
Bump the npm_and_yarn group across 1 directory with 11 updates #20

Closed

Conversation

dependabot[bot]

@dependabot dependabot bot commented on behalf of github Sep 26, 2024

Bumps the npm_and_yarn group with 6 updates in the / directory:

Package From To
web3 1.2.6 1.5.3
json5 0.5.1 removed
webpack 3.12.0 5.95.0
flat 4.1.1 5.0.2
mocha 7.2.0 10.7.3
tough-cookie 2.5.0 removed
web3 1.5.3 4.13.0

Updates web3 from 1.2.6 to 1.5.3

Release notes

Sourced from web3's releases.

web3-eth@4.0.0-alpha.0

Initial alpha release

Install with yarn add web3-eth@4.0.0-alpha.0

web3-core-requestmanager@4.0.0-alpha.0

Initial alpha release

Install with yarn add web3-core-requestmanager@4.0.0-alpha.0

web3-providers-http@4.0.0-alpha.0

Initial alpha release

Install with yarn add web3-providers-http@4.0.0-alpha.0

web3-providers-base@1.0.0-alpha.1

Changed

  • Update version to 1.0.0-alpha.1 for web3-providers-base
  • Update version to 4.0.0-alpha.0 for web3-utils in web3-providers-base

web3-utils@4.0.0-alpha.0

Initial alpha release

Install with yarn add web3-utils@4.0.0-alpha.0

web3-packagetemplate@1.0.0-alpha.0

Initial alpha release

Install with yarn add web3-packagetemplate@1.0.0-alpha.0

Changelog

Sourced from web3's changelog.

[1.2.6]

Added

  • Görli testnet ENS registry added to the known registries (#3338)

Changed

[1.2.7]

Added

  • Add revert reason support to sendSignedTransaction (#3345)
  • ENS module extended with the possibility to add a custom registry (#3301)
  • Missing ENS Registry methods and Resolver.supportsInterface method added (#3325)
  • Add optional gas type to AbiItem typescript definitions (for ABIs generated by Vyper) (#3437)
  • Add görli testnet ENS registry to the known registries (#3252)
  • Add auto-reconnect option for Websockets (#3092, #1085, #1391, #1558, #1852, #1646)

Changed

  • Ensure '0x' prefix is existing for Accounts.sign and Accounts.privateKeyToAccount (#3041)
  • Repository cleanup (#3443)
    • Removed old docs/_build folder
    • Removed old bower and meteor artifacts
    • Moved logo assets to own folder
    • Moved github assets to own folder
    • Remove @types/node from (non-dev) dependency tree (#3965, #3227)
  • Please note: Geth v1.9.12 contains a breaking change for eth_call that will not default to your first account anymore if from is not set. If a sender is not explicitly defined, the eth_call will be executed from address(0). (#3467)
    • This was done to avoid the same input behaving differently in different environments. You should never do eth_call without explicitly setting a sender.
    • This means that if you're calling view methods that refer to a msg.sender without explicitly setting a from address in your request options, you may see unexpected behavior.
    • In web3.js, the from address can be specified on a per-call basis or by setting the defaultAccount property.

Fixed

  • Add missing subscription.on('connected') TS type definition (#3319)
  • Add missing bignumber.js dependency for TS types (#3386)
  • Upgrade swarm-js to 0.1.40 to remove npm vulnerability warning (#3399)
  • Upgrade devDeps to resolve security warnings (#3464)
    • dtslint 0.4.2 => 3.4.1
    • definitelytyped-header-parser 1.0.1 => 3.9.0
  • Race-condition when subscribing to historical logs as first client request (#3389)
  • Fix crash when using Web-Workers by removing any-promise dependency (#3377 #2211 #1774)
  • MaxListenersExceededWarning event emitter warning mitigated (#1648)

[1.2.8]

Added

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by spacesailor, a new releaser for web3 since your current version.


Removes json5

Updates webpack from 3.12.0 to 5.95.0

Release notes

Sourced from webpack's releases.

v5.95.0

Bug Fixes

  • Fixed hanging when attempting to read a symlink-like file that it can't read
  • Handle default for import context element dependency
  • Merge duplicate chunks call after split chunks
  • Generate correctly code for dynamically importing the same file twice and destructuring
  • Use content hash as [base] and [name] for extracted DataURI's
  • Distinguish module and import in module-import for externals import's
  • [Types] Make EnvironmentPlugin default values types less strict
  • [Types] Typescript 5.6 compatibility

New Features

  • Add new optimization.entryIife option (true by default for the production mode)
  • Pass output.hash* options to loader context

Performance

  • Avoid unneeded re-visit in build chunk graph

v5.94.0

Bug Fixes

  • Added runtime condition for harmony reexport checked
  • Handle properly data/http/https protocols in source maps
  • Make bigint optimistic when browserslist not found
  • Move @types/eslint-scope to dev deps
  • Related in asset stats is now always an array when no related found
  • Handle ASI for export declarations
  • Mangle destruction incorrect with export named default properly
  • Fixed unexpected asi generation with sequence expression
  • Fixed a lot of types

New Features

  • Added new external type "module-import"
  • Support webpackIgnore for new URL() construction
  • [CSS] @import pathinfo support

Security

  • Fixed DOM clobbering in auto public path

v5.93.0

Bug Fixes

  • Generate correct relative path to runtime chunks
  • Makes DefinePlugin quieter under default log level
  • Fixed mangle destructuring default in namespace import

... (truncated)

Commits
  • e20fd63 chore(release): 5.95.0
  • 4866b0d feat: added new optimization.entryIife option
  • d90f692 fix: merge duplicate chunks after split chunks
  • 90dec30 fix(externals): distinguish “module” and “import” in “module-import”
  • c1a0a46 fix(externals): distinguish “module” and “import” in “module-import”
  • 14d8fa8 fix: all tests cases
  • dae16ad feat: pass output.hash* options to loader context
  • 75d185d feat: pass output.hash* options to loader context
  • 46e0b9c test: update
  • 8e62f9f test
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by evilebottnawi, a new releaser for webpack since your current version.


Updates braces from 2.3.2 to 3.0.3

Changelog

Sourced from braces's changelog.

Release history

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog and this project adheres to Semantic Versioning.

  • Changelogs are for humans, not machines.
  • There should be an entry for every single version.
  • The same types of changes should be grouped.
  • Versions and sections should be linkable.
  • The latest version comes first.
  • The release date of each versions is displayed.
  • Mention whether you follow Semantic Versioning.

Changelog entries are classified using the following labels (from keep-a-changelog):

  • Added for new features.
  • Changed for changes in existing functionality.
  • Deprecated for soon-to-be removed features.
  • Removed for now removed features.
  • Fixed for any bug fixes.
  • Security in case of vulnerabilities.

[3.0.0] - 2018-04-08

v3.0 is a complete refactor, resulting in a faster, smaller codebase, with fewer deps, and a more accurate parser and compiler.

Breaking Changes

  • The undocumented .makeRe method was removed

Non-breaking changes

  • Caching was removed

Commits

Updates elliptic from 6.3.3 to 6.5.4

Commits

Updates flat from 4.1.1 to 5.0.2

Commits
  • e5ffd66 Release 5.0.2
  • fdb79d5 Update dependencies, refresh lockfile, format with standard.
  • e52185d Test against node 14 in CI.
  • 0189cb1 Avoid arrow function syntax.
  • f25d3a1 Release 5.0.1
  • 54cc7ad use standard formatting
  • 779816e drop dependencies
  • 2eea6d3 Bump lodash from 4.17.15 to 4.17.19
  • a61a554 Bump acorn from 7.1.0 to 7.4.0
  • 20ef0ef Fix prototype pollution on unflatten
  • Additional commits viewable in compare view

Updates mocha from 7.2.0 to 10.7.3

Release notes

Sourced from mocha's releases.

v10.7.3

10.7.3 (2024-08-09)

🩹 Fixes

v10.7.2

10.7.2 (2024-08-06)

📚 Documentation

🧹 Chores

v10.7.1

10.7.1 (2024-08-06)

🩹 Fixes

  • crash with --parallel and --retries both enabled (#5173) (d7013dd)

🧹 Chores

  • add knip to validate included dependencies (5c2989f)
  • more fully remove assetgraph-builder and canvas (#5175) (1883c41)
  • replace nps with npm scripts (#5128) (c44653a), closes #5126

v10.7.0

What's Changed

New Contributors

Full Changelog: mochajs/mocha@v10.6.1...v10.7.0

v10.6.1

What's Changed

... (truncated)

Changelog

Sourced from mocha's changelog.

10.7.3 (2024-08-09)

🩹 Fixes

10.7.2 (2024-08-06)

📚 Documentation

🧹 Chores

10.7.1 (2024-08-06)

🩹 Fixes

  • crash with --parallel and --retries both enabled (#5173) (d7013dd)

🧹 Chores

  • add knip to validate included dependencies (5c2989f)
  • more fully remove assetgraph-builder and canvas (#5175) (1883c41)
  • replace nps with npm scripts (#5128) (c44653a), closes #5126

10.7.0 / 2024-07-20

🎉 Enhancements

10.6.1 / 2024-07-20

🐛 Fixes

10.6.0 / 2024-07-02

🎉 Enhancements

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by voxpelli, a new releaser for mocha since your current version.


Updates got from 7.1.0 to 9.6.0

Release notes

Sourced from got's releases.

v9.6.0

  • Add init hook (#683) 677d0a4
  • Add beforeError hook (#696) 29ffb44

sindresorhus/got@v9.5.1...v9.6.0

v9.5.1

  • Fix memory leak when using socket timeout and keepalive agent (#694) 203dadc
  • Fix strange timing data for HTTP requests d136e61
  • Correctly preserve original status code when returning cached responses d136e61

sindresorhus/got@v9.5.0...v9.5.1

v9.5.0

  • Remove error thrown for URLs with auth component (#676) 5d20a43
  • Upgrade dependencies a1eadfe

sindresorhus/got@v9.4.0...v9.5.0

v9.4.0

  • Add ability to specify which network error codes to retry on. 9f3a099
  • Add Got options onto responses and errors. 33b838f
  • Correctly clear socket timeout on error. c8e358f

sindresorhus/got@v9.3.2...v9.4.0

v9.3.2

sindresorhus/got@v9.3.1...v9.3.2

v9.3.1

  • Don't override headers defined in the url argument when it's an object. 191e00a
  • Don't set content-length header when upload body size is null. 311b184

sindresorhus/got@v9.3.0...v9.3.1

v9.3.0

  • Add option to allow defaults to be mutable. b392f60
  • Add beforeRedirect, beforeRetry, and afterResponse hooks. 325409c
  • Retry on a few more errors. fbaaa2a
  • Include body property in HTTPError. fdc0fa6
  • Transform user set headers to lowercase. a07b2be
  • Support Electron renderer timings. 25f18be

sindresorhus/got@v9.2.0...v9.3.0

v9.2.2

  • Gracefully handle invalid Location redirect URLs. (#605) 7ae6939

... (truncated)

Commits

Removes tough-cookie

Updates web3 from 1.5.3 to 4.13.0


Updates yargs-parser from 7.0.0 to 20.2.9

Release notes

Sourced from yargs-parser's releases.

yargs-parser yargs-parser-v20.2.9

Bug Fixes

  • build: fixed automated release pipeline (1fe9135)

yargs-parser yargs-parser-v20.2.8

Bug Fixes

  • deno: force release for Deno (6687c97)
  • locale: Turkish camelize and decamelize issues with toLocaleLowerCase/toLocaleUpperCase (2617303)
  • perf: address slow parse when using unknown-options-as-args (#394) (441f059)
  • string-utils: detect [0,1] ranged values as numbers (#388) (efcc32c)

yargs-parser yargs-parser-v15.0.3

Bug Fixes

  • build: should use releases_created when using manifest (49ea4ef)

yargs-parser yargs-parser-v15.0.2

Bug Fixes

  • perf: address slow parse when using unknown-options-as-args (#400) (bc387ec)

Changelog

Sourced from yargs-parser's changelog.

20.2.9 (2021-06-20)

Bug Fixes

  • build: fixed automated release pipeline (1fe9135)

20.2.8 (2021-06-20)

Bug Fixes

  • locale: Turkish camelize and decamelize issues with toLocaleLowerCase/toLocaleUpperCase (2617303)
  • perf: address slow parse when using unknown-options-as-args (#394) (441f059)
  • string-utils: detect [0,1] ranged values as numbers (#388) (efcc32c)

20.2.7 (2021-03-10)

Bug Fixes

  • deno: force release for Deno (6687c97)

20.2.6 (2021-02-22)

Bug Fixes

  • populate--: -- should always be array (#354) (585ae8f)

20.2.5 (2021-02-13)

Bug Fixes

20.2.4 (2020-11-09)

Bug Fixes

20.2.3 (2020-10-16)

Bug Fixes

  • exports: node 13.0 and 13.1 require the dotted object form with a string fallback (#336) (3ae7242)

... (truncated)

Commits
  • 3859e74 chore: release main (#404)
  • 1fe9135 fix(build): fixed automated release pipeline
  • 9eb9c2f chore: release main (#398)
  • 4b9e134 build: should be releases_created
  • 441f059 fix(perf): address slow parse when using unknown-options-as-args (#394)
  • fb22816 build: switch from master to main
  • a0a0814 build: switch to manifest based releases (#396)
  • 088481c docs: fix typos in README.md (#379)
  • 6877a2d test: add test for optimized output (#373)
  • 2cfab05 refactor: quote properties used for meta-programming
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by oss-bot, a new releaser for yargs-parser since your current version.


Updates ws from 3.3.3 to 8.18.0

Release notes

Sourced from ws's releases.

8.18.0

Features

  • Added support for Blob (#2229).

8.17.1

Bug fixes

  • Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the server.maxHeadersCount threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;
  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;
    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';
      if (++count === 2000) break;
    }
  }
  headers.Connection = 'Upgrade';
  headers.Upgrade = 'websocket';
  headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
  headers['Sec-WebSocket-Version'] = '13';
  const request = http.request({
    headers: headers,
    host: '127.0.0.1',
    port: wss.address().port
  });
  request.end();
});

The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

... (truncated)

Commits
  • 976c53c [dist] 8.18.0
  • 59b9629 [feature] Add support for Blob (#2229)
  • 0d1b5e6 [security] Use more descriptive text for 2017 vulnerability link
  • 15f11a0 [security] Add new DoS vulnerability to SECURITY.md
  • 3c56601 [dist] 8.17.1
  • e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
  • 6a00029 [test] Increase code coverage
  • ddfe4a8 [perf] Reduce the amount of crypto.randomFillSync() calls
  • b73b118 [dist] 8.17.0
  • 29694a5 [test] Use the highWaterMark variable
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the npm_and_yarn group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [web3](https://github.com/ChainSafe/web3.js) | `1.2.6` | `1.5.3` |
| [json5](https://github.com/json5/json5) | `0.5.1` | `removed` |
| [webpack](https://github.com/webpack/webpack) | `3.12.0` | `5.95.0` |
| [flat](https://github.com/hughsk/flat) | `4.1.1` | `5.0.2` |
| [mocha](https://github.com/mochajs/mocha) | `7.2.0` | `10.7.3` |
| [tough-cookie](https://github.com/salesforce/tough-cookie) | `2.5.0` | `removed` |
| [web3](https://github.com/ChainSafe/web3.js) | `1.5.3` | `4.13.0` |



Updates `web3` from 1.2.6 to 1.5.3
- [Release notes](https://github.com/ChainSafe/web3.js/releases)
- [Changelog](https://github.com/web3/web3.js/blob/4.x/CHANGELOG.md)
- [Commits](web3/web3.js@v1.2.6...v1.5.3)

Removes `json5`

Updates `webpack` from 3.12.0 to 5.95.0
- [Release notes](https://github.com/webpack/webpack/releases)
- [Commits](webpack/webpack@v3.12.0...v5.95.0)

Updates `braces` from 2.3.2 to 3.0.3
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](https://github.com/micromatch/braces/commits/3.0.3)

Updates `elliptic` from 6.3.3 to 6.5.4
- [Commits](indutny/elliptic@v6.3.3...v6.5.4)

Updates `flat` from 4.1.1 to 5.0.2
- [Release notes](https://github.com/hughsk/flat/releases)
- [Commits](hughsk/flat@4.1.1...5.0.2)

Updates `mocha` from 7.2.0 to 10.7.3
- [Release notes](https://github.com/mochajs/mocha/releases)
- [Changelog](https://github.com/mochajs/mocha/blob/main/CHANGELOG.md)
- [Commits](mochajs/mocha@v7.2.0...v10.7.3)

Updates `got` from 7.1.0 to 9.6.0
- [Release notes](https://github.com/sindresorhus/got/releases)
- [Commits](sindresorhus/got@v7.1.0...v9.6.0)

Removes `tough-cookie`

Updates `web3` from 1.5.3 to 4.13.0
- [Release notes](https://github.com/ChainSafe/web3.js/releases)
- [Changelog](https://github.com/web3/web3.js/blob/4.x/CHANGELOG.md)
- [Commits](web3/web3.js@v1.2.6...v1.5.3)

Updates `yargs-parser` from 7.0.0 to 20.2.9
- [Release notes](https://github.com/yargs/yargs-parser/releases)
- [Changelog](https://github.com/yargs/yargs-parser/blob/main/CHANGELOG.md)
- [Commits](yargs/yargs-parser@v7.0.0...yargs-parser-v20.2.9)

Updates `ws` from 3.3.3 to 8.18.0
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@3.3.3...8.18.0)

---
updated-dependencies:
- dependency-name: web3
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: json5
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: webpack
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: braces
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: elliptic
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: flat
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: mocha
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: got
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: tough-cookie
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: web3
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: yargs-parser
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ws
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
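A defender-side counterpart to the ws 8.17.1 fix quoted in the PR body ("Fix crash when the Upgrade header cannot be read"). This is an added example, not code from ws or from this repository: a handshake pre-check that returns a rejection instead of throwing when headers are absent, plus a constructed simulation of how Node keeps only the first server.maxHeadersCount headers so that a flooded request arrives without its Upgrade header. Function names and the sample header sets are assumptions made for illustration.

```javascript
// Added example (not ws's own code). Models the failure mode behind the
// ws 8.17.1 fix: when a client sends more headers than Node's
// server.maxHeadersCount, Node silently keeps only the first N, so
// req.headers.upgrade can be undefined and naive code that calls
// .toLowerCase() on it throws and crashes the process.

const MAX_HEADERS = 2000; // Node's default server.maxHeadersCount (assumed here)

// Validates the headers of an HTTP Upgrade request for a WebSocket handshake.
// Returns { ok: true } or { ok: false, status, reason }; it never throws,
// so a truncated or malformed request is answered, not crashed on.
function checkUpgradeHeaders(headers) {
  if (headers === null || typeof headers !== 'object') {
    return { ok: false, status: 400, reason: 'no headers' };
  }
  const upgrade = headers.upgrade;
  if (typeof upgrade !== 'string' || upgrade.toLowerCase() !== 'websocket') {
    return { ok: false, status: 400, reason: 'missing or invalid Upgrade header' };
  }
  const connection = headers.connection;
  if (typeof connection !== 'string' ||
      !connection.split(',').some((t) => t.trim().toLowerCase() === 'upgrade')) {
    return { ok: false, status: 400, reason: 'Connection header does not include Upgrade' };
  }
  const key = headers['sec-websocket-key'];
  // Sec-WebSocket-Key is 16 random bytes, base64-encoded: 24 chars ending in "==".
  if (typeof key !== 'string' || !/^[A-Za-z0-9+/]{22}==$/.test(key)) {
    return { ok: false, status: 400, reason: 'missing or malformed Sec-WebSocket-Key' };
  }
  if (headers['sec-websocket-version'] !== '13') {
    return { ok: false, status: 426, reason: 'unsupported Sec-WebSocket-Version' };
  }
  return { ok: true };
}

// Simulates what Node hands to an 'upgrade' listener: header names are
// lowercased and, once the count reaches maxHeadersCount, later headers are
// dropped rather than rejected. (Constructed simulation, not Node's parser.)
function truncateLikeNode(rawHeaders, maxHeadersCount = MAX_HEADERS) {
  const out = {};
  let count = 0;
  for (const [name, value] of Object.entries(rawHeaders)) {
    if (count >= maxHeadersCount) break;
    out[name.toLowerCase()] = value;
    count++;
  }
  return out;
}

// Constructed sample: a benign handshake, as seen by the server.
function goodHandshake() {
  return truncateLikeNode({
    Host: 'example.test',
    Connection: 'Upgrade',
    Upgrade: 'websocket',
    'Sec-WebSocket-Key': 'dGhlIHNhbXBsZSBub25jZQ==',
    'Sec-WebSocket-Version': '13',
  });
}

// Constructed sample: the shape of the request in the ws advisory, with 2000
// filler headers placed before the handshake headers, so truncation removes
// every header the handshake needs.
function floodedHandshake() {
  const raw = {};
  for (let i = 0; i < MAX_HEADERS; i++) raw[`x-filler-${i}`] = 'x';
  Object.assign(raw, goodHandshake());
  return truncateLikeNode(raw);
}
```

A server that applies checkUpgradeHeaders before touching any header value answers the flooded request with a 400 instead of dying on a TypeError; pinning ws at or above 8.17.1 (as this PR does) is still the real fix.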
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Sep 26, 2024

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert Package Note Source CI
New author npm/merge-stream@2.0.0 🚫
Network access npm/node-fetch@2.7.0 🚫
Network access npm/node-fetch@2.7.0 🚫
Network access npm/node-fetch@2.7.0 🚫
Shell access npm/jest-worker@27.5.1 🚫
Network access npm/cross-fetch@4.0.0 🚫
Network access npm/web3-providers-ipc@4.0.7 🚫
Network access npm/web3-providers-ipc@4.0.7 🚫
New author npm/diff@5.2.0 🚫
New author npm/web3-net@4.1.0 🚫
Network access npm/ws@8.18.0 🚫
Network access npm/ws@8.18.0 🚫
New author npm/web3-providers-ws@4.0.8 🚫


Next steps

What is new author?

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

What is network access?

This module accesses the network.

Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

What is shell access?

This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.

Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

  • @SocketSecurity ignore npm/merge-stream@2.0.0
  • @SocketSecurity ignore npm/node-fetch@2.7.0
  • @SocketSecurity ignore npm/jest-worker@27.5.1
  • @SocketSecurity ignore npm/cross-fetch@4.