You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Safe-only Dependabot/audit sweep targeting the next branch. Lockfile refreshes within existing semver ranges plus three same-major devDep-scoped resolutions. No runtime dependency ranges were changed.
yarn npm audit --all --recursive: 80 → 11 advisories. yarn install --immutable and yarn build both pass (TS 5.9.3 on next handles the newer @google-cloud/storage typedefs that broke the main-targeted sweep).
pinned exactly by @verdaccio/core; same-major override (devDep only)
handlebars@4.7.8
resolution → ^4.7.9
pinned exactly by @verdaccio/hooks; same-major override (devDep only)
minimatch@7.4.6
resolution → ^7.4.8
pinned exactly by @verdaccio/core/@verdaccio/utils; same-major override (devDep only)
—
yarn dedupe
collapsed duplicate descriptors
Flagged — not changed (would require breaking changes)
Package
Why left alone
webpack-dev-server@4.15.2
Fix is in 5.2.1+; major bump of a @electron-forge/plugin-webpack runtime dep
@tootallnate/once@2.0.0
Via @google-cloud/storage → teeny-request@^9 → http-proxy-agent@5; teeny-request@10 is cross-major under a published runtime dep
tmp@0.0.33
Pinned ^0.0.33 by external-editor@3 (via @inquirer/prompts); fix is 0.2.4+
markdown-it@14.1.0
Pinned exactly by markdownlint-cli2@0.19.1; fix needs markdownlint-cli2@^0.22 (0.x bump of devDep lint tool — may change lint output)
lodash@4.17.21/4.17.23, lodash-es@4.17.23
Patched 4.18.0 published 2026-03-31; blocked by 7-day npmMinimalAgeGate until 2026-04-07
@xmldom/xmldom@0.8.10
Patched 0.8.12 published 2026-03-29; blocked by npmMinimalAgeGate until 2026-04-05
The three resolutions entries only affect the verdaccio devDep subtree and can be dropped once verdaccio publishes a release that unpins those exact versions.
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/path-to-regexp@0.1.13. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Safe-only Dependabot/audit sweep targeting the
nextbranch. Lockfile refreshes within existing semver ranges plus three same-major devDep-scoped resolutions. No runtime dependency ranges were changed.yarn npm audit --all --recursive: 80 → 11 advisories.yarn install --immutableandyarn buildboth pass (TS 5.9.3 onnexthandles the newer@google-cloud/storagetypedefs that broke themain-targeted sweep).Changes
yarn up -R@aws-sdk/client-s3/@aws-sdk/lib-storageyarn up -R(parent)@smithy/config-resolver@^4,fast-xml-parser@^4.5.5@google-cloud/storageyarn up -R(parent)express/body-parser/compression/@cypress/requestyarn up -R(parent)qs,path-to-regexp,on-headersverdaccioyarn up -R(parent)electron(devDep)yarn up -Rajv@8.17.1^8.18.0@verdaccio/core; same-major override (devDep only)handlebars@4.7.8^4.7.9@verdaccio/hooks; same-major override (devDep only)minimatch@7.4.6^7.4.8@verdaccio/core/@verdaccio/utils; same-major override (devDep only)yarn dedupeFlagged — not changed (would require breaking changes)
webpack-dev-server@4.15.2@electron-forge/plugin-webpackruntime dep@tootallnate/once@2.0.0@google-cloud/storage→teeny-request@^9→http-proxy-agent@5;teeny-request@10is cross-major under a published runtime deptmp@0.0.33^0.0.33byexternal-editor@3(via@inquirer/prompts); fix is 0.2.4+markdown-it@14.1.0markdownlint-cli2@0.19.1; fix needsmarkdownlint-cli2@^0.22(0.x bump of devDep lint tool — may change lint output)lodash@4.17.21/4.17.23,lodash-es@4.17.234.18.0published 2026-03-31; blocked by 7-daynpmMinimalAgeGateuntil 2026-04-07@xmldom/xmldom@0.8.100.8.12published 2026-03-29; blocked bynpmMinimalAgeGateuntil 2026-04-05The three
resolutionsentries only affect the verdaccio devDep subtree and can be dropped once verdaccio publishes a release that unpins those exact versions.