NPM Audit, Severity: High. Glob package in Tailwind v3 #19325

ashleyyy94 · 2025-11-18T09:20:05Z

ashleyyy94
Nov 18, 2025

Hi team,

GHSA-5j98-mcp5-4vw2. Glob package used in Tailwind v3 has a CVE reported with high severity, as shown below:


glob  10.3.7 - 11.0.3
Severity: high
glob CLI: Command injection via -c/--cmd executes matches with shell:true - https://github.com/advisories/GHSA-5j98-mcp5-4vw2
fix available via `npm audit fix --force`
Will install tailwindcss@4.1.17, which is a breaking change
node_modules/sucrase/node_modules/glob
  sucrase  >=3.35.0
  Depends on vulnerable versions of glob
  node_modules/sucrase
    tailwindcss  3.4.15 - 3.4.18
    Depends on vulnerable versions of sucrase
    node_modules/tailwindcss

Requesting for a release for v3 with the package updated, thank you!

nullaf · 2025-11-18T12:32:27Z

nullaf
Nov 18, 2025

I'd really appreciate this change too

0 replies

tordans · 2025-11-18T13:30:19Z

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

NPM Audit, Severity: High. Glob package in Tailwind v3 #19325

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Uh oh!

NPM Audit, Severity: High. Glob package in Tailwind v3 #19325

Uh oh!

ashleyyy94 Nov 18, 2025

Replies: 2 comments

Uh oh!

nullaf Nov 18, 2025

Uh oh!

tordans Nov 18, 2025

ashleyyy94
Nov 18, 2025

nullaf
Nov 18, 2025

tordans
Nov 18, 2025