build(deps): bump the npm_and_yarn group across 1 directory with 45 updates

[dependabot]

Bumps the npm_and_yarn group with 35 updates in the /docs directory:

Package	From	To
semver	6.3.0	6.3.1
semver	5.7.1	5.7.2
core-js-compat	3.6.5	3.45.1
@babel/helpers	7.10.4	7.28.3
@babel/runtime	7.11.2	7.28.3
@babel/traverse	7.11.0	7.28.3
ansi-html	0.0.7	removed
webpack-dev-server	3.11.0	3.11.3
async	2.6.3	2.6.4
body-parser	1.19.0	1.20.3
express	4.17.1	4.21.2
brace-expansion	1.1.11	1.1.12
browserify-sign	4.2.1	4.2.3
cipher-base	1.0.4	1.0.6
color-string	1.5.3	1.9.1
cross-spawn	6.0.5	6.0.6
decode-uri-component	0.2.0	0.2.2
follow-redirects	1.5.10	1.15.11
vuepress-theme-cosmos	1.0.172	1.0.184
http-cache-semantics	4.1.0	4.2.0
is-svg	3.0.0	removed
postcss-svgo	4.0.2	4.0.3
json-schema	0.2.3	0.4.0
jsprim	1.4.1	1.4.2
minimatch	3.0.4	3.1.2
minimist	1.2.5	1.2.8
on-headers	1.0.2	1.1.0
compression	1.7.4	1.8.1
path-parse	1.0.6	1.0.7
pug	2.0.4	3.0.3
pug-plain-loader	1.0.0	1.1.0
pug-code-gen	2.0.2	2.0.3
qs	6.5.2	6.5.3
sha.js	2.4.11	2.4.12
terser	4.8.0	4.8.1
ws	6.2.1	6.2.3

Updates semver from 6.3.0 to 6.3.1

Release notes

Sourced from semver's releases.

v6.3.1

6.3.1 (2023-07-10)

Bug Fixes

• 928e56d #591 better handling of whitespace (#591) (@​lukekarrys, @​joaomoreno, @​nicolo-ribaudo)

Changelog

Sourced from semver's changelog.

6.3.1 (2023-07-10)

Bug Fixes

• 928e56d #591 better handling of whitespace (#591) (@​lukekarrys, @​joaomoreno, @​nicolo-ribaudo)

6.2.0

• Coerce numbers to strings when passed to semver.coerce()
• Add rtl option to coerce from right to left

6.1.3

• Handle X-ranges properly in includePrerelease mode

6.1.2

• Do not throw when testing invalid version strings

6.1.1

• Add options support for semver.coerce()
• Handle undefined version passed to Range.test

6.1.0

• Add semver.compareBuild function
• Support * in semver.intersects

6.0

• Fix intersects logic.

  This is technically a bug fix, but since it is also a change to behavior that may require users updating their code, it is marked as a major version increment.

5.7

• Add minVersion method

5.6

• Move boolean loose param to an options object, with backwards-compatibility protection.
• Add ability to opt out of special prerelease version handling with the includePrerelease option flag.

5.5

... (truncated)

Commits

• 44d27bc chore: release 6.3.1
• 928e56d fix: better handling of whitespace (#591)
• 39f6326 chore: @​npmcli/template-oss@​4.16.0
• See full diff in compare view

Maintainer changes

This version was pushed to npm by lukekarrys, a new releaser for semver since your current version.

Updates semver from 5.7.1 to 5.7.2

Release notes

Sourced from semver's releases.

v6.3.1

6.3.1 (2023-07-10)

Bug Fixes

• 928e56d #591 better handling of whitespace (#591) (@​lukekarrys, @​joaomoreno, @​nicolo-ribaudo)

Changelog

Sourced from semver's changelog.

6.3.1 (2023-07-10)

Bug Fixes

• 928e56d #591 better handling of whitespace (#591) (@​lukekarrys, @​joaomoreno, @​nicolo-ribaudo)

6.2.0

• Coerce numbers to strings when passed to semver.coerce()
• Add rtl option to coerce from right to left

6.1.3

• Handle X-ranges properly in includePrerelease mode

6.1.2

• Do not throw when testing invalid version strings

6.1.1

• Add options support for semver.coerce()
• Handle undefined version passed to Range.test

6.1.0

• Add semver.compareBuild function
• Support * in semver.intersects

6.0

• Fix intersects logic.

  This is technically a bug fix, but since it is also a change to behavior that may require users updating their code, it is marked as a major version increment.

5.7

• Add minVersion method

5.6

• Move boolean loose param to an options object, with backwards-compatibility protection.
• Add ability to opt out of special prerelease version handling with the includePrerelease option flag.

5.5

... (truncated)

Commits

• 44d27bc chore: release 6.3.1
• 928e56d fix: better handling of whitespace (#591)
• 39f6326 chore: @​npmcli/template-oss@​4.16.0
• See full diff in compare view

Maintainer changes

This version was pushed to npm by lukekarrys, a new releaser for semver since your current version.

Updates core-js-compat from 3.6.5 to 3.45.1

Changelog

Sourced from core-js-compat's changelog.

3.45.1 - 2025.08.20

• Changes v3.45.0...v3.45.1 (30 commits)
• Fixed a conflict of native methods from Map upsert proposal with polyfilled methods in the pure version
• Added bugs fields to package.json of all packages
• Compat data improvements:
  • Map upsert proposal features marked as shipped from Bun 1.2.20
  • Added Samsung Internet 29 compat data mapping
  • Added Electron 39 compat data mapping

3.45.0 - 2025.08.04

• Changes v3.44.0...v3.45.0 (70 commits)
• Uint8Array to / from base64 and hex proposal:
  • Built-ins:
    • Uint8Array.fromBase64
    • Uint8Array.fromHex
    • Uint8Array.prototype.setFromBase64
    • Uint8Array.prototype.setFromHex
    • Uint8Array.prototype.toBase64
    • Uint8Array.prototype.toHex
  • Moved to stable ES, July 2025 TC39 meeting
  • Added es. namespace modules, /es/ and /stable/ namespaces entries
  • Added detection of a Webkit bug: Uint8Array fromBase64 / setFromBase64 does not throw an error on incorrect length of base64 string
• Math.sumPrecise proposal:
  • Built-ins:
    • Math.sumPrecise
  • Moved to stable ES, July 2025 TC39 meeting
  • Added es. namespace module, /es/ and /stable/ namespaces entries
• Iterator sequencing proposal:
  • Built-ins:
    • Iterator.concat
  • Moved to stage 3, July 2025 TC39 meeting
  • Added /actual/ namespace entries, unconditional forced replacement changed to feature detection
• Map upsert proposal:
  • Built-ins:
    • Map.prototype.getOrInsert
    • Map.prototype.getOrInsertComputed
    • WeakMap.prototype.getOrInsert
    • WeakMap.prototype.getOrInsertComputed
  • Moved to stage 3, July 2025 TC39 meeting
  • Added /actual/ namespace entries, unconditional forced replacement changed to feature detection
• Added missing dependencies to some entries of static Iterator methods
• Fixed Joint Iteration proposal in /stage/ entries
• Compat data improvements:
  • Uint8Array to / from base64 and hex proposal features marked as supported from V8 ~ Chromium 140
  • Uint8Array.{ fromBase64, prototype.setFromBase64 } marked as unsupported in Safari and supported only from Bun 1.2.20 because of a bug: it does not throw an error on incorrect length of base64 string
  • %TypedArray%.prototype.with marked as fixed in Safari 26.0
  • Updated Electron 38 compat data mapping
  • Added Opera Android 91 compat data mapping

3.44.0 - 2025.07.07

... (truncated)

Commits

• a16b86a v3.45.1
• 15d1d36 add Electron 39 compat data mapping
• e5a779f update dependencies
• 9cd9b6b add Samsung Internet 29 compat data mapping
• c2e35ca mark Map upsert proposal features as shipped from Bun 1.2.20
• 977a3a4 update dependencies
• d4fa8f0 enforce bugs field in package.json of public packages
• 79bf819 v3.45.0
• 13d55b8 update Opera Android 91 compat data mapping
• 472c65a Uint8Array.{ fromBase64, prototype.setFromBase64 } are fixed in Bun 1.2.20
• Additional commits viewable in compare view

