Skip to content

chore(deps): bump the npm_and_yarn group across 1 directory with 7 updates#2986

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-41b64d3343
Open

chore(deps): bump the npm_and_yarn group across 1 directory with 7 updates#2986
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-41b64d3343

chore(deps): bump the npm_and_yarn group across 1 directory with 7 up…

79e1a31
Select commit
Loading
Failed to load commit list.
Socket Security / Socket Security: Pull Request Alerts failed Jul 15, 2026 in 27s

Pull Request #2986 Alerts: Complete with warnings

Report Status Message
PR #2986 Alerts ⚠️ Found 4 project alerts

Pull request alerts notify when new issues are detected between the diff of the pull request and it's target branch.

Details

Caution

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action Severity Alert  (click "▶" to expand/collapse)
Block High
Obfuscated code: npm mermaid is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.jsonnpm/@docusaurus/theme-mermaid@3.10.1npm/@mermaid-js/layout-elk@0.1.9npm/mermaid@11.16.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/mermaid@11.16.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Publisher changed: npm http-errors is now published by ulisesgascon instead of dougwilson

New Author: ulisesgascon

Previous Author: dougwilson

From: package-lock.jsonnpm/@docusaurus/core@3.10.1npm/http-errors@2.0.1

ℹ Read more on: This package | This alert | What is new author?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/http-errors@2.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Publisher changed: npm statuses is now published by ulisesgascon instead of dougwilson

New Author: ulisesgascon

Previous Author: dougwilson

From: package-lock.jsonnpm/@docusaurus/core@3.10.1npm/statuses@2.0.2

ℹ Read more on: This package | This alert | What is new author?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/statuses@2.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm mermaid is 62.0% likely to have a medium risk anomaly

Notes: No direct evidence of overt malware (network exfiltration, credential theft, filesystem/process actions) is present in the provided fragment. The main supply-chain/security concern is the presence of direct dynamic code execution via (0,eval)(e) and dynamic global access via Function('return this')(), plus heavy dynamic RegExp compilation/execution that can amplify availability risks when patterns are untrusted. Malware intent cannot be confirmed from this excerpt, but the eval primitive should be treated as high priority for audit and for verifying whether attacker-controlled data can reach jd()/eval at runtime.

Confidence: 0.62

Severity: 0.58

From: package-lock.jsonnpm/@docusaurus/theme-mermaid@3.10.1npm/@mermaid-js/layout-elk@0.1.9npm/mermaid@11.16.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/mermaid@11.16.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report