[Snyk] Fix for 3 vulnerabilities

[Dustin4444]

Snyk has created this PR to fix 3 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

• package.json

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

⚠️ Warning

Failed to update the yarn.lock, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

	Issue	Score
	Regular Expression Denial of Service (ReDoS) SNYK-JS-CROSSSPAWN-8303230	756
	Origin Validation Error SNYK-JS-PARCELREPORTERDEVSERVER-12878606	621
	Regular Expression Denial of Service (ReDoS) SNYK-JS-BRACEEXPANSION-9789073	436

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Regular Expression Denial of Service (ReDoS)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
datatracker	Error		Feb 8, 2026 11:13pm

[coderabbitai]

Important

Review skipped

Ignore keyword(s) in the title.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

• 🔍 Trigger a full review

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch snyk-fix-fe3d87ab3b1910caae06e5081be03e45

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Summary of Changes

Hello @Dustin4444, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request, automatically generated by Snyk, focuses on improving the project's security by updating critical development dependencies. The primary objective is to remediate three identified vulnerabilities, which vary in severity from low to high, through the upgrade of html-validate and parcel to their latest secure versions. This ensures the project benefits from the most recent security patches and enhancements.

Highlights

• Dependency Upgrades: The html-validate dependency has been upgraded from version 8.18.1 to 10.5.0.
• Dependency Upgrades: The parcel dependency has been upgraded from version 2.12.0 to 2.16.4.
• Vulnerability Fixes: This PR addresses three vulnerabilities: a high-severity Regular Expression Denial of Service (ReDoS), a medium-severity Origin Validation Error, and a low-severity Regular Expression Denial of Service (ReDoS).

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• package.json
  • Updated html-validate from 8.18.1 to 10.5.0.
  • Updated parcel from 2.12.0 to 2.16.4.

Activity

• This pull request was automatically created by Snyk to fix identified vulnerabilities.
• A warning has been issued that the yarn.lock file failed to update and requires manual intervention before merging.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request from Snyk aims to fix three security vulnerabilities by upgrading html-validate and parcel dependencies. While these upgrades are important for security, the pull request is incomplete because the yarn.lock file has not been updated. As the PR description warns, this is a critical issue that must be addressed before merging. Without an updated lock file, your project may not use the specified new versions, leaving the vulnerabilities unresolved in your application. Please run yarn install (or yarn) to update yarn.lock. If you are using Yarn's zero-installs feature, this will also update the .yarn/cache directory, which should also be committed.

[gemini-code-assist]

The dependencies html-validate and parcel have been updated, but the yarn.lock file has not been updated to reflect these changes. This can lead to inconsistent dependency resolution and may mean the security vulnerabilities are not actually fixed. Please run yarn install (or simply yarn with Yarn v2+) and commit the resulting changes to yarn.lock and, if applicable, the .yarn/cache directory.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	nanoid@​5.1.5
	nanoid-dictionary@​5.0.0
	@​octokit/​core@​4.2.4

