Skip to content

Update dependency void to ^0.10.0#27

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/void-0.x
Open

Update dependency void to ^0.10.0#27
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/void-0.x

Conversation

@renovate

@renovate renovate Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
void (source) ^0.9.3^0.10.0 age confidence

Release Notes

voidzero-dev/void (void)

v0.10.3

Compare Source

v0.10.2

Compare Source

v0.10.1

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@socket-security

socket-security Bot commented Jun 30, 2026

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm better-sqlite3 is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?npm/void@0.10.4npm/better-sqlite3@12.11.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/better-sqlite3@12.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm drizzle-orm is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?npm/void@0.10.4npm/drizzle-orm@0.45.2

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/drizzle-orm@0.45.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Potentially malicious package (AI signal): npm void is 88.0% likely malicious

Notes: High-risk design. The module includes an explicit remote code execution mechanism (user-controlled AsyncFunction evaluation) that runs with access to an authenticated platform SDK. This enables capability abuse and potential sensitive data exposure or remote administrative changes, and it can also write local project configuration via sdk.link. Without strong external isolation/authorization and strict constraints on who can call the 'query' tool, this is effectively backdoor-level behavior for any attacker who can reach the service.

Confidence: 0.88

Severity: 0.98

From: package.jsonnpm/void@0.10.4

ℹ Read more on: This package | This alert | What is AI-detected potential malware?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Given the AI system's identification of this package as malware, extreme caution is advised. It is recommended to avoid downloading or installing this package until the threat is confirmed or flagged as a false positive.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/void@0.10.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@renovate renovate Bot force-pushed the renovate/void-0.x branch 17 times, most recently from d2e1fd9 to 2c3be08 Compare July 1, 2026 07:54
@fengmk2 fengmk2 added the needs-bundle-rebuild Dep compiled into the publish-action bundle; run pnpm build:action and commit the dist label Jul 1, 2026
@renovate renovate Bot force-pushed the renovate/void-0.x branch 3 times, most recently from 460c458 to bfccf5d Compare July 4, 2026 09:40
@renovate renovate Bot force-pushed the renovate/void-0.x branch from bfccf5d to 2949bd6 Compare July 4, 2026 11:21
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addedvoid@​0.10.4741009797100

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

needs-bundle-rebuild Dep compiled into the publish-action bundle; run pnpm build:action and commit the dist

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant