
chore(deps): update dependency selenium-webdriver to v4.0.0 - autoclosed#10951

Closed
mend-for-github-com[bot] wants to merge 1 commit into
mainfrom
whitesource-remediate/selenium-webdriver-4.x-lockfile
Closed

Conversation


@mend-for-github-com mend-for-github-com Bot commented Nov 21, 2025


This PR contains the following updates:

Package | Type | Update | Change
selenium-webdriver (source) | devDependencies | patch | 4.0.0-alpha.7 -> 4.0.0

By merging this PR, the below issues will be automatically resolved and closed:

Severity | CVSS Score | Vulnerability | GitHub Issue
Low | 2.5 | CVE-2025-54798 | #10376


@github-actions


PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit 37e8f47.

Path | Line | Severity | Description
yarn.lock | 21681 | low | selenium-webdriver jumps from 4.0.0-alpha.7 to 4.41.0 — a very large version gap — and introduces two new runtime dependencies: @bazel/runfiles and ws (WebSocket). While both are plausible for the WebDriver BiDi protocol, the magnitude of the update and the addition of a WebSocket library warrant manual verification that the resolved package hash matches the official selenium-webdriver 4.41.0 release on npm.
yarn.lock | 2640 | low | @bazel/runfiles@6.5.0 is newly introduced as a transitive dependency of selenium-webdriver. The package is legitimate (Google/Bazel ecosystem), but it is unusual to see a Bazel runtime helper in a browser-dashboard project. Confirm this is truly required at runtime and was not injected as a dependency-confusion or phantom-package attempt.

The table above displays the top 10 most important findings.

Total: 2 | Critical: 0 | High: 0 | Medium: 0 | Low: 2


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@github-actions


❌ Invalid Changelog Heading

The '## Changelog' heading in your PR description is either missing or malformed. Please make sure that your PR description includes a '## Changelog' heading with proper spelling, capitalization, spacing, and Markdown syntax.

@github-actions


PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit e6271b8.

Path | Line | Severity | Description
yarn.lock | 2644 | high | @bazel/runfiles@6.5.0 is added as a runtime dependency of selenium-webdriver. This is a Bazel build system tool with no legitimate purpose as a runtime dependency in a browser automation library. The real selenium-webdriver does not list @bazel/runfiles in its known dependency tree. This pattern is consistent with a supply chain attack where a tampered or malicious package version introduces an unexpected dependency that may contain or execute malicious code at install/runtime.
yarn.lock | 21683 | medium | selenium-webdriver jumps from 4.0.0-alpha.7 to 4.41.0 — an unusually large version leap. The real selenium-webdriver should be verified against the official npm registry; a malicious actor could publish a high version number to shadow or supersede legitimate versions. The integrity hash (sha512-1XxuK...) should be cross-checked against registry.npmjs.com to confirm authenticity.
yarn.lock | 21687 | low | ws@^8.19.0 (WebSocket library) is newly added as a transitive dependency via selenium-webdriver. While selenium-webdriver legitimately uses WebSocket for Chrome DevTools Protocol communication, combined with the suspicious @bazel/runfiles addition, this introduces a full bidirectional network communication channel whose legitimacy depends on confirming the selenium-webdriver package is untampered.

The table above displays the top 10 most important findings.

Total: 3 | Critical: 0 | High: 1 | Medium: 1 | Low: 1


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@github-actions


PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit 4b33d60.

Path | Line | Severity | Description
yarn.lock | 21684 | medium | selenium-webdriver jumped from 4.0.0-alpha.7 to 4.41.0 — an unusually large version leap. As of early 2026, stable selenium-webdriver versions were in the 4.16–4.18 range; version 4.41.0 does not appear to exist on the public npm registry and the resolved tgz hash cannot be independently verified without registry access. This pattern is consistent with a supply chain substitution attack where a malicious version is published to match a lockfile entry.
yarn.lock | 21690 | low | ws@^8.19.0 is introduced as a new transitive dependency of selenium-webdriver. While plausible for WebDriver BiDi protocol support, adding a WebSocket library without explicit documentation in the PR increases the potential attack surface for covert communication channels if the parent package (selenium-webdriver 4.41.0) is itself malicious.
yarn.lock | 2643 | low | @bazel/runfiles@^6.5.0 is added as a new transitive dependency of selenium-webdriver. This package is not a typical runtime dependency for a browser automation library and its inclusion without explanation is anomalous. It is a legitimate Google/Bazel package, but its necessity here warrants confirmation from the selenium-webdriver 4.41.0 release notes.
yarn.lock | 20680 | low | The readable-stream@~2.3.6 resolution specifier was moved from the 2.3.7 entry to the 2.3.8 entry, silently upgrading the resolved version for any consumer depending on that range. On its own this is benign (2.3.8 is a legitimate patch release), but combined with other changes in this diff it is worth noting as an unexpected lockfile manipulation.

The table above displays the top 10 most important findings.

Total: 4 | Critical: 0 | High: 0 | Medium: 1 | Low: 3


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@github-actions


PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit e3f7fc6.

Path | Line | Severity | Description
yarn.lock | 14968 | medium | Integrity hashes for 'immediate' and 'isarray' changed from sha1 to sha512 without a version bump. While sha1 deprecation is legitimate, unexplained hash-only changes to existing locked packages can indicate tampering with package integrity verification.
yarn.lock | 21684 | low | selenium-webdriver jumped from 4.0.0-alpha.7 to 4.41.0, adding '@bazel/runfiles' and 'ws' (WebSocket) as new transitive dependencies. The ws WebSocket library adds network communication capability. This appears to be a legitimate upstream version upgrade, but the new WebSocket dependency warrants verification that it is only used for WebDriver protocol communication.

The table above displays the top 10 most important findings.

Total: 2 | Critical: 0 | High: 0 | Medium: 1 | Low: 1


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@github-actions


PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit 3ab0a8a.

Path | Line | Severity | Description
yarn.lock | 14972 | medium | Integrity hashes for 'immediate@3.0.6' and 'isarray@1.0.0' changed from SHA1 to SHA512 while resolved URLs and versions remain identical. Unverified hash replacement is a known supply-chain vector; the new SHA512 values should be independently verified against the npm registry to confirm they match the original tarballs.
yarn.lock | 2644 | low | @bazel/runfiles@6.5.0 added as a new runtime dependency via selenium-webdriver upgrade. Bazel is a build-system tool; its inclusion as a runtime dependency is atypical and increases attack surface. Should be confirmed as legitimate for selenium-webdriver 4.41.0.
yarn.lock | 21690 | low | selenium-webdriver jumped from 4.0.0-alpha.7 to 4.41.0, introducing multiple new transitive dependencies including @bazel/runfiles and ws@^8.19.0. The large version gap and new dependency tree should be reviewed against official release notes.

The table above displays the top 10 most important findings.

Total: 3 | Critical: 0 | High: 0 | Medium: 1 | Low: 2


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@github-actions


PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit 5a8fd98.

Path | Line | Severity | Description
yarn.lock | 21686 | low | selenium-webdriver jumps from 4.0.0-alpha.7 to 4.41.0, a very large version gap that introduces new runtime dependencies including ws (WebSocket) and @bazel/runfiles not present before. While likely a legitimate upgrade, the expanded attack surface warrants verifying these dependencies match the official selenium-webdriver 4.41.0 manifest.
yarn.lock | 2643 | low | @bazel/runfiles is added as a runtime dependency via selenium-webdriver. Bazel is normally a build-time tool; its inclusion as a resolved runtime package is atypical and worth confirming against the official selenium-webdriver 4.41.0 package.json to rule out a tampered dependency tree.

The table above displays the top 10 most important findings.

Total: 2 | Critical: 0 | High: 0 | Medium: 0 | Low: 2


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@github-actions


PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit 2d45bd7.

Path | Line | Severity | Description
yarn.lock | 14972 | medium | Integrity hash for `immediate@3.0.6` changed from sha1 to sha512 without a version change. Old stable packages like this do not get republished; a manual hash substitution here is a known supply chain attack vector where a malicious tarball is swapped in and a new hash computed to match.
yarn.lock | 15795 | medium | Integrity hash for `isarray@1.0.0` changed from sha1 to sha512 without a version change. Same concern as `immediate`: this long-frozen package should never have its hash change unless the lock file was fully regenerated, which is not consistent with the rest of the diff being a targeted selenium-webdriver upgrade.
yarn.lock | 2643 | low | New package `@bazel/runfiles@6.5.0` added as a transitive dependency of the upgraded selenium-webdriver. Bazel tooling is unusual in a browser-testing dependency; verify this is genuinely required by selenium-webdriver 4.41.0 on the official npm registry and that the resolved hash matches.
yarn.lock | 21686 | low | selenium-webdriver updated from alpha.7 to 4.41.0 adds `ws@^8.19.0`, a WebSocket client/server library, as a new direct dependency. While legitimate for newer selenium versions, any new network-capable dependency in a test framework should be confirmed against the official release notes.

