You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The reason will be displayed to describe this comment to others. Learn more.
Stale comment
Security review — no findings
Scope:through2^4.0.2 → ^5.0.0 (5.0.1 resolved) in web/package.json / web/package-lock.json only.
Assessment: No medium, high, or critical vulnerabilities identified in this change.
Reviewed attack surface:
through2 is a devDependency used only by the build-time Gulp plugin web/gulp-gpt-translate.js (through.obj stream for i18n translation). It is not part of the production runtime bundle.
Inputs to the transform are local source files and developer/CI-controlled OPENAI_API_KEY — not attacker-controlled production input.
No known CVEs reported for through2@5.0.1 or its new transitive dependency readable-stream@4.7.0.
npm audit reports no issues involving through2 or readable-stream.
Package integrity hashes are present for the resolved tarball.
Prior threads: No earlier automation security-review threads on this PR.
Note (non-security):through2 v5 is ESM-first; existing require('through2') call sites may need .default on older Node versions. That is a build-compatibility concern, not an exploitable security issue.
The reason will be displayed to describe this comment to others. Learn more.
Stale comment
Security review — no findings
Scope:through2^4.0.2 → ^5.0.0 (5.0.1 resolved) in web/package.json / web/package-lock.json only.
Assessment: No medium, high, or critical vulnerabilities identified in this change.
Reviewed attack surface:
through2 is a devDependency used only by the build-time Gulp plugin web/gulp-gpt-translate.js (through.obj stream transform for i18n translation). It is not part of the production runtime bundle.
Inputs to the transform are local source files (src/lang/en.js) and developer/CI-controlled OPENAI_API_KEY — not attacker-controlled production input.
No known CVEs reported for through2@5.0.1 or its new transitive dependency readable-stream@4.7.0.
npm audit reports no issues involving through2 or readable-stream.
Package integrity hashes are present for the resolved tarball.
Prior threads: No unresolved automation security-review threads on this PR.
Note (non-security):through2 v5 is ESM-first; existing require('through2') call sites may need .default on older Node versions. That is a build-compatibility concern, not an exploitable security issue.
The reason will be displayed to describe this comment to others. Learn more.
Stale comment
Security review — no findings
Scope:through2^4.0.2 → ^5.0.0 (5.0.2 resolved) in web/package.json / web/package-lock.json only.
Assessment: No medium, high, or critical vulnerabilities identified in this change.
Reviewed attack surface:
through2 is a devDependency used only by the build-time Gulp plugin web/gulp-gpt-translate.js (through.obj stream transform for i18n translation). It is not part of the production runtime bundle.
Inputs to the transform are local source files (src/lang/en.js) and developer/CI-controlled OPENAI_API_KEY — not attacker-controlled production input.
No known CVEs reported for through2@5.0.2 or its new transitive dependency readable-stream@4.7.0.
npm audit reports no issues involving through2 or readable-stream.
Package integrity hashes are present for the resolved tarball.
Prior threads: No unresolved automation security-review threads on this PR.
Note (non-security):through2 v5 is ESM-first; on Node 22+, require('through2') exposes the API on .default, so existing through.obj call sites may need require('through2').default (or an ESM import). That is a build-compatibility concern, not an exploitable security issue.
The reason will be displayed to describe this comment to others. Learn more.
Stale comment
Security review — no findings
Scope:through2^4.0.2 → ^5.0.0 (5.0.3 resolved) in web/package.json / web/package-lock.json only.
Assessment: No medium, high, or critical vulnerabilities identified in this change.
Reviewed attack surface:
through2 is a devDependency used only by the build-time Gulp plugin web/gulp-gpt-translate.js (through.obj stream transform for i18n translation). It is not part of the production runtime bundle.
Inputs to the transform are local source files (src/lang/en.js) and developer/CI-controlled OPENAI_API_KEY — not attacker-controlled production input.
Lockfile analysis shows only six package entries changed, all tied to the through2 upgrade (through2@5.0.3, readable-stream@4.7.0, and its new transitive deps). The large diff is line-ending normalization, not unrelated dependency churn.
No known CVEs reported for through2@5.0.3 or its transitive dependency readable-stream@4.7.0.
npm audit reports no issues involving through2 or readable-stream.
Package integrity hashes are present for the resolved tarball.
Prior threads: No unresolved automation security-review inline threads on this PR. Previous top-level assessments validated; no findings remain applicable.
Note (non-security):through2 v5 is ESM-first; on Node 22.12+, require('through2') may expose the API on .default, so existing through.obj call sites may need require('through2').default (or an ESM import). That is a build-compatibility concern, not an exploitable security issue.
The reason will be displayed to describe this comment to others. Learn more.
Stale comment
Security review — no findings
Scope:through2^4.0.2 → ^5.0.0 (5.0.3 resolved) in web/package.json / web/package-lock.json only.
Assessment: No medium, high, or critical vulnerabilities identified in this change.
Reviewed attack surface:
through2 is a devDependency used only by the build-time Gulp plugin web/gulp-gpt-translate.js (through.obj stream transform for i18n translation). It is not part of the production runtime bundle.
Inputs to the transform are local source files (src/lang/en.js) and developer/CI-controlled OPENAI_API_KEY — not attacker-controlled production input.
Lockfile changes are limited to the through2 upgrade (through2@5.0.3, readable-stream@4.7.0, and new transitive deps: abort-controller, event-target-shim, process, buffer).
No known CVEs reported for through2@5.0.3 or its transitive dependency readable-stream@4.7.0.
npm audit reports no issues involving through2 or readable-stream.
Package integrity hashes are present for resolved tarballs.
Prior threads: No unresolved automation security-review inline threads on this PR. Previous top-level assessments validated; no findings remain applicable.
Note (non-security):through2 v5 is ESM-first; on Node 22.12+, require('through2') may expose the API on .default, so existing through.obj call sites may need require('through2').default (or an ESM import). That is a build-compatibility concern, not an exploitable security issue.
The reason will be displayed to describe this comment to others. Learn more.
Security review — no findings
Scope:through2^4.0.2 → ^5.0.0 (5.0.3 resolved) in web/package.json / web/package-lock.json only.
Assessment: No medium, high, or critical vulnerabilities identified in this change.
Reviewed attack surface:
through2 is a devDependency used only by the build-time Gulp plugin web/gulp-gpt-translate.js (through.obj stream transform for i18n translation). It is not part of the production runtime bundle.
Inputs to the transform are local source files (src/lang/en.js) and developer/CI-controlled OPENAI_API_KEY — not attacker-controlled production input.
Lockfile analysis shows only six substantive version changes, all tied to the through2 upgrade (through2@5.0.3, readable-stream@4.7.0, and new transitive deps: abort-controller, event-target-shim, process, buffer). The large diff is line-ending normalization, not unrelated dependency churn.
No known CVEs reported for through2@5.0.3 or its transitive dependency readable-stream@4.7.0.
npm audit reports no issues involving through2 or readable-stream.
Package integrity hashes are present for resolved tarballs.
Prior threads: No unresolved automation security-review inline threads on this PR. Previous top-level assessments validated; no findings remain applicable.
Note (non-security):through2 v5 is ESM-first; on Node 22.12+, require('through2') may expose the API on .default, so existing through.obj call sites may need require('through2').default (or an ESM import). That is a build-compatibility concern, not an exploitable security issue.
Sent by Cursor Automation: Find vulnerabilities
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
renovate
Bot
force-pushed
the
renovate/through2-5.x
branch
from
This PR contains the following updates:
^4.0.2→^5.0.0Release Notes
rvagg/through2 (through2)
v5.0.3Compare Source
Trivial Changes
v5.0.2Compare Source
Trivial Changes
v5.0.1Compare Source
Bug Fixes
v5.0.0Compare Source
⚠ BREAKING CHANGES
Features
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.