
Update dependency @nomicfoundation/slang to v1#1139

Open: renovate[bot] wants to merge 1 commit into master from renovate/nomicfoundation-slang-1.x

Conversation

@renovate renovate Bot (Contributor) commented Mar 17, 2025

This PR contains the following updates:

Package: @nomicfoundation/slang (source)
Change: ^0.18.3 -> ^1.0.0

Release Notes

NomicFoundation/slang (@​nomicfoundation/slang)

v1.3.5

Compare Source

Patch Changes

v1.3.4

Compare Source

Patch Changes
  • #​1533 afc9f87 Thanks @​OmarTawfik! - Fixed a panic during constructing binding graphs, when the input has incomplete IdentifierPath expressions.

v1.3.3

Compare Source

Patch Changes
  • #​1523 27f07a8 Thanks @​teofr! - Remove constant, view, and pure attributes from UnnamedFunctionDefinition, to disambiguate from StateVariableDefinition that have a function type.

  • #​1526 a52001d Thanks @​teofr! - Fixed associativity of AssignmentExpression from left to right.

  • #​1525 7f3ea6f Thanks @​teofr! - Add support for Solidity 0.8.34.

  • #​1502 6963419 Thanks @​teofr! - Fixed the old style revert calls (revert("oops!")) to be parsed as a FunctionCallExpression rather than a RevertStatement.

v1.3.2

Compare Source

Patch Changes

v1.3.1

Compare Source

Patch Changes

v1.3.0

Compare Source

Minor Changes
  • #​1396 d568dec Thanks @​beta-ziliani! - Add a rewriter API, allowing the transformation of CSTs by extending the BaseRewriter type, overriding the appropriate methods (User Guide).

  • #​1440 4438fc8 Thanks @​OmarTawfik! - add TextIndexExtensions.zero() utility to create an index at offset zero, which is useful for creating cursors from child nodes where parent offset is not needed.

  • #​1390 6a0f598 Thanks @​OmarTawfik! - Add new TypeScript APIs for creating nodes and edges:

    • NonterminalNode.create(kind: NonterminalKind, children: Edge[]): NonterminalNode
    • TerminalNode.create(kind: TerminalKind, text: string): TerminalNode
    • createEdge(label: EdgeLabel, node: Node): Edge
    • Edge.createWithNonterminal(label: EdgeLabel, node: NonterminalNode): Edge
    • Edge.createWithTerminal(label: EdgeLabel, node: TerminalNode): Edge
Patch Changes
  • #​1424 d54a35c Thanks @​ggiraldez! - Resolve identifiers in assembly blocks to locally imported symbols

  • #​1388 4607e6a Thanks @​beta-ziliani! - Fixed the pragma grammar and CST nodes:

    • pragma abicoder <version>:
      • Only enabled starting Solidity 0.7.5.
      • <version> is restricted to new keywords (v1 and v2).
    • pragma experimental <flag>:
      • Only enabled starting Solidity 0.4.16.
      • <flag> is restricted to be a string, or new keywords representing ABIEncoderV2 and SMTChecker.
  • #​1431 a62c857 Thanks @​OmarTawfik! - fix CST query matches to return an empty array for unmatched named captures, instead of undefined.

v1.2.1

Compare Source

Patch Changes
  • #​1377 f3b51be Thanks @​ggiraldez! - Bind untyped tuple deconstruction elements as references, not declarations

  • #​1335 6c3ad5d Thanks @​ggiraldez! - Top-level ConstantDefinitions now bind to their type and resolve extension functions called on them

  • #​1338 18be0bc Thanks @​ggiraldez! - Make try/catch parameters and vars in for loop initialization available in Yul

  • #​1339 f16e4b5 Thanks @​ggiraldez! - Fixes to the binding rules in Solidity:

    • Make the .length member available in all static-size byte arrays
    • Allow assembly blocks (and nested Yul functions) to access inherited state variables
    • Allow assembly blocks access to constructor/modifier/fallback parameters
    • msg.sender is of address type (not payable) until 0.5.0
    • Top-level constants need to be visible from assembly blocks in files that import them
    • Resolve named arguments when calling an extension function
    • Imported symbols using deconstruction syntax can be bound in assembly blocks
  • #​1353 8e718dd Thanks @​ggiraldez! - Fixes to the binding rules in Solidity:

    • Values of the deprecated byte type have a length member until 0.8.0
    • Bind a qualified identifier in the same contract, i.e. Foo.x in a method body of Foo
    • Correctly bind external constants and built-ins in nested functions in assembly blocks
    • Literal boolean values should bind to the bool type to chain extension functions
    • Public state variables that generate getters should have members of external functions (such as .selector)
    • Event types have a selector member
  • #​1326 045179b Thanks @​ggiraldez! - Fixes to binding rules:

    • Update TupleDeconstructionStatement so that their definiens is the TypedTupleMember/UntypedTupleMember for each variable declared.
    • Update YulVariableDeclarationStatement so that their definiens is the YulIdentifier for each variable declared.
  • #​1350 0594fe8 Thanks @​ggiraldez! - Fixes to bindings rules in Solidity:

    • Allow binding of using directives inside interfaces in Solidity < 0.7.1
    • Bind literal fixed arrays types
    • Fix generating binding graph for built-ins: remove the memory location specifier from types so they bind properly
    • Fix return type of value() and gas() legacy call options to allow chaining them
    • Bind legacy call options in the result of new expressions
    • Bind output type of public getters when the state variable is a nested mapping or array
    • A using directive with the global modifier should impact the source unit's lexical scope
    • Relax the Solidity version where the transfer() method works for non-payable addresses; this is a workaround for a Solidity quirk that makes it possible to do address(uint160(to)).transfer(amount) even after 0.5.0
    • Fix bound return types of wrap() and unwrap() methods of a user value defined type
    • Resolve the type of min() and max() of type() expressions for integer types to the integer type given in the expression operand
    • Fix binding of fully qualified modifier invocations
    • Fix #​1321: min() and max() for type() expressions on enum types should bind only after Solidity 0.8.8
    • Bound type for literal number expressions is uint256 by default; this allows correctly binding extension methods operating on literal values
    • The type bytes is an array type and should bind the push() and pop() methods
    • Contract or interface reference values implicitly inherit from the address type on Solidity < 0.5.0
    • Modifiers are allowed inside interfaces until Solidity 0.8.8 and thus should properly bind and be accessible from inheriting contracts
    • Libraries before Solidity 0.5.0 allowed this in function methods and work as an address type

v1.2.0

Compare Source

Minor Changes
Patch Changes

v1.1.0

Compare Source

Minor Changes
  • #​1288 2090ab8 Thanks @​OmarTawfik! - support Solidity 0.8.29 and Custom Storage Layouts:

    • ContractDefinition nodes will no longer have an optional InheritanceSpecifier child directly, but will hold a list of ContractSpecifier children
    • ContractSpecifier nodes have either InheritanceSpecifier or StorageLayoutSpecifier children
  • #​1265 2312260 Thanks @​mjoerussell! - Add LanguageUtils::infer_language_versions(source_code) -> Version[] API, which will analyze version pragmas inside a source file, and return a list of supported language versions that they allow. This can be used to select a valid language version to use with the rest of Slang APIs. Please see the Choosing a Solidity Version guide for more information.

Patch Changes
  • #​1291 da1f863 Thanks @​ggiraldez! - Resolve arguments to inheritance specifiers and expressions in storage layout specifiers using the contract's parent scope.

v1.0.0

Compare Source

Major Changes

v0.20.1

Compare Source

Patch Changes

v0.20.0

Compare Source

Minor Changes
Patch Changes

v0.19.0

Compare Source

Minor Changes
  • #​1156 3a82f06 Thanks @​OmarTawfik! - add node.descendants() and cursor.descendants() APIs to allow iterating over all descendants of the current node in pre-order traversal.

  • #​1156 3a82f06 Thanks @​OmarTawfik! - fix node.children() and parseOutput.errors() return types

  • #​1194 7a25d63 Thanks @​OmarTawfik! - split parser/Parser.supportedVersions() into a new utils/LanguageFacts API, with allVersions(), earliestVersion(), and latestVersion() methods.

  • #​1194 7a25d63 Thanks @​OmarTawfik! - expose the BindingGraph API to allow querying definitions/references between source files.

  • #​1156 3a82f06 Thanks @​OmarTawfik! - add cursor.ancestors() API to allow iterating over all ancestors of the current node, starting with the immediate parent, and moving upwards, ending with the root node.

  • #​1156 3a82f06 Thanks @​OmarTawfik! - add cursor.remainingNodes() API to allow iterating over all the remaining nodes in the current tree, moving in pre-order traversal, until the tree is completed.

  • #​1223 3e85a14 Thanks @​OmarTawfik! - split Parser.parse() API into parse_file_contents() and parse_nonterminal().

  • #​1194 7a25d63 Thanks @​OmarTawfik! - add a CompilationBuilder API to incrementally load and resolve source files and their imports.

  • #​1223 3e85a14 Thanks @​OmarTawfik! - rename Query.parse() to Query.create(), and provide exact TextRange for any errors it returns.

  • #​1172 6102886 Thanks @​beta-ziliani! - Improved error recovery, where leading trivia are always parsed and included before an erroneous terminal.

  • #​1223 3e85a14 Thanks @​OmarTawfik! - add TerminalKindExtensions.is_identifier() API to distinguish terminals like Solidity's Identifier and Yul's YulIdentifier.

  • #​1187 6389361 Thanks @​beta-ziliani! - Change ParseOutput and File.tree to return a NonTerminal instead of a Node.

Patch Changes

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/nomicfoundation-slang-1.x branch from 519a10e to bb4db02 on July 23, 2025 22:39
@renovate renovate Bot force-pushed the renovate/nomicfoundation-slang-1.x branch from bb4db02 to e7cda8b on October 16, 2025 13:48
@renovate renovate Bot force-pushed the renovate/nomicfoundation-slang-1.x branch from e7cda8b to 9c3c5bb on November 11, 2025 01:56
@renovate renovate Bot force-pushed the renovate/nomicfoundation-slang-1.x branch from 9c3c5bb to 420a501 on December 11, 2025 22:04
@renovate renovate Bot force-pushed the renovate/nomicfoundation-slang-1.x branch from 420a501 to 5229f03 on December 22, 2025 14:47
@renovate renovate Bot force-pushed the renovate/nomicfoundation-slang-1.x branch from 5229f03 to 3aa3cdb on December 31, 2025 13:52
@renovate renovate Bot force-pushed the renovate/nomicfoundation-slang-1.x branch from 3aa3cdb to af8460a on February 2, 2026 17:51
@coderabbitai coderabbitai Bot commented Feb 2, 2026

Walkthrough

The @nomicfoundation/slang dependency version in packages/core/package.json is updated from ^0.18.3 to ^1.0.0, representing a major version constraint change with no other modifications.

Changes

Cohort / File(s): Dependency Version Update (packages/core/package.json)
Summary: Bump @nomicfoundation/slang from ^0.18.3 to ^1.0.0 major version.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A carrot for the slang so fine,
From point-one-eight to one, it's mine!
Dependencies hop along the way,
Major versions grow each day! 🌱

🚥 Pre-merge checks: ✅ 3 passed
  • Title check: ✅ Passed. The title 'Update dependency @nomicfoundation/slang to v1' directly and accurately describes the main change in the pull request: bumping the @nomicfoundation/slang dependency from ^0.18.3 to ^1.0.0.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
  • Description Check: ✅ Passed. Check skipped - CodeRabbit's high-level summary is enabled.


@socket-security socket-security Bot commented Feb 2, 2026

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action / Severity / Alert
Block Low
Potential code anomaly (AI signal): npm @eslint/eslintrc is 100.0% likely to have a medium risk anomaly

Notes: The code is a legitimate, well-structured ESLint configuration loader/factory. It reads configuration data from various sources, resolves and loads plugins and parsers, and normalizes configurations for ESLint. While the code is not malicious by itself, it inherently executes user-provided plugin and parser code through require/imports, which is a normal but security-sensitive behavior. In the OpenVSX context, trusted inputs (config files and plugins) should be enforced; untrusted or tampered configs could introduce risk by executing arbitrary code during loading. No explicit malware indicators (exfiltration, backdoors, cryptomining) are present in this fragment.

Confidence: 1.00

Severity: 0.60

From: npm/eslint@8.57.0 → npm/eslint-plugin-unicorn@51.0.1 → npm/@eslint/eslintrc@2.1.4

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@eslint/eslintrc@2.1.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm acorn is 100.0% likely to have a medium risk anomaly

Notes: Overall, the analyzed code is a legitimate, well-structured Acorn 8.x parser fragment with robust handling for ES2020+ features. There is no direct malicious payload, backdoor, or exfiltration mechanism within this fragment. The primary security considerations relate to safe handling of untrusted input to avoid DoS via complex/ pathological RegExp usage or verbose error reporting. In a typical extension usage, isolate parsing to a sandbox and limit resource usage to mitigate potential abuse.

Confidence: 1.00

Severity: 0.60

From: npm/acorn@8.15.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/acorn@8.15.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm eslint is 100.0% likely to have a medium risk anomaly

Notes: This module cleanly loads JavaScript rule modules from a directory with simple caching. The primary security consideration is that requiring arbitrary .js files from a directory executes their code during load, which can be risky if the directory contents are untrusted or modifiable by an attacker. In typical usage, this is expected behavior for plugin-like rule loaders, but it represents a potential supply chain risk if an attacker can place malicious JS files in the targeted directory. No hardcoded secrets or malicious network activity are evident in this snippet.

Confidence: 1.00

Severity: 0.60

From: package.json → npm/eslint@8.57.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/eslint@8.57.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm esquery is 100.0% likely to have a medium risk anomaly

Notes: The analyzed file is a legitimate PEG.js-generated parser module. It does not exhibit malicious exfiltration, backdoors, or external I/O mechanisms. The main security consideration is the potential risk around RegExp construction from user input, which should be mitigated by downstream code validating or constraining the resulting patterns. Overall, the security posture of this module is low risk when considered in isolation, with attention recommended for how parsed regexes are subsequently used by the host application.

Confidence: 1.00

Severity: 0.60

From: npm/eslint@8.57.0 → npm/eslint-plugin-unicorn@51.0.1 → npm/esquery@1.6.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/esquery@1.6.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm ethers is 100.0% likely to have a medium risk anomaly

Notes: The analyzed code fragment appears to be a conventional ABI interface utility (likely from a library like ethers.js) used to parse, encode, and decode Ethereum function calls, events, and errors. There is no evidence of malicious behavior such as data exfiltration, remote control, or code injection. Minor anomalies (typo in an error message and a partially commented/unfinished block) are present but do not constitute malicious activity. Overall security risk from this fragment is low, assuming it is used as intended within a trusted library context.

Confidence: 1.00

Severity: 0.60

From: package.json → npm/ethers@6.15.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ethers@6.15.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm istanbul-lib-processinfo is 100.0% likely to have a medium risk anomaly

Notes: No explicit malicious activity detected. The module appears to be a dedicated utility for process information management and optional external process spawning for coverage collection. However, silent JSON parse errors, potentially unsafe file deletions in expunge, and unvalidated environment injection for spawned processes warrant careful input validation, robust error handling, and strict access controls in deployment. Overall security risk remains moderate, driven by destructive capabilities and external process control rather than overt malware.

Confidence: 1.00

Severity: 0.60

From: npm/nyc@17.0.0 → npm/istanbul-lib-processinfo@2.0.3

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/istanbul-lib-processinfo@2.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm json5 is 100.0% likely to have a medium risk anomaly

Notes: The analyzed fragment appears to be a conventional JSON5 library distribution with polyfills and a JSON5 parser/stringifier. No malicious activity, data exfiltration, or backdoors were detected within the provided code block. The main risk is typical for large bundled libraries (bundle size, maintenance, and potential outdated polyfills) rather than active security abuse. Proceed with standard dependency hygiene (version pinning, integrity checks, and regular updates).

Confidence: 1.00

Severity: 0.60

From: npm/json5@2.2.3

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/json5@2.2.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm json5 is 100.0% likely to have a medium risk anomaly

Notes: This CLI wrapper for the JSON5 library reads the entire input stream into memory before parsing, which could be abused to cause a denial-of-service by supplying extremely large JSON5 payloads. In addition, the legacy --convert option will write a new .json file alongside the input when no explicit output path is given, risking unintended file overwrites. There is no network activity, no dynamic code execution beyond JSON5.parse, and no embedded secrets or telemetry.

Confidence: 1.00

Severity: 0.60

From: npm/json5@2.2.3

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/json5@2.2.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm node-preload is 100.0% likely to have a medium risk anomaly

Notes: The file itself is a small bootstrap that installs a spawn hook and requires a list of modules to execute. By design it executes arbitrary modules and can modify child process behavior, which is a high-impact capability. There is no direct evidence of exfiltration or malicious payloads in this fragment, but the code should be treated as potentially dangerous because it enables execution of other modules (the real risk depends on those modules). Recommend auditing ../preload-list.js, ../internal-preload-module.js, ../hook-spawn.js and every module referenced in the preload list before trusting this package.

Confidence: 1.00

Severity: 0.60

From: npm/nyc@17.0.0 → npm/node-preload@0.2.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/node-preload@0.2.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm nyc is 100.0% likely to have a medium risk anomaly

Notes: No malicious activity detected in this code fragment. It implements standard source map extraction, caching, and coverage remapping functionality without external network access or data exfiltration. Security risk is low, with minor IO-related robustness considerations.

Confidence: 1.00

Severity: 0.60

From: package.json → npm/nyc@17.0.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/nyc@17.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm semver is 100.0% likely to have a medium risk anomaly

Notes: Conclusion: The code is a standard, benign implementation of a semver range-exterior check. No malicious behavior, no data exfiltration, and no suspicious side effects are evident. It operates purely on in-memory data and relies on local modules for comparisons. Overall security risk appears low.

Confidence: 1.00

Severity: 0.60

From: npm/nyc@17.0.0 → npm/@typescript-eslint/eslint-plugin@7.18.0 → npm/@typescript-eslint/parser@7.18.0 → npm/@changesets/cli@2.29.3 → npm/eslint-plugin-unicorn@51.0.1 → npm/semver@7.6.3

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/semver@7.6.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm spawn-wrap is 100.0% likely to have a medium risk anomaly

Notes: The code is a legitimate spawn-wrapping utility (likely from the spawn-wrap npm package) designed to sandbox/redirect child process creation by rewriting the spawn call parameters and running within a temporary working directory. There are no explicit backdoors, data exfiltration, or malicious network behavior detected in this fragment. It does write files and create temporary binaries, but these actions are part of its documented functionality to wrap the Node runtime and manage process execution. The code does not read or leak environment variables beyond what is used to set up the wrapper, and it cleans up after itself (except when in debug mode). Overall, this appears to be a normal, purposeful tool for controlled process spawning rather than malware.

Confidence: 1.00

Severity: 0.60

From: npm/nyc@17.0.0 → npm/spawn-wrap@2.0.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/spawn-wrap@2.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm typescript is 100.0% likely to have a medium risk anomaly

Notes: This typings installer module appears to be a conventional, legitimate worker that updates a types-registry package and loads registry metadata, with logging and IPC integration. Primary security concerns center on: (1) trusting the npm path and environment to avoid executing a malicious npm binary, (2) guarding log file paths and contents to prevent leakage of sensitive data, and (3) ensuring the types-registry package and its version come from a trusted source to minimize supply-chain risk. No explicit malware detected; however, the runtime npm installation and IPC interfaces introduce non-trivial risk surfaces if inputs are untrusted or if the hosting environment is compromised. Recommended mitigations include validating and constraining log paths, pinning and verifying registry package sources, and restricting npm invocation to trusted environments.

Confidence: 1.00

Severity: 0.60

From: package.json > npm/typescript@5.5.4

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/typescript@5.5.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm undici is 100.0% likely to have a medium risk anomaly

Notes: The analyzed code appears to implement a standard in-memory cache batch operation flow (put/delete) with careful handling of response bodies by buffering and storing bytes for caching. No signs of malware, data exfiltration, backdoors, or obfuscated behavior were found. The primary security considerations relate to memory usage from buffering potentially large response bodies and ensuring robust validation within batch operations to prevent cache state corruption. Overall risk is moderate, driven by in-memory data handling rather than external communication.

Confidence: 1.00

Severity: 0.60

From: packages/plugin-hardhat/package.json > npm/undici@6.21.2

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@6.21.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm ws is 100.0% likely to have a medium risk anomaly

Notes: The code implements a standard EventTarget-like mixin for wrapping event listeners and dispatching events to user callbacks. There are no suspicious patterns such as dynamic code execution, hardcoded secrets, or network activity. The risk is contingent on what the consumer does inside their handlers; the snippet itself does not introduce malware or data leakage mechanisms beyond normal event dispatch. Overall security risk is low in isolation.

Confidence: 1.00

Severity: 0.60

From: ? > npm/hardhat@3.6.0 > npm/ws@8.18.3

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ws@8.18.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm y18n is 100.0% likely to have a medium risk anomaly

Notes: The code is a standard local i18n helper that caches locale strings and writes updates to disk. It does not contain obvious malware or backdoors. However, there are security concerns related to unvalidated locale inputs, potential path traversal when locale is attacker-controlled, and race conditions in multi-process environments. If used in attack-prone contexts, these issues should be mitigated by validating locale values, constraining file paths within the intended directory, and optionally disabling auto-write-back (updateFiles=false) in high-risk deployments.

Confidence: 1.00

Severity: 0.60

From: ? > npm/nyc@17.0.0 > npm/wsrun@5.2.4 > npm/y18n@4.0.3

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/y18n@4.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm yargs-parser is 100.0% likely to have a medium risk anomaly

Notes: The analyzed code fragment represents a legitimate environment-variable integration path for a CLI argument parser (consistent with yargs-parser). There is no evidence of malicious behavior such as data exfiltration or backdoors. The primary security consideration is the potential for environment-driven overrides to affect runtime behavior; this is expected but should be carefully configured to avoid leaking sensitive settings. Overall risk is moderate but acceptable with proper configuration and validation.

Confidence: 1.00

Severity: 0.60

From: ? > npm/nyc@17.0.0 > npm/yargs-parser@18.1.3

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/yargs-parser@18.1.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm yargs is 100.0% likely to have a medium risk anomaly

Notes: The provided code consists of harmless-looking shell completion templates used to generate Bash/Zsh completions by querying the application for possible commands via --get-yargs-completions. There is no malicious behavior evident in the template code itself. The main risk is dependency on the integrity of the app_path binary that provides completions; if that binary is compromised, it could influence completions or run unintended commands. Overall, low likelihood of malware in these templates themselves.

Confidence: 1.00

Severity: 0.60

From: ? > npm/wsrun@5.2.4 > npm/yargs@13.3.2

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/yargs@13.3.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm yargs is 100.0% likely to have a medium risk anomaly

Notes: The module implements a standard extends resolution with circular-extends protection and recursive merging. Primary security concerns are the potential execution of arbitrary code when extends points to a JS module and possible disclosure of local files via path-based extends. Treat untrusted inputs as a high-risk factor; consider enforcing whitelisting of allowed extends or sandboxing JS module extends. Overall risk is moderate due to code execution potential from untrusted configuration sources.

Confidence: 1.00

Severity: 0.60

From: ? > npm/wsrun@5.2.4 > npm/yargs@13.3.2

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/yargs@13.3.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm yargs is 100.0% likely to have a medium risk anomaly

Notes: The analyzed code is a typical command-line argument parser (similar to yargs) with localization support, help/version handling, and command/subcommand infrastructure. There is no evidence of malicious behavior such as data exfiltration, reverse shells, hidden backdoors, or cryptomining. Data flows are confined to standard CLI input, environment- and filesystem-derived configuration, and buffered console output. While the code is complex and maintains extensive internal state, it does not exhibit malicious patterns within this fragment.

Confidence: 1.00

Severity: 0.60

From: ? > npm/nyc@17.0.0 > npm/yargs@15.4.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/yargs@15.4.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm yargs is 100.0% likely to have a medium risk anomaly

Notes: The code provides a reasonably solid and conventional configuration extends resolver with circular dependency protection and recursion. The main security concerns center on the potential execution of arbitrary code from extended modules via require and the handling of non-string extends or missing files. No obvious malicious activity is detected, but the trust model for module-based extends should be tightened (e.g., sandboxing, validation, or restricting to JSON-based configs).

Confidence: 1.00

Severity: 0.60

From: ? > npm/nyc@17.0.0 > npm/yargs@15.4.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/yargs@15.4.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


@renovate renovate Bot force-pushed the renovate/nomicfoundation-slang-1.x branch from af8460a to 80c6bba on February 12, 2026 10:34
@renovate renovate Bot force-pushed the renovate/nomicfoundation-slang-1.x branch from 80c6bba to c8eac19 on February 19, 2026 17:30
@renovate renovate Bot force-pushed the renovate/nomicfoundation-slang-1.x branch from c8eac19 to d5a0c15 on February 26, 2026 23:57
@renovate renovate Bot force-pushed the renovate/nomicfoundation-slang-1.x branch 2 times, most recently from 4c401d5 to c4b2bfb on May 6, 2026 12:39
@renovate renovate Bot force-pushed the renovate/nomicfoundation-slang-1.x branch from c4b2bfb to bbb27a7 on June 1, 2026 17:08
@renovate renovate Bot force-pushed the renovate/nomicfoundation-slang-1.x branch from bbb27a7 to f51c926 on June 2, 2026 14:35