters in filenames to trigger command injection and achieve arbitrary code execution under the user or CI account privileges.

Also confirmed that the library usage is safe:

CLI Only: The vulnerability affects only the command-line interface
Library Safe: The core glob library API (glob(), globSync(), streams/iterators) is not affected
Shell Dependency: Exploitation requires shell metacharacter support (primarily POSIX systems)

[seasoninthesky]

Good to know that it's safe. It would still be nice to update though, due to npm audit fails in the CI 😇

[yoannmoinet]

It would still be nice to update though, due to npm audit fails in the CI 😇

That's fair indeed, feel free to submit a PR.
Otherwise I'll get to it later this week.

[seasoninthesky]

@yoannmoinet it would still be nice if you have time to update this. Thanks in advance.

[yoannmoinet]

Opened #256