
build(deps): bump the npm_and_yarn group across 4 directories with 8 updates#1

Open
dependabot[bot] wants to merge 1 commit into master from
dependabot/npm_and_yarn/pkgs/applications/editors/vim/plugins/patches/markdown-preview-nvim/npm_and_yarn-a731bda595


@dependabot dependabot bot commented on behalf of github Aug 30, 2025

Bumps the npm_and_yarn group with 1 update in the /pkgs/applications/editors/vim/plugins/patches/markdown-preview-nvim directory: next.
Bumps the npm_and_yarn group with 4 updates in the /pkgs/by-name/re/react-static directory: axios, tar-fs, webpack-dev-server and react-dev-utils.
Bumps the npm_and_yarn group with 1 update in the /pkgs/servers/home-assistant/custom-lovelace-modules/button-card directory: semantic-release.
Bumps the npm_and_yarn group with 2 updates in the /pkgs/tools/admin/meshcentral directory: ws and aedes.

Updates next from 7.0.3 to 15.5.2

Release notes

Sourced from next's releases.

v15.5.2

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • fix: disable unknownatrules lint rule entirely (#83059)
  • revert: add ?dpl to fonts in /_next/static/media (#83062)

Credits

Huge thanks to @​bgub and @​ztanner for helping!

v15.5.1

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • fix: aliased navigations should apply scroll handling (#82900)
  • Turbopack: fix invalid NFT entry with file behind symlink (#82887)
  • fix: typesafe linking to route handlers and pages API routes (#82858)
  • fix: change "noUnknownAtRules" to "warn" for Biome (#82974)
  • fix: add path normalization to getRelativePath for Windows (#82918)
  • feat: add typesafety with config.typedRoutes to redirect() and permanentRedirect() (#82860)
  • fix: avoid importing types that will be unused (#82856)
  • fix: update the config.api.responseLimit type (#82852)
  • fix: update validation return types (#82854)

Credits

Huge thanks to @​bgub, @​mischnic, and @​ztanner for helping!

v15.5.1-canary.20

Misc Changes

  • Turbopack: hide blocking spans in trace server: #83167
  • Update Rspack production test manifest: #83207
  • [create-next-app] Generate route types after setup: #82956
  • Update Rspack development test manifest: #83208
  • docs: fix snippets in getting started: #83228

Credits

Huge thanks to @​sokra, @​vercel-release-bot, @​bgub, and @​icyJoseph for helping!

v15.5.1-canary.19

Core Changes

  • [sourcemaps] Always check for vendor chunks regardless of Node.js version: #83114
  • Turbopack: Remove undocumented legacy syntax for built-in conditions (e.g. foreign, browser): #83068
  • [metadata] update metadata routes cache headers: #83215

... (truncated)

Maintainer changes

This version was pushed to npm by vercel-release-bot, a new releaser for next since your current version.


Updates axios from 0.21.4 to 1.11.0

Release notes

Sourced from axios's releases.

Release v1.11.0

Release notes:

Bug Fixes

  • form-data npm package (#6970) (e72c193)
  • prevent RangeError when using large Buffers (#6961) (a2214ca)
  • types: resolve type discrepancies between ESM and CJS TypeScript declaration files (#6956) (8517aa1)


Release v1.10.0

Release notes:

Bug Fixes

  • adapter: pass fetchOptions to fetch function (#6883) (0f50af8)
  • form-data: convert boolean values to strings in FormData serialization (#6917) (5064b10)
  • package: add module entry point for React Native; (#6933) (3d343b8)

Features


Release v1.9.0

Release notes:

Bug Fixes

  • core: fix the Axios constructor implementation to treat the config argument as optional; (#6881) (6c5d4cd)
  • fetch: fixed ERR_NETWORK mapping for Safari browsers; (#6767) (dfe8411)
  • headers: allow iterable objects to be a data source for the set method; (#6873) (1b1f9cc)
  • headers: fix getSetCookie by using 'get' method for caseless access; (#6874) (d4f7df4)
  • headers: fixed support for setting multiple header values from an iterated source; (#6885) (f7a3b5e)
  • http: send minimal end multipart boundary (#6661) (987d2e2)
  • types: fix autocomplete for adapter config (#6855) (e61a893)

... (truncated)

Changelog

Sourced from axios's changelog.

1.11.0 (2025-07-22)

Bug Fixes

  • form-data npm package (#6970) (e72c193)
  • prevent RangeError when using large Buffers (#6961) (a2214ca)
  • types: resolve type discrepancies between ESM and CJS TypeScript declaration files (#6956) (8517aa1)


1.10.0 (2025-06-14)

Bug Fixes

  • adapter: pass fetchOptions to fetch function (#6883) (0f50af8)
  • form-data: convert boolean values to strings in FormData serialization (#6917) (5064b10)
  • package: add module entry point for React Native; (#6933) (3d343b8)

Features


1.9.0 (2025-04-24)

Bug Fixes

  • core: fix the Axios constructor implementation to treat the config argument as optional; (#6881) (6c5d4cd)
  • fetch: fixed ERR_NETWORK mapping for Safari browsers; (#6767) (dfe8411)
  • headers: allow iterable objects to be a data source for the set method; (#6873) (1b1f9cc)
  • headers: fix getSetCookie by using 'get' method for caseless access; (#6874) (d4f7df4)

... (truncated)

Commits
  • b76c4ac chore(release): v1.11.0 (#6974)
  • e72c193 fix: form-data npm pakcage (#6970)
  • 8517aa1 fix(types): resolve type discrepancies between ESM and CJS TypeScript declara...
  • a2214ca fix: prevent RangeError when using large Buffers (#6961)
  • 6161947 refactor: use spread operator instead of '.apply()' (#6938)
  • a1d16dd refactor: use an object spread instead of Object.assign (#6939)
  • 07183cd chore(sponsor): update sponsor block (#6952)
  • ef36347 docs(CONTRIBUTING): update docs link for accuracy (#6894)
  • b29bd6a chore(sponsor): update sponsor block (#6948)
  • a406a93 chore(sponsor): update sponsor block (#6937)
  • Additional commits viewable in compare view

Updates tar-fs from 2.1.3 to 3.1.0


Updates webpack-dev-server from 3.11.3 to 5.2.2

Release notes

Sourced from webpack-dev-server's releases.

v5.2.2

5.2.2 (2025-06-03)

Bug Fixes

  • "Overlay enabled" false positive (18e72ee)
  • do not crash when error is null for runtime errors (#5447) (309991f)
  • remove unnecessary header X_TEST (#5451) (64a6124)
  • respect the allowedHosts option for cross-origin header check (#5510) (03d1214)

v5.2.1

5.2.1 (2025-03-26)

Security

  • cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header
  • requests with an IP address in the Origin header are not allowed to connect to the WebSocket server unless configured by allowedHosts or it differs from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered fixes.

Bug Fixes

  • prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)
  • take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)

v5.2.0

5.2.0 (2024-12-11)

Features

  • added getClientEntry and getClientHotEntry methods to get clients entries (dc642a8)

Bug Fixes

  • speed up initial client bundling (145b5d0)

v5.1.0

5.1.0 (2024-09-03)

Features

  • add visual progress indicators (a8f40b7)
  • added the app option to be Function (by default only with connect compatibility frameworks) (3096148)
  • allow the server option to be Function (#5275) (02a1c6d)
  • http2 support for connect and connect compatibility frameworks which support HTTP2 (#5267) (6509a3f)

... (truncated)

Changelog

Sourced from webpack-dev-server's changelog.

5.2.2 (2025-06-03)

Bug Fixes

  • "Overlay enabled" false positive (18e72ee)
  • do not crash when error is null for runtime errors (#5447) (309991f)
  • remove unnecessary header X_TEST (#5451) (64a6124)
  • respect the allowedHosts option for cross-origin header check (#5510) (03d1214)

5.2.1 (2025-03-26)

Security

  • cross-origin requests are not allowed unless allowed by Access-Control-Allow-Origin header
  • requests with an IP address in the Origin header are not allowed to connect to the WebSocket server unless configured by allowedHosts or it differs from the Host header

The above changes may make the dev server not work if you relied on such behavior, but unfortunately they carry security risks, so they were considered fixes.

Bug Fixes

  • prevent overlay for errors caught by React error boundaries (#5431) (8c1abc9)
  • take the first network found instead of the last one, this restores the same behavior as 5.0.4 (#5411) (ffd0b86)

5.2.0 (2024-12-11)

Features

  • added getClientEntry and getClientHotEntry methods to get clients entries (dc642a8)

Bug Fixes

  • speed up initial client bundling (145b5d0)

5.1.0 (2024-09-03)

Features

  • add visual progress indicators (a8f40b7)
  • added the app option to be Function (by default only with connect compatibility frameworks) (3096148)
  • allow the server option to be Function (#5275) (02a1c6d)
  • http2 support for connect and connect compatibility frameworks which support HTTP2 (#5267) (6509a3f)

Bug Fixes

  • check the platform property to determine the target (#5269) (c3b532c)

... (truncated)

Commits
  • 195a7e6 chore(release): 5.2.2
  • 620bef1 chore(deps): update (#5511)
  • 03d1214 fix: respect the allowedHosts option for cross-origin header check (#5510)
  • 5ba862e chore(deps-dev): bump the dependencies group across 1 directory with 7 update...
  • f7fec94 chore: fix typo (#5508)
  • 6ee8cd0 ci: add Node.js v24 (#5492)
  • d30f963 chore: update http-proxy-middleware to ^2.0.9 (#5503)
  • 66cf033 chore(deps-dev): bump the dependencies group with 2 updates (#5504)
  • 4367a5c refactor: use 'String#startsWith' & replace if-then-else (#5501)
  • 8e6604f chore(deps): bump the dependencies group across 1 directory with 4 updates (#...
  • Additional commits viewable in compare view

Updates react-dev-utils from 9.1.0 to 12.0.1

Changelog

Sourced from react-dev-utils's changelog.

2.0.3 and Newer Versions

Please refer to CHANGELOG-2.x.md for the 2.x range, and https://github.com/facebook/create-react-app/blob/main/CHANGELOG.md for the newer versions.

1.1.5 (August 24, 2018)

  • react-scripts

    • Update the webpack-dev-server dependency
  • react-dev-utils

    • #4866 Fix a Windows-only vulnerability (CVE-2018-6342) in the development server (@​acdlite)
    • Update the sockjs-client dependency

Committers: 1

Migrating from 1.1.4 to 1.1.5

Inside any created project that has not been ejected, run:

npm install --save --save-exact react-scripts@1.1.5

or

yarn add --exact react-scripts@1.1.5

1.1.4 (April 3, 2018)

🐛 Bug Fix

Committers: 1

Migrating from 1.1.3 to 1.1.4

Inside any created project that has not been ejected, run:


... (truncated)


Updates semantic-release from 17.4.7 to 24.2.7

Release notes

Sourced from semantic-release's releases.

v24.2.7

24.2.7 (2025-07-11)

Performance Improvements

v24.2.6

24.2.6 (2025-06-29)

Bug Fixes

  • deps: update @​semantic-release/npm to ^12.0.2 (#3791) (93177d0)

v24.2.5

24.2.5 (2025-05-23)

Bug Fixes

  • deps: raise the minimum of the defined range for marked-terminal (#3742) (fb1ccd4)

v24.2.4

24.2.4 (2025-05-16)

Bug Fixes

v24.2.3

24.2.3 (2025-02-15)

Bug Fixes

  • types: fixed typescript definition (0e08b5c), closes #3601

v24.2.2

24.2.2 (2025-02-09)

Bug Fixes

  • get-git-auth-url.js: Added debug for success (#3595) (2616d93)

v24.2.1

24.2.1 (2025-01-03)

... (truncated)

Commits
  • 85187e2 perf(get-tags.js): bulk get for tags notes (#3732)
  • 672f951 chore(deps): update dependency @​types/node to v22.16.3 (#3801)
  • de54db9 chore(deps): update dependency @​types/node to v22.16.2 (#3799)
  • c6da348 chore(deps): update dependency @​types/node to v22.16.1 (#3798)
  • fae2a78 chore(deps): lock file maintenance (#3797)
  • fb26b13 docs(plugins): add semantic-release-openapi community plugin (#3787)
  • 985f165 chore(deps): update dependency @​types/node to v22.16.0 (#3794)
  • c8fea35 ci(action): update github/codeql-action action to v3.29.2 (#3793)
  • fab4d88 chore(deps): lock file maintenance (#3792)
  • 93177d0 fix(deps): update @​semantic-release/npm to ^12.0.2 (#3791)
  • Additional commits viewable in compare view

Updates ws from 8.18.0 to 8.18.3

Release notes

Sourced from ws's releases.

8.18.3

Bug fixes

  • Fixed a spec violation where the Sec-WebSocket-Version header was not added to the HTTP response if the client requested version was either invalid or unacceptable (33f5dbaf).

8.18.2

Bug fixes

  • Fixed an issue that, during message decompression when the maximum size was exceeded, led to the emission of an inaccurate error and closure of the connection with an improper close code (#2285).

8.18.1

Bug fixes

  • The length of the UNIX domain socket paths in the tests has been shortened to make them work when run via CITGM (021f7b8b).

Updates aedes from 0.39.0 to 0.42.1

Release notes

Sourced from aedes's releases.

Release 0.42.1

  • fix: clean up the write callbacks in case of error (#492) (e11148d)
  • docs: add Kuzzle to made with aedes section (#500) (379182f)
  • fix: remove useless empty buff (#497) (e60f85d)
  • docs: authorizePublish clarification (#496) (86b6815)
  • fix: catch writeToStream errors (#493) (8d34ee5)
  • Bump markdownlint-cli from 0.22.0 to 0.23.1 (#490) (28c6cbb)

Release 0.42.0

  • fix: remove subs only when clean flag is false (#488) (684aa51)
  • Bump @​types/node from 13.13.6 to 14.0.1 (#485) (8494fe7)
  • Bump uuid from 7.0.3 to 8.0.0 (#481) (d5ab3de)
  • Bump deps and fixed tests (#479) (5fc092c)
  • fix: upgrade aedes in proxy example from 0.40.1 to 0.41.0 (#478) (49276ec)
  • Improved clusters example (#476) (b2393ab)
  • feat: emptyOutgoingQueue (#474) (ab81dce)
  • Update README.md (#471) (24cfa8d)
  • Return granted qos in broker subscribe event and better subAck docs (#468) (2955388)

Release 0.41.0

  • release script (#466) (1635fd5)
  • Fix typo (#463) (276fb0f)
  • Enhance subscription basic tests (#461) (d64faeb)
  • Add more badges (#460) (e3e5b1d)
  • Update README.md (f68cd77)
  • Update dependencies (#457) (d0991fa)
  • Expose protocol version in Client object (#456) (237d253)
  • Added test on unrecognised params in sub packet structure (#455) (76cdd8e)
  • Handle unsubscription safer while client closes (#454) (05d2ee3)
  • Update uuid & deps (#453) (209efd0)
  • Upgrade github actions/checkout to v2 (#452) (6d729b2)
  • Clusters docs (#448) (aaa5f0b)
  • Add a non-blocking concurrent connection test (#445) (fc45bc6)
  • Refactored validationTopics into utils (#447) (323d535)
  • Refactored EventEmitter (#446) (c5ee57e)
  • Enhanced retain.js tests by fake timers (#444) (e4b78df)
  • Enhanced auth.js test by fake timers (#443) (9176beb)
  • Enhanced keep-alive tests by fake timers (#442) (fbd800d)
  • Enhanced not-blocking tests by fake timers (#441) (8bdbb71)
  • docs: Made with Aedes (#440) (37b04b7)
  • Add MQTT spec reference in empty topic validation (#439) (1756d68)
  • Update README.md (#432) (a61f899)
  • Fix: Single-level wildcard match empty level (#433) (c6e049c)
  • Refactored Subscribe Handler (#408) (1c3aa35)
  • feat: Max clients Id length option for MQTT 3.1.0 (#435) (ade3c8a)
  • Extend coverage to 100% (#429) (9c90d2e)
  • Added opencollective links/images (#431) (2bba8cc)
  • Rewrite README.md & Fix typings (#430) (5d25741)
  • Update CoC (#427) (cfe8d1a)
  • Fixed tests & use readable-stream (#426) (903a449)

... (truncated)

Maintainer changes

This version was pushed to npm by roberts_lando, a new releaser for aedes since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.

…updates

Bumps the npm_and_yarn group with 1 update in the /pkgs/applications/editors/vim/plugins/patches/markdown-preview-nvim directory: [next](https://github.com/vercel/next.js).
Bumps the npm_and_yarn group with 4 updates in the /pkgs/by-name/re/react-static directory: [axios](https://github.com/axios/axios), [tar-fs](https://github.com/mafintosh/tar-fs), [webpack-dev-server](https://github.com/webpack/webpack-dev-server) and [react-dev-utils](https://github.com/facebook/create-react-app/tree/HEAD/packages/react-dev-utils).
Bumps the npm_and_yarn group with 1 update in the /pkgs/servers/home-assistant/custom-lovelace-modules/button-card directory: [semantic-release](https://github.com/semantic-release/semantic-release).
Bumps the npm_and_yarn group with 2 updates in the /pkgs/tools/admin/meshcentral directory: [ws](https://github.com/websockets/ws) and [aedes](https://github.com/moscajs/aedes).


Updates `next` from 7.0.3 to 15.5.2
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@7.0.3...v15.5.2)

Updates `axios` from 0.21.4 to 1.11.0
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v0.21.4...v1.11.0)

Updates `tar-fs` from 2.1.3 to 3.1.0
- [Commits](mafintosh/tar-fs@v2.1.3...v3.1.0)

Updates `webpack-dev-server` from 3.11.3 to 5.2.2
- [Release notes](https://github.com/webpack/webpack-dev-server/releases)
- [Changelog](https://github.com/webpack/webpack-dev-server/blob/master/CHANGELOG.md)
- [Commits](webpack/webpack-dev-server@v3.11.3...v5.2.2)

Updates `react-dev-utils` from 9.1.0 to 12.0.1
- [Release notes](https://github.com/facebook/create-react-app/releases)
- [Changelog](https://github.com/facebook/create-react-app/blob/main/CHANGELOG-1.x.md)
- [Commits](https://github.com/facebook/create-react-app/commits/react-dev-utils@12.0.1/packages/react-dev-utils)

Updates `semantic-release` from 17.4.7 to 24.2.7
- [Release notes](https://github.com/semantic-release/semantic-release/releases)
- [Commits](semantic-release/semantic-release@v17.4.7...v24.2.7)

Updates `ws` from 8.18.0 to 8.18.3
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@8.18.0...8.18.3)

Updates `aedes` from 0.39.0 to 0.42.1
- [Release notes](https://github.com/moscajs/aedes/releases)
- [Commits](moscajs/aedes@v0.39.0...v0.42.1)

---
updated-dependencies:
- dependency-name: next
  dependency-version: 15.5.2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: axios
  dependency-version: 1.11.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: tar-fs
  dependency-version: 3.1.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: webpack-dev-server
  dependency-version: 5.2.2
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: react-dev-utils
  dependency-version: 12.0.1
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: semantic-release
  dependency-version: 24.2.7
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: ws
  dependency-version: 8.18.3
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: aedes
  dependency-version: 0.42.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added labels: dependencies (Pull requests that update a dependency file), javascript (Pull requests that update javascript code) on Aug 30, 2025

@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action | Severity | Alert
Warn Critical
npm/minimist@0.0.10 has a Critical CVE.

CVE: GHSA-xvch-5gv4-984h Prototype Pollution in minimist (CRITICAL)

Affected versions: >= 1.0.0 < 1.2.6; < 0.2.4

Patched version: 0.2.4

From: ? → npm/node-windows@0.1.14 → npm/minimist@0.0.10

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/minimist@0.0.10. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Critical
npm/node-windows@0.1.14 has a Critical CVE.

CVE: GHSA-53xv-c2hx-5w6q Command Injection in node-windows (CRITICAL)

Affected versions: < 1.0.0-beta.6

Patched version: 1.0.0-beta.6

From: pkgs/tools/admin/meshcentral/package.json → npm/node-windows@0.1.14

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/node-windows@0.1.14. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
npm/@duosecurity/duo_universal@3.0.0 has Obfuscated code.

Confidence: 0.98

Location: Package overview

From: pkgs/tools/admin/meshcentral/package.json → npm/@duosecurity/duo_universal@3.0.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@duosecurity/duo_universal@3.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
npm/@mysql/xdevapi@8.0.33 has Obfuscated code.

Confidence: 0.93

Location: Package overview

From: pkgs/tools/admin/meshcentral/package.json → npm/@mysql/xdevapi@8.0.33

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@mysql/xdevapi@8.0.33. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
npm/es5-ext@0.10.64 is Protestware or potentially unwanted behavior.

Note: This package prints a protestware console message on install regarding Ukraine for users with Russian language locale

From: ? → npm/es5-ext@0.10.64

ℹ Read more on: This package | This alert | What is protestware?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Consider that consuming this package may come along with functionality unrelated to its primary purpose.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/es5-ext@0.10.64. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
npm/es5-ext@0.10.64 is Protestware or potentially unwanted behavior.

Note: The script attempts to run a local post-install script, which could potentially contain malicious code. The error handling suggests that it is designed to fail silently, which is a common tactic in malicious scripts.

From: ? → npm/es5-ext@0.10.64

ℹ Read more on: This package | This alert | What is protestware?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Consider that consuming this package may come along with functionality unrelated to its primary purpose.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/es5-ext@0.10.64. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
npm/safer-buffer@2.1.2 has Obfuscated code.

Confidence: 0.94

Location: Package overview

From: pkgs/development/tools/yarn2nix-moretea/yarn2nix/yarn.lock → npm/safer-buffer@2.1.2

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/safer-buffer@2.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
