Bump the npm_and_yarn group across 2 directories with 24 updates

[dependabot]

Bumps the npm_and_yarn group with 6 updates in the / directory:

Package	From	To
@octokit/request	5.4.14	8.4.1
lerna	3.22.1	8.2.3
tmp	0.0.33	removed
@typescript-eslint/eslint-plugin	2.34.0	8.42.0
@typescript-eslint/parser	2.34.0	8.42.0
eslint	6.8.0	9.34.0

Bumps the npm_and_yarn group with 10 updates in the /crypto directory:

Package	From	To
semver	5.7.1	5.7.2
brace-expansion	1.1.11	1.1.12
braces	2.3.2	3.0.3
jest	26.6.3	30.1.3
ts-jest	26.5.1	29.4.1
form-data	2.3.3	removed
web3	1.3.4	4.16.0
minimist	1.2.5	1.2.8
ejs	3.1.6	3.1.10
get-func-name	2.0.0	2.0.2

Updates @octokit/request from 5.4.14 to 8.4.1

Release notes

Sourced from @​octokit/request's releases.

v8.4.1

8.4.1 (2025-02-15)

Bug Fixes

• ReDos regex vulnerability, reported by @​DayShift (#741) (356411e)

v8.4.0

8.4.0 (2024-04-09)

Features

• re-add redirect request option (#636) (abc4955), closes #599

v8.3.1

8.3.1 (2024-04-05)

Bug Fixes

• upgrade @octokit/endpoint (4e7127c)

v8.3.0

8.3.0 (2024-04-05)

Bug Fixes

• upgrade @octokit/types (6822e8b)

Features

• security: Add provenance (#685) (2e67925)

v8.2.0

8.2.0 (2024-02-09)

Features

• add documentation link in error message (#667) (dbfeab2)

v8.1.6

8.1.6 (2023-11-22)

Bug Fixes

... (truncated)

Commits

• 356411e fix: ReDos regex vulnerability, reported by @​DayShift (#741)
• abc4955 feat: re-add redirect request option (#636)
• 4e7127c fix: upgrade @octokit/endpoint
• 2e67925 feat(security): Add provenance (#685)
• 6822e8b fix: upgrade @octokit/types
• dbfeab2 feat: add documentation link in error message (#667)
• c013de4 docs: fix spelling errors (#671)
• 3d22c38 chore(deps): update dependency prettier to v3.2.5
• 984ec17 chore(deps): update dependency esbuild to ^0.20.0
• 2a9cf78 ci(action): update peter-evans/create-or-update-comment action to v4
• Additional commits viewable in compare view

Updates lerna from 3.22.1 to 8.2.3

Release notes

Sourced from lerna's releases.

v8.2.3

8.2.3 (2025-06-29)

Bug Fixes

• use internal fork of unmaintained strong-log-transformer (#4195) (7115485)

v8.2.2

8.2.2 (2025-04-10)

Bug Fixes

• use searchStrategy: global to fix breaking change behaviour after upgrading cosmiconfig to 9.0.0 (#4159) (6242511)
• version: disable legacy peer deps behavior by default (#4175) (0cd3241)

v8.2.1

8.2.1 (2025-03-03)

Note: Version bump only for package lerna-monorepo

v8.2.0

8.2.0 (2025-02-19)

Bug Fixes

• drop strip-ansi in favor of native stripVTControlCharacters (#4095) (9e4ac9c)

Features

• allow custom working dir for detectProjects (#4148) (08d1d0d)

v8.1.9

8.1.9 (2024-10-31)

Bug Fixes

• add extends property in schema (#4075) (28c8ef2)
• core: avoid reading empty .config.json, upgrade cosmiconfig@v9.0.0 (#4062) (960bdd9)
• update nx support to latest v20 (#4103) (cb37f19)
• version: enable changing commit message when using amend (#3954) (529e83f)

Features

• publish: support full file path for --summary-file (#4039) (cfd573a)

... (truncated)

Changelog

Sourced from lerna's changelog.

8.2.3 (2025-06-29)

Bug Fixes

• use internal fork of unmaintained strong-log-transformer (#4195) (7115485)

8.2.2 (2025-04-10)

Note: Version bump only for package lerna

8.2.1 (2025-03-03)

Note: Version bump only for package lerna

8.2.0 (2025-02-19)

Bug Fixes

• drop strip-ansi in favor of native stripVTControlCharacters (#4095) (9e4ac9c)

Features

• allow custom working dir for detectProjects (#4148) (08d1d0d)

8.1.9 (2024-10-31)

Bug Fixes

• add extends property in schema (#4075) (28c8ef2)
• core: avoid reading empty .config.json, upgrade cosmiconfig@v9.0.0 (#4062) (960bdd9)
• update nx support to latest v20 (#4103) (cb37f19)

8.1.8 (2024-08-05)

Bug Fixes

• publish: upgrade @​npmcli/arborist to 7.5.4 (#4058) (89de0eb)

8.1.7 (2024-07-21)

Bug Fixes

• set explicit strip-ansi dependency (#4045) (6e5cfbc)

8.1.6 (2024-07-05)

Bug Fixes

• set explicit string-width dependency (#4038) (5f3603a)

... (truncated)

Commits

• 25331af chore(misc): publish 8.2.3
• 7115485 fix: use internal fork of unmaintained strong-log-transformer (#4195)
• bde7882 chore: kill legacy linting setup and migrate from globby to tinyglobby (#4179)
• 6ea835d chore(misc): publish 8.2.2
• 95ab1cb chore(misc): publish 8.2.1
• 770220c chore(deps): bump @​octokit/rest from 19.0.11 to 20.1.2 (#4154)
• 58cdfec chore(misc): publish 8.2.0
• 08d1d0d feat: allow custom working dir for detectProjects (#4148)
• 0dd2cb9 chore: update to latest dependencies (#4151)
• 9e4ac9c fix: drop strip-ansi in favor of native stripVTControlCharacters (#4095)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jameshenry, a new releaser for lerna since your current version.

Updates @octokit/request-error from 1.2.1 to 5.1.1

Release notes

Sourced from @​octokit/request-error's releases.

v5.1.1

5.1.1 (2025-02-14)

Bug Fixes

• ReDos regex vulnerability, reported by @​dayshift (12a14f0)

v5.1.0

5.1.0 (2024-04-05)

Bug Fixes

• upgrade @octokit/types to v13 (3af20bd)

Features

• security: Add provenance (#416) (94147e8)

v5.0.1

5.0.1 (2023-09-23)

Bug Fixes

• deps: update dependency @​octokit/types to v12 (#366) (590fc39)

v5.0.0

5.0.0 (2023-07-07)

Bug Fixes

• deps: update dependency @​octokit/types to v11 (#348) (372097e)

BREAKING CHANGES

• deps: upgrade @octokit/types to v11

v4.0.2

4.0.2 (2023-06-16)

Bug Fixes

• deps: update dependency @​octokit/types to v10 (#343) (28b1958)

... (truncated)

Commits

• b51ed27 test: ReDos regex vulnerability, reported by @​dayshift
• 12a14f0 fix: ReDos regex vulnerability, reported by @​dayshift
• 3af20bd fix: upgrade @octokit/types to v13
• 94147e8 feat(security): Add provenance (#416)
• 590fc39 fix(deps): update dependency @​octokit/types to v12 (#366)
• 4b9c57e ci(action): update peter-evans/create-or-update-comment digest to 46da6c0
• 710afc3 ci(action): update peter-evans/create-or-update-comment digest to 1f6c514
• c82c8ce ci(action): update peter-evans/create-or-update-comment digest to 223779b
• ec24ead ci(action): update peter-evans/create-or-update-comment digest to 46846e5 (#362)
• 365f18d ci(action): update actions/checkout action to v4
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by octokitbot, a new releaser for @​octokit/request-error since your current version.

Updates glob-parent from 3.1.0 to 5.1.1

Release notes

Sourced from glob-parent's releases.

v5.1.1

Bug Fixes

• unescape exclamation mark (#26) (a98874f)

v5.1.0

Features

• add flipBackslashes option to disable auto conversion of slashes (closes #24) (#25) (eecf91d)

v5.0.0

⚠ BREAKING CHANGES

• Drop support for node <6 & bump dependencies

Miscellaneous Chores

• Drop support for node <6 & bump dependencies (896c0c0)

v4.0.0

⚠ BREAKING CHANGES

• question marks are valid path characters on Windows so avoid flagging as a glob when alone
• Update is-glob dependency

Features

• hoist regexps and strings for performance gains (4a80667)
• question marks are valid path characters on Windows so avoid flagging as a glob when alone (2a551dd)
• Update is-glob dependency (e41fcd8)

Changelog

Sourced from glob-parent's changelog.

5.1.1 (2021-01-27)

Bug Fixes

• unescape exclamation mark (#26) (a98874f)

5.1.0 (2021-01-27)

Features

• add flipBackslashes option to disable auto conversion of slashes (closes #24) (#25) (eecf91d)

5.0.0 (2021-01-27)

⚠ BREAKING CHANGES

• Drop support for node <6 & bump dependencies

Miscellaneous Chores

• Drop support for node <6 & bump dependencies (896c0c0)

4.0.0 (2021-01-27)

⚠ BREAKING CHANGES

• question marks are valid path characters on Windows so avoid flagging as a glob when alone
• Update is-glob dependency

Features

• hoist regexps and strings for performance gains (4a80667)
• question marks are valid path characters on Windows so avoid flagging as a glob when alone (2a551dd)
• Update is-glob dependency (e41fcd8)

Commits

• 9b6e874 chore: release 5.1.1
• 749c35e ci: try wrapping the JOB_ID in a string
• 5d39def ci: attempt to switch to published coveralls
• 0b5b37f ci: put the npm step back in for only Windows
• 473f5d8 ci: update azure build images
• 4731d2b ci: add npm revert step to azure
• a98874f fix: unescape exclamation mark (#26)
• 4aad91d ci: attempt to get flakey ci working
• 9ff9b4e chore: release 5.1.0
• eecf91d feat: add flipBackslashes option to disable auto conversion of slashes (clo...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by phated, a new releaser for glob-parent since your current version.

Updates http-cache-semantics from 3.8.1 to 4.1.0

Commits

• ed83aec Explain trust server date
• 1b35980 rfc 5861 (stale-if-error, stale-while-revalidate)
• 2c2fac2 Drop trustServerDate
• eb7028f Test names
• 84cc9a8 Bump
• ae5ecd5 Add status to tests
• 385b5d3 Minor storable bug
• 8ff37cb Fix test
• 1988c3f Rename var
• 7160146 Merge pull request #24 from non-binary/nb/fix-validators-typo
• Additional commits viewable in compare view

Removes tmp

Updates @typescript-eslint/eslint-plugin from 2.34.0 to 8.42.0

Release notes

Sourced from @​typescript-eslint/eslint-plugin's releases.

v8.42.0

8.42.0 (2025-09-02)

🚀 Features

• deprecate tseslint.config() (#11531) -- see https://typescript-eslint.io/packages/typescript-eslint#migrating-to-defineconfig

🩹 Fixes

• deps: update eslint monorepo to v9.33.0 (#11482)
• typescript-eslint: handle non-normalized windows paths produced by jiti (#11546)

❤️ Thank You

• Kirk Waiblinger @​kirkwaiblinger

You can read about our versioning strategy and releases on our website.

v8.41.0

8.41.0 (2025-08-25)

🚀 Features

• tighten tsconfigRootDir validation (#11463)

❤️ Thank You

• Kirk Waiblinger @​kirkwaiblinger

You can read about our versioning strategy and releases on our website.

v8.40.0

8.40.0 (2025-08-18)

🩹 Fixes

• typescript-eslint: export plugin, parser, and configs that are compatible with both defineConfig() and tseslint.config() (#11475)
• typescript-estree: correct range of import assertion with trailing comma (#11478)
• utils: correct calculateConfigForFile return type (#11451)

❤️ Thank You

• Kirk Waiblinger @​kirkwaiblinger
• Nolan Gajdascz @​Gajdascz

You can read about our versioning strategy and releases on our website.

v8.39.1

8.39.1 (2025-08-11)

... (truncated)

Changelog

Sourced from @​typescript-eslint/eslint-plugin's changelog.

8.42.0 (2025-09-02)

🩹 Fixes

• deps: update eslint monorepo to v9.33.0 (#11482)

You can read about our versioning strategy and releases on our website.

8.41.0 (2025-08-25)

🩹 Fixes

• deps: update dependency prettier to v3.6.2 (#11496)

You can read about our versioning strategy and releases on our website.

8.40.0 (2025-08-18)

🚀 Features

• typescript-estree: forbid invalid keys in EnumMember (#11232)

❤️ Thank You

• fisker Cheung @​fisker

You can read about our versioning strategy and releases on our website.

8.39.1 (2025-08-11)

This was a version bump only for eslint-plugin to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

8.39.0 (2025-08-04)

🚀 Features

• eslint-plugin: [only-throw-error] support yield/await expressions (#11417)
• eslint-plugin: add no-unnecessary-type-conversion to strict-type-checked ruleset (#11427)
• update to TypeScript 5.9.2 (#11445)
• eslint-plugin: [naming-convention] add enumMember PascalCase default option (#11127)

🩹 Fixes

• eslint-plugin: [no-unsafe-assignment] add an unsafeObjectPattern message (#11403)
• eslint-plugin: [prefer-optional-chain] ignore check option for most RHS of a chain (#11272)

❤️ Thank You

... (truncated)

Commits

• d135909 chore(release): publish 8.42.0
• 0daf303 chore: use new ESLint rules internally (#11558)
• ee3efa7 feat(typescript-estree): forbid invalid keys in EnumMember (#11497)
• 264ca2f fix(deps): update eslint monorepo to v9.33.0 (#11482)
• 31a7336 chore(release): publish 8.41.0
• a4526b3 chore: skip failing tests to fix CI (#11505)
• 03e21eb fix(deps): update dependency prettier to v3.6.2 (#11496)
• 60c3b26 chore(release): publish 8.40.0
• 7648622 fix(typescript-estree): revert #11232 (feat(typescript-estree): forbid invali...
• d50a6b1 feat(typescript-estree): forbid invalid keys in EnumMember (#11232)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​typescript-eslint/eslint-plugin since your current version.

Updates @typescript-eslint/parser from 2.34.0 to 8.42.0

Release notes

Sourced from @​typescript-eslint/parser's releases.

v8.42.0

8.42.0 (2025-09-02)

🚀 Features

• deprecate tseslint.config() (#11531) -- see https://typescript-eslint.io/packages/typescript-eslint#migrating-to-defineconfig

🩹 Fixes

• deps: update eslint monorepo to v9.33.0 (#11482)
• typescript-eslint: handle non-normalized windows paths produced by jiti (#11546)

❤️ Thank You

• Kirk Waiblinger @​kirkwaiblinger

You can read about our versioning strategy and releases on our website.

v8.41.0

8.41.0 (2025-08-25)

🚀 Features

• tighten tsconfigRootDir validation (#11463)

❤️ Thank You

• Kirk Waiblinger @​kirkwaiblinger

You can read about our versioning strategy and releases on our website.

v8.40.0

8.40.0 (2025-08-18)

🩹 Fixes

• typescript-eslint: export plugin, parser, and configs that are compatible with both defineConfig() and tseslint.config() (#11475)
• typescript-estree: correct range of import assertion with trailing comma (#11478)
• utils: correct calculateConfigForFile return type (#11451)

❤️ Thank You

• Kirk Waiblinger @​kirkwaiblinger
• Nolan Gajdascz @​Gajdascz

You can read about our versioning strategy and releases on our website.

v8.39.1

8.39.1 (2025-08-11)

... (truncated)

Changelog

Sourced from @​typescript-eslint/parser's changelog.

8.42.0 (2025-09-02)

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

8.41.0 (2025-08-25)

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

8.40.0 (2025-08-18)

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

8.39.1 (2025-08-11)

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

8.39.0 (2025-08-04)

🚀 Features

• update to TypeScript 5.9.2 (#11445)

❤️ Thank You

• Brad Zacher @​bradzacher

You can read about our versioning strategy and releases on our website.

8.38.0 (2025-07-21)

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

8.37.0 (2025-07-14)

This was a version bump only for parser to align it with other projects, there were no code changes.

You can read about our versioning strategy and releases on our website.

8.36.0 (2025-07-07)

... (truncated)

Commits

• d135909 chore(release): publish 8.42.0
• 31a7336 chore(release): publish 8.41.0
• 60c3b26 chore(release): publish 8.40.0
• b2ee794 chore(release): publish 8.39.1
• c98d513 chore(release): publish 8.39.0
• 2112d58 feat: update to TypeScript 5.9.2 (#11445)
• d11e79e chore(release): publish 8.38.0
• 816be17 chore(release): publish 8.37.0
• 84b7a2e chore(release): publish 8.36.0
• e2ecca6 chore: fix issues introduced by updated nx configuration (#11230)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​typescript-eslint/parser since your current version.

Updates eslint from 6.8.0 to 9.34.0

Release notes

Sourced from eslint's releases.

v9.34.0

Features

• 0bb777a feat: multithread linting (#19794) (Francesco Trotta)
• 43a5f9e feat: add eslint-plugin-regexp to eslint-config-eslint base config (#19951) (Pixel998)

Bug Fixes

• 9b89903 fix: default value of accessor-pairs option in rule.d.ts file (#20024) (Tanuj Kanti)
• 6c07420 fix: fix spurious failure in neostandard integration test (#20023) (Kirk Waiblinger)
• 676f4ac fix: allow scientific notation with trailing zeros matching exponent (#20002) (Sweta Tanwar)

Documentation

• 0b4a590 docs: make rulesdir deprecation clearer (#20018) (Domenico Gemoli)
• 327c672 docs: Update README (GitHub Actions Bot)
• bf26229 docs: Fix typo in core-concepts/index.md (#20009) (Tobias Hernstig)
• 2309327 docs: fix typo in the "Configuring Rules" section (#20001) (ghazi-git)
• 2b87e21 docs: [no-else-return] clarify sample code. (#19991) (Yuki Takada (Yukinosuke Takada))
• c36570c docs: Update README (GitHub Actions Bot)

Chores

• f19ad94 chore: upgrade to @eslint/js@9.34.0 (#20030) (Francesco Trotta)
• b48fa20 chore: package.json update for @​eslint/js release (Jenkins)
• 4bce8a2 chore: package.json update for eslint-config-eslint release (Jenkins)
• 0c9999c refactor: prefer default options in grouped-accessor-pairs (#20028) (루밀LuMir)
• d503f19 ci: fix stale.yml (#20010) (루밀LuMir)
• e2dc67d ci: centralize stale.yml (#19994) (루밀LuMir)
• 7093cb8 ci: bump actions/checkout from 4 to 5 (#20005) (dependabot[bot])

v9.33.0

Features

• e07820e feat: add global object access detection to no-restricted-globals (#19939) (sethamus)
• 90b050e feat: support explicit resource management in one-var (#19941) (Sweta Tanwar)

Bug Fixes

• 732433c fix: allow any type for meta.docs.recommended in custom rules (#19995) (Francesco Trotta)
• e8a6914 fix: Fixed potential bug in check-emfile-handling.js (#19975) (諏訪原慶斗)

Documentation

• 34f0723 docs: playground button for TypeScript code example (#19671) (Tanuj Kanti)
• dc942a4 docs: Update README (GitHub Actions Bot)
• 5a4b6f7 docs: Update no-multi-assign.md (#19979) (Yuki Takada (Yukinosuke Takada))
• 247e156 docs: add missing let declarations in no-plusplus (#19980) (Yuki Takada (Yukinosuke Takada))
• 0d17242 docs: Update README (GitHub Actions Bot)
• fa20b9d docs: Clarify when to open an issue for a PR (#19974) (Nicholas C. Zakas)

Build Related

• 27fa865 build: use ESLint class to generate formatter examples (#19972) (Milos Djermanovic)

Chores

• 4258046 chore: update dependency @​eslint/js to v9.33.0 (#19998) (renovate[bot])
• ad28371 chore: package.json update for @​eslint/js release (Jenkins)

... (truncated)

Changelog

Sourced from eslint's changelog.

v9.34.0 - August 22, 2025

• f19ad94 chore: upgrade to @eslint/js@9.34.0 (#20030) (Francesco Trotta)
• b48fa20 chore: package.json update for @​eslint/js release (Jenkins)
• 4bce8a2 chore: package.json update for eslint-config-eslint release (Jenkins)
• 0c9999c refactor: prefer default options in grouped-accessor-pairs (#20028) (루밀LuMir)
• 0b4a590 docs: make rulesdir deprecation clearer (#20018) (Domenico Gemoli)
• 9b89903 fix: default value of accessor-pairs option in rule.d.ts file (#20024) (Tanuj Kanti)
• 6c07420 fix: fix spurious failure in neostandard integration test (#20023) (Kirk Waiblinger)
• 676f4ac fix: allow scientific notation with trailing zeros matching exponent (#20002) (Sweta Tanwar)
• 327c672 docs: Update README (GitHub Actions Bot)
• d503f19 ci: fix stale.yml (#20010) (루밀LuMir)
• 0bb777a feat: multithread linting (#19794) (Francesco Trotta)
• bf26229 docs: Fix typo in core-concepts/index.md (#20009) (Tobias Hernstig)
• 43a5f9e feat: add eslint-plugin-regexp to eslint-config-eslint base config (#19951) (Pixel998)
• e2dc67d ci: centralize stale.yml (#19994) (루밀LuMir)
• 7093cb8 ci: bump actions/checkout from 4 to 5 (#20005) (dependabot[bot])
• 2309327 docs: fix typo in the "Configuring Rules" section (#20001) (ghazi-git)
• 2b87e21 docs: [no-else-return] clarify sample code. (#19991) (Yuki Takada (Yukinosuke Takada))
• c36570c docs: Update README (GitHub Actions Bot)

v9.33.0 - August 8, 2025

• 4258046 chore: update dependency @​eslint/js to v9.33.0 (#19998) (renovate[bot])
• ad28371 chore: package.json update for @​eslint/js release (Jenkins)
• 06a22f1 test: resolve flakiness in --mcp flag test (#19993) (Pixel998)
• 732433c fix: allow any type for meta.docs.recommended in custom rules (#19995) (Francesco Trotta)
• 34f0723 docs: playground button for TypeScript code example (#19671) (Tanuj Kanti)
• dc942a4 docs: Update README (GitHub Actions Bot)
• 5a4b6f7 docs: Update no-multi-assign.md (#19979) (Yuki Takada (Yukinosuke Takada))
• 247e156 docs: add missing let declarations in no-plusplus (#19980) (Yuki Takada (Yukinosuke Takada))
• 0d17242 docs: Update README (GitHub Actions Bot)
• e07820e feat: add global object access detection to no-restricted-globals (#19939) (sethamus)
• fa20b9d docs: Clarify when to open an issue for a PR (#19974) (Nicholas C. Zakas)
• 54920ed test: switch to Linter.Config in ESLintRules type tests (

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	jest@​30.1.3
	@​typescript-eslint/​parser@​2.34.0 ⏵ 8.42.0			-31
	@​typescript-eslint/​eslint-plugin@​2.34.0 ⏵ 8.42.0			-21
	web3@​1.3.4 ⏵ 4.16.0	-1	+5	+21
	lerna@​3.22.1 ⏵ 8.2.3	-5		+15
	ts-jest@​29.4.1
	typescript@​4.1.3 ⏵ 4.9.5	+1		-11		+20
	eslint@​6.8.0 ⏵ 9.34.0	+1			+1

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		@emnapi/core@1.5.0 has Network access. Module: globalThis["fetch"] Location: Package overview From: crypto/package-lock.json → npm/jest@30.1.3 → npm/@emnapi/core@1.5.0 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/core@1.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		@inquirer/external-editor@1.0.1 has Shell access. Module: child_process Location: Package overview From: package-lock.json → npm/lerna@8.2.3 → npm/@inquirer/external-editor@1.0.1 ℹ Read more on: This package | This alert | What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@inquirer/external-editor@1.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		@lerna/create@8.2.3 has Network access. Module: http Location: Package overview From: package-lock.json → npm/lerna@8.2.3 → npm/@lerna/create@8.2.3 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@lerna/create@8.2.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		@npmcli/agent@2.2.2 has Network access. Module: net Location: Package overview From: package-lock.json → npm/lerna@8.2.3 → npm/@npmcli/agent@2.2.2 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@npmcli/agent@2.2.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		@npmcli/agent@2.2.2 has Network access. Module: tls Location: Package overview From: package-lock.json → npm/lerna@8.2.3 → npm/@npmcli/agent@2.2.2 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@npmcli/agent@2.2.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		@npmcli/agent@2.2.2 has Network access. Module: dns Location: Package overview From: package-lock.json → npm/lerna@8.2.3 → npm/@npmcli/agent@2.2.2 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@npmcli/agent@2.2.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		@npmcli/agent@2.2.2 has Network access. Module: http-proxy-agent Location: Package overview From: package-lock.json → npm/lerna@8.2.3 → npm/@npmcli/agent@2.2.2 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@npmcli/agent@2.2.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		@npmcli/agent@2.2.2 has Network access. Module: https-proxy-agent Location: Package overview From: package-lock.json → npm/lerna@8.2.3 → npm/@npmcli/agent@2.2.2 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@npmcli/agent@2.2.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		@npmcli/arborist@7.5.4 has Network access. Module: globalThis["fetch"] Location: Package overview From: package-lock.json → npm/lerna@8.2.3 → npm/@npmcli/arborist@7.5.4 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@npmcli/arborist@7.5.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		@npmcli/promise-spawn@7.0.2 has Shell access. Module: child_process Location: Package overview From: package-lock.json → npm/lerna@8.2.3 → npm/@npmcli/promise-spawn@7.0.2 ℹ Read more on: This package | This alert | What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@npmcli/promise-spawn@7.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		@nx/devkit@20.8.2 has Shell access. Module: child_process Location: Package overview From: package-lock.json → npm/lerna@8.2.3 → npm/@nx/devkit@20.8.2 ℹ Read more on: This package | This alert | What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@nx/devkit@20.8.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		@sigstore/sign@2.3.2 has Network access. Module: http2 Location: Package overview From: package-lock.json → npm/lerna@8.2.3 → npm/@sigstore/sign@2.3.2 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sigstore/sign@2.3.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		@tybys/wasm-util@0.10.0 has Network access. Module: globalThis["fetch"] Location: Package overview From: crypto/package-lock.json → npm/jest@30.1.3 → npm/@tybys/wasm-util@0.10.0 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tybys/wasm-util@0.10.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		@tybys/wasm-util@0.9.0 has Network access. Module: globalThis["fetch"] Location: Package overview From: package-lock.json → npm/lerna@8.2.3 → npm/@tybys/wasm-util@0.9.0 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tybys/wasm-util@0.9.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		@unrs/resolver-binding-wasm32-wasi@1.11.1 has Network access. Module: globalThis["fetch"] Location: Package overview From: crypto/package-lock.json → npm/jest@30.1.3 → npm/@unrs/resolver-binding-wasm32-wasi@1.11.1 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@unrs/resolver-binding-wasm32-wasi@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		conventional-changelog-core@5.0.1 has Shell access. Module: child_process Location: Package overview From: package-lock.json → npm/lerna@8.2.3 → npm/conventional-changelog-core@5.0.1 ℹ Read more on: This package | This alert | What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/conventional-changelog-core@5.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		cross-fetch@4.1.0 has Network access. Module: globalThis["fetch"] Location: Package overview From: crypto/package-lock.json → npm/web3@4.16.0 → npm/cross-fetch@4.1.0 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/cross-fetch@4.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		foreground-child@3.3.1 has Shell access. Module: child_process Location: Package overview From: crypto/package-lock.json → npm/jest@30.1.3 → npm/foreground-child@3.3.1 ℹ Read more on: This package | This alert | What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/foreground-child@3.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		lerna@8.2.3 has Network access. Module: http Location: Package overview From: package-lock.json → npm/lerna@8.2.3 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lerna@8.2.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		minipass-fetch@3.0.5 has Network access. Module: globalThis["fetch"] Location: Package overview From: package-lock.json → npm/lerna@8.2.3 → npm/minipass-fetch@3.0.5 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/minipass-fetch@3.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		minipass-fetch@3.0.5 has Network access. Module: http Location: Package overview From: package-lock.json → npm/lerna@8.2.3 → npm/minipass-fetch@3.0.5 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/minipass-fetch@3.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		minipass-fetch@3.0.5 has Network access. Module: https Location: Package overview From: package-lock.json → npm/lerna@8.2.3 → npm/minipass-fetch@3.0.5 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/minipass-fetch@3.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		napi-postinstall@0.3.3 has Network access. Module: globalThis["fetch"] Location: Package overview From: crypto/package-lock.json → npm/jest@30.1.3 → npm/napi-postinstall@0.3.3 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/napi-postinstall@0.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		node-gyp@10.3.1 has Network access. Module: globalThis["fetch"] Location: Package overview From: package-lock.json → npm/lerna@8.2.3 → npm/node-gyp@10.3.1 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/node-gyp@10.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		node-machine-id@1.1.12 has Shell access. Module: child_process Location: Package overview From: package-lock.json → npm/lerna@8.2.3 → npm/node-machine-id@1.1.12 ℹ Read more on: This package | This alert | What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/node-machine-id@1.1.12. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm-registry-fetch@17.1.0 has Network access. Module: globalThis["fetch"] Location: Package overview From: package-lock.json → npm/lerna@8.2.3 → npm/npm-registry-fetch@17.1.0 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/npm-registry-fetch@17.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
See 37 more rows in the dashboard

View full report