#564 935fe87 Thanks @Andarist! - Automatically use the GitHub-provided token to allow most users to avoid explicit GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} configuration.
Patch Changes
#545 54220dd Thanks @ryanbas21! - The .npmrc generation now intelligently handles both traditional NPM token authentication and trusted publishing scenarios by only appending the auth token when NPM_TOKEN is defined. This prevents 'undefined' from being written to the registry configuration when using OIDC tokens from GitHub Actions trusted publishing.
#563 6af4a7e Thanks @Andarist! - Don't error on already committed symlinks and executables that stay untouched
Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.
Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.
Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/glob@10.4.5. You can also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block
High CVE: Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client
To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@6.21.2.
Block
Potential code anomaly (AI signal): npm foreground-child is 100.0% likely to have a medium risk anomaly
Notes: The code implements a standard watchdog for child-process lifecycle management, aiming to prevent zombie processes when the parent exits. It is not inherently malicious, but reliability hinges on the correctness of the inline watchdog script and proper scoping of the PID. Potential improvements include addressing syntax reliability of the inline code, removing unnecessary no-op keepalive, and ensuring strict validation of the provided PID to mitigate accidental termination of unrelated processes.
Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.
To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/foreground-child@3.3.0.
Block
Potential code anomaly (AI signal): npm glob is 100.0% likely to have a medium risk anomaly
Notes: The analyzed code is a conventional, non-malicious implementation of glob pattern expansion and directory traversal. It reads filesystem data based on user-provided patterns but does not exhibit data exfiltration, remote communications, or code execution risks within this fragment. Overall security risk is low, with standard OS-specific handling for nocase behavior.
To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/glob@10.4.5.
Block
Potential code anomaly (AI signal): npm hardhat is 100.0% likely to have a medium risk anomaly
Notes: The code implements a guarded, integrity-verified downloader for Solidity compiler binaries with mutex-based synchronization, cache management, and runtime validation. It includes appropriate integrity checks (keccak256) and platform-specific post-processing. No signs of malicious behavior or data exfiltration were observed. The primary security considerations are trust in the remote repository and the correctness of list.json metadata; if those sources are compromised, malicious binaries could be introduced despite the hash checks. Overall, the implementation appears secure and purpose-built for supply-chain integrity with moderate risk due to external dependencies.
To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/hardhat@2.24.2.
Block
Potential code anomaly (AI signal): npm undici is 100.0% likely to have a medium risk anomaly
Notes: The analyzed code appears to implement a standard in-memory cache batch operation flow (put/delete) with careful handling of response bodies by buffering and storing bytes for caching. No signs of malware, data exfiltration, backdoors, or obfuscated behavior were found. The primary security considerations relate to memory usage from buffering potentially large response bodies and ensuring robust validation within batch operations to prevent cache state corruption. Overall risk is moderate, driven by in-memory data handling rather than external communication.
To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@6.21.2.
Block
Potential code anomaly (AI signal): npm y18n is 100.0% likely to have a medium risk anomaly
Notes: The code is a standard local i18n helper that caches locale strings and writes updates to disk. It does not contain obvious malware or backdoors. However, there are security concerns related to unvalidated locale inputs, potential path traversal when locale is attacker-controlled, and race conditions in multi-process environments. If used in attack-prone contexts, these issues should be mitigated by validating locale values, constraining file paths within the intended directory, and optionally disabling auto-write-back (updateFiles=false) in high-risk deployments.
To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/y18n@4.0.3.
Block
Potential code anomaly (AI signal): npm yargs-parser is 100.0% likely to have a medium risk anomaly
Notes: The analyzed code fragment represents a legitimate environment-variable integration path for a CLI argument parser (consistent with yargs-parser). There is no evidence of malicious behavior such as data exfiltration or backdoors. The primary security consideration is the potential for environment-driven overrides to affect runtime behavior; this is expected but should be carefully configured to avoid leaking sensitive settings. Overall risk is moderate but acceptable with proper configuration and validation.
To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/yargs-parser@18.1.3.
Block
Potential code anomaly (AI signal): npm yargs is 100.0% likely to have a medium risk anomaly
Notes: The provided code consists of harmless-looking shell completion templates used to generate Bash/Zsh completions by querying the application for possible commands via --get-yargs-completions. There is no malicious behavior evident in the template code itself. The main risk is dependency on the integrity of the app_path binary that provides completions; if that binary is compromised, it could influence completions or run unintended commands. Overall, low likelihood of malware in these templates themselves.
To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/yargs@13.3.2.
Block
Potential code anomaly (AI signal): npm yargs is 100.0% likely to have a medium risk anomaly
Notes: The module implements a standard extends resolution with circular-extends protection and recursive merging. Primary security concerns are the potential execution of arbitrary code when extends points to a JS module and possible disclosure of local files via path-based extends. Treat untrusted inputs as a high-risk factor; consider enforcing whitelisting of allowed extends or sandboxing JS module extends. Overall risk is moderate due to code execution potential from untrusted configuration sources.
To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/yargs@13.3.2.
Block
Potential code anomaly (AI signal): npm yargs is 100.0% likely to have a medium risk anomaly
Notes: The code provides a reasonably solid and conventional configuration extends resolver with circular dependency protection and recursion. The main security concerns center on the potential execution of arbitrary code from extended modules via require and the handling of non-string extends or missing files. No obvious malicious activity is detected, but the trust model for module-based extends should be tightened (e.g., sandboxing, validation, or restricting to JSON-based configs).
To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/yargs@15.4.1.
Block
Potential code anomaly (AI signal): npm yargs is 100.0% likely to have a medium risk anomaly
Notes: The analyzed code is a typical command-line argument parser (similar to yargs) with localization support, help/version handling, and command/subcommand infrastructure. There is no evidence of malicious behavior such as data exfiltration, reverse shells, hidden backdoors, or cryptomining. Data flows are confined to standard CLI input, environment- and filesystem-derived configuration, and buffered console output. While the code is complex and maintains extensive internal state, it does not exhibit malicious patterns within this fragment.
To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/yargs@15.4.1.
This PR contains the following updates:
changesets/action (changesets/action): v1.5.3 → v1.7.0

Release Notes

changesets/action (changesets/action)

v1.7.0 (Compare Source)

Minor Changes
#564 935fe87 Thanks @Andarist! - Automatically use the GitHub-provided token to allow most users to avoid explicit GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} configuration.

Patch Changes
#545 54220dd Thanks @ryanbas21! - The .npmrc generation now intelligently handles both traditional NPM token authentication and trusted publishing scenarios by only appending the auth token when NPM_TOKEN is defined. This prevents 'undefined' from being written to the registry configuration when using OIDC tokens from GitHub Actions trusted publishing.
#563 6af4a7e Thanks @Andarist! - Don't error on already committed symlinks and executables that stay untouched

v1.6.0 (Compare Source)

Minor Changes
342005d Thanks @harsha-venugopal-ledn! - Upgrade from Node.js 20 to Node.js 24 LTS

Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.