Updates @babel/helpers from 7.10.4 to 7.28.3

Release notes

Sourced from @​babel/helpers's releases.

v7.28.3 (2025-08-14)

👓 Spec Compliance

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env
  • #17443 [static blocks] Do not inject new static fields after static code (@​nicolo-ribaudo)

🐛 Bug Fix

• babel-parser
  • #17465 fix(parser/typescript): parse import("./a", {with:{},}) (@​easrng)
  • #17478 fix(parser): stop subscript parsing on async arrow (@​JLHwung)

💅 Polish

• babel-plugin-transform-regenerator, babel-plugin-transform-runtime
  • #17363 Do not save last yield in call in temp var (@​nicolo-ribaudo)

📝 Documentation

• #17448 move eslint-{parser,plugin} docs to the website (@​JLHwung)

🏠 Internal

• #17454 Enable type checking for scripts and babel-worker.cjs (@​JLHwung)

🔬 Output optimization

• babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions
  • #17444 Optimize do expression output (@​JLHwung)

Committers: 5

• Babel Bot (@​babel-bot)
• Huáng Jùnliàng (@​JLHwung)
• Jam Balaya (@​JamBalaya56562)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• easrng (@​easrng)

v7.28.2 (2025-07-24)

Thanks @​souhailaS for your first PR!

🐛 Bug Fix

• babel-types
  • #17445 [babel 7] Make operator param in t.tsTypeOperator optional (@​nicolo-ribaudo)
• babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3
  • #17441 fix: regeneratorDefine compatibility with es5 strict mode (@​liuxingbaoyu)

Committers: 4

• Babel Bot (@​babel-bot)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• SOUHAILA SERBOUT (@​souhailaS)
• @​liuxingbaoyu

v7.28.1 (2025-07-12)

... (truncated)

Changelog

Sourced from @​babel/helpers's changelog.

v7.28.3 (2025-08-14)

👓 Spec Compliance

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env
  • #17443 [static blocks] Do not inject new static fields after static code (@​nicolo-ribaudo)

🐛 Bug Fix

• babel-parser
  • #17465 fix(parser/typescript): parse import("./a", {with:{},}) (@​easrng)
  • #17478 fix(parser): stop subscript parsing on async arrow (@​JLHwung)

💅 Polish

• babel-plugin-transform-regenerator, babel-plugin-transform-runtime
  • #17363 Do not save last yield in call in temp var (@​nicolo-ribaudo)

📝 Documentation

• #17448 move eslint-{parser,plugin} docs to the website (@​JLHwung)

🏠 Internal

• #17454 Enable type checking for scripts and babel-worker.cjs (@​JLHwung)

🔬 Output optimization

• babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions
  • #17444 Optimize do expression output (@​JLHwung)

v7.28.2 (2025-07-24)

🐛 Bug Fix

• babel-types
  • #17445 [babel 7] Make operator param in t.tsTypeOperator optional (@​nicolo-ribaudo)
• babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3
  • #17441 fix: regeneratorDefine compatibility with es5 strict mode (@​liuxingbaoyu)

v7.28.1 (2025-07-12)

🐛 Bug Fix

• babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator
  • #17426 fix: regenerator correctly handles throw outside of try (@​liuxingbaoyu)

📝 Documentation

• babel-types
  • #17422 Add missing FunctionParameter docs (@​JLHwung)

↩️ Revert

• babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions, babel-types
  • #17432 Do not mark OptionalMemberExpresion as LVal (@​JLHwung)

v7.28.0 (2025-07-02)

🚀 New Feature

• babel-node
  • #17147 Support top level await in node repl (@​liuxingbaoyu)
• babel-types

... (truncated)

Commits

• ef155f5 v7.28.3
• 741cbd2 chore: fix various typos across codebase (#17476)
• cac0ff4 v7.28.2
• f743094 fix: regeneratorDefine compatibility with es5 strict mode (#17441)
• baa4cb8 v7.27.6
• fdbf1b3 fix: finally causes unexpected return value (#17366)
• 7d06930 v7.27.4
• 5b9468d Reduce regenerator size more (#17287)
• cb78b5b [babel 8] Do not replace global regeneratorRuntime references in regenerato...
• 49c0dbb Fix iterator compatibility of regeneratorValues (#17335)
• Additional commits viewable in compare view

Updates @babel/runtime from 7.11.2 to 7.28.3

Release notes

Sourced from @​babel/runtime's releases.

v7.28.3 (2025-08-14)

👓 Spec Compliance

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env
  • #17443 [static blocks] Do not inject new static fields after static code (@​nicolo-ribaudo)

🐛 Bug Fix

• babel-parser
  • #17465 fix(parser/typescript): parse import("./a", {with:{},}) (@​easrng)
  • #17478 fix(parser): stop subscript parsing on async arrow (@​JLHwung)

💅 Polish

• babel-plugin-transform-regenerator, babel-plugin-transform-runtime
  • #17363 Do not save last yield in call in temp var (@​nicolo-ribaudo)

📝 Documentation

• #17448 move eslint-{parser,plugin} docs to the website (@​JLHwung)

🏠 Internal

• #17454 Enable type checking for scripts and babel-worker.cjs (@​JLHwung)

🔬 Output optimization

• babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions
  • #17444 Optimize do expression output (@​JLHwung)

Committers: 5

• Babel Bot (@​babel-bot)
• Huáng Jùnliàng (@​JLHwung)
• Jam Balaya (@​JamBalaya56562)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• easrng (@​easrng)

v7.28.2 (2025-07-24)

Thanks @​souhailaS for your first PR!

🐛 Bug Fix

• babel-types
  • #17445 [babel 7] Make operator param in t.tsTypeOperator optional (@​nicolo-ribaudo)
• babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3
  • #17441 fix: regeneratorDefine compatibility with es5 strict mode (@​liuxingbaoyu)

Committers: 4

• Babel Bot (@​babel-bot)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• SOUHAILA SERBOUT (@​souhailaS)
• @​liuxingbaoyu

v7.28.1 (2025-07-12)

... (truncated)

Changelog

Sourced from @​babel/runtime's changelog.

v7.28.3 (2025-08-14)

👓 Spec Compliance

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env
  • #17443 [static blocks] Do not inject new static fields after static code (@​nicolo-ribaudo)

🐛 Bug Fix

• babel-parser
  • #17465 fix(parser/typescript): parse import("./a", {with:{},}) (@​easrng)
  • #17478 fix(parser): stop subscript parsing on async arrow (@​JLHwung)

💅 Polish

• babel-plugin-transform-regenerator, babel-plugin-transform-runtime
  • #17363 Do not save last yield in call in temp var (@​nicolo-ribaudo)

📝 Documentation

• #17448 move eslint-{parser,plugin} docs to the website (@​JLHwung)

🏠 Internal

• #17454 Enable type checking for scripts and babel-worker.cjs (@​JLHwung)

🔬 Output optimization

• babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions
  • #17444 Optimize do expression output (@​JLHwung)

v7.28.2 (2025-07-24)

🐛 Bug Fix

• babel-types
  • #17445 [babel 7] Make operator param in t.tsTypeOperator optional (@​nicolo-ribaudo)
• babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3
  • #17441 fix: regeneratorDefine compatibility with es5 strict mode (@​liuxingbaoyu)

v7.28.1 (2025-07-12)

🐛 Bug Fix

• babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator
  • #17426 fix: regenerator correctly handles throw outside of try (@​liuxingbaoyu)

📝 Documentation

• babel-types
  • #17422 Add missing FunctionParameter docs (@​JLHwung)

↩️ Revert

• babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions, babel-types
  • #17432 Do not mark OptionalMemberExpresion as LVal (@​JLHwung)

v7.28.0 (2025-07-02)

🚀 New Feature

• babel-node
  • #17147 Support top level await in node repl (@​liuxingbaoyu)
• babel-types

... (truncated)

Commits

• ef155f5 v7.28.3
• cac0ff4 v7.28.2
• f68ac51 chore: Avoid CITGM errors (#17382)
• baa4cb8 v7.27.6
• 7d06930 v7.27.4
• 5b9468d Reduce regenerator size more (#17287)
• cb78b5b [babel 8] Do not replace global regeneratorRuntime references in regenerato...
• a0690e3 Split regeneratorRuntime into multiple helpers (#17238)
• da5e371 v7.27.3
• eebd3a0 v7.27.1
• Additional commits viewable in compare view

Updates @babel/traverse from 7.11.0 to 7.28.3

Release notes

Sourced from @​babel/traverse's releases.

v7.28.3 (2025-08-14)

👓 Spec Compliance

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env
  • #17443 [static blocks] Do not inject new static fields after static code (@​nicolo-ribaudo)

🐛 Bug Fix

• babel-parser
  • #17465 fix(parser/typescript): parse import("./a", {with:{},}) (@​easrng)
  • #17478 fix(parser): stop subscript parsing on async arrow (@​JLHwung)

💅 Polish

• babel-plugin-transform-regenerator, babel-plugin-transform-runtime
  • #17363 Do not save last yield in call in temp var (@​nicolo-ribaudo)

📝 Documentation

• #17448 move eslint-{parser,plugin} docs to the website (@​JLHwung)

🏠 Internal

• #17454 Enable type checking for scripts and babel-worker.cjs (@​JLHwung)

🔬 Output optimization

• babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions
  • #17444 Optimize do expression output (@​JLHwung)

Committers: 5

• Babel Bot (@​babel-bot)
• Huáng Jùnliàng (@​JLHwung)
• Jam Balaya (@​JamBalaya56562)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• easrng (@​easrng)

v7.28.2 (2025-07-24)

Thanks @​souhailaS for your first PR!

🐛 Bug Fix

• babel-types
  • #17445 [babel 7] Make operator param in t.tsTypeOperator optional (@​nicolo-ribaudo)
• babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3
  • #17441 fix: regeneratorDefine compatibility with es5 strict mode (@​liuxingbaoyu)

Committers: 4

• Babel Bot (@​babel-bot)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• SOUHAILA SERBOUT (@​souhailaS)
• @​liuxingbaoyu

v7.28.1 (2025-07-12)

... (truncated)

Changelog

Sourced from @​babel/traverse's changelog.

v7.28.3 (2025-08-14)

👓 Spec Compliance

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env
  • #17443 [static blocks] Do not inject new static fields after static code (@​nicolo-ribaudo)

🐛 Bug Fix

• babel-parser
  • #17465 fix(parser/typescript): parse import("./a", {with:{},}) (@​easrng)
  • #17478 fix(parser): stop subscript parsing on async arrow (@​JLHwung)

💅 Polish

• babel-plugin-transform-regenerator, babel-plugin-transform-runtime
  • #17363 Do not save last yield in call in temp var (@​nicolo-ribaudo)

📝 Documentation

• #17448 move eslint-{parser,plugin} docs to the website (@​JLHwung)

🏠 Internal

• #17454 Enable type checking for scripts and babel-worker.cjs (@​JLHwung)

🔬 Output optimization

• babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions
  • #17444 Optimize do expression output (@​JLHwung)

v7.28.2 (2025-07-24)

🐛 Bug Fix

• babel-types
  • #17445 [babel 7] Make operator param in t.tsTypeOperator optional (@​nicolo-ribaudo)
• babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3
  • #17441 fix: regeneratorDefine compatibility with es5 strict mode (@​liuxingbaoyu)

v7.28.1 (2025-07-12)

🐛 Bug Fix

• babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator
  • #17426 fix: regenerator correctly handles throw outside of try (@​liuxingbaoyu)

