Update dependency eslint-plugin-unicorn to v62

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
eslint-plugin-unicorn	^61.0.0 → ^62.0.0

---

Release Notes

sindresorhus/eslint-plugin-unicorn (eslint-plugin-unicorn)

v62.0.0

Compare Source

New rules

• no-immediate-mutation (#​2787) e1c7d2e
• no-useless-collection-argument (#​2777) 2d07c9a
• prefer-response-static-json (#​2778) ffe5943

Improvements

• text-encoding-identifier-case: Add withDash option (#​2780) 9025386
• no-useless-undefined: Check one undefined at a time (#​2792) 27f7509
• prefer-single-call: Check optional chaining (#​2788) 8a132ac
• text-encoding-identifier-case: Enforce 'utf-8' in form[acceptCharset] and TextDecoder (#​2785) 46b3974
• prefer-node-protocol: Handle TypeScript import types (#​2774) 13a37a0
• no-array-for-each: Ignore forEach for Effect library (#​2783) 2ef6f83
• prefer-string-raw: Ignore more places that requires a string (#​2776) 43bc429
• prefer-string-raw: Add support for template literals (#​2691) 52723a2
• prefer-global-this: Add navigation to windowSpecificAPIs (#​2770) 0c93998
• prefer-code-point: Report cases where String.fromCharCode is not called directly (#​2766) 1d682a1
• no-useless-spread: Safely remove empty array and object (#​2764) 7aeabab

Fixes

• consistent-function-scoping: Fix inconsistent behavior (#​2748) a546444

---

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Walkthrough

The eslint-plugin-unicorn devDependency version constraint was updated from ^61.0.0 to ^62.0.0 in package.json. This allows the package manager to install compatible versions within the 62.x release series.

Changes

Cohort / File(s)	Summary
Dependency version update package.json	Updated eslint-plugin-unicorn devDependency from ^61.0.0 to ^62.0.0

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~1 minute

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The PR title "Update dependency eslint-plugin-unicorn to v62" directly and accurately reflects the primary change in the changeset, which updates the eslint-plugin-unicorn devDependency from ^61.0.0 to ^62.0.0. The title is concise, specific, and clearly communicates the main objective of the PR in a way that would be easily understood by someone reviewing the commit history.
Description check	✅ Passed	The pull request description clearly relates to the changeset, detailing the eslint-plugin-unicorn version update from ^61.0.0 to ^62.0.0 with comprehensive release notes and metadata.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

• 📝 Generate docstrings

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Malicious package: npm terser Note: This VS Code extension is classified as malware because it exhibits high-confidence brandjacking and typosquatting indicators that strongly imply deceptive distribution and user impersonation: Publisher impersonation: The VSIX claims to be “JFrog VSCode Extension,” but it is published by Artifactory-Software-Studio, not the official JFrog publisher. Typosquatted identifier: The extension’s identity is vscode-jrrog-extension (note the “jrrog” typo), which is a look-alike of the official JFrog extension identifier and consistent with marketplace typosquat tactics. Abuse of trust via branding: The manifest and package metadata deliberately reuse JFrog’s brand name (“JFrog VSCode Extension”) to induce installation under false provenance. High-risk capability overlap: The extension’s functionality includes reading JFrog CLI configuration/credentials and initiating outbound network connections for scanning workflows. In a typosquatted/impersonating package, these capabilities materially increase the likelihood of credential theft or sensitive project metadata leakage, regardless of whether the current bundle contains overt C2 logic. Together, the deceptive provenance (non-official publisher + typo-lookalike ID + brand reuse) is sufficient to classify the extension as malicious because it is designed to obtain installs by masquerading as a trusted vendor extension, a common precursor to credential harvesting and supply-chain compromise. From: ? → npm/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is known malware? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: It is strongly recommended that malware is removed from your codebase. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default in npm @modelcontextprotocol/sdk CVE: GHSA-w48q-cv73-mx4w Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default (HIGH) Affected versions: < 1.24.0 Patched version: 1.24.0 From: packages/mcp/package.json → npm/@modelcontextprotocol/[email protected] ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@modelcontextprotocol/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: Anthropic's MCP TypeScript SDK has a ReDoS vulnerability in npm @modelcontextprotocol/sdk CVE: GHSA-8r9q-7v3j-jr4g Anthropic's MCP TypeScript SDK has a ReDoS vulnerability (HIGH) Affected versions: < 1.25.2 Patched version: 1.25.2 From: packages/mcp/package.json → npm/@modelcontextprotocol/[email protected] ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@modelcontextprotocol/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: npm qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion CVE: GHSA-6rw7-vpxm-498p qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion (HIGH) Affected versions: < 6.14.1 Patched version: 6.14.1 From: ? → npm/@modelcontextprotocol/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @humanwhocodes/retry is 100.0% likely to have a medium risk anomaly Notes: The Retrier class implements a conventional, well-scoped retry mechanism with abort support and backoff-like scheduling. There is no evidence of malicious behavior, data exfiltration, or backdoors in this fragment. The primary security considerations relate to the trustworthiness of the host-provided function (fn) and the external timing constants that govern bail/retry behavior. Overall risk is moderate due to the possibility of executing arbitrary host code, but this is expected for a retry utility; no external communications or data leakage are evident here. Confidence: 1.00 Severity: 0.60 From: ? → npm/[email protected] → npm/@humanwhocodes/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@humanwhocodes/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly Notes: The code represents a conventional, non-obfuscated part of AJV’s custom keyword support. No direct malicious actions are evident within this module. Security concerns mainly arise from the broader supply chain: the external rule implementation (dotjs/custom), the definition schema, and any user-supplied keyword definitions. The dynamic compilation path (compile(metaSchema, true)) should be exercised with trusted inputs. Recommended follow-up: review the contents of the external modules and monitor the inputs supplied to addKeyword/definitionSchema to ensure no unsafe behavior is introduced during validation or data handling. Confidence: 1.00 Severity: 0.60 From: ? → npm/[email protected] → npm/@modelcontextprotocol/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm consola is 100.0% likely to have a medium risk anomaly Notes: The analyzed code fragment is a feature-rich, standard Consola logging utility responsible for redirecting and managing log output with throttling, pausing, and reporter integration. There is no direct evidence of malicious activity, hardcoded secrets, or exfiltration within this snippet. However, the powerful I/O overrides pose privacy and data flow risks if reporters or downstream sinks are untrusted. The security posture hinges on trusted reporters and proper governance of the overall supply chain. Confidence: 1.00 Severity: 0.60 From: ? → npm/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm css-tree is 100.0% likely to have a medium risk anomaly Notes: The code is a standard, well-scoped parser fragment for a DSL-like FeatureFunction construct. It uses dynamic feature dispatch with proper balance checks and safe fallbacks, and emits a consistent AST node. No malicious behavior detected; the main risks relate to misconfiguration of the features map rather than code-level exploits. Confidence: 1.00 Severity: 0.60 From: ? → npm/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm detect-libc is 100.0% likely to have a medium risk anomaly Notes: The code represents a robust, multi-source libc detection utility for Linux, prioritizing filesystem data, then runtime reports, and finally command-based inference. It shows no malicious behavior and aligns with expected patterns for environment introspection. The main improvement areas are strengthening error visibility and handling edge cases where outputs differ from standard expectations. Confidence: 1.00 Severity: 0.60 From: ? → npm/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm hardhat is 100.0% likely to have a medium risk anomaly Notes: The code implements a subprocess-based transport to offload event sending. While this can reduce main-process dependencies, it creates a cross-process data path that exposes the serialized event via environment variables to an external subprocess. The subprocess script (not present here) becomes a critical trust boundary. Without inspecting the subprocess implementation and package contents, there is a non-trivial risk of data leakage or tampering via the external process. No explicit malware detected in this fragment, but the design warrants careful review of the subprocess code and supply chain integrity. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/package.json → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm ignore is 100.0% likely to have a medium risk anomaly Notes: The code fragment represents a conventional, well-structured path-ignore utility with caching and recursive parent-directory evaluation. Windows path normalization is present for compatibility but does not indicate malicious intent. No indicators of data leakage, external communication, or covert backdoors were found. Security impact primarily revolves around correct ignore semantics rather than intrinsic vulnerabilities. The component remains appropriate for use in a broader security-conscious pipeline if used with careful awareness of what is being ignored. Confidence: 1.00 Severity: 0.60 From: ? → npm/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm object-hash is 100.0% likely to have a medium risk anomaly Notes: Conclusion: The code appears to be a standard, open-source-like object hashing/serialization utility with streaming capabilities. No active malicious behavior detected within this fragment. Minor issues (typos, blob handling edge-case, and potential performance considerations for large inputs) should be addressed to reduce risk in supply-chain contexts. Overall security risk remains moderate and workload/usage controls should govern integration. Confidence: 1.00 Severity: 0.60 From: ? → npm/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm openai is 100.0% likely to have a medium risk anomaly Notes: The script itself is not evidently malicious but poses a moderate-to-high supply-chain risk: it invokes npx to download and execute a GitHub-hosted tarball and passes a local migration-config.json path and the process environment to the remote code. That remote code could perform arbitrary actions, read local configuration or environment secrets, or exfiltrate data. Mitigations: avoid using tarball URLs in runtime invocations, pin to vetted packages in package.json, verify integrity (checksums/signatures), vendor the migration tool or require an explicit local installation, and avoid passing sensitive file paths or environment variables to untrusted code. Confidence: 1.00 Severity: 0.60 From: packages/ui/package.json → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm prettier is 100.0% likely to have a medium risk anomaly Notes: No definitive malware detected in this fragment. The main security concern is supply-chain risk from dynamically loading plugins from potentially untrusted sources. To mitigate, enforce strict plugin provenance, disable remote plugin loading, verify plugin integrity, and apply least-privilege execution for plugins. Confidence: 1.00 Severity: 0.60 From: package.json → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm proxy-addr is 100.0% likely to have a medium risk anomaly Notes: The code is a standard, well-scoped IP trust utility (proxy-addr) with no evidence of malicious behavior. It reads IPs from request headers, validates and normalizes them, and applies a trust policy to determine the client address. No backdoors, exfiltration, or dangerous operations are present. The security posture appears acceptable for its intended purpose when used as a dependency in an Open Source project. Confidence: 1.00 Severity: 0.60 From: ? → npm/@modelcontextprotocol/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm resolve is 100.0% likely to have a medium risk anomaly Notes: This manifest uses a non-registry, relative-path dependency ('resolve': '../../../') which is a significant supply-chain risk because it allows arbitrary local code to be pulled in and executed without registry protections. Combined with the 'lerna bootstrap' postinstall script (which can trigger other lifecycle scripts across the monorepo), this setup increases the chance of untrusted code execution and other malicious behavior. Inspect the target of the relative path, all bootstrap-linked packages, and any lifecycle scripts before running npm install in an untrusted environment. Confidence: 1.00 Severity: 0.60 From: ? → npm/@rollup/[email protected] → npm/[email protected] → npm/[email protected] → npm/@rollup/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm rimraf is 100.0% likely to have a medium risk anomaly Notes: The rimraf module analyzed appears to be a conventional, dependable recursive deletion utility with thoughtful cross-platform safeguards and backoff strategies. There is no evidence of malicious activity, data leakage, or backdoors. The primary risk is accidental or intentional destructive file system changes if misused; treat as legitimate utility with appropriate access controls. Confidence: 1.00 Severity: 0.60 From: ? → npm/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm rollup-plugin-terser is 100.0% likely to have a medium risk anomaly Notes: This file is a terser wrapper that unsafely evaluates a caller-supplied string to produce options. The code itself contains no explicit exfiltration, hard-coded credentials, or network calls, and appears non-obfuscated. However, eval(optionsString) is a high-severity issue: if optionsString can be influenced by an attacker, the application can be fully compromised (RCE). Replace eval with safe parsing and validate inputs. Avoid returning mutable objects from evaluated input. Confidence: 1.00 Severity: 0.60 From: packages/ui/package.json → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm rxjs is 100.0% likely to have a medium risk anomaly Notes: The code is a conventional, well-scoped implementation of an RxJS-like concat operator. No malicious behavior, data exfiltration, or suspicious I/O detected in this fragment. Security risk is low; malware likelihood is negligible for this isolated operator function. Confidence: 1.00 Severity: 0.60 From: ? → npm/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm synckit is 100.0% likely to have a medium risk anomaly Notes: The code is a sophisticated, legitimate utility for managing worker threads with various TypeScript runtimes and global shims. It does not exhibit explicit malicious behavior, hardcoded secrets, or standard malware patterns. The main security considerations relate to the safe handling of workerPath/globalShims inputs and ensuring that only trusted, validated worker code is executed in worker contexts. Overall risk is moderate due to the dynamic nature of code loading, but the fragment itself is a standard, non-malicious utility module. Confidence: 1.00 Severity: 0.60 From: ? → npm/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm zod is 100.0% likely to have a medium risk anomaly Notes: No explicit network exfiltration, reverse shell, or credential theft is present in this fragment. However, the code assembles and compiles arbitrary code via the Function constructor and invokes passed-in functions immediately (twice). That behavior constitutes a strong dangerous primitive (arbitrary code execution) which can be abused if any inputs (strings or args) are attacker-controlled. Treat this module as risky in threat models where inputs are not fully trusted; review call sites and sanitize/validate inputs or avoid dynamic evaluation. Confidence: 1.00 Severity: 0.60 From: ? → npm/@modelcontextprotocol/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm entities is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: ? → npm/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3d34a00 and 1fbdd51.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (1)

• package.json (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (12)

• GitHub Check: boostsecurity - boostsecurityio/semgrep-pro
• GitHub Check: build (stylus, default)
• GitHub Check: build (solidity, default)
• GitHub Check: build (stellar, default)
• GitHub Check: build (cairo, default)
• GitHub Check: build (stellar, compile)
• GitHub Check: ui
• GitHub Check: mcp
• GitHub Check: format-lint
• GitHub Check: check
• GitHub Check: deno-check
• GitHub Check: semgrep-cloud-platform/scan

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify eslint-plugin-unicorn v62 breaking changes and config compatibility.

This is a major version bump (v61 → v62) for a linter plugin. Major version updates often introduce breaking changes, rule removals, or behavioral changes that may require eslint configuration updates or could cause lint failures.

Please verify:

1. Whether v62.0.0 introduces breaking changes (check the release notes)
2. Whether any eslint configuration updates are needed in .eslintrc files or linter configs
3. Whether the lint script (eslint) will pass without errors with v62.0.0

If breaking changes exist, ensure that related configuration changes have been applied to the repository before merging.

---

🌐 Web query:

What are the breaking changes in eslint-plugin-unicorn v62.0.0 compared to v61?

💡 Result:

I couldn't find any release notes or a published v62.0.0 for eslint-plugin-unicorn. The official repo (sindresorhus/eslint-plugin-unicorn) and release listings don't show a v62 tag/releases, and the latest changelog I located is for v60.0.0. [1][2]

If you have a specific release URL or tag for v62 (or want me to keep searching other sources), share it and I’ll fetch the breaking changes and summarize them.

Sources:

• eslint-plugin-unicorn GitHub repo. [1]
• v60.0.0 changelog listing. [2]

---

🏁 Script executed:

#!/bin/bash
# Check the actual package.json content for eslint-plugin-unicorn version
cat package.json | grep -A2 -B2 "eslint-plugin-unicorn"

Length of output: 186

---

🏁 Script executed:

#!/bin/bash
# Query npm registry for eslint-plugin-unicorn versions (check latest and v62 specifically)
curl -s https://registry.npmjs.org/eslint-plugin-unicorn | jq '.versions | keys | sort | .[-10:]'

Length of output: 114

---

🏁 Script executed:

#!/bin/bash
# Check npm registry for v62 specifically
curl -s https://registry.npmjs.org/eslint-plugin-unicorn/62.0.0 | jq 'if .error then "Version not found" else .version end'

Length of output: 8

---

---

🏁 Script executed:

```shell
#!/bin/bash
# Find eslint configuration files in the repository
fd -t f -e json -e js -e yml -e yaml -e mjs -e cjs -g '*eslintrc*' .

Length of output: 0

---

🏁 Script executed:

#!/bin/bash
# Also check for common eslint config locations
find . -maxdepth 2 -type f \( -name ".eslintrc*" -o -name "eslint.config.*" \) 2>/dev/null

Length of output: 19

---

🌐 Web query:

eslint-plugin-unicorn v62.0.0 changelog breaking changes

💡 Result:

There is no published eslint-plugin-unicorn v62.0.0 release. The latest published release series on npm/GitHub is v61 (most-recent tags show v61.x in Sep 2025), and npm's package page lists v60/v59 as recent stable releases. See the release list and npm info. [1][2]

Sources:

• Release list for eslint-plugin-unicorn (shows up through v61.x). [1]
• npm package page for eslint-plugin-unicorn (latest published versions). [2]

---

🏁 Script executed:

#!/bin/bash
# Check npm package metadata for v62.0.0 to see if it's a pre-release
curl -s https://registry.npmjs.org/eslint-plugin-unicorn/62.0.0 | jq '{version, dist_tags: .["dist-tags"], prerelease: (.version | contains("-")), published: .time["62.0.0"]}'

Length of output: 90

---

🏁 Script executed:

#!/bin/bash
# Check eslint.config.mjs to see which rules are configured
cat eslint.config.mjs

Length of output: 1348

---

Revert eslint-plugin-unicorn to stable v61 release; v62.0.0 is unreleased.

The version v62.0.0 exists on npm but is marked as unreleased (null published timestamp, no dist tags, not listed on GitHub releases). While the config imports eslint-plugin-unicorn, it doesn't explicitly enable any unicorn rules—so breaking changes wouldn't immediately break linting—using an unreleased, undocumented version introduces unnecessary stability risk.

Revert to the latest stable version: "eslint-plugin-unicorn": "^61.0.2"

🤖 Prompt for AI Agents

In package.json around line 37, the dependency "eslint-plugin-unicorn":
"^62.0.0" references an unreleased/unstable npm version; change it back to the
latest stable release by replacing the version string with "^61.0.2" so the
project uses the documented stable unicorn plugin; update package-lock/yarn.lock
by running the appropriate install command afterwards to ensure the lockfile
reflects the reverted version.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​openzeppelin/​uniswap-hooks@​1.2.1
	rollup-plugin-terser@​7.0.2
	@​modelcontextprotocol/​sdk@​1.17.3
	@​changesets/​changelog-github@​0.5.1
	typescript-eslint@​8.39.1
	highlightjs-cairo@​0.4.0
	@​types/​semver@​7.7.0
	@​types/​semver@​7.7.1
	path-browserify@​1.0.1
	file-saver@​2.0.5
	sirv-cli@​3.0.1
	@​types/​file-saver@​2.0.7
	@​types/​resize-observer-browser@​0.1.11
	jszip@​3.10.1
	tippy.js@​6.3.7
	rollup-plugin-livereload@​2.0.5
	rollup-plugin-styles@​4.0.0
	@​types/​node@​22.7.5 ⏵ 20.19.21	+1		+1	+1
	@​types/​node@​22.7.5 ⏵ 20.19.10	+1		+1
	solidity-ast@​0.4.60
	postcss-load-config@​6.0.1
	@​uniswap/​v4-core@​1.0.2
	@​uniswap/​v4-periphery@​1.0.3
	postcss@​8.5.6
	svelte-preprocess@​5.1.4
	ethereum-cryptography@​1.2.0 ⏵ 3.2.0	+1		+1
	concurrently@​9.2.0
	highlightjs-solidity@​2.0.6
	ava@​6.4.1
	@​rollup/​plugin-json@​6.1.0
	highlight.js@​11.11.1
	@​rollup/​plugin-alias@​5.1.1
	@​rollup/​plugin-replace@​6.0.2
See 26 more rows in the dashboard

View full report