Bump @playform/build from 0.2.5 to 0.2.6 by dependabot[bot] · Pull Request #77 · PlayForm/Dispatch

dependabot · 2026-01-08T02:19:40Z

Bumps @playform/build from 0.2.5 to 0.2.6.

Release notes

Sourced from @playform/build's releases.

v0.2.6

Full Changelog: PlayForm/Build@v0.2.5...v0.2.6

Build/v0.2.6

What's Changed

Bump @types/node from 24.0.8 to 24.0.10 by @dependabot[bot] in PlayForm/Build#258

Bump dependabot/fetch-metadata from 2.3.0 to 2.4.0 by @dependabot[bot] in PlayForm/Build#259

Bump esbuild from 0.25.5 to 0.25.6 by @dependabot[bot] in PlayForm/Build#260

Bump @types/node from 24.0.10 to 24.0.11 by @dependabot[bot] in PlayForm/Build#261

Bump @types/node from 24.0.11 to 24.0.12 by @dependabot[bot] in PlayForm/Build#262

Bump @types/node from 24.0.12 to 24.0.13 by @dependabot[bot] in PlayForm/Build#263

Bump @types/node from 24.0.13 to 24.0.14 by @dependabot[bot] in PlayForm/Build#264

Bump esbuild from 0.25.6 to 0.25.8 by @dependabot[bot] in PlayForm/Build#265

Bump @types/node from 24.0.14 to 24.1.0 by @dependabot[bot] in PlayForm/Build#266

Bump typescript from 5.8.3 to 5.9.2 by @dependabot[bot] in PlayForm/Build#267

Bump @types/node from 24.1.0 to 24.2.0 by @dependabot[bot] in PlayForm/Build#268

Bump @types/node from 24.2.0 to 24.2.1 by @dependabot[bot] in PlayForm/Build#269

Bump actions/checkout from 4.2.2 to 5.0.0 by @dependabot[bot] in PlayForm/Build#270

Bump esbuild from 0.25.8 to 0.25.9 by @dependabot[bot] in PlayForm/Build#271

Bump @types/node from 24.2.1 to 24.3.0 by @dependabot[bot] in PlayForm/Build#272

Bump actions/setup-node from 4.4.0 to 5.0.0 by @dependabot[bot] in PlayForm/Build#273

Bump @types/node from 24.3.0 to 24.3.1 by @dependabot[bot] in PlayForm/Build#274

Bump commander from 14.0.0 to 14.0.1 by @dependabot[bot] in PlayForm/Build#275

Bump @types/node from 24.3.1 to 24.3.2 by @dependabot[bot] in PlayForm/Build#276

Bump @types/node from 24.3.2 to 24.5.0 by @dependabot[bot] in PlayForm/Build#277

Bump esbuild from 0.25.9 to 0.25.10 by @dependabot[bot] in PlayForm/Build#278

Bump @types/node from 24.5.0 to 24.5.1 by @dependabot[bot] in PlayForm/Build#279

Bump @types/node from 24.5.1 to 24.5.2 by @dependabot[bot] in PlayForm/Build#280

Bump @types/node from 24.5.2 to 24.6.0 by @dependabot[bot] in PlayForm/Build#281

Bump @types/node from 24.6.0 to 24.6.1 by @dependabot[bot] in PlayForm/Build#282

Bump typescript from 5.9.2 to 5.9.3 by @dependabot[bot] in PlayForm/Build#283

Bump @types/node from 24.6.1 to 24.6.2 by @dependabot[bot] in PlayForm/Build#284

Bump @types/node from 24.6.2 to 24.7.0 by @dependabot[bot] in PlayForm/Build#285

Bump pnpm/action-setup from 4.1.0 to 4.2.0 by @dependabot[bot] in PlayForm/Build#286

Bump @types/node from 24.7.0 to 24.7.1 by @dependabot[bot] in PlayForm/Build#287

Bump @types/node from 24.7.1 to 24.7.2 by @dependabot[bot] in PlayForm/Build#288

Bump actions/setup-node from 5.0.0 to 6.0.0 by @dependabot[bot] in PlayForm/Build#289

Bump esbuild from 0.25.10 to 0.25.11 by @dependabot[bot] in PlayForm/Build#290

Bump @types/node from 24.7.2 to 24.8.0 by @dependabot[bot] in PlayForm/Build#291

Bump @types/node from 24.8.0 to 24.8.1 by @dependabot[bot] in PlayForm/Build#292

Bump @types/node from 24.8.1 to 24.9.0 by @dependabot[bot] in PlayForm/Build#293

Bump @types/node from 24.9.0 to 24.9.1 by @dependabot[bot] in PlayForm/Build#294

Bump actions/upload-artifact from 4.6.2 to 5.0.0 by @dependabot[bot] in PlayForm/Build#295

Bump commander from 14.0.1 to 14.0.2 by @dependabot[bot] in PlayForm/Build#296

Bump @types/node from 24.9.1 to 24.9.2 by @dependabot[bot] in PlayForm/Build#297

Bump esbuild from 0.25.11 to 0.25.12 by @dependabot[bot] in PlayForm/Build#298

Bump @types/node from 24.9.2 to 24.10.0 by @dependabot[bot] in PlayForm/Build#299

Bump esbuild from 0.25.12 to 0.27.0 by @dependabot[bot] in PlayForm/Build#300

Bump @types/node from 24.10.0 to 24.10.1 by @dependabot[bot] in PlayForm/Build#301

Bump actions/checkout from 5.0.0 to 5.0.1 by @dependabot[bot] in PlayForm/Build#302

... (truncated)

Changelog

Sourced from @playform/build's changelog.

0.2.6

Change

Updated version to 0.2.6

Updated dependencies:

@types/node from 24.0.8 to 25.0.3

commander from 14.0.0 to 14.0.2

esbuild from 0.25.5 to 0.27.2

typescript from 5.8.3 to 5.9.3

Commits

df8f04f 0.2.6
2fcc2fd squash!
76e79ac squash!
030412a squash!
8604bcf squash!
bfcd598 squash!
af16740 squash!
93f011d squash!
0fdf5fd squash!
2987f9c squash!
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @playform/build since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [@playform/build](https://github.com/PlayForm/Build) from 0.2.5 to 0.2.6. - [Release notes](https://github.com/PlayForm/Build/releases) - [Changelog](https://github.com/PlayForm/Build/blob/Current/CHANGELOG.md) - [Commits](PlayForm/Build@v0.2.5...v0.2.6) --- updated-dependencies: - dependency-name: "@playform/build" dependency-version: 0.2.6 dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>

socket-security · 2026-01-08T02:19:55Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@playform/build@0.2.5 ⏵ 0.2.6	^-6		^-1	⁺⁶

View full report

socket-security · 2026-01-08T02:19:56Z

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Block		Obfuscated code: npm `@playform/build` is 98.0% likely obfuscated Confidence: 0.98 Location: Package overview From: package.json → `npm/@playform/build@0.2.6` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@playform/build@0.2.6`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Minified code present: npm `@playform/build` with 100.0% likelihood Confidence: 1.00 Location: Package overview From: package.json → `npm/@playform/build@0.2.6` ℹ Read more on: This package \| This alert \| What's wrong with minified code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: In many cases minified code is harmless, however minified code can be used to hide a supply chain attack. Consider not shipping minified code on npm. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@playform/build@0.2.6`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Minified code present: npm `@playform/build` with 98.0% likelihood Confidence: 0.98 Location: Package overview From: package.json → `npm/@playform/build@0.2.6` ℹ Read more on: This package \| This alert \| What's wrong with minified code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: In many cases minified code is harmless, however minified code can be used to hide a supply chain attack. Consider not shipping minified code on npm. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@playform/build@0.2.6`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Minified code present: npm `@playform/build` with 99.0% likelihood Confidence: 0.99 Location: Package overview From: package.json → `npm/@playform/build@0.2.6` ℹ Read more on: This package \| This alert \| What's wrong with minified code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: In many cases minified code is harmless, however minified code can be used to hide a supply chain attack. Consider not shipping minified code on npm. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@playform/build@0.2.6`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Environment variable access: npm `@playform/build` reads NODE_ENV Env Vars: NODE_ENV Location: Package overview From: package.json → `npm/@playform/build@0.2.6` ℹ Read more on: This package \| This alert \| What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@playform/build@0.2.6`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Environment variable access: npm `@playform/build` reads VERSION_PACKAGE Env Vars: VERSION_PACKAGE Location: Package overview From: package.json → `npm/@playform/build@0.2.6` ℹ Read more on: This package \| This alert \| What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@playform/build@0.2.6`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm `@types/node` URLs: https://nodejs.org/docs/latest-v25.x/api/test.html#test-runner-execution-model, https://nodejs.org/docs/latest-v25.x/api/cli.html#--test-update-snapshots, 0.0.0.0, 192.168.1.1, 74.125.127.100, 127.0.0.1, 123.123.123.123, 10.0.0.1, 10.0.0.10, 10.0.0.3, 222.111.111.222, 192.168.1.0/24, 10.0.0.5, 127.000.000.001, 127.0.0.1/24, https://v8docs.nodesource.com/node-13.2/d5/dda/classv8_1_1_isolate.html#a6079122af17612ef54ef3348ce170866, https://nodejs.org/docs/latest-v25.x/api/cli.html#--heapsnapshot-near-heap-limitmax_count, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Equality, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Inequality, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/is, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Classes, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions, https://nodejs.org/docs/latest-v25.x/api/errors.html#err_invalid_return_value, https://nodejs.org/docs/latest-v25.x/api/errors.html#class-error, IO.read, https://chromedevtools.github.io/devtools-protocol/v8/, encrypted.google.com, example.com, github.com, https://encrypted.google.com/, https://github.com/nodejs/node/blob/v25.x/src/node_sea.cc, https://developer.mozilla.org/en-US/docs/Web/API/Blob, https://github.com/nodejs/node/blob/v25.x/lib/crypto.js, https://www.openssl.org/docs/man3.0/man1/openssl-spkac.html, https://nodejs.org/dist/latest-v25.x/docs/api/crypto.html#crypto-constants, https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html, https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html., https://en.wikipedia.org/wiki/Initialization_vector, https://www.rfc-editor.org/rfc/rfc2412.txt, https://www.rfc-editor.org/rfc/rfc3526.txt, https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf, https://en.wikipedia.org/wiki/Fisher%E2%80%93Yates_shuffle#Modulo_bias, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Number/isSafeInteger, https://www.w3.org/TR/capability-urls/, https://nodejs.org/docs/latest-v25.x/api/crypto.html#asymmetric-key-types, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532, https://www.rfc-editor.org/rfc/rfc2818.txt, https://www.rfc-editor.org/rfc/rfc5280.txt, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/ArrayBuffer, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/BigInt, https://www.rfc-editor.org/rfc/rfc9106.html, https://nodejs.org/docs/latest-v25.x/api/crypto.html#using-strings-as-inputs-to-cryptographic-apis, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Uint8Array, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/length, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/DataView, https://developer.mozilla.org/en-US/docs/Web/JavaScript/-, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/stringify, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/TypedArray/set, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/indexOf, example.org, 93.184.216.34, archive.org, nodejs.org, https://nodejs.org/docs/latest-v25.x/api/util.html#utilpromisifyoriginal, https://tools.ietf.org/html/rfc8482, https://nodejs.org/docs/latest-v25.x/api/dns.html#error-codes, https://nodejs.org/docs/latest-v25.x/api/dns.html#dnspromiseslookuphostname-options, https://tools.ietf.org/html/rfc5952#section-6, https://man7.org/linux/man-pages/man5/resolv.conf.5.html, https://datatracker.ietf.org/doc/html/rfc5952#section-6, https://nodejs.org/docs/latest-v25.x/api/cli.html#--dns-result-orderorder, https://nodejs.org/docs/latest-v25.x/api/worker_threads.html, 4.4.4.4, https://docs.libuv.org/en/v1.x/misc.html#c.uv_available_parallelism, https://linux.die.net/man/3/uname, https://en.wikipedia.org/wiki/Uname#Examples, https://nodejs.org/docs/latest-v25.x/api/errors.html#class-systemerror, https://nodejs.org/docs/latest-v25.x/api/process.html#processarch, https://github.com/nodejs/node/blob/HEAD/BUILDING.md#androidandroid-based-devices-eg-firefox-os, https://github.com/nodejs/node/blob/v25.x/lib/child_process.js, subprocess.channel, https://nodejs.org/docs/latest-v25.x/api/net.html#class-netsocket, https://nodejs.org/docs/latest-v25.x/api/net.html#class-netserver, https://nodejs.org/docs/latest-v25.x/api/dgram.html#class-dgramsocket, test.sh, https://nodejs.org/docs/latest-v25.x/api/vm.html#support-of-dynamic-import-in-compilation-apis, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval, https://es5.github.io/#x10.4.2, https://tc39.es/ecma262/#sec-abstract-module-records, https://tc39.es/ecma262/#sec-cyclic-module-records, https://tc39.es/ecma262/#sec-getmodulenamespace, https://tc39.es/ecma262/#sec-moduleevaluation, https://heycam.github.io/webidl/#synthetic-module-records, 127.0.0.1:8000, process.env.HOST, req.headers.host, https://nodejs.org/docs/latest-v25.x/api/http.html#built-in-proxy-support, https://nodejs.org/docs/latest-v25.x/api/net.html#socketconnectoptions-connectlistener, sql.run, https://www.sqlite.org/c3ref/changes.html, https://nodejs.org/docs/latest-v25.x/api/v8.html, https://www.chromium.org/developers/how-tos/trace-event-profiling-tool, https://nodejs.org/docs/latest-v25.x/api/worker_threads.html#class-worker, https://github.com/nodejs/node/blob/v25.x/lib/trace_events.js, https://nodejs.org/docs/latest-v25.x/api/stream.html#streamcomposestreams, readable.map, https://nodejs.org/docs/latest-v25.x/api/stream.html#readablecomposestream-options, 224.0.0.114, https://en.wikipedia.org/wiki/IPv6_address#Scoped_literal_IPv6_addresses, https://tools.ietf.org/html/rfc4007, 10.0.0.2, 4.4.4.4:1053, https://nodejs.org/docs/latest-v20.x/api/errors.html#class-error, https://nodejs.org/docs/latest-v20.x/api/dns.html#error-codes, https://nodejs.org/docs/latest-v20.x/api/dns.html#dnspromiseslookuphostname-options, https://nodejs.org/docs/latest-v20.x/api/dns.html#dnspromisessetdefaultresultorderorder, https://nodejs.org/docs/latest-v20.x/api/cli.html#--dns-result-orderorder, https://nodejs.org/docs/latest-v20.x/api/worker_threads.html, http://example.org:8000, https://example.org:80, https://example.org/foo/bar, https://example.org, http2stream.id, https://example.com, request.stream, http://example.com, http://example.com/status?name=ryan, https://nodejs.org/docs/latest-v25.x/api/errors.html#class-typeerror, response.stream, https://tools.ietf.org/html/rfc7540, https://http2.github.io/faq/#does-http2-require-encryption, ws://127.0.0.1:9229/166e272e-7a30-4d09-97ce-f1c012b43c34, https://nodejs.org/en/docs/inspector, app.js.map, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Data_structures#String_type, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Data_structures#Number_type, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Data_structures#Boolean_type, http://man7.org/linux/man-pages/man3/readdir.3.html, http://man7.org/linux/man-pages/man2/readlink.2.html, http://man7.org/linux/man-pages/man2/mkdir.2.html, https://docs.microsoft.com/en-us/windows/desktop/FileIO/naming-a-file, https://docs.microsoft.com/en-us/windows/desktop/FileIO/using-streams, http://man7.org/linux/man-pages/man2/fsync.2.html, http://man7.org/linux/man-pages/man2/pwrite.2.html, fs.read, fs.watch, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Number/MAX_SAFE_INTEGER, http://man7.org/linux/man-pages/man2/fdatasync.2.html, http://man7.org/linux/man-pages/man3/opendir.3.html, xn--fsq.com, xn--maana-pta.com, ana.com, xn----dqo34k.com, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/TypedArray/subarray, https://nodejs.org/docs/latest-v25.x/api/child_process.html#optionsstdio, https://man7.org/linux/man-pages/man2/setuid.2.html, https://man7.org/linux/man-pages/man2/setgid.2.html, https://nodejs.org/docs/latest-v25.x/api/process.html#a-note-on-process-io, https://github.com/nodejs/node/blob/v25.x/lib/console.js, https://nodejs.org/docs/latest-v25.x/api/util.html#utilinspectobject-options, https://nodejs.org/docs/latest-v25.x/api/async_context.html, https://nodejs.org/docs/latest-v25.x/api/module.html#module-compile-cache, options.directory, module.id, https://nodejs.org/docs/latest-v25.x/api/async_hooks.html#promise-execution-tracking, https://nodejs.org/dist/latest-v25.x/docs/api/repl.html#repl_customizing_repl_output, https://nodejs.org/dist/latest-v25.x/docs/api/readline.html#readline_use_of_the_completer_function, https://nodejs.org/dist/latest-v25.x/docs/api/repl.html#repl_class_replserver, https://nodejs.org/dist/latest-v25.x/docs/api/repl.html#repl_commands_and_special_keys, https://nodejs.org/dist/latest-v25.x/docs/api/repl.html#repl_assignment_of_the_underscore_variable, https://chromedevtools.github.io/devtools-protocol/1-3/Runtime/#type-ScriptId, https://nodejs.org/docs/latest-v25.x/api/util.html#modifiers, https://github.com/microsoft/TypeScript/issues/12936, https://example.com/some/path?page=1&#x26, urlObject.host, urlObject.search, http://example.com/, http://example.com/one, http://example.com/two, https://tools.ietf.org/html/rfc5891#section-4.4, https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API, https://nodejs.org/docs/latest-v25.x/api/modules.md#loading-ecmascript-modules-using-require, process.report.directory, https://nodejs.org/docs/latest-v25.x/api/os.html#dlopen-constants, http://man7.org/linux/man-pages/man7/environ.7.html, process.pid, https://docs.libuv.org/en/v1.x/misc.html#c.uv_get_constrained_memory, https://nodejs.org/docs/latest-v25.x/api/process.html#processavailablememory, https://nodejs.org/api/cli.html#--permission, https://nodejs.org/api/permissions.html#permission-model, https://nodejs.org/download/release/v18.12.0/node-v18.12.0.tar.gz, https://nodejs.org/download/release/v18.12.0/node-v18.12.0-headers.tar.gz, https://nodejs.org/download/release/v18.12.0/win-x64/node.lib, https://nodejs.org/docs/latest-v25.x/api/report.html, process.report, https://github.com/WebAssembly/wabt, https://github.com/nodejs/node/blob/v25.x/lib/wasi.js, https://www.openssl.org/docs/man1.1.1/man3/SSL_CIPHER_get_name.html, https://tools.ietf.org/html/rfc5929, https://www.openssl.org/docs/man1.1.1/man3/SSL_export_keying_material.html, https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#exporter-labels, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Error, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Data_structures#Undefined_type, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531, options.ca, https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt, https://tc39.github.io/ecma262/#sec-asynciterable-interface, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Iteration_protocols#The_iterable_protocol, https://developer.mozilla.org/en-US/docs/Web/API/ArrayBufferView, http://man7.org/linux/man-pages/man2/open.2.html, http://man7.org/linux/man-pages/man2/lstat.2.html, http://man7.org/linux/man-pages/man2/link.2.html, http://man7.org/linux/man-pages/man2/unlink.2.html, https://github.com/mdn/content/pull/38027 Location: Package overview From: `?` → `npm/@playform/build@0.2.6` → `npm/@types/node@25.0.3` ℹ Read more on: This package \| This alert \| What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@types/node@25.0.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Embedded URLs or IPs: npm `esbuild` URLs: https://stackoverflow.com/questions/49580725, https://esbuild.github.io/api/#build, https://esbuild.github.io/api/#transform, https://esbuild.github.io/api/#analyze, https://esbuild.github.io/api/#browser, https://yarnpkg.com/configuration/yarnrc/#supportedArchitectures, https://nodejs.org/en/download/. Location: Package overview From: `?` → `npm/@playform/build@0.2.6` → `npm/esbuild@0.27.2` ℹ Read more on: This package \| This alert \| What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/esbuild@0.27.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
See 1 more row in the dashboard

View full report

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jan 8, 2026

github-actions bot approved these changes Jan 8, 2026

View reviewed changes

github-actions bot merged commit 0774378 into Current Jan 8, 2026
9 of 10 checks passed

github-actions bot assigned NikolaRHristov Jan 8, 2026

github-actions bot deleted the dependabot/npm_and_yarn/playform/build-0.2.6 branch January 8, 2026 02:19

github-actions bot requested a review from NikolaRHristov January 8, 2026 02:19

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bump @playform/build from 0.2.5 to 0.2.6#77

Bump @playform/build from 0.2.5 to 0.2.6#77
github-actions[bot] merged 1 commit intoCurrentfrom
dependabot/npm_and_yarn/playform/build-0.2.6

dependabot bot commented on behalf of github Jan 8, 2026

Uh oh!

Uh oh!

socket-security bot commented Jan 8, 2026

Uh oh!

socket-security bot commented Jan 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

1 participant

Uh oh!

Conversation

dependabot bot commented on behalf of github Jan 8, 2026

v0.2.6

Build/v0.2.6

What's Changed

0.2.6

Change

Uh oh!

Uh oh!

socket-security bot commented Jan 8, 2026

Uh oh!

socket-security bot commented Jan 8, 2026

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

1 participant