Squash actions by mikolalysenko · Pull Request #43 · SocketDev/socket-patch

mikolalysenko · 2026-03-23T23:53:00Z

No description provided.

socket-security · 2026-03-23T23:54:35Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/@types/nock@11.1.0
	npm/minimatch@9.0.3
	npm/eslint@8.57.0
	npm/eslint@8.55.0
	npm/eslint@8.31.0
	npm/eslint@8.28.0
	npm/glob@8.0.3
	cargo/tokio@1.48.0
	npm/jest@29.7.0
	npm/jest@29.3.1
	npm/jest@28.1.3
	npm/@typescript-eslint/parser@5.48.0
	npm/@typescript-eslint/parser@5.62.0
	pypi/urllib3@2.5.0
	npm/eslint-config-prettier@8.5.0
	npm/eslint-config-prettier@8.10.0
	pypi/pyinstaller@6.10.0
	pypi/pyinstaller@6.19.0
	npm/typescript-eslint@8.46.3
	pypi/setuptools@75.3.2
	pypi/pip@25.2
	npm/@types/semver@7.7.0
	npm/@types/semver@7.5.8
	pypi/numpy@2.2.4
	npm/@iarna/toml@3.0.0
	npm/eslint-plugin-node@11.1.0
	npm/linux-os-info@2.0.0
	npm/@types/jest@29.5.14
	npm/@types/jest@29.5.12
	npm/@types/jest@27.5.2
	npm/@types/jest@29.2.5
	npm/eslint-plugin-simple-import-sort@7.0.0
	npm/vitest@4.0.7
See 146 more rows in the dashboard

View full report

socket-security · 2026-03-23T23:54:36Z

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Warn		Critical CVE: npm `form-data` uses unsafe random function in form-data for choosing boundary CVE: GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary (CRITICAL) Affected versions: < 2.5.4; >= 3.0.0 < 3.0.4; >= 4.0.0 < 4.0.4 Patched version: 4.0.4 From: .github/actions/actions/setup-python/a26af69be951a213d495a4c3e4e4022e16d87065/package-lock.json → `npm/@actions/cache@4.0.3` → `npm/form-data@4.0.0` ℹ Read more on: This package \| This alert \| What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/form-data@4.0.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm `vite` is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: .github/actions/rust-lang/crates-io-auth-action/b7e9a28eded4986ec6b1fa40eeee8f8f165559ec/pnpm-lock.yaml → `npm/vitest@4.0.7` → `npm/vite@7.2.1` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/vite@7.2.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: pypi `pyinstaller` License: GPL-2.0-or-later WITH Bootloader-exception - the applicable license policy does not allow this license exception (pyinstaller-6.10.0/COPYING.txt) From: .github/actions/actions/setup-python/a26af69be951a213d495a4c3e4e4022e16d87065/tests/data/inner/poetry.lock → `pypi/pyinstaller@6.10.0` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/pyinstaller@6.10.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: pypi `pyinstaller` License: GPL-2.0-or-later WITH Bootloader-exception - the applicable license policy does not allow this license exception (pyinstaller-6.10.0.dist-info/COPYING.txt) From: .github/actions/actions/setup-python/a26af69be951a213d495a4c3e4e4022e16d87065/tests/data/inner/poetry.lock → `pypi/pyinstaller@6.10.0` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/pyinstaller@6.10.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: pypi `pyinstaller` License: GPL-2.0-or-later WITH Bootloader-exception - the applicable license policy does not allow this license exception (pyinstaller-6.10.0.dist-info/COPYING.txt) From: .github/actions/actions/setup-python/a26af69be951a213d495a4c3e4e4022e16d87065/tests/data/inner/poetry.lock → `pypi/pyinstaller@6.10.0` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/pyinstaller@6.10.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: pypi `pyinstaller` License: GPL-2.0-or-later WITH Bootloader-exception - the applicable license policy does not allow this license exception (pyinstaller-6.10.0.dist-info/COPYING.txt) From: .github/actions/actions/setup-python/a26af69be951a213d495a4c3e4e4022e16d87065/tests/data/inner/poetry.lock → `pypi/pyinstaller@6.10.0` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/pyinstaller@6.10.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: pypi `pyinstaller` License: GPL-2.0-or-later WITH Bootloader-exception - the applicable license policy does not allow this license exception (pyinstaller-6.10.0.dist-info/COPYING.txt) From: .github/actions/actions/setup-python/a26af69be951a213d495a4c3e4e4022e16d87065/tests/data/inner/poetry.lock → `pypi/pyinstaller@6.10.0` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/pyinstaller@6.10.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: pypi `pyinstaller` License: GPL-2.0-or-later WITH Bootloader-exception - the applicable license policy does not allow this license exception (pyinstaller-6.10.0.dist-info/COPYING.txt) From: .github/actions/actions/setup-python/a26af69be951a213d495a4c3e4e4022e16d87065/tests/data/inner/poetry.lock → `pypi/pyinstaller@6.10.0` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/pyinstaller@6.10.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: pypi `pyinstaller` License: GPL-2.0-or-later WITH Bootloader-exception - the applicable license policy does not allow this license exception (pyinstaller-6.10.0.dist-info/COPYING.txt) From: .github/actions/actions/setup-python/a26af69be951a213d495a4c3e4e4022e16d87065/tests/data/inner/poetry.lock → `pypi/pyinstaller@6.10.0` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/pyinstaller@6.10.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: pypi `pyinstaller` License: GPL-2.0-or-later WITH Bootloader-exception - the applicable license policy does not allow this license exception (pyinstaller-6.10.0.dist-info/COPYING.txt) From: .github/actions/actions/setup-python/a26af69be951a213d495a4c3e4e4022e16d87065/tests/data/inner/poetry.lock → `pypi/pyinstaller@6.10.0` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/pyinstaller@6.10.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: pypi `pyinstaller` License: GPL-2.0-or-later WITH Bootloader-exception - the applicable license policy does not allow this license exception (pyinstaller-6.10.0.dist-info/COPYING.txt) From: .github/actions/actions/setup-python/a26af69be951a213d495a4c3e4e4022e16d87065/tests/data/inner/poetry.lock → `pypi/pyinstaller@6.10.0` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/pyinstaller@6.10.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: pypi `pyinstaller` License: GPL-2.0-or-later WITH Bootloader-exception - the applicable license policy does not allow this license exception (pyinstaller-6.10.0.dist-info/COPYING.txt) From: .github/actions/actions/setup-python/a26af69be951a213d495a4c3e4e4022e16d87065/tests/data/inner/poetry.lock → `pypi/pyinstaller@6.10.0` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/pyinstaller@6.10.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: pypi `pyinstaller` License: GPL-2.0-or-later WITH Bootloader-exception - the applicable license policy does not allow this license exception (pyinstaller-6.10.0.dist-info/COPYING.txt) From: .github/actions/actions/setup-python/a26af69be951a213d495a4c3e4e4022e16d87065/tests/data/inner/poetry.lock → `pypi/pyinstaller@6.10.0` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/pyinstaller@6.10.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: pypi `pyinstaller` License: GPL-2.0-or-later WITH Bootloader-exception - the applicable license policy does not allow this license exception (pyinstaller-6.10.0.dist-info/COPYING.txt) From: .github/actions/actions/setup-python/a26af69be951a213d495a4c3e4e4022e16d87065/tests/data/inner/poetry.lock → `pypi/pyinstaller@6.10.0` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/pyinstaller@6.10.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: pypi `pyinstaller` License: GPL-2.0-or-later WITH Bootloader-exception - the applicable license policy does not allow this license exception (pyinstaller-6.19.0/COPYING.txt) From: .github/actions/actions/setup-python/a26af69be951a213d495a4c3e4e4022e16d87065/tests/data/inner/pyproject.toml → `pypi/pyinstaller@6.19.0` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/pyinstaller@6.19.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: pypi `pyinstaller` License: GPL-2.0-or-later WITH Bootloader-exception - the applicable license policy does not allow this license exception (pyinstaller-6.19.0.dist-info/licenses/COPYING.txt) From: .github/actions/actions/setup-python/a26af69be951a213d495a4c3e4e4022e16d87065/tests/data/inner/pyproject.toml → `pypi/pyinstaller@6.19.0` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/pyinstaller@6.19.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: pypi `pyinstaller` License: GPL-2.0-or-later WITH Bootloader-exception - the applicable license policy does not allow this license exception (pyinstaller-6.19.0.dist-info/licenses/COPYING.txt) From: .github/actions/actions/setup-python/a26af69be951a213d495a4c3e4e4022e16d87065/tests/data/inner/pyproject.toml → `pypi/pyinstaller@6.19.0` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/pyinstaller@6.19.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: pypi `pyinstaller` License: GPL-2.0-or-later WITH Bootloader-exception - the applicable license policy does not allow this license exception (pyinstaller-6.19.0.dist-info/licenses/COPYING.txt) From: .github/actions/actions/setup-python/a26af69be951a213d495a4c3e4e4022e16d87065/tests/data/inner/pyproject.toml → `pypi/pyinstaller@6.19.0` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/pyinstaller@6.19.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: pypi `pyinstaller` License: GPL-2.0-or-later WITH Bootloader-exception - the applicable license policy does not allow this license exception (pyinstaller-6.19.0.dist-info/licenses/COPYING.txt) From: .github/actions/actions/setup-python/a26af69be951a213d495a4c3e4e4022e16d87065/tests/data/inner/pyproject.toml → `pypi/pyinstaller@6.19.0` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/pyinstaller@6.19.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: pypi `pyinstaller` License: GPL-2.0-or-later WITH Bootloader-exception - the applicable license policy does not allow this license exception (pyinstaller-6.19.0.dist-info/licenses/COPYING.txt) From: .github/actions/actions/setup-python/a26af69be951a213d495a4c3e4e4022e16d87065/tests/data/inner/pyproject.toml → `pypi/pyinstaller@6.19.0` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/pyinstaller@6.19.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: pypi `pyinstaller` License: GPL-2.0-or-later WITH Bootloader-exception - the applicable license policy does not allow this license exception (pyinstaller-6.19.0.dist-info/licenses/COPYING.txt) From: .github/actions/actions/setup-python/a26af69be951a213d495a4c3e4e4022e16d87065/tests/data/inner/pyproject.toml → `pypi/pyinstaller@6.19.0` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/pyinstaller@6.19.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: pypi `pyinstaller` License: GPL-2.0-or-later WITH Bootloader-exception - the applicable license policy does not allow this license exception (pyinstaller-6.19.0.dist-info/licenses/COPYING.txt) From: .github/actions/actions/setup-python/a26af69be951a213d495a4c3e4e4022e16d87065/tests/data/inner/pyproject.toml → `pypi/pyinstaller@6.19.0` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/pyinstaller@6.19.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: pypi `pyinstaller` License: GPL-2.0-or-later WITH Bootloader-exception - the applicable license policy does not allow this license exception (pyinstaller-6.19.0.dist-info/licenses/COPYING.txt) From: .github/actions/actions/setup-python/a26af69be951a213d495a4c3e4e4022e16d87065/tests/data/inner/pyproject.toml → `pypi/pyinstaller@6.19.0` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/pyinstaller@6.19.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: pypi `pyinstaller` License: GPL-2.0-or-later WITH Bootloader-exception - the applicable license policy does not allow this license exception (pyinstaller-6.19.0.dist-info/licenses/COPYING.txt) From: .github/actions/actions/setup-python/a26af69be951a213d495a4c3e4e4022e16d87065/tests/data/inner/pyproject.toml → `pypi/pyinstaller@6.19.0` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/pyinstaller@6.19.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: pypi `pyinstaller` License: GPL-2.0-or-later WITH Bootloader-exception - the applicable license policy does not allow this license exception (pyinstaller-6.19.0.dist-info/licenses/COPYING.txt) From: .github/actions/actions/setup-python/a26af69be951a213d495a4c3e4e4022e16d87065/tests/data/inner/pyproject.toml → `pypi/pyinstaller@6.19.0` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/pyinstaller@6.19.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: pypi `pyinstaller` License: GPL-2.0-or-later WITH Bootloader-exception - the applicable license policy does not allow this license exception (pyinstaller-6.19.0.dist-info/licenses/COPYING.txt) From: .github/actions/actions/setup-python/a26af69be951a213d495a4c3e4e4022e16d87065/tests/data/inner/pyproject.toml → `pypi/pyinstaller@6.19.0` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/pyinstaller@6.19.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

socket-security-staging · 2026-03-23T23:59:34Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/@types/nock@11.1.0
	npm/minimatch@9.0.3
	npm/eslint@8.57.0
	npm/eslint@8.55.0
	npm/eslint@8.31.0
	npm/eslint@8.28.0
	npm/glob@8.0.3
	cargo/tokio@1.48.0
	npm/jest@29.7.0
	npm/jest@29.3.1
	npm/jest@28.1.3
	npm/@typescript-eslint/parser@5.48.0
	npm/@typescript-eslint/parser@5.62.0
	pypi/urllib3@2.5.0
	npm/eslint-config-prettier@8.5.0
	npm/eslint-config-prettier@8.10.0
	pypi/pyinstaller@6.10.0
	pypi/pyinstaller@6.19.0
	npm/typescript-eslint@8.46.3
	pypi/setuptools@75.3.2
	pypi/pip@25.2
	npm/@types/semver@7.7.0
	npm/@types/semver@7.5.8
	pypi/numpy@2.2.4
	npm/@types/jest@29.2.5
	npm/@iarna/toml@3.0.0
	npm/eslint-plugin-node@11.1.0
	npm/@types/jest@29.5.14
	npm/@types/jest@29.5.12
	npm/@types/jest@27.5.2
	npm/linux-os-info@2.0.0
See 149 more rows in the dashboard

View full report

socket-security-staging · 2026-03-23T23:59:36Z

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Block		Malicious package: npm `@azure/core-paging` Note: Malicious code in core-paging (npm) Source: ghsa-malware (30a07b0b414cf37a67726b7c05234a6477fce90ea1f4fd51cffcd229eb0eb777) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. From: `?` → `npm/@actions/cache@5.0.3` → `npm/@azure/core-paging@1.6.2` ℹ Read more on: This package \| This alert \| What is known malware? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: It is strongly recommended that malware is removed from your codebase. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity-Staging ignore npm/@azure/core-paging@1.6.2`. You can also ignore all packages with `@SocketSecurity-Staging ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Malicious package: npm `@azure/core-tracing` Note: Malicious code in core-tracing (npm) Source: ghsa-malware (2c96af24051cb27c2f35974f06c2c5ab249abf90adda776ed4714c88c140aee2) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. From: .github/actions/actions/setup-python/a26af69be951a213d495a4c3e4e4022e16d87065/package-lock.json → `npm/@actions/cache@4.0.3` → `npm/@azure/core-tracing@1.0.0-preview.13` ℹ Read more on: This package \| This alert \| What is known malware? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: It is strongly recommended that malware is removed from your codebase. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity-Staging ignore npm/@azure/core-tracing@1.0.0-preview.13`. You can also ignore all packages with `@SocketSecurity-Staging ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Malicious package: npm `@jridgewell/gen-mapping` Note: Malicious code in gen-mapping (npm) Source: ghsa-malware (b4eec31ee330eb33aaa0bd7ce9a12d554bd6cad4d845e221ee1c01d5942a5ca3) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. From: .github/actions/actions/upload-artifact/ea165f8d65b6e75b540449e92b4886f43607fa02/package-lock.json → `npm/jest@29.3.1` → `npm/ts-jest@29.0.3` → `npm/jest-circus@29.3.1` → `npm/@jridgewell/gen-mapping@0.1.1` ℹ Read more on: This package \| This alert \| What is known malware? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: It is strongly recommended that malware is removed from your codebase. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity-Staging ignore npm/@jridgewell/gen-mapping@0.1.1`. You can also ignore all packages with `@SocketSecurity-Staging ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Malicious package: npm `@jridgewell/gen-mapping` Note: Malicious code in gen-mapping (npm) Source: ghsa-malware (b4eec31ee330eb33aaa0bd7ce9a12d554bd6cad4d845e221ee1c01d5942a5ca3) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. From: .github/actions/actions/upload-artifact/ea165f8d65b6e75b540449e92b4886f43607fa02/package-lock.json → `npm/jest@29.3.1` → `npm/ts-jest@29.0.3` → `npm/jest-circus@29.3.1` → `npm/@jridgewell/gen-mapping@0.3.2` ℹ Read more on: This package \| This alert \| What is known malware? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: It is strongly recommended that malware is removed from your codebase. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity-Staging ignore npm/@jridgewell/gen-mapping@0.3.2`. You can also ignore all packages with `@SocketSecurity-Staging ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Malicious package: npm `@jridgewell/gen-mapping` Note: Malicious code in gen-mapping (npm) Source: ghsa-malware (b4eec31ee330eb33aaa0bd7ce9a12d554bd6cad4d845e221ee1c01d5942a5ca3) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. From: .github/actions/actions/setup-python/a26af69be951a213d495a4c3e4e4022e16d87065/package-lock.json → `npm/jest@29.7.0` → `npm/jest-circus@29.7.0` → `npm/ts-jest@29.3.2` → `npm/@jridgewell/gen-mapping@0.3.3` ℹ Read more on: This package \| This alert \| What is known malware? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: It is strongly recommended that malware is removed from your codebase. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity-Staging ignore npm/@jridgewell/gen-mapping@0.3.3`. You can also ignore all packages with `@SocketSecurity-Staging ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Malicious package: npm `@jridgewell/gen-mapping` Note: Malicious code in gen-mapping (npm) Source: ghsa-malware (b4eec31ee330eb33aaa0bd7ce9a12d554bd6cad4d845e221ee1c01d5942a5ca3) Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be rotated immediately from a different computer. The package should be removed, but as full control of the computer may have been given to an outside entity, there is no guarantee that removing the package will remove all malicious software resulting from installing it. From: .github/actions/actions/download-artifact/d3f86a106a0bac45b974a628896c90dbdf5c8093/package-lock.json → `npm/jest@29.7.0` → `npm/ts-jest@29.2.6` → `npm/@jridgewell/gen-mapping@0.3.8` ℹ Read more on: This package \| This alert \| What is known malware? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: It is strongly recommended that malware is removed from your codebase. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity-Staging ignore npm/@jridgewell/gen-mapping@0.3.8`. You can also ignore all packages with `@SocketSecurity-Staging ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Critical CVE: npm `form-data` uses unsafe random function in form-data for choosing boundary CVE: GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary (CRITICAL) Affected versions: < 2.5.4; >= 3.0.0 < 3.0.4; >= 4.0.0 < 4.0.4 Patched version: 2.5.4 From: .github/actions/actions/setup-python/a26af69be951a213d495a4c3e4e4022e16d87065/package-lock.json → `npm/@actions/cache@4.0.3` → `npm/form-data@2.5.1` ℹ Read more on: This package \| This alert \| What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity-Staging ignore npm/form-data@2.5.1`. You can also ignore all packages with `@SocketSecurity-Staging ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Critical CVE: npm `form-data` uses unsafe random function in form-data for choosing boundary CVE: GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary (CRITICAL) Affected versions: < 2.5.4; >= 3.0.0 < 3.0.4; >= 4.0.0 < 4.0.4 Patched version: 4.0.4 From: .github/actions/actions/setup-python/a26af69be951a213d495a4c3e4e4022e16d87065/package-lock.json → `npm/@actions/cache@4.0.3` → `npm/form-data@4.0.0` ℹ Read more on: This package \| This alert \| What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity-Staging ignore npm/form-data@4.0.0`. You can also ignore all packages with `@SocketSecurity-Staging ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Regular Expression Denial of Service (ReDoS) in npm `cross-spawn` CVE: GHSA-3xgq-45jj-v275 Regular Expression Denial of Service (ReDoS) in cross-spawn (HIGH) Affected versions: >= 7.0.0 < 7.0.5; < 6.0.6 Patched version: 7.0.5 From: .github/actions/actions/download-artifact/d3f86a106a0bac45b974a628896c90dbdf5c8093/package-lock.json → `npm/jest@29.7.0` → `npm/@actions/artifact@2.3.2` → `npm/eslint@8.55.0` → `npm/eslint-plugin-prettier@5.0.1` → `npm/cross-spawn@7.0.3` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity-Staging ignore npm/cross-spawn@7.0.3`. You can also ignore all packages with `@SocketSecurity-Staging ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: npm `fast-xml-parser` affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) CVE: GHSA-8gc5-j5rx-235r fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) (HIGH) Affected versions: >= 4.0.0-beta.3 < 5.5.6 Patched version: 5.5.6 From: `?` → `npm/@actions/cache@5.0.3` → `npm/fast-xml-parser@5.4.1` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity-Staging ignore npm/fast-xml-parser@5.4.1`. You can also ignore all packages with `@SocketSecurity-Staging ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: npm `flatted` vulnerable to unbounded recursion DoS in parse() revive phase CVE: GHSA-25h7-pfq9-p65f flatted vulnerable to unbounded recursion DoS in parse() revive phase (HIGH) Affected versions: < 3.4.0 Patched version: 3.4.0 From: .github/actions/actions/cache/0057852bfaa89a56745cba8c7296529d2fc39830/package-lock.json → `npm/eslint@8.28.0` → `npm/flatted@3.2.5` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity-Staging ignore npm/flatted@3.2.5`. You can also ignore all packages with `@SocketSecurity-Staging ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Prototype Pollution via parse() in NodeJS npm `flatted` CVE: GHSA-rf6f-7fwh-wjgh Prototype Pollution via parse() in NodeJS flatted (HIGH) Affected versions: < 3.4.2 Patched version: 3.4.2 From: .github/actions/actions/cache/0057852bfaa89a56745cba8c7296529d2fc39830/package-lock.json → `npm/eslint@8.28.0` → `npm/flatted@3.2.5` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity-Staging ignore npm/flatted@3.2.5`. You can also ignore all packages with `@SocketSecurity-Staging ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: npm `flatted` vulnerable to unbounded recursion DoS in parse() revive phase CVE: GHSA-25h7-pfq9-p65f flatted vulnerable to unbounded recursion DoS in parse() revive phase (HIGH) Affected versions: < 3.4.0 Patched version: 3.4.0 From: .github/actions/actions/upload-artifact/ea165f8d65b6e75b540449e92b4886f43607fa02/package-lock.json → `npm/eslint@8.31.0` → `npm/flatted@3.2.7` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity-Staging ignore npm/flatted@3.2.7`. You can also ignore all packages with `@SocketSecurity-Staging ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Prototype Pollution via parse() in NodeJS npm `flatted` CVE: GHSA-rf6f-7fwh-wjgh Prototype Pollution via parse() in NodeJS flatted (HIGH) Affected versions: < 3.4.2 Patched version: 3.4.2 From: .github/actions/actions/upload-artifact/ea165f8d65b6e75b540449e92b4886f43607fa02/package-lock.json → `npm/eslint@8.31.0` → `npm/flatted@3.2.7` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity-Staging ignore npm/flatted@3.2.7`. You can also ignore all packages with `@SocketSecurity-Staging ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: npm `flatted` vulnerable to unbounded recursion DoS in parse() revive phase CVE: GHSA-25h7-pfq9-p65f flatted vulnerable to unbounded recursion DoS in parse() revive phase (HIGH) Affected versions: < 3.4.0 Patched version: 3.4.0 From: .github/actions/actions/setup-python/a26af69be951a213d495a4c3e4e4022e16d87065/package-lock.json → `npm/eslint@8.57.0` → `npm/flatted@3.2.9` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity-Staging ignore npm/flatted@3.2.9`. You can also ignore all packages with `@SocketSecurity-Staging ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Prototype Pollution via parse() in NodeJS npm `flatted` CVE: GHSA-rf6f-7fwh-wjgh Prototype Pollution via parse() in NodeJS flatted (HIGH) Affected versions: < 3.4.2 Patched version: 3.4.2 From: .github/actions/actions/setup-python/a26af69be951a213d495a4c3e4e4022e16d87065/package-lock.json → `npm/eslint@8.57.0` → `npm/flatted@3.2.9` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity-Staging ignore npm/flatted@3.2.9`. You can also ignore all packages with `@SocketSecurity-Staging ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: npm `flatted` vulnerable to unbounded recursion DoS in parse() revive phase CVE: GHSA-25h7-pfq9-p65f flatted vulnerable to unbounded recursion DoS in parse() revive phase (HIGH) Affected versions: < 3.4.0 Patched version: 3.4.0 From: .github/actions/rust-lang/crates-io-auth-action/b7e9a28eded4986ec6b1fa40eeee8f8f165559ec/pnpm-lock.yaml → `npm/eslint@9.39.1` → `npm/flatted@3.3.3` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity-Staging ignore npm/flatted@3.3.3`. You can also ignore all packages with `@SocketSecurity-Staging ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Prototype Pollution via parse() in NodeJS npm `flatted` CVE: GHSA-rf6f-7fwh-wjgh Prototype Pollution via parse() in NodeJS flatted (HIGH) Affected versions: < 3.4.2 Patched version: 3.4.2 From: .github/actions/rust-lang/crates-io-auth-action/b7e9a28eded4986ec6b1fa40eeee8f8f165559ec/pnpm-lock.yaml → `npm/eslint@9.39.1` → `npm/flatted@3.3.3` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity-Staging ignore npm/flatted@3.3.3`. You can also ignore all packages with `@SocketSecurity-Staging ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: npm `glob` CLI: Command injection via -c/--cmd executes matches with shell:true CVE: GHSA-5j98-mcp5-4vw2 glob CLI: Command injection via -c/--cmd executes matches with shell:true (HIGH) Affected versions: >= 11.0.0 < 11.1.0; >= 10.2.0 < 10.5.0 Patched version: 10.5.0 From: .github/actions/actions/download-artifact/d3f86a106a0bac45b974a628896c90dbdf5c8093/package-lock.json → `npm/@actions/artifact@2.3.2` → `npm/glob@10.3.12` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity-Staging ignore npm/glob@10.3.12`. You can also ignore all packages with `@SocketSecurity-Staging ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: npm `minimatch` ReDoS: nested () extglobs generate catastrophically backtracking regular expressions CVE:* GHSA-23c5-xmqv-rm74 minimatch ReDoS: nested () extglobs generate catastrophically backtracking regular expressions (HIGH) Affected versions:* >= 10.0.0 < 10.2.3; >= 9.0.0 < 9.0.7; >= 8.0.0 < 8.0.6; >= 7.0.0 < 7.4.8; >= 6.0.0 < 6.2.2; >= 5.0.0 < 5.1.8; >= 4.0.0 < 4.2.5; < 3.1.4 Patched version: 3.1.4 From: .github/actions/actions/setup-python/a26af69be951a213d495a4c3e4e4022e16d87065/package-lock.json → `npm/jest@29.7.0` → `npm/jest-circus@29.7.0` → `npm/eslint-plugin-node@11.1.0` → `npm/ts-jest@29.3.2` → `npm/@actions/cache@4.0.3` → `npm/@actions/glob@0.5.0` → `npm/eslint@8.57.0` → `npm/minimatch@3.1.2` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity-Staging ignore npm/minimatch@3.1.2`. You can also ignore all packages with `@SocketSecurity-Staging ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: npm `minimatch` has a ReDoS via repeated wildcards with non-matching literal in pattern CVE: GHSA-3ppc-4f35-3m26 minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern (HIGH) Affected versions: >= 10.0.0 < 10.2.1; >= 9.0.0 < 9.0.6; >= 8.0.0 < 8.0.5; >= 7.0.0 < 7.4.7; >= 6.0.0 < 6.2.1; >= 5.0.0 < 5.1.7; >= 4.0.0 < 4.2.4; < 3.1.3 Patched version: 3.1.3 From: .github/actions/actions/setup-python/a26af69be951a213d495a4c3e4e4022e16d87065/package-lock.json → `npm/jest@29.7.0` → `npm/jest-circus@29.7.0` → `npm/eslint-plugin-node@11.1.0` → `npm/ts-jest@29.3.2` → `npm/@actions/cache@4.0.3` → `npm/@actions/glob@0.5.0` → `npm/eslint@8.57.0` → `npm/minimatch@3.1.2` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity-Staging ignore npm/minimatch@3.1.2`. You can also ignore all packages with `@SocketSecurity-Staging ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: npm `minimatch` has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments CVE: GHSA-7r86-cg39-jmmj minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments (HIGH) Affected versions: >= 10.0.0 < 10.2.3; >= 9.0.0 < 9.0.7; >= 8.0.0 < 8.0.6; >= 7.0.0 < 7.4.8; >= 6.0.0 < 6.2.2; >= 5.0.0 < 5.1.8; >= 4.0.0 < 4.2.5; < 3.1.3 Patched version: 3.1.3 From: .github/actions/actions/setup-python/a26af69be951a213d495a4c3e4e4022e16d87065/package-lock.json → `npm/jest@29.7.0` → `npm/jest-circus@29.7.0` → `npm/eslint-plugin-node@11.1.0` → `npm/ts-jest@29.3.2` → `npm/@actions/cache@4.0.3` → `npm/@actions/glob@0.5.0` → `npm/eslint@8.57.0` → `npm/minimatch@3.1.2` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity-Staging ignore npm/minimatch@3.1.2`. You can also ignore all packages with `@SocketSecurity-Staging ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: npm `minimatch` has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments CVE: GHSA-7r86-cg39-jmmj minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments (HIGH) Affected versions: >= 10.0.0 < 10.2.3; >= 9.0.0 < 9.0.7; >= 8.0.0 < 8.0.6; >= 7.0.0 < 7.4.8; >= 6.0.0 < 6.2.2; >= 5.0.0 < 5.1.8; >= 4.0.0 < 4.2.5; < 3.1.3 Patched version: 5.1.8 From: .github/actions/actions/upload-artifact/ea165f8d65b6e75b540449e92b4886f43607fa02/package-lock.json → `npm/glob@8.0.3` → `npm/minimatch@5.1.2` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity-Staging ignore npm/minimatch@5.1.2`. You can also ignore all packages with `@SocketSecurity-Staging ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
See 83 more rows in the dashboard

View full report

squash actions

8499efa

.

59b9052

mikolalysenko closed this Mar 24, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Squash actions#43

Squash actions#43
mikolalysenko wants to merge 2 commits intomainfrom
mik-flatten-actions

mikolalysenko commented Mar 23, 2026

Uh oh!

socket-security bot commented Mar 23, 2026 •

edited

Loading

Uh oh!

socket-security bot commented Mar 23, 2026 •

edited

Loading

Uh oh!

socket-security-staging bot commented Mar 23, 2026 •

edited

Loading

Uh oh!

socket-security-staging bot commented Mar 23, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

mikolalysenko commented Mar 23, 2026

Uh oh!

socket-security bot commented Mar 23, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

socket-security bot commented Mar 23, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

socket-security-staging bot commented Mar 23, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

socket-security-staging bot commented Mar 23, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

socket-security bot commented Mar 23, 2026 •

edited

Loading

socket-security bot commented Mar 23, 2026 •

edited

Loading

socket-security-staging bot commented Mar 23, 2026 •

edited

Loading

socket-security-staging bot commented Mar 23, 2026 •

edited

Loading