📝 Documentation

• babel-types
  • #17422 Add missing FunctionParameter docs (@​JLHwung)

↩️ Revert

• babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions, babel-types
  • #17432 Do not mark OptionalMemberExpresion as LVal (@​JLHwung)

v7.28.0 (2025-07-02)

🚀 New Feature

• babel-node
  • #17147 Support top level await in node repl (@​liuxingbaoyu)
• babel-types

... (truncated)

Commits

• ef155f5 v7.28.3
• 741cbd2 chore: fix various typos across codebase (#17476)
• 5051613 Type-check .d.ts file with strict: true (#17461)
• ccc5fae v7.28.0
• 4b4e7e2 Create babel-helper-globals (#17297)
• cf5ae03 LVal coverage updates (Part 2) (#17391)
• 6ca9df4 Accept bigints in t.bigIntLiteral factory (#17378)
• 75f0140 Parse discard binding (#17163)
• 4ce7dfd v7.27.7
• 6c8faf1 add generateUidBasedOnNode test cases (#17381)
• Additional commits viewable in compare view

Removes ansi-html

Updates webpack-dev-server from 3.11.0 to 3.11.3

Release notes

Sourced from webpack-dev-server's releases.

v3.11.3

3.11.3 (2021-11-08)

Bug Fixes

• replace ansi-html with ansi-html-community (#4011) (4fef67b)

v3.11.2

3.11.2 (2021-01-13)

Bug Fixes

• cli arguments for serve command (a5fe337)

v3.11.1

3.11.1 (2020-12-29)

Bug Fixes

• the open option works using webpack serve without value (#2948) (4837dc9)
• vulnerable deps (#2949) (78dde50)

Changelog

Sourced from webpack-dev-server's changelog.

3.11.3 (2021-11-08)

Bug Fixes

• replace ansi-html with ansi-html-community (#4011) (4fef67b)

3.11.2 (2021-01-13)

Bug Fixes

• cli arguments for serve command (a5fe337)

3.11.1 (2020-12-29)

Bug Fixes

• the open option works using webpack serve without value (#2948) (4837dc9)
• vulnerable deps (#2949) (78dde50)

Commits

• aa3cddc chore(release): 3.11.3
• 4fef67b fix: replace ansi-html with ansi-html-community (#4011)
• 5cb545f chore(release): 3.11.2
• a5fe337 fix: cli arguments for serve command
• 7e70eee chore(release): 3.11.1
• 78dde50 fix: vulnerable deps (#2949)
• 4837dc9 fix: the open option works using webpack serve without value (#2948)
• See full diff in compare view

Updates async from 2.6.3 to 2.6.4

Changelog

Sourced from async's changelog.

v2.6.4

• Fix potential prototype pollution exploit (#1828)

Commits

• c6bdaca Version 2.6.4
• 8870da9 Update built files
• 4df6754 update changelog
• 8f7f903 Fix prototype pollution vulnerability (#1828)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by hargasinski, a new releaser for async since your current version.

Updates body-parser from 1.19.0 to 1.20.3

Release notes

Sourced from body-parser's releases.

1.20.3

What's Changed

Important

• deps: qs@6.13.0
• add depth option to customize the depth level in the parser
• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity). Documentation

Other changes

• chore: add support for OSSF scorecard reporting by @​inigomarquinez in expressjs/body-parser#522
• ci: fix errors in ci github action for node 8 and 9 by @​inigomarquinez in expressjs/body-parser#523
• fix: pin to node@22.4.1 by @​wesleytodd in expressjs/body-parser#527
• deps: qs@6.12.3 by @​melikhov-dev in expressjs/body-parser#521
• Add OSSF Scorecard badge by @​bjohansebas in expressjs/body-parser#531
• Linter by @​UlisesGascon in expressjs/body-parser#534
• Release: 1.20.3 by @​UlisesGascon in expressjs/body-parser#535

New Contributors

• @​inigomarquinez made their first contribution in expressjs/body-parser#522
• @​melikhov-dev made their first contribution in expressjs/body-parser#521
• @​bjohansebas made their first contribution in expressjs/body-parser#531
• @​UlisesGascon made their first contribution in expressjs/body-parser#534

Full Changelog: expressjs/body-parser@1.20.2...1.20.3

1.20.2

• Fix strict json error message on Node.js 19+
• deps: content-type@~1.0.5
  • perf: skip value escaping when unnecessary
• deps: raw-body@2.5.2

1.20.1

• deps: qs@6.11.0
• perf: remove unnecessary object clone

1.20.0

• Fix error message for json parse whitespace in strict
• Fix internal error when inflated body exceeds limit
• Prevent loss of async hooks context
• Prevent hanging when request already read
• deps: depd@2.0.0
  • Replace internal eval usage with Function constructor
  • Use instance methods on process to check for listeners
• deps: http-errors@2.0.0
  • deps: depd@2.0.0
  • deps: statuses@2.0.1
• deps: on-finished@2.4.1
• deps: qs@6.10.3

... (truncated)

Changelog

Sourced from body-parser's changelog.

1.20.3 / 2024-09-10

• deps: qs@6.13.0
• add depth option to customize the depth level in the parser
• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

1.20.2 / 2023-02-21

• Fix strict json error message on Node.js 19+
• deps: content-type@~1.0.5
  • perf: skip value escaping when unnecessary
• deps: raw-body@2.5.2

1.20.1 / 2022-10-06

• deps: qs@6.11.0
• perf: remove unnecessary object clone

1.20.0 / 2022-04-02

• Fix error message for json parse whitespace in strict
• Fix internal error when inflated body exceeds limit
• Prevent loss of async hooks context
• Prevent hanging when request already read
• deps: depd@2.0.0
  • Replace internal eval usage with Function constructor
  • Use instance methods on process to check for listeners
• deps: http-errors@2.0.0
  • deps: depd@2.0.0
  • deps: statuses@2.0.1
• deps: on-finished@2.4.1
• deps: qs@6.10.3
• deps: raw-body@2.5.1
  • deps: http-errors@2.0.0

1.19.2 / 2022-02-15

• deps: bytes@3.1.2
• deps: qs@6.9.7
  • Fix handling of __proto__ keys
• deps: raw-body@2.4.3
  • deps: bytes@3.1.2

1.19.1 / 2021-12-10

... (truncated)

Commits

• 1752951 1.20.3
• 39744cf chore: linter (#534)
• b2695c4 Merge commit from fork

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​vuepress-theme-cosmos@​1.0.172 ⏵ 1.0.184	+1

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		npm/on-headers@1.1.0 has Network access. Module: http Location: Package overview From: docs/package-lock.json → npm/vuepress-theme-cosmos@1.0.184 → npm/on-headers@1.1.0 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/on-headers@1.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/update-browserslist-db@1.1.3 has Shell access. Module: child_process Location: Package overview From: docs/package-lock.json → npm/vuepress-theme-cosmos@1.0.184 → npm/update-browserslist-db@1.1.3 ℹ Read more on: This package | This alert | What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/update-browserslist-db@1.1.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/websocket-driver@0.7.4 has Network access. Module: http-parser-js Location: Package overview From: docs/package-lock.json → npm/vuepress-theme-cosmos@1.0.184 → npm/websocket-driver@0.7.4 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/websocket-driver@0.7.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/async@2.6.4 has a New author. New Author: hargasinski Previous Author: aearly From: docs/package-lock.json → npm/vuepress-theme-cosmos@1.0.184 → npm/async@2.6.4 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/async@2.6.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/body-parser@1.20.3 has a New author. New Author: ulisesgascon Previous Author: dougwilson From: docs/package-lock.json → npm/vuepress-theme-cosmos@1.0.184 → npm/body-parser@1.20.3 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/body-parser@1.20.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/browserify-rsa@4.1.1 has a New author. New Author: ljharb Previous Author: cwmma From: docs/package-lock.json → npm/vuepress-theme-cosmos@1.0.184 → npm/browserify-rsa@4.1.1 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/browserify-rsa@4.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/encodeurl@2.0.0 has a New author. New Author: blakeembrey Previous Author: dougwilson From: docs/package-lock.json → npm/vuepress-theme-cosmos@1.0.184 → npm/encodeurl@2.0.0 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/encodeurl@2.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/express@4.21.2 has a New author. New Author: jonchurch Previous Author: ulisesgascon From: docs/package-lock.json → npm/vuepress-theme-cosmos@1.0.184 → npm/express@4.21.2 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/express@4.21.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/hash-base@3.0.5 has a New author. New Author: ljharb Previous Author: fanatid From: docs/package-lock.json → npm/vuepress-theme-cosmos@1.0.184 → npm/hash-base@3.0.5 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/hash-base@3.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/is-expression@4.0.0 has a New author. New Author: forbeslindesay Previous Author: timothygu From: docs/package-lock.json → npm/vuepress-theme-cosmos@1.0.184 → npm/is-expression@4.0.0 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/is-expression@4.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/negotiator@0.6.4 has a New author. New Author: blakeembrey Previous Author: wesleytodd From: docs/package-lock.json → npm/vuepress-theme-cosmos@1.0.184 → npm/negotiator@0.6.4 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/negotiator@0.6.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/on-headers@1.1.0 has a New author. New Author: ulisesgascon Previous Author: dougwilson From: docs/package-lock.json → npm/vuepress-theme-cosmos@1.0.184 → npm/on-headers@1.1.0 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/on-headers@1.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/parse-asn1@5.1.7 has a New author. New Author: ljharb Previous Author: cwmma From: docs/package-lock.json → npm/vuepress-theme-cosmos@1.0.184 → npm/parse-asn1@5.1.7 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/parse-asn1@5.1.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/pbkdf2@3.1.3 has a New author. New Author: ljharb Previous Author: cwmma From: docs/package-lock.json → npm/vuepress-theme-cosmos@1.0.184 → npm/pbkdf2@3.1.3 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/pbkdf2@3.1.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/prismjs@1.30.0 has a New author. New Author: dmitrysharabin Previous Author: rundevelopment From: docs/package-lock.json → npm/vuepress-theme-cosmos@1.0.184 → npm/prismjs@1.30.0 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/prismjs@1.30.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/pug-plain-loader@1.1.0 has a New author. New Author: soda Previous Author: yyx990803 From: docs/package-lock.json → npm/vuepress-theme-cosmos@1.0.184 → npm/pug-plain-loader@1.1.0 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/pug-plain-loader@1.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/send@0.19.0 has a New author. New Author: ulisesgascon Previous Author: wesleytodd From: docs/package-lock.json → npm/vuepress-theme-cosmos@1.0.184 → npm/send@0.19.0 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/send@0.19.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/sha.js@2.4.12 has a New author. New Author: ljharb Previous Author: dcousens From: docs/package-lock.json → npm/vuepress-theme-cosmos@1.0.184 → npm/sha.js@2.4.12 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/sha.js@2.4.12. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/token-stream@1.0.0 has a New author. New Author: timothygu Previous Author: forbeslindesay From: docs/package-lock.json → npm/vuepress-theme-cosmos@1.0.184 → npm/token-stream@1.0.0 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/token-stream@1.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/void-elements@3.1.0 has a New author. New Author: forbeslindesay Previous Author: hemanth From: docs/package-lock.json → npm/vuepress-theme-cosmos@1.0.184 → npm/void-elements@3.1.0 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/void-elements@3.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/vuepress-theme-cosmos@1.0.184 has a New author. New Author: mmulji-ic Previous Author: fadeev From: docs/package-lock.json → npm/vuepress-theme-cosmos@1.0.184 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/vuepress-theme-cosmos@1.0.184. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		npm/prismjs@1.30.0 is a AI-detected potential code anomaly. Notes: The code is obfuscated, which may lead to unexpected anomalies. No immediate malicious behavior is found, however caution is advised. Confidence: 1.00 Severity: 0.60 From: docs/package-lock.json → npm/vuepress-theme-cosmos@1.0.184 → npm/prismjs@1.30.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/prismjs@1.30.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report