Skip to content

chore(deps): bump the npm_and_yarn group across 1 directory with 7 updates#2985

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-0700d5feda
Open

chore(deps): bump the npm_and_yarn group across 1 directory with 7 updates#2985
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-0700d5feda

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 15, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm_and_yarn group with 6 updates in the / directory:

Package From To
dompurify 3.3.3 3.4.12
fast-xml-parser 4.5.6 5.10.0
form-data 4.0.5 4.0.6
launch-editor 2.11.1 2.14.1
postcss 8.5.6 8.5.19
webpack-dev-server 5.2.2 5.2.6

Updates dompurify from 3.3.3 to 3.4.12

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.12

  • Fixed an issue where a hook would not get called for custom elements, thanks @​Rikuxx0
  • Hardened the handling of hooks removing elements, @​mkrause-bee360
  • Added support for a few new SVG attributes, thanks @​cbn-falias & @​Develop-KIM
  • Hardened the handling of declarative partial updates
  • Updated the documentation is several spots, README, wiki, etc.
  • Bumped several dependencies where possible

DOMPurify 3.4.11

  • Fixed an issue with a leaky config for hooks via setConfig, thanks @​trace37labs
  • Bumped vulnerable development dependencies to arrive at plain 0 with npm audit
  • Updated the osv-scanner suppression list as no vulnerable dependencies are left for now
  • Updated up the linting tool-chain and removed now-redundant lint directives
  • Updated the documentation is several spots, README, wiki, etc.
  • Bumped several dependencies where possible

DOMPurify 3.4.10

  • Refactored codebase for clarity: extracted the public type declarations into types.ts
  • Decomposed the three largest sanitizer functions into focused helpers
  • Removed duplicated defaults and dead branches, consolidated SAFE_FOR_TEMPLATES scrubbing into single shared path
  • Improved per-node performance by hoisting the mXSS probe regexes and testing textContent before innerHTML
  • Added a deterministic micro-benchmark harness (npm run bench) with a --compare mode
  • Reduced CI cost by running the full three-engine browser suite once per PR
  • Refreshed the demos/ folder so every demo runs again, and added a SVG-via-<img> demo
  • Documented the bench and test:happydom scripts in the README
  • Completed the Attack Classes & Bypass History wiki page
  • Bumped several dependencies where possible

DOMPurify 3.4.9

  • Further improved the handling of Trusted Types config options, thanks @​offset
  • Further improved the handling of IN_PLACE sanitization, thanks @​mozfreddyb
  • Added more test coverage for IN_PLACE and Trusted Types related usage
  • Bumped several dependencies where possible
  • Updated README and wiki with more accurate documentation & attack samples

DOMPurify 3.4.8

  • Cleaned up the repository root, renamed some and removed unneeded files
  • Fixed an issue with handling of Trusted Types policies, thanks @​fulstadev
  • Fixed the node iterator for better template scrubbing, thanks @​IamLeandrooooo
  • Included formerly missing LICENSE-MPL in published npm package, thanks @​asamuzaK
  • Bumped several dependencies where possible

DOMPurify 3.4.7

  • Hardened the handling of Shadow Roots when using IN_PLACE, thanks @​GameZoneHacker
  • Removed a problem leading to permanent hook pollution, thanks @​offset
  • Refactored the test suite and expanded test coverage significantly

DOMPurify 3.4.6

... (truncated)

Commits
Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates fast-xml-parser from 4.5.6 to 5.10.0

Release notes

Sourced from fast-xml-parser's releases.

v5.10.0

What's Changed

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.9.3...v5.10.0

v5.9.3

What's Changed

New Contributors

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.9.2...v5.9.3

v5.9.2

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.9.1...v5.9.2

v5.9.1

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.9.0...v5.9.1

update strnum, use is-unsafe

  • update strnum to 2.3.0
    • you can set hex, binary, enotation, infinity, unicode
  • validate unsafe HTML or XML data in doctype entities unsing 'is-unsafe' library. User can override rules by overriding EntityDecoder.

update strnum, FXB. Use xml-naming for DOCTYPE

  • integrate xml-naming to validate DOCTYPE entity name and notation name (using qname because of backward compatibility)
    • This will consider xml-version as well. '1.0' is default
  • update strnum to 2.3.0
    • You can set octal and binary parsing which is by deault off
  • update fast-xml-builder to 1.2.0
    • can sanitize tag names if found invalid
    • fix format output

fix minor old bugs and update builder

  • fix: alwaysCreateTextNode should create text node when attributes are present for self closing node
  • fix stop node expression when ns prefix is removed (found by iruizsalinas)
  • update XML Builder to 1.1.7
  • mark addEntity deprecated

backward compatibility for numerical external entity, fix #705, #817

  • allow numerical external entity for backward compatibility
  • fix #705: attributesGroupName working with preserveOrder
  • fix #817: stackoverflow when tag expression is very long

upgrade @​nodable/entities and FXB

... (truncated)

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

5.10.0 / 2026-07-11

  • upgrade:
    • xml-naming v0.3.0: cache support
    • PEM v1.6.2: sibling bug fix
    • is-unsafe v2.0.0: tree shaking

*5.9.3 / 2026-06-19

  • update strnum

*5.9.2 / 2026-06-17

  • dummy release to test changes in github action

*5.9.1 / 2026-06-17

  • dummy release to test release from github action

*5.9.0 / 2026-06-15

  • update strnum to 2.3.0
    • you can set hex, binary, enotation, infinity, unicode
  • validate unsafe HTML or XML data in doctype entities unsing 'is-unsafe' library. User can override rules by overriding EntityDecoder.

*5.8.0 / 2026-05-12

  • integrate xml-naming to validate DOCTYPE entity name and notation name (using qname becaue of backward compatibility)
    • This will consider xml-version as well. '1.0' is default
  • update strnum to 2.3.0
    • You can set octal and binary parsing which is bydeault off
  • update fast-xml-builder to 1.2.0
    • can sanitize tag names if found invalid
    • fix format output

5.7.3 / 2006-05-05

  • fix: alwaysCreateTextNode should create text node when attributes are present for self closing node
  • fix stop node expression when ns prefix is removed (found by iruizsalinas)
  • update XML Builder to 1.1.7
  • mark addEntity deprecated

5.7.2 / 2026-04-25

  • allow numerical external entity for backward compatibility
  • fix #705: attributesGroupName working with preserveOrder
  • fix #817: stackoverflow when tag expression is very long

5.7.1 / 2026-04-20

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for fast-xml-parser since your current version.


Updates form-data from 4.0.5 to 4.0.6

Changelog

Sourced from form-data's changelog.

v4.0.6 - 2026-06-12

Commits

  • [Fix] escape CR, LF, and " in field names and filenames 8dff42c
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, tape f31d21e
  • [Deps] update hasown, mime-types 92ae0eb
  • [Dev Deps] update js-randomness-predictor 67b0f65
Commits
  • 64190db v4.0.6
  • 92ae0eb [Deps] update hasown, mime-types
  • f31d21e [Dev Deps] update @ljharb/eslint-config, auto-changelog, tape
  • 8dff42c [Fix] escape CR, LF, and " in field names and filenames
  • 67b0f65 [Dev Deps] update js-randomness-predictor
  • See full diff in compare view

Updates launch-editor from 2.11.1 to 2.14.1

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for launch-editor since your current version.


Updates postcss from 8.5.6 to 8.5.19

Release notes

Sourced from postcss's releases.

8.5.19

  • Fixed cleaning before for new nodes inserted to Root (by @​MahinAnowar).

8.5.18

  • Restricted loading previous source maps file to the opts.from folder for security reasons (use unsafeMap: true to disable the check).

8.5.17

  • Fixed Maximum call stack size exceeded error.
  • Fixed Prototype hijacking for postcss.fromJSON().
  • Fixed Input#origin() for unmapped end position (by @​chatman-media).

8.5.16

8.5.15

  • Fixed declaration parsing performance (by @​homanp).

8.5.14

8.5.13

  • Fixed postcss-scss commend regression.

8.5.12

  • Fixed reading any file via user-generated CSS.
  • Added opts.unsafeMap to disable checks.

8.5.11

  • Fixed nested brackets parsing performance (by @​offset).

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding paring in case of the error.

8.5.8

  • Fixed Processor#version.

8.5.7

  • Improved source map annotation cleaning performance (by CodeAnt AI).
Changelog

Sourced from postcss's changelog.

8.5.19

  • Fixed cleaning before for new nodes inserted to Root (by @​MahinAnowar).

8.5.18

  • Restricted loading previous source maps file to the opts.from folder for security reasons (use unsafeMap: true to disable the check).

8.5.17

  • Fixed Maximum call stack size exceeded error.
  • Fixed Prototype hijacking for postcss.fromJSON().
  • Fixed Input#origin() for unmapped end position (by @​chatman-media).

8.5.16

8.5.15

  • Fixed declaration parsing performance (by @​homanp).

8.5.14

8.5.13

  • Fixed postcss-scss commend regression.

8.5.12

  • Fixed reading any file via user-generated CSS.
  • Added opts.unsafeMap to disable checks.

8.5.11

  • Fixed nested brackets parsing performance (by @​offset).

8.5.10

  • Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

8.5.9

  • Speed up source map encoding paring in case of the error.

... (truncated)

Commits
  • 9543b22 Release 8.5.19 version
  • 3d13bf9 Fix CI on Windows too
  • 00d0dd2 Keep explicitly set raws.before when inserting nodes into root (#2111)
  • 7a05b33 Temporary fix CI
  • 4c0d194 Release 8.5.18 version
  • 92b4e78 Update dependencies
  • 95663d3 Limit where source map can be loaded for security reasons
  • 74e25ae Release 8.5.17 version
  • d1518af Fix Maximum call stack size exceeded error
  • 2421312 Fix linter
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for postcss since your current version.


Updates shell-quote from 1.8.3 to 1.10.0

Changelog

Sourced from shell-quote's changelog.

v1.10.0 - 2026-07-10

Merged

Commits

  • [Fix] parse: match nested ${...} braces so nested parameter expansion is consumed as one substitution c0842c8
  • [Tests] parse: pin single-quote literalness and unmatched-quote handling a0d03e3
  • [readme] remove the space in js code fences so evalmd evaluates them 2116fa3
  • [Tests] quote: pin conservative escaping of =, @, ^, ,, :, ! (#11) 1c36f3f
  • [readme] document that quote outputs POSIX quoting, not cmd.exe/PowerShell 100e96e
  • [readme] document parse's supported parameter-expansion subset e1c75cd
  • [Fix] parse: a backslash inside single quotes must not escape the closing quote 5d460a3
  • [readme] fix stale example outputs 2de86f5
  • [Tests] quote: pin that a backslash with whitespace is not doubled in single quotes (#14) 190e236
  • [readme] quote: use output verbatim; do not re-quote it (#11) 1b36468
  • [Refactor] parse: fix swapped SINGLE_QUOTE/DOUBLE_QUOTE variable names 801af5c
  • [types] fix an error TS v6 ignores but v7 fails on 59bbf8b
  • [Dev Deps] update @arethetypeswrong/cli, evalmd a04d475
  • [Dev Deps] update @arethetypeswrong/ci, eslint d390f9a
  • [Tests] quote: the tilde test escapes every ~, not just a leading one (#9) 617d119

v1.9.0 - 2026-06-24

Commits

  • [New] add types dca6e21
  • [Dev Deps] update eslint 9aa9e8f
  • [Fix] parse: finalize tokens in linear time (GHSA-395f-4hp3-45gv) 7ff5488
  • [actions] update workflows 75e8497
  • [actions] Windows + node 4/6/7: pin eslint to 9 before install, since npm 2/3 cannot stage eslint 10@types/esrecurse 3fb739d
  • [actions] retry npm install on Windows to survive npm 2/3 staging-rename flake abe0163
  • [actions] Windows + node 5/7: install deps with a modern node b4bafa2
  • [Fix] quote: escape leading ~ to prevent shell tilde-expansion 7a76c1a
  • [Dev Deps] update auto-changelog, tape 7184b44
  • [Dev Deps] apparently jackspeak is no longer in the graph 9ba368a

