Bump tailwindcss from 3.4.17 to 3.4.19

[dependabot]

Bumps tailwindcss from 3.4.17 to 3.4.19.

Release notes

Sourced from tailwindcss's releases.

v3.4.19

Fixed

• Don’t break sibling-*() functions when used inside calc(…) (#19335)

v3.4.18

Fixed

• Improve support for raw supports-[…] queries in arbitrary values (#13605)
• Fix require.cache error when loaded through a TypeScript file in Node 22.18+ (#18665)
• Support import.meta.resolve(…) in configs for new enough Node.js versions (#18938)
• Allow using newer versions of postcss-load-config for better ESM and TypeScript PostCSS config support with the CLI (#18938)
• Remove irrelevant utility rules when matching important classes (#19030)

Changelog

Sourced from tailwindcss's changelog.

[3.4.19] - 2025-12-10

Fixed

• Don’t break sibling-*() functions when used inside calc(…) (#19335)

[4.1.17] - 2025-11-06

Fixed

• Substitute @variant inside legacy JS APIs (#19263)
• Prevent occasional crash on Windows when loaded into a worker thread (#19242)

[4.1.16] - 2025-10-23

Fixed

• Discard candidates with an empty data type (#19172)
• Fix canonicalization of arbitrary variants with attribute selectors (#19176)
• Fix invalid colors due to nested & (#19184)
• Improve canonicalization for & > :pseudo and & :pseudo arbitrary variants (#19178)

[4.1.15] - 2025-10-20

Fixed

• Fix Safari devtools rendering issue due to color-mix fallback (#19069)
• Suppress Lightning CSS warnings about :deep, :slotted, and :global (#19094)
• Fix resolving theme keys when starting with the name of another theme key in JS configs and plugins (#19097)
• Allow named groups in combination with not-*, has-*, and in-* (#19100)
• Prevent important utilities from affecting other utilities (#19110)
• Don’t index into strings with the theme(…) function (#19111)
• Fix parsing issue when \t is used in at-rules (#19130)
• Upgrade: Canonicalize utilities containing 0 values (#19095)
• Upgrade: Migrate deprecated break-words to wrap-break-word (#19157)

Changed

• Remove the postinstall script from oxide (#19149)(tailwindlabs/tailwindcss#19149)

[4.1.14] - 2025-10-01

Fixed

• Handle ' syntax in ClojureScript when extracting classes (#18888)
• Handle @variant inside @custom-variant (#18885)
• Merge suggestions when using @utility (#18900)
• Ensure that file system watchers created when using the CLI are always cleaned up (#18905)
• Do not generate grid-column utilities when configuring grid-column-start or grid-column-end (#18907)
• Do not generate grid-row utilities when configuring grid-row-start or grid-row-end (#18907)

... (truncated)

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​tailwindcss@​3.4.17 ⏵ 3.4.19	+1		+1

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Network access: npm mz in module dns Module: dns Location: Package overview From: ? → npm/tailwindcss@3.4.19 → npm/mz@2.7.0 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/mz@2.7.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		System shell access: npm mz in module child_process Module: child_process Location: Package overview From: ? → npm/tailwindcss@3.4.19 → npm/mz@2.7.0 ℹ Read more on: This package | This alert | What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/mz@2.7.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Unmaintained: npm @alloc/quick-lru was last published 5 years ago Last Publish: 4/6/2021, 12:28:18 AM From: ? → npm/tailwindcss@3.4.19 → npm/@alloc/quick-lru@5.2.0 ℹ Read more on: This package | This alert | What are unmaintained packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Package should publish periodic maintenance releases if they are maintained, or deprecate if they have no intention in further maintenance. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@alloc/quick-lru@5.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Unmaintained: npm any-promise was last published 10 years ago Last Publish: 5/8/2016, 12:15:06 PM From: ? → npm/tailwindcss@3.4.19 → npm/any-promise@1.3.0 ℹ Read more on: This package | This alert | What are unmaintained packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Package should publish periodic maintenance releases if they are maintained, or deprecate if they have no intention in further maintenance. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/any-promise@1.3.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Unmaintained: npm camelcase-css was last published 8 years ago Last Publish: 8/11/2018, 12:59:21 AM From: ? → npm/tailwindcss@3.4.19 → npm/camelcase-css@2.0.1 ℹ Read more on: This package | This alert | What are unmaintained packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Package should publish periodic maintenance releases if they are maintained, or deprecate if they have no intention in further maintenance. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/camelcase-css@2.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Unmaintained: npm dlv was last published 7 years ago Last Publish: 5/22/2019, 1:14:06 PM From: ? → npm/tailwindcss@3.4.19 → npm/dlv@1.1.3 ℹ Read more on: This package | This alert | What are unmaintained packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Package should publish periodic maintenance releases if they are maintained, or deprecate if they have no intention in further maintenance. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/dlv@1.1.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Debug access: npm jiti in module module Module: module Location: Package overview From: ? → npm/tailwindcss@3.4.19 → npm/astro@6.4.2 → npm/jiti@1.21.7 ℹ Read more on: This package | This alert | What is debug access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Removing the use of debug will reduce the risk of any reflection and dynamic code execution. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/jiti@1.21.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Debug access: npm jiti in module perf_hooks Module: perf_hooks Location: Package overview From: ? → npm/tailwindcss@3.4.19 → npm/astro@6.4.2 → npm/jiti@1.21.7 ℹ Read more on: This package | This alert | What is debug access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Removing the use of debug will reduce the risk of any reflection and dynamic code execution. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/jiti@1.21.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Debug access: npm jiti in module vm Module: vm Location: Package overview From: ? → npm/tailwindcss@3.4.19 → npm/astro@6.4.2 → npm/jiti@1.21.7 ℹ Read more on: This package | This alert | What is debug access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Removing the use of debug will reduce the risk of any reflection and dynamic code execution. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/jiti@1.21.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Debug access: npm jiti in module v8 Module: v8 Location: Package overview From: ? → npm/tailwindcss@3.4.19 → npm/astro@6.4.2 → npm/jiti@1.21.7 ℹ Read more on: This package | This alert | What is debug access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Removing the use of debug will reduce the risk of any reflection and dynamic code execution. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/jiti@1.21.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Environment variable access: npm jiti Location: Package overview From: ? → npm/tailwindcss@3.4.19 → npm/astro@6.4.2 → npm/jiti@1.21.7 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/jiti@1.21.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Environment variable access: npm jiti reads NODE_DEBUG Env Vars: NODE_DEBUG Location: Package overview From: ? → npm/tailwindcss@3.4.19 → npm/astro@6.4.2 → npm/jiti@1.21.7 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/jiti@1.21.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Environment variable access: npm jiti reads JITI_DEBUG Env Vars: JITI_DEBUG Location: Package overview From: ? → npm/tailwindcss@3.4.19 → npm/astro@6.4.2 → npm/jiti@1.21.7 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/jiti@1.21.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Environment variable access: npm jiti reads JITI_CACHE Env Vars: JITI_CACHE Location: Package overview From: ? → npm/tailwindcss@3.4.19 → npm/astro@6.4.2 → npm/jiti@1.21.7 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/jiti@1.21.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Environment variable access: npm jiti reads JITI_ESM_RESOLVE Env Vars: JITI_ESM_RESOLVE Location: Package overview From: ? → npm/tailwindcss@3.4.19 → npm/astro@6.4.2 → npm/jiti@1.21.7 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/jiti@1.21.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Environment variable access: npm jiti reads JITI_REQUIRE_CACHE Env Vars: JITI_REQUIRE_CACHE Location: Package overview From: ? → npm/tailwindcss@3.4.19 → npm/astro@6.4.2 → npm/jiti@1.21.7 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/jiti@1.21.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Environment variable access: npm jiti reads JITI_SOURCE_MAPS Env Vars: JITI_SOURCE_MAPS Location: Package overview From: ? → npm/tailwindcss@3.4.19 → npm/astro@6.4.2 → npm/jiti@1.21.7 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/jiti@1.21.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Environment variable access: npm jiti reads JITI_ALIAS Env Vars: JITI_ALIAS Location: Package overview From: ? → npm/tailwindcss@3.4.19 → npm/astro@6.4.2 → npm/jiti@1.21.7 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/jiti@1.21.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Environment variable access: npm jiti reads JITI_TRANSFORM_MODULES Env Vars: JITI_TRANSFORM_MODULES Location: Package overview From: ? → npm/tailwindcss@3.4.19 → npm/astro@6.4.2 → npm/jiti@1.21.7 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/jiti@1.21.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Environment variable access: npm jiti reads JITI_NATIVE_MODULES Env Vars: JITI_NATIVE_MODULES Location: Package overview From: ? → npm/tailwindcss@3.4.19 → npm/astro@6.4.2 → npm/jiti@1.21.7 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/jiti@1.21.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Environment variable access: npm jiti reads JITI_EXPERIMENTAL_BUN Env Vars: JITI_EXPERIMENTAL_BUN Location: Package overview From: ? → npm/tailwindcss@3.4.19 → npm/astro@6.4.2 → npm/jiti@1.21.7 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/jiti@1.21.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Environment variable access: npm jiti reads TMPDIR Env Vars: TMPDIR Location: Package overview From: ? → npm/tailwindcss@3.4.19 → npm/astro@6.4.2 → npm/jiti@1.21.7 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/jiti@1.21.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Environment variable access: npm jiti reads JITI_RESPECT_TMPDIR_ENV Env Vars: JITI_RESPECT_TMPDIR_ENV Location: Package overview From: ? → npm/tailwindcss@3.4.19 → npm/astro@6.4.2 → npm/jiti@1.21.7 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/jiti@1.21.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Filesystem access: npm jiti with module fs Module: fs Location: Package overview From: ? → npm/tailwindcss@3.4.19 → npm/astro@6.4.2 → npm/jiti@1.21.7 ℹ Read more on: This package | This alert | What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/jiti@1.21.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High entropy strings: npm jiti Location: Package overview From: ? → npm/tailwindcss@3.4.19 → npm/astro@6.4.2 → npm/jiti@1.21.7 ℹ Read more on: This package | This alert | What are high entropy strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Please inspect these strings to check if they are benign. Maintainers should clarify the purpose and existence of high entropy strings if there is a legitimate purpose. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/jiti@1.21.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Minified code present: npm jiti with 100.0% likelihood Confidence: 1.00 Location: Package overview From: ? → npm/tailwindcss@3.4.19 → npm/astro@6.4.2 → npm/jiti@1.21.7 ℹ Read more on: This package | This alert | What's wrong with minified code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: In many cases minified code is harmless, however minified code can be used to hide a supply chain attack. Consider not shipping minified code on npm. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/jiti@1.21.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm jiti URLs: https://github.com/puleos/object-hash/issues/26, SemVer.compare Location: Package overview From: ? → npm/tailwindcss@3.4.19 → npm/astro@6.4.2 → npm/jiti@1.21.7 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/jiti@1.21.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Filesystem access: npm mz with module fs Module: fs Location: Package overview From: ? → npm/tailwindcss@3.4.19 → npm/mz@2.7.0 ℹ Read more on: This package | This alert | What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/mz@2.7.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
See 9 more rows in the dashboard

View full report