Bump the npm_and_yarn group across 2 directories with 25 updates #18

Open

dependabot[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/crypto/npm_and_yarn-eea4ec9600

Conversation


dependabot[bot] commented on behalf of GitHub, Sep 4, 2025

Bumps the npm_and_yarn group with 14 updates in the /crypto directory:

| Package | From | To |
| --- | --- | --- |
| @babel/traverse | 7.13.0 | 7.28.3 |
| braces | 2.3.2 | 3.0.3 |
| jest | 26.6.3 | 30.1.3 |
| ts-jest | 26.5.1 | 29.4.1 |
| ejs | 3.1.6 | 3.1.10 |
| elliptic | 6.5.4 | 6.6.1 |
| @ethersproject/signing-key | 5.0.11 | 5.8.0 |
| get-func-name | 2.0.0 | 2.0.2 |
| minimist | 1.2.5 | 1.2.8 |
| qs | 6.5.2 | 6.5.3 |
| body-parser | 1.19.0 | 1.20.3 |
| express | 4.17.1 | 4.21.2 |
| tough-cookie | 2.5.0 | removed |
| web3 | 1.3.4 | 4.16.0 |

Bumps the npm_and_yarn group with 2 updates in the / directory: braces and lerna.

Updates @babel/traverse from 7.13.0 to 7.28.3

Release notes

Sourced from @babel/traverse's releases.

v7.28.3 (2025-08-14)

👓 Spec Compliance

  • babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env

🐛 Bug Fix

💅 Polish

  • babel-plugin-transform-regenerator, babel-plugin-transform-runtime

📝 Documentation

🏠 Internal

🔬 Output optimization

  • babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions

Committers: 5

v7.28.2 (2025-07-24)

Thanks @souhailaS for your first PR!

🐛 Bug Fix

  • babel-types
  • babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3

Committers: 4

v7.28.1 (2025-07-12)

... (truncated)

Changelog

Sourced from @babel/traverse's changelog.

v7.28.3 (2025-08-14)

👓 Spec Compliance

  • babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env

🐛 Bug Fix

💅 Polish

  • babel-plugin-transform-regenerator, babel-plugin-transform-runtime

📝 Documentation

🏠 Internal

🔬 Output optimization

  • babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions

v7.28.2 (2025-07-24)

🐛 Bug Fix

  • babel-types
  • babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3

v7.28.1 (2025-07-12)

🐛 Bug Fix

  • babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator

📝 Documentation

↩️ Revert

  • babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions, babel-types

v7.28.0 (2025-07-02)

🚀 New Feature

... (truncated)

Commits

Updates braces from 2.3.2 to 3.0.3

Changelog

Sourced from braces's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

  • Changelogs are for humans, not machines.
  • There should be an entry for every single version.
  • The same types of changes should be grouped.
  • Versions and sections should be linkable.
  • The latest version comes first.
  • The release date of each version is displayed.
  • Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

  • Added for new features.
  • Changed for changes in existing functionality.
  • Deprecated for soon-to-be removed features.
  • Removed for now removed features.
  • Fixed for any bug fixes.
  • Security in case of vulnerabilities.

[3.0.0] - 2018-04-08

v3.0 is a complete refactor, resulting in a faster, smaller codebase, with fewer deps, and a more accurate parser and compiler.

Breaking Changes

  • The undocumented .makeRe method was removed
  • Require Node.js >= 8.3

Non-breaking changes

  • Caching was removed

Commits

Updates jest from 26.6.3 to 30.1.3

Release notes

Sourced from jest's releases.

30.1.3

Fixes

  • Fix unstable_mockModule with node: prefixed core modules.

30.1.2

Fixes

  • [jest-snapshot-utils] Correct snapshot header regexp to work with newline across OSes (#15803)

30.1.1

Fixes

  • [jest-snapshot-utils] Fix deprecated goo.gl snapshot warning not handling Windows end-of-line sequences (#15800)

30.1.0

Features

  • [jest-leak-detector] Configurable GC aggressiveness regarding to V8 heap snapshot generation (#15793)
  • [jest-runtime] Reduce redundant ReferenceError messages
  • [jest-core] Include test modules that failed to load when --onlyFailures is active

Fixes

  • [jest-snapshot-utils] Fix deprecated goo.gl snapshot guide link not getting replaced with fully canonical URL (#15787)
  • [jest-circus] Fix it.concurrent not working with describe.skip (#15765)
  • [jest-snapshot] Fix mangled inline snapshot updates when used with Prettier 3 and CRLF line endings
  • [jest-runtime] Importing from @jest/globals in more than one file no longer breaks relative paths (#15772)

Chore

  • [expect] Update docblock for toContain() to display info on substring check (#15789)

30.0.2

What's Changed

Fixes

  • [jest-matcher-utils] Make 'deepCyclicCopyObject' safer by setting descriptors to a null-prototype object (#15689)
  • [jest-util] Make garbage collection protection property writable (#15689)

Full Changelog: https://github.com/jestjs/jest/blob/main/CHANGELOG.md

Jest 30.0.1

What's Changed

Features

  • [jest-resolver] Implement the defaultAsyncResolver (#15679)

... (truncated)

Changelog

Sourced from jest's changelog.

30.1.3

Fixes

  • Fix unstable_mockModule with node: prefixed core modules.

30.1.2

Fixes

  • [jest-snapshot-utils] Correct snapshot header regexp to work with newline across OSes (#15803)

30.1.1

Fixes

  • [jest-snapshot-utils] Fix deprecated goo.gl snapshot warning not handling Windows end-of-line sequences (#15800)

30.1.0

Features

  • [jest-leak-detector] Configurable GC aggressiveness regarding to V8 heap snapshot generation (#15793)
  • [jest-runtime] Reduce redundant ReferenceError messages
  • [jest-core] Include test modules that failed to load when --onlyFailures is active

Fixes

  • [jest-snapshot-utils] Fix deprecated goo.gl snapshot guide link not getting replaced with fully canonical URL (#15787)
  • [jest-circus] Fix it.concurrent not working with describe.skip (#15765)
  • [jest-snapshot] Fix mangled inline snapshot updates when used with Prettier 3 and CRLF line endings
  • [jest-runtime] Importing from @jest/globals in more than one file no longer breaks relative paths (#15772)

Chore

  • [expect] Update docblock for toContain() to display info on substring check (#15789)

30.0.5

Features

  • [jest-config] Allow testMatch to take a string value
  • [jest-worker] Let workerIdleMemoryLimit accept 0 to always restart worker child processes

Fixes

  • [expect] Fix bigint error (#15702)

30.0.4

... (truncated)

Commits

Updates ts-jest from 26.5.1 to 29.4.1

Release notes

Sourced from ts-jest's releases.

v29.4.1

Please refer to CHANGELOG.md for details.

v29.4.0

Please refer to CHANGELOG.md for details.

v29.3.4

Please refer to CHANGELOG.md for details.

v29.3.3

Please refer to CHANGELOG.md for details.

v29.3.2

Please refer to CHANGELOG.md for details.

v29.3.1

Please refer to CHANGELOG.md for details.

v29.3.0

Please refer to CHANGELOG.md for details.

v29.2.6

Please refer to CHANGELOG.md for details.

v29.2.5

Please refer to CHANGELOG.md for details.

v29.2.4

Please refer to CHANGELOG.md for details.

v29.2.3

Please refer to CHANGELOG.md for details.

v29.2.2

Please refer to CHANGELOG.md for details.

v29.2.1

Please refer to CHANGELOG.md for details.

v29.2.0

Please refer to CHANGELOG.md for details.

v29.1.5

Please refer to CHANGELOG.md for details.

v29.1.4

Please refer to CHANGELOG.md for details.

v29.1.3

Please refer to CHANGELOG.md for details.

... (truncated)

Changelog

Sourced from ts-jest's changelog.

29.4.1 (2025-08-03)

Bug Fixes

  • fix: replace ejs with handlebars due to security issues (899c9b7), closes #4969

29.4.0 (2025-06-11)

Features

29.3.4 (2025-05-16)

Bug Fixes

  • fix: fix TsJestTransformerOptions type (3b11e29), closes #4247
  • fix(cli): fix wrong path for preset creator fns (249eb2c)
  • fix(config): disable rewriteRelativeImportExtensions always (9b1f472), closes #4855

29.3.3 (2025-05-14)

Bug Fixes

  • fix(cli): init config with preset creator functions (cdd3039), closes #4840
  • fix(config): disable isolatedDeclarations (5d6b35f), closes #4847

29.3.2 (2025-04-12)

Bug Fixes

  • fix: transpile js files from node_modules whenever Jest asks (968370e), closes #4637

29.3.1 (2025-03-31)

... (truncated)

Commits
  • 9099745 chore(release): 29.4.1
  • 9f0b9f2 build(deps): Update dependency @types/handlebars to ^4.1.0
  • 322a3c7 ci: add code scanning workflow
  • 899c9b7 fix: replace ejs with handlebars due to security issues
  • 953f239 build(deps): Update dependency memfs to ^4.36.0
  • 8459897 build(deps): Update dependency memfs to ^4.35.0
  • 3c41410 build(deps): Update dependency memfs to ^4.34.0
  • d50ff1e build(deps): Update dependency memfs to ^4.32.0
  • 5984f70 build(deps): Update dependency memfs to ^4.30.1
  • 18b9665 build(deps): Update Jest packages to ^30.0.5
  • Additional commits viewable in compare view

Updates cross-spawn from 6.0.5 to 7.0.6

Changelog

Sourced from cross-spawn's changelog.

7.0.6 (2024-11-18)

Bug Fixes

  • update cross-spawn version to 7.0.5 in package-lock.json (f700743)

7.0.5 (2024-11-07)

Bug Fixes

  • fix escaping bug introduced by backtracking (640d391)

7.0.4 (2024-11-07)

Bug Fixes

7.0.3 (2020-05-25)

Bug Fixes

  • detect path key based on correct environment (#133) (159e7e9)

7.0.2 (2020-04-04)

Bug Fixes

  • fix worker threads in Node >=11.10.0 (#132) (6c5b4f0)

7.0.1 (2019-10-07)

Bug Fixes

7.0.0 (2019-09-03)

⚠ BREAKING CHANGES

  • drop support for Node.js < 8

  • drop support for versions below Node.js 8 (#125) (16feb53)

... (truncated)

Commits
  • 77cd97f chore(release): 7.0.6
  • 6717de4 chore: upgrade standard-version
  • f700743 fix: update cross-spawn version to 7.0.5 in package-lock.json
  • 9a7e3b2 chore: fix build status badge
  • 0852683 chore(release): 7.0.5
  • 640d391 fix: fix escaping bug introduced by backtracking
  • bff0c87 chore: remove codecov
  • a7c6abc chore: replace travis with github workflows
  • 9b9246e chore(release): 7.0.4
  • 5ff3a07 fix: disable regexp backtracking (#160)
  • Additional commits viewable in compare view

Updates ejs from 3.1.6 to 3.1.10

Release notes

Sourced from ejs's releases.

v3.1.10

Version 3.1.10

v3.1.9

Version 3.1.9

v3.1.8

Version 3.1.8

v3.1.7

Version 3.1.7

Commits

Updates elliptic from 6.5.4 to 6.6.1

Commits

Updates @ethersproject/signing-key from 5.0.11 to 5.8.0

Release notes

Sourced from @ethersproject/signing-key's releases.

ethers/v5.8.0 (2025-02-25 19:15) [legacy version]

This is a security update for the legacy Ethers v5 branch, addressing two security fixes.

For those that wish to audit the specific changes in the bundled version between v5.7 and v5.8, see this gist.

Changes

  • Updated to latest elliptic library to fix audit warnings. (f8deaae)
  • Added ENS to Sepolia. (0065547)
  • Bump ws package version to address DoS security concern. (#4791; f345816)
  • Added modern networks, updated third-party backend URLs and added QuickNode. (#3935, #4010; f7c813d)

Embedding UMD with SRI:

<script type="text/javascript"
  integrity="sha384-KpyAXoFibPIUEi79EsnN1EtEWCCrOQ8MtGsa4IrVxeZo514PYarFXujnjyu0DzgC"
  crossorigin="anonymous"
  src="https://cdnjs.cloudflare.com/ajax/libs/ethers/5.8.0/ethers.umd.min.js">
</script>

ethers/v5.7.2 (2022-10-19 04:19)

Embedding UMD with SRI:

<script type="text/javascript"
  integrity="sha384-Htz1SE4Sl5aitpvFgr2j0sfsGUIuSXI6t8hEyrlQ93zflEF3a29bH2AvkUROUw7J"
  crossorigin="anonymous"
  src="https://cdn-cors.ethers.io/lib/ethers-5.7.2.umd.min.js">
</script>

ethers/v5.7.1 (2022-09-13 21:28)

  • Fixed message signing errors that clobbered critical Error properties. (#3356; b14cb0f)
  • Add support for all data URL formats. (#3341; 4c86dc9)
  • Added Sepolia network. (#3325; d083522)

... (truncated)

Changelog

Sourced from @ethersproject/signing-key's changelog.

ethers/v5.8.0 (2025-02-25 19:15)

  • Updated to latest elliptic library to fix audit warnings. (f8deaae)
  • Added ENS to Sepolia. (0065547)
  • Bump ws package version to address DoS security concern. (#4791; f345816)
  • Added modern networks, updated third-party backend URLs and added QuickNode. (#3935, #4010; f7c813d)

ethers/v5.7.2 (2022-10-19 04:19)

ethers/v5.7.1 (2022-09-13 21:28)

  • Fixed message signing errors that clobbered critical Error properties. (#3356; b14cb0f)
  • Add support for all data URL formats. (#3341; 4c86dc9)
  • Added Sepolia network. (#3325; d083522)

ethers/v5.7.0 (2022-08-18 16:17)

  • Update PocketProvider to newer URL format. (#2980; 10d07ca)
  • Add new ENS normalization specification for wider UTF-8 support. (#42, #2376, #2754; 14bf407, fce9aaa, f274104)
  • Added ACTION_REJECTED error for UI-based Signers. (d9897e0)
  • Include current baseFee in feeData for easier custom fee calculation. (8314236)
  • Add restrictions for new UTF-8 specification ENS names. (#42, #2376, #2754; e52fbfb)
  • Expand the definition of a WebSocketLike. (#2843; 00114d7)
  • Expanded type for queryFilter to allow string. (#2882; 60da870)
  • Added finalized and safe blockTags. (#3091; 549168c)
  • Added arbitrum-goerli to Networks and AlchemyProvider. (#3246; e72d13e)
  • Add EIP-712 type exports. (#221; 7ce41cd)
  • Added optimism-goerli to AlchemyProvider. (#3246; f1cb0d2)
  • Updated EtherscanProvider for new CommunityResource API throttling. (6bd13c3)
  • Fix old events from being emitted at the beginning of a filter. (#3069, #3094; ea2d245)
  • Fixed Interface signatures missing strings as eventFragments. (#3157; c004ae5)
  • Fix bug in EIP1193Bridge forwarding to the wrong method. (#3166; 17676e9)
  • Use updated Web3 Secret Storage format for JSON wallets. (#3075; 6f57e8b)
  • Relaxed nameprep length requirement dropping RFC-5891 section 4.2.4. (#3161; abdf2e3)
  • Switch to hash.js for ripemd160 on node as it was removed from the default crypto provider in node 17. (#3082; 450694e)
  • Add optimism-kovan to EtherscanProvider. (#3135; 4d3e586)
  • Forward any blockTag along in the FallbackProvider during call. (#3168; ab43e7d)
  • Allow browser fetch option overrides. (#3096; c309df8)

ethers/v5.6.9 (2022-06-17 14:44)

... (truncated)

Commits
  • 5ff3dc9 admin: updated dist files with update-versions
  • f8deaae Updated to latest elliptic library to fix audit warnings.
  • fa5f647 admin: updated dist files
  • ec1b958 admin: updated dist files
  • a71f518 admin: update dist files
  • a27ef82 Lock versions for BigNumber fix (#3017).
  • fc1e006 admin: update dist files
  • 7b299dd Enforce 32-byte private key length (2926).
  • b8cda5d admin: updated dist files
  • 73a46ef admin: updated dist files
  • Additional commits viewable in compare view

Updates get-func-name from 2.0.0 to 2.0.2

Release notes

Sourced from get-func-name's releases.

v2.0.2

What's Changed

Revert previous changes that shipped this as an ES module.

Full Changelog: https://github.com/chaijs/get-func-name/commits/v2.0.2

v2.0.1

What's Changed

Fix GHSA-4q6p-r6v2-jvc5

Full Changelog: https://github.com/chaijs/get-func-name/commits/v2.0.1

Commits

Maintainer changes

This version was pushed to npm by keithamus, a new releaser for get-func-name since your current version.

Updates semver from 5.7.1 to 6.3.1

Release notes

Sourced from semver's releases.

v6.3.1

6.3.1 (2023-07-10)

Bug Fixes

v5.7.2

5.7.2 (2023-07-10)

Bug Fixes

Changelog

Sourced from semver's changelog.

6.3.1 (2023-07-10)

Bug Fixes

6.2.0

  • Coerce numbers to strings when passed to semver.coerce()
  • Add rtl option to coerce from right to left

6.1.3

  • Handle X-ranges properly in includePrerelease mode

6.1.2

  • Do not throw when testing invalid version strings

6.1.1

  • Add options support for semver.coerce()
  • Handle undefined version passed to Range.test

6.1.0

  • Add semver.compareBuild function
  • Support * in semver.intersects

6.0

  • Fix intersects logic.

    This is technically a bug fix, but since it is also a change to behavior that may require users updating their code, it is marked as a major version increment.

5.7

  • Add minVersion method

5.6

  • Move boolean loose param to an options object, with backwards-compatibility protection.
  • Add ability to opt out of special prerelease version handling with the includePrerelease option flag.

5.5

... (truncated)

Commits

Maintainer changes

This version was pushed to npm by lukekarrys, a new releaser for semver since your current version.

Updates json5 from 2.2.0 to 2.2.3

Release notes

Sourced from json5's releases.

v2.2.3

  • Fix: json5@2.2.3 is now the 'latest' release according to npm instead of v1.0.2. (#299)

v2.2.2

  • Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295).

v2.2.1

Changelog

Sourced from json5's changelog.

v2.2.3 [code, diff]

  • Fix: json5@2.2.3 is now the 'latest' release according to npm instead of v1.0.2. (#299)

v2.2.2 [code, diff]

  • Fix: Properties with the name __proto__ are added to objects and arrays. (#199) This also fixes a prototype pollution vulnerability reported by Jonathan Gregson! (#295).

v2.2.1 [code, diff]

Commits

Bumps the npm_and_yarn group with 14 updates in the /crypto directory:

| Package | From | To |
| --- | --- | --- |
| [@babel/traverse](https://github.com/babel/babel/tree/HEAD/packages/babel-traverse) | `7.13.0` | `7.28.3` |
| [braces](https://github.com/micromatch/braces) | `2.3.2` | `3.0.3` |
| [jest](https://github.com/jestjs/jest/tree/HEAD/packages/jest) | `26.6.3` | `30.1.3` |
| [ts-jest](https://github.com/kulshekhar/ts-jest) | `26.5.1` | `29.4.1` |
| [ejs](https://github.com/mde/ejs) | `3.1.6` | `3.1.10` |
| [elliptic](https://github.com/indutny/elliptic) | `6.5.4` | `6.6.1` |
| [@ethersproject/signing-key](https://github.com/ethers-io/ethers.js/tree/HEAD/packages/signing-key) | `5.0.11` | `5.8.0` |
| [get-func-name](https://github.com/chaijs/get-func-name) | `2.0.0` | `2.0.2` |
| [minimist](https://github.com/minimistjs/minimist) | `1.2.5` | `1.2.8` |
| [qs](https://github.com/ljharb/qs) | `6.5.2` | `6.5.3` |
| [body-parser](https://github.com/expressjs/body-parser) | `1.19.0` | `1.20.3` |
| [express](https://github.com/expressjs/express) | `4.17.1` | `4.21.2` |
| [tough-cookie](https://github.com/salesforce/tough-cookie) | `2.5.0` | `removed` |
| [web3](https://github.com/ChainSafe/web3.js) | `1.3.4` | `4.16.0` |

Bumps the npm_and_yarn group with 2 updates in the / directory: [braces](https://github.com/micromatch/braces) and [lerna](https://github.com/lerna/lerna/tree/HEAD/packages/lerna).

Updates `@babel/traverse` from 7.13.0 to 7.28.3
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.28.3/packages/babel-traverse)

Updates `braces` from 2.3.2 to 3.0.3
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](https://github.com/micromatch/braces/commits/3.0.3)

Updates `jest` from 26.6.3 to 30.1.3
- [Release notes](https://github.com/jestjs/jest/releases)
- [Changelog](https://github.com/jestjs/jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jestjs/jest/commits/v30.1.3/packages/jest)

Updates `ts-jest` from 26.5.1 to 29.4.1
- [Release notes](https://github.com/kulshekhar/ts-jest/releases)
- [Changelog](https://github.com/kulshekhar/ts-jest/blob/main/CHANGELOG.md)
- [Commits](kulshekhar/ts-jest@v26.5.1...v29.4.1)

Updates `cross-spawn` from 6.0.5 to 7.0.6
- [Changelog](https://github.com/moxystudio/node-cross-spawn/blob/master/CHANGELOG.md)
- [Commits](moxystudio/node-cross-spawn@v6.0.5...v7.0.6)

Updates `ejs` from 3.1.6 to 3.1.10
- [Release notes](https://github.com/mde/ejs/releases)
- [Commits](mde/ejs@v3.1.6...v3.1.10)

Updates `elliptic` from 6.5.4 to 6.6.1
- [Commits](indutny/elliptic@v6.5.4...v6.6.1)

Updates `@ethersproject/signing-key` from 5.0.11 to 5.8.0
- [Release notes](https://github.com/ethers-io/ethers.js/releases)
- [Changelog](https://github.com/ethers-io/ethers.js/blob/v5.8.0/CHANGELOG.md)
- [Commits](https://github.com/ethers-io/ethers.js/commits/v5.8.0/packages/signing-key)

Updates `get-func-name` from 2.0.0 to 2.0.2
- [Release notes](https://github.com/chaijs/get-func-name/releases)
- [Commits](https://github.com/chaijs/get-func-name/commits/v2.0.2)

Updates `semver` from 5.7.1 to 6.3.1
- [Release notes](https://github.com/npm/node-semver/releases)
- [Changelog](https://github.com/npm/node-semver/blob/v6.3.1/CHANGELOG.md)
- [Commits](npm/node-semver@v5.7.1...v6.3.1)

Updates `json5` from 2.2.0 to 2.2.3
- [Release notes](https://github.com/json5/json5/releases)
- [Changelog](https://github.com/json5/json5/blob/main/CHANGELOG.md)
- [Commits](json5/json5@v2.2.0...v2.2.3)

Updates `micromatch` from 3.1.10 to 4.0.8
- [Release notes](https://github.com/micromatch/micromatch/releases)
- [Changelog](https://github.com/micromatch/micromatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/micromatch@3.1.10...4.0.8)

Updates `minimist` from 1.2.5 to 1.2.8
- [Changelog](https://github.com/minimistjs/minimist/blob/main/CHANGELOG.md)
- [Commits](minimistjs/minimist@v1.2.5...v1.2.8)

Updates `qs` from 6.5.2 to 6.5.3
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.5.2...v6.5.3)

Updates `body-parser` from 1.19.0 to 1.20.3
- [Release notes](https://github.com/expressjs/body-parser/releases)
- [Changelog](https://github.com/expressjs/body-parser/blob/master/HISTORY.md)
- [Commits](expressjs/body-parser@1.19.0...1.20.3)

Updates `express` from 4.17.1 to 4.21.2
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/4.21.2/History.md)
- [Commits](expressjs/express@4.17.1...4.21.2)

Removes `tough-cookie`

Updates `web3` from 1.3.4 to 4.16.0
- [Release notes](https://github.com/ChainSafe/web3.js/releases)
- [Changelog](https://github.com/web3/web3.js/blob/4.x/CHANGELOG.md)
- [Commits](web3/web3.js@v1.3.4...v4.16.0)

Updates `ws` from 3.3.3 to 8.18.3
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@3.3.3...8.18.3)

Removes `braces`

Updates `lerna` from 3.22.1 to 8.2.3
- [Release notes](https://github.com/lerna/lerna/releases)
- [Changelog](https://github.com/lerna/lerna/blob/main/packages/lerna/CHANGELOG.md)
- [Commits](https://github.com/lerna/lerna/commits/v8.2.3/packages/lerna)

Updates `glob-parent` from 3.1.0 to 5.1.1
- [Release notes](https://github.com/gulpjs/glob-parent/releases)
- [Changelog](https://github.com/gulpjs/glob-parent/blob/main/CHANGELOG.md)
- [Commits](gulpjs/glob-parent@v3.1.0...v5.1.1)

Updates `http-cache-semantics` from 3.8.1 to 4.1.0
- [Commits](kornelski/http-cache-semantics@v3.8.1...v4.1.0)

Updates `@octokit/plugin-paginate-rest` from 1.1.2 to 11.4.4-cjs.2
- [Release notes](https://github.com/octokit/plugin-paginate-rest.js/releases)
- [Commits](octokit/plugin-paginate-rest.js@v1.1.2...v11.4.4-cjs.2)

Updates `@octokit/request` from 5.4.14 to 8.4.1
- [Release notes](https://github.com/octokit/request.js/releases)
- [Commits](octokit/request.js@v5.4.14...v8.4.1)

Updates `@octokit/request-error` from 1.2.1 to 5.1.1
- [Release notes](https://github.com/octokit/request-error.js/releases)
- [Commits](octokit/request-error.js@v1.2.1...v5.1.1)

---
updated-dependencies:
- dependency-name: "@babel/traverse"
  dependency-version: 7.28.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: braces
  dependency-version: 3.0.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: jest
  dependency-version: 30.1.3
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: ts-jest
  dependency-version: 29.4.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: cross-spawn
  dependency-version: 7.0.6
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ejs
  dependency-version: 3.1.10
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: elliptic
  dependency-version: 6.6.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@ethersproject/signing-key"
  dependency-version: 5.8.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: get-func-name
  dependency-version: 2.0.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: semver
  dependency-version: 6.3.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: json5
  dependency-version: 2.2.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: micromatch
  dependency-version: 4.0.8
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: minimist
  dependency-version: 1.2.8
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: qs
  dependency-version: 6.5.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: body-parser
  dependency-version: 1.20.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: express
  dependency-version: 4.21.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tough-cookie
  dependency-version: 
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: web3
  dependency-version: 4.16.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: ws
  dependency-version: 8.18.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: braces
  dependency-version: 
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: lerna
  dependency-version: 8.2.3
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: glob-parent
  dependency-version: 5.1.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: http-cache-semantics
  dependency-version: 4.1.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@octokit/plugin-paginate-rest"
  dependency-version: 11.4.4-cjs.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@octokit/request"
  dependency-version: 8.4.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@octokit/request-error"
  dependency-version: 5.1.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies and javascript labels on Sep 4, 2025

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
| --- | --- | --- | --- | --- | --- | --- |
| Added | jest@30.1.3 | 100 | 100 | 67 | 98 | 100 |
| Updated | web3@1.3.4 ⏵ 4.16.0 | 99 (-1) | 100 (+5) | 100 (+21) | 88 | 70 |
| Updated | lerna@3.22.1 ⏵ 8.2.3 | 93 (-5) | 100 | 82 (+15) | 87 | 100 |
| Added | ts-jest@29.4.1 | 97 | 100 | 93 | 87 | 100 |

View full report

@socket-security

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Block (severity: Medium): @emnapi/core@1.5.0 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: crypto/package-lock.json → npm/jest@30.1.3 → npm/@emnapi/core@1.5.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/core@1.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block (severity: Medium): @inquirer/external-editor@1.0.1 has Shell access.

Module: child_process

Location: Package overview

From: package-lock.json → npm/lerna@8.2.3 → npm/@inquirer/external-editor@1.0.1

ℹ Read more on: This package | This alert | What is shell access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@inquirer/external-editor@1.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block (severity: Medium): @lerna/create@8.2.3 has Network access.

Module: http

Location: Package overview

From: package-lock.json → npm/lerna@8.2.3 → npm/@lerna/create@8.2.3

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@lerna/create@8.2.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block (severity: Medium): @npmcli/agent@2.2.2 has Network access.

Module: net

Location: Package overview

From: package-lock.json → npm/lerna@8.2.3 → npm/@npmcli/agent@2.2.2

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@npmcli/agent@2.2.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
@npmcli/agent@2.2.2 has Network access.

Module: tls

Location: Package overview

From: package-lock.json > npm/lerna@8.2.3 > npm/@npmcli/agent@2.2.2

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@npmcli/agent@2.2.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
@npmcli/agent@2.2.2 has Network access.

Module: dns

Location: Package overview

From: package-lock.json > npm/lerna@8.2.3 > npm/@npmcli/agent@2.2.2

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@npmcli/agent@2.2.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
@npmcli/agent@2.2.2 has Network access.

Module: http-proxy-agent

Location: Package overview

From: package-lock.json > npm/lerna@8.2.3 > npm/@npmcli/agent@2.2.2

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@npmcli/agent@2.2.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
@npmcli/agent@2.2.2 has Network access.

Module: https-proxy-agent

Location: Package overview

From: package-lock.json > npm/lerna@8.2.3 > npm/@npmcli/agent@2.2.2

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@npmcli/agent@2.2.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
@npmcli/arborist@7.5.4 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: package-lock.json > npm/lerna@8.2.3 > npm/@npmcli/arborist@7.5.4

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@npmcli/arborist@7.5.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
@npmcli/promise-spawn@7.0.2 has Shell access.

Module: child_process

Location: Package overview

From: package-lock.json > npm/lerna@8.2.3 > npm/@npmcli/promise-spawn@7.0.2

ℹ Read more on: This package | This alert | What is shell access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid accessing the shell, which can reduce portability and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@npmcli/promise-spawn@7.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
@nx/devkit@20.8.2 has Shell access.

Module: child_process

Location: Package overview

From: package-lock.json > npm/lerna@8.2.3 > npm/@nx/devkit@20.8.2

ℹ Read more on: This package | This alert | What is shell access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid accessing the shell, which can reduce portability and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@nx/devkit@20.8.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
@sigstore/sign@2.3.2 has Network access.

Module: http2

Location: Package overview

From: package-lock.json > npm/lerna@8.2.3 > npm/@sigstore/sign@2.3.2

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sigstore/sign@2.3.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
@tybys/wasm-util@0.10.0 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: crypto/package-lock.json > npm/jest@30.1.3 > npm/@tybys/wasm-util@0.10.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tybys/wasm-util@0.10.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
@tybys/wasm-util@0.9.0 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: package-lock.json > npm/lerna@8.2.3 > npm/@tybys/wasm-util@0.9.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tybys/wasm-util@0.9.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
@unrs/resolver-binding-wasm32-wasi@1.11.1 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: crypto/package-lock.json > npm/jest@30.1.3 > npm/@unrs/resolver-binding-wasm32-wasi@1.11.1

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@unrs/resolver-binding-wasm32-wasi@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
conventional-changelog-core@5.0.1 has Shell access.

Module: child_process

Location: Package overview

From: package-lock.json > npm/lerna@8.2.3 > npm/conventional-changelog-core@5.0.1

ℹ Read more on: This package | This alert | What is shell access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid accessing the shell, which can reduce portability and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/conventional-changelog-core@5.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
cross-fetch@4.1.0 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: crypto/package-lock.json > npm/web3@4.16.0 > npm/cross-fetch@4.1.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/cross-fetch@4.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
foreground-child@3.3.1 has Shell access.

Module: child_process

Location: Package overview

From: crypto/package-lock.json > npm/jest@30.1.3 > npm/foreground-child@3.3.1

ℹ Read more on: This package | This alert | What is shell access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid accessing the shell, which can reduce portability and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/foreground-child@3.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
lerna@8.2.3 has Network access.

Module: http

Location: Package overview

From: package-lock.json > npm/lerna@8.2.3

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lerna@8.2.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
minipass-fetch@3.0.5 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: package-lock.json > npm/lerna@8.2.3 > npm/minipass-fetch@3.0.5

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/minipass-fetch@3.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
minipass-fetch@3.0.5 has Network access.

Module: http

Location: Package overview

From: package-lock.json > npm/lerna@8.2.3 > npm/minipass-fetch@3.0.5

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/minipass-fetch@3.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
minipass-fetch@3.0.5 has Network access.

Module: https

Location: Package overview

From: package-lock.json > npm/lerna@8.2.3 > npm/minipass-fetch@3.0.5

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/minipass-fetch@3.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
napi-postinstall@0.3.3 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: crypto/package-lock.json > npm/jest@30.1.3 > npm/napi-postinstall@0.3.3

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/napi-postinstall@0.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
node-gyp@10.3.1 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: package-lock.json > npm/lerna@8.2.3 > npm/node-gyp@10.3.1

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/node-gyp@10.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
node-machine-id@1.1.12 has Shell access.

Module: child_process

Location: Package overview

From: package-lock.json > npm/lerna@8.2.3 > npm/node-machine-id@1.1.12

ℹ Read more on: This package | This alert | What is shell access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid accessing the shell, which can reduce portability and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/node-machine-id@1.1.12. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
npm-registry-fetch@17.1.0 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: package-lock.json > npm/lerna@8.2.3 > npm/npm-registry-fetch@17.1.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/npm-registry-fetch@17.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

See 37 more rows in the dashboard

View full report

Labels: dependencies, javascript