
update dependencies #852

Merged
BrandtH22 merged 2 commits into main from update-dependencies on Sep 24, 2025

Conversation

@BrandtH22 (Contributor):
prettier
react
react-dom

@socket-security (Bot) commented Sep 24, 2025

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                        Supply Chain Security  Vulnerability  Quality  Maintenance  License
Added    rimraf@6.0.1                   99                     100            100      78           100
Updated  react@18.3.1 ⏵ 19.1.1          100 +1                 100            84       97           100
Updated  prettier@3.6.0 ⏵ 3.6.2         99 +1                  100            100      90           100
Updated  react-dom@18.3.1 ⏵ 19.1.1      100 +1                 100            92 +1    97           100
Added    @docsearch/react@4.1.0         100                    100            100      100          100

View full report

@socket-security (Bot) commented Sep 24, 2025

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action  Severity  Alert
Warn High
caniuse-lite@1.0.30001743 has a License Policy Violation.

License: CC-BY-4.0 (npm metadata)

License: CC-BY-4.0 (package/package.json)

License: CC-BY-4.0 (package/LICENSE)

From: package-lock.json › npm/@docusaurus/preset-classic@3.8.1 › npm/@docusaurus/core@3.8.1 › npm/@docusaurus/plugin-google-gtag@3.8.1 › npm/@easyops-cn/docusaurus-search-local@0.52.1 › npm/caniuse-lite@1.0.30001743

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/caniuse-lite@1.0.30001743. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
core-js@3.45.1 is an AI-detected potential code anomaly.

Notes: The code constitutes a standards-compliant polyfill/compatibility patch for RegExp/String.prototype.replace with robust handling of named groups and replacer semantics. No evidence of malware, exfiltration, or sensitive data leakage. The risk profile is typical for polyfills in open-source libraries and is acceptable when used in trusted contexts, albeit with standard caution about using third-party dependencies in supply chains.

Confidence: 1.00

Severity: 0.60

From: package-lock.json › npm/@docusaurus/core@3.8.1 › npm/core-js@3.45.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/core-js@3.45.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
core-js@3.45.1 is an AI-detected potential code anomaly.

Notes: The code implements a targeted safety polyfill for Uint8Array.prototype.setFromBase64 to support base64 decoding into typed arrays. It includes environment feature checks and uses internal decoding helpers to fill the array and report read/written counts. No malicious activity detected; the flow is confined to in-memory decoding and prototype augmentation. This appears to be a legitimate compatibility helper rather than malware.

Confidence: 1.00

Severity: 0.60

From: package-lock.json › npm/@docusaurus/core@3.8.1 › npm/core-js@3.45.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/core-js@3.45.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
prettier@3.6.2 is an AI-detected potential code anomaly.

Notes: No definitive malware detected in this fragment. The main security concern is supply-chain risk from dynamically loading plugins from potentially untrusted sources. To mitigate, enforce strict plugin provenance, disable remote plugin loading, verify plugin integrity, and apply least-privilege execution for plugins.

Confidence: 1.00

Severity: 0.60

From: package-lock.json › npm/prettier@3.6.2

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/prettier@3.6.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
react-dom@19.1.1 is an AI-detected potential code anomaly.

Notes: The fragment represents a sophisticated, production-grade React SSR pipeline with robust escaping, preloading, and suspense-handling mechanisms. No evidence of malware, backdoors, or data exfiltration detected in this fragment. Supply-chain risk is mitigated by standard SSR practices but warrants ongoing governance: lock dependency versions, audit options, validate import maps, and sanitize all externally supplied data before streaming. Overall security risk remains moderate due to the complexity and exposure surface of SSR systems; ongoing review of the full module and dependencies is advised.

Confidence: 1.00

Severity: 0.60

From: package-lock.json › npm/react-dom@19.1.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/react-dom@19.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
zod@4.1.11 is an AI-detected potential code anomaly.

Notes: No explicit network exfiltration, reverse shell, or credential theft is present in this fragment. However, the code assembles and compiles arbitrary code via the Function constructor and invokes passed-in functions immediately (twice). That behavior constitutes a strong dangerous primitive (arbitrary code execution) which can be abused if any inputs (strings or args) are attacker-controlled. Treat this module as risky in threat models where inputs are not fully trusted; review call sites and sanitize/validate inputs or avoid dynamic evaluation.

Confidence: 1.00

Severity: 0.60

From: package-lock.json › npm/@docsearch/react@4.1.0 › npm/zod@4.1.11

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/zod@4.1.11. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

BrandtH22 merged commit 482b878 into main on Sep 24, 2025
13 checks passed
BrandtH22 deleted the update-dependencies branch on September 24, 2025 18:55