Update ui deps sync (major) #685

renovate · 2025-10-06T07:39:24Z

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
openai	`5.13.1` -> `6.2.0`
openai	`5.13.1` -> `6.2.0`
svelte-check	`^3.0.1` -> `^4.3.3`
svelte-preprocess	`^5.0.0` -> `^6.0.3`
tailwindcss (source)	`^3.0.15` -> `^4.1.14`

Release Notes

openai/openai-node (openai)

`v6.2.0`

Compare Source

Full Changelog: v6.1.0...v6.2.0

Features

api: dev day 2025 launches (f2816db)

Chores

internal: codegen related update (b6f64b7)
jsdoc: fix @link annotations to refer only to parts of the package‘s public interface (73e465d)

`v6.1.0`

Compare Source

Full Changelog: v6.1.0...v6.2.0

Features

api: dev day 2025 launches (f2816db)

Chores

internal: codegen related update (b6f64b7)
jsdoc: fix @link annotations to refer only to parts of the package‘s public interface (73e465d)

`v6.0.1`

Compare Source

Full Changelog: v6.0.1...v6.1.0

Features

api: add support for realtime calls (5de9585)

`v6.0.0`

Compare Source

Full Changelog: v6.0.0...v6.0.1

Bug Fixes

api: add status, approval_request_id to MCP tool call (498c6a5)

`v5.23.2`

Compare Source

Full Changelog: v5.23.2...v6.0.0

⚠ BREAKING CHANGES

api: ResponseFunctionToolCallOutputItem.output and ResponseCustomToolCallOutput.output now return string | Array<ResponseInputText | ResponseInputImage | ResponseInputFile> instead of string only. This may break existing callsites that assume output is always a string.

Features

api: Support images and files for function call outputs in responses, BatchUsage (abe56f8)

Chores

compat with zod v4 (#1658) (94569a0)

`v5.23.1`

Compare Source

Full Changelog: v5.23.1...v5.23.2

Chores

env-tests: upgrade jest-fixed-jsdom 0.0.9 -> 0.0.10 (6d6d0b0)
internal: codegen related update (1b684af)
internal: ignore .eslintcache (da9e146)

`v5.23.0`

Compare Source

Full Changelog: v5.23.0...v5.23.1

Bug Fixes

realtime: remove beta header from GA classes (a5e9e70)

Performance Improvements

faster formatting (d56f309)

Chores

internal: fix incremental formatting in some cases (166d28f)
internal: remove deprecated compilerOptions.baseUrl from tsconfig.json (dfab408)

`v5.22.1`

Compare Source

Full Changelog: v5.22.1...v5.23.0

Features

api: gpt-5-codex (2e4ece6)

`v5.22.0`

Compare Source

Full Changelog: v5.22.0...v5.22.1

Bug Fixes

api: fix mcp tool name (fa9f305)

Chores

api: openapi updates for conversations (975c075)
do not install brew dependencies in ./scripts/bootstrap by default (6f5e45f)
improve example values (b336a64)

`v5.21.0`

Compare Source

Full Changelog: v5.21.0...v5.22.0

Features

api: add reasoning_text (7ff6186)

Chores

api: manual fixes for streaming (3a2ae4c)

`v5.20.3`

Compare Source

Full Changelog: v5.20.3...v5.21.0

Features

api: type updates for conversations, reasoning_effort and results for evals (f243f54)

`v5.20.2`

Compare Source

Full Changelog: v5.20.2...v5.20.3

Chores

api: docs and spec refactoring (05b4498)

`v5.20.1`

Compare Source

Full Changelog: v5.20.1...v5.20.2

Bug Fixes

coerce nullable values to undefined (836d1b4)

Chores

api: Minor docs and type updates for realtime (ccb00dc)

`v5.20.0`

Compare Source

Full Changelog: v5.20.0...v5.20.1

Chores

api: fix realtime GA types (1c0d314)

`v5.19.1`

Compare Source

Full Changelog: v5.19.1...v5.20.0

Features

api: ship the RealtimeGA API shape (4286ddd)

Chores

ci build action (c8ce143)

`v5.19.0`

Compare Source

Full Changelog: v5.19.0...v5.19.1

Bug Fixes

azure: correctly send API key (#1635) (08f6178)

`v5.18.1`

Compare Source

Full Changelog: v5.18.1...v5.19.0

Features

api: Add gpt-realtime models (256d932)

`v5.18.0`

Compare Source

Full Changelog: v5.18.0...v5.18.1

Chores

api: manual updates for ResponseInputAudio (570501b)

`v5.17.0`

Compare Source

Full Changelog: v5.17.0...v5.18.0

Features

client: support api key provider functions (#1587) (c3a92c7)

Bug Fixes

update non beta realtime websockets helpers (265a42f)

`v5.16.0`

Compare Source

Full Changelog: v5.16.0...v5.17.0

Features

api: realtime API updates (e817255)

Chores

internal: update global Error reference (e566ff3)

`v5.15.0`

Compare Source

Full Changelog: v5.15.0...v5.16.0

Features

api: add web search filters (975b141)

Chores

client: qualify global Blob (7998d3f)
update CI script (accb0c1)

sveltejs/language-tools (svelte-check)

`v4.3.3`

Compare Source

Patch Changes

fix: prevent file watcher issue (#2859)
fix: allow undefined and null values for #each in Svelte 5 (#2863)
perf: check if file content changed in tsconfig file watch (#2859)

`v4.3.2`

Compare Source

Patch Changes

perf: tweak some snapshot hot paths (#2852)
perf: more precise module cache invalidation (#2853)
fix: properly handle runes={false} in <svelte:options> (#2847)

See https://github.com/sveltejs/language-tools/releases

`v4.3.1`

Compare Source

fix: handle object literal in MustacheTag (#2805)

`v4.3.0`

Compare Source

feat: zero types for params (#2795)
feat: add await support (#2799)
fix: strip doctype using AST instead of regex (#2798)
chore: make human output more concise and readable (#2748)

`v4.2.2`

Compare Source

fix: invalidate project file cache and handle watcher race condition (#2779)
fix: prevent error with bind:this={get, set} (#2781)
fix: don't treat derived imported from svelte/store as a potential store (#2780)
fix: key block can have its own block scope (#2768)

`v4.2.1`

Compare Source

feat: support generics on snippets (#2761)

`v4.2.0`

Compare Source

feat: support attachments (#2760)
fix: deduplicate definition for rune-mode components (#2759)

`v4.1.7`

Compare Source

fix: robustify hoisting logic around prop types (#2740)
fix: ensure typed exports are marked as used (#2746)
chore: bump vscode-html/css-language-service (#2752)
fix: ensure eligible snippets can be referenced in module script (#2753)
fix: prevent error with unclosed tag followed by LF or end of file (#2750)

`v4.1.6`

Compare Source

fix: prevent unused variable error for bindable
fix: ensure exports in runes mode are marked as used
fix: add color CLI options

`v4.1.5`

Compare Source

fix: take other snippets into account when checking for hoistability (#2668)
fix: disambiguate render in module script (#2667)
fix: properly transform $props.id when $props is assigned to props (#2694)
fix: handle booleanish popover (#2702)
chore: bump vscode-html/css-language-service (#2677)
fix: use referenced project's compiler option to get resolution mode (#2676)

`v4.1.4`

Compare Source

fix: don't hoist types/snippets referencing stores or destructured variables (#2661)

`v4.1.3`

Compare Source

fix: move snippets to correct place when only module script present

`v4.1.2`

Compare Source

feat: support generics attribute for JSDoc (#2624)
fix: better snippet/interface hoistability analysis (#2655)
chore: TypeScript 5.7 support (#2585)

`v4.1.1`

Compare Source

fix: support each without as (#2615)

`v4.1.0`

Compare Source

fix: don't move appended content from previous node while hoisting interface (#2596)
fix: ensure hoisted interfaces are moved after hoisted imports (#2597)
fix: preserve bind:... mapping on elements for better source maps
feat: prepare for some upcoming features of Svelte 5

`v4.0.9`

Compare Source

fix: detect shadowed variables/types during type hoisting (#2590)

`v4.0.8`

Compare Source

fix: fall back to any instead of unknown for untyped $props (#2582)
fix: robustify and fix file writing (#2584)
fix: hoist types related to $props rune if possible (#2571)

`v4.0.7`

Compare Source

fix: $props: infer types for $bindable, infer function type from arrow function

`v4.0.6`

Compare Source

chore: autotype const load = ... declarations (#2540)
chore: provide component instance type in Svelte 5 (#2553)
chore: support typescript 5.6 (#2545)
fix: infer object and array shapes from fallback types (#2562)

`v4.0.5`

Compare Source

fix: include named exports in svelte 5 type (#2528)

`v4.0.4`

Compare Source

fix: relax component constructor type (#2524)

`v4.0.3`

Compare Source

breaking(svelte5): only generate function component shape in runes mode (#2517). This means you can no longer just do Component in type positions. Instead you need to prepend it with typeof. Here's how you do it:
- ...when typing a component instance: Before: let x: Component. After: let x: ReturnType<typeof Component>
- ...when typing a component constructor/function: Before let x: typeof Component. After let x: typeof Component (no change)
fix: revert additional two-way-binding checks as they were causing bugs (#2508)
fix: include files indirectly belonging to a project into correct project (#2488)
fix: check project files update more aggressively before assigning service (#2518)
chore: upgrade to chokidar 4 (#2502)

`v4.0.2`

Compare Source

fix: ensure components typed through Svelte 5's Component interface get proper intellisense

`v4.0.1`

Compare Source

fix: remove ancient process augmentation from internal d.ts file

`v4.0.0`

Compare Source

chore: bump magic-string (#2476)
chore: switch from fast-glob to fdir (#2433)
fix: detect <script module> tag (#2482)
feat: better type checking for bindings in Svelte 5 (#2477)
feat: replace svelte-preprocess with barebones TS preprocessor (#2452)
feat: project reference support (#2463)

Breaking changes

require Svelte 4 or later (#2453)
make TypeScript a peer dependency, require TS 5 or later (#2453)
require node 18 or later (#2453)
process augmentation (declaring a process.browser field) was removed
slight changes to how files are assigned to which tsconfig.json (#1234, #2463)
slight changes to how Svelte module resolution works; .svelte files now take precedence over .svelte.js/ts files (if both exist) (#2481)
language-server now forces fewer TypeScript options. Most notably skipLibCheck is no longer forced to true, which may result in d.ts files now being checked in your project, which they were not before, revealing type errors. Either fix those or add "skipLibCheck": true to your tsconfig.json (#1976, #2463)

sveltejs/svelte-preprocess (svelte-preprocess)

`v6.0.3`

Compare Source

Bug Fixes

add pug mixins to support svelte-5 syntax (#654) (9d49f3d)
ignore sass deprecation warning (#657) (9b54325), closes #656

`v6.0.2`

Compare Source

Bug Fixes

remove customConditions tsconfig option (#648) (afb80ae), closes #646

`v6.0.1`

Compare Source

Bug Fixes

deprecate default export in favor of named export (#641) (a43de10), closes #591

`v6.0.0`

Compare Source

BREAKING CHANGES

remove TS mixed imports support, require TS 5.0 or higher
remove preserve option as it's unnecessary
require Svelte 4+, Node 18+
add exports map

Bug Fixes

adjust globalifySelector to not split selectors with parentheses. (#632) (c435ebd), closes #501
fix: allow TS filename to be undefined, fixes #488
fix: adjust Svelte compiler type import
fix: remove pug types and magic-string from dependencies
chore: bump peer deps, fixes #553

5.1.4 (2024-04-16)

Bug Fixes

remove pnpm version restriction (#629) (2713b82)

5.1.3 (2023-12-18)

Bug Fixes

sass dependency list referencing source file in win32 (#621) (209312f)

5.1.2 (2023-12-12)

chore: mark postcss-load-config 5 as supported (3b5b1f0)

5.1.1 (2023-11-21)

Bug Fixes

force module(resolution) (66d3cf9)

tailwindlabs/tailwindcss (tailwindcss)

`v4.1.14`

Compare Source

Fixed

Handle ' syntax in ClojureScript when extracting classes (#18888)
Handle @variant inside @custom-variant (#18885)
Merge suggestions when using @utility (#18900)
Ensure that file system watchers created when using the CLI are always cleaned up (#18905)
Do not generate grid-column utilities when configuring grid-column-start or grid-column-end (#18907)
Do not generate grid-row utilities when configuring grid-row-start or grid-row-end (#18907)
Prevent duplicate CSS when overwriting a static utility with a theme key (#18056)
Show Lightning CSS warnings (if any) when optimizing/minifying (#18918)
Use default export condition for @tailwindcss/vite (#18948)
Re-throw errors from PostCSS nodes (#18373)
Detect classes in markdown inline directives (#18967)
Ensure files with only @theme produce no output when built (#18979)
Support Maud templates when extracting classes (#18988)
Upgrade: Do not migrate variant = 'outline' during upgrades (#18922)
Upgrade: Show version mismatch (if any) when running upgrade tool (#19028)
Upgrade: Ensure first class inside className is migrated (#19031)
Upgrade: Migrate classes inside *ClassName and *Class attributes (#19031)

`v4.1.13`

Compare Source

Changed

Drop warning from browser build (#18731)
Drop exact duplicate declarations when emitting CSS (#18809)

Fixed

Don't transition visibility when using transition (#18795)
Discard matched variants with unknown named values (#18799)
Discard matched variants with non-string values (#18799)
Show suggestions for known matchVariant values (#18798)
Replace deprecated clip with clip-path in sr-only (#18769)
Hide internal fields from completions in matchUtilities (#18820)
Ignore .vercel folders by default (can be overridden by @source … rules) (#18855)
Consider variants starting with @- to be invalid (e.g. @-2xl:flex) (#18869)
Do not allow custom variants to start or end with a - or _ (#18867, #18872)
Upgrade: Migrate aria theme keys to @custom-variant (#18815)
Upgrade: Migrate data theme keys to @custom-variant (#18816)
Upgrade: Migrate supports theme keys to @custom-variant (#18817)

`v4.1.12`

Compare Source

Fixed

Don't consider the global important state in @apply (#18404)
Add missing suggestions for flex-<number> utilities (#18642)
Fix trailing ) from interfering with extraction in Clojure keywords (#18345)
Detect classes inside Elixir charlist, word list, and string sigils (#18432)
Track source locations through @plugin and @config (#18345)
Allow boolean values of process.env.DEBUG in @tailwindcss/node (#18485)
Ignore consecutive semicolons in the CSS parser (#18532)
Center the dropdown icon added to an input with a paired datalist by default (#18511)
Extract candidates in Slang templates (#18565)
Improve error messages when encountering invalid functional utility names (#18568)
Discard CSS AST objects with false or undefined properties (#18571)
Allow users to disable URL rebasing in @tailwindcss/postcss via transformAssetUrls: false (#18321)
Fix false-positive migrations in addEventListener and JavaScript variable names (#18718)
Fix Standalone CLI showing default Bun help when run via symlink on Windows (#18723)
Read from --border-color-* theme keys in divide-* utilities for backwards compatibility (#18704)
Don't scan .hdr and .exr files for classes by default (#18734)

`v4.1.11`

Compare Source

Fixed

Add heuristic to skip candidate migrations inside emit(…) (#18330)
Extract candidates with variants in Clojure/ClojureScript keywords (#18338)
Document --watch=always in the CLI's usage (#18337)
Add support for Vite 7 to @tailwindcss/vite (#18384)

`v4.1.10`

Compare Source

Fixed

Fix incorrectly generated CSS when using percentages in arbitrary values with calc, e.g.: w-[calc(100%-var(--offset))] (#18289)

`v4.1.9`

Compare Source

Fixed

Correctly parse custom properties with strings containing semicolons (#18251)
Upgrade: Migrate arbitrary modifiers without percentage signs to bare values (e.g. /[0.16] → /16) (#18184)
Upgrade: Migrate CSS variable shorthands where fallback value contains function call (#18184)
Upgrade: Migrate negative arbitrary values to negative bare values (e.g. mb-[-32rem] → -mb-128) (#18212)
Upgrade: Do not migrate blur in wire:model.blur (#18216)
Don't add spaces around CSS dashed idents when formatting math expressions (#18220)

`v4.1.8`

Compare Source

Added

Improve error messages when @apply fails (#18059)

Fixed

Upgrade: Do not migrate declarations that look like candidates in <style> blocks (#18057, 18068)
Upgrade: Don't error when looking for tailwindcss in pnpm monorepos (#18065)
Upgrade: Don't error when updating dependencies in pnpm monorepos (#18065)
Upgrade: Migrate deprecated order-none to order-0 (#18126)
Support Leptos class: attributes when extracting classes (#18093)
Fix "Cannot read properties of undefined" crash on malformed arbitrary value (#18133)
Upgrade: Migrate -mt-[0px] to mt-[0px] instead of the other way around (#18154)
Fix Haml pre-processing crash when there is no \n at the end of the file (#18155)
Ignore .pnpm-store folders by default (can be overridden by @source … rules) (#18163)
Fix PostCSS crash when calling toJSON() (#18083)

`v4.1.7`

Compare Source

Added

Upgrade: Migrate bare values to named values (#18000)
Upgrade: Added cache to improve template migration performance (#18025)

Fixed

Allow _ before numbers during candidate extraction (#17961)
Prevent duplicate suggestions when using @theme and @utility together (#17675)
Ensure that media queries within ::before and ::after pseudo selectors create valid CSS rules in production builds (#17979)
Ensure that the standalone CLI does not leave temporary files behind (#17981)
Ensure -rotate-* utilities properly negate arbitrary values (#18014)
Ignore custom variants using :merge(…) selectors in legacy JS plugins (#18020)
Ensure classes containing . are properly extracted from Clojure files (#18038)
Upgrade: Fix error when using @import … source(…) (#17963)
Upgrade: Change casing of utilities with named values to kebab-case to match updated theme variables (#18017)
Upgrade: Don't migrate strings that match utility names in Vue attribute bindings other than class (#18025)

`v4.1.6`

Compare Source

Added

Upgrade: Automatically convert arbitrary values to named values when possible (e.g. h-[1lh] to h-lh) (#17831, #17854)
Upgrade: Update dependencies in parallel for improved performance (#17898)
Add detailed logging about @source directives, discovered files and scanned files when using DEBUG=* (#17906, #17952)
Add support for generating source maps in development (#17775)

Fixed

Ensure negative arbitrary scale values generate negative values (#17831)
Fix HAML extraction with embedded Ruby (#17846)
Don't scan files for utilities when using @reference (#17836)
Fix incorrectly replacing _ with in arbitrary modifier shorthand bg-red-500/(--my_opacity) (#17889)
Don't scan .log files for classes by default (#17906)
Ensure that custom utilities applying other custom utilities don't swallow nested @apply rules (#17925)
Download platform specific package if optionalDependencies are skipped (#17929)

`v4.1.5`

Compare Source

Added

Support using @tailwindcss/upgrade to upgrade between versions of v4.* (#17717)
Add h-lh / min-h-lh / max-h-lh utilities (#17790)
Transition display, visibility, content-visibility, overlay, and pointer-events when using transition to simplify @starting-style usage (#17812)

Fixed

Don't scan .geojson or .db files for classes by default (#17700, #17711)
Hide default shadow suggestions when missing default shadow theme keys (#17743)
Replace _ with . in theme suggestions for @utility if surrounded by digits (#17733)
Skip color-mix(…) when opacity is 100% (#17815)
PostCSS: Ensure that errors in imported stylesheets are recoverable (#17754)
Upgrade: Bump all Tailwind CSS related dependencies during upgrade (#17763)
Upgrade: Don't add - to variants starting with @ (#17814)
Upgrade: Don't format stylesheets that didn't change when upgrading (#17824)

Changed

Ignore .hg, .svn, .venv, venv, .yarn, .next, .turbo, .parcel-cache, __pycache__, and .svelte-kit folders by default (can be overridden by @source … rules) (#17892)
@source rules that point inside .hg, .svn, .venv, venv, .yarn, .next, .turbo, .parcel-cache, __pycache__, and .svelte-kit folders no longer consider your .gitignore rules (#17892)

`v4.1.4`

[Compare Source](https://redirect.github.com/tailwindla

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

coderabbitai · 2025-10-06T07:39:49Z

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

socket-security · 2025-10-08T16:46:12Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@nomicfoundation/hardhat-toolbox@6.1.0
	hardhat@2.26.3
	@openzeppelin/contracts@5.4.0

View full report

socket-security · 2025-10-08T16:46:15Z

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Block		`[email protected]` has a High CVE. CVE: GHSA-4hjh-wcwx-xvwj Axios is vulnerable to DoS attack through lack of data size check (HIGH) Affected versions: >= 1.0.0 < 1.12.0; < 0.30.2 Patched version: 1.12.0 From: packages/core/solidity/src/environments/hardhat/package-lock.json → `npm/@nomicfoundation/[email protected]` → `npm/[email protected]` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		`[email protected]` is a AI-detected potential code anomaly. Notes: The code implements a global module loader hook that prepends a require('amdefine')(module) shim to nearly all .js modules before they are compiled. This is not directly overtly malicious, but it is a high-impact supply-chain/style modification: it alters every module load, can obscure behavior from static analysis, and increases attack surface if an attacker can modify this package or the amdefine module. Use of this module should be considered a risk in environments that require strict control of execution semantics or provenance; review and pin amdefine and this loader carefully. No clear evidence of direct data exfiltration or backdoor in this fragment. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → `npm/@nomicfoundation/[email protected]` → `npm/[email protected]` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		`[email protected]` has a Low CVE. CVE: GHSA-pxg6-pf52-xh8x cookie accepts cookie name, path, and domain with out of bounds characters (LOW) Affected versions: < 0.7.0 Patched version: 0.7.0 From: packages/core/solidity/src/environments/hardhat/package-lock.json → `npm/[email protected]` → `npm/[email protected]` ℹ Read more on: This package \| This alert \| What is a mild CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Remove or replace dependencies that include known low severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		`[email protected]` is a AI-detected potential code anomaly. Notes: No direct malicious actions (network exfiltration, reverse shells, or hard-coded credentials) are present in this fragment. However, the module intentionally monkeypatches Node's module loader and VM APIs to transform and execute code at load time. Those capabilities are high-risk: if a malicious transformer/matcher is supplied (or if the package itself is replaced with a malicious version), it can inject arbitrary code into any loaded module, enabling supply-chain attacks, data theft, or backdoors. Reviewers should treat usage of this module as a high-privilege operation, ensure transformers are trusted, and limit hook usage to controlled environments. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → `npm/@nomicfoundation/[email protected]` → `npm/[email protected]` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		`[email protected]` is a AI-detected potential code anomaly. Notes: The code appears to be a WebAssembly (WASM) module implementing HTTP parsing functionality. The code contains suspicious elements such as ability to handle HTTP headers, message bodies, and chunk extensions. While it may be legitimate parser code, the obfuscated nature and presence of low-level binary operations warrants careful review due to potential for misuse in HTTP request/response manipulation or header injection attacks. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → `npm/@nomicfoundation/[email protected]` → `npm/[email protected]` → `npm/[email protected]` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		`[email protected]` is a AI-detected potential code anomaly. Notes: The code implements a cross-chain deposit flow with proper validations, artifact reads, and on-chain interactions. There is no evidence of hidden backdoors, data exfiltration, or malware. The main security considerations relate to token approval logic and correct configuration of flags to avoid granting excessive allowances. Overall, the module appears legitimate for a bridge deposit flow, with moderate risk primarily around configuration of approvals and correct handling of gas/fees. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → `npm/@nomicfoundation/[email protected]` → `npm/[email protected]` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		`[email protected]` is a AI-detected potential code anomaly. Notes: The code implements a standard EventTarget-like mixin for wrapping event listeners and dispatching events to user callbacks. There are no suspicious patterns such as dynamic code execution, hardcoded secrets, or network activity. The risk is contingent on what the consumer does inside their handlers; the snippet itself does not introduce malware or data leakage mechanisms beyond normal event dispatch. Overall security risk is low in isolation. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → `npm/@nomicfoundation/[email protected]` → `npm/[email protected]` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		`[email protected]` is a AI-detected potential code anomaly. Notes: The code implements a standard EventTarget-like mixin for wrapping event listeners and dispatching events to user callbacks. There are no suspicious patterns such as dynamic code execution, hardcoded secrets, or network activity. The risk is contingent on what the consumer does inside their handlers; the snippet itself does not introduce malware or data leakage mechanisms beyond normal event dispatch. Overall security risk is low in isolation. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → `npm/@nomicfoundation/[email protected]` → `npm/[email protected]` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

renovate bot requested a review from a team as a code owner October 6, 2025 07:39

renovate bot force-pushed the renovate/major-ui-deps-sync branch 5 times, most recently from e49ac46 to 394311c Compare October 8, 2025 16:38

Update ui deps sync

1f45864

renovate bot force-pushed the renovate/major-ui-deps-sync branch from 394311c to 1f45864 Compare October 8, 2025 20:24

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Update ui deps sync (major) #685

Update ui deps sync (major) #685

renovate bot commented Oct 6, 2025 •

edited

Loading

Uh oh!

coderabbitai bot commented Oct 6, 2025 •

edited

Loading

Review skipped

Uh oh!

socket-security bot commented Oct 8, 2025 •

edited

Loading

Uh oh!

socket-security bot commented Oct 8, 2025 •

edited

Loading

Uh oh!

Uh oh!

Update ui deps sync (major) #685

Are you sure you want to change the base?

Update ui deps sync (major) #685

Conversation

renovate bot commented Oct 6, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

Features

Chores

Features

Chores

Features

Bug Fixes

⚠ BREAKING CHANGES

Features

Chores

Chores

Bug Fixes

Performance Improvements

Chores

Features

Bug Fixes

Chores

Features

Chores

Features

Chores

Bug Fixes

Chores

Chores

Features

Chores

Bug Fixes

Features

Chores

Features

Bug Fixes

Features

Chores

Features

Chores

Patch Changes

Patch Changes

Breaking changes

Bug Fixes

Bug Fixes

Bug Fixes

BREAKING CHANGES

Bug Fixes

5.1.4 (2024-04-16)

Bug Fixes

5.1.3 (2023-12-18)

Bug Fixes

5.1.2 (2023-12-12)

5.1.1 (2023-11-21)

Bug Fixes

Fixed

Changed

Fixed

Fixed

Fixed

Fixed

Fixed

Added

Fixed

Added

Fixed

Added

Fixed

Added

Fixed

Changed

Configuration

Uh oh!

coderabbitai bot commented Oct 6, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Review skipped

Uh oh!

socket-security bot commented Oct 8, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

renovate bot commented Oct 6, 2025 •

edited

Loading

coderabbitai bot commented Oct 6, 2025 •

edited

Loading

socket-security bot commented Oct 8, 2025 •

edited

Loading

socket-security bot commented Oct 8, 2025 •

edited

Loading