Skip to content

Update lockfile#1072

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/lock-file-maintenance
Open

Update lockfile#1072
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/lock-file-maintenance

Conversation

@renovate

@renovate renovate Bot commented Sep 1, 2024

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Update Change
lockFileMaintenance All locks refreshed

🔧 This Pull Request updates lock files to use the latest dependency versions.


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 03:59 AM, on day 1 of the month (* 0-3 1 * *)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch 2 times, most recently from 3d33a5b to 76bcc7e Compare September 10, 2024 17:59
@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch from 76bcc7e to a07dc72 Compare September 20, 2024 20:50
@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch from a07dc72 to 07c1934 Compare January 13, 2025 21:23
@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch from 07c1934 to 1d25c19 Compare January 21, 2025 22:20
@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch from 1d25c19 to 427d4e6 Compare March 19, 2025 20:39
@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch from 427d4e6 to ccd0637 Compare April 14, 2025 14:42
@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch from ccd0637 to 51f385c Compare May 12, 2025 21:13
@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch from 51f385c to 594665d Compare June 15, 2025 11:54
@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch 2 times, most recently from f49e021 to b009029 Compare August 13, 2025 17:13
@socket-security

socket-security Bot commented Aug 13, 2025

Copy link
Copy Markdown

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Block Medium
Potential security risk (AI signal): npm hardhat is 85.0% likely risky

Notes: This module is straightforward telemetry logic but presents notable supply-chain/privacy risk: it takes arbitrary JSON from the command line and transmits it to a third-party analytics endpoint, while also embedding a hardcoded analytics API secret. In test/subprocess mode it avoids network exfiltration but still writes the untrusted payload to an environment-controlled file path. There is no clear evidence of covert malware (e.g., backdoor, reverse shell), but the embedded secret and unconditional handling of arbitrary payload content make it suspicious and should be reviewed for data minimization and secret management.

Confidence: 0.85

Severity: 0.72

From: packages/plugin-hardhat/package.jsonnpm/hardhat@3.9.1

ℹ Read more on: This package | This alert | What are AI-detected potential security risks?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system identified potential security problems in this package. It is advised to review the package thoroughly and assess the potential risks before installation. You may also consider reporting the issue to the package maintainer or seeking alternative solutions with a stronger security posture.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/hardhat@3.9.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm @babel/core is 68.0% likely to have a medium risk anomaly

Notes: The code defines a stack-trace manipulation utility that can selectively hide or reveal frames and inject synthetic frames into error traces. While not inherently malicious, its global alteration of Error.prepareStackTrace and stackTraceLimit enables obfuscation of error reporting and can hinder debugging or auditing. Use is advised with thorough documentation and restricted scope in security-sensitive environments.

Confidence: 0.68

Severity: 0.60

From: ?npm/nyc@17.1.0npm/@babel/core@7.29.7

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/core@7.29.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm @babel/core is 75.0% likely to have a medium risk anomaly

Notes: The examined code is a standard, benign helper for constructing and wrapping configuration items from descriptors within Babel’s tooling. There is no evidence of data leakage, exfiltration, backdoors, or other malicious activity in this fragment. The combination of immutability, brand-based identity, and non-enumerable descriptor storage indicates a well-scoped internal utility rather than anything suspicious.

Confidence: 0.75

Severity: 0.50

From: ?npm/nyc@17.1.0npm/@babel/core@7.29.7

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/core@7.29.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm @babel/helper-module-imports is 78.0% likely to have a medium risk anomaly

Notes: The analyzed code is a Babel AST helper (ImportBuilder) used to construct import statements and interop-wrapped imports. It contains no indicators of malicious behavior, data exfiltration, backdoors, or runtime abuses. It operates within a compiler/transpiler context to produce code, not to execute arbitrary user data. Therefore, the code itself does not present security risks or malware indicators under normal usage. This is benign library behavior intended for code transformation.

Confidence: 0.78

Severity: 0.55

From: ?npm/nyc@17.1.0npm/@babel/helper-module-imports@7.29.7

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helper-module-imports@7.29.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm @babel/helper-module-transforms is 80.0% likely to have a medium risk anomaly

Notes: The code is a legitimate, static-code transformation utility used in Babel to ensure proper behavior of ES module bindings after transforms. There is no evidence of malicious behavior, data leakage, or external communications within this fragment. It operates purely on AST-level transformations consistent with module import/export handling.

Confidence: 0.80

Severity: 0.50

From: ?npm/nyc@17.1.0npm/@babel/helper-module-transforms@7.29.7

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helper-module-transforms@7.29.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm @babel/helper-string-parser is 78.0% likely to have a medium risk anomaly

Notes: The analyzed code is a standard, well-structured parsing utility for JavaScript string literals and escapes (consistent with Babel’s helper-string-parser). It includes thorough validation, proper Unicode handling, and defensive error reporting. There is no evidence of malicious behavior, data leakage, or network activity within this fragment. The security risk is low when used as part of a trusted toolchain; the code otherwise poses no evident supply-chain threat based on the provided snippet.

Confidence: 0.78

Severity: 0.55

From: ?npm/nyc@17.1.0npm/@babel/helper-string-parser@7.29.7

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helper-string-parser@7.29.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm @babel/helpers is 75.0% likely to have a medium risk anomaly

Notes: The analyzed fragment is a conventional Babel/TypeScript-style decorators runtime (applyDecs) responsible for applying decorators to class members and managing metadata and initializers. There is no evidence of malware, backdoors, or external data leakage within this module. While complex, the code behaves as a metadata-driven decorator processor and should be considered low risk when used as intended. Downstream risks depend on the decorators provided by consumers, not this utility itself.

Confidence: 0.75

Severity: 0.60

From: ?npm/nyc@17.1.0npm/@babel/helpers@7.29.7

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helpers@7.29.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm @babel/helpers is 61.0% likely to have a medium risk anomaly

Notes: The code fragment is a standard Babel decorator runtime helper (applyDecs2203). Its security posture hinges on the trustworthiness of the supplied decorators. If decorators are from untrusted sources, they can execute arbitrary code during decoration or initialization. The library itself does not exhibit malicious behavior, but this pattern introduces a high-risk surface via external inputs. Recommended mitigations include validating decorator outputs, enforcing sandboxing or runner boundaries for decorators, and auditing decorator sources in the application.

Confidence: 0.61

Severity: 0.58

From: ?npm/nyc@17.1.0npm/@babel/helpers@7.29.7

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helpers@7.29.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm @smithy/core is 65.0% likely to have a medium risk anomaly

Notes: The code implements a conventional, well-structured event-stream unmarshalling pipeline with explicit handling for error, exception, and event message types. The primary security considerations are: potential exposure of header/body content through thrown errors, reliance on the deserializer contract (notably the $unknown flag), and ensuring that downstream consumers appropriately trust the deserialized payloads. In a supply-chain context, ensure that eventStreamCodec, deserializer implementations, and error handling are trusted and audited to avoid leaking sensitive metadata, and consider sanitizing error messages in production.

Confidence: 0.65

Severity: 0.60

From: packages/plugin-hardhat/examples/BoxSolidityTests/package-lock.jsonnpm/@openzeppelin/defender-sdk-base-client@2.7.1npm/@openzeppelin/foundry-upgrades@0.4.1npm/@openzeppelin/hardhat-upgrades@4.0.2npm/@smithy/core@3.29.3

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@smithy/core@3.29.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm cross-spawn is 75.0% likely to have a medium risk anomaly

Notes: This file is a minimal, legitimate wrapper around Node.js child_process.spawn and spawnSync to provide improved ENOENT (command not found) error handling. It does not perform any network requests, dynamic code evaluation, secret disclosure, or telemetry. The only “sink” is the intended execution of local processes as directed by the calling application. No malicious behavior detected.

Confidence: 0.75

Severity: 0.55

From: ?npm/wsrun@5.2.4npm/cross-spawn@6.0.6

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/cross-spawn@6.0.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm esbuild is 90.0% likely to have a medium risk anomaly

Notes: The esbuild package uses a postinstall install.js script to download platform-specific binaries from registry sources and verify them via hashes. While hash verification reduces risk, the elevated postinstall action creates a potential code-execution surface if the script is tampered with. Audit install.js and its endpoints, ensure artifacts are strictly verified against known hashes, and test in controlled environments before deployment.

Confidence: 0.90

Severity: 0.60

From: packages/plugin-hardhat/examples/BoxSolidityTests/package-lock.jsonnpm/hardhat@3.9.1npm/tsx@4.23.0npm/esbuild@0.28.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/esbuild@0.28.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm eslint is 65.0% likely to have a medium risk anomaly

Notes: This module cleanly loads JavaScript rule modules from a directory with simple caching. The primary security consideration is that requiring arbitrary .js files from a directory executes their code during load, which can be risky if the directory contents are untrusted or modifiable by an attacker. In typical usage, this is expected behavior for plugin-like rule loaders, but it represents a potential supply chain risk if an attacker can place malicious JS files in the targeted directory. No hardcoded secrets or malicious network activity are evident in this snippet.

Confidence: 0.65

Severity: 0.60

From: package.jsonnpm/eslint@8.57.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/eslint@8.57.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm js-yaml is 65.0% likely to have a medium risk anomaly

Notes: The script functions as a straightforward JSON↔YAML translator CLI with standard error handling. The primary security concern is the use of yaml.loadAll without a safeLoad alternative, which could enable YAML deserialization risks if inputs contain crafted tags. To improve security, switch to a safe loader (e.g., yaml.safeLoadAll or equivalent) or ensure the library is configured to restrict risky constructors. Overall, no malware indicators were observed; the risk is confined to YAML deserialization semantics.

Confidence: 0.65

Severity: 0.60

From: packages/plugin-hardhat/examples/BoxTransparent/package-lock.jsonnpm/@changesets/cli@2.31.0npm/nyc@17.1.0npm/@openzeppelin/docs-utils@0.1.6npm/ava@6.4.1npm/js-yaml@3.15.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/js-yaml@3.15.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm nyc is 77.0% likely to have a medium risk anomaly

Notes: No malicious activity detected in this code fragment. It implements standard source map extraction, caching, and coverage remapping functionality without external network access or data exfiltration. Security risk is low, with minor IO-related robustness considerations.

Confidence: 0.77

Severity: 0.55

From: package.jsonnpm/nyc@17.1.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/nyc@17.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm process-on-spawn is 90.0% likely to have a medium risk anomaly

Notes: The module is a global hook that intercepts and allows modification of all child process spawns. The code itself is not overtly malicious (no embedded exfiltration or network code), but it creates a high-risk capability: listeners receive full environment and spawn metadata and can both read secrets and modify what is executed. If untrusted or malicious listeners can be registered, this becomes a significant supply-chain/backdoor risk. Recommend careful review of any code that registers listeners and restrict usage to trusted code only; consider whether such global monkey-patching is acceptable for your threat model.

Confidence: 0.90

Severity: 0.65

From: ?npm/nyc@17.1.0npm/process-on-spawn@1.1.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/process-on-spawn@1.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm resolve is 85.0% likely to have a medium risk anomaly

Notes: This manifest uses a non-registry, relative-path dependency ('resolve': '../../../') which is a significant supply-chain risk because it allows arbitrary local code to be pulled in and executed without registry protections. Combined with the 'lerna bootstrap' postinstall script (which can trigger other lifecycle scripts across the monorepo), this setup increases the chance of untrusted code execution and other malicious behavior. Inspect the target of the relative path, all bootstrap-linked packages, and any lifecycle scripts before running npm install in an untrusted environment.

Confidence: 0.85

Severity: 0.80

From: ?npm/eslint-plugin-unicorn@51.0.1npm/resolve@1.22.12

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/resolve@1.22.12. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm tar is 66.0% likely to have a medium risk anomaly

Notes: This module acts as a standard tar extraction wrapper using synchronous and asynchronous code paths. There is no evident malicious activity within this fragment. Security risk hinges on the behavior of the Unpack/UnpackSync implementation and how tar entries are written to disk (e.g., path traversal). No hardcoded secrets or network calls are present here. Recommend ensuring tar extraction handles path traversal and destination path sanitization in Unpack, and consider validating opt.file presence and type before streaming.

Confidence: 0.66

Severity: 0.56

From: packages/plugin-hardhat/examples/BoxTransparent/package-lock.jsonnpm/ava@6.4.1npm/tar@7.5.20

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tar@7.5.20. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm undici is 75.0% likely to have a medium risk anomaly

Notes: The analyzed code appears to implement a standard in-memory cache batch operation flow (put/delete) with careful handling of response bodies by buffering and storing bytes for caching. No signs of malware, data exfiltration, backdoors, or obfuscated behavior were found. The primary security considerations relate to memory usage from buffering potentially large response bodies and ensuring robust validation within batch operations to prevent cache state corruption. Overall risk is moderate, driven by in-memory data handling rather than external communication.

Confidence: 0.75

Severity: 0.60

From: packages/plugin-hardhat/examples/BoxSolidityTests/package-lock.jsonnpm/@nomicfoundation/hardhat-ethers@4.0.14npm/@nomicfoundation/hardhat-verify@3.0.21npm/hardhat@3.9.1npm/undici@6.27.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@6.27.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm undici is 68.0% likely to have a medium risk anomaly

Notes: The analyzed code implements a conventional HTTP/WebSocket-like upgrade handler with proper input validation, abort signal integration, and asynchronous callback management. It does not exhibit malicious activity such as data exfiltration or backdoors. The deliberate onHeaders error path is consistent with protocol expectations to reject non-upgrade responses. Overall security risk remains low to moderate, contingent on integration context, but no indicators of malware or obfuscation are detected in this fragment.

Confidence: 0.68

Severity: 0.50

From: packages/plugin-hardhat/examples/BoxSolidityTests/package-lock.jsonnpm/@nomicfoundation/hardhat-ethers@4.0.14npm/@nomicfoundation/hardhat-verify@3.0.21npm/hardhat@3.9.1npm/undici@6.27.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@6.27.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm undici is 65.0% likely to have a medium risk anomaly

Notes: The code is a focused error-handling helper for HTTP responses that safely parses small payloads to include in an error object. It includes protective measures (chunk limits, controlled parsing, microtask-based callbacks) but uses unusual, brittle content-type checks and suppresses stack traces for debugging concealment. There is no evidence of malicious activity, data exfiltration, or backdoors within this fragment. The main risk is potential silent data loss if payloads exceed the chunk limit or mismatched content-type handling leads to missing payloads, but this is a functional trade-off rather than malicious. Suggested improvements include robust content-type parsing, clearer error signaling when payload is truncated, and optional logging to aid debugging without exposing stack traces in production.

Confidence: 0.65

Severity: 0.58

From: packages/plugin-hardhat/examples/BoxSolidityTests/package-lock.jsonnpm/@nomicfoundation/hardhat-ethers@4.0.14npm/@nomicfoundation/hardhat-verify@3.0.21npm/hardhat@3.9.1npm/undici@6.27.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@6.27.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm undici is 77.0% likely to have a medium risk anomaly

Notes: The script performs an in-place, lossy re-encoding of a local file from UTF-8 to Latin-1 and rewrites it without backups or validation. This is unsafe due to potential data loss and code corruption, and could be exploited to tamper with source files in a supply chain. It does not exhibit active malware behavior, but its destructive nature warrants removal or strict safeguards (backups, explicit intent, error handling).

Confidence: 0.77

Severity: 0.65

From: packages/plugin-hardhat/examples/BoxSolidityTests/package-lock.jsonnpm/@nomicfoundation/hardhat-ethers@4.0.14npm/@nomicfoundation/hardhat-verify@3.0.21npm/hardhat@3.9.1npm/undici@6.27.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@6.27.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm undici is 63.0% likely to have a medium risk anomaly

Notes: The file package/lib/llhttp/llhttp-wasm.js functions as a wrapper around an embedded WASM payload responsible for HTTP parsing, with obfuscated/low-level operations and lazy decoding that defers real behavior to the embedded binary. The lack of integrity checks and the embedded executable raise risk, and the true malicious intent cannot be confirmed without extracting and inspecting the WASM payload and how downstream code instantiates it.

Confidence: 0.63

Severity: 0.55

From: packages/plugin-hardhat/package.jsonnpm/undici@8.7.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@8.7.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

See 6 more rows in the dashboard

View full report

@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch from b009029 to 9f2c68a Compare August 19, 2025 17:14
@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch from 9f2c68a to d5a7caf Compare August 31, 2025 12:50
@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch from d5a7caf to 7584431 Compare September 25, 2025 14:52
@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch from 7584431 to 0764206 Compare October 21, 2025 14:48
@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch from 0764206 to 510c33f Compare November 11, 2025 01:57
@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch from 510c33f to 74b9428 Compare November 19, 2025 00:38
@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch from 74b9428 to fda120c Compare December 3, 2025 18:34
@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch from fda120c to 7bdae7b Compare December 31, 2025 13:53
@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch from 7bdae7b to 41209ac Compare January 8, 2026 19:55
@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch 2 times, most recently from a809c79 to 589c0dd Compare January 23, 2026 18:35
@coderabbitai

coderabbitai Bot commented Jan 23, 2026

Copy link
Copy Markdown

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

  • 🔍 Trigger a full review
✨ Finishing touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment
  • Commit unit tests in branch renovate/lock-file-maintenance

Comment @coderabbitai help to get the list of available commands and usage tips.

@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch from 589c0dd to d858607 Compare February 2, 2026 17:52
@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch 2 times, most recently from 756027a to e5ce036 Compare February 17, 2026 21:43
@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch from e5ce036 to 7850d77 Compare March 5, 2026 15:53
@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch from 7850d77 to b51afb6 Compare March 13, 2026 18:49
@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch from b51afb6 to 73c8647 Compare April 1, 2026 20:57
@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch from 73c8647 to ace0efd Compare April 8, 2026 21:34
@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch from ace0efd to 217c9b6 Compare April 29, 2026 13:52
@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch 2 times, most recently from c475cfe to 81ca304 Compare May 18, 2026 11:30
@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch 8 times, most recently from fd2acbc to 6a1bfc4 Compare June 2, 2026 18:53
@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch 3 times, most recently from 6d594b6 to d82efd5 Compare June 11, 2026 19:36
@renovate renovate Bot force-pushed the renovate/lock-file-maintenance branch from d82efd5 to 3e2482d Compare July 12, 2026 11:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants