Eval Type: eval

Location: Package overview

From: ? → npm/eslint-scope@5.1.1

ℹ Read more on: This package | This alert | What is dynamic code execution?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/eslint-scope@5.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Location: Package overview

From: ? → npm/is-obj@1.0.1

ℹ Read more on: This package | This alert | What are trivial packages?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Removing this package as a dependency and implementing its logic will reduce supply chain risk.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/is-obj@1.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Eval Type: Function

Location: Package overview

From: ? → npm/lodash.memoize@4.1.2

ℹ Read more on: This package | This alert | What is dynamic code execution?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lodash.memoize@4.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Module: http

Location: Package overview

From: ? → npm/methods@1.1.2

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/methods@1.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Did you mean: parseurli

From: ? → npm/parseurl@1.3.3

ℹ Read more on: This package | This alert | What is AI-detected potential typosquatting?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Given the AI system's identification of this package as a potential typosquat, please verify that you did not intend to install a different package. Be cautious, as malicious packages often use names similar to popular ones.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/parseurl@1.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Module: dns

Location: Package overview

From: ? → npm/socks-proxy-agent@8.0.5

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/socks-proxy-agent@8.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Module: net

Location: Package overview

From: ? → npm/socks-proxy-agent@8.0.5

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/socks-proxy-agent@8.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Module: tls

Location: Package overview

From: ? → npm/socks-proxy-agent@8.0.5

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/socks-proxy-agent@8.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Module: child_process

Location: Package overview

From: packages/utils/package.json → npm/tree-kill@1.2.2

ℹ Read more on: This package | This alert | What is shell access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tree-kill@1.2.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

URLs: https://github.com/nodejs/node/pull/38248, Function.prototype.call

Location: Package overview

From: ? → npm/@pkgjs/parseargs@0.11.0

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@pkgjs/parseargs@0.11.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Notes: The code snippet demonstrates a non-standard HTTP(S) Agent extension used for customized socket pooling and delayed socket acquisition. While complex and reliant on internal Node APIs (and using @ts-expect-error to bypass typings), there is no clear evidence of malicious intent such as data exfiltration, backdoors, or remote control mechanisms within this fragment. The structure could pose stability or compatibility risks due to internal API usage, and could be exploited if combined with other vulnerabilities, but the shown code itself does not exhibit malicious behavior.

Confidence: 1.00

Severity: 0.60

From: ? → npm/agent-base@7.1.3

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/agent-base@7.1.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

URLs: https://gist.github.com/dperini/729294, https://mathiasbynens.be/demo/url-regex, https://www.safaribooksonline.com/library/view/regular-expressions-cookbook/9780596802837/ch07s16.html, http://tools.ietf.org/html/rfc4122, https://tools.ietf.org/html/rfc6901, https://tools.ietf.org/html/rfc3986#appendix-A, http://tools.ietf.org/html/draft-luff-relative-json-pointer-00, https://spec.openapis.org/oas/v3.0.0#data-types, https://github.com/miguelmota/is-base64, https://github.com/mafintosh/is-my-json-valid/blob/master/formats.js, http://stackoverflow.com/questions/201323/using-a-regular-expression-to-validate-an-email-address#answer-8829363, http://www.w3.org/TR/html5/forms.html#valid-e-mail-address, https://tools.ietf.org/html/rfc3339#appendix-C, http://tools.ietf.org/html/rfc3339#section-5.6, http://jmrware.com/articles/2009/uri_regexp/URI_regex.html

Location: Package overview

From: ? → npm/ajv-formats@2.1.1

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv-formats@2.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

URLs: http://json-schema.org/schema

Location: Package overview

From: ? → npm/ajv-keywords@5.1.0

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv-keywords@5.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Notes: The code represents a conventional, non-obfuscated part of AJV’s custom keyword support. No direct malicious actions are evident within this module. Security concerns mainly arise from the broader supply chain: the external rule implementation (dotjs/custom), the definition schema, and any user-supplied keyword definitions. The dynamic compilation path (compile(metaSchema, true)) should be exercised with trusted inputs. Recommended follow-up: review the contents of the external modules and monitor the inputs supplied to addKeyword/definitionSchema to ensure no unsafe behavior is introduced during validation or data handling.

Confidence: 1.00

Severity: 0.60

From: ? → npm/ajv@6.12.6

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@6.12.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

URLs: https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#, https://github.com/ajv-validator/ajv/blob/master/lib/definition_schema.js, http://json-schema.org/draft-07/schema, schema.id, http://json-schema.org/schema, https://gist.github.com/dperini/729294, https://mathiasbynens.be/demo/url-regex, https://github.com/eslint/eslint/issues/7983., http://tools.ietf.org/html/rfc3339#section-5.6, https://github.com/mafintosh/is-my-json-valid/blob/master/formats.js, http://stackoverflow.com/questions/201323/using-a-regular-expression-to-validate-an-email-address#answer-8829363, http://www.w3.org/TR/html5/forms.html#valid-e-mail-address, https://www.safaribooksonline.com/library/view/regular-expressions-cookbook/9780596802837/ch07s16.html, http://stackoverflow.com/questions/53497/regular-expression-that-matches-valid-ipv6-addresses, http://tools.ietf.org/html/rfc4122, https://tools.ietf.org/html/rfc6901, https://tools.ietf.org/html/rfc3986#appendix-A, http://tools.ietf.org/html/draft-luff-relative-json-pointer-00, https://tools.ietf.org/html/rfc3339#appendix-C, http://jmrware.com/articles/2009/uri_regexp/URI_regex.html, min.js.map, https://mathiasbynens.be/notes/javascript-encoding, https://github.com/bestiejs/punycode.js, http://json-schema.org/draft-07/schema#, https://tools.ietf.org/html/rfc3492#section-3.4, gary.court@gmail.com, https://github.com/epoberezkin/fast-json-stable-stringify

Location: Package overview

From: ? → npm/ajv@6.12.6

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@6.12.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

URLs: https://github.com/Qix-/color-convert/blob/3f0e0d4e92e235796ccb17f6e85c72094a651f49/conversions.js

Location: Package overview

From: ? → npm/ansi-styles@6.2.1

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ansi-styles@6.2.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

URLs: brace.open

Location: Package overview

From: ? → npm/braces@2.3.2

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/braces@2.3.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Notes: The code appears to be a standard, non-malicious Content-Disposition header parser with strict input validation and proper encoding/decoding utilities. No evident data exfiltration or remote execution within this fragment. The primary precaution is to ensure the external decodefield function is safe and that PARAM_REGEXP robustly handles edge-case inputs to prevent DoS or parsing failures.

Confidence: 1.00

Severity: 0.60

From: ? → npm/content-disposition@0.5.4

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/content-disposition@0.5.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

New Author: phated

Previous Author: thlorenz

From: ? → npm/convert-source-map@2.0.0

ℹ Read more on: This package | This alert | What is new author?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/convert-source-map@2.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

URLs: https://github.com/thlorenz/convert-source-map#upgrading

Location: Package overview

From: ? → npm/convert-source-map@2.0.0

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/convert-source-map@2.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Module: fs/promises

Location: Package overview

From: ? → npm/cosmiconfig@8.3.6

ℹ Read more on: This package | This alert | What is filesystem access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/cosmiconfig@8.3.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Module: fs

Location: Package overview

From: ? → npm/cosmiconfig@8.3.6

ℹ Read more on: This package | This alert | What is filesystem access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/cosmiconfig@8.3.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

URLs: http://github.com/estools/escope, http://www.ecma-international.org/publications/standards/Ecma-262.htm, http://github.com/estools/esmangle, https://developer.mozilla.org/en-US/docs/SpiderMonkey/Parser_API, https://github.com/eslint/espree, https://github.com/estools/esrecurse, node.id

Location: Package overview

From: ? → npm/eslint-scope@5.1.1

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/eslint-scope@5.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Module: fs

Location: Package overview

From: ? → npm/etag@1.8.1

ℹ Read more on: This package | This alert | What is filesystem access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/etag@1.8.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Notes: The analyzed code is a conventional object merge utility with explicit safeguards against prototype pollution and support for deep/shallow merging. It is self-contained, non-networking, and suitable for safe inclusion in many JavaScript projects. No malicious behavior detected under the provided scope. Security risk remains low when used with trusted inputs, but care should be taken when merging untrusted objects into critical targets.

Confidence: 1.00

Severity: 0.60

From: ? → npm/extend@3.0.2

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/extend@3.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

URLs: https://github.com/sindresorhus/globby#globbing-patterns, https://github.com/mrmlnc/fast-glob#options-3, https://github.com/mrmlnc/fast-glob, https://github.com/mrmlnc/fast-glob#isdynamicpatternpattern-options

Location: Package overview

From: ? → npm/globby@11.1.0

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/globby@11.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Module: fs

Location: Package overview

From: ? → npm/globby@11.1.0

ℹ Read more on: This package | This alert | What is filesystem access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/globby@11.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.