Update ui deps sync (major) by renovate[bot] · Pull Request #685 · OpenZeppelin/contracts-wizard

renovate · 2025-10-06T07:39:24Z

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@rollup/plugin-alias (source)	`^5.1.1` → `^6.0.0`
@rollup/plugin-commonjs (source)	`^28.0.8` → `^29.0.3`
ava (source)	`^6.4.1` → `^8.0.1`
openai	`5.23.2` → `6.39.1`
openai	`5.23.2` → `6.39.1`
svelte-check	`^3.8.6` → `^4.4.8`
svelte-preprocess	`^5.1.4` → `^6.0.5`
tailwindcss (source)	`^3.4.18` → `^4.3.0`
typescript (source)	`^5.9.3` → `^6.0.3`

Release Notes

rollup/plugins (@rollup/plugin-alias)

`v6.0.0`

2025-10-28

Breaking Changes

feat!: ESM only. Update Node and Rollup minimum versions (#1926)

rollup/plugins (@rollup/plugin-commonjs)

`v29.0.3`

2026-05-29

Bugfixes

commonjs: make #1868 es5-compatible (#1981)

`v29.0.2`

2026-03-06

Bugfixes

commonjs: conditional exports (#1952)

`v29.0.1`

2026-03-05

Bugfixes

commonjs: correctly replaces shorthand "global" property in object (#1957)

`v29.0.0`

2025-10-30

Breaking Changes

feat!: revert #1909 and add requireNodeBuiltins option (#1937)

`v28.0.9`

2025-10-24

Bugfixes

fix: handle node: builtins with strictRequires: auto (#1930)

avajs/ava (ava)

`v8.0.1`

Compare Source

What's Changed

This release officially adds Node.js 26 support, with thanks to @novemberborn in #3450.

Per our policy, support for Node.js 25 has been removed.

Full Changelog: avajs/ava@v8.0.0...v8.0.1

`v8.0.0`

Compare Source

Breaking Changes

AVA now expects Node.js 22.20, 24.12 or newer.

Internally AVA is now fully ESM. This is possible now that Node.js supports loading ES modules using require() calls and simplifies AVA's types and internals.

If you use AVA from a CommonJS project you'll have to update your imports:

-const test = require('ava');
+const {default: test} = require('ava');

We expect an increasing number of projects to be ESM only. As per the above, CommonJS is still supported, but we don't expect cjs extensions to be used. The default file extensions are now js and mjs. Specify extensions: ['cjs', 'js', 'mjs'] for AVA to run test files with the cjs extension.

All test files (and those loaded through AVA's require config) are now loaded via import(). Use customization hooks for transpilation. The object form of the extensions configuration is no longer supported.

If you use AVA with @ava/typescript you must upgrade that package to v7.

New Features

There's two new test modifiers courtesy of @sindresorhus: test.skipIf() to skip a test based on a runtime condition. test.runIf() is the inverse: the test only runs when the condition is true.

test.skipIf(process.platform === 'win32')('not on Windows', t => {
	t.pass();
});

test.runIf(process.platform === 'linux')('Linux only', t => {
	t.pass();
});

These work with other modifiers like .serial and .failing:

test.serial.skipIf(process.platform === 'win32')('serial, not on Windows', t => {
	t.pass();
});

test.failing.skipIf(process.platform === 'win32')('expected failure, not on Windows', t => {
	t.fail();
});

Other Changes

Watch mode now ignores changes to *.tsbuildinfo files
TAP reporter is more defensive when restoring the original error name, thanks to @ninper00 in #3415
Reported errors when throwsAsync/notThrowsAsync are not awaited have been improved by @sindresorhus in #3436

New Contributors

@ninper00 made their first contribution in #3415

Full Changelog: avajs/ava@v7.0.0...v8.0.0

`v7.0.0`

Compare Source

What's Changed

Replace strip-ansi with node:util.stripVTControlCharacters by @fisker in #3403
Remove support for Node.js 18 and 23; require 20.19 or newer, 22.20 or newer or 24,12 or newer; update dependencies including transitive glob by @novemberborn in #3416

Full Changelog: avajs/ava@v6.4.1...v7.0.0

openai/openai-node (openai)

`v6.39.1`

Compare Source

Full Changelog: v6.39.0...v6.39.1

Bug Fixes

Improve undici dispatcher mismatch guidance (#1898) (b6e5fd6)
treat text/plan with format: binary as raw upload (f9a632a)
treat text/plan with format: binary as raw upload (323cb78)

Chores

internal: codegen related update (d32deef)

`v6.39.0`

Compare Source

Full Changelog: v6.38.0...v6.39.0

Features

api: api update (33ea11f)
api: manual updates (c210b09)
api: manual updates (92df9dc)
api: update OpenAPI spec or Stainless config (c7c0f52)

Bug Fixes

types: allow runtime fetch options (8f5003d)
typescript: upgrade tsc-multi so that it works with Node 26 (068f9c6)

Chores

api: docs updates (9d43adb)
tests: remove redundant File import (5465bbe)

`v6.38.0`

Compare Source

Full Changelog: v6.37.0...v6.38.0

Features

api: add service_tier parameter to responses compact method (423e838)

`v6.37.0`

Compare Source

Full Changelog: v6.36.0...v6.37.0

Features

api: add quantity field to admin organization usage responses (273a8f7)
api: add web_search_call.results output option to responses (91c75e0)
api: launch realtime translate + update image 2 (a296b66)
api: manual updates (794b905)
api: manual updates (6963729)
api: realtime 2 (f4b7177)