v1.8.4 - 2026-05-22

Commits

  • [Fix] quote: validate object-token shapes 4378a6e
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, eslint, npmignore 22ebec0
  • [Tests] increase coverage 9f3caa3
  • [readme] replace runkit CI badge with shields.io check-runs badge 3344a04
  • [Dev Deps] update @ljharb/eslint-config 699c511
Commits
  • 64988d9 v1.10.0
  • 617d119 [Tests] quote: the tilde test escapes every ~, not just a leading one (#9)
  • 59bbf8b [types] fix an error TS v6 ignores but v7 fails on
  • 190e236 [Tests] quote: pin that a backslash with whitespace is not doubled in singl...
  • a04d475 [Dev Deps] update @arethetypeswrong/cli, evalmd
  • b9545b3 [New] parse: add opt-in splitUnquoted option for shell field-splitting of...
  • 1b36468 [readme] quote: use output verbatim; do not re-quote it (#11)
  • 1c36f3f [Tests] quote: pin conservative escaping of =, @, ^, ,, :, ! (#11)
  • e1c75cd [readme] document parse's supported parameter-expansion subset
  • c0842c8 [Fix] parse: match nested ${...} braces so nested parameter expansion is ...
  • Additional commits viewable in compare view

Updates webpack-dev-server from 5.2.2 to 5.2.6

Release notes

Sourced from webpack-dev-server's releases.

v5.2.6

Patch Changes

  • fix: allow undefined as the Server constructor options argument again (by @​bjohansebas in #5695)

    Restores accepting undefined (defaulting it to {}) for the options argument, so passing a webpack config's optional devServer field type-checks and works as before.

  • Protect the built-in state-changing routes (/webpack-dev-server/invalidate and /webpack-dev-server/open-editor) against cross-site request forgery. Requests are now checked with Sec-Fetch-Site (falling back to an Origin/Host comparison when it is absent), so a cross-site page can no longer trigger a rebuild or open a file in the editor. Same-origin requests, user-initiated navigations, and non-browser clients (e.g. curl) are unaffected. (by @​bjohansebas in #5698)

  • Handle malformed Host and Origin header values gracefully when validating requests. (by @​bjohansebas in #5699)

v5.2.5

Patch Changes

  • Skip the HMR WebSocket path when forwarding upgrade requests to user-defined proxies, so custom proxy WebSocket upgrades are no longer intercepted by the dev server. (by @​bjohansebas in #5680)

v5.2.4

5.2.4 (2026-05-11)

Bug Fixes

  • set Cross-Origin-Resource-Policy header to prevent source code theft over HTTP

v5.2.3

5.2.3 (2026-01-12)

Bug Fixes

  • add cause for errorObject (#5518) (37b033d)
  • compatibility with event target and universal target and lazy compilation (574026c)
  • overlay: add ESC key to dismiss overlay (#5598) (f91baa8)
  • progress indicator styles (#5557) (41a53a1)
  • upgrade selfsigned to v5
Changelog

Sourced from webpack-dev-server's changelog.

5.2.6

Patch Changes

  • fix: allow undefined as the Server constructor options argument again (by @​bjohansebas in #5695)

    Restores accepting undefined (defaulting it to {}) for the options argument, so passing a webpack config's optional devServer field type-checks and works as before.

  • Protect the built-in state-changing routes (/webpack-dev-server/invalidate and /webpack-dev-server/open-editor) against cross-site request forgery. Requests are now checked with Sec-Fetch-Site (falling back to an Origin/Host comparison when it is absent), so a cross-site page can no longer trigger a rebuild or open a file in the editor. Same-origin requests, user-initiated navigations, and non-browser clients (e.g. curl) are unaffected. (by @​bjohansebas in #5698)

  • Handle malformed Host and Origin header values gracefully when validating requests. (by @​bjohansebas in #5699)

5.2.5

Patch Changes

  • Skip the HMR WebSocket path when forwarding upgrade requests to user-defined proxies, so custom proxy WebSocket upgrades are no longer intercepted by the dev server. (by @​bjohansebas in #5680)

All notable changes to this project will be documented in this file. See standard-version for commit guidelines.

5.2.4 (2026-05-11)

Bug Fixes

  • set Cross-Origin-Resource-Policy header to prevent source code theft over HTTP

5.2.3 (2026-01-12)

Bug Fixes

  • add cause for errorObject (#5518) (37b033d)
  • compatibility with event target and universal target and lazy compilation (574026c)
  • overlay: add ESC key to dismiss overlay (#5598) (f91baa8)
  • progress indicator styles (#5557) (41a53a1)
  • upgrade selfsigned to v5
Commits
  • 8a37b0e chore(release): new release (#5697)
  • f21ed0f fix: handle malformed Host and Origin headers (#5699)
  • 80cd9ee fix: reject cross-site requests to open-editor and invalidate endpoints (#5698)
  • 308e853 fix: handle undefined options in Server constructor (#5695)
  • 8b2b915 chore: update branch references from v4 to v5 in workflow configuration
  • 870ed22 chore: add v5 branch to release workflow triggers
  • c3ee325 chore(release): new release (#5682)
  • 60173be feat: add changeset validation and release workflow (#5680)
  • 948d5e6 fix(proxy): match the HMR upgrade path exactly like the ws server (#5678)
  • 93e8996 fix: skip HMR websocket path when forwarding upgrades to user-defined proxies...
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for webpack-dev-server since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

…dates

Bumps the npm_and_yarn group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [dompurify](https://github.com/cure53/DOMPurify) | `3.3.3` | `3.4.12` |
| [fast-xml-parser](https://github.com/NaturalIntelligence/fast-xml-parser) | `4.5.6` | `5.10.0` |
| [form-data](https://github.com/form-data/form-data) | `4.0.5` | `4.0.6` |
| [launch-editor](https://github.com/vitejs/launch-editor) | `2.11.1` | `2.14.1` |
| [postcss](https://github.com/postcss/postcss) | `8.5.6` | `8.5.19` |
| [webpack-dev-server](https://github.com/webpack/webpack-dev-server) | `5.2.2` | `5.2.6` |



Updates `dompurify` from 3.3.3 to 3.4.12
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.3.3...3.4.12)

Updates `fast-xml-parser` from 4.5.6 to 5.10.0
- [Release notes](https://github.com/NaturalIntelligence/fast-xml-parser/releases)
- [Changelog](https://github.com/NaturalIntelligence/fast-xml-parser/blob/master/CHANGELOG.md)
- [Commits](NaturalIntelligence/fast-xml-parser@v4.5.6...v5.10.0)

Updates `form-data` from 4.0.5 to 4.0.6
- [Changelog](https://github.com/form-data/form-data/blob/master/CHANGELOG.md)
- [Commits](form-data/form-data@v4.0.5...v4.0.6)

Updates `launch-editor` from 2.11.1 to 2.14.1
- [Commits](vitejs/launch-editor@v2.11.1...v2.14.1)

Updates `postcss` from 8.5.6 to 8.5.19
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.6...8.5.19)

Updates `shell-quote` from 1.8.3 to 1.10.0
- [Changelog](https://github.com/ljharb/shell-quote/blob/main/CHANGELOG.md)
- [Commits](ljharb/shell-quote@v1.8.3...v1.10.0)

Updates `webpack-dev-server` from 5.2.2 to 5.2.6
- [Release notes](https://github.com/webpack/webpack-dev-server/releases)
- [Changelog](https://github.com/webpack/webpack-dev-server/blob/v5.2.6/CHANGELOG.md)
- [Commits](webpack/webpack-dev-server@v5.2.2...v5.2.6)

---
updated-dependencies:
- dependency-name: dompurify
  dependency-version: 3.4.12
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: fast-xml-parser
  dependency-version: 5.10.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: form-data
  dependency-version: 4.0.6
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: launch-editor
  dependency-version: 2.14.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: postcss
  dependency-version: 8.5.19
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: shell-quote
  dependency-version: 1.10.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: webpack-dev-server
  dependency-version: 5.2.6
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github

dependabot Bot commented on behalf of github Jul 15, 2026

Copy link
Copy Markdown
Contributor Author

Assignees

The following users could not be added as assignees: protocol-galileo. Either the username does not exist or it does not have the correct permissions to be added as an assignee.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 15, 2026
@dependabot dependabot Bot requested review from a team as code owners July 15, 2026 22:39
@vercel

vercel Bot commented Jul 15, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
metamask-docs Ready Ready Preview, Comment Jul 15, 2026 10:45pm

Request Review

@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updated@​metamask/​profile-sync-controller@​16.0.0 ⏵ 28.3.098 +110087 +298 -1100

View full report

@socket-security

Copy link
Copy Markdown

Caution

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action Severity Alert  (click "▶" to expand/collapse)
Block High
Obfuscated code: npm @metamask/snaps-controllers is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.jsonnpm/@metamask/profile-sync-controller@28.3.0npm/@metamask/snaps-controllers@19.0.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/snaps-controllers@19.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block High
Publisher changed: npm ses is now published by kriscendobot

Author: kriscendobot

From: package-lock.jsonnpm/@metamask/profile-sync-controller@28.3.0npm/ses@2.2.0

ℹ Read more on: This package | This alert | What is unstable ownership?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ses@2.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm @ethersproject/web in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: package-lock.jsonnpm/@metamask/profile-sync-controller@28.3.0npm/@ethersproject/web@5.8.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ethersproject/web@5.8.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm @ethersproject/web in module http

Module: http

Location: Package overview

From: package-lock.jsonnpm/@metamask/profile-sync-controller@28.3.0npm/@ethersproject/web@5.8.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ethersproject/web@5.8.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm @ethersproject/web in module https

Module: https

Location: Package overview

From: package-lock.jsonnpm/@metamask/profile-sync-controller@28.3.0npm/@ethersproject/web@5.8.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ethersproject/web@5.8.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Potential security risk (AI signal): npm ses is 70.0% likely risky

Notes: This module is a dynamic evaluator generator that ultimately performs eval(arguments[0]) on caller-supplied code, after dynamically generating and injecting destructuring bindings into a nested with(...) scope environment. While it does not itself show exfiltration/persistence behavior, it creates a high-impact arbitrary code execution primitive, which becomes a serious security risk if any attacker-controlled data reaches arguments[0] or the scope/context objects.

Confidence: 0.70

Severity: 0.80

From: package-lock.jsonnpm/@metamask/profile-sync-controller@28.3.0npm/ses@2.2.0

ℹ Read more on: This package | This alert | What are AI-detected potential security risks?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system identified potential security problems in this package. It is advised to review the package thoroughly and assess the potential risks before installation. You may also consider reporting the issue to the package maintainer or seeking alternative solutions with a stronger security posture.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ses@2.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Publisher changed: npm ses is now published by kriscendobot instead of boneskull

New Author: kriscendobot

Previous Author: boneskull

From: package-lock.jsonnpm/@metamask/profile-sync-controller@28.3.0npm/ses@2.2.0

ℹ Read more on: This package | This alert | What is new author?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ses@2.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm ses is 70.0% likely to have a medium risk anomaly

Notes: The file package/dist/ses.umd.min.js contains an SES/Compartment-based module loader/runtime fragment that uses dynamic evaluation and can modify global intrinsics. While heavily obfuscated, there is no evidence of malware behavior such as data exfiltration or backdoors; the behavior aligns with sandbox hardening rather than active exploitation.

Confidence: 0.70

Severity: 0.35

From: package-lock.jsonnpm/@metamask/profile-sync-controller@28.3.0npm/ses@2.2.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ses@2.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants