You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.
This PR includes no changesets
When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@babel/traverse@7.22.17. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Block
Potential code anomaly (AI signal): npm @audius/hedgehog is 100.0% likely to have a medium risk anomaly
Notes: The source code contains hardcoded sensitive credentials and cryptographic material that are directly exported, posing a high security risk if used in production or published publicly. There is no evidence of malware or obfuscation, but the insecure practice of embedding plaintext passwords and keys in source code can lead to credential leakage and compromise. It is strongly recommended to remove hardcoded secrets, implement secure credential management, and restrict exposure of sensitive data.
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@audius/hedgehog@2.1.0. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Block
Potential code anomaly (AI signal): npm @audius/sdk is 100.0% likely to have a medium risk anomaly
Notes: The code exhibits potential security risks due to dynamic imports and Hashids library usage.
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@audius/sdk@3.0.8-beta.10. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Block
Potential code anomaly (AI signal): npm @babel/core is 100.0% likely to have a medium risk anomaly
Notes: This is a conventional Babel-like configuration loader with expected behaviors for JSON5 and JS-based configs, ignore handling, and upward directory discovery. The primary security concern is the potential execution of user-provided JS config (readConfigCode). No evidence of malicious code, telemetry, or exfiltration is present in the fragment. With trusted configs, risk remains moderate due to code execution potential, but the implementation follows standard patterns and error handling for configuration management.
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@babel/core@7.22.17. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Block
Potential code anomaly (AI signal): npm @babel/core is 100.0% likely to have a medium risk anomaly
Notes: The analyzed code fragment is a standard Babel core error handling and code-frame rendering utility. It reads internal node and code data to produce informative errors but does not perform any suspicious network activity, data exfiltration, or backdoor behavior. The observed behavior is typical for a compiler/transpiler component and, in this isolated context, does not indicate malicious activity.
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@babel/core@7.22.17. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Block
Potential code anomaly (AI signal): npm @babel/core is 100.0% likely to have a medium risk anomaly
Notes: The improved assessment confirms that this code fragment is a legitimate and comprehensive module-resolution utility (import-meta-resolve-like). It features robust error handling, caching, and protocol-aware resolution without evident malicious activity in this isolated fragment. The security risk is moderate due to the complex nature of resolution logic and potential for misconfiguration in dependent packages, but there is no demonstrated malware or data-exfiltration behavior within this code.
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@babel/core@7.22.17. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Block
Potential code anomaly (AI signal): npm @babel/core is 100.0% likely to have a medium risk anomaly
Notes: The analyzed fragment implements a conventional file transformation entry point with no evident malicious behavior or hard-coded secrets. Security concerns depend on the downstream transformation logic (run) and configuration loading (loadConfig). The code maintains safe control flow (null config handling) and avoids arbitrary code execution within this scope.
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@babel/core@7.22.17. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Block
Potential code anomaly (AI signal): npm @babel/generator is 100.0% likely to have a medium risk anomaly
Notes: The analyzed file is a typical internal utility (Buffer) used by a code generator to accumulate output and manage source maps. There is no evidence of data exfiltration, backdoors, or other malicious activities. The code’s complexity is high but aligned with normal source-map generation patterns. The overall risk from this fragment appears low.
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@babel/generator@7.22.15. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Block
Potential code anomaly (AI signal): npm @babel/helper-function-name is 100.0% likely to have a medium risk anomaly
Notes: No evidence of malicious behavior or supply chain abuse. The code is a conventional Babel AST transformation helper that preserves function identity and avoids local binding collisions. It operates entirely within the transformation context and does not perform network I/O, data exfiltration, or code execution from untrusted input.
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@babel/helper-function-name@7.22.5. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Block
Potential code anomaly (AI signal): npm @babel/helper-module-imports is 100.0% likely to have a medium risk anomaly
Notes: The analyzed code is a Babel AST helper (ImportBuilder) used to construct import statements and interop-wrapped imports. It contains no indicators of malicious behavior, data exfiltration, backdoors, or runtime abuses. It operates within a compiler/transpiler context to produce code, not to execute arbitrary user data. Therefore, the code itself does not present security risks or malware indicators under normal usage. This is benign library behavior intended for code transformation.
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@babel/helper-module-imports@7.22.15. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Block
Potential code anomaly (AI signal): npm @babel/helper-string-parser is 100.0% likely to have a medium risk anomaly
Notes: The analyzed fragment is a conventional, well-scoped string escape/parser utility (likely part of a Babel helper). There is no evidence of malicious behavior such as data exfiltration, backdoors, or remote control. The presence of source maps is typical for built libraries and does not indicate nefarious activity here.
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@babel/helper-string-parser@7.22.5. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Block
Potential code anomaly (AI signal): npm @babel/helpers is 100.0% likely to have a medium risk anomaly
Notes: The analyzed code is a legitimate, build-time code generator that reads a local regenerator-runtime source, parses and transforms it to produce a customized runtime helper for Babel, and outputs the modified code with header metadata. There is no evidence of malicious behavior, data leakage, or network activity. The primary concerns are maintenance fragility due to AST assumptions and possible version drift in regenerator-runtime, not active security threats.
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@babel/helpers@7.22.15. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Block
Potential code anomaly (AI signal): npm @babel/runtime is 100.0% likely to have a medium risk anomaly
Notes: The module implements a legitimate Babel runtime polyfill for named capture groups, using established patterns (WeakMap, prototype inheritance, lazy initialization) to augment RegExp results and substitutions. No evidence of malicious activity, data leakage, or external communication. Overall security risk is low but the code warrants standard review for potential debugging complexity due to prototype and factory redefinition.
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@babel/runtime@7.18.3. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Block
Potential code anomaly (AI signal): npm @babel/traverse is 100.0% likely to have a medium risk anomaly
Notes: No evidence of malicious behavior or data exfiltration. This module implements standard AST node removal semantics with safe guards (state checks, scope cleanup, hooks). The only notable aspect is the extensible removal hook mechanism which could run user-supplied code via hooks, but this is a documented extension point and not inherently malicious. Overall risk is low for typical usage; only potential risk would be if removal hooks execute unsafe user-provided logic in an unsafe environment.
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@babel/traverse@7.22.17. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Block
Potential code anomaly (AI signal): npm @certusone/wormhole-sdk is 100.0% likely to have a medium risk anomaly
Notes: The analyzed code is a standard, autogenerated ethers.js ContractFactory for an NFTBridge contract. No malicious behavior detected within this fragment. Security posture is typical for library code; risk depends on the on-chain contract and provider configuration, not this loader.
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@certusone/wormhole-sdk@0.1.1. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Block
Potential code anomaly (AI signal): npm @jridgewell/resolve-uri is 100.0% likely to have a medium risk anomaly
Notes: The code implements a standard URL parsing and resolution utility with clear responsibilities and deterministic output for valid inputs. The primary security concern is lack of null-checks after regex.exec, which can cause runtime exceptions on malformed inputs. Otherwise, there is no evidence of malicious behavior. Recommended improvement is to guard regex results and validate inputs before accessing groups to prevent crashes and potential abuse.
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@jridgewell/resolve-uri@3.1.1. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Block
Potential code anomaly (AI signal): npm @protobufjs/inquire is 100.0% likely to have a medium risk anomaly
Notes: The code uses eval to dynamically require a module, which is highly unusual and considered unsafe. The usage of eval can lead to code injection vulnerabilities if the moduleName is not properly validated. Additionally, the use of string manipulation to form 'require' is a form of obfuscation and makes the code harder to read and understand.
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@protobufjs/inquire@1.1.0. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Block
Potential code anomaly (AI signal): npm semver is 100.0% likely to have a medium risk anomaly
Notes: No malicious behavior detected. This is a legitimate SemVer utility implementation handling version validation, range filtering, and optional increments. Security risk is low for this code fragment; obfuscated indicators are absent. Overall malice likelihood is negligible.
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/semver@6.3.1. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
dylanjeffers
requested review from
raymondjacobson and
rickyrombo
and removed request for
raymondjacobson
No description provided.