Bug Fixes

api: fix imagegen size enum regression (4fe8469)

Chores

redact api-key headers in debug logs (99c9c80)

`v6.36.0`

Compare Source

Full Changelog: v6.36.0...v6.37.0

Features

api: add quantity field to admin organization usage responses (273a8f7)
api: add web_search_call.results output option to responses (91c75e0)
api: launch realtime translate + update image 2 (a296b66)
api: manual updates (794b905)
api: manual updates (6963729)
api: realtime 2 (f4b7177)

Bug Fixes

api: fix imagegen size enum regression (4fe8469)

Chores

redact api-key headers in debug logs (99c9c80)

`v6.35.0`

Compare Source

Full Changelog: v6.34.0...v6.35.0

Features

api: Add detail to InputFileContent (910ec5d)
api: add OAuthErrorCode type (f84bd1f)
api: add prompt_cache_retention parameter to responses compact (c486d1f)
api: add web_search_call.results to ResponseIncludable (72449a1)
api: manual updates (b742f1f)
client: add support for binary messages (c498cc3)
client: add support for path parameters in websockets clients (e0aba70)
client: add support for queuing messages when waiting for a connection (fd8868c)
client: add support for WebSockets in the browser when using simple auth (27bda6a)
client: support automatic reconnection for websockets (189410b)
typescript: expose underlying WebSocket type (7e96939)

Bug Fixes

client: allow single messages greater than the size of the websockets queue (ad19ab2)
internal: gitignore generated oidc dir (cf860f6)
types: correct prompt_cache_retention enum value in chat/completions and responses (5a81e1a)
types: preserve emitted ts-ignore comments (1cde375)

Chores

ci: remove release-doctor workflow (e5ab4d1)
format: apply prettier output (80fa23d)
format: ignore release-updated jsr config (f606e8b)
formatter: run prettier and eslint separately (68a988e)
internal: codegen related update (7673137)
internal: fix package.json duplicate keys (5f075a8)
internal: more robust bootstrap script (252e70a)
internal: version bump (34c84ee)
tests: bump steady to v0.22.1 (316bdba)

Documentation

improve examples (6400d19)

`v6.34.0`

Compare Source

Full Changelog: v6.33.0...v6.34.0

Features

api: add phase field to Message in conversations (eb7cbc1)
client: add support for short-lived tokens (#839) (a72ebcf)

Bug Fixes

api: remove web_search_call.results from ResponseIncludable in responses (1f6968e)

Chores

internal: codegen related update (1081460)
internal: update multipart form array serialization (3faee8d)
tests: bump steady to v0.20.1 (b73cc6b)

Documentation

api: add multi-file ingestion recommendations to vector-stores files/file-batches (1bc32a3)

`v6.33.0`

Compare Source

Full Changelog: v6.32.0...v6.33.0

Features

api: add keys field to computer action types (27a850e)
client: add async iterator and stream() to WebSocket classes (e1c16ee)

Bug Fixes

api: align SDK response types with expanded item schemas (491cd52)
types: make type required in ResponseInputMessageItem (2012293)

Chores

ci: skip lint on metadata-only changes (74a917f)
internal: refactor imports (cfe9c60)
internal: update gitignore (71bd114)
tests: bump steady to v0.19.4 (f2e9dea)
tests: bump steady to v0.19.5 (37c6cf4)
tests: bump steady to v0.19.6 (496b3af)
tests: bump steady to v0.19.7 (8491eb6)

Refactors

tests: switch from prism to steady (47c0581)

`v6.32.0`

Compare Source

Full Changelog: v6.31.0...v6.32.0

Features

api: 5.4 nano and mini model slugs (068df6d)

`v6.31.0`

Compare Source

Full Changelog: v6.31.0...v6.32.0

Features

api: 5.4 nano and mini model slugs (068df6d)

`v6.30.1`

Compare Source

Full Changelog: v6.30.1...v6.31.0

Features

api: add in/nin filter types to ComparisonFilter (b2eda27)

`v6.29.0`

Compare Source

Full Changelog: v6.29.0...v6.30.0

Features

api: add /v1/videos endpoint option to batches (271d879)
api: add defer_loading field to NamespaceTool (7cc8f0a)

Bug Fixes

api: oidc publishing for npm (fa50066)

`v6.28.0`

Compare Source

Full Changelog: v6.28.0...v6.29.0

Features

api: custom voices (a11307a)

`v6.27.0`

Compare Source

Full Changelog: v6.26.0...v6.27.0

Features

api: The GA ComputerTool now uses the CompuerTool class. The 'computer_use_preview' tool is moved to ComputerUsePreview (0206188)

Chores

internal: improve import alias names (9cc2478)

`v6.26.0`

Compare Source

Full Changelog: v6.26.0...v6.27.0

Features

api: The GA ComputerTool now uses the CompuerTool class. The 'computer_use_preview' tool is moved to ComputerUsePreview (0206188)

Chores

internal: improve import alias names (9cc2478)

`v6.25.0`

Compare Source

Full Changelog: v6.24.0...v6.25.0

Features

api: add phase (e32b853)

Bug Fixes

api: fix phase enum (2ffe1be)
api: phase docs (7fdfa38)

Chores

internal: refactor sse event parsing (0ea2380)

`v6.24.0`

Compare Source

Full Changelog: v6.24.0...v6.25.0

Features

api: add phase (e32b853)

Bug Fixes

api: fix phase enum (2ffe1be)
api: phase docs (7fdfa38)

Chores

internal: refactor sse event parsing (0ea2380)

`v6.23.0`

Compare Source

Full Changelog: v6.23.0...v6.24.0

Features

api: add gpt-realtime-1.5 and gpt-audio-1.5 models to realtime (75875bf)

`v6.22.0`

Compare Source

Full Changelog: v6.21.0...v6.22.0

Features

api: container network_policy and skills (65c1482)

Bug Fixes

docs: restore helper methods in API reference (3a4c189)
webhooks: restore webhook type exports (49bbf46)

Chores

internal: avoid type checking errors with ts-reset (4b0d1f2)

Documentation

split api.md by standalone resources (48e07d6)
update comment (e3a1ea0)

`v6.21.0`

Compare Source

Full Changelog: v6.21.0...v6.22.0

Features

api: container network_policy and skills (65c1482)

Bug Fixes

docs: restore helper methods in API reference (3a4c189)
webhooks: restore webhook type exports (49bbf46)

Chores

internal: avoid type checking errors with ts-reset (4b0d1f2)

Documentation

split api.md by standalone resources (48e07d6)
update comment (e3a1ea0)

`v6.20.0`

Compare Source

Full Changelog: v6.20.0...v6.21.0

Features

api: support for images in batch api (017ba1c)

`v6.19.0`

Compare Source

Full Changelog: v6.19.0...v6.20.0

Features

api: skills and hosted shell (e4bdd62)

`v6.18.0`

Compare Source

Full Changelog: v6.17.0...v6.18.0

Features

api: image generation actions for responses; ResponseFunctionCallArgumentsDoneEvent.name (d373c32)

Bug Fixes

client: avoid memory leak with abort signals (b449f36)
client: avoid removing abort listener too early (1c045f7)
client: undo change to web search Find action (8259b45)
client: update type for find_in_page action (9aa8d98)

Chores

client: do not parse responses with empty content-length (4a118fa)
client: restructure abort controller binding (a4d7151)
internal: fix pagination internals not accepting option promises (6677905)

`v6.17.0`

Compare Source

Full Changelog: v6.16.0...v6.17.0

Features

api: add shell_call_output status field (edf9590)
api: api update (6a2eb80)
api: api updates (19ca100)

Bug Fixes

api: mark assistants as deprecated (3ae2a14)

Chores

ci: upgrade actions/github-script (4ea73d3)
internal: update actions/checkout version (f163b77)
internal: upgrade babel, qs, js-yaml (2e2f3c6)

`v6.16.0`

Compare Source

Full Changelog: v6.15.0...v6.16.0

Features

api: add new Response completed_at prop (ca40534)
ci: add breaking change detection workflow (a6f3dea)

Chores

break long lines in snippets into multiline (80dee2f)
internal: codegen related update (b2fac3e)

`v6.15.0`

Compare Source

Full Changelog: v6.14.0...v6.15.0

Bug Fixes

rebuild (5627b41)

`v6.14.0`

Compare Source

Full Changelog: v6.14.0...v6.15.0

Bug Fixes

rebuild (5627b41)

`v6.13.0`

Compare Source

Full Changelog: v6.13.0...v6.14.0

Features

api: gpt-image-1.5 (6c1ac1d)

`v6.10.0`

Compare Source

Full Changelog: v6.9.1...v6.10.0

Features

api: gpt-5.1-codex-max and responses/compact (935f79e)

Chores

client: fix logger property type (fdc671f)
internal: upgrade eslint (9de0f90)

`v6.9.1`

Compare Source

Full Changelog: v6.9.0...v6.9.1

Bug Fixes

api: align types of input items / output items for typescript (99adaa7)

`v6.9.0`

Compare Source

Full Changelog: v6.9.0...v6.9.1

Bug Fixes

api: align types of input items / output items for typescript (99adaa7)

`v6.8.1`

Compare Source

Full Changelog: v6.8.0...v6.8.1

Bug Fixes

api: fix nullability of logprobs (40a403c)

`v6.8.0`

Compare Source

Full Changelog: v6.7.0...v6.8.0

Features

api: Realtime API token_limits, Hybrid searching ranking options (6a5b48c)
api: remove InputAudio from ResponseInputContent (9909fef)

Chores

internal: codegen related update (3ad52aa)

`v6.7.0`

Compare Source

Full Changelog: v6.6.0...v6.7.0

Features

add support for zod@4 schemas (#1666) (10ef7ff)

Bug Fixes

api: docs updates (2591c21)

`v6.6.0`

Compare Source

Full Changelog: v6.6.0...v6.7.0

Features

add support for zod@4 schemas (#1666) (10ef7ff)

Bug Fixes

api: docs updates (2591c21)

`v6.5.0`

Compare Source

Full Changelog: v6.5.0...v6.6.0

Features

api: Add responses.input_tokens.count (520c8a9)

Bug Fixes

api: internal openapi updates (d4aaef9)

`v6.4.0`

Compare Source

Full Changelog: v6.4.0...v6.5.0

Features

api: api update (4d21af3)

`v6.3.0`

Compare Source

Full Changelog: v6.3.0...v6.4.0

Features

api: Add support for gpt-4o-transcribe-diarize on audio/transcriptions endpoint (2d27392)

`v6.2.0`

Compare Source

Full Changelog: v6.2.0...v6.3.0

Features

api: comparison filter in/not in (1a733c6)

Chores

internal: use npm pack for build uploads (a532410)

`v6.1.0`

Compare Source

Full Changelog: v6.1.0...v6.2.0

Features

api: dev day 2025 launches (f2816db)

Chores

internal: codegen related update (b6f64b7)
jsdoc: fix @link annotations to refer only to parts of the package‘s public interface (73e465d)

`v6.0.1`

Compare Source

Full Changelog: v6.0.1...v6.1.0

Features

api: add support for realtime calls (5de9585)

`v6.0.0`

Compare Source

Full Changelog: v6.0.0...v6.0.1

Bug Fixes

api: add status, approval_request_id to MCP tool call (498c6a5)

feat: provide --incremental and --tsgo flags (#2932)

Patch Changes

fix: ignore Unix domain sockets in file watcher to prevent crashes (#2931)
fix: properly use machine output by default for Claude Code (e9f58d2)

`v4.3.6`

Compare Source

Patch Changes

fix: don't hoist type/snippet referencing $store (#2926)

`v4.3.5`

Compare Source

Patch Changes

fix: ensure await-block type is preserved in the latest Svelte version (#2895)

`v4.3.4`

Compare Source

Patch Changes

chore: use machine format when run by Claude Code (#2870)

`v4.3.3`

Compare Source

Patch Changes

fix: prevent file watcher issue (#2859)
fix: allow undefined and null values for #each in Svelte 5 (#2863)
perf: check if file content changed in tsconfig file watch (#2859)

[`v4.3.2`](https://redirect.github.com/sveltejs/language-to

✂ Note

PR body was truncated to here.

Configuration

📅 Schedule: (UTC)

Branch creation
- At any time (no schedule defined)
Automerge
- At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

coderabbitai · 2025-10-06T07:39:49Z

Walkthrough

This PR upgrades dependencies in the UI package. The OpenAI dependency is bumped from 5.23.2 to 6.5.0 in both the import map and package.json. Additional devDependencies are also updated: svelte-check, svelte-preprocess, and tailwindcss to newer minor and patch versions.

Changes

Cohort / File(s)	Summary
UI package dependency updates `packages/ui/import_map.json`, `packages/ui/package.json`	Upgraded openai from 5.23.2 to 6.5.0; upgraded svelte-check from ^3.8.6 to ^4.3.3; upgraded svelte-preprocess from ^5.1.4 to ^6.0.3; upgraded tailwindcss from ^3.4.18 to ^4.1.14

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Possibly related PRs

Renovate update import and package #674: Adds Renovate rules to ensure coordinated updates between import_map.json and packages/ui/package.json for dependency consistency.

Suggested reviewers

ericglau
collins-w

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The PR title "Update ui deps sync (major)" is directly related to the changeset, which consists of major version updates to four UI package dependencies (openai, svelte-check, svelte-preprocess, and tailwindcss). The title clearly conveys the primary change—updating UI dependencies to major versions—and would allow a teammate scanning the commit history to quickly understand the PR's purpose. While the term "sync" is somewhat informal compared to "update," the "(major)" notation effectively emphasizes the significant nature of these version bumps.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.
Description check	✅ Passed	The PR description clearly describes the changeset as a dependency update PR with a detailed table of package version changes and comprehensive release notes for each updated dependency.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

Create stacked PR
Commit on current branch

🧪 Generate unit tests (beta)

Create PR with unit tests
Commit unit tests in branch renovate/major-ui-deps-sync

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

socket-security · 2025-10-08T16:46:15Z

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Block		High CVE: npm `flatted` vulnerable to unbounded recursion DoS in parse() revive phase CVE: GHSA-25h7-pfq9-p65f flatted vulnerable to unbounded recursion DoS in parse() revive phase (HIGH) Affected versions: < 3.4.0 Patched version: 3.4.0 From: `?` → `npm/eslint@9.33.0` → `npm/flatted@3.3.3` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/flatted@3.3.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: Prototype Pollution via parse() in NodeJS npm `flatted` CVE: GHSA-rf6f-7fwh-wjgh Prototype Pollution via parse() in NodeJS flatted (HIGH) Affected versions: < 3.4.2 Patched version: 3.4.2 From: `?` → `npm/eslint@9.33.0` → `npm/flatted@3.3.3` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/flatted@3.3.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: npm `path-to-regexp` vulnerable to Denial of Service via sequential optional groups CVE: GHSA-j3q9-mxjg-w52f path-to-regexp vulnerable to Denial of Service via sequential optional groups (HIGH) Affected versions: >= 8.0.0 < 8.4.0 Patched version: 8.4.0 From: `?` → `npm/@modelcontextprotocol/sdk@1.29.0` → `npm/path-to-regexp@8.2.0` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/path-to-regexp@8.2.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: Rollup 4 has Arbitrary File Write via Path Traversal CVE: GHSA-mw96-cpmx-2vgc Rollup 4 has Arbitrary File Write via Path Traversal (HIGH) Affected versions: < 2.80.0; >= 3.0.0 < 3.30.0; >= 4.0.0 < 4.59.0 Patched version: 4.59.0 From: packages/ui/package.json → `npm/rollup@4.52.4` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/rollup@4.52.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: SVGO DoS through entity expansion in DOCTYPE (Billion Laughs) CVE: GHSA-xpqw-6gx7-v673 SVGO DoS through entity expansion in DOCTYPE (Billion Laughs) (HIGH) Affected versions: = 4.0.0; >= 2.1.0 < 2.8.1; >= 3.0.0 < 3.3.3; >= 4.0.0 < 4.0.1 Patched version: 2.8.1 From: `?` → `npm/rollup-plugin-styles@4.0.0` → `npm/svgo@2.8.0` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/svgo@2.8.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: SVGO DoS through entity expansion in DOCTYPE (Billion Laughs) CVE: GHSA-xpqw-6gx7-v673 SVGO DoS through entity expansion in DOCTYPE (Billion Laughs) (HIGH) Affected versions: = 4.0.0; >= 2.1.0 < 2.8.1; >= 3.0.0 < 3.3.3; >= 4.0.0 < 4.0.1 Patched version: 2.8.1 From: `?` → `npm/rollup-plugin-styles@4.0.0` → `npm/svgo@4.0.0` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/svgo@4.0.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: node-npm `tar` Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal CVE: GHSA-34x7-hfp2-rc4v node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal (HIGH) Affected versions: < 7.5.7 Patched version: 7.5.7 From: `?` → `npm/ava@8.0.1` → `npm/ava@6.4.1` → `npm/tar@7.4.3` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/tar@7.4.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: node-npm `tar` is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization CVE: GHSA-8qq5-rm4j-mr97 node-tar is Vulnerable to Arbitrary File Overwrite and Symlink Poisoning via Insufficient Path Sanitization (HIGH) Affected versions: < 7.5.3 Patched version: 7.5.3 From: `?` → `npm/ava@8.0.1` → `npm/ava@6.4.1` → `npm/tar@7.4.3` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/tar@7.4.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: Race Condition in node-npm `tar` Path Reservations via Unicode Ligature Collisions on macOS APFS CVE: GHSA-r6q2-hw4h-h46w Race Condition in node-tar Path Reservations via Unicode Ligature Collisions on macOS APFS (HIGH) Affected versions: < 7.5.4 Patched version: 7.5.4 From: `?` → `npm/ava@8.0.1` → `npm/ava@6.4.1` → `npm/tar@7.4.3` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/tar@7.4.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-npm `tar` Extraction CVE: GHSA-83g3-92jg-28cx Arbitrary File Read/Write via Hardlink Target Escape Through Symlink Chain in node-tar Extraction (HIGH) Affected versions: < 7.5.8 Patched version: 7.5.8 From: `?` → `npm/ava@8.0.1` → `npm/ava@6.4.1` → `npm/tar@7.4.3` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/tar@7.4.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: node-npm `tar` Symlink Path Traversal via Drive-Relative Linkpath CVE: GHSA-9ppj-qmqm-q256 node-tar Symlink Path Traversal via Drive-Relative Linkpath (HIGH) Affected versions: < 7.5.11 Patched version: 7.5.11 From: `?` → `npm/ava@8.0.1` → `npm/ava@6.4.1` → `npm/tar@7.4.3` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/tar@7.4.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: npm `tar` has Hardlink Path Traversal via Drive-Relative Linkpath CVE: GHSA-qffp-2rhf-9h96 tar has Hardlink Path Traversal via Drive-Relative Linkpath (HIGH) Affected versions: < 7.5.10 Patched version: 7.5.10 From: `?` → `npm/ava@8.0.1` → `npm/ava@6.4.1` → `npm/tar@7.4.3` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/tar@7.4.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm `@humanwhocodes/retry` is 100.0% likely to have a medium risk anomaly Notes: The Retrier class implements a conventional, well-scoped retry mechanism with abort support and backoff-like scheduling. There is no evidence of malicious behavior, data exfiltration, or backdoors in this fragment. The primary security considerations relate to the trustworthiness of the host-provided function (fn) and the external timing constants that govern bail/retry behavior. Overall risk is moderate due to the possibility of executing arbitrary host code, but this is expected for a retry utility; no external communications or data leakage are evident here. Confidence: 1.00 Severity: 0.60 From: `?` → `npm/eslint@9.33.0` → `npm/@humanwhocodes/retry@0.3.1` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@humanwhocodes/retry@0.3.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm `ajv` is 100.0% likely to have a medium risk anomaly Notes: The code represents a conventional, non-obfuscated part of AJV’s custom keyword support. No direct malicious actions are evident within this module. Security concerns mainly arise from the broader supply chain: the external rule implementation (dotjs/custom), the definition schema, and any user-supplied keyword definitions. The dynamic compilation path (compile(metaSchema, true)) should be exercised with trusted inputs. Recommended follow-up: review the contents of the external modules and monitor the inputs supplied to addKeyword/definitionSchema to ensure no unsafe behavior is introduced during validation or data handling. Confidence: 1.00 Severity: 0.60 From: `?` → `npm/eslint@9.33.0` → `npm/ajv@6.12.6` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/ajv@6.12.6`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm `ajv` is 100.0% likely to have a medium risk anomaly Notes: The code implements a standard AJV-like dynamic parser generator for JTD schemas. There are no explicit malware indicators in this fragment. The primary security concern is the dynamic code generation and execution from external schemas, which introduces a medium risk if schemas are untrusted. With trusted schemas and proper schema management, the risk is typically acceptable within this pattern. Confidence: 1.00 Severity: 0.60 From: `?` → `npm/@modelcontextprotocol/sdk@1.29.0` → `npm/ajv@8.18.0` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/ajv@8.18.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm `ajv` is 100.0% likely to have a medium risk anomaly Notes: The code implements standard timestamp validation with clear logic for normal and leap years and leap seconds. There is no network, file, or execution of external code within this isolated fragment. The only anomalous aspect is assigning a string to validTimestamp.code, which could enable external tooling to inject behavior in certain environments, but this does not constitute active malicious behavior in this isolated snippet. Overall, low to moderate security risk in typical usage; no malware detected within the shown code. Confidence: 1.00 Severity: 0.60 From: `?` → `npm/@modelcontextprotocol/sdk@1.29.0` → `npm/ajv@8.18.0` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/ajv@8.18.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm `ajv` is 100.0% likely to have a medium risk anomaly Notes: This module generates JavaScript code at runtime via standaloneCode(...) and then immediately executes it with require-from-string. Because the generated code can incorporate user-supplied schemas or custom keywords without sanitization or sandboxing, an attacker who controls those inputs could inject arbitrary code and achieve remote code execution in the Node process. Users should audit and lock down the standaloneCode output or replace dynamic evaluation with a safer, static bundling approach. Confidence: 1.00 Severity: 0.60 From: `?` → `npm/@modelcontextprotocol/sdk@1.29.0` → `npm/ajv@8.18.0` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/ajv@8.18.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm `cbor2` is 100.0% likely to have a medium risk anomaly Notes: Overall, the codebase appears to be a robust, feature-rich CBOR serialization library with extensive tag support and defensive input handling. There is no concrete evidence of malicious behavior or data exfiltration within the provided fragment. The main operational risk is inherent to any data-serialization component: untrusted inputs can trigger potentially expensive or error-prone constructions (URL/RegExp/Date) if downstream usage is insecure. The code mitigates this with strict validations and explicit error handling. Confidence: 1.00 Severity: 0.60 From: `?` → `npm/ava@8.0.1` → `npm/cbor2@2.3.0` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/cbor2@2.3.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm `colord` is 100.0% likely to have a medium risk anomaly Notes: The code constitutes a focused HWB color space utility that converts RGBA to HWB and parses HWB strings, exposing conversion helpers via prototype augmentation. There is no direct evidence of malicious activity (no network/file I/O, no data leakage to unknown sinks). The main security considerations are prototype pollution risks due to prototype augmentation and the potential for side effects in environments that rely on Object.prototype stability; otherwise, the fragment appears benign as a color conversion utility. Confidence: 1.00 Severity: 0.60 From: `?` → `npm/rollup-plugin-styles@4.0.0` → `npm/colord@2.9.3` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/colord@2.9.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm `commander` is 100.0% likely to have a medium risk anomaly Notes: The code is a conventional CLI launcher used to delegate to subcommands located near the main executable. It is not inherently malicious, but it introduces a local execution risk: if subcommand resolution is manipulated (habitual in dev or misconfigured environments), arbitrary code could run. To mitigate, enforce canonical subcommand resolution, restrict to a known whitelist, validate resolved paths, and consider isolating subcommand execution or validating subcommand binaries before execution. Confidence: 1.00 Severity: 0.60 From: `?` → `npm/rollup-plugin-terser@7.0.2` → `npm/commander@2.20.3` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/commander@2.20.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm `consola` is 100.0% likely to have a medium risk anomaly Notes: The analyzed code fragment is a feature-rich, standard Consola logging utility responsible for redirecting and managing log output with throttling, pausing, and reporter integration. There is no direct evidence of malicious activity, hardcoded secrets, or exfiltration within this snippet. However, the powerful I/O overrides pose privacy and data flow risks if reporters or downstream sinks are untrusted. The security posture hinges on trusted reporters and proper governance of the overall supply chain. Confidence: 1.00 Severity: 0.60 From: `?` → `npm/ava@8.0.1` → `npm/ava@6.4.1` → `npm/consola@3.4.2` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/consola@3.4.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm `css-select` is 100.0% likely to have a medium risk anomaly Notes: The analyzed code appears to be a legitimate and well-structured component of a CSS selector engine (css-select) implementing pseudo-selectors such as :is, :not, :has, :matches, and :where. There is no evidence of malicious behavior, data exfiltration, backdoors, or other supply-chain risky actions within this fragment. The security risk is low to moderate, contingent on the trustworthiness of the adapter implementation. Confidence: 1.00 Severity: 0.60 From: `?` → `npm/rollup-plugin-styles@4.0.0` → `npm/css-select@5.2.2` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/css-select@5.2.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm `css-tree` is 100.0% likely to have a medium risk anomaly Notes: The analyzed code is a standard, well-structured CSS-values parser fragment with no inherent malicious behavior detected. Security risk in isolation is low, assuming the tokenizer dependency is trusted and integrity-checked. Primary concerns are supply-chain risk via the external tokenizer and potential DoS from pathological inputs; otherwise, the module operates locally to tokenize and parse input strings into an AST without external side effects. Confidence: 1.00 Severity: 0.60 From: `?` → `npm/rollup-plugin-styles@4.0.0` → `npm/css-tree@2.2.1` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/css-tree@2.2.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm `css-tree` is 100.0% likely to have a medium risk anomaly Notes: The code is a standard, well-scoped parser fragment for a DSL-like FeatureFunction construct. It uses dynamic feature dispatch with proper balance checks and safe fallbacks, and emits a consistent AST node. No malicious behavior detected; the main risks relate to misconfiguration of the features map rather than code-level exploits. Confidence: 1.00 Severity: 0.60 From: `?` → `npm/rollup-plugin-styles@4.0.0` → `npm/css-tree@3.1.0` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/css-tree@3.1.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
See 32 more rows in the dashboard

View full report

coderabbitai

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/ui/package.json (1)

15-45: Critical: Tailwind v4 migration incomplete—build will fail due to missing configuration updates.

The upgrade to Tailwind v4 requires configuration and CSS syntax changes that are not present in this PR:

Missing required dependency: @tailwindcss/postcss not in package.json. Tailwind v4 moved the PostCSS plugin to a separate package; your postcss.config.js requires 'tailwindcss' which no longer exists as a plugin.

Outdated CSS directives:

packages/ui/src/common/styles/global.css: Change @tailwind utilities; to @import "tailwindcss";

packages/ui/src/common/styles/standalone.css: Likely needs same update

Incompatible preprocessor config: packages/ui/svelte.config.js has postcss: true which will fail when PostCSS can't load the tailwindcss plugin.

Required changes before merge:

Add "@tailwindcss/postcss": "next" to devDependencies (or use CSS-first approach by removing postcss config entirely)

Update all CSS files from @tailwind directives to @import "tailwindcss"

Run npm run build and npm run validate to verify the build succeeds

Confirm svelte-check passes with Svelte v3.55.0 + svelte-check v4.3.3

The OpenAI SDK upgrade (v5.23.2→6.5.0) appears compatible with your usage patterns.

🧹 Nitpick comments (1)

packages/ui/package.json (1)

29-29: Consider using a caret range for OpenAI to allow patch/minor updates.

The version is pinned to an exact semver (6.5.0) rather than using a caret range (^6.5.0). While pinning prevents accidental upgrades, it also blocks security patches and minor updates. Most projects use caret ranges for npm dependencies to balance safety and flexibility. If exact pinning is intentional, please document the rationale.

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 8073313 and 9c27729.

⛔ Files ignored due to path filters (1)

yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (2)

packages/ui/import_map.json (1 hunks)
packages/ui/package.json (2 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (10)

GitHub Check: boostsecurity - boostsecurityio/semgrep-pro
GitHub Check: check
GitHub Check: build (cairo, default)
GitHub Check: build (solidity, default)
GitHub Check: build (stellar, default)
GitHub Check: build (stellar, compile)
GitHub Check: build (stylus, default)
GitHub Check: format-lint
GitHub Check: mcp
GitHub Check: semgrep-cloud-platform/scan

🔇 Additional comments (2)

packages/ui/import_map.json (1)

4-4: Verify OpenAI SDK v6 compatibility—significant API migration required.

The OpenAI SDK v6 migrated from node-fetch to builtin fetch, which represents a breaking change. Before merging, you must verify that:

All application code consuming the OpenAI SDK has been updated to work with v6's API (e.g., method signatures, response shapes)

The application builds successfully with the new version

Existing tests pass with v6

Since the PR context shows no code changes related to OpenAI usage, there's a risk that dependent code is incompatible with v6.

packages/ui/package.json (1)

39-40: Verify Svelte ecosystem upgrade—ensure build tools meet minimum requirements.

Svelte 4 is mainly a maintenance release that increases the minimum version requirements, with Node.js 16 now the minimum version and TypeScript 5+ recommended. The package.json shows TypeScript ^5.9.3 (line 44), which satisfies requirements.

However, verify that:

The application builds successfully with svelte-check ^4.3.3

If using SvelteKit, it's version 1.20.4 or newer (check if applicable)

The validate script at line 12 (svelte-check) runs without errors

coderabbitai · 2025-10-17T20:10:59Z

-    "tailwindcss": "^3.4.18",
+    "svelte-check": "^4.3.3",
+    "svelte-preprocess": "^6.0.3",
+    "tailwindcss": "^4.1.14",


⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

⚠️ Tailwind CSS v4 requires significant configuration and CSS file updates—verify migration is complete.

Tailwind CSS v4.0 is a major version with necessary updates required from v3 to v4. This update introduces breaking changes that are NOT evident in this PR:

CSS imports: In v4 you import Tailwind using a regular CSS @import statement, not using the @tailwind directives

Preprocessor incompatibility: Tailwind CSS v4.0 is not designed to be used with CSS preprocessors like Sass, Less, or Stylus, and it is not possible to use Sass for <style> blocks in Svelte

Browser support: Tailwind CSS v4.0 is designed for Safari 16.4+, Chrome 111+, and Firefox 128+. If you need to support older browsers, stick with v3.4

Configuration: CSS-first config replaces JavaScript-based tailwind.config.js

The PR shows no corresponding updates to CSS files, Tailwind config, or SCSS/Sass removal. The upgrade tool will handle most of these changes automatically, but there's no evidence it was used. Without these changes, the build will likely fail or styles will break.

Verify the following before merging:

All CSS files have been updated to use @import "tailwindcss" instead of @tailwind directives

tailwind.config.js has been updated to CSS-first format (or removed if no custom config needed)

Any SCSS/Sass files have been converted to plain CSS or removed

The build completes successfully and styles render correctly

Run the following verification script:

🏁 Script executed:

#!/bin/bash # Find and list Tailwind-related config and CSS files echo "=== Tailwind Config Files ===" find . -name "tailwind.config.*" -o -name "tailwind.css" -o -name "global.css" | grep -v node_modules echo "" echo "=== SCSS/Sass Files (may be incompatible with Tailwind v4) ===" find . -name "*.scss" -o -name "*.sass" | grep -v node_modules | head -20 echo "" echo "=== CSS Files Mentioning @tailwind ===" rg -t css "@tailwind" --no-heading echo "" echo "=== SVG/Vue/Svelte Files with Style Blocks Using @tailwind ===" rg -t svelte -A2 "<style" | grep -A2 "@tailwind"

Length of output: 418

CSS files must be updated to use Tailwind v4 syntax—@tailwind directives are no longer supported.

In v4 you import Tailwind using a regular CSS @import statement, not using the @tailwind directives you used in v3. The PR updates tailwindcss to v4.1.14 but contains two CSS files that still use the deprecated v3 syntax:

packages/ui/src/standalone.css:@tailwind utilities;

packages/ui/src/common/styles/global.css:@tailwind utilities;

These files must be updated before this PR can be merged. Change @tailwind utilities; to @import "tailwindcss"; in both files.

Additional items to verify:

If tailwind.config.js contains custom configuration, it must be explicitly loaded with @config "../../tailwind.config.js"; at the top of your CSS file (or migrated to CSS-first format using @theme)

Ensure tailwind.config.js is no longer auto-detected in v4 and add the @config directive if needed

If any .svelte, .vue, or other component files use <style> blocks with Tailwind, verify they reference the updated CSS or use the new v4 syntax

socket-security · 2026-04-23T15:35:29Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Quality	Maintenance
	@openzeppelin/uniswap-hooks@1.2.1
	rollup-plugin-terser@7.0.2
	@fhevm/solidity@0.9.1
	@changesets/changelog-github@0.5.1
	jszip@3.10.1
	@uniswap/v4-core@1.0.2
	typescript-eslint@8.39.1
	highlightjs-cairo@0.4.0
	@types/semver@7.7.0
	@types/semver@7.7.1
	file-saver@2.0.5
	path-browserify@1.0.1
	@openzeppelin/confidential-contracts@0.3.1
	@types/file-saver@2.0.7
	@fhevm/hardhat-plugin@0.3.0-1
	@types/resize-observer-browser@0.1.11
	sirv-cli@3.0.1
	tippy.js@6.3.7
	rollup-plugin-livereload@2.0.5
	rollup-plugin-styles@4.0.0
	svelte@3.59.2
	hardhat@2.26.5 ⏵ 2.26.3		^-1	⁺¹
	@types/node@20.19.21
	@types/node@20.19.10
	@fhevm/mock-utils@0.1.0
	solidity-ast@0.4.60
	postcss-load-config@6.0.1
	ethereum-cryptography@1.2.0 ⏵ 3.2.0	⁺¹	⁺¹
	postcss@8.5.6
	rimraf@5.0.10
	@zama-fhe/relayer-sdk@0.3.0-5
	highlightjs-solidity@2.0.6
	@rollup/plugin-json@6.1.0
See 32 more rows in the dashboard

View full report

renovate Bot requested a review from a team as a code owner October 6, 2025 07:39

renovate Bot force-pushed the renovate/major-ui-deps-sync branch 5 times, most recently from e49ac46 to 394311c Compare October 8, 2025 16:38

renovate Bot force-pushed the renovate/major-ui-deps-sync branch 7 times, most recently from ab19736 to e5f0fb6 Compare October 15, 2025 13:35

renovate Bot force-pushed the renovate/major-ui-deps-sync branch 3 times, most recently from 2f3fb12 to 9c27729 Compare October 17, 2025 20:04

coderabbitai Bot reviewed Oct 17, 2025

View reviewed changes

renovate Bot force-pushed the renovate/major-ui-deps-sync branch 6 times, most recently from e3ed09e to 65753f3 Compare October 24, 2025 14:45

renovate Bot force-pushed the renovate/major-ui-deps-sync branch 5 times, most recently from 574305a to 84def4e Compare October 30, 2025 12:52

renovate Bot force-pushed the renovate/major-ui-deps-sync branch 5 times, most recently from 856b623 to 9ab9475 Compare November 18, 2025 03:44

renovate Bot force-pushed the renovate/major-ui-deps-sync branch 7 times, most recently from 9ceae70 to e56267c Compare December 1, 2025 18:54

renovate Bot force-pushed the renovate/major-ui-deps-sync branch 4 times, most recently from 886ad57 to 98f9d30 Compare December 9, 2025 16:52

renovate Bot force-pushed the renovate/major-ui-deps-sync branch 5 times, most recently from b394213 to 6bad696 Compare December 16, 2025 20:55

renovate Bot force-pushed the renovate/major-ui-deps-sync branch 2 times, most recently from ed2eab4 to d865f3b Compare December 20, 2025 08:50

renovate Bot force-pushed the renovate/major-ui-deps-sync branch 5 times, most recently from bed7122 to 67c2053 Compare January 12, 2026 17:31

Update ui deps sync

7986656

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update ui deps sync (major)#685

Update ui deps sync (major)#685
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/major-ui-deps-sync

renovate Bot commented Oct 6, 2025 •

edited

Loading

Uh oh!

coderabbitai Bot commented Oct 6, 2025 •

edited

Loading

Uh oh!

socket-security Bot commented Oct 8, 2025 •

edited

Loading

Uh oh!

coderabbitai Bot left a comment

Uh oh!

coderabbitai Bot Oct 17, 2025

Uh oh!

socket-security Bot commented Apr 23, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate Bot commented Oct 6, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

Breaking Changes

Bugfixes

Bugfixes

Bugfixes

Breaking Changes

Bugfixes

What's Changed

Breaking Changes

New Features

Other Changes

New Contributors

What's Changed

Bug Fixes

Chores

Features

Bug Fixes

Chores

Features

Features

Bug Fixes

Chores

Features

Bug Fixes

Chores

Features

Bug Fixes

Chores

Documentation

Features

Bug Fixes

Chores

Documentation

Features

Bug Fixes

Chores

Refactors

Features

Features

Features

Features

Bug Fixes

Features

Features

Chores

Features

Chores

Features

Bug Fixes

Chores

Features

Bug Fixes

Chores

Features

Features

Bug Fixes

Chores

Documentation

Features

Bug Fixes

Chores

Documentation

Features

Features

Features

Bug Fixes

Chores

Features

Bug Fixes

Chores

Features

Chores

Bug Fixes

Bug Fixes

Features

Features

Chores

renovate Bot commented Oct 6, 2025 •

edited

Loading