Comparing changes

base repository: callstack/react-native-builder-bob
base: react-native-builder-bob@0.40.15
head repository: callstack/react-native-builder-bob
compare: react-native-builder-bob@0.40.16
  • 3 commits
  • 12 files changed
  • 3 contributors

Commits on Nov 24, 2025

  1. fix: update glob to v10.5.0 to resolve CVE-2025-64756 (#910)

    ### Summary
    
    This PR updates the `glob` package to version `^10.5.0` to resolve the
    command injection vulnerability
    [CVE-2025-64756](https://nvd.nist.gov/vuln/detail/CVE-2025-64756).
    
    Changes included:
    - Updated `glob` dependency in `packages/react-native-builder-bob` from
    `^8.0.3` to `^10.5.0`.
    - Refactored `src/utils/compile.ts` to use the new `globSync` named
    export from `glob` v10 API.
    - Removed `@types/glob` from `devDependencies` as `glob` v10 includes
    built-in type definitions, and the old types caused conflicts.
    - Added a `resolution` in the root `package.json` to force
    `glob@^10.5.0` across the monorepo, ensuring no vulnerable versions
    remain in the lockfile.
    
    ### Test plan
    
    1. **Automated Tests**: Ran `yarn test` in
    `packages/react-native-builder-bob`. All tests passed.
       ```bash
       yarn workspace react-native-builder-bob test
       ```
    2. **Type Check**: Ran `yarn typecheck` to verify that removing
    `@types/glob` and using built-in types works correctly.
       ```bash
       yarn typecheck
       ```
    3. **Lint Check**: Ran `yarn lint` to ensure no linting errors.
       ```bash
       yarn lint
       ```
    
    <!-- CURSOR_SUMMARY -->
    ---
    
    > [!NOTE]
    > Updates `glob` to ^10.5.0, refactors to use `globSync`, and removes
    `@types/glob` now that types are bundled.
    > 
    > - **Dependencies**
    > - Bump `glob` in `packages/react-native-builder-bob/package.json` from
    `^8.0.3` to `^10.5.0`.
    > - Remove `@types/glob` from `devDependencies` (types included in
    `glob` v10).
    > - **Build utils**
    > - Refactor `packages/react-native-builder-bob/src/utils/compile.ts` to
    import `{ globSync }` from `glob` and replace `glob.sync` call.
    > - **Lockfile**
    > - Update `yarn.lock` to reflect `glob@10.5.0` and updated transitive
    dependencies.
    > 
    > <sup>Written by [Cursor
    Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
    1f1c339. This will update automatically
    on new commits. Configure
    [here](https://cursor.com/dashboard?tab=bugbot).</sup>
    <!-- /CURSOR_SUMMARY -->
    
    ---------
    
    Co-authored-by: Ram <ramanathan.gksvv@gmail.com>
    ram-ui-dev and ramanathanMuthuraman authored Nov 24, 2025
    5aa16f8
  2. chore: update website URL

    satya164 committed Nov 24, 2025
    11b5783
  3. chore: publish

     - docs@0.6.10
     - create-react-native-library@0.55.1
     - react-native-builder-bob@0.40.16
    satya164 committed Nov 24, 2025
    b70f280
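
The first commit forces `glob@^10.5.0` through a resolution so that no older version remains in the lockfile; the check below verifies that property on lockfile text. It is an added example, not code from react-native-builder-bob: `findStaleGlob`, `FLOOR` and the sample lockfile are constructed for illustration, and the parser assumes Yarn Berry or Yarn classic entry syntax.

```javascript
// Minimum glob version forced by the resolution described in the commit message.
const FLOOR = [10, 5, 0];

// Constructed sample lockfile text (not the project's real yarn.lock),
// mixing Yarn Berry and Yarn classic entry styles.
const SAMPLE_LOCK = `
"glob@npm:^10.5.0":
  version: 10.5.0
  resolution: "glob@npm:10.5.0"

"glob@npm:^8.0.3":
  version: 8.1.0

"glob-parent@npm:^5.1.2":
  version: 5.1.2

glob@^7.1.3, glob@^7.1.4:
  version "7.2.3"
`;

// Return every `glob` lockfile entry that resolves below the floor.
function findStaleGlob(lockText, floor = FLOOR) {
  const stale = [];
  let header = '';
  let inGlobEntry = false;
  for (const line of lockText.split('\n')) {
    if (/^\S/.test(line)) {
      // Entry header: comma-separated descriptors ending in ':'.
      header = line.replace(/:\s*$/, '');
      inGlobEntry = header.split(',')
        .some((d) => /^glob@/.test(d.trim().replace(/^"|"$/g, '')));
      continue;
    }
    // Berry writes `version: 1.2.3`; classic writes `version "1.2.3"`.
    const m = /^\s+version:?\s+"?(\d+)\.(\d+)\.(\d+)/.exec(line);
    if (!inGlobEntry || !m) continue;
    const version = m.slice(1, 4).map(Number);
    // The first differing component decides the ordering.
    const i = version.findIndex((n, k) => n !== floor[k]);
    if (i !== -1 && version[i] < floor[i]) {
      stale.push({ entry: header, version: version.join('.') });
    }
    inGlobEntry = false;
  }
  return stale;
}
```

An empty result means every `glob` entry resolves at or above the floor; `glob-parent` and other packages whose names merely start with `glob` are ignored.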