Skip to content

Bump the npm_and_yarn group across 1 directory with 25 updates#10

Open
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/npm_and_yarn/npm_and_yarn-ae1e330037
Open

Bump the npm_and_yarn group across 1 directory with 25 updates#10
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/npm_and_yarn/npm_and_yarn-ae1e330037

Conversation

@dependabot
Copy link
Copy Markdown

@dependabot dependabot bot commented on behalf of github Sep 30, 2025

Bumps the npm_and_yarn group with 24 updates in the / directory:

Package From To
@babel/runtime 7.5.5 7.26.10
@babel/traverse 7.5.5 7.28.4
ajv 6.10.2 6.12.6
base-x 3.0.6 3.0.11
bl 1.2.2 1.2.3
browserify-sign 4.0.4 4.2.5
cached-path-relative 1.0.2 1.1.0
cipher-base 1.0.4 1.0.7
copy-props 2.0.4 2.0.5
cross-fetch 2.2.3 2.2.6
decode-uri-component 0.2.0 0.2.2
decompress 4.2.0 4.2.1
express 4.17.1 4.21.2
fsevents 1.2.9 1.2.13
ini 1.3.5 1.3.8
minimist 1.2.5 1.2.8
path-parse 1.0.6 1.0.7
qs 6.5.2 6.5.3
secp256k1 3.7.1 3.8.1
sha.js 2.4.11 2.4.12
shell-quote 1.7.1 1.8.3
simple-get 2.8.1 2.8.2
y18n 3.2.1 3.2.2
yargs-parser 5.0.0 5.0.1

Updates @babel/runtime from 7.5.5 to 7.26.10

Release notes

Sourced from @​babel/runtime's releases.

v7.26.10 (2025-03-11)

Thanks @​jordan-choi and @​mmmsssttt404 for your first PRs!

This release includes a fix for GHSA-968p-4wvh-cqc8, a security vulnerability which affects the .replace method of transpiled regular expressions that use named capturing groups.

👓 Spec Compliance

🐛 Bug Fix

  • babel-parser, babel-template
  • babel-core
  • babel-parser, babel-plugin-transform-typescript
  • babel-traverse
  • babel-generator
  • babel-parser
  • babel-helpers, babel-runtime, babel-runtime-corejs2, babel-runtime-corejs3

💅 Polish

  • babel-standalone

🏠 Internal

Committers: 6

v7.26.9 (2025-02-14)

🐛 Bug Fix

... (truncated)

Changelog

Sourced from @​babel/runtime's changelog.

v7.26.10 (2025-03-11)

👓 Spec Compliance

🐛 Bug Fix

  • babel-parser, babel-template
  • babel-core
  • babel-parser, babel-plugin-transform-typescript
  • babel-traverse
  • babel-generator
  • babel-parser
  • babel-helpers, babel-runtime, babel-runtime-corejs2, babel-runtime-corejs3

💅 Polish

  • babel-standalone

🏠 Internal

v7.26.9 (2025-02-14)

🐛 Bug Fix

🏠 Internal

v7.26.7 (2025-01-24)

🐛 Bug Fix

  • babel-helpers, babel-preset-env, babel-runtime-corejs3
  • babel-plugin-transform-typeof-symbol

... (truncated)

Commits

Updates @babel/traverse from 7.5.5 to 7.28.4

Release notes

Sourced from @​babel/traverse's releases.

v7.28.4 (2025-09-05)

Thanks @​gwillen and @​mrginglymus for your first PRs!

🏠 Internal

Committers: 5

v7.28.3 (2025-08-14)

👓 Spec Compliance

  • babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env

🐛 Bug Fix

💅 Polish

  • babel-plugin-transform-regenerator, babel-plugin-transform-runtime

📝 Documentation

🏠 Internal

🔬 Output optimization

  • babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions

Committers: 5

... (truncated)

Changelog

Sourced from @​babel/traverse's changelog.

v7.28.4 (2025-09-05)

🏠 Internal

v7.28.3 (2025-08-14)

👓 Spec Compliance

  • babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env

🐛 Bug Fix

💅 Polish

  • babel-plugin-transform-regenerator, babel-plugin-transform-runtime

📝 Documentation

🏠 Internal

🔬 Output optimization

  • babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions

v7.28.2 (2025-07-24)

🐛 Bug Fix

  • babel-types
  • babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3

v7.28.1 (2025-07-12)

🐛 Bug Fix

  • babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator

📝 Documentation

... (truncated)

Commits

Updates ajv from 6.10.2 to 6.12.6

Release notes

Sourced from ajv's releases.

v6.12.6

Fix performance issue of "url" format.

v6.12.5

Fix uri scheme validation (@​ChALkeR). Fix boolean schemas with strictKeywords option (#1270)

v6.12.4

Fix: coercion of one-item arrays to scalar that should fail validation (failing example).

v6.12.3

Pass schema object to processCode function Option for strictNumbers (@​issacgerges, #1128) Fixed vulnerability related to untrusted schemas (CVE-2020-15366)

v6.12.2

Removed post-install script

v6.12.1

Docs and dependency updates

v6.12.0

Improved hostname validation (@​sambauers, #1143) Option keywords to add custom keywords (@​franciscomorais, #1137) Types fixes (@​boenrobot, @​MattiAstedrone) Docs:

v6.11.0

Time formats support two digit and colon-less variants of timezone offset (#1061 , @​cjpillsbury) Docs: RegExp related security considerations Tests: Disabled failing typescript test

Commits
  • fe59143 6.12.6
  • d580d3e Merge pull request #1298 from ajv-validator/fix-url
  • fd36389 fix: regular expression for "url" format
  • 490e34c docs: link to v7-beta branch
  • 9cd93a1 docs: note about v7 in readme
  • 877d286 Merge pull request #1262 from b4h0-c4t/refactor-opt-object-type
  • f1c8e45 6.12.5
  • 764035e Merge branch 'ChALkeR-chalker/fix-comma'
  • 3798160 Merge branch 'chalker/fix-comma' of git://github.com/ChALkeR/ajv into ChALkeR...
  • a3c7eba Merge branch 'refactor-opt-object-type' of github.com:b4h0-c4t/ajv into refac...
  • Additional commits viewable in compare view

Updates base-x from 3.0.6 to 3.0.11

Commits

Updates bl from 1.2.2 to 1.2.3

Commits

Updates browserify-sign from 4.0.4 to 4.2.5

Changelog

Sourced from browserify-sign's changelog.

v4.2.5 - 2025-09-24

Commits

  • [Tests] clean up tests and convert console info skips to tape skips 37b083c
  • [Fix] restore node 0.10 support faade86
  • [Deps] update parse-asn1 5a0f159
  • [actions] drop unsupported nodes from CI 106be97

v4.2.4 - 2025-09-22

Commits

  • [actions] split out node 10-20, and 20+ 17920d9
  • [meta] remove files field 6d5b280
  • [Deps] update bn.js, browserify-rsa, elliptic 31be0c2
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, semver, tape 5f66982
  • [Tests] replace aud with npm audit d44b24d
  • [Dev Deps] add missing peer dep ab975f4
  • [Deps] revert 9e2bf12, now that v3.1.1 is out 428cf7f

v4.2.3 - 2024-03-05

Commits

v4.2.2 - 2023-10-25

Fixed

Commits

  • Only apps should have lockfiles 09a8995
  • [eslint] switch to eslint 83fe463
  • [meta] add npmignore and auto-changelog 4418183
  • [meta] fix package.json indentation 9ac5a5e
  • [Tests] migrate from travis to github actions d845d85
  • [Fix] sign: throw on unsupported padding scheme 8767739
  • [Fix] properly check the upper bound for DSA signatures 85994cd
  • [Tests] handle openSSL not supporting a scheme f5f17c2

... (truncated)

Commits
  • d3a7458 v4.2.5
  • 37b083c [Tests] clean up tests and convert console info skips to tape skips
  • faade86 [Fix] restore node 0.10 support
  • 5a0f159 [Deps] update parse-asn1
  • 106be97 [actions] drop unsupported nodes from CI
  • 9c37172 v4.2.4
  • 6d5b280 [meta] remove files field
  • 17920d9 [actions] split out node 10-20, and 20+
  • 31be0c2 [Deps] update bn.js, browserify-rsa, elliptic
  • ab975f4 [Dev Deps] add missing peer dep
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by ljharb, a new releaser for browserify-sign since your current version.


Updates cached-path-relative from 1.0.2 to 1.1.0

Commits

Updates cipher-base from 1.0.4 to 1.0.7

Changelog

Sourced from cipher-base's changelog.

v1.0.7 - 2025-09-24

Commits

  • [Refactor] use to-buffer fd1e5ee
  • [Dev Deps] update @ljharb/eslint-config 08ba803

v1.0.6 - 2024-11-26

Commits

  • [Fix] io.js 3.0 - Node.js 5.3 typed array support b7ddd2a

v1.0.5 - 2024-11-17

Commits

  • [Tests] standard -> eslint, make test dir, etc ae02fd6
  • [Tests] migrate from travis to GHA 66387d7
  • [meta] fix package.json indentation 5c02918
  • [Fix] return valid values on multi-byte-wide TypedArray input 8fd1364
  • [meta] add auto-changelog 88dc806
  • [meta] add npmignore and safe-publish-latest 7a137d7
  • Only apps should have lockfiles 42528f2
  • [Deps] update inherits, safe-buffer 0e7a2d9
  • [meta] add missing engines.node f2dc13e
Commits
  • 0056718 v1.0.7
  • fd1e5ee [Refactor] use to-buffer
  • 08ba803 [Dev Deps] update @ljharb/eslint-config
  • f5249f9 v1.0.6
  • b7ddd2a [Fix] io.js 3.0 - Node.js 5.3 typed array support
  • f03cebf v1.0.5
  • 88dc806 [meta] add auto-changelog
  • 7a137d7 [meta] add npmignore and safe-publish-latest
  • 5c02918 [meta] fix package.json indentation
  • 8fd1364 [Fix] return valid values on multi-byte-wide TypedArray input
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by ljharb, a new releaser for cipher-base since your current version.


Updates copy-props from 2.0.4 to 2.0.5

Commits

Updates cross-fetch from 2.2.3 to 2.2.6

Commits

Updates decode-uri-component from 0.2.0 to 0.2.2

Release notes

Sourced from decode-uri-component's releases.

v0.2.2

  • Prevent overwriting previously decoded tokens 980e0bf

SamVerschueren/decode-uri-component@v0.2.1...v0.2.2

v0.2.1

  • Switch to GitHub workflows 76abc93
  • Fix issue where decode throws - fixes #6 746ca5d
  • Update license (#1) 486d7e2
  • Tidelift tasks a650457
  • Meta tweaks 66e1c28

SamVerschueren/decode-uri-component@v0.2.0...v0.2.1

Commits

Updates decompress from 4.2.0 to 4.2.1

Release notes

Sourced from decompress's releases.

v4.2.1

  • Prevent directory traversal (#73) 967146e

kevva/decompress@v4.2.0...v4.2.1

Commits

Updates express from 4.17.1 to 4.21.2

Release notes

Sourced from express's releases.

4.21.2

What's Changed

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

Full Changelog: expressjs/express@4.21.0...4.21.1

4.21.0

What's Changed

New Contributors

Full Changelog: expressjs/express@4.20.0...4.21.0

4.20.0

What's Changed

Important

  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
  • Remove link renderization in html while using res.redirect

Other Changes

... (truncated)

Changelog

Sourced from express's changelog.

4.21.2 / 2024-11-06

  • deps: path-to-regexp@0.1.12
    • Fix backtracking protection
  • deps: path-to-regexp@0.1.11
    • Throws an error on invalid path values

4.21.1 / 2024-10-08

4.21.0 / 2024-09-11

  • Deprecate res.location("back") and res.redirect("back") magic string
  • deps: serve-static@1.16.2
    • includes send@0.19.0
  • deps: finalhandler@1.3.1
  • deps: qs@6.13.0

4.20.0 / 2024-09-10

  • deps: serve-static@0.16.0
    • Remove link renderization in html while redirecting
  • deps: send@0.19.0
    • Remove link renderization in html while redirecting
  • deps: body-parser@0.6.0
    • add depth option to customize the depth level in the parser
    • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
  • Remove link renderization in html while using res.redirect
  • deps: path-to-regexp@0.1.10
    • Adds support for named matching groups in the routes using a regex
    • Adds backtracking protection to parameters without regexes defined
  • deps: encodeurl@~2.0.0
    • Removes encoding of \, |, and ^ to align better with URL spec
  • Deprecate passing options.maxAge and options.expires to res.clearCookie
    • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

4.19.2 / 2024-03-25

  • Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

  • Allow passing non-strings to res.location with new encoding handling checks

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for express since your current version.


Updates fsevents from 1.2.9 to 1.2.13

Release notes

Sourced from fsevents's releases.

Release v1.2.13

Only build on Mac-OSX

Release v1.2.11

Removing node-pre-gyp so that building fsevents becomes easier and enabled without the download of binaries.

The credentials to the AWS store have been lost. Releasing to AWS is both insecure and no longer possible due to the lost credentials.

Intermediate Release

No release notes provided.

Commits

@dependabot
Bump the npm_and_yarn group across 1 directory with 25 updates
d5d8a09 
Bumps the npm_and_yarn group with 24 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@babel/runtime](https://github.com/babel/babel/tree/HEAD/packages/babel-runtime) | `7.5.5` | `7.26.10` |
| [@babel/traverse](https://github.com/babel/babel/tree/HEAD/packages/babel-traverse) | `7.5.5` | `7.28.4` |
| [ajv](https://github.com/ajv-validator/ajv) | `6.10.2` | `6.12.6` |
| [base-x](https://github.com/cryptocoinjs/base-x) | `3.0.6` | `3.0.11` |
| [bl](https://github.com/rvagg/bl) | `1.2.2` | `1.2.3` |
| [browserify-sign](https://github.com/crypto-browserify/browserify-sign) | `4.0.4` | `4.2.5` |
| [cached-path-relative](https://github.com/ashaffer/cached-path-relative) | `1.0.2` | `1.1.0` |
| [cipher-base](https://github.com/crypto-browserify/cipher-base) | `1.0.4` | `1.0.7` |
| [copy-props](https://github.com/gulpjs/copy-prop) | `2.0.4` | `2.0.5` |
| [cross-fetch](https://github.com/lquixada/cross-fetch) | `2.2.3` | `2.2.6` |
| [decode-uri-component](https://github.com/SamVerschueren/decode-uri-component) | `0.2.0` | `0.2.2` |
| [decompress](https://github.com/kevva/decompress) | `4.2.0` | `4.2.1` |
| [express](https://github.com/expressjs/express) | `4.17.1` | `4.21.2` |
| [fsevents](https://github.com/fsevents/fsevents) | `1.2.9` | `1.2.13` |
| [ini](https://github.com/npm/ini) | `1.3.5` | `1.3.8` |
| [minimist](https://github.com/minimistjs/minimist) | `1.2.5` | `1.2.8` |
| [path-parse](https://github.com/jbgutierrez/path-parse) | `1.0.6` | `1.0.7` |
| [qs](https://github.com/ljharb/qs) | `6.5.2` | `6.5.3` |
| [secp256k1](https://github.com/cryptocoinjs/secp256k1-node) | `3.7.1` | `3.8.1` |
| [sha.js](https://github.com/crypto-browserify/sha.js) | `2.4.11` | `2.4.12` |
| [shell-quote](https://github.com/ljharb/shell-quote) | `1.7.1` | `1.8.3` |
| [simple-get](https://github.com/feross/simple-get) | `2.8.1` | `2.8.2` |
| [y18n](https://github.com/yargs/y18n) | `3.2.1` | `3.2.2` |
| [yargs-parser](https://github.com/yargs/yargs-parser) | `5.0.0` | `5.0.1` |



Updates `@babel/runtime` from 7.5.5 to 7.26.10
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.26.10/packages/babel-runtime)

Updates `@babel/traverse` from 7.5.5 to 7.28.4
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.28.4/packages/babel-traverse)

Updates `ajv` from 6.10.2 to 6.12.6
- [Release notes](https://github.com/ajv-validator/ajv/releases)
- [Commits](ajv-validator/ajv@v6.10.2...v6.12.6)

Updates `base-x` from 3.0.6 to 3.0.11
- [Commits](cryptocoinjs/base-x@v3.0.6...v3.0.11)

Updates `bl` from 1.2.2 to 1.2.3
- [Release notes](https://github.com/rvagg/bl/releases)
- [Changelog](https://github.com/rvagg/bl/blob/master/CHANGELOG.md)
- [Commits](rvagg/bl@v1.2.2...v1.2.3)

Updates `browserify-sign` from 4.0.4 to 4.2.5
- [Changelog](https://github.com/browserify/browserify-sign/blob/main/CHANGELOG.md)
- [Commits](browserify/browserify-sign@v4.0.4...v4.2.5)

Updates `cached-path-relative` from 1.0.2 to 1.1.0
- [Commits](https://github.com/ashaffer/cached-path-relative/commits)

Updates `cipher-base` from 1.0.4 to 1.0.7
- [Changelog](https://github.com/browserify/cipher-base/blob/master/CHANGELOG.md)
- [Commits](browserify/cipher-base@v1.0.4...v1.0.7)

Updates `copy-props` from 2.0.4 to 2.0.5
- [Commits](https://github.com/gulpjs/copy-prop/commits)

Updates `cross-fetch` from 2.2.3 to 2.2.6
- [Release notes](https://github.com/lquixada/cross-fetch/releases)
- [Changelog](https://github.com/lquixada/cross-fetch/blob/v4.x/CHANGELOG.md)
- [Commits](lquixada/cross-fetch@v2.2.3...v2.2.6)

Updates `decode-uri-component` from 0.2.0 to 0.2.2
- [Release notes](https://github.com/SamVerschueren/decode-uri-component/releases)
- [Commits](SamVerschueren/decode-uri-component@v0.2.0...v0.2.2)

Updates `decompress` from 4.2.0 to 4.2.1
- [Release notes](https://github.com/kevva/decompress/releases)
- [Commits](kevva/decompress@v4.2.0...v4.2.1)

Updates `express` from 4.17.1 to 4.21.2
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/4.21.2/History.md)
- [Commits](expressjs/express@4.17.1...4.21.2)

Updates `fsevents` from 1.2.9 to 1.2.13
- [Release notes](https://github.com/fsevents/fsevents/releases)
- [Commits](fsevents/fsevents@v1.2.9...v1.2.13)

Updates `ini` from 1.3.5 to 1.3.8
- [Release notes](https://github.com/npm/ini/releases)
- [Changelog](https://github.com/npm/ini/blob/main/CHANGELOG.md)
- [Commits](npm/ini@v1.3.5...v1.3.8)

Updates `minimist` from 1.2.5 to 1.2.8
- [Changelog](https://github.com/minimistjs/minimist/blob/main/CHANGELOG.md)
- [Commits](minimistjs/minimist@v1.2.5...v1.2.8)

Updates `path-parse` from 1.0.6 to 1.0.7
- [Commits](https://github.com/jbgutierrez/path-parse/commits/v1.0.7)

Updates `qs` from 6.5.2 to 6.5.3
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.5.2...v6.5.3)

Updates `secp256k1` from 3.7.1 to 3.8.1
- [Release notes](https://github.com/cryptocoinjs/secp256k1-node/releases)
- [Commits](cryptocoinjs/secp256k1-node@v3.7.1...v3.8.1)

Updates `sha.js` from 2.4.11 to 2.4.12
- [Changelog](https://github.com/browserify/sha.js/blob/master/CHANGELOG.md)
- [Commits](browserify/sha.js@v2.4.11...v2.4.12)

Updates `shell-quote` from 1.7.1 to 1.8.3
- [Changelog](https://github.com/ljharb/shell-quote/blob/main/CHANGELOG.md)
- [Commits](ljharb/shell-quote@v1.7.1...v1.8.3)

Updates `simple-get` from 2.8.1 to 2.8.2
- [Commits](feross/simple-get@v2.8.1...v2.8.2)

Updates `tar` from 4.4.8 to 4.4.10
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v4.4.8...v4.4.10)

Updates `y18n` from 3.2.1 to 3.2.2
- [Release notes](https://github.com/yargs/y18n/releases)
- [Changelog](https://github.com/yargs/y18n/blob/master/CHANGELOG.md)
- [Commits](https://github.com/yargs/y18n/commits)

Updates `yargs-parser` from 5.0.0 to 5.0.1
- [Release notes](https://github.com/yargs/yargs-parser/releases)
- [Changelog](https://github.com/yargs/yargs-parser/blob/v5.0.1/CHANGELOG.md)
- [Commits](yargs/yargs-parser@v5.0.0...v5.0.1)

---
updated-dependencies:
- dependency-name: "@babel/runtime"
  dependency-version: 7.26.10
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@babel/traverse"
  dependency-version: 7.28.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ajv
  dependency-version: 6.12.6
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: base-x
  dependency-version: 3.0.11
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: bl
  dependency-version: 1.2.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: browserify-sign
  dependency-version: 4.2.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: cached-path-relative
  dependency-version: 1.1.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: cipher-base
  dependency-version: 1.0.7
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: copy-props
  dependency-version: 2.0.5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: cross-fetch
  dependency-version: 2.2.6
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: decode-uri-component
  dependency-version: 0.2.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: decompress
  dependency-version: 4.2.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: express
  dependency-version: 4.21.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: fsevents
  dependency-version: 1.2.13
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ini
  dependency-version: 1.3.8
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: minimist
  dependency-version: 1.2.8
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: path-parse
  dependency-version: 1.0.7
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: qs
  dependency-version: 6.5.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: secp256k1
  dependency-version: 3.8.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: sha.js
  dependency-version: 2.4.12
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: shell-quote
  dependency-version: 1.8.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: simple-get
  dependency-version: 2.8.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tar
  dependency-version: 4.4.10
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: y18n
  dependency-version: 3.2.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: yargs-parser
  dependency-version: 5.0.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Sep 30, 2025
This was referenced Sep 30, 2025
Closed
Closed
Closed
Closed
Closed
@socket-security
Copy link
Copy Markdown

socket-security bot commented Sep 30, 2025

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addedhasown@​2.0.2671007253100
Updatedtar@​4.4.8 ⏵ 4.4.1099 +150100 +189100
Addedhas-tostringtag@​1.0.2671008252100
Addedhas-property-descriptors@​1.0.2671008052100
Addedset-function-length@​1.2.2661008552100
Addedavailable-typed-arrays@​1.0.7671008452100
Updatedpath-parse@​1.0.6 ⏵ 1.0.767100 +479 -152100
Addedes-define-property@​1.0.1671008252100
Addedtyped-array-buffer@​1.0.3671007852100
Addedgopd@​1.2.0671007853100
Addedside-channel@​1.1.0661008752100
Updatedfor-each@​0.3.3 ⏵ 0.3.567 +11008054100
Addedwhich-typed-array@​1.1.19661009154100
Addedis-typed-array@​1.1.15661009054100
Addedgenerator-function@​2.0.0621008186100
Addedtr46@​0.0.31001006589100
Addedbrowserify-rsa@​4.1.11001006683100
Addedasync-generator-function@​1.0.0701008378100
Addedparse-asn1@​5.1.91001007192100
Addedpicocolors@​1.1.11001007378100
Updatedbrowserify-sign@​4.0.4 ⏵ 4.2.599100 +1573 +192100
Added@​babel/​helper-validator-identifier@​7.27.11001007391100
Addedsetprototypeof@​1.2.01001007377100
Added@​babel/​helper-string-parser@​7.27.11001007491100
Added@​babel/​helper-globals@​7.28.01001007688100
Updatedcached-path-relative@​1.0.2 ⏵ 1.1.0100100 +157877100
Updatedpath-to-regexp@​0.1.7 ⏵ 0.1.12100 +1100 +2277 +189100
Updateddecode-uri-component@​0.2.0 ⏵ 0.2.2100100 +1594 +577100
Updatedmerge-descriptors@​1.0.1 ⏵ 1.0.310010081 +177100
Addedes-errors@​1.3.01001008577100
Addeddefine-data-property@​1.1.41001009177100
Updatedfast-deep-equal@​2.0.1 ⏵ 3.1.3100 +110099 +1678100
Added@​jridgewell/​resolve-uri@​3.1.21001008278100
See 54 more rows in the dashboard

View full report

@socket-security
Copy link
Copy Markdown

socket-security bot commented Sep 30, 2025

Caution

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action Severity Alert  (click "▶" to expand/collapse)
Block High
generator-function@2.0.0 has Unstable ownership.

Author: ljharb

From: yarn.locknpm/generator-function@2.0.0

ℹ Read more on: This package | This alert | What is unstable ownership?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/generator-function@2.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block High
ripemd160@2.0.3 has Unstable ownership.

Author: ljharb

From: yarn.locknpm/parse-asn1@5.1.9npm/ripemd160@2.0.3

ℹ Read more on: This package | This alert | What is unstable ownership?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ripemd160@2.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
async-function@1.0.0 has a New author.

New Author: ljharb

Previous Author: eduardorfs

From: yarn.locknpm/async-function@1.0.0

ℹ Read more on: This package | This alert | What is new author?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/async-function@1.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
body-parser@1.20.3 has a New author.

New Author: ulisesgascon

Previous Author: dougwilson

From: yarn.locknpm/express@4.21.2npm/body-parser@1.20.3

ℹ Read more on: This package | This alert | What is new author?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/body-parser@1.20.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
browserify-rsa@4.1.1 has a New author.

New Author: ljharb

Previous Author: cwmma

From: yarn.locknpm/browserify-rsa@4.1.1

ℹ Read more on: This package | This alert | What is new author?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/browserify-rsa@4.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
encodeurl@2.0.0 has a New author.

New Author: blakeembrey

Previous Author: dougwilson

From: yarn.locknpm/encodeurl@2.0.0

ℹ Read more on: This package | This alert | What is new author?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/encodeurl@2.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
express@4.21.2 has a New author.

New Author: jonchurch

Previous Author: ulisesgascon

From: yarn.locknpm/express@4.21.2

ℹ Read more on: This package | This alert | What is new author?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/express@4.21.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
generator-function@2.0.0 has a New author.

New Author: ljharb

Previous Author: timothygu

From: yarn.locknpm/generator-function@2.0.0

ℹ Read more on: This package | This alert | What is new author?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/generator-function@2.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
ripemd160@2.0.3 has a New author.

New Author: ljharb

Previous Author: dcousens

From: yarn.locknpm/parse-asn1@5.1.9npm/ripemd160@2.0.3

ℹ Read more on: This package | This alert | What is new author?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ripemd160@2.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
send@0.19.0 has a New author.

New Author: ulisesgascon

Previous Author: wesleytodd

From: yarn.locknpm/send@0.19.0

ℹ Read more on: This package | This alert | What is new author?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/send@0.19.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
sha.js@2.4.12 has a New author.

New Author: ljharb

Previous Author: dcousens

From: yarn.locknpm/create-hash@1.2.0npm/sha.js@2.4.12

ℹ Read more on: This package | This alert | What is new author?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/sha.js@2.4.12. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
fsevents@1.2.13 has Install scripts.

Install script: install

Source: node install.js

From: yarn.locknpm/fsevents@1.2.13

ℹ Read more on: This package | This alert | What is an install script?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fsevents@1.2.13. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants