chore(deps): bump the npm_and_yarn group across 1 directory with 14 updates #1472

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/npm_and_yarn-c33a764421

Conversation

@dependabot dependabot Bot commented on behalf of github Jun 22, 2026

Bumps the npm_and_yarn group with 12 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| @fastify/express | 4.0.4 | 4.0.5 |
| @fastify/static | 9.0.0 | 9.1.1 |
| esbuild | 0.27.4 | 0.28.1 |
| fastify | 5.8.2 | 5.8.5 |
| form-data | 4.0.5 | 4.0.6 |
| nodemailer | 8.0.3 | 9.0.1 |
| samlify | 2.10.2 | 2.13.0 |
| sanitize-html | 2.17.2 | 2.17.4 |
| tmp | 0.2.5 | 0.2.7 |
| uuid | 13.0.0 | 14.0.0 |
| vite | 7.3.1 | 7.3.5 |
| ws | 8.20.0 | 8.21.0 |

Updates @fastify/express from 4.0.4 to 4.0.5

Release notes

Sourced from @fastify/express's releases.

v4.0.5

⚠️ Security Release

This fixes CVE-2026-33807 (GHSA-hrwm-hgmj-7p9c) and CVE-2026-33808 (GHSA-6hw5-45gm-fj88).

Full Changelog: fastify/fastify-express@v4.0.4...v4.0.5

Commits

Maintainer changes

This version was pushed to npm by climba03003, a new releaser for @fastify/express since your current version.


Updates @fastify/static from 9.0.0 to 9.1.1

Release notes

Sourced from @fastify/static's releases.

v9.1.1

⚠️ Security Release

This fixes CVE-2026-6410 (GHSA-pr96-94w5-mx2h) and CVE-2026-6414 (GHSA-x428-ghpx-8j92).

Full Changelog: fastify/fastify-static@v9.1.0...v9.1.1

v9.1.0

Full Changelog: fastify/fastify-static@v9.0.0...v9.1.0

Commits

Updates esbuild from 0.27.4 to 0.28.1

Release notes

Sourced from esbuild's releases.

v0.28.1

  • Disallow \ in local development server HTTP requests (GHSA-g7r4-m6w7-qqqr)

    This release fixes a security issue where HTTP requests to esbuild's local development server could traverse outside of the serve directory on Windows using a \ backslash character. It happened due to the use of Go's path.Clean() function, which only handles Unix-style / characters. HTTP requests with paths containing \ are no longer allowed.

    Thanks to @dellalibera for reporting this issue.

  • Add integrity checks to the Deno API (GHSA-gv7w-rqvm-qjhr)

    The previous release of esbuild added integrity checks to esbuild's npm install script. This release also adds integrity checks to esbuild's Deno install script. Now esbuild's Deno API will also fail with an error if the downloaded esbuild binary contains something other than the expected content.

    Note that esbuild's Deno API installs from registry.npmjs.org by default, but allows the NPM_CONFIG_REGISTRY environment variable to override this with a custom package registry. This change means that the esbuild executable served by NPM_CONFIG_REGISTRY must now match the expected content.

    Thanks to @sondt99 for reporting this issue.

  • Avoid inlining using and await using declarations (#4482)

    Previously esbuild's minifier sometimes incorrectly inlined using and await using declarations into subsequent uses of that declaration, which then fails to dispose of the resource correctly. This bug happened because inlining was done for let and const declarations by avoiding doing it for var declarations, which no longer worked when more declaration types were added. Here's an example:

    // Original code
    {
      using x = new Resource()
      x.activate()
    }
    // Old output (with --minify)
    new Resource().activate();
    // New output (with --minify)
    {using e=new Resource;e.activate()}

  • Fix module evaluation when an error is thrown (#4461, #4467)

    If an error is thrown during module evaluation, esbuild previously didn't preserve the state of the module for subsequent module references. This was observable if import() or require() is used to import a module multiple times. The thrown error is supposed to be thrown by every call to import() or require(), not just the first. With this release, esbuild will now throw the same error every time you call import() or require() on a module that throws during its evaluation.

  • Fix some edge cases around the new operator (#4477)

    Previously esbuild incorrectly printed certain edge cases involving complex expressions inside the target of a new expression (specifically an optional chain and/or a tagged template literal). The generated code for the new target was not correctly wrapped with parentheses, and either contained a syntax error or had different semantics. These edge cases have been fixed so that they now correctly wrap the new target in parentheses. Here is an example of some affected code:

    // Original code
    new (foo()`bar`)()
    new (foo()?.bar)()
    // Old output
    new foo()bar();
    new (foo())?.bar();

... (truncated)

Changelog

Sourced from esbuild's changelog.

Commits

Updates fastify from 5.8.2 to 5.8.5

Release notes

Sourced from fastify's releases.

v5.8.5

⚠️ Security Release

This fixes CVE-2026-33806 (GHSA-247c-9743-5963).

Full Changelog: fastify/fastify@v5.8.4...v5.8.5

v5.8.4

Full Changelog: fastify/fastify@v5.8.3...v5.8.4

v5.8.3

⚠️ Security Release

This fixes CVE-2026-3635 (GHSA-444r-cwp2-x5xf).

... (truncated)

Commits
  • 3983cce Bumped v5.8.5
  • 3ce3ae6 Merge commit from fork
  • b06a196 docs(ecosystem): add @pompelmi/fastify-plugin (#6610)
  • 909c5d5 chore: Bump actions/dependency-review-action from 4.8.3 to 4.9.0 (#6630)
  • 4db21a3 chore: Bump borp from 0.21.0 to 1.0.0 (#6633)
  • 0f4e544 chore: Bump markdownlint-cli2 from 0.21.0 to 0.22.0 (#6632)
  • 33a2fcd chore: Bump pnpm/action-setup from 4.2.0 to 5.0.0 (#6629)
  • fd35d82 ci: reduce cron schedules from daily/weekly to monthly (#6623)
  • 8dee9be fix: restore trustProxy function for number and string types, add null check ...
  • d457aed chore: upgrade to typescript v6.0.2 (#6605)
  • Additional commits viewable in compare view

Updates form-data from 4.0.5 to 4.0.6

Changelog

Sourced from form-data's changelog.

v4.0.6 - 2026-06-12

Commits

  • [Fix] escape CR, LF, and " in field names and filenames 8dff42c
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, tape f31d21e
  • [Deps] update hasown, mime-types 92ae0eb
  • [Dev Deps] update js-randomness-predictor 67b0f65

Commits
  • 64190db v4.0.6
  • 92ae0eb [Deps] update hasown, mime-types
  • f31d21e [Dev Deps] update @ljharb/eslint-config, auto-changelog, tape
  • 8dff42c [Fix] escape CR, LF, and " in field names and filenames
  • 67b0f65 [Dev Deps] update js-randomness-predictor
  • See full diff in compare view

Updates nodemailer from 8.0.3 to 9.0.1

Release notes

Sourced from nodemailer's releases.

v9.0.1

9.0.1 (2026-06-17)

Bug Fixes

  • enforce disableFileAccess/disableUrlAccess for raw message option (a82e060)

v9.0.0

9.0.0 (2026-06-14)

⚠ BREAKING CHANGES

  • HTTPS requests made while fetching remote content (attachment href/path URLs, OAuth2 token endpoints, HTTP/HTTPS proxy CONNECT) now validate the server's TLS certificate by default. Requests to hosts with self-signed, expired, or hostname-mismatched certificates that previously succeeded will now fail. Opt back out per request with tls.rejectUnauthorized=false (transport options, or a per-attachment tls option).

Bug Fixes

  • replace deprecated url.parse with a WHATWG URL wrapper (0c080fb)
  • validate TLS certificates by default when fetching remote content (6a947ac)

v8.0.11

8.0.11 (2026-06-10)

Bug Fixes

  • apply the transport-level newline option in stream and sendmail transports (cb4f904)
  • include icalEvent path/href content in the application/ics attachment (b801c48)
  • parse Ethereal response props without polynomial regex backtracking (067aebe)
  • resolve oauth2_provision_cb at send time for non-pooled SMTP transports (203c8ec)
  • return the promise from every resolveContent branch (07ffe8c)
  • strip the url scheme from List-ID header values (77e5885)
  • tag AWS SES transport errors with the ESES code (efa647a)

v8.0.10

8.0.10 (2026-05-29)

Bug Fixes

  • fall back to lower-severity handler when custom logger lacks a level method (6d849df)

v8.0.9

8.0.9 (2026-05-26)

Bug Fixes

  • two pending security advisories (jsonTransport access bypass, List-* CRLF injection) (#1820) (5f69497)

... (truncated)

Changelog

Sourced from nodemailer's changelog.

Commits
  • 69cf625 chore(master): release 9.0.1 (#1828)
  • a82e060 fix: enforce disableFileAccess/disableUrlAccess for raw message option
  • 4e58450 chore: update dev dependencies
  • 541f5fd chore(master): release 9.0.0 (#1827)
  • 0c080fb fix: replace deprecated url.parse with a WHATWG URL wrapper
  • 6a947ac fix!: validate TLS certificates by default when fetching remote content
  • e3b1bda chore(master): release 8.0.11 (#1826)
  • 4358caf refactor: remove dead checks flagged by Code Quality analysis
  • cf5195c chore: harden workflow token permissions and update GitHub Actions
  • 067aebe fix: parse Ethereal response props without polynomial regex backtracking
  • Additional commits viewable in compare view

Updates samlify from 2.10.2 to 2.13.0

Release notes

Sourced from samlify's releases.

v2.13.0

What's Changed

Security Audit

GHSA-34r5-q4jw-r36m (credit to @RootUp)

Full Changelog: tngan/samlify@v2.12.0...v2.13.0

v2.12.0

Full Changelog: tngan/samlify@v2.11.0...v2.12.0

v2.11.0

Full Changelog: tngan/samlify@v2.10.2...v2.11.0

Commits
  • 3230b2b chore: bump version to 2.13.0
  • b37a65c fix: escape XML element text in replaceTagsByValue to prevent SAML attribute ...
  • 0235cab feat: per-request AssertionConsumerServiceIndex for createLoginRequest (close...
  • a3910b1 feat: support RSASSA-PSS signature algorithms (closes #624) (#625)
  • 8f1cc8b feat: support elementsOrder option on IdP metadata (closes #429) (#622)
  • c393d81 fix: invoke customTagReplacement even without explicit template (closes #549)...
  • ee738cc feat: support tagPrefix.protocol and tagPrefix.assertion on IdP (closes #388)...
  • 1c2b9fa feat: per-request ForceAuthn for createLoginRequest (closes #359) (#618)
  • 803acc1 fix: default signatureConfig for SP when wantMessageSigned is true (closes #4...
  • 3ee2bc6 fix: surface SP/IdP signing flags in ERR_METADATA_CONFLICT_REQUEST_SIGNED_FLA...
  • Additional commits viewable in compare view

Updates sanitize-html from 2.17.2 to 2.17.4

Changelog

Sourced from sanitize-html's changelog.

2.17.4

Changes

  • sanitize-html and launder now share a single implementation of naughtyHref, based on that which previously existed in sanitize-html.

Security

  • Security vulnerability: the xmp tag could be used to pass forbidden markup through sanitize-html, even when xmp itself is not explicitly allowed. All users of sanitize-html should update immediately. Thanks to Vincenzo Turturro for reporting the vulnerability.

2.17.3 (2026-04-15)

Security

  • Fix vulnerability introduced in version 2.17.2 that allowed XSS attacks if the developer chose to permit option tags. There was no vulnerability when not explicitly allowing option tags.

Commits

Updates tmp from 0.2.5 to 0.2.7

Commits

Updates uuid from 13.0.0 to 14.0.0

Release notes

Sourced from uuid's releases.

v14.0.0

14.0.0 (2026-04-19)

⚠ BREAKING CHANGES

  • expect crypto to be global everywhere (requires node@20+) (#935)
  • drop node@18 support (#934)

Bug Fixes

  • expect crypto to be global everywhere (requires node@20+) (#935) (f2c235f)
  • Use GITHUB_TOKEN for release-please and enable npm provenance (#925) (ffa3138)

v13.0.2

13.0.2 (2026-05-04)

Bug Fixes

  • rerelease to fix provenance. (49ccb35)

v13.0.1

13.0.1 (2026-04-27)

Changelog

Sourced from uuid's changelog.

14.0.0 (2026-04-19)

Security

  • Fixes GHSA-w5hq-g745-h8pq: v3(), v5(), and v6() did not validate that writes would remain within the bounds of a caller-supplied buffer, allowing out-of-bounds writes when an invalid offset was provided. A RangeError is now thrown if offset < 0 or offset + 16 > buf.length.

⚠ BREAKING CHANGES

  • crypto is now expected to be globally defined (requires node@20+) (#935)
  • drop node@18 support (#934)
  • upgrade minimum supported TypeScript version to 5.4.3, in keeping with the project's policy of supporting TypeScript versions released within the last two years

Commits

…pdates

Bumps the npm_and_yarn group with 12 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@fastify/express](https://github.com/fastify/fastify-express) | `4.0.4` | `4.0.5` |
| [@fastify/static](https://github.com/fastify/fastify-static) | `9.0.0` | `9.1.1` |
| [esbuild](https://github.com/evanw/esbuild) | `0.27.4` | `0.28.1` |
| [fastify](https://github.com/fastify/fastify) | `5.8.2` | `5.8.5` |
| [form-data](https://github.com/form-data/form-data) | `4.0.5` | `4.0.6` |
| [nodemailer](https://github.com/nodemailer/nodemailer) | `8.0.3` | `9.0.1` |
| [samlify](https://github.com/tngan/samlify) | `2.10.2` | `2.13.0` |
| [sanitize-html](https://github.com/apostrophecms/apostrophe/tree/HEAD/packages/sanitize-html) | `2.17.2` | `2.17.4` |
| [tmp](https://github.com/raszi/node-tmp) | `0.2.5` | `0.2.7` |
| [uuid](https://github.com/uuidjs/uuid) | `13.0.0` | `14.0.0` |
| [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) | `7.3.1` | `7.3.5` |
| [ws](https://github.com/websockets/ws) | `8.20.0` | `8.21.0` |



Updates `@fastify/express` from 4.0.4 to 4.0.5
- [Release notes](https://github.com/fastify/fastify-express/releases)
- [Commits](fastify/fastify-express@v4.0.4...v4.0.5)

Updates `@fastify/static` from 9.0.0 to 9.1.1
- [Release notes](https://github.com/fastify/fastify-static/releases)
- [Commits](fastify/fastify-static@v9.0.0...v9.1.1)

Updates `esbuild` from 0.27.4 to 0.28.1
- [Release notes](https://github.com/evanw/esbuild/releases)
- [Changelog](https://github.com/evanw/esbuild/blob/main/CHANGELOG.md)
- [Commits](evanw/esbuild@v0.27.4...v0.28.1)

Updates `fastify` from 5.8.2 to 5.8.5
- [Release notes](https://github.com/fastify/fastify/releases)
- [Commits](fastify/fastify@v5.8.2...v5.8.5)

Updates `form-data` from 4.0.5 to 4.0.6
- [Changelog](https://github.com/form-data/form-data/blob/master/CHANGELOG.md)
- [Commits](form-data/form-data@v4.0.5...v4.0.6)

Updates `nodemailer` from 8.0.3 to 9.0.1
- [Release notes](https://github.com/nodemailer/nodemailer/releases)
- [Changelog](https://github.com/nodemailer/nodemailer/blob/master/CHANGELOG.md)
- [Commits](nodemailer/nodemailer@v8.0.3...v9.0.1)

Updates `samlify` from 2.10.2 to 2.13.0
- [Release notes](https://github.com/tngan/samlify/releases)
- [Commits](tngan/samlify@v2.10.2...v2.13.0)

Updates `sanitize-html` from 2.17.2 to 2.17.4
- [Changelog](https://github.com/apostrophecms/apostrophe/blob/main/packages/sanitize-html/CHANGELOG.md)
- [Commits](https://github.com/apostrophecms/apostrophe/commits/sanitize-html@2.17.4/packages/sanitize-html)

Updates `tmp` from 0.2.5 to 0.2.7
- [Changelog](https://github.com/raszi/node-tmp/blob/master/CHANGELOG.md)
- [Commits](raszi/node-tmp@v0.2.5...v0.2.7)

Updates `uuid` from 13.0.0 to 14.0.0
- [Release notes](https://github.com/uuidjs/uuid/releases)
- [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md)
- [Commits](uuidjs/uuid@v13.0.0...v14.0.0)

Updates `vite` from 7.3.1 to 7.3.5
- [Release notes](https://github.com/vitejs/vite/releases)
- [Changelog](https://github.com/vitejs/vite/blob/v7.3.5/packages/vite/CHANGELOG.md)
- [Commits](https://github.com/vitejs/vite/commits/v7.3.5/packages/vite)

Updates `ws` from 8.20.0 to 8.21.0
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.20.0...8.21.0)

Updates `@fastify/reply-from` from 12.6.1 to 12.6.2
- [Release notes](https://github.com/fastify/fastify-reply-from/releases)
- [Commits](fastify/fastify-reply-from@v12.6.1...v12.6.2)

Updates `@opentelemetry/exporter-prometheus` from 0.211.0 to 0.219.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-js/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-js/blob/main/CHANGELOG.md)
- [Commits](open-telemetry/opentelemetry-js@experimental/v0.211.0...experimental/v0.219.0)

---
updated-dependencies:
- dependency-name: "@fastify/express"
  dependency-version: 4.0.5
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@fastify/static"
  dependency-version: 9.1.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: esbuild
  dependency-version: 0.28.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: fastify
  dependency-version: 5.8.5
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: form-data
  dependency-version: 4.0.6
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: nodemailer
  dependency-version: 9.0.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: samlify
  dependency-version: 2.13.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: sanitize-html
  dependency-version: 2.17.4
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: tmp
  dependency-version: 0.2.7
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: uuid
  dependency-version: 14.0.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: vite
  dependency-version: 7.3.5
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: ws
  dependency-version: 8.21.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@fastify/reply-from"
  dependency-version: 12.6.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: "@opentelemetry/exporter-prometheus"
  dependency-version: 0.219.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
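The esbuild 0.28.1 note above attributes the Windows traversal to Go's path.Clean treating '\' as an ordinary character. This added Go example (not esbuild's code; the function names are hypothetical) contrasts slash-only cleaning with the 0.28.1 rule of refusing any request path that contains '\':

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// ErrBackslash is returned for any request path containing '\'.
var ErrBackslash = errors.New("request path contains '\\'")

// cleanSlashOnly models the pre-0.28.1 behaviour described in the release note:
// path.Clean understands only '/' as a separator, so a "..\" segment is returned
// untouched and is later interpreted as traversal by the Windows filesystem.
// A leading "/.." segment, by contrast, is collapsed to "/" as expected.
func cleanSlashOnly(reqPath string) string {
	cleaned := path.Clean("/" + reqPath)
	return strings.TrimPrefix(cleaned, "/")
}

// resolveServePath applies the 0.28.1 rule: reject any '\' before cleaning,
// so only '/'-separated paths ever reach the filesystem layer.
func resolveServePath(reqPath string) (string, error) {
	if strings.ContainsRune(reqPath, '\\') {
		return "", ErrBackslash
	}
	return cleanSlashOnly(reqPath), nil
}

// hasDotDotAnySeparator reports whether a cleaned path still carries a ".."
// segment once both '/' and '\' count as separators, which is how Windows
// will read it. Useful as a post-cleaning sanity check in a handler or test.
func hasDotDotAnySeparator(p string) bool {
	isSep := func(r rune) bool { return r == '/' || r == '\\' }
	for _, seg := range strings.FieldsFunc(p, isSep) {
		if seg == ".." {
			return true
		}
	}
	return false
}

func main() {
	// Constructed request paths: slash-style traversal, backslash-style
	// traversal, and an ordinary asset path.
	reqs := []string{"/../../outside.txt", "/..\\..\\outside.txt", "/assets/./app.js"}
	for _, req := range reqs {
		old := cleanSlashOnly(req)
		fixed, err := resolveServePath(req)
		fmt.Printf("%-24q clean-only=%-22q dotdot-left=%-5v fixed=%q err=%v\n",
			req, old, hasDotDotAnySeparator(old), fixed, err)
	}
}
```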
@dependabot dependabot Bot added the labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update Javascript code) on Jun 22, 2026
semanticdiff-com Bot commented Jun 22, 2026


Review changes with SemanticDiff

Changed Files
| File | Status |
| --- | --- |
| pnpm-workspace.yaml | 12% smaller |
| pnpm-lock.yaml | Unsupported file format |

snyk-io Bot commented Jun 22, 2026


Snyk checks have passed. No issues have been found so far.

| Status | Scan Engine | Critical | High | Medium | Low | Total (0) |
| --- | --- | --- | --- | --- | --- | --- |
| | Open Source Security | 0 | 0 | 0 | 0 | 0 issues |


@socket-security


Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action: Warn
Severity: High
Alert: Obfuscated code: npm rimraf is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yaml > npm/@opentelemetry/auto-instrumentations-node@0.77.0 > npm/rimraf@5.0.10


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/rimraf@5.0.10. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