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Network access: npm @octokit/endpoint in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: dev/del-old-packages/package-lock.json → npm/@octokit/core@4.2.4 → npm/@octokit/endpoint@7.0.3 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@octokit/endpoint@7.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm @octokit/request in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: dev/del-old-packages/package-lock.json → npm/@octokit/core@4.2.4 → npm/@octokit/request@6.2.2 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@octokit/request@6.2.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm @octokit/types in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: dev/del-old-packages/package-lock.json → npm/@octokit/core@4.2.4 → npm/@octokit/types@9.0.0 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@octokit/types@9.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm @types/node in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: dev/deploy-to-container/package-lock.json → npm/dockerode@4.0.6 → npm/@types/node@22.10.5 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@types/node@22.10.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm node-fetch in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: dev/del-old-packages/package-lock.json → npm/@octokit/core@4.2.4 → npm/node-fetch@2.6.7 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/node-fetch@2.6.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm node-fetch in module http Module: http Location: Package overview From: dev/del-old-packages/package-lock.json → npm/@octokit/core@4.2.4 → npm/node-fetch@2.6.7 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/node-fetch@2.6.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm node-fetch in module https Module: https Location: Package overview From: dev/del-old-packages/package-lock.json → npm/@octokit/core@4.2.4 → npm/node-fetch@2.6.7 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/node-fetch@2.6.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm undici-types in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: dev/deploy-to-container/package-lock.json → npm/dockerode@4.0.6 → npm/undici-types@6.20.0 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici-types@6.20.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm @octokit/endpoint URLs: https://api.github.com, https://fetch.spec.whatwg.org/#methods Location: Package overview From: dev/del-old-packages/package-lock.json → npm/@octokit/core@4.2.4 → npm/@octokit/endpoint@7.0.3 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@octokit/endpoint@7.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm @octokit/types URLs: https://example.com/foo/bar, https://enterprise.acme-inc.com/api/v3, https://enterprise.acme-inc.com/api/v3/orgs/ Location: Package overview From: dev/del-old-packages/package-lock.json → npm/@octokit/core@4.2.4 → npm/@octokit/types@9.0.0 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@octokit/types@9.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm @types/node URLs: https://nodejs.org/docs/latest-v22.x/api/test.html#test-runner-execution-model, https://nodejs.org/api/cli.html#--experimental-test-snapshots, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Data_structures#String_type, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Data_structures#Number_type, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/BigInt, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Data_structures#Boolean_type, readable.map, https://nodejs.org/docs/latest-v22.x/api/process.html#a-note-on-process-io, https://github.com/nodejs/node/blob/v22.x/lib/console.js, https://developer.mozilla.org/en-US/docs/Glossary/Falsy, https://nodejs.org/docs/latest-v22.x/api/util.html#utilformatformat-args, https://developer.mozilla.org/en-US/docs/Glossary/Truthy, https://nodejs.org/docs/latest-v22.x/api/util.html#utilinspectobject-options, http://man7.org/linux/man-pages/man3/printf.3.html, https://nodejs.org/docs/latest-v22.x/api/process.html#processstdout, https://nodejs.org/docs/latest-v22.x/api/process.html#processstderr, example.org, 93.184.216.34, archive.org, nodejs.org, example.com, https://nodejs.org/docs/latest-v22.x/api/errors.html#class-error, https://nodejs.org/docs/latest-v22.x/api/util.html#utilpromisifyoriginal, https://tools.ietf.org/html/rfc8482, https://nodejs.org/docs/latest-v22.x/api/dns.html#error-codes, https://nodejs.org/docs/latest-v22.x/api/dns.html#dnspromiseslookuphostname-options, https://tools.ietf.org/html/rfc5952#section-6, https://man7.org/linux/man-pages/man5/resolv.conf.5.html, https://datatracker.ietf.org/doc/html/rfc5952#section-6, https://nodejs.org/docs/latest-v22.x/api/cli.html#--dns-result-orderorder, https://nodejs.org/docs/latest-v22.x/api/worker_threads.html, 4.4.4.4, 0.0.0.0, http://man7.org/linux/man-pages/man2/fdatasync.2.html, http://man7.org/linux/man-pages/man2/fsync.2.html, https://developer.mozilla.org/en-US/docs/Web/API/ArrayBufferView, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Error, https://docs.microsoft.com/en-us/windows/desktop/FileIO/naming-a-file, https://docs.microsoft.com/en-us/windows/desktop/FileIO/using-streams, http://man7.org/linux/man-pages/man2/readlink.2.html, http://man7.org/linux/man-pages/man2/lstat.2.html, http://man7.org/linux/man-pages/man2/link.2.html, http://man7.org/linux/man-pages/man2/unlink.2.html, https://tc39.github.io/ecma262/#sec-asynciterable-interface, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Iteration_protocols#The_iterable_protocol, http://man7.org/linux/man-pages/man3/opendir.3.html, encrypted.google.com, github.com, https://encrypted.google.com/, https://nodejs.org/docs/latest-v22.x/api/async_hooks.html#promise-execution-tracking, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Uint8Array, https://developer.mozilla.org/en-US/docs/Web/API/Blob, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/ArrayBuffer, https://developer.mozilla.org/en-US/docs/Web/API/File, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/length, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/DataView, https://developer.mozilla.org/en-US/docs/Web/JavaScript/-, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/stringify, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/TypedArray/set, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/indexOf, https://nodejs.org/api/buffer.html#class-blob, https://www.openssl.org/docs/man1.1.1/man3/SSL_CIPHER_get_name.html, https://tools.ietf.org/html/rfc5929, options.ca, https://nodejs.org/docs/latest-v22.x/api/modules.md#loading-ecmascript-modules-using-require, fs.read, README.md, process.report.directory, https://nodejs.org/docs/latest-v22.x/api/os.html#dlopen-constants, http://man7.org/linux/man-pages/man2/getgid.2.html, http://man7.org/linux/man-pages/man2/setgid.2.html, http://man7.org/linux/man-pages/man2/getuid.2.html, http://man7.org/linux/man-pages/man2/setuid.2.html, http://man7.org/linux/man-pages/man2/geteuid.2.html, http://man7.org/linux/man-pages/man2/seteuid.2.html, http://man7.org/linux/man-pages/man2/getegid.2.html, http://man7.org/linux/man-pages/man2/setegid.2.html, https://sourcemaps.info/spec.html, http://man7.org/linux/man-pages/man2/kill.2.html, process.pid, https://github.com/nodejs/node/blob/HEAD/BUILDING.md#androidandroid-based-devices-eg-firefox-os, https://nodejs.org/en/docs/guides/event-loop-timers-and-nexttick/#process-nexttick, https://nodejs.org/api/cli.html#--experimental-permission, https://nodejs.org/api/permissions.html#permission-model, https://nodejs.org/download/release/v18.12.0/node-v18.12.0.tar.gz, https://nodejs.org/download/release/v18.12.0/node-v18.12.0-headers.tar.gz, https://nodejs.org/download/release/v18.12.0/win-x64/node.lib, https://nodejs.org/docs/latest-v22.x/api/report.html, process.report, https://github.com/nodejs/node/blob/v22.x/src/node_sea.cc, https://nodejs.org/docs/latest-v22.x/api/cli.html#warning-binding-inspector-to-a-public-ipport-combination-is-insecure, ws://127.0.0.1:9229/166e272e-7a30-4d09-97ce-f1c012b43c34, https://nodejs.org/en/docs/inspector, https://github.com/nodejs/node/blob/v22.x/lib/inspector/promises.js, https://chromedevtools.github.io/devtools-protocol/v8/, 224.0.0.114, 127.0.0.1, https://en.wikipedia.org/wiki/IPv6_address#Scoped_literal_IPv6_addresses, https://tools.ietf.org/html/rfc4007, 10.0.0.2, 127.0.0.1:8000, process.env.HOST, req.headers.host, https://nodejs.org/docs/latest-v22.x/api/net.html#socketconnectoptions-connectlistener, performanceEntry.name, https://w3c.github.io/hr-time/#dom-performance-timeorigin, https://developer.mozilla.org/en-US/docs/Web/API/Performance/toJSON, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Equality, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Inequality, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/is, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Classes, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions, https://nodejs.org/docs/latest-v22.x/api/errors.html#err_invalid_return_value, http://man7.org/linux/man-pages/man3/readdir.3.html, http://man7.org/linux/man-pages/man2/mkdir.2.html, http://man7.org/linux/man-pages/man2/pwrite.2.html, fs.watch, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Number/MAX_SAFE_INTEGER, xn--fsq.com, xn--maana-pta.com, ana.com, xn----dqo34k.com, https://docs.libuv.org/en/v1.x/misc.html#c.uv_available_parallelism, https://linux.die.net/man/3/uname, https://en.wikipedia.org/wiki/Uname#Examples, https://nodejs.org/docs/latest-v22.x/api/errors.html#class-systemerror, https://nodejs.org/docs/latest-v22.x/api/process.html#processarch, 4.4.4.4:1053, https://nodejs.org/docs/latest-v20.x/api/errors.html#class-error, https://nodejs.org/docs/latest-v20.x/api/dns.html#error-codes, https://nodejs.org/docs/latest-v20.x/api/dns.html#dnspromiseslookuphostname-options, https://nodejs.org/docs/latest-v20.x/api/dns.html#dnspromisessetdefaultresultorderorder, https://nodejs.org/docs/latest-v20.x/api/cli.html#--dns-result-orderorder, https://nodejs.org/docs/latest-v20.x/api/worker_threads.html, https://nodejs.org/dist/latest-v22.x/docs/api/repl.html#repl_customizing_repl_output, https://nodejs.org/dist/latest-v22.x/docs/api/readline.html#readline_use_of_the_completer_function, https://nodejs.org/dist/latest-v22.x/docs/api/repl.html#repl_commands_and_special_keys, https://nodejs.org/dist/latest-v22.x/docs/api/repl.html#repl_assignment_of_the_underscore_variable, https://nodejs.org/dist/latest-v22.x/docs/api/repl.html#repl_class_replserver, https://nodejs.org/docs/latest-v22.x/api/child_process.html#child_processspawncommand-args-options, https://nodejs.org/docs/latest-v22.x/api/child_process.html#advanced-serialization, https://nodejs.org/docs/latest-v22.x/api/child_process.html#child_processforkmodulepath-args-options, https://nodejs.org/docs/latest-v22.x/api/child_process.html#subprocesssendmessage-sendhandle-options-callback, https://nodejs.org/docs/latest-v22.x/api/process.html#processkillpid-signal, http://example.org:8000, https://example.org:80, https://example.org/foo/bar, https://example.org, http2stream.id, https://example.com, request.stream, http://example.com, http://example.com/status?name=ryan, https://nodejs.org/docs/latest-v22.x/api/errors.html#class-typeerror, response.stream, https://tools.ietf.org/html/rfc7540, https://http2.github.io/faq/#does-http2-require-encryption, https://github.com/nodejs/node/blob/v22.x/lib/child_process.js, subprocess.channel, https://nodejs.org/docs/latest-v22.x/api/net.html#class-netsocket, https://nodejs.org/docs/latest-v22.x/api/net.html#class-netserver, https://nodejs.org/docs/latest-v22.x/api/dgram.html#class-dgramsocket, test.sh, https://nodejs.org/docs/latest-v22.x/api/v8.html, https://www.chromium.org/developers/how-tos/trace-event-profiling-tool, https://nodejs.org/docs/latest-v22.x/api/worker_threads.html#class-worker, https://github.com/nodejs/node/blob/v22.x/lib/trace_events.js, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/isArray, https://github.com/nodejs/node/issues/4179, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/constructor, options.stream, https://bmeck.github.io/node-proposal-mime-api/, https://github.com/WebAssembly/wabt, https://github.com/nodejs/node/blob/v22.x/lib/wasi.js, https://v8docs.nodesource.com/node-13.2/d5/dda/classv8_1_1_isolate.html#a6079122af17612ef54ef3348ce170866, https://nodejs.org/docs/latest-v22.x/api/cli.html#--heapsnapshot-near-heap-limitmax_count, https://developer.mozilla.org/en-US/docs/Web/API/MessagePort/onmessage, https://developer.mozilla.org/en-US/docs/Web/API/EventTarget, https://nodejs.org/api/globals.html#broadcastchannel, https://nodejs.org/api/globals.html#messagechannel, https://github.com/nodejs/node/blob/v22.x/lib/crypto.js, https://www.openssl.org/docs/man3.0/man1/openssl-spkac.html, https://nodejs.org/dist/latest-v22.x/docs/api/crypto.html#crypto-constants, https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html, https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html., https://en.wikipedia.org/wiki/Initialization_vector, https://www.rfc-editor.org/rfc/rfc2412.txt, https://www.rfc-editor.org/rfc/rfc3526.txt, https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf, https://en.wikipedia.org/wiki/Fisher%E2%80%93Yates_shuffle#Modulo_bias, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Number/isSafeInteger, https://www.w3.org/TR/capability-urls/, https://nodejs.org/docs/latest-v22.x/api/buffer.html#buffers-and-character-encodings, https://www.rfc-editor.org/rfc/rfc4122.txt, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532, https://www.rfc-editor.org/rfc/rfc2818.txt, https://www.rfc-editor.org/rfc/rfc5280.txt, https://nodejs.org/docs/latest/api/webcrypto.html, https://nodejs.org/docs/latest/api/webcrypto.html#cryptokeyusages, https://tools.ietf.org/html/rfc7517, https://example.com/some/path?page=1&#x26, urlObject.host, urlObject.search, http://example.com/, http://example.com/one, http://example.com/two, https://tools.ietf.org/html/rfc5891#section-4.4, https://url.spec.whatwg.org/#example-url-parsing, https://example.org/, https://example.org/foo#bar, https://example.org/foo#baz, https://example.org:81/foo, https://example.com:82/foo, url.host, https://example.com:81/foo, https://example.org:82/foo, https://example.org/foo, https://example.com/bar, https://example.org/foo/bar?baz, https://example.org/abc/xyz?123, https://example.org/abcdef?123, https://example.org:8888, https://example.org:1234/, ftp://example.org/, https://example.org/abc?123, https://example.org/abc?abc=xyz, https://example.org/abc?foo=~bar, https://www.example.com, https://test.example.org, https://www.example.com/, https://test.example.org/, https://example.org/?abc=123, https://example.org/?abc=123&#x26, https://example.org/?a=b, https://example.org/?a=b&#x26, https://nodejs.org/docs/latest-v22.x/api/vm.html#support-of-dynamic-import-in-compilation-apis, https://nodejs.org/docs/latest-v22.x/api/vm.html#what-does-it-mean-to-contextify-an-object, https://nodejs.org/docs/latest-v22.x/api/vm.html#scriptrunincontextcontextifiedobject-options, https://es5.github.io/#x15.1, http://127.0.0.1:8124/, https://tc39.es/ecma262/#sec-cyclic-module-records, https://tc39.es/ecma262/#sec-hostresolveimportedmodule, https://tc39.es/ecma262/#sec-moduledeclarationlinking, https://tc39.es/ecma262/#sec-source-text-module-records, https://heycam.github.io/webidl/#synthetic-module-records, https://developer.mozilla.org/docs/Web/API/Storage/setItem, https://developer.mozilla.org/docs/Web/API/DOMException/code, https://developer.mozilla.org/docs/Web/API/DOMException/message, https://developer.mozilla.org/docs/Web/API/DOMException/name, https://v8.dev/docs/stack-trace-api#customizing-stack-traces, https://github.com/microsoft/TypeScript/blob/38da7c600c83e7b31193a62495239a0fe478cb67/lib/lib.webworker.d.ts#L633, https://developer.mozilla.org/docs/Web/API/Storage, https://developer.mozilla.org/en-US/docs/Web/API/Window/localStorage, https://developer.mozilla.org/en-US/docs/Web/API/Window/sessionStorage, https://developer.mozilla.org/docs/Web/API/DOMException, 192.168.1.1, 74.125.127.100, 123.123.123.123, 10.0.0.1, 10.0.0.10, 10.0.0.3, 222.111.111.222, 127.000.000.001, 127.0.0.1/24, https://www.sqlite.org/c3ref/changes.html Location: Package overview From: dev/deploy-to-container/package-lock.json → npm/dockerode@4.0.6 → npm/@types/node@22.10.5 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@types/node@22.10.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm before-after-hook URLs: https://git.io/upgrade-before-after-hook-to-1.4 Location: Package overview From: dev/del-old-packages/package-lock.json → npm/@octokit/core@4.2.4 → npm/before-after-hook@2.2.3 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/before-after-hook@2.2.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm html-validate URLs: http://json-schema.org/draft-06/schema#, https://html-validate.org/schemas/elements.json, https://html-validate.org/rules/allowed-links.html, https://html-validate.org/rules/area-alt.html, https://html-validate.org/rules/aria-hidden-body.html, https://html-validate.org/rules/aria-label-misuse.html, https://html-validate.org/rules/attr-case.html, https://html-validate.org/rules/attr-quotes.html, https://html-validate.org/rules/hidden-focusable.html, https://html-validate.org/rules/id-pattern.html, https://html-validate.org/rules/input-attributes.html, https://html-validate.org/rules/input-missing-label.html, https://html-validate.org/rules/long-title.html, https://html-validate.org/rules/map-dup-name.html, https://html-validate.org/rules/map-id-name.html, https://html-validate.org/rules/meta-refresh.html, https://html-validate.org/rules/prefer-button.html, https://html-validate.org/rules/prefer-native-element.html, https://html-validate.org/rules/prefer-tbody.html, https://html-validate.org/rules/require-csp-nonce.html, https://html-validate.org/rules/require-sri.html, https://html-validate.org/rules/script-element.html, https://html-validate.org/rules/script-type.html, https://html-validate.org/rules/svg-focusable.html, https://html-validate.org/rules/tel-non-breaking.html, https://html-validate.org/rules/text-content.html, https://html-validate.org/rules/unique-landmark.html, https://html.spec.whatwg.org/multipage/named-characters.html, https://html-validate.org/rules/unrecognized-char-ref.html, https://html-validate.org/rules/valid-autocomplete.html, https://html-validate.org/rules/valid-id.html, https://html-validate.org/rules/void-content.html, https://html-validate.org/rules/void-style.html, https://html-validate.org/rules/wcag/h30.html, https://html-validate.org/rules/wcag/h32.html, https://html-validate.org/rules/wcag/h36.html, https://html-validate.org/rules/wcag/h37.html, https://html-validate.org/rules/wcag/h63.html, https://html-validate.org/rules/wcag/h67.html, https://html-validate.org/rules/wcag/h71.html, https://html-validate.org/schemas/config.json, https://gitlab.com/html-validate/html-validate/issues/new, https://git-scm.com/docs/gitignore, https://git-scm.com/docs/gitignore/2.22.1, http://html-validate.org/rules/presets.html, input.data Location: Package overview From: ? → npm/html-validate@10.5.0 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/html-validate@10.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm node-fetch URLs: https://fetch.spec.whatwg.org/#concept-body-total-bytes, https://tools.ietf.org/html/rfc3986#section-3.1, https://tools.ietf.org/html/rfc3986#section-4.3, https://github.com/bitinn/node-fetch, http://stackoverflow.com/questions/37519828 Location: Package overview From: dev/del-old-packages/package-lock.json → npm/@octokit/core@4.2.4 → npm/node-fetch@2.6.7 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/node-fetch@2.6.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm node-fetch is 100.0% likely to have a medium risk anomaly Notes: The analyzed code appears to be a standard, legitimate node-fetch-like implementation with robust redirect handling, proper decompression, and careful header management to mitigate cross-domain credential leakage. No malicious activity detected within this fragment. Security risk remains tied to network communication and dependency supply chain (need to keep versions updated and monitor CVEs).Recommendation: treat as safe within typical usage; continue standard dependency hygiene (version pinning, audit for CVEs, and monitor for upstream changes). Confidence: 1.00 Severity: 0.60 From: dev/del-old-packages/package-lock.json → npm/@octokit/core@4.2.4 → npm/node-fetch@2.6.7 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/node-fetch@2.6.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm undici-types URLs: https://fetch.spec.whatwg.org/#body-mixin, https://mimesniff.spec.whatwg.org/#parse-a-mime-type, https://tools.ietf.org/html/rfc7230#section-6.3.2, https://developer.mozilla.org/en-US/docs/Web/API/Blob, https://developer.mozilla.org/en-US/docs/Web/API/File Location: Package overview From: dev/deploy-to-container/package-lock.json → npm/dockerode@4.0.6 → npm/undici-types@6.20.0 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici-types@6.20.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report