Skip to content

chore: Bump ses from 2.1.0 to 2.2.0#4037

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/main/ses-2.2.0
Open

chore: Bump ses from 2.1.0 to 2.2.0#4037
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/main/ses-2.2.0

chore: Bump ses from 2.1.0 to 2.2.0

5512664
Select commit
Loading
Failed to load commit list.
Socket Security / Socket Security: Pull Request Alerts failed Jul 13, 2026 in 43s

Pull Request #4037 Alerts: Complete with warnings

Report Status Message
PR #4037 Alerts ⚠️ Found 4 project alerts

Pull request alerts notify when new issues are detected between the diff of the pull request and it's target branch.

Details

Caution

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action Severity Alert  (click "▶" to expand/collapse)
Block High
Publisher changed: npm ses is now published by kriscendobot

Author: kriscendobot

From: packages/snaps-execution-environments/package.jsonnpm/ses@2.2.0

ℹ Read more on: This package | This alert | What is unstable ownership?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ses@2.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Potential security risk (AI signal): npm ses is 70.0% likely risky

Notes: This module is a dynamic evaluator generator that ultimately performs eval(arguments[0]) on caller-supplied code, after dynamically generating and injecting destructuring bindings into a nested with(...) scope environment. While it does not itself show exfiltration/persistence behavior, it creates a high-impact arbitrary code execution primitive, which becomes a serious security risk if any attacker-controlled data reaches arguments[0] or the scope/context objects.

Confidence: 0.70

Severity: 0.80

From: packages/snaps-execution-environments/package.jsonnpm/ses@2.2.0

ℹ Read more on: This package | This alert | What are AI-detected potential security risks?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system identified potential security problems in this package. It is advised to review the package thoroughly and assess the potential risks before installation. You may also consider reporting the issue to the package maintainer or seeking alternative solutions with a stronger security posture.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ses@2.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Publisher changed: npm ses is now published by kriscendobot instead of boneskull

New Author: kriscendobot

Previous Author: boneskull

From: packages/snaps-execution-environments/package.jsonnpm/ses@2.2.0

ℹ Read more on: This package | This alert | What is new author?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ses@2.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm ses is 70.0% likely to have a medium risk anomaly

Notes: The file package/dist/ses.umd.min.js contains an SES/Compartment-based module loader/runtime fragment that uses dynamic evaluation and can modify global intrinsics. While heavily obfuscated, there is no evidence of malware behavior such as data exfiltration or backdoors; the behavior aligns with sandbox hardening rather than active exploitation.

Confidence: 0.70

Severity: 0.35

From: packages/snaps-execution-environments/package.jsonnpm/ses@2.2.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ses@2.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report