Skip to content

Bump pm2 from 7.0.1 to 7.0.3#252

Merged
github-actions[bot] merged 1 commit into
Currentfrom
dependabot/npm_and_yarn/pm2-7.0.3
Jun 29, 2026
Merged

Bump pm2 from 7.0.1 to 7.0.3#252
github-actions[bot] merged 1 commit into
Currentfrom
dependabot/npm_and_yarn/pm2-7.0.3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Contributor

Bumps pm2 from 7.0.1 to 7.0.3.

Release notes

Sourced from pm2's releases.

v7.0.3

7.0.3

Bug Fixes

  • Fix daemon failing to boot on Node.js < 14.18 — embedded vizion used node:-scheme requires; switched to bare specifiers

v7.0.2

7.0.2

Bug Fixes

  • Fix pm2 serve returning 403 Forbidden on Windows — traversal guard used hardcoded / separator #6109
  • Fix pm2 ls table misalignment when a username exceeds the user column width — cli-tableau's truncate() miscounts ANSI bytes, leaking bold into the watching column
  • Fix long status lines (e.g. Applying action … on app […]) wrapping on narrow terminals — Common.printOut now ANSI-aware crops single-line TTY output to terminal width (piped output unaffected)

Features

  • pm2 ls host-metrics line now shown by defaultpm2 update)
  • pm2 ls adaptive layout: picks the widest layout that fits the terminal — full → condensed → new ultra-compact mini (id · name · status · cpu · mem) — and caps the name column so long names can't overflow the table
  • pm2 ls host-metrics line only lists network interfaces carrying traffic (hides idle utun/awdl/bridge/anpi/unused en*)
  • pm2 ls host-metrics line: replaced mem free with ram usage (%), added GPU memory/temperature when reported, per-interface network errors/drops shown when non-zero

Core Refactor

  • Drop old vizion module, refactor to support only git and drop 3 submodules
  • Replace the bundled pm2-sysmonit module and systeminformation with lib/tools/SysMetrics.js (Linux/macOS); pm2 slist/getSystemData and the Docker metrics path now read this collector. Covered by test/programmatic/sysmetrics.mocha.js

Security

  • Bump js-yaml 4.1.1 → 4.3.0 — fixes quadratic-complexity DoS in merge-key handling (GHSA-h67p-54hq-rp68) #6122
  • Bump ws 8.20.0 → 8.21.0 — fixes uninitialized-memory disclosure and tiny-fragment DoS (GHSA-58qx-3vcg-4xpx, GHSA-96hv-2xvq-fx4p) #6116
  • Bump @pm2/js-api 0.8.0 → 0.8.1, pulling in patched ws@8.21.0 (its transitive ws was pinned to the vulnerable 7.x). Production deps are now advisory-free (npm audit --omit=dev clean)
Changelog

Sourced from pm2's changelog.

7.0.3

Bug Fixes

  • Fix daemon failing to boot on Node.js < 14.18 — embedded vizion used node:-scheme requires; switched to bare specifiers

7.0.2

Bug Fixes

  • Fix pm2 serve returning 403 Forbidden on Windows — traversal guard used hardcoded / separator #6109
  • Fix pm2 ls table misalignment when a username exceeds the user column width — cli-tableau's truncate() miscounts ANSI bytes, leaking bold into the watching column
  • Fix long status lines (e.g. Applying action … on app […]) wrapping on narrow terminals — Common.printOut now ANSI-aware crops single-line TTY output to terminal width (piped output unaffected)

Features

  • pm2 ls host-metrics line now shown by defaultpm2 update)
  • pm2 ls adaptive layout: picks the widest layout that fits the terminal — full → condensed → new ultra-compact mini (id · name · status · cpu · mem) — and caps the name column so long names can't overflow the table
  • pm2 ls host-metrics line only lists network interfaces carrying traffic (hides idle utun/awdl/bridge/anpi/unused en*)
  • pm2 ls host-metrics line: replaced mem free with ram usage (%), added GPU memory/temperature when reported, per-interface network errors/drops shown when non-zero

Core Refactor

  • Drop old vizion module, refactor to support only git and drop 3 submodules
  • Replace the bundled pm2-sysmonit module and systeminformation with lib/tools/SysMetrics.js (Linux/macOS); pm2 slist/getSystemData and the Docker metrics path now read this collector. Covered by test/programmatic/sysmetrics.mocha.js

Security

  • Bump js-yaml 4.1.1 → 4.3.0 — fixes quadratic-complexity DoS in merge-key handling (GHSA-h67p-54hq-rp68) #6122
  • Bump ws 8.20.0 → 8.21.0 — fixes uninitialized-memory disclosure and tiny-fragment DoS (GHSA-58qx-3vcg-4xpx, GHSA-96hv-2xvq-fx4p) #6116
  • Bump @pm2/js-api 0.8.0 → 0.8.1, pulling in patched ws@8.21.0 (its transitive ws was pinned to the vulnerable 7.x). Production deps are now advisory-free (npm audit --omit=dev clean)
Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [pm2](https://github.com/Unitech/pm2) from 7.0.1 to 7.0.3.
- [Release notes](https://github.com/Unitech/pm2/releases)
- [Changelog](https://github.com/Unitech/pm2/blob/master/CHANGELOG.md)
- [Commits](Unitech/pm2@v7.0.1...v7.0.3)

---
updated-dependencies:
- dependency-name: pm2
  dependency-version: 7.0.3
  dependency-type: direct:development
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jun 29, 2026
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatednpm/​pm2@​7.0.1 ⏵ 7.0.364 -8100100 +18760

View full report

@socket-security

Copy link
Copy Markdown

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Block Medium
Network access: npm @pm2/blessed in module net

Module: net

Location: Package overview

From: ?npm/pm2@7.0.3npm/@pm2/blessed@0.1.81

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@pm2/blessed@0.1.81. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
System shell access: npm @pm2/blessed in module child_process

Module: child_process

Location: Package overview

From: ?npm/pm2@7.0.3npm/@pm2/blessed@0.1.81

ℹ Read more on: This package | This alert | What is shell access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@pm2/blessed@0.1.81. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Dynamic code execution: npm @pm2/blessed

Eval Type: Function

Location: Package overview

From: ?npm/pm2@7.0.3npm/@pm2/blessed@0.1.81

ℹ Read more on: This package | This alert | What is dynamic code execution?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@pm2/blessed@0.1.81. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm @pm2/js-api in module http

Module: http

Location: Package overview

From: ?npm/pm2@7.0.3npm/@pm2/js-api@0.8.1

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@pm2/js-api@0.8.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
System shell access: npm @pm2/js-api in module child_process

Module: child_process

Location: Package overview

From: ?npm/pm2@7.0.3npm/@pm2/js-api@0.8.1

ℹ Read more on: This package | This alert | What is shell access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@pm2/js-api@0.8.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm @pm2/pm2-version-check in module https

Module: https

Location: Package overview

From: ?npm/pm2@7.0.3npm/@pm2/pm2-version-check@1.0.4

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@pm2/pm2-version-check@1.0.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm @tootallnate/quickjs-emscripten in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: ?npm/pm2@7.0.3npm/@tootallnate/quickjs-emscripten@0.23.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tootallnate/quickjs-emscripten@0.23.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm agent-base in module http

Module: http

Location: Package overview

From: ?npm/pm2@7.0.3npm/agent-base@7.1.4

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/agent-base@7.1.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm agent-base in module https

Module: https

Location: Package overview

From: ?npm/pm2@7.0.3npm/agent-base@7.1.4

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/agent-base@7.1.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm agent-base in module net

Module: net

Location: Package overview

From: ?npm/pm2@7.0.3npm/agent-base@7.1.4

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/agent-base@7.1.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Dynamic code execution: npm async

Eval Type: Function

Location: Package overview

From: ?npm/pm2@7.0.3npm/async@2.6.4

ℹ Read more on: This package | This alert | What is dynamic code execution?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/async@2.6.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm basic-ftp in module tls

Module: tls

Location: Package overview

From: ?npm/pm2@7.0.3npm/basic-ftp@5.3.1

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/basic-ftp@5.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm basic-ftp in module net

Module: net

Location: Package overview

From: ?npm/pm2@7.0.3npm/basic-ftp@5.3.1

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/basic-ftp@5.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Dynamic code execution: npm eventemitter2

Eval Type: Function

Location: Package overview

From: ?npm/pm2@7.0.3npm/eventemitter2@6.4.9

ℹ Read more on: This package | This alert | What is dynamic code execution?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/eventemitter2@6.4.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm extrareqp2 in module http

Module: http

Location: Package overview

From: ?npm/pm2@7.0.3npm/extrareqp2@1.0.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/extrareqp2@1.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm extrareqp2 in module https

Module: https

Location: Package overview

From: ?npm/pm2@7.0.3npm/extrareqp2@1.0.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/extrareqp2@1.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm get-uri in module http

Module: http

Location: Package overview

From: ?npm/pm2@7.0.3npm/get-uri@6.0.5

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/get-uri@6.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm get-uri in module https

Module: https

Location: Package overview

From: ?npm/pm2@7.0.3npm/get-uri@6.0.5

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/get-uri@6.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm http-proxy-agent in module net

Module: net

Location: Package overview

From: ?npm/pm2@7.0.3npm/http-proxy-agent@7.0.2

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/http-proxy-agent@7.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm http-proxy-agent in module tls

Module: tls

Location: Package overview

From: ?npm/pm2@7.0.3npm/http-proxy-agent@7.0.2

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/http-proxy-agent@7.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm lru-cache in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: ?npm/pm2@7.0.3npm/lru-cache@7.18.3

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lru-cache@7.18.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm pac-proxy-agent in module net

Module: net

Location: Package overview

From: ?npm/pm2@7.0.3npm/pac-proxy-agent@7.2.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/pac-proxy-agent@7.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm pac-proxy-agent in module tls

Module: tls

Location: Package overview

From: ?npm/pm2@7.0.3npm/pac-proxy-agent@7.2.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/pac-proxy-agent@7.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm pac-proxy-agent in module https-proxy-agent

Module: https-proxy-agent

Location: Package overview

From: ?npm/pm2@7.0.3npm/pac-proxy-agent@7.2.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/pac-proxy-agent@7.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm pac-proxy-agent in module http-proxy-agent

Module: http-proxy-agent

Location: Package overview

From: ?npm/pm2@7.0.3npm/pac-proxy-agent@7.2.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/pac-proxy-agent@7.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm pac-resolver in module netmask

Module: netmask

Location: Package overview

From: ?npm/pm2@7.0.3npm/pac-resolver@7.0.1

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/pac-resolver@7.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm pac-resolver in module net

Module: net

Location: Package overview

From: ?npm/pm2@7.0.3npm/pac-resolver@7.0.1

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/pac-resolver@7.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm pac-resolver in module dns

Module: dns

Location: Package overview

From: ?npm/pm2@7.0.3npm/pac-resolver@7.0.1

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/pac-resolver@7.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

See 86 more rows in the dashboard

View full report

@github-actions github-actions Bot merged commit 4d3be55 into Current Jun 29, 2026
9 of 10 checks passed
@github-actions github-actions Bot deleted the dependabot/npm_and_yarn/pm2-7.0.3 branch June 29, 2026 14:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Development

Successfully merging this pull request may close these issues.

1 participant