Skip to content

chore(deps): bump the npm_and_yarn group across 1 directory with 13 updates#2982

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-c3b279e660
Closed

chore(deps): bump the npm_and_yarn group across 1 directory with 13 updates#2982
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-c3b279e660

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 10, 2026

Copy link
Copy Markdown
Contributor

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

…pdates

---
updated-dependencies:
- dependency-name: js-cookie
  dependency-version: 3.0.7
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: ws
  dependency-version: 6.2.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: bn.js
  dependency-version: 5.2.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: bn.js
  dependency-version: 4.12.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: dompurify
  dependency-version: 3.4.11
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: qs
  dependency-version: 6.15.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: fast-uri
  dependency-version: 3.1.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: fast-xml-parser
  dependency-version: 5.9.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: form-data
  dependency-version: 4.0.6
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: launch-editor
  dependency-version: 2.14.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: mermaid
  dependency-version: 11.16.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: shell-quote
  dependency-version: 1.9.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: webpack
  dependency-version: 5.108.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: webpack-dev-server
  dependency-version: 5.2.6
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github

dependabot Bot commented on behalf of github Jul 10, 2026

Copy link
Copy Markdown
Contributor Author

Assignees

The following users could not be added as assignees: protocol-galileo. Either the username does not exist or it does not have the correct permissions to be added as an assignee.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 10, 2026
@dependabot dependabot Bot requested review from a team as code owners July 10, 2026 18:08
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 10, 2026
@vercel

vercel Bot commented Jul 10, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
metamask-docs Ready Ready Preview, Comment Jul 10, 2026 6:14pm

Request Review

@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updated@​metamask/​profile-sync-controller@​16.0.0 ⏵ 28.3.098 +110087 +298 -1100
Updatedjs-cookie@​3.0.5 ⏵ 3.0.7100100 +1610089 +2100
Updatedkatex@​0.16.27 ⏵ 0.16.4792 +1100100 +195100

View full report

@socket-security

Copy link
Copy Markdown

Caution

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action Severity Alert  (click "▶" to expand/collapse)
Block High
Obfuscated code: npm @metamask/snaps-controllers is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.jsonnpm/@metamask/profile-sync-controller@28.3.0npm/@metamask/snaps-controllers@19.0.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/snaps-controllers@19.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block High
Obfuscated code: npm mermaid is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.jsonnpm/@docusaurus/theme-mermaid@3.10.1npm/@mermaid-js/layout-elk@0.1.9npm/mermaid@11.16.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/mermaid@11.16.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block High
Publisher changed: npm ses is now published by kriscendobot

Author: kriscendobot

From: package-lock.jsonnpm/@metamask/profile-sync-controller@28.3.0npm/ses@2.2.0

ℹ Read more on: This package | This alert | What is unstable ownership?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ses@2.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block High
Obfuscated code: npm webpack is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.jsonnpm/@docusaurus/types@3.10.1npm/@docusaurus/core@3.10.1npm/@docusaurus/plugin-content-docs@3.10.1npm/@docusaurus/plugin-client-redirects@3.10.1npm/@docusaurus/plugin-google-gtag@3.10.1npm/@docusaurus/theme-common@3.10.1npm/@docusaurus/plugin-content-pages@3.10.1npm/@docusaurus/preset-classic@3.10.1npm/@docusaurus/plugin-google-tag-manager@3.10.1npm/@docusaurus/theme-mermaid@3.10.1npm/node-polyfill-webpack-plugin@2.0.1npm/docusaurus-plugin-sass@0.2.5npm/webpack@5.108.4

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/webpack@5.108.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm @ethersproject/web in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: package-lock.jsonnpm/@metamask/profile-sync-controller@28.3.0npm/@ethersproject/web@5.8.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ethersproject/web@5.8.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm @ethersproject/web in module http

Module: http

Location: Package overview

From: package-lock.jsonnpm/@metamask/profile-sync-controller@28.3.0npm/@ethersproject/web@5.8.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ethersproject/web@5.8.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm @ethersproject/web in module https

Module: https

Location: Package overview

From: package-lock.jsonnpm/@metamask/profile-sync-controller@28.3.0npm/@ethersproject/web@5.8.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ethersproject/web@5.8.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Potential security risk (AI signal): npm es-module-lexer is 70.0% likely risky

Notes: High-risk design primitive: the parser conditionally executes JavaScript via eval on substrings extracted from caller-controlled input (quoted-string heuristic). If parse() is used on untrusted data, this creates a plausible path to host-side code execution. Additionally, parse failures can leak input excerpts through thrown error messages. While no direct exfiltration/network activity is visible here, the embedded WASM makes full behavioral auditing difficult, so overall security posture should be treated as high risk, especially regarding eval-driven execution.

Confidence: 0.70

Severity: 0.75

From: package-lock.jsonnpm/@docusaurus/types@3.10.1npm/@docusaurus/core@3.10.1npm/@docusaurus/plugin-content-docs@3.10.1npm/@docusaurus/plugin-client-redirects@3.10.1npm/@docusaurus/plugin-google-gtag@3.10.1npm/@docusaurus/theme-common@3.10.1npm/@docusaurus/plugin-content-pages@3.10.1npm/@docusaurus/preset-classic@3.10.1npm/@docusaurus/plugin-google-tag-manager@3.10.1npm/@docusaurus/theme-mermaid@3.10.1npm/node-polyfill-webpack-plugin@2.0.1npm/docusaurus-plugin-sass@0.2.5npm/es-module-lexer@2.3.0

ℹ Read more on: This package | This alert | What are AI-detected potential security risks?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system identified potential security problems in this package. It is advised to review the package thoroughly and assess the potential risks before installation. You may also consider reporting the issue to the package maintainer or seeking alternative solutions with a stronger security posture.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/es-module-lexer@2.3.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Potential security risk (AI signal): npm ses is 70.0% likely risky

Notes: This module is a dynamic evaluator generator that ultimately performs eval(arguments[0]) on caller-supplied code, after dynamically generating and injecting destructuring bindings into a nested with(...) scope environment. While it does not itself show exfiltration/persistence behavior, it creates a high-impact arbitrary code execution primitive, which becomes a serious security risk if any attacker-controlled data reaches arguments[0] or the scope/context objects.

Confidence: 0.70

Severity: 0.80

From: package-lock.jsonnpm/@metamask/profile-sync-controller@28.3.0npm/ses@2.2.0

ℹ Read more on: This package | This alert | What are AI-detected potential security risks?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system identified potential security problems in this package. It is advised to review the package thoroughly and assess the potential risks before installation. You may also consider reporting the issue to the package maintainer or seeking alternative solutions with a stronger security posture.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ses@2.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Potential security risk (AI signal): npm webpack is 72.0% likely risky

Notes: No direct malware behaviors (exfiltration, command execution, backdoors) are evident in this fragment. However, there is a meaningful security risk: deserialize reads nested name values from untrusted file content and uses them to build filesystem paths containing a literal ../${name}. Without strict validation of name and safe path normalization, this can enable directory traversal and arbitrary file read/write within the permissions of the running process. Additional DOS risks exist via decompression/length handling.

Confidence: 0.72

Severity: 0.78

From: package-lock.jsonnpm/@docusaurus/types@3.10.1npm/@docusaurus/core@3.10.1npm/@docusaurus/plugin-content-docs@3.10.1npm/@docusaurus/plugin-client-redirects@3.10.1npm/@docusaurus/plugin-google-gtag@3.10.1npm/@docusaurus/theme-common@3.10.1npm/@docusaurus/plugin-content-pages@3.10.1npm/@docusaurus/preset-classic@3.10.1npm/@docusaurus/plugin-google-tag-manager@3.10.1npm/@docusaurus/theme-mermaid@3.10.1npm/node-polyfill-webpack-plugin@2.0.1npm/docusaurus-plugin-sass@0.2.5npm/webpack@5.108.4

ℹ Read more on: This package | This alert | What are AI-detected potential security risks?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system identified potential security problems in this package. It is advised to review the package thoroughly and assess the potential risks before installation. You may also consider reporting the issue to the package maintainer or seeking alternative solutions with a stronger security posture.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/webpack@5.108.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Potential security risk (AI signal): npm webpack is 65.0% likely risky

Notes: This module is primarily a programmable rules engine plus plugin-based compilation. It does not show classic malware behaviors (no network/filesystem/process/obfuscated payloads), but it intentionally executes function objects supplied via the ruleset (condition predicates and effect handlers) and executes arbitrary plugin code during construction/hook time. Therefore, the security posture hinges on strict trust boundaries for plugins and ruleSet. Additional risks include potential denial-of-service from unbounded recursion and possible information disclosure via error messages that include attacker-controlled values.

Confidence: 0.65

Severity: 0.70

From: package-lock.jsonnpm/@docusaurus/types@3.10.1npm/@docusaurus/core@3.10.1npm/@docusaurus/plugin-content-docs@3.10.1npm/@docusaurus/plugin-client-redirects@3.10.1npm/@docusaurus/plugin-google-gtag@3.10.1npm/@docusaurus/theme-common@3.10.1npm/@docusaurus/plugin-content-pages@3.10.1npm/@docusaurus/preset-classic@3.10.1npm/@docusaurus/plugin-google-tag-manager@3.10.1npm/@docusaurus/theme-mermaid@3.10.1npm/node-polyfill-webpack-plugin@2.0.1npm/docusaurus-plugin-sass@0.2.5npm/webpack@5.108.4

ℹ Read more on: This package | This alert | What are AI-detected potential security risks?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system identified potential security problems in this package. It is advised to review the package thoroughly and assess the potential risks before installation. You may also consider reporting the issue to the package maintainer or seeking alternative solutions with a stronger security posture.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/webpack@5.108.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Publisher changed: npm http-errors is now published by ulisesgascon instead of dougwilson

New Author: ulisesgascon

Previous Author: dougwilson

From: package-lock.jsonnpm/@docusaurus/core@3.10.1npm/http-errors@2.0.1

ℹ Read more on: This package | This alert | What is new author?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/http-errors@2.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Publisher changed: npm ses is now published by kriscendobot instead of boneskull

New Author: kriscendobot

Previous Author: boneskull

From: package-lock.jsonnpm/@metamask/profile-sync-controller@28.3.0npm/ses@2.2.0

ℹ Read more on: This package | This alert | What is new author?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ses@2.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Publisher changed: npm statuses is now published by ulisesgascon instead of dougwilson

New Author: ulisesgascon

Previous Author: dougwilson

From: package-lock.jsonnpm/@docusaurus/core@3.10.1npm/statuses@2.0.2

ℹ Read more on: This package | This alert | What is new author?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/statuses@2.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm @webassemblyjs/helper-buffer is 69.0% likely to have a medium risk anomaly

Notes: The code is a focused utility to compare two wasm binary buffers by decoding them into textual dumps and diffing the results. It does not exhibit data exfiltration or network activity. The main concern is the temporary override of console.log, which could affect the host environment or other concurrent code. Overall, functional risk is moderate due to side effects rather than a security vulnerability.

Confidence: 0.69

Severity: 0.60

From: package-lock.jsonnpm/@docusaurus/types@3.10.1npm/@docusaurus/core@3.10.1npm/@docusaurus/plugin-content-docs@3.10.1npm/@docusaurus/plugin-client-redirects@3.10.1npm/@docusaurus/plugin-google-gtag@3.10.1npm/@docusaurus/theme-common@3.10.1npm/@docusaurus/plugin-content-pages@3.10.1npm/@docusaurus/preset-classic@3.10.1npm/@docusaurus/plugin-google-tag-manager@3.10.1npm/@docusaurus/theme-mermaid@3.10.1npm/node-polyfill-webpack-plugin@2.0.1npm/docusaurus-plugin-sass@0.2.5npm/@webassemblyjs/helper-buffer@1.14.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@webassemblyjs/helper-buffer@1.14.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm @webassemblyjs/helper-wasm-section is 78.0% likely to have a medium risk anomaly

Notes: The code appears to be a legitimate utility for inserting an empty section into a WebAssembly module binary and updating both the in-memory AST and the binary buffer. There is no evidence of data leakage, remote control, or malicious behavior in this fragment.

Confidence: 0.78

Severity: 0.60

From: package-lock.jsonnpm/@docusaurus/types@3.10.1npm/@docusaurus/core@3.10.1npm/@docusaurus/plugin-content-docs@3.10.1npm/@docusaurus/plugin-client-redirects@3.10.1npm/@docusaurus/plugin-google-gtag@3.10.1npm/@docusaurus/theme-common@3.10.1npm/@docusaurus/plugin-content-pages@3.10.1npm/@docusaurus/preset-classic@3.10.1npm/@docusaurus/plugin-google-tag-manager@3.10.1npm/@docusaurus/theme-mermaid@3.10.1npm/node-polyfill-webpack-plugin@2.0.1npm/docusaurus-plugin-sass@0.2.5npm/@webassemblyjs/helper-wasm-section@1.14.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@webassemblyjs/helper-wasm-section@1.14.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm @webassemblyjs/wasm-edit is 68.0% likely to have a medium risk anomaly

Notes: The analyzed code is a WASM binary editor utility that applies structural edits (add/update/delete) to a WASM module by manipulating an AST and an in-memory byte buffer. It carefully maintains section sizes and node locations to preserve a consistent binary, and performs validations for certain node types (Func, Global) to ensure proper termination of expressions. There is no indication of malicious behavior, such as data exfiltration, arbitrary code execution, or external network access. The primary risk is operational: incorrect or malicious op sequences could corrupt the wasm binary. With trusted inputs, the component is appropriate for its purpose.

Confidence: 0.68

Severity: 0.55

From: package-lock.jsonnpm/@docusaurus/types@3.10.1npm/@docusaurus/core@3.10.1npm/@docusaurus/plugin-content-docs@3.10.1npm/@docusaurus/plugin-client-redirects@3.10.1npm/@docusaurus/plugin-google-gtag@3.10.1npm/@docusaurus/theme-common@3.10.1npm/@docusaurus/plugin-content-pages@3.10.1npm/@docusaurus/preset-classic@3.10.1npm/@docusaurus/plugin-google-tag-manager@3.10.1npm/@docusaurus/theme-mermaid@3.10.1npm/node-polyfill-webpack-plugin@2.0.1npm/docusaurus-plugin-sass@0.2.5npm/@webassemblyjs/wasm-edit@1.14.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@webassemblyjs/wasm-edit@1.14.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm @webassemblyjs/wasm-parser is 75.0% likely to have a medium risk anomaly

Notes: The code is a legitimate WebAssembly binary decoder/AST builder. It decodes a WASM module into a rich AST representation without performing harmful actions, network activity, or data exfiltration. The primary security considerations are ensuring trust in the library's source and keeping dependencies current, as with any third-party tool. If kept updated and used with proper input validation, the component poses no immediate malicious risk based on this fragment.

Confidence: 0.75

Severity: 0.50

From: package-lock.jsonnpm/@docusaurus/types@3.10.1npm/@docusaurus/core@3.10.1npm/@docusaurus/plugin-content-docs@3.10.1npm/@docusaurus/plugin-client-redirects@3.10.1npm/@docusaurus/plugin-google-gtag@3.10.1npm/@docusaurus/theme-common@3.10.1npm/@docusaurus/plugin-content-pages@3.10.1npm/@docusaurus/preset-classic@3.10.1npm/@docusaurus/plugin-google-tag-manager@3.10.1npm/@docusaurus/theme-mermaid@3.10.1npm/node-polyfill-webpack-plugin@2.0.1npm/docusaurus-plugin-sass@0.2.5npm/@webassemblyjs/wasm-parser@1.14.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@webassemblyjs/wasm-parser@1.14.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm es-module-lexer is 62.0% likely to have a medium risk anomaly

Notes: The package/dist/lexer.js WebAssembly-based parser exposes a parse() function that can feed attacker-controlled substrings into eval() during token parsing, creating a potential arbitrary JavaScript execution pathway in the current context. A quote-prefix heuristic is used to gate what reaches eval, but unsafe input can still reach the dynamic evaluator. Additional risks include DoS from WASM memory growth and information disclosure through error messages containing attacker-controlled content.

Confidence: 0.62

Severity: 0.60

From: package-lock.jsonnpm/@docusaurus/types@3.10.1npm/@docusaurus/core@3.10.1npm/@docusaurus/plugin-content-docs@3.10.1npm/@docusaurus/plugin-client-redirects@3.10.1npm/@docusaurus/plugin-google-gtag@3.10.1npm/@docusaurus/theme-common@3.10.1npm/@docusaurus/plugin-content-pages@3.10.1npm/@docusaurus/preset-classic@3.10.1npm/@docusaurus/plugin-google-tag-manager@3.10.1npm/@docusaurus/theme-mermaid@3.10.1npm/node-polyfill-webpack-plugin@2.0.1npm/docusaurus-plugin-sass@0.2.5npm/es-module-lexer@2.3.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/es-module-lexer@2.3.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm mermaid is 62.0% likely to have a medium risk anomaly

Notes: No direct evidence of overt malware (network exfiltration, credential theft, filesystem/process actions) is present in the provided fragment. The main supply-chain/security concern is the presence of direct dynamic code execution via (0,eval)(e) and dynamic global access via Function('return this')(), plus heavy dynamic RegExp compilation/execution that can amplify availability risks when patterns are untrusted. Malware intent cannot be confirmed from this excerpt, but the eval primitive should be treated as high priority for audit and for verifying whether attacker-controlled data can reach jd()/eval at runtime.

Confidence: 0.62

Severity: 0.58

From: package-lock.jsonnpm/@docusaurus/theme-mermaid@3.10.1npm/@mermaid-js/layout-elk@0.1.9npm/mermaid@11.16.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/mermaid@11.16.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm ses is 70.0% likely to have a medium risk anomaly

Notes: The file package/dist/ses.umd.min.js contains an SES/Compartment-based module loader/runtime fragment that uses dynamic evaluation and can modify global intrinsics. While heavily obfuscated, there is no evidence of malware behavior such as data exfiltration or backdoors; the behavior aligns with sandbox hardening rather than active exploitation.

Confidence: 0.70

Severity: 0.35

From: package-lock.jsonnpm/@metamask/profile-sync-controller@28.3.0npm/ses@2.2.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ses@2.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

See 3 more rows in the dashboard

View full report

@dependabot @github

dependabot Bot commented on behalf of github Jul 13, 2026

Copy link
Copy Markdown
Contributor Author

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/npm_and_yarn-c3b279e660 branch July 13, 2026 08:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant