| Block |
 |
Publisher changed: npm @endo/compartment-mapper is now published by boneskull
Author: boneskull
From: ? → npm/@lavamoat/node@1.0.0 → npm/@endo/compartment-mapper@2.0.0
ℹ Read more on: This package | This alert | What is unstable ownership?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Try to reduce the number of authors you depend on to reduce the risk of malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@endo/compartment-mapper@2.0.0. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
 |
Publisher changed: npm @endo/evasive-transform is now published by boneskull
Author: boneskull
From: ? → npm/@lavamoat/node@1.0.0 → npm/@endo/evasive-transform@2.1.0
ℹ Read more on: This package | This alert | What is unstable ownership?
To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@endo/evasive-transform@2.1.0.
|
| Block |
 |
Publisher changed: npm @endo/module-source is now published by boneskull
Author: boneskull
From: ? → npm/@lavamoat/node@1.0.0 → npm/@endo/module-source@1.4.0
ℹ Read more on: This package | This alert | What is unstable ownership?
To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@endo/module-source@1.4.0.
|
| Block |
 |
Publisher changed: npm @endo/zip is now published by boneskull
Author: boneskull
From: ? → npm/@lavamoat/node@1.0.0 → npm/@endo/zip@1.1.0
ℹ Read more on: This package | This alert | What is unstable ownership?
To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@endo/zip@1.1.0.
|
| Block |
 |
Network access: npm @types/node in module globalThis["fetch"]
Module: globalThis["fetch"]
Location: Package overview
From: ? → npm/jest@29.5.0 → npm/@types/node@22.18.12
ℹ Read more on: This package | This alert | What is network access?
Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.
To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@types/node@22.18.12.
|
| Block |
 |
Network access: npm agentkeepalive in module http
Module: http
Location: Package overview
From: ? → npm/rollup@2.80.0 → npm/crypto-browserify@3.12.1 → npm/@jest/expect@29.5.0 → npm/jest@29.5.0 → npm/webpack-dev-server@5.2.2 → npm/fork-ts-checker-webpack-plugin@9.0.2 → npm/tsx@4.20.3 → npm/vite@6.4.1 → npm/playwright@1.57.0 → npm/agentkeepalive@4.2.1
ℹ Read more on: This package | This alert | What is network access?
To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/agentkeepalive@4.2.1.
|
| Block |
 |
Network access: npm agentkeepalive in module https
Module: https
Location: Package overview
From: ? → npm/rollup@2.80.0 → npm/crypto-browserify@3.12.1 → npm/@jest/expect@29.5.0 → npm/jest@29.5.0 → npm/webpack-dev-server@5.2.2 → npm/fork-ts-checker-webpack-plugin@9.0.2 → npm/tsx@4.20.3 → npm/vite@6.4.1 → npm/playwright@1.57.0 → npm/agentkeepalive@4.2.1
ℹ Read more on: This package | This alert | What is network access?
To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/agentkeepalive@4.2.1.
|
| Block |
 |
Publisher changed: npm @endo/compartment-mapper is now published by boneskull instead of kriskowal
New Author: boneskull
Previous Author: kriskowal
From: ? → npm/@lavamoat/node@1.0.0 → npm/@endo/compartment-mapper@2.0.0
ℹ Read more on: This package | This alert | What is new author?
Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.
To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@endo/compartment-mapper@2.0.0.
|
| Block |
 |
Publisher changed: npm @endo/evasive-transform is now published by boneskull instead of kriskowal
New Author: boneskull
Previous Author: kriskowal
From: ? → npm/@lavamoat/node@1.0.0 → npm/@endo/evasive-transform@2.1.0
ℹ Read more on: This package | This alert | What is new author?
To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@endo/evasive-transform@2.1.0.
|
| Block |
 |
Publisher changed: npm @endo/module-source is now published by boneskull instead of kriskowal
New Author: boneskull
Previous Author: kriskowal
From: ? → npm/@lavamoat/node@1.0.0 → npm/@endo/module-source@1.4.0
ℹ Read more on: This package | This alert | What is new author?
To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@endo/module-source@1.4.0.
|
| Block |
 |
Publisher changed: npm @endo/zip is now published by boneskull instead of kriskowal
New Author: boneskull
Previous Author: kriskowal
From: ? → npm/@lavamoat/node@1.0.0 → npm/@endo/zip@1.1.0
ℹ Read more on: This package | This alert | What is new author?
To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@endo/zip@1.1.0.
|
| Block |
 |
Publisher changed: npm @npmcli/move-file is now published by gar instead of nlf
New Author: gar
Previous Author: nlf
From: ? → npm/rollup@2.80.0 → npm/crypto-browserify@3.12.1 → npm/@jest/expect@29.5.0 → npm/jest@29.5.0 → npm/webpack-dev-server@5.2.2 → npm/fork-ts-checker-webpack-plugin@9.0.2 → npm/tsx@4.20.3 → npm/vite@6.4.1 → npm/playwright@1.57.0 → npm/@npmcli/move-file@2.0.0
ℹ Read more on: This package | This alert | What is new author?
To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@npmcli/move-file@2.0.0.
|
| Block |
 |
Publisher changed: npm npmlog is now published by lukekarrys instead of gar
New Author: lukekarrys
Previous Author: gar
From: ? → npm/rollup@2.80.0 → npm/crypto-browserify@3.12.1 → npm/@jest/expect@29.5.0 → npm/jest@29.5.0 → npm/webpack-dev-server@5.2.2 → npm/fork-ts-checker-webpack-plugin@9.0.2 → npm/tsx@4.20.3 → npm/vite@6.4.1 → npm/playwright@1.57.0 → npm/npmlog@6.0.2
ℹ Read more on: This package | This alert | What is new author?
To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/npmlog@6.0.2.
|
| Block |
 |
Publisher changed: npm ssri is now published by gar instead of nlf
New Author: gar
Previous Author: nlf
From: ? → npm/rollup@2.80.0 → npm/crypto-browserify@3.12.1 → npm/@jest/expect@29.5.0 → npm/jest@29.5.0 → npm/webpack-dev-server@5.2.2 → npm/fork-ts-checker-webpack-plugin@9.0.2 → npm/tsx@4.20.3 → npm/vite@6.4.1 → npm/playwright@1.57.0 → npm/ssri@9.0.0
ℹ Read more on: This package | This alert | What is new author?
To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ssri@9.0.0.
|
| Block |
 |
Publisher changed: npm supports-hyperlinks is now published by sindresorhus instead of jamestalmage
New Author: sindresorhus
Previous Author: jamestalmage
From: ? → npm/@lavamoat/node@1.0.0 → npm/supports-hyperlinks@2.3.0
ℹ Read more on: This package | This alert | What is new author?
To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/supports-hyperlinks@2.3.0.
|
| Block |
 |
Publisher changed: npm unique-slug is now published by zkat instead of iarna
New Author: zkat
Previous Author: iarna
From: ? → npm/rollup@2.80.0 → npm/crypto-browserify@3.12.1 → npm/@jest/expect@29.5.0 → npm/jest@29.5.0 → npm/webpack-dev-server@5.2.2 → npm/fork-ts-checker-webpack-plugin@9.0.2 → npm/tsx@4.20.3 → npm/vite@6.4.1 → npm/playwright@1.57.0 → npm/unique-slug@2.0.2
ℹ Read more on: This package | This alert | What is new author?
To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/unique-slug@2.0.2.
|
| Warn |
 |
Deprecated by its maintainer: npm @npmcli/move-file
Reason: This functionality has been moved to @npmcli/fs
From: ? → npm/rollup@2.80.0 → npm/crypto-browserify@3.12.1 → npm/@jest/expect@29.5.0 → npm/jest@29.5.0 → npm/webpack-dev-server@5.2.2 → npm/fork-ts-checker-webpack-plugin@9.0.2 → npm/tsx@4.20.3 → npm/vite@6.4.1 → npm/playwright@1.57.0 → npm/@npmcli/move-file@2.0.0
ℹ Read more on: This package | This alert | What is a deprecated package?
Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.
To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@npmcli/move-file@2.0.0.
|
| Warn |
 |
Deprecated by its maintainer: npm are-we-there-yet
Reason: This package is no longer supported.
From: ? → npm/rollup@2.80.0 → npm/crypto-browserify@3.12.1 → npm/@jest/expect@29.5.0 → npm/jest@29.5.0 → npm/webpack-dev-server@5.2.2 → npm/fork-ts-checker-webpack-plugin@9.0.2 → npm/tsx@4.20.3 → npm/vite@6.4.1 → npm/playwright@1.57.0 → npm/are-we-there-yet@3.0.0
ℹ Read more on: This package | This alert | What is a deprecated package?
To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/are-we-there-yet@3.0.0.
|
| Warn |
 |
Deprecated by its maintainer: npm gauge
Reason: This package is no longer supported.
From: ? → npm/rollup@2.80.0 → npm/crypto-browserify@3.12.1 → npm/@jest/expect@29.5.0 → npm/jest@29.5.0 → npm/webpack-dev-server@5.2.2 → npm/fork-ts-checker-webpack-plugin@9.0.2 → npm/tsx@4.20.3 → npm/vite@6.4.1 → npm/playwright@1.57.0 → npm/gauge@4.0.4
ℹ Read more on: This package | This alert | What is a deprecated package?
To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/gauge@4.0.4.
|
| Warn |
 |
Deprecated by its maintainer: npm npmlog
Reason: This package is no longer supported.
From: ? → npm/rollup@2.80.0 → npm/crypto-browserify@3.12.1 → npm/@jest/expect@29.5.0 → npm/jest@29.5.0 → npm/webpack-dev-server@5.2.2 → npm/fork-ts-checker-webpack-plugin@9.0.2 → npm/tsx@4.20.3 → npm/vite@6.4.1 → npm/playwright@1.57.0 → npm/npmlog@6.0.2
ℹ Read more on: This package | This alert | What is a deprecated package?
To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/npmlog@6.0.2.
|
| Warn |
 |
Deprecated by its maintainer: npm rimraf
Reason: Rimraf versions prior to v4 are no longer supported
From: ? → npm/rollup@2.80.0 → npm/crypto-browserify@3.12.1 → npm/@jest/expect@29.5.0 → npm/jest@29.5.0 → npm/webpack-dev-server@5.2.2 → npm/fork-ts-checker-webpack-plugin@9.0.2 → npm/tsx@4.20.3 → npm/vite@6.4.1 → npm/playwright@1.57.0 → npm/rimraf@3.0.2
ℹ Read more on: This package | This alert | What is a deprecated package?
To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/rimraf@3.0.2.
|
| Warn |
 |
Deprecated by its maintainer: npm tar
Reason: Old versions of tar are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
From: ? → npm/rollup@2.80.0 → npm/crypto-browserify@3.12.1 → npm/@jest/expect@29.5.0 → npm/jest@29.5.0 → npm/webpack-dev-server@5.2.2 → npm/fork-ts-checker-webpack-plugin@9.0.2 → npm/tsx@4.20.3 → npm/vite@6.4.1 → npm/playwright@1.57.0 → npm/tar@6.2.1
ℹ Read more on: This package | This alert | What is a deprecated package?
To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tar@6.2.1.
|
| Warn |
 |
Low CVE: npm @tootallnate/once vulnerable to Incorrect Control Flow Scoping
Advisory: GHSA-vpq2-c234-7xj6 (a GitHub Security Advisory identifier; this report lists no CVE number) @tootallnate/once vulnerable to Incorrect Control Flow Scoping (LOW)
Affected versions: < 3.0.1
Patched version: 3.0.1
From: ? → npm/rollup@2.80.0 → npm/crypto-browserify@3.12.1 → npm/@jest/expect@29.5.0 → npm/jest@29.5.0 → npm/webpack-dev-server@5.2.2 → npm/fork-ts-checker-webpack-plugin@9.0.2 → npm/tsx@4.20.3 → npm/vite@6.4.1 → npm/playwright@1.57.0 → npm/@tootallnate/once@2.0.0
ℹ Read more on: This package | This alert | What is a mild CVE?
Suggestion: Remove or replace dependencies that include known low severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.
To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tootallnate/once@2.0.0.
|
| Warn |
 |
Potential code anomaly (AI signal): npm chownr is 100.0% likely to have a medium risk anomaly
Notes: The code represents a standard, well-scoped recursive ownership utility with deliberate cross-version compatibility. No evidence of malicious activity, data leakage, or external communications. The main risk is the potential for broad permission changes if invoked with untrusted uid/gid values; usage should be restricted to trusted contexts.
Confidence: 1.00
Severity: 0.60
From: ? → npm/rollup@2.80.0 → npm/crypto-browserify@3.12.1 → npm/@jest/expect@29.5.0 → npm/jest@29.5.0 → npm/webpack-dev-server@5.2.2 → npm/fork-ts-checker-webpack-plugin@9.0.2 → npm/tsx@4.20.3 → npm/vite@6.4.1 → npm/playwright@1.57.0 → npm/chownr@2.0.0
ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?
Suggestion: An AI system found a medium-risk anomaly in this package (severity 0.60 above). It may still be fine to use, but you should check that it is safe before proceeding.
To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/chownr@2.0.0.
|
| Warn |
 |
Potential code anomaly (AI signal): npm http-proxy-agent is 100.0% likely to have a medium risk anomaly
Notes: The code fragment is a conventional HTTP proxy agent component handling optional proxy authentication and dynamic header adjustments. There is no evidence of malicious activity, data exfiltration, or supply-chain abuse within this fragment. The main concerns relate to reliance on internal Node.js fields (version fragility) and potential in-memory exposure of credentials, but these are standard operational caveats for proxy clients and do not indicate malice.
Confidence: 1.00
Severity: 0.60
From: ? → npm/rollup@2.80.0 → npm/crypto-browserify@3.12.1 → npm/@jest/expect@29.5.0 → npm/jest@29.5.0 → npm/webpack-dev-server@5.2.2 → npm/fork-ts-checker-webpack-plugin@9.0.2 → npm/tsx@4.20.3 → npm/vite@6.4.1 → npm/playwright@1.57.0 → npm/http-proxy-agent@5.0.0
ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?
To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/http-proxy-agent@5.0.0.
|
|
See 2 more rows in the dashboard
|