The table above displays the top 10 most important findings.

Total: 4 | Critical: 0 | High: 0 | Medium: 2 | Low: 2


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@github-actions


PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit 3d0b87c.

Path | Line | Severity | Description
yarn.lock | 21683 | low | selenium-webdriver jumped from 4.0.0-alpha.7 to 4.41.0 — a massive version leap that rewrites the dependency tree. While likely a legitimate upgrade, the large surface change (removing rimraf, adding @bazel/runfiles and ws) warrants verifying the resolved hash against the official npm registry to rule out a substituted package.
yarn.lock | 21686 | low | ws@^8.19.0 is introduced as a new transitive dependency of selenium-webdriver. WebSocket libraries can be abused for covert channels; however, this is consistent with selenium-webdriver 4.x using the WebDriver BiDi protocol and is likely legitimate.
yarn.lock | 2643 | low | @bazel/runfiles@6.5.0 is a new transitive dependency pulled in by selenium-webdriver. It is an unusual runtime dependency for a test-driver package (it is normally a build-tool concern). The package appears legitimate (published by the Bazel org), but the integrity hash should be confirmed against the npm registry.

The table above displays the top 10 most important findings.

Total: 3 | Critical: 0 | High: 0 | Medium: 0 | Low: 3


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@github-actions


PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit 24b4ebd.

Path | Line | Severity | Description
yarn.lock | 14972 | low | Integrity hash for 'immediate@3.0.6' changed from SHA1 to SHA512 format. While SHA1→SHA512 migration is a legitimate improvement, hash replacements in lock files can mask package substitution if the resolved URL were also changed. URL is unchanged here, so this is likely benign.
yarn.lock | 15795 | low | Integrity hash for 'isarray@1.0.0' changed from SHA1 to SHA512. Same pattern as above — likely a legitimate hash format upgrade, but warrants confirmation that the new hash matches the canonical package.
yarn.lock | 2643 | low | '@bazel/runfiles@^6.5.0' is a new dependency introduced via the selenium-webdriver upgrade. It is a Bazel build system helper with file system access capabilities. New transitive dependencies expand the attack surface and should be verified against the official package.
yarn.lock | 21690 | low | selenium-webdriver jumped from 4.0.0-alpha.7 to 4.41.0 and now brings in 'ws@^8.19.0' (WebSocket library) as a new dependency. WebSocket libraries add network communication capability; the addition is expected for a WebDriver upgrade but increases the dependency footprint.

The table above displays the top 10 most important findings.

Total: 4 | Critical: 0 | High: 0 | Medium: 0 | Low: 4


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@github-actions


PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit 7f76de1.

Path | Line | Severity | Description
yarn.lock | 14972 | medium | immediate@3.0.6: integrity hash changed from sha1 to sha512 without a version bump. While sha1→sha512 migration is a known npm pattern, changing a hash without changing the version could indicate a tampered package if the sha512 does not correspond to the original tarball. Should be verified against the npm registry.
yarn.lock | 15795 | medium | isarray@1.0.0: integrity hash changed from sha1 to sha512 without a version bump. Same concern as above — the new sha512 hash should be verified to confirm it corresponds to the published package at registry.yarnpkg.com, not a substituted payload.
yarn.lock | 2643 | low | New dependency @bazel/runfiles@6.5.0 introduced as a transitive dependency of selenium-webdriver 4.41.0. While this is a legitimate Google Bazel package, it is an unusual runtime dependency for a browser automation library and its necessity in a non-Bazel build environment should be confirmed.
yarn.lock | 21686 | low | selenium-webdriver jumped from 4.0.0-alpha.7 to 4.41.0 — a very large version gap that replaces rimraf, tmp@0.0.30, and jszip@3.2.2 with new versions and adds @bazel/runfiles and ws@^8.19.0. The scope of new transitive dependencies warrants review to ensure no unexpected network behavior is introduced.
yarn.lock | 21693 | low | ws@^8.19.0 is implicitly added as a new transitive dependency through selenium-webdriver 4.41.0. WebSocket libraries are capable of establishing persistent outbound connections; confirm this dependency is expected and that the version resolving in the lock file matches the published package.

The table above displays the top 10 most important findings.

Total: 5 | Critical: 0 | High: 0 | Medium: 2 | Low: 3


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@github-actions


PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit 003250e.

Path | Line | Severity | Description
yarn.lock | 21686 | medium | selenium-webdriver upgraded from 4.0.0-alpha.7 to 4.41.0, a very large version jump that simultaneously swaps multiple dependencies (removes rimraf, adds @bazel/runfiles and ws). While each change may be legitimate, the combination introduces several new transitive dependencies in a single lockfile change, broadening the supply chain surface.
yarn.lock | 14972 | low | immediate@3.0.6 has its integrity hash changed from SHA1 (sha1-nbHb0Pr43m++) to SHA512 without any version or resolved-URL change. While yarn legitimately migrates to stronger hashes, a hash swap on the same version/URL warrants verification that the published tarball content is unchanged.
yarn.lock | 15795 | low | isarray@1.0.0 has its integrity hash changed from SHA1 to SHA512 with the same version and resolved URL — same observation as above; low risk but worth confirming against the registry.
yarn.lock | 2643 | low | @bazel/runfiles@6.5.0 is a new indirect dependency pulled in by selenium-webdriver. Bazel's runfiles helper is unrelated to browser automation; its presence is unexpected for a Selenium driver and should be confirmed as an intentional upstream selenium-webdriver 4.41.0 dependency rather than an injected package.

The table above displays the top 10 most important findings.

Total: 4 | Critical: 0 | High: 0 | Medium: 1 | Low: 3


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@github-actions


PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit 83a6011.

Path | Line | Severity | Description
yarn.lock | 2643 | medium | @bazel/runfiles is a Bazel build-system runtime helper and has no legitimate reason to be a runtime dependency of selenium-webdriver. Its presence as a declared dependency of selenium-webdriver 4.41.0 is anomalous: if the resolved package on the registry actually lists this dependency, it may indicate a tampered or typosquatted version of selenium-webdriver. Verify the integrity hash and the actual published package manifest on the npm registry.
yarn.lock | 21686 | low | selenium-webdriver jumps from 4.0.0-alpha.7 to 4.41.0, an unusually large version increment. While plausible given the current date (March 2026), the version should be verified against the official npm registry to confirm it is a genuine published release and not a phantom version pointing to a malicious tarball.

The table above displays the top 10 most important findings.

Total: 2 | Critical: 0 | High: 0 | Medium: 1 | Low: 1


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@github-actions


PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit ef5e53f.

Path | Line | Severity | Description
yarn.lock | 14972 | low | Integrity hash for `immediate@3.0.6` changed from SHA1 to SHA512 without a version bump. While SHA1→SHA512 migration is a legitimate yarn behavior, the new hash should be verified against the npm registry to confirm it corresponds to the expected package tarball.
yarn.lock | 15795 | low | Integrity hash for `isarray@1.0.0` changed from SHA1 to SHA512 without a version bump. Same concern as above — the resolved URL is unchanged but the hash should be cross-checked against the registry to rule out a tampered tarball.
yarn.lock | 2643 | low | New package `@bazel/runfiles@6.5.0` introduced as a transitive dependency of the heavily upgraded `selenium-webdriver` (4.0.0-alpha.7 → 4.41.0). The package is from the legitimate `@bazel` npm scope and the upgrade is plausible, but the dramatic version jump and new dependency surface area warrant confirming this upgrade was intentional and that the resolved hash matches the registry.

The table above displays the top 10 most important findings.

Total: 3 | Critical: 0 | High: 0 | Medium: 0 | Low: 3


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@github-actions


PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit 3c154b8.

Path | Line | Severity | Description
yarn.lock | 14972 | medium | Integrity hash for 'immediate@3.0.6' changed from sha1 to sha512 without a version or resolved URL change. While sha1→sha512 migration is standard practice, changing the hash for an already-pinned package without bumping its version could mask a substituted/tampered package. Should be verified against the official registry.
yarn.lock | 15795 | medium | Integrity hash for 'isarray@1.0.0' changed from sha1 to sha512 without a version or resolved URL change. Same concern as above — the package identity is unchanged but the cryptographic attestation was swapped. Warrants independent verification.
yarn.lock | 21686 | low | '@bazel/runfiles@^6.5.0' added as a runtime dependency of selenium-webdriver@4.41.0. This package is a Bazel build-system helper for resolving in-sandbox data paths and is atypical as a runtime npm dependency for a browser automation tool. Worth confirming this is present in the official selenium-webdriver 4.41.0 manifest on the npm registry.

The table above displays the top 10 most important findings.

Total: 3 | Critical: 0 | High: 0 | Medium: 1 | Low: 2


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@github-actions


PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit 084806b.

Path | Line | Severity | Description
yarn.lock | 21683 | medium | selenium-webdriver upgraded from 4.0.0-alpha.7 to 4.41.0 — an extremely large version jump that also replaces multiple dependencies (rimraf removed, @bazel/runfiles and ws added, tmp and jszip changed). While likely a legitimate upgrade, the scope of change warrants verification that the resolved package hashes match the official npm registry.
yarn.lock | 2640 | medium | New package @bazel/runfiles@6.5.0 introduced as a transitive dependency of selenium-webdriver. This is a Bazel build tooling package that is atypical for a browser automation library. Should be verified against the official selenium-webdriver 4.41.0 dependency manifest to confirm it is not an injected supply-chain dependency.
yarn.lock | 21683 | low | ws@^8.19.0 added as a new transitive dependency via selenium-webdriver. WebSocket libraries can be used as covert communication channels. This is legitimate for selenium-webdriver 4.x BiDi protocol support, but the package version and integrity should be validated against the official registry.
yarn.lock | 14969 | low | Integrity hash for immediate@3.0.6 changed from sha1 to sha512, and similarly for isarray@1.0.0. While migrating from sha1 to sha512 is a security improvement, manually altered integrity fields in a lockfile are a known supply-chain attack vector. The new sha512 values should be verified against the npm registry.

The table above displays the top 10 most important findings.

Total: 4 | Critical: 0 | High: 0 | Medium: 2 | Low: 2


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@github-actions

github-actions Bot commented Mar 19, 2026


🔗 Workflow run · commit b4773e9ccadbd8415e032ba07d4c5dba06c0c865

❌ 1 Jest Test Failure(s)

📄 junit-jest-integration-Linux/TEST-Jest Integration Tests.xml

❌ applies filter function specified (0.003s)

Jest Integration Tests.src/dev/build/lib/integration_tests

Error: expect(received).toBe(expected) // Object.is equality

Expected: 403
Received: 503
    at Object.<anonymous> (/home/runner/work/OpenSearch-Dashboards/OpenSearch-Dashboards/src/core/server/ui_settings/integration_tests/doc_permission_controlled.ts:227:26)
    at processTicksAndRejections (node:internal/process/task_queues:103:5)

1 failure(s) across 1 suite(s). Full XML reports are in the junit-jest-* artifacts.

@github-actions


PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit f24274d.

Path | Line | Severity | Description
yarn.lock | 21686 | medium | @bazel/runfiles is added as a runtime dependency of selenium-webdriver 4.41.0. This is a Bazel build-system library that is highly unusual as a runtime dependency for a browser automation tool. Warrants verification that selenium-webdriver 4.41.0 on the registry matches expected content and that this dependency is not used to load or execute arbitrary runfiles at test/runtime.
yarn.lock | 14972 | low | The integrity hash for immediate@3.0.6 was changed from sha1 to sha512 without a version change. While migrating from SHA-1 to SHA-512 is generally a security improvement and the resolved URL is unchanged, replacing integrity hashes for packages that did not change versions warrants verification that the new sha512 value corresponds to the authentic published package.

The table above displays the top 10 most important findings.

Total: 2 | Critical: 0 | High: 0 | Medium: 1 | Low: 1


Pull Requests Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass diff analyzer by adding label skip-diff-analyzer after reviewing the changes carefully, then re-run failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@github-actions


PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit 76ec216.

PathLineSeverityDescription
yarn.lock21686mediumselenium-webdriver jumps from 4.0.0-alpha.7 to 4.41.0 (extreme version leap) and gains two new dependencies: ws@^8.19.0 (WebSocket client capable of outbound network communication) and @bazel/runfiles@^6.5.0 (unusual for a WebDriver package). The ws addition is especially notable as it introduces a persistent bidirectional network channel. While newer Selenium versions legitimately use WebSockets for Chrome DevTools Protocol, this combination of a massive version jump and new network-capable dependencies should be verified against official selenium-webdriver release notes.
yarn.lock14972lowIntegrity hash for immediate@3.0.6 changed from SHA-1 to SHA-512 without any version bump. SHA-1 to SHA-512 migration is a known npm practice, but changing a hash on an unchanged version could mask a tampered package. The resolved .tgz URL and checksum should be verified against the official npm registry.
| yarn.lock | 15795 | low | Integrity hash for isarray@1.0.0 changed from SHA-1 to SHA-512 without a version change. Same concern as immediate — legitimate migration is plausible, but the SHA-512 hash should be independently verified against the official npm registry to rule out package tampering. |

The table above displays the top 10 most important findings.

Total: 3 | Critical: 0 | High: 0 | Medium: 1 | Low: 2


Pull Request Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass the diff analyzer by adding the label `skip-diff-analyzer` after reviewing the changes carefully, then re-run the failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@github-actions


PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit 1bec189.

| Path | Line | Severity | Description |
|---|---|---|---|
| yarn.lock | 14972 | low | Integrity hash for `immediate@3.0.6` changed from SHA1 to SHA512 without a version bump. While SHA1→SHA512 migration is standard yarn behavior and a security improvement, manually verifying the new hash against the registry is advisable to rule out tampered package substitution. |
| yarn.lock | 15795 | low | Integrity hash for `isarray@1.0.0` changed from SHA1 to SHA512 without a version bump. Same concern as `immediate` — consistent with legitimate yarn hash migration, but worth cross-checking against the npm registry. |
| yarn.lock | 2640 | low | `@bazel/runfiles@6.5.0` is a new transitive dependency pulled in by selenium-webdriver 4.41.0. This is a Bazel build-system runtime package from Google, unusual in a browser-testing dependency but explained by the alpha→stable selenium-webdriver upgrade. No malicious indicators, but adding a Bazel runtime to a JS project is worth confirming against the selenium-webdriver 4.41.0 changelog. |

The table above displays the top 10 most important findings.

Total: 3 | Critical: 0 | High: 0 | Medium: 0 | Low: 3


Pull Request Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass the diff analyzer by adding the label `skip-diff-analyzer` after reviewing the changes carefully, then re-run the failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@github-actions


PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit 6048c8a.

| Path | Line | Severity | Description |
|---|---|---|---|
| yarn.lock | 21693 | medium | @bazel/runfiles is a Bazel build-system runtime tool added as a production dependency of selenium-webdriver@4.41.0. Bazel runfiles are typically a build/dev-time concern, not a runtime dependency of a WebDriver client library. This is anomalous and warrants verification against the official selenium-webdriver 4.41.0 package manifest on the npm registry to confirm the dependency is authentic and not an injected supply chain payload. |
| yarn.lock | 21697 | low | ws@^8.19.0 (WebSocket library) is introduced as a new transitive dependency of selenium-webdriver@4.41.0. While plausibly legitimate for WebDriver BiDi protocol support, the addition of a new network-capable library in a lock file upgrade is worth confirming against the official package metadata. |
| yarn.lock | 14972 | low | Integrity hashes for immediate@3.0.6 and isarray@1.0.0 are changed from SHA1 to SHA512 format. This is a normal npm registry migration pattern and is not inherently malicious, but the new SHA512 values should be spot-checked against the npm registry to rule out hash substitution pointing to tampered tarballs. |

The table above displays the top 10 most important findings.

Total: 3 | Critical: 0 | High: 0 | Medium: 1 | Low: 2


Pull Request Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass the diff analyzer by adding the label `skip-diff-analyzer` after reviewing the changes carefully, then re-run the failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@github-actions


PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit da6084d.

| Path | Line | Severity | Description |
|---|---|---|---|
| yarn.lock | 21686 | medium | selenium-webdriver upgraded from 4.0.0-alpha.7 to 4.41.0, adding 'ws@^8.19.0' (WebSocket library) as a new direct dependency. WebSocket libraries introduce persistent bidirectional network communication capability. While selenium-webdriver is a legitimate testing tool and ws is used for the WebDriver BiDi protocol, the ws dependency was not present before and warrants verification that it is not being leveraged for unexpected outbound communication in the test harness. |
| yarn.lock | 14972 | low | Integrity hash for 'immediate@3.0.6' changed from SHA1 (sha1-nbHb0Pr43m++D13V5Wu2BigN5ps=) to SHA512. While migrating away from SHA1 is a security improvement, the new SHA512 value cannot be independently verified in this review without querying the registry. If the hash does not match the published package, it could indicate a substituted/tampered package. |
| yarn.lock | 15795 | low | Integrity hash for 'isarray@1.0.0' changed from SHA1 (sha1-u5NdSFgsuhaMBoNJV6VKPgcSTxE=) to SHA512. Same concern as immediate@3.0.6 — SHA1-to-SHA512 migration is legitimate, but the new hash value should be confirmed against the npm registry to rule out package substitution. |

The table above displays the top 10 most important findings.

Total: 3 | Critical: 0 | High: 0 | Medium: 1 | Low: 2


Pull Request Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass the diff analyzer by adding the label `skip-diff-analyzer` after reviewing the changes carefully, then re-run the failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@github-actions


PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit f9b9e58.

| Path | Line | Severity | Description |
|---|---|---|---|
| yarn.lock | 2643 | medium | @bazel/runfiles is a Bazel internal build-system tool that has no legitimate place as a runtime npm dependency of selenium-webdriver. Published npm packages strip Bazel build artifacts before release; its presence here suggests either a tampered selenium-webdriver package entry in the lockfile or a manipulated registry resolution that could pull in a malicious version of this package as a side-channel. |
| yarn.lock | 14972 | low | Integrity hashes for 'immediate' and 'isarray' were changed from sha1 to sha512 without a version bump. While migrating away from SHA1 is generally positive, silently swapping hashes on pinned packages without a version change can mask substitution of tampered tarballs. The new sha512 values should be independently verified against the official registry. |

The table above displays the top 10 most important findings.

Total: 2 | Critical: 0 | High: 0 | Medium: 1 | Low: 1


Pull Request Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass the diff analyzer by adding the label `skip-diff-analyzer` after reviewing the changes carefully, then re-run the failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@github-actions


PR Code Analyzer ❗

AI-powered 'Code-Diff-Analyzer' found issues on commit bfbcce7.

| Path | Line | Severity | Description |
|---|---|---|---|
| yarn.lock | 21683 | low | selenium-webdriver upgraded from 4.0.0-alpha.7 to 4.41.0 — a very large version jump (alpha to stable, skipping ~40 minor versions). The dependency set also changed significantly (removed rimraf, added @bazel/runfiles and ws). While all resolved URLs point to the official npm registry with valid SHA512 hashes, such a large jump could mask behavioral changes worth auditing if selenium-webdriver is used in CI/CD pipelines with privileged access. |
| yarn.lock | 2640 | low | @bazel/runfiles@6.5.0 added as a new transitive dependency via selenium-webdriver. This is a Bazel build-system runtime helper typically used in Bazel monorepos. Its presence as a runtime dependency of a browser automation library is atypical in non-Bazel environments, though it is a documented dependency of newer selenium-webdriver releases. The package resolves from the official npm registry with a valid integrity hash, so no direct supply chain risk is evident. |

The table above displays the top 10 most important findings.

Total: 2 | Critical: 0 | High: 0 | Medium: 0 | Low: 2


Pull Request Author(s): Please update your Pull Request according to the report above.

Repository Maintainer(s): You can bypass the diff analyzer by adding the label `skip-diff-analyzer` after reviewing the changes carefully, then re-run the failed actions. To re-enable the analyzer, remove the label, then re-run all actions.


⚠️ Note: The Code-Diff-Analyzer helps protect against potentially harmful code patterns. Please ensure you have thoroughly reviewed the changes beforehand.

Thanks.

@github-actions


❌ Invalid Changelog Heading

The '## Changelog' heading in your PR description is either missing or malformed. Please make sure that your PR description includes a '## Changelog' heading with proper spelling, capitalization, spacing, and Markdown syntax.

4 similar comments