Version Packages

[github-actions]

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

@audius/common@1.5.78

Patch Changes

• 44dba8d: Automatically follow an artist when a user successfully purchases their artist coin
• ab85f43: Fix Explore page tracks to queue as a lineup so pressing next plays the next track in the section
• 6da21c6: Add a dedicated Playlist: Play amplitude event that fires when a user starts playback of a playlist or album from the collection page or from a collection tile on web and mobile
• 2e2e7b3: Add collectionId to PLAYBACK_PLAY analytics events when a track is played from a playlist or album context

@audius/mobile@1.5.180

Patch Changes

• 44dba8d: Automatically follow an artist when a user successfully purchases their artist coin
• ab85f43: Fix Explore page tracks to queue as a lineup so pressing next plays the next track in the section
• 6da21c6: Add a dedicated Playlist: Play amplitude event that fires when a user starts playback of a playlist or album from the collection page or from a collection tile on web and mobile
• 2e2e7b3: Add collectionId to PLAYBACK_PLAY analytics events when a track is played from a playlist or album context
• Updated dependencies [44dba8d]
• Updated dependencies [ab85f43]
• Updated dependencies [6da21c6]
• Updated dependencies [2e2e7b3]
  • @audius/common@1.5.78

@audius/web@1.5.170

Patch Changes

• 44dba8d: Automatically follow an artist when a user successfully purchases their artist coin
• ab33d7b: Show likes and reposts counts on album collection pages (desktop)
• ab85f43: Fix Explore page tracks to queue as a lineup so pressing next plays the next track in the section
• 6da21c6: Add a dedicated Playlist: Play amplitude event that fires when a user starts playback of a playlist or album from the collection page or from a collection tile on web and mobile
• 2e2e7b3: Add collectionId to PLAYBACK_PLAY analytics events when a track is played from a playlist or album context
• Updated dependencies [44dba8d]
• Updated dependencies [ab85f43]
• Updated dependencies [6da21c6]
• Updated dependencies [2e2e7b3]
  • @audius/common@1.5.78

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Potential code anomaly (AI signal): npm @amplitude/session-replay-browser is 100.0% likely to have a medium risk anomaly Notes: This is a session-replay / DOM-capture library that intentionally collects detailed page state (DOM, canvas bitmaps, user interactions), persists them locally, compresses, and sends them to Amplitude session-replay endpoints. The behavior is expected for such SDKs. The primary security concern is privacy/data exfiltration: if misconfigured or used without user consent, the library can capture sensitive inputs and page content. No evidence of traditional malware (reverse shell, arbitrary remote code execution, eval-based payloads) was found in the provided fragment. Recommendations: only use from trusted package sources, ensure masking/ignore selectors are tightly configured (especially for inputs and sensitive CSS selectors), review remote config behavior (it fetches sampling/privacy config), consider privacy/legal implications (consent), and monitor network endpoints and API keys. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@amplitude/plugin-session-replay-browser@1.8.2 → npm/@amplitude/session-replay-browser@1.15.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@amplitude/session-replay-browser@1.15.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @ampproject/remapping is 100.0% likely to have a medium risk anomaly Notes: The code implements a standard SourceMap remapping mechanism. There is no inherent malicious behavior or backdoor within the shown fragment. The only potential risk lies in the use of the user-supplied loader callback, which could be misused by a project integrating this library. If the loader is trusted and sandboxed, the code poses no evident security threats. Overall, the security risk is moderate due to loader trust requirements. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@babel/core@7.23.7 → npm/@ampproject/remapping@2.2.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ampproject/remapping@2.2.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @ampproject/remapping is 100.0% likely to have a medium risk anomaly Notes: The code is a conventional, loader-driven Source Map remapping utility. It exhibits a legitimate trust boundary at the loader. No intrinsic malware present; security concerns hinge on loader trust and content exposure. Recommend reviewing loader implementations and ensuring options properly redact or restrict sourcesContent when distributing SourceMaps. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@babel/core@7.23.7 → npm/@ampproject/remapping@2.2.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ampproject/remapping@2.2.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @apollo/protobufjs is 100.0% likely to have a medium risk anomaly Notes: The analyzed code segment is a standard RPC service wrapper (protobufjs style) with conventional input validation, encoding/decoding, event emission, and end handling. No malicious behavior is evident, and there are no observable security vulnerabilities beyond ordinary library-level error handling. It does not exhibit data exfiltration, backdoors, or other anti-security patterns. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@apollo/protobufjs@1.2.7 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@apollo/protobufjs@1.2.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @babel/core is 100.0% likely to have a medium risk anomaly Notes: The analyzed code fragment is a standard Babel core error handling and code-frame rendering utility. It reads internal node and code data to produce informative errors but does not perform any suspicious network activity, data exfiltration, or backdoor behavior. The observed behavior is typical for a compiler/transpiler component and, in this isolated context, does not indicate malicious activity. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@babel/core@7.23.7 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/core@7.23.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @babel/core is 100.0% likely to have a medium risk anomaly Notes: The analyzed fragment implements a conventional file transformation entry point with no evident malicious behavior or hard-coded secrets. Security concerns depend on the downstream transformation logic (run) and configuration loading (loadConfig). The code maintains safe control flow (null config handling) and avoids arbitrary code execution within this scope. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@babel/core@7.23.7 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/core@7.23.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @babel/helper-module-transforms is 100.0% likely to have a medium risk anomaly Notes: The code is a legitimate, static-code transformation utility used in Babel to ensure proper behavior of ES module bindings after transforms. There is no evidence of malicious behavior, data leakage, or external communications within this fragment. It operates purely on AST-level transformations consistent with module import/export handling. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@babel/helper-module-transforms@7.27.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helper-module-transforms@7.27.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @babel/helpers is 100.0% likely to have a medium risk anomaly Notes: The analyzed fragment is a conventional Babel/TypeScript-style decorators runtime (applyDecs) responsible for applying decorators to class members and managing metadata and initializers. There is no evidence of malware, backdoors, or external data leakage within this module. While complex, the code behaves as a metadata-driven decorator processor and should be considered low risk when used as intended. Downstream risks depend on the decorators provided by consumers, not this utility itself. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@babel/helpers@7.27.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helpers@7.27.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @babel/plugin-syntax-typescript is 100.0% likely to have a medium risk anomaly Notes: The code is a standard Babel plugin fragment that configures syntax support for TypeScript by manipulating parser plugins. There is no malicious logic, no data exfiltration, and no unsafe operations. It appears to be a legitimate helper for enabling TypeScript syntax in Babel pipelines. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@babel/preset-typescript@7.22.15 → npm/@babel/plugin-syntax-typescript@7.27.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/plugin-syntax-typescript@7.27.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @babel/runtime is 100.0% likely to have a medium risk anomaly Notes: Selected report 1 provides a thorough evaluation of decorator-related runtime utilities and concludes low risk with potential for finishers to alter constructors if used with untrusted inputs. The improved assessment confirms normal, expected behavior for Babel decorator infrastructure and notes that the primary risk lies in the finishers channel if untrusted code is supplied. Security risk remains low to moderate depending on input provenance; malware likelihood is negligible based on the fragment. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@changesets/cli@2.27.1 → npm/@babel/runtime@7.24.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/runtime@7.24.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @bravemobile/react-native-code-push is 75.0% likely to have a medium risk anomaly Notes: The fragment represents a standard, legitimate OTA update mechanism for React Native, with normal update orchestration, user prompts, retry/rollback, and status reporting. There is no obvious malicious behavior or backdoor within this code fragment. The main security considerations relate to the integrity and authenticity of updates, secure transport, and the security of the native bridge implementation. Overall risk is moderate due to remote updates, but not due to internal malicious code in this snippet. Confidence: 0.75 Severity: 0.55 From: package-lock.json → npm/@bravemobile/react-native-code-push@12.3.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@bravemobile/react-native-code-push@12.3.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @clack/prompts is 100.0% likely to have a medium risk anomaly Notes: The code fragment appears to be a part of a larger project related to CLI interactions and logging. The heavy obfuscation, incomplete functions, and potential untrusted input handling raise concerns about its security and reliability. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@clack/prompts@0.7.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@clack/prompts@0.7.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @emnapi/runtime is 100.0% likely to have a medium risk anomaly Notes: Overall, this code fragment is a standard and legitimate binding/runtime infrastructure for Node.js native addon interoperability (EMNAPI). There is no evidence of data exfiltration, remote control, backdoors, or malware behavior within this snippet. The primary security considerations relate to the complexity and correct handling of finalizers, weak references, and policy-driven warning paths; misconfiguration or misuse by host applications could introduce risk, but the code itself does not demonstrate malicious activity. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@emnapi/runtime@1.5.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/runtime@1.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @emotion/cache is 100.0% likely to have a medium risk anomaly Notes: The analyzed fragment is a legitimate part of Emotion’s CSS-in-JS cache that manages hydration of server-rendered styles and style insertion. It does not exhibit malicious behavior or supply chain exploits within this snippet. The security risk is low to moderate (primarily DOM manipulation, which is expected for a UI library), with no evident data leakage or external communications. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@emotion/css@11.13.5 → npm/@emotion/react@11.14.0 → npm/@emotion/cache@11.14.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emotion/cache@11.14.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @emotion/styled is 100.0% likely to have a medium risk anomaly Notes: Overall, this is a standard, non-malicious portion of the Emotion styling library. No evidence of backdoors, credential theft, or external network/data exfiltration. The primary risk vector is the CSS-in-DOM injection path via dangerouslySetInnerHTML, which is expected but should be reviewed in the context of trusted inputs. Security posture is low-to-moderate; no immediate danger, but maintain caution with user-supplied template literals and ensure dependencies are trusted. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@emotion/styled@11.14.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emotion/styled@11.14.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm axios is 100.0% likely to have a medium risk anomaly Notes: The code appears to be a standard, well-scoped progress-event utility used to report progress (upload/download) to a consumer listener. It reads input from the event object and computes metrics, then forwards a structured payload to a listener. A minor data exposure risk exists due to passing the raw event object to the listener; mitigations include sanitizing the payload or removing the event object before emission. Overall security risk remains modest, with malware likelihood negligible in this isolated module. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/axios@1.7.4 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.7.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm axios is 100.0% likely to have a medium risk anomaly Notes: The code is a legitimate, self-contained throttling transformer designed for Axios-like streaming workflows. It throttles data output based on maxRate and timeWindow, preserves data integrity by splitting chunks when necessary, and emits optional progress telemetry. No malicious activity or data leakage is detected in this fragment. Security risk remains moderate due to throttling complexity and potential misconfiguration in real deployments, but the module itself does not introduce obvious security flaws. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/axios@1.7.4 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.7.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm cacache is 100.0% likely to have a medium risk anomaly Notes: The analyzed code is a straightforward content-cache retrieval and streaming utility. It reads from a cache using an index, supports digest-based access, and optionally memoizes results. There is no evidence of malicious behavior, data exfiltration, backdoors, or external network activity within this module. The security risk appears low, assuming the surrounding system properly manages cache integrity and does not expose untrusted cache contents without validation. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/cacache@18.0.4 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/cacache@18.0.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm chalk is 100.0% likely to have a medium risk anomaly Notes: This is a conventional Chalk-like color-styling module. It exhibits expected behavior for terminal styling, uses environment checks for compatibility, and does not demonstrate malicious activity, data leakage, or external communications. Security risk is low in isolation; the primary considerations are safe usage in environments where ANSI sequences could affect log readability or concealment, and ensuring trusted template renderingCode integrity. Overall, the component appears benign within its described scope. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@changesets/cli@2.27.1 → npm/chalk@2.4.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/chalk@2.4.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm chalk is 100.0% likely to have a medium risk anomaly Notes: The code is a non-malicious, well-scoped parser and applier for Chalk-like styling templates. It validates and applies styles, handles escapes, and provides explicit errors for malformed templates. No suspicious data exfiltration, network, or system manipulation behaviors are present. Given its context as a library fragment for styling output, the risk is low. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/chalk@4.1.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/chalk@4.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm commander is 100.0% likely to have a medium risk anomaly Notes: The code represents a standard Commander-like CLI framework with dynamic subcommand execution via spawning local executables. It is not inherently malicious, but the external-executable dispatch mechanism introduces a legitimate supply-chain risk: untrusted or misconfigured subcommands can execute arbitrary local code. Recommend tightening executable discovery (absolute trusted paths only, explicit allowlists), validating subcommand targets before spawning, and ensuring regular security reviews of any projects using this pattern. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/commander@5.1.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/commander@5.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm cross-spawn is 100.0% likely to have a medium risk anomaly Notes: This file is a minimal, legitimate wrapper around Node.js child_process.spawn and spawnSync to provide improved ENOENT (command not found) error handling. It does not perform any network requests, dynamic code evaluation, secret disclosure, or telemetry. The only “sink” is the intended execution of local processes as directed by the calling application. No malicious behavior detected. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@bravemobile/react-native-code-push@12.3.2 → npm/cross-spawn@7.0.6 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/cross-spawn@7.0.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
See 15 more rows in the dashboard

View full report

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​@​babel/​plugin-proposal-class-static-block@​7.21.0
	npm/​@​esbuild-plugins/​node-globals-polyfill@​0.1.1 ⏵ 0.2.3	+1		+1
	npm/​@​babel/​preset-typescript@​7.22.15
	npm/​@​babel/​register@​7.7.0
	npm/​@​babel/​plugin-transform-runtime@​7.18.2
	npm/​@​emotion/​server@​11.11.0
	npm/​@​babel/​helper-compilation-targets@​7.22.15 ⏵ 7.27.1			+1
	npm/​@​audius/​fetch-nft@​0.2.8
	npm/​@​babel/​plugin-transform-react-jsx@​7.21.0
	npm/​@​babel/​template@​7.22.15 ⏵ 7.27.1	+1		+1
	npm/​@​babel/​cli@​7.7.0
	npm/​@​audius/​hedgehog@​2.1.0 ⏵ 3.0.0-alpha.1	+1
	npm/​@​ethersproject/​solidity@​5.4.0 ⏵ 5.0.5
	npm/​@​babel/​preset-env@​7.22.15
	npm/​@​atlaskit/​pragmatic-drag-and-drop@​1.7.7
	npm/​@​audius/​stems@​0.3.10
	npm/​@​babel/​helper-module-transforms@​7.22.20 ⏵ 7.27.1	+1		+1
	npm/​@​babel/​parser@​7.22.16 ⏵ 7.27.1			-3
	npm/​@​babel/​compat-data@​7.22.20 ⏵ 7.27.1	+1		+1
	npm/​@​coral-xyz/​anchor@​0.29.0
	npm/​@​babel/​generator@​7.22.15 ⏵ 7.27.1			+1
	npm/​@​babel/​traverse@​7.22.20 ⏵ 7.27.1	+1	+75	+1
	npm/​@​babel/​helpers@​7.22.15 ⏵ 7.27.1	+1	+2	+1
	npm/​@​babel/​core@​7.22.20 ⏵ 7.23.7			+1
	npm/​@​elastic/​elasticsearch@​8.1.0
	npm/​@​babel/​types@​7.26.3 ⏵ 7.27.1
	npm/​@​emotion/​styled@​11.14.0
	npm/​@​bravemobile/​react-native-code-push@​12.3.2
	npm/​@​apollo/​client@​3.3.7
	npm/​@​commander-js/​extra-typings@​12.1.0
	npm/​@​emotion/​eslint-plugin@​11.12.0
	npm/​@​emotion/​babel-preset-css-prop@​11.12.0
See 10 more rows in the dashboard

View full report