chore(deps): bump immutable from 4.3.4 to 4.3.8 by dependabot[bot] · Pull Request #2 · Dustin4444/rxjs

dependabot · 2026-03-04T23:10:14Z

Bumps immutable from 4.3.4 to 4.3.8.

Release notes

v4.3.8

Fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable

v4.3.7

What's Changed

Fix issue with slice negative of filtered sequence by @jdeniau in immutable-js/immutable-js#2006

Full Changelog: immutable-js/immutable-js@v4.3.6...v4.3.7

v4.3.6

What's Changed

Fix Repeat().equals(undefined) incorrectly returning true by @butchler in immutable-js/immutable-js#1994

Internals

change youtube image by @jdeniau in immutable-js/immutable-js#1973

Upgrade eslint and ignore no-constructor-return rule for actual constructors by @jdeniau in immutable-js/immutable-js#1974

upgrate documentation website to next 14 by @jdeniau in immutable-js/immutable-js#1975

start migrating to nextjs app router by @jdeniau in immutable-js/immutable-js#1976

upgrade next sitemap by @jdeniau in immutable-js/immutable-js#1978

New Contributors

@butchler made their first contribution in immutable-js/immutable-js#1994

Full Changelog: immutable-js/immutable-js@v4.3.5...v4.3.6

v4.3.5

What's Changed

Fix Set.fromKeys types with Map constructor in TS 5.0 by @jdeniau in immutable-js/immutable-js#1971

upgrade to TS 5.1 by @jdeniau in immutable-js/immutable-js#1972

fix dist-stats command by @jdeniau in immutable-js/immutable-js#1964

fix Read the Docs link on readme by @joshding in immutable-js/immutable-js#1970

New Contributors

@joshding made their first contribution in immutable-js/immutable-js#1970

Full Changelog: immutable-js/immutable-js@v4.3.4...v4.3.5

Changelog

Sourced from immutable's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning. Dates are formatted as YYYY-MM-DD.

Unreleased

5.1.5

Fix Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in immutable

5.1.4

Migrate some files to TS by @jdeniau in immutable-js/immutable-js#2125

Iterator.ts

PairSorting.ts

toJS.ts

Math.ts

Hash.ts

Extract CollectionHelperMethods and convert to TS by @jdeniau in immutable-js/immutable-js#2131

Use npm trusted publishing only to avoid token stealing.

Documentation

Fix/a11y issues by @lyannel in immutable-js/immutable-js#2136

Doc add Map.get signature update by @borracciaBlu in immutable-js/immutable-js#2138

fix(doc):minor-issues#2132 by @JayMeDotDot in immutable-js/immutable-js#2133

Fix algolia search by @jdeniau in immutable-js/immutable-js#2135

Typo in OrderedMap by @jdeniau in immutable-js/immutable-js#2144

Internal

chore: Sort all imports and activate eslint import rule by @jdeniau in immutable-js/immutable-js#2119

5.1.3

TypeScript

fix: allow readonly map entry constructor by @septs in immutable-js/immutable-js#2123

Documentation

There has been a huge amount of changes in the documentation, mainly migrate from an autogenerated documentation from .d.ts file, to a proper documentation in markdown. The playground has been included on nearly all method examples. We added a page about browser extensions too: https://immutable-js.com/browser-extension/

Internal

... (truncated)

Commits

485cbe0 4.3.8
6ed4eb6 Merge commit from fork
94bcd3c fix new proto key injection
faeb58b fix Prototype Pollution in mergeDeep, toJS, etc.
37ca417 release 4.3.7 (#2007)
23daf26 Fix issue with slice negative of filtered sequence (#2006)
493afba release 4.3.6 (#1997)
be3cb9a Fix Repeat(<value>).equals(undefined) incorrectly returning true (#1994)
d7664bf generate sitemap in path that will be deployed
f8327b1 upgrade next sitemap (#1978)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for immutable since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [immutable](https://github.com/immutable-js/immutable-js) from 4.3.4 to 4.3.8. - [Release notes](https://github.com/immutable-js/immutable-js/releases) - [Changelog](https://github.com/immutable-js/immutable-js/blob/main/CHANGELOG.md) - [Commits](immutable-js/immutable-js@v4.3.4...v4.3.8) --- updated-dependencies: - dependency-name: immutable dependency-version: 4.3.8 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>

socket-security · 2026-03-04T23:11:10Z

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Warn		Dynamic code execution: npm `function-bind` Eval Type: Function Location: Package overview From: `?` → `npm/function-bind@1.1.2` ℹ Read more on: This package \| This alert \| What is dynamic code execution? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/function-bind@1.1.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Trivial package: npm `is-arrayish` has 8 lines of code Location: Package overview From: `?` → `npm/husky@4.3.8` → `npm/@nx/js@17.3.2` → `npm/lint-staged@10.5.4` → `npm/is-arrayish@0.2.1` ℹ Read more on: This package \| This alert \| What are trivial packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Removing this package as a dependency and implementing its logic will reduce supply chain risk. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/is-arrayish@0.2.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Trivial package: npm `isarray` has 4 lines of code Location: Package overview From: `?` → `npm/isarray@2.0.5` ℹ Read more on: This package \| This alert \| What are trivial packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Removing this package as a dependency and implementing its logic will reduce supply chain risk. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/isarray@2.0.5`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Dynamic code execution: npm `istanbul-lib-coverage` Eval Type: Function Location: Package overview From: `?` → `npm/istanbul-lib-coverage@3.2.2` ℹ Read more on: This package \| This alert \| What is dynamic code execution? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/istanbul-lib-coverage@3.2.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential vulnerability: npm `picomatch` with risk level "medium" Location: Package overview From: `?` → `npm/@angular/compiler-cli@13.4.0` → `npm/tshy@1.11.0` → `npm/@nx/js@17.3.2` → `npm/lint-staged@10.5.4` → `npm/picomatch@2.3.1` ℹ Read more on: This package \| This alert \| Navigating potential vulnerabilities Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: It is advisable to proceed with caution. Engage in a review of the package's security aspects and consider reaching out to the package maintainer for the latest information or patches. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/picomatch@2.3.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Dynamic code execution: npm `smart-buffer` Eval Type: Function Location: Package overview From: `?` → `npm/smart-buffer@4.2.0` ℹ Read more on: This package \| This alert \| What is dynamic code execution? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/smart-buffer@4.2.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Publisher changed: npm `@babel/plugin-syntax-import-meta` is now published by jlhwung instead of nicolo-ribaudo New Author: jlhwung Previous Author: nicolo-ribaudo From: `?` → `npm/@nx/js@17.3.2` → `npm/@babel/plugin-syntax-import-meta@7.10.4` ℹ Read more on: This package \| This alert \| What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@babel/plugin-syntax-import-meta@7.10.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Publisher changed: npm `@babel/plugin-syntax-logical-assignment-operators` is now published by jlhwung instead of nicolo-ribaudo New Author: jlhwung Previous Author: nicolo-ribaudo From: `?` → `npm/@angular-devkit/build-angular@13.1.4` → `npm/@nx/js@17.3.2` → `npm/@babel/plugin-syntax-logical-assignment-operators@7.10.4` ℹ Read more on: This package \| This alert \| What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@babel/plugin-syntax-logical-assignment-operators@7.10.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Publisher changed: npm `@babel/plugin-syntax-numeric-separator` is now published by jlhwung instead of nicolo-ribaudo New Author: jlhwung Previous Author: nicolo-ribaudo From: `?` → `npm/@angular-devkit/build-angular@13.1.4` → `npm/@nx/js@17.3.2` → `npm/@babel/plugin-syntax-numeric-separator@7.10.4` ℹ Read more on: This package \| This alert \| What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@babel/plugin-syntax-numeric-separator@7.10.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm `@istanbuljs/load-nyc-config` with module fs Module: fs Location: Package overview From: `?` → `npm/@istanbuljs/load-nyc-config@1.1.0` ℹ Read more on: This package \| This alert \| What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@istanbuljs/load-nyc-config@1.1.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Environment variable access: npm `@istanbuljs/load-nyc-config` reads NYC_CWD Env Vars: NYC_CWD Location: Package overview From: `?` → `npm/@istanbuljs/load-nyc-config@1.1.0` ℹ Read more on: This package \| This alert \| What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@istanbuljs/load-nyc-config@1.1.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Dynamic module loading: npm `@istanbuljs/load-nyc-config` Location: Package overview From: `?` → `npm/@istanbuljs/load-nyc-config@1.1.0` ℹ Read more on: This package \| This alert \| What is dynamic require? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should avoid dynamic imports when possible. Audit the use of dynamic require to ensure it is not executing malicious or vulnerable code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@istanbuljs/load-nyc-config@1.1.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm `@istanbuljs/schema` with https://git.io/vMKZ9 URLs: https://git.io/vMKZ9 Location: Package overview From: `?` → `npm/@istanbuljs/schema@0.1.3` ℹ Read more on: This package \| This alert \| What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@istanbuljs/schema@0.1.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Environment variable access: npm `@istanbuljs/schema` reads NODE_OPTIONS Env Vars: NODE_OPTIONS Location: Package overview From: `?` → `npm/@istanbuljs/schema@0.1.3` ℹ Read more on: This package \| This alert \| What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@istanbuljs/schema@0.1.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm `@nodelib/fs.scandir` with module fs Module: fs Location: Package overview From: `?` → `npm/eslint@8.56.0` → `npm/@nx/js@17.3.2` → `npm/@nodelib/fs.scandir@2.1.5` ℹ Read more on: This package \| This alert \| What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@nodelib/fs.scandir@2.1.5`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm `@nodelib/fs.scandir` is 100.0% likely to have a medium risk anomaly Notes: The code is a conventional, well-structured implementation of a directory-reading utility that supports: reading with file types, optionally following symbolic links, and optionally returning full stat data. It uses standard Node.js filesystem patterns and a parallel task runner without obvious malicious behavior or data exfiltration. No hard-coded secrets or environment variable misuse detected. Overall security risk is low unless the surrounding project introduces insecure usage patterns; within this module itself, there is no malware or backdoor logic. Confidence: 1.00 Severity: 0.60 From: `?` → `npm/eslint@8.56.0` → `npm/@nx/js@17.3.2` → `npm/@nodelib/fs.scandir@2.1.5` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@nodelib/fs.scandir@2.1.5`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm `@pkgjs/parseargs` URLs: https://github.com/nodejs/node/pull/38248, Function.prototype.call Location: Package overview From: `?` → `npm/tshy@1.11.0` → `npm/@pkgjs/parseargs@0.11.0` ℹ Read more on: This package \| This alert \| What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@pkgjs/parseargs@0.11.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm `ansi-styles` URLs: https://github.com/Qix-/color-convert/blob/3f0e0d4e92e235796ccb17f6e85c72094a651f49/conversions.js Location: Package overview From: `?` → `npm/ansi-styles@5.2.0` ℹ Read more on: This package \| This alert \| What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/ansi-styles@5.2.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm `ansi-styles` URLs: https://github.com/Qix-/color-convert/blob/3f0e0d4e92e235796ccb17f6e85c72094a651f49/conversions.js Location: Package overview From: `?` → `npm/tshy@1.11.0` → `npm/ansi-styles@6.2.1` ℹ Read more on: This package \| This alert \| What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/ansi-styles@6.2.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Publisher changed: npm `anymatch` is now published by phated instead of paulmillr New Author: phated Previous Author: paulmillr From: `?` → `npm/@angular/compiler-cli@13.4.0` → `npm/tshy@1.11.0` → `npm/anymatch@3.1.3` ℹ Read more on: This package \| This alert \| What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/anymatch@3.1.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm `argparse` URLs: http://docs.python.org/dev/library/argparse.html#sub-commands, http://docs.python.org/dev/library/argparse.html#the-parse-args-method, http://docs.python.org/dev/library/argparse.html#partial-parsing, http://docs.python.org/dev/library/argparse.html#printing-help Location: Package overview From: `?` → `npm/nx@17.3.2` → `npm/argparse@1.0.10` ℹ Read more on: This package \| This alert \| What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/argparse@1.0.10`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm `crypt` is 100.0% likely to have a medium risk anomaly Notes: Best report acknowledges this as a non-malicious utility with substantial correctness and cryptographic-use caveats. The primary risks are the rotr bug and non-cryptographic randomness, which could lead to misbehavior in crypto-sensitive contexts. No evidence of data exfiltration or backdoors is found in this fragment. Confidence: 1.00 Severity: 0.60 From: `?` → `npm/crypt@0.0.2` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/crypt@0.0.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm `env-paths` URLs: https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html, https://wiki.debian.org/XDGBaseDirectorySpecification#state Location: Package overview From: `?` → `npm/env-paths@2.2.1` ℹ Read more on: This package \| This alert \| What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/env-paths@2.2.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm `esprima` URLs: https://tc39.github.io/ecma262/#sec-white-space, https://tc39.github.io/ecma262/#sec-line-terminators, https://tc39.github.io/ecma262/#sec-names-and-keywords, https://tc39.github.io/ecma262/#sec-literals-numeric-literals, https://tc39.github.io/ecma262/#sec-primary-expression, https://tc39.github.io/ecma262/#sec-array-initializer, https://tc39.github.io/ecma262/#sec-object-initializer, https://tc39.github.io/ecma262/#sec-template-literals, https://tc39.github.io/ecma262/#sec-grouping-operator, https://tc39.github.io/ecma262/#sec-left-hand-side-expressions, https://tc39.github.io/ecma262/#sec-update-expressions, https://tc39.github.io/ecma262/#sec-unary-operators, https://tc39.github.io/ecma262/#sec-exp-operator, https://tc39.github.io/ecma262/#sec-multiplicative-operators, https://tc39.github.io/ecma262/#sec-additive-operators, https://tc39.github.io/ecma262/#sec-bitwise-shift-operators, https://tc39.github.io/ecma262/#sec-relational-operators, https://tc39.github.io/ecma262/#sec-equality-operators, https://tc39.github.io/ecma262/#sec-binary-bitwise-operators, https://tc39.github.io/ecma262/#sec-binary-logical-operators, https://tc39.github.io/ecma262/#sec-conditional-operator, https://tc39.github.io/ecma262/#sec-assignment-operators, https://tc39.github.io/ecma262/#sec-arrow-function-definitions, https://tc39.github.io/ecma262/#sec-comma-operator, https://tc39.github.io/ecma262/#sec-block, https://tc39.github.io/ecma262/#sec-let-and-const-declarations, https://tc39.github.io/ecma262/#sec-destructuring-binding-patterns, https://tc39.github.io/ecma262/#sec-variable-statement, https://tc39.github.io/ecma262/#sec-empty-statement, https://tc39.github.io/ecma262/#sec-expression-statement, https://tc39.github.io/ecma262/#sec-if-statement, https://tc39.github.io/ecma262/#sec-do-while-statement, https://tc39.github.io/ecma262/#sec-while-statement, https://tc39.github.io/ecma262/#sec-for-statement, https://tc39.github.io/ecma262/#sec-for-in-and-for-of-statements, https://tc39.github.io/ecma262/#sec-continue-statement, https://tc39.github.io/ecma262/#sec-break-statement, https://tc39.github.io/ecma262/#sec-return-statement, https://tc39.github.io/ecma262/#sec-wi, https://tc39.github.io/ecma262/#sec-with-statement, https://tc39.github.io/ecma262/#sec-switch-statement, https://tc39.github.io/ecma262/#sec-labelled-statements, https://tc39.github.io/ecma262/#sec-throw-statement, https://tc39.github.io/ecma262/#sec-try-statement, https://tc39.github.io/ecma262/#sec-debugger-statement, https://tc39.github.io/ecma262/#sec-ecmascript-language-statements-and-declarations, https://tc39.github.io/ecma262/#sec-function-definitions, https://tc39.github.io/ecma262/#sec-directive-prologues-and-the-use-strict-directive, https://tc39.github.io/ecma262/#sec-method-definitions, https://tc39.github.io/ecma262/#sec-generator-function-definitions, https://tc39.github.io/ecma262/#sec-class-definitions, https://tc39.github.io/ecma262/#sec-scripts, https://tc39.github.io/ecma262/#sec-modules, https://tc39.github.io/ecma262/#sec-imports, https://tc39.github.io/ecma262/#sec-exports, https://tc39.github.io/ecma262/#sec-comments, https://tc39.github.io/ecma262/#sec-future-reserved-words, https://tc39.github.io/ecma262/#sec-keywords, https://tc39.github.io/ecma262/#sec-punctuators, https://tc39.github.io/ecma262/#sec-literals-string-literals, https://tc39.github.io/ecma262/#sec-template-literal-lexical-components, https://tc39.github.io/ecma262/#sec-literals-regular-expression-literals, https://github.com/mozilla/sweet.js/wiki/design Location: Package overview From: `?` → `npm/nx@17.3.2` → `npm/esprima@4.0.1` ℹ Read more on: This package \| This alert \| What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/esprima@4.0.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm `esprima` is 100.0% likely to have a medium risk anomaly Notes: The analyzed code is a standard Esprima-based esvalidate CLI script intended to parse JavaScript source and report syntax errors. There is no sign of malicious behavior, data exfiltration, hidden backdoors, or crypto/mining activity. Cross-environment shims are notable but do not constitute malicious actions within this isolated snippet. Overall security risk is low, with no clear malware indicators. Confidence: 1.00 Severity: 0.60 From: `?` → `npm/nx@17.3.2` → `npm/esprima@4.0.1` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/esprima@4.0.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm `fast-levenshtein` URLs: http://en.wikipedia.org/wiki/Levenshtein_distance. Location: Package overview From: `?` → `npm/eslint@8.56.0` → `npm/fast-levenshtein@2.0.6` ℹ Read more on: This package \| This alert \| What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/fast-levenshtein@2.0.6`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
See 22 more rows in the dashboard

View full report

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 4, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump immutable from 4.3.4 to 4.3.8#2

chore(deps): bump immutable from 4.3.4 to 4.3.8#2
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/npm_and_yarn/immutable-4.3.8

dependabot Bot commented on behalf of github Mar 4, 2026

Uh oh!

socket-security Bot commented Mar 4, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Mar 4, 2026

v4.3.8

v4.3.7

What's Changed

v4.3.6

What's Changed

Internals

New Contributors

v4.3.5

What's Changed

New Contributors

Changelog

Unreleased

5.1.5

5.1.4

Documentation

Internal

5.1.3

TypeScript

Documentation

Internal

Uh oh!

socket-security Bot commented Mar 4, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants