| Block |
 |
Obfuscated code: npm @pnpm/network.ca-file is 90.0% likely obfuscated
Confidence: 0.90
Location: Package overview
From: ? → npm/gatsby@5.16.1 → npm/@pnpm/network.ca-file@1.0.2
ℹ Read more on: This package | This alert | What is obfuscated code?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@pnpm/network.ca-file@1.0.2. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
 |
Obfuscated code: npm @surma/rollup-plugin-off-main-thread is 90.0% likely obfuscated
Confidence: 0.90
Location: Package overview
From: ? → npm/react-scripts@5.0.1 → npm/@surma/rollup-plugin-off-main-thread@2.2.3
ℹ Read more on: This package | This alert | What is obfuscated code?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@surma/rollup-plugin-off-main-thread@2.2.3. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
 |
Obfuscated code: npm css-minimizer-webpack-plugin is 90.0% likely obfuscated
Confidence: 0.90
Location: Package overview
From: ? → npm/gatsby@5.16.1 → npm/css-minimizer-webpack-plugin@2.0.0
ℹ Read more on: This package | This alert | What is obfuscated code?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/css-minimizer-webpack-plugin@2.0.0. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
 |
Obfuscated code: npm cssom is 90.0% likely obfuscated
Confidence: 0.90
Location: Package overview
From: ? → npm/react-scripts@5.0.1 → npm/eslint-plugin-jest@27.9.0 → npm/cssom@0.4.4
ℹ Read more on: This package | This alert | What is obfuscated code?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/cssom@0.4.4. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
 |
Obfuscated code: npm damerau-levenshtein is 90.0% likely obfuscated
Confidence: 0.90
Location: Package overview
From: ? → npm/gatsby@5.16.1 → npm/react-scripts@5.0.1 → npm/damerau-levenshtein@1.0.8
ℹ Read more on: This package | This alert | What is obfuscated code?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/damerau-levenshtein@1.0.8. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
 |
Obfuscated code: npm diff-sequences is 90.0% likely obfuscated
Confidence: 0.90
Location: Package overview
From: ? → npm/react-scripts@5.0.1 → npm/eslint-plugin-jest@27.9.0 → npm/diff-sequences@27.5.1
ℹ Read more on: This package | This alert | What is obfuscated code?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/diff-sequences@27.5.1. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
 |
Obfuscated code: npm es-abstract is 90.0% likely obfuscated
Confidence: 0.90
Location: Package overview
From: ? → npm/gatsby@5.16.1 → npm/eslint-import-resolver-typescript@3.7.0 → npm/react-scripts@5.0.1 → npm/eslint-plugin-import@2.32.0 → npm/es-abstract@1.24.2
ℹ Read more on: This package | This alert | What is obfuscated code?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/es-abstract@1.24.2. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
 |
Protestware or unwanted behavior: npm es5-ext
Note: The script attempts to run a local post-install script, which could potentially contain malicious code. The error handling suggests that it is designed to fail silently, which is a common tactic in malicious scripts.
From: ? → npm/gatsby@5.16.1 → npm/es5-ext@0.10.64
ℹ Read more on: This package | This alert | What is protestware?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Consider that consuming this package may come along with functionality unrelated to its primary purpose.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/es5-ext@0.10.64. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
 |
Obfuscated code: npm eslint-plugin-jest is 90.0% likely obfuscated
Confidence: 0.90
Location: Package overview
From: ? → npm/react-scripts@5.0.1 → npm/eslint-plugin-jest@25.7.0
ℹ Read more on: This package | This alert | What is obfuscated code?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/eslint-plugin-jest@25.7.0. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
 |
Obfuscated code: npm eslint-plugin-react is 90.0% likely obfuscated
Confidence: 0.90
Location: Package overview
From: ? → npm/gatsby@5.16.1 → npm/react-scripts@5.0.1 → npm/eslint-plugin-react@7.37.5
ℹ Read more on: This package | This alert | What is obfuscated code?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/eslint-plugin-react@7.37.5. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
 |
Obfuscated code: npm fast-xml-parser is 90.0% likely obfuscated
Confidence: 0.90
Location: Package overview
From: ? → npm/@metamask/snaps-cli@6.7.0 → npm/fast-xml-parser@4.5.6
ℹ Read more on: This package | This alert | What is obfuscated code?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/fast-xml-parser@4.5.6. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
 |
Obfuscated code: npm gatsby is 90.0% likely obfuscated
Confidence: 0.90
Location: Package overview
From: packages/snaps/simple-keyring/packages/site/package.json → npm/gatsby@5.16.1
ℹ Read more on: This package | This alert | What is obfuscated code?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/gatsby@5.16.1. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
 |
Obfuscated code: npm hash-wasm is 90.0% likely obfuscated
Confidence: 0.90
Location: Package overview
From: ? → npm/gatsby-plugin-manifest@5.16.0 → npm/gatsby@5.16.1 → npm/hash-wasm@4.12.0
ℹ Read more on: This package | This alert | What is obfuscated code?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/hash-wasm@4.12.0. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
 |
Obfuscated code: npm js-yaml is 90.0% likely obfuscated
Confidence: 0.90
Location: Package overview
From: ? → npm/eslint@9.39.4 → npm/eslint@8.57.1 → npm/@metamask/snaps-cli@6.7.0 → npm/react-scripts@5.0.1 → npm/js-yaml@4.2.0
ℹ Read more on: This package | This alert | What is obfuscated code?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/js-yaml@4.2.0. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
 |
Obfuscated code: npm node-forge is 90.0% likely obfuscated
Confidence: 0.90
Location: Package overview
From: ? → npm/gatsby@5.16.1 → npm/react-scripts@5.0.1 → npm/node-forge@1.4.0
ℹ Read more on: This package | This alert | What is obfuscated code?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/node-forge@1.4.0. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
 |
High CVE: npm path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters
CVE: GHSA-37ch-88jc-xwx2 path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters (HIGH)
Affected versions: < 0.1.13
Patched version: 0.1.13
From: ? → npm/gatsby@5.16.1 → npm/path-to-regexp@0.1.12
ℹ Read more on: This package | This alert | What is a CVE?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/path-to-regexp@0.1.12. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
 |
Publisher changed: npm postcss-selector-parser is now published by moox
Author: moox
From: ? → npm/gatsby@5.16.1 → npm/react-scripts@5.0.1 → npm/gatsby-plugin-webfonts@2.3.2 → npm/postcss-selector-parser@6.1.4
ℹ Read more on: This package | This alert | What is unstable ownership?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/postcss-selector-parser@6.1.4. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
 |
Publisher changed: npm postcss-selector-parser is now published by moox
Author: moox
From: ? → npm/gatsby@5.16.1 → npm/react-scripts@5.0.1 → npm/postcss-selector-parser@7.1.4
ℹ Read more on: This package | This alert | What is unstable ownership?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/postcss-selector-parser@7.1.4. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
 |
Obfuscated code: npm rollup is 90.0% likely obfuscated
Confidence: 0.90
Location: Package overview
From: ? → npm/react-scripts@5.0.1 → npm/rollup@2.80.0
ℹ Read more on: This package | This alert | What is obfuscated code?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/rollup@2.80.0. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
 |
Obfuscated code: npm webpack is 90.0% likely obfuscated
Confidence: 0.90
Location: Package overview
From: packages/snaps/simple-keyring/packages/site/package.json → npm/webpack@5.107.2
ℹ Read more on: This package | This alert | What is obfuscated code?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/webpack@5.107.2. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
 |
System shell access: npm @ardatan/relay-compiler in module child_process
Module: child_process
Location: Package overview
From: ? → npm/gatsby@5.16.1 → npm/@ardatan/relay-compiler@12.0.0
ℹ Read more on: This package | This alert | What is shell access?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@ardatan/relay-compiler@12.0.0. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
 |
System shell access: npm @expo/devcert in module child_process
Module: child_process
Location: Package overview
From: ? → npm/gatsby@5.16.1 → npm/@expo/devcert@1.2.1
ℹ Read more on: This package | This alert | What is shell access?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@expo/devcert@1.2.1. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
 |
System shell access: npm @expo/sudo-prompt in module child_process
Module: child_process
Location: Package overview
From: ? → npm/gatsby@5.16.1 → npm/@expo/sudo-prompt@9.3.2
ℹ Read more on: This package | This alert | What is shell access?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@expo/sudo-prompt@9.3.2. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
 |
Potential security risk (AI signal): npm @lavamoat/allow-scripts
Notes: undefined
Confidence: undefined
Severity: undefined
From: packages/snaps/simple-keyring/packages/snap/package.json → npm/@lavamoat/allow-scripts@2.5.1
ℹ Read more on: This package | This alert | What are AI-detected potential security risks?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: An AI system identified potential security problems in this package. It is advised to review the package thoroughly and assess the potential risks before installation. You may also consider reporting the issue to the package maintainer or seeking alternative solutions with a stronger security posture.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@lavamoat/allow-scripts@2.5.1. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
 |
System shell access: npm @lavamoat/allow-scripts in module child_process
Module: child_process
Location: Package overview
From: packages/snaps/simple-keyring/packages/snap/package.json → npm/@lavamoat/allow-scripts@2.5.1
ℹ Read more on: This package | This alert | What is shell access?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@lavamoat/allow-scripts@2.5.1. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
 |
Network access: npm @metamask/snaps-cli in module http
Module: http
Location: Package overview
From: packages/snaps/simple-keyring/packages/snap/package.json → npm/@metamask/snaps-cli@6.7.0
ℹ Read more on: This package | This alert | What is network access?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@metamask/snaps-cli@6.7.0. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
 |
System shell access: npm @parcel/package-manager in module child_process
Module: child_process
Location: Package overview
From: ? → npm/gatsby@5.16.1 → npm/@parcel/package-manager@2.8.3
ℹ Read more on: This package | This alert | What is shell access?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@parcel/package-manager@2.8.3. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
|
See 346 more rows in the dashboard
|