
Bump the npm_and_yarn group across 2 directories with 24 updates #20

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/npm_and_yarn/npm_and_yarn-5667d55b6a


@dependabot dependabot bot commented on behalf of github Sep 4, 2025

Bumps the npm_and_yarn group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| @octokit/request | 5.4.14 | 8.4.1 |
| lerna | 3.22.1 | 8.2.3 |
| tmp | 0.0.33 | removed |
| @typescript-eslint/eslint-plugin | 2.34.0 | 8.42.0 |
| @typescript-eslint/parser | 2.34.0 | 8.42.0 |
| eslint | 6.8.0 | 9.34.0 |

Bumps the npm_and_yarn group with 10 updates in the /crypto directory:

| Package | From | To |
| --- | --- | --- |
| semver | 5.7.1 | 5.7.2 |
| brace-expansion | 1.1.11 | 1.1.12 |
| braces | 2.3.2 | 3.0.3 |
| jest | 26.6.3 | 30.1.3 |
| ts-jest | 26.5.1 | 29.4.1 |
| form-data | 2.3.3 | removed |
| web3 | 1.3.4 | 4.16.0 |
| minimist | 1.2.5 | 1.2.8 |
| ejs | 3.1.6 | 3.1.10 |
| get-func-name | 2.0.0 | 2.0.2 |

Updates @octokit/request from 5.4.14 to 8.4.1

Release notes

Sourced from @​octokit/request's releases.

v8.4.1

8.4.1 (2025-02-15)

Bug Fixes

v8.4.0

8.4.0 (2024-04-09)

Features

v8.3.1

8.3.1 (2024-04-05)

Bug Fixes

  • upgrade @octokit/endpoint (4e7127c)

v8.3.0

8.3.0 (2024-04-05)

Bug Fixes

Features

v8.2.0

8.2.0 (2024-02-09)

Features

  • add documentation link in error message (#667) (dbfeab2)

v8.1.6

8.1.6 (2023-11-22)

Bug Fixes

... (truncated)

Commits
  • 356411e fix: ReDos regex vulnerability, reported by @​DayShift (#741)
  • abc4955 feat: re-add redirect request option (#636)
  • 4e7127c fix: upgrade @octokit/endpoint
  • 2e67925 feat(security): Add provenance (#685)
  • 6822e8b fix: upgrade @octokit/types
  • dbfeab2 feat: add documentation link in error message (#667)
  • c013de4 docs: fix spelling errors (#671)
  • 3d22c38 chore(deps): update dependency prettier to v3.2.5
  • 984ec17 chore(deps): update dependency esbuild to ^0.20.0
  • 2a9cf78 ci(action): update peter-evans/create-or-update-comment action to v4
  • Additional commits viewable in compare view

Updates lerna from 3.22.1 to 8.2.3

Release notes

Sourced from lerna's releases.

v8.2.3

8.2.3 (2025-06-29)

Bug Fixes

  • use internal fork of unmaintained strong-log-transformer (#4195) (7115485)

v8.2.2

8.2.2 (2025-04-10)

Bug Fixes

  • use searchStrategy: global to fix breaking change behaviour after upgrading cosmiconfig to 9.0.0 (#4159) (6242511)
  • version: disable legacy peer deps behavior by default (#4175) (0cd3241)

v8.2.1

8.2.1 (2025-03-03)

Note: Version bump only for package lerna-monorepo

v8.2.0

8.2.0 (2025-02-19)

Bug Fixes

  • drop strip-ansi in favor of native stripVTControlCharacters (#4095) (9e4ac9c)

Features

  • allow custom working dir for detectProjects (#4148) (08d1d0d)

v8.1.9

8.1.9 (2024-10-31)

Bug Fixes

  • add extends property in schema (#4075) (28c8ef2)
  • core: avoid reading empty .config.json, upgrade cosmiconfig@v9.0.0 (#4062) (960bdd9)
  • update nx support to latest v20 (#4103) (cb37f19)
  • version: enable changing commit message when using amend (#3954) (529e83f)

Features

  • publish: support full file path for --summary-file (#4039) (cfd573a)

... (truncated)

Changelog

Sourced from lerna's changelog.

8.2.3 (2025-06-29)

Bug Fixes

  • use internal fork of unmaintained strong-log-transformer (#4195) (7115485)

8.2.2 (2025-04-10)

Note: Version bump only for package lerna

8.2.1 (2025-03-03)

Note: Version bump only for package lerna

8.2.0 (2025-02-19)

Bug Fixes

  • drop strip-ansi in favor of native stripVTControlCharacters (#4095) (9e4ac9c)

Features

  • allow custom working dir for detectProjects (#4148) (08d1d0d)

8.1.9 (2024-10-31)

Bug Fixes

  • add extends property in schema (#4075) (28c8ef2)
  • core: avoid reading empty .config.json, upgrade cosmiconfig@v9.0.0 (#4062) (960bdd9)
  • update nx support to latest v20 (#4103) (cb37f19)

8.1.8 (2024-08-05)

Bug Fixes

  • publish: upgrade @​npmcli/arborist to 7.5.4 (#4058) (89de0eb)

8.1.7 (2024-07-21)

Bug Fixes

8.1.6 (2024-07-05)

Bug Fixes

... (truncated)

Commits
  • 25331af chore(misc): publish 8.2.3
  • 7115485 fix: use internal fork of unmaintained strong-log-transformer (#4195)
  • bde7882 chore: kill legacy linting setup and migrate from globby to tinyglobby (#4179)
  • 6ea835d chore(misc): publish 8.2.2
  • 95ab1cb chore(misc): publish 8.2.1
  • 770220c chore(deps): bump @​octokit/rest from 19.0.11 to 20.1.2 (#4154)
  • 58cdfec chore(misc): publish 8.2.0
  • 08d1d0d feat: allow custom working dir for detectProjects (#4148)
  • 0dd2cb9 chore: update to latest dependencies (#4151)
  • 9e4ac9c fix: drop strip-ansi in favor of native stripVTControlCharacters (#4095)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by jameshenry, a new releaser for lerna since your current version.


Updates @octokit/request-error from 1.2.1 to 5.1.1

Release notes

Sourced from @​octokit/request-error's releases.

v5.1.1

5.1.1 (2025-02-14)

Bug Fixes

v5.1.0

5.1.0 (2024-04-05)

Bug Fixes

  • upgrade @octokit/types to v13 (3af20bd)

Features

v5.0.1

5.0.1 (2023-09-23)

Bug Fixes

  • deps: update dependency @​octokit/types to v12 (#366) (590fc39)

v5.0.0

5.0.0 (2023-07-07)

Bug Fixes

  • deps: update dependency @​octokit/types to v11 (#348) (372097e)

BREAKING CHANGES

  • deps: upgrade @octokit/types to v11

v4.0.2

4.0.2 (2023-06-16)

Bug Fixes

  • deps: update dependency @​octokit/types to v10 (#343) (28b1958)

... (truncated)

Commits
  • b51ed27 test: ReDos regex vulnerability, reported by @​dayshift
  • 12a14f0 fix: ReDos regex vulnerability, reported by @​dayshift
  • 3af20bd fix: upgrade @octokit/types to v13
  • 94147e8 feat(security): Add provenance (#416)
  • 590fc39 fix(deps): update dependency @​octokit/types to v12 (#366)
  • 4b9c57e ci(action): update peter-evans/create-or-update-comment digest to 46da6c0
  • 710afc3 ci(action): update peter-evans/create-or-update-comment digest to 1f6c514
  • c82c8ce ci(action): update peter-evans/create-or-update-comment digest to 223779b
  • ec24ead ci(action): update peter-evans/create-or-update-comment digest to 46846e5 (#362)
  • 365f18d ci(action): update actions/checkout action to v4
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by octokitbot, a new releaser for @​octokit/request-error since your current version.


Updates glob-parent from 3.1.0 to 5.1.1

Release notes

Sourced from glob-parent's releases.

v5.1.1

Bug Fixes

v5.1.0

Features

  • add flipBackslashes option to disable auto conversion of slashes (closes #24) (#25) (eecf91d)

v5.0.0

⚠ BREAKING CHANGES

  • Drop support for node <6 & bump dependencies

Miscellaneous Chores

  • Drop support for node <6 & bump dependencies (896c0c0)

v4.0.0

⚠ BREAKING CHANGES

  • question marks are valid path characters on Windows so avoid flagging as a glob when alone
  • Update is-glob dependency

Features

  • hoist regexps and strings for performance gains (4a80667)
  • question marks are valid path characters on Windows so avoid flagging as a glob when alone (2a551dd)
  • Update is-glob dependency (e41fcd8)
Changelog

Sourced from glob-parent's changelog.

5.1.1 (2021-01-27)

Bug Fixes

5.1.0 (2021-01-27)

Features

  • add flipBackslashes option to disable auto conversion of slashes (closes #24) (#25) (eecf91d)

5.0.0 (2021-01-27)

⚠ BREAKING CHANGES

  • Drop support for node <6 & bump dependencies

Miscellaneous Chores

  • Drop support for node <6 & bump dependencies (896c0c0)

4.0.0 (2021-01-27)

⚠ BREAKING CHANGES

  • question marks are valid path characters on Windows so avoid flagging as a glob when alone
  • Update is-glob dependency

Features

  • hoist regexps and strings for performance gains (4a80667)
  • question marks are valid path characters on Windows so avoid flagging as a glob when alone (2a551dd)
  • Update is-glob dependency (e41fcd8)
Commits
  • 9b6e874 chore: release 5.1.1
  • 749c35e ci: try wrapping the JOB_ID in a string
  • 5d39def ci: attempt to switch to published coveralls
  • 0b5b37f ci: put the npm step back in for only Windows
  • 473f5d8 ci: update azure build images
  • 4731d2b ci: add npm revert step to azure
  • a98874f fix: unescape exclamation mark (#26)
  • 4aad91d ci: attempt to get flakey ci working
  • 9ff9b4e chore: release 5.1.0
  • eecf91d feat: add flipBackslashes option to disable auto conversion of slashes (clo...
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by phated, a new releaser for glob-parent since your current version.


Updates http-cache-semantics from 3.8.1 to 4.1.0

Commits

Removes tmp

Updates @typescript-eslint/eslint-plugin from 2.34.0 to 8.42.0

Release notes

Sourced from @​typescript-eslint/eslint-plugin's releases.

v8.42.0

8.42.0 (2025-09-02)

🚀 Features

🩹 Fixes

  • deps: update eslint monorepo to v9.33.0 (#11482)
  • typescript-eslint: handle non-normalized windows paths produced by jiti (#11546)

❤️ Thank You

You can read about our versioning strategy and releases on our website.

v8.41.0

8.41.0 (2025-08-25)

🚀 Features

  • tighten tsconfigRootDir validation (#11463)

❤️ Thank You

You can read about our versioning strategy and releases on our website.

v8.40.0

8.40.0 (2025-08-18)

🩹 Fixes

  • typescript-eslint: export plugin, parser, and configs that are compatible with both defineConfig() and tseslint.config() (#11475)
  • typescript-estree: correct range of import assertion with trailing comma (#11478)
  • utils: correct calculateConfigForFile return type (#11451)

❤️ Thank You

You can read about our versioning strategy and releases on our website.

v8.39.1

8.39.1 (2025-08-11)

... (truncated)

Changelog

Sourced from @​typescript-eslint/eslint-plugin's changelog.

8.42.0 (2025-09-02)

🩹 Fixes

  • deps: update eslint monorepo to v9.33.0 (#11482)

You can read about our versioning strategy and releases on our website.

8.41.0 (2025-08-25)

🩹 Fixes

  • deps: update dependency prettier to v3.6.2 (#11496)

You can read about our versioning strategy and releases on our website.

8.40.0 (2025-08-18)

🚀 Features

  • typescript-estree: forbid invalid keys in EnumMember (#11232)

❤️ Thank You

You can read about our versioning strategy and releases on our website.

8.39.1 (2025-08-11)

This was a version bump only for eslint-plugin to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

8.39.0 (2025-08-04)

🚀 Features

  • eslint-plugin: [only-throw-error] support yield/await expressions (#11417)
  • eslint-plugin: add no-unnecessary-type-conversion to strict-type-checked ruleset (#11427)
  • update to TypeScript 5.9.2 (#11445)
  • eslint-plugin: [naming-convention] add enumMember PascalCase default option (#11127)

🩹 Fixes

  • eslint-plugin: [no-unsafe-assignment] add an unsafeObjectPattern message (#11403)
  • eslint-plugin: [prefer-optional-chain] ignore check option for most RHS of a chain (#11272)

❤️ Thank You

... (truncated)

Commits
  • d135909 chore(release): publish 8.42.0
  • 0daf303 chore: use new ESLint rules internally (#11558)
  • ee3efa7 feat(typescript-estree): forbid invalid keys in EnumMember (#11497)
  • 264ca2f fix(deps): update eslint monorepo to v9.33.0 (#11482)
  • 31a7336 chore(release): publish 8.41.0
  • a4526b3 chore: skip failing tests to fix CI (#11505)
  • 03e21eb fix(deps): update dependency prettier to v3.6.2 (#11496)
  • 60c3b26 chore(release): publish 8.40.0
  • 7648622 fix(typescript-estree): revert #11232 (feat(typescript-estree): forbid invali...
  • d50a6b1 feat(typescript-estree): forbid invalid keys in EnumMember (#11232)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​typescript-eslint/eslint-plugin since your current version.


Updates @typescript-eslint/parser from 2.34.0 to 8.42.0

Release notes

Sourced from @​typescript-eslint/parser's releases.

v8.42.0

8.42.0 (2025-09-02)

🚀 Features

🩹 Fixes

  • deps: update eslint monorepo to v9.33.0 (#11482)
  • typescript-eslint: handle non-normalized windows paths produced by jiti (#11546)

❤️ Thank You

You can read about our versioning strategy and releases on our website.

v8.41.0

8.41.0 (2025-08-25)

🚀 Features

  • tighten tsconfigRootDir validation (#11463)

❤️ Thank You

You can read about our versioning strategy and releases on our website.

v8.40.0

8.40.0 (2025-08-18)

🩹 Fixes

  • typescript-eslint: export plugin, parser, and configs that are compatible with both defineConfig() and tseslint.config() (#11475)
  • typescript-estree: correct range of import assertion with trailing comma (#11478)
  • utils: correct calculateConfigForFile return type (#11451)

❤️ Thank You

You can read about our versioning strategy and releases on our website.

v8.39.1

8.39.1 (2025-08-11)

... (truncated)

Changelog

Sourced from @​typescript-eslint/parser's changelog.

8.42.0 (2025-09-02)

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

8.41.0 (2025-08-25)

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

8.40.0 (2025-08-18)

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

8.39.1 (2025-08-11)

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

8.39.0 (2025-08-04)

🚀 Features

  • update to TypeScript 5.9.2 (#11445)

❤️ Thank You

You can read about our versioning strategy and releases on our website.

8.38.0 (2025-07-21)

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

8.37.0 (2025-07-14)

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

8.36.0 (2025-07-07)

... (truncated)

Commits
  • d135909 chore(release): publish 8.42.0
  • 31a7336 chore(release): publish 8.41.0
  • 60c3b26 chore(release): publish 8.40.0
  • b2ee794 chore(release): publish 8.39.1
  • c98d513 chore(release): publish 8.39.0
  • 2112d58 feat: update to TypeScript 5.9.2 (#11445)
  • d11e79e chore(release): publish 8.38.0
  • 816be17 chore(release): publish 8.37.0
  • 84b7a2e chore(release): publish 8.36.0
  • e2ecca6 chore: fix issues introduced by updated nx configuration (#11230)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​typescript-eslint/parser since your current version.


Updates eslint from 6.8.0 to 9.34.0

Release notes

Sourced from eslint's releases.

v9.34.0

Features

  • 0bb777a feat: multithread linting (#19794) (Francesco Trotta)
  • 43a5f9e feat: add eslint-plugin-regexp to eslint-config-eslint base config (#19951) (Pixel998)

Bug Fixes

  • 9b89903 fix: default value of accessor-pairs option in rule.d.ts file (#20024) (Tanuj Kanti)
  • 6c07420 fix: fix spurious failure in neostandard integration test (#20023) (Kirk Waiblinger)
  • 676f4ac fix: allow scientific notation with trailing zeros matching exponent (#20002) (Sweta Tanwar)

Documentation

  • 0b4a590 docs: make rulesdir deprecation clearer (#20018) (Domenico Gemoli)
  • 327c672 docs: Update README (GitHub Actions Bot)
  • bf26229 docs: Fix typo in core-concepts/index.md (#20009) (Tobias Hernstig)
  • 2309327 docs: fix typo in the "Configuring Rules" section (#20001) (ghazi-git)
  • 2b87e21 docs: [no-else-return] clarify sample code. (#19991) (Yuki Takada (Yukinosuke Takada))
  • c36570c docs: Update README (GitHub Actions Bot)

Chores

  • f19ad94 chore: upgrade to @eslint/js@9.34.0 (#20030) (Francesco Trotta)
  • b48fa20 chore: package.json update for @​eslint/js release (Jenkins)
  • 4bce8a2 chore: package.json update for eslint-config-eslint release (Jenkins)
  • 0c9999c refactor: prefer default options in grouped-accessor-pairs (#20028) (루밀LuMir)
  • d503f19 ci: fix stale.yml (#20010) (루밀LuMir)
  • e2dc67d ci: centralize stale.yml (#19994) (루밀LuMir)
  • 7093cb8 ci: bump actions/checkout from 4 to 5 (#20005) (dependabot[bot])

v9.33.0

Features

  • e07820e feat: add global object access detection to no-restricted-globals (#19939) (sethamus)
  • 90b050e feat: support explicit resource management in one-var (#19941) (Sweta Tanwar)

Bug Fixes

  • 732433c fix: allow any type for meta.docs.recommended in custom rules (#19995) (Francesco Trotta)
  • e8a6914 fix: Fixed potential bug in check-emfile-handling.js (#19975) (諏訪原慶斗)

Documentation

  • 34f0723 docs: playground button for TypeScript code example (#19671) (Tanuj Kanti)
  • dc942a4 docs: Update README (GitHub Actions Bot)
  • 5a4b6f7 docs: Update no-multi-assign.md (#19979) (Yuki Takada (Yukinosuke Takada))
  • 247e156 docs: add missing let declarations in no-plusplus (#19980) (Yuki Takada (Yukinosuke Takada))
  • 0d17242 docs: Update README (GitHub Actions Bot)
  • fa20b9d docs: Clarify when to open an issue for a PR (#19974) (Nicholas C. Zakas)

Build Related

  • 27fa865 build: use ESLint class to generate formatter examples (#19972) (Milos Djermanovic)

Chores

  • 4258046 chore: update dependency @​eslint/js to v9.33.0 (#19998) (renovate[bot])
  • ad28371 chore: package.json update for @​eslint/js release (Jenkins)

... (truncated)

Changelog

Sourced from eslint's changelog.

v9.34.0 - August 22, 2025

  • f19ad94 chore: upgrade to @eslint/js@9.34.0 (#20030) (Francesco Trotta)
  • b48fa20 chore: package.json update for @​eslint/js release (Jenkins)
  • 4bce8a2 chore: package.json update for eslint-config-eslint release (Jenkins)
  • 0c9999c refactor: prefer default options in grouped-accessor-pairs (#20028) (루밀LuMir)
  • 0b4a590 docs: make rulesdir deprecation clearer (#20018) (Domenico Gemoli)
  • 9b89903 fix: default value of accessor-pairs option in rule.d.ts file (#20024) (Tanuj Kanti)
  • 6c07420 fix: fix spurious failure in neostandard integration test (#20023) (Kirk Waiblinger)
  • 676f4ac fix: allow scientific notation with trailing zeros matching exponent (#20002) (Sweta Tanwar)
  • 327c672 docs: Update README (GitHub Actions Bot)
  • d503f19 ci: fix stale.yml (#20010) (루밀LuMir)
  • 0bb777a feat: multithread linting (#19794) (Francesco Trotta)
  • bf26229 docs: Fix typo in core-concepts/index.md (#20009) (Tobias Hernstig)
  • 43a5f9e feat: add eslint-plugin-regexp to eslint-config-eslint base config (#19951) (Pixel998)
  • e2dc67d ci: centralize stale.yml (#19994) (루밀LuMir)
  • 7093cb8 ci: bump actions/checkout from 4 to 5 (#20005) (dependabot[bot])
  • 2309327 docs: fix typo in the "Configuring Rules" section (#20001) (ghazi-git)
  • 2b87e21 docs: [no-else-return] clarify sample code. (#19991) (Yuki Takada (Yukinosuke Takada))
  • c36570c docs: Update README (GitHub Actions Bot)

v9.33.0 - August 8, 2025

  • 4258046 chore: update dependency @​eslint/js to v9.33.0 (#19998) (renovate[bot])
  • ad28371 chore: package.json update for @​eslint/js release (Jenkins)
  • 06a22f1 test: resolve flakiness in --mcp flag test (#19993) (Pixel998)
  • 732433c fix: allow any type for meta.docs.recommended in custom rules (#19995) (Francesco Trotta)
  • 34f0723 docs: playground button for TypeScript code example (#19671) (Tanuj Kanti)
  • dc942a4 docs: Update README (GitHub Actions Bot)
  • 5a4b6f7 docs: Update no-multi-assign.md (#19979) (Yuki Takada (Yukinosuke Takada))
  • 247e156 docs: add missing let declarations in no-plusplus (#19980) (Yuki Takada (Yukinosuke Takada))
  • 0d17242 docs: Update README (GitHub Actions Bot)
  • e07820e feat: add global object access detection to no-restricted-globals (#19939) (sethamus)
  • fa20b9d docs: Clarify when to open an issue for a PR (#19974) (Nicholas C. Zakas)
  • 54920ed test: switch to Linter.Config in ESLintRules type tests (

Bumps the npm_and_yarn group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@octokit/request](https://github.com/octokit/request.js) | `5.4.14` | `8.4.1` |
| [lerna](https://github.com/lerna/lerna/tree/HEAD/packages/lerna) | `3.22.1` | `8.2.3` |
| [tmp](https://github.com/raszi/node-tmp) | `0.0.33` | `removed` |
| [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) | `2.34.0` | `8.42.0` |
| [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) | `2.34.0` | `8.42.0` |
| [eslint](https://github.com/eslint/eslint) | `6.8.0` | `9.34.0` |

Bumps the npm_and_yarn group with 10 updates in the /crypto directory:

| Package | From | To |
| --- | --- | --- |
| [semver](https://github.com/npm/node-semver) | `5.7.1` | `5.7.2` |
| [brace-expansion](https://github.com/juliangruber/brace-expansion) | `1.1.11` | `1.1.12` |
| [braces](https://github.com/micromatch/braces) | `2.3.2` | `3.0.3` |
| [jest](https://github.com/jestjs/jest/tree/HEAD/packages/jest) | `26.6.3` | `30.1.3` |
| [ts-jest](https://github.com/kulshekhar/ts-jest) | `26.5.1` | `29.4.1` |
| [form-data](https://github.com/form-data/form-data) | `2.3.3` | `removed` |
| [web3](https://github.com/ChainSafe/web3.js) | `1.3.4` | `4.16.0` |
| [minimist](https://github.com/minimistjs/minimist) | `1.2.5` | `1.2.8` |
| [ejs](https://github.com/mde/ejs) | `3.1.6` | `3.1.10` |
| [get-func-name](https://github.com/chaijs/get-func-name) | `2.0.0` | `2.0.2` |



Updates `@octokit/request` from 5.4.14 to 8.4.1
- [Release notes](https://github.com/octokit/request.js/releases)
- [Commits](octokit/request.js@v5.4.14...v8.4.1)

Updates `lerna` from 3.22.1 to 8.2.3
- [Release notes](https://github.com/lerna/lerna/releases)
- [Changelog](https://github.com/lerna/lerna/blob/main/packages/lerna/CHANGELOG.md)
- [Commits](https://github.com/lerna/lerna/commits/v8.2.3/packages/lerna)

Updates `@octokit/request-error` from 1.2.1 to 5.1.1
- [Release notes](https://github.com/octokit/request-error.js/releases)
- [Commits](octokit/request-error.js@v1.2.1...v5.1.1)

Updates `glob-parent` from 3.1.0 to 5.1.1
- [Release notes](https://github.com/gulpjs/glob-parent/releases)
- [Changelog](https://github.com/gulpjs/glob-parent/blob/main/CHANGELOG.md)
- [Commits](gulpjs/glob-parent@v3.1.0...v5.1.1)

Updates `http-cache-semantics` from 3.8.1 to 4.1.0
- [Commits](kornelski/http-cache-semantics@v3.8.1...v4.1.0)

Removes `tmp`

Updates `@typescript-eslint/eslint-plugin` from 2.34.0 to 8.42.0
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.42.0/packages/eslint-plugin)

Updates `@typescript-eslint/parser` from 2.34.0 to 8.42.0
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.42.0/packages/parser)

Updates `eslint` from 6.8.0 to 9.34.0
- [Release notes](https://github.com/eslint/eslint/releases)
- [Changelog](https://github.com/eslint/eslint/blob/main/CHANGELOG.md)
- [Commits](eslint/eslint@v6.8.0...v9.34.0)

Updates `semver` from 5.7.1 to 5.7.2
- [Release notes](https://github.com/npm/node-semver/releases)
- [Changelog](https://github.com/npm/node-semver/blob/v5.7.2/CHANGELOG.md)
- [Commits](npm/node-semver@v5.7.1...v5.7.2)

Updates `brace-expansion` from 1.1.11 to 1.1.12
- [Release notes](https://github.com/juliangruber/brace-expansion/releases)
- [Commits](juliangruber/brace-expansion@1.1.11...v1.1.12)

Updates `braces` from 2.3.2 to 3.0.3
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](https://github.com/micromatch/braces/commits/3.0.3)

Updates `jest` from 26.6.3 to 30.1.3
- [Release notes](https://github.com/jestjs/jest/releases)
- [Changelog](https://github.com/jestjs/jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jestjs/jest/commits/v30.1.3/packages/jest)

Updates `ts-jest` from 26.5.1 to 29.4.1
- [Release notes](https://github.com/kulshekhar/ts-jest/releases)
- [Changelog](https://github.com/kulshekhar/ts-jest/blob/main/CHANGELOG.md)
- [Commits](kulshekhar/ts-jest@v26.5.1...v29.4.1)

Updates `cross-spawn` from 6.0.5 to 7.0.6
- [Changelog](https://github.com/moxystudio/node-cross-spawn/blob/master/CHANGELOG.md)
- [Commits](moxystudio/node-cross-spawn@v6.0.5...v7.0.6)

Removes `form-data`

Updates `web3` from 1.3.4 to 4.16.0
- [Release notes](https://github.com/ChainSafe/web3.js/releases)
- [Changelog](https://github.com/web3/web3.js/blob/4.x/CHANGELOG.md)
- [Commits](web3/web3.js@v1.3.4...v4.16.0)

Updates `micromatch` from 3.1.10 to 4.0.8
- [Release notes](https://github.com/micromatch/micromatch/releases)
- [Changelog](https://github.com/micromatch/micromatch/blob/master/CHANGELOG.md)
- [Commits](micromatch/micromatch@3.1.10...4.0.8)

Updates `minimist` from 1.2.5 to 1.2.8
- [Changelog](https://github.com/minimistjs/minimist/blob/main/CHANGELOG.md)
- [Commits](minimistjs/minimist@v1.2.5...v1.2.8)

Updates `@babel/helpers` from 7.13.10 to 7.28.3
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.28.3/packages/babel-helpers)

Updates `@babel/traverse` from 7.13.0 to 7.28.3
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.28.3/packages/babel-traverse)

Updates `ws` from 3.3.3 to 8.18.3
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@3.3.3...8.18.3)

Updates `ejs` from 3.1.6 to 3.1.10
- [Release notes](https://github.com/mde/ejs/releases)
- [Commits](mde/ejs@v3.1.6...v3.1.10)

Updates `get-func-name` from 2.0.0 to 2.0.2
- [Release notes](https://github.com/chaijs/get-func-name/releases)
- [Commits](https://github.com/chaijs/get-func-name/commits/v2.0.2)

---
updated-dependencies:
- dependency-name: "@octokit/request"
  dependency-version: 8.4.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: lerna
  dependency-version: 8.2.3
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@octokit/request-error"
  dependency-version: 5.1.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: glob-parent
  dependency-version: 5.1.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: http-cache-semantics
  dependency-version: 4.1.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tmp
  dependency-version: 
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-version: 8.42.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@typescript-eslint/parser"
  dependency-version: 8.42.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: eslint
  dependency-version: 9.34.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: semver
  dependency-version: 5.7.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: brace-expansion
  dependency-version: 1.1.12
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: braces
  dependency-version: 3.0.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: jest
  dependency-version: 30.1.3
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: ts-jest
  dependency-version: 29.4.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: cross-spawn
  dependency-version: 7.0.6
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: form-data
  dependency-version: 
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: web3
  dependency-version: 4.16.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: micromatch
  dependency-version: 4.0.8
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: minimist
  dependency-version: 1.2.8
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@babel/helpers"
  dependency-version: 7.28.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@babel/traverse"
  dependency-version: 7.28.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ws
  dependency-version: 8.18.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ejs
  dependency-version: 3.1.10
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: get-func-name
  dependency-version: 2.0.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the `dependencies` (Pull requests that update a dependency file) and `javascript` (Pull requests that update javascript code) labels Sep 4, 2025
@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
| --- | --- | --- | --- | --- | --- | --- |
| Added | jest@30.1.3 | 100 | 100 | 67 | 98 | 100 |
| Updated | @typescript-eslint/parser@2.34.0 ⏵ 8.42.0 | 100 | 100 | 69 -31 | 97 | 100 |
| Updated | @typescript-eslint/eslint-plugin@2.34.0 ⏵ 8.42.0 | 99 | 100 | 78 -21 | 97 | 100 |
| Updated | web3@1.3.4 ⏵ 4.16.0 | 99 -1 | 100 +5 | 100 +21 | 88 | 70 |
| Updated | lerna@3.22.1 ⏵ 8.2.3 | 93 -5 | 100 | 82 +15 | 87 | 100 |
| Added | ts-jest@29.4.1 | 97 | 100 | 93 | 87 | 100 |
| Updated | typescript@4.1.3 ⏵ 4.9.5 | 100 +1 | 100 | 89 -11 | 100 | 100 +20 |
| Updated | eslint@6.8.0 ⏵ 9.34.0 | 97 +1 | 100 | 100 | 94 +1 | 100 |


@socket-security

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action Severity Alert
Block Medium
@emnapi/core@1.5.0 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: crypto/package-lock.json → npm/jest@30.1.3 → npm/@emnapi/core@1.5.0


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/core@1.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
@inquirer/external-editor@1.0.1 has Shell access.

Module: child_process

Location: Package overview

From: package-lock.json → npm/lerna@8.2.3 → npm/@inquirer/external-editor@1.0.1

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@inquirer/external-editor@1.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
@lerna/create@8.2.3 has Network access.

Module: http

Location: Package overview

From: package-lock.json → npm/lerna@8.2.3 → npm/@lerna/create@8.2.3

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@lerna/create@8.2.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
@npmcli/agent@2.2.2 has Network access.

Module: net

Location: Package overview

From: package-lock.json → npm/lerna@8.2.3 → npm/@npmcli/agent@2.2.2

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@npmcli/agent@2.2.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
@npmcli/agent@2.2.2 has Network access.

Module: tls

Location: Package overview

From: package-lock.json → npm/lerna@8.2.3 → npm/@npmcli/agent@2.2.2

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@npmcli/agent@2.2.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
@npmcli/agent@2.2.2 has Network access.

Module: dns

Location: Package overview

From: package-lock.json → npm/lerna@8.2.3 → npm/@npmcli/agent@2.2.2

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@npmcli/agent@2.2.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
@npmcli/agent@2.2.2 has Network access.

Module: http-proxy-agent

Location: Package overview

From: package-lock.json → npm/lerna@8.2.3 → npm/@npmcli/agent@2.2.2

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@npmcli/agent@2.2.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
@npmcli/agent@2.2.2 has Network access.

Module: https-proxy-agent

Location: Package overview

From: package-lock.json → npm/lerna@8.2.3 → npm/@npmcli/agent@2.2.2

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@npmcli/agent@2.2.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
@npmcli/arborist@7.5.4 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: package-lock.json → npm/lerna@8.2.3 → npm/@npmcli/arborist@7.5.4

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@npmcli/arborist@7.5.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
@npmcli/promise-spawn@7.0.2 has Shell access.

Module: child_process

Location: Package overview

From: package-lock.json → npm/lerna@8.2.3 → npm/@npmcli/promise-spawn@7.0.2

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@npmcli/promise-spawn@7.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
@nx/devkit@20.8.2 has Shell access.

Module: child_process

Location: Package overview

From: package-lock.json → npm/lerna@8.2.3 → npm/@nx/devkit@20.8.2

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@nx/devkit@20.8.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
@sigstore/sign@2.3.2 has Network access.

Module: http2

Location: Package overview

From: package-lock.json → npm/lerna@8.2.3 → npm/@sigstore/sign@2.3.2

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sigstore/sign@2.3.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
@tybys/wasm-util@0.10.0 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: crypto/package-lock.json → npm/jest@30.1.3 → npm/@tybys/wasm-util@0.10.0

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tybys/wasm-util@0.10.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
@tybys/wasm-util@0.9.0 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: package-lock.json → npm/lerna@8.2.3 → npm/@tybys/wasm-util@0.9.0

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tybys/wasm-util@0.9.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
@unrs/resolver-binding-wasm32-wasi@1.11.1 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: crypto/package-lock.json → npm/jest@30.1.3 → npm/@unrs/resolver-binding-wasm32-wasi@1.11.1

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@unrs/resolver-binding-wasm32-wasi@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
conventional-changelog-core@5.0.1 has Shell access.

Module: child_process

Location: Package overview

From: package-lock.json → npm/lerna@8.2.3 → npm/conventional-changelog-core@5.0.1

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/conventional-changelog-core@5.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
cross-fetch@4.1.0 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: crypto/package-lock.json → npm/web3@4.16.0 → npm/cross-fetch@4.1.0

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/cross-fetch@4.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
foreground-child@3.3.1 has Shell access.

Module: child_process

Location: Package overview

From: crypto/package-lock.json → npm/jest@30.1.3 → npm/foreground-child@3.3.1

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/foreground-child@3.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
lerna@8.2.3 has Network access.

Module: http

Location: Package overview

From: package-lock.json → npm/lerna@8.2.3

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lerna@8.2.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
minipass-fetch@3.0.5 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: package-lock.json → npm/lerna@8.2.3 → npm/minipass-fetch@3.0.5

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/minipass-fetch@3.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
minipass-fetch@3.0.5 has Network access.

Module: http

Location: Package overview

From: package-lock.json → npm/lerna@8.2.3 → npm/minipass-fetch@3.0.5

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/minipass-fetch@3.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
minipass-fetch@3.0.5 has Network access.

Module: https

Location: Package overview

From: package-lock.json → npm/lerna@8.2.3 → npm/minipass-fetch@3.0.5

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/minipass-fetch@3.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
napi-postinstall@0.3.3 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: crypto/package-lock.json → npm/jest@30.1.3 → npm/napi-postinstall@0.3.3

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/napi-postinstall@0.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
node-gyp@10.3.1 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: package-lock.json → npm/lerna@8.2.3 → npm/node-gyp@10.3.1

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/node-gyp@10.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
node-machine-id@1.1.12 has Shell access.

Module: child_process

Location: Package overview

From: package-lock.json → npm/lerna@8.2.3 → npm/node-machine-id@1.1.12

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/node-machine-id@1.1.12. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
npm-registry-fetch@17.1.0 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: package-lock.json → npm/lerna@8.2.3 → npm/npm-registry-fetch@17.1.0

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/npm-registry-fetch@17.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

See 37 more rows in the dashboard

Labels

dependencies: Pull requests that update a dependency file
javascript: Pull requests that update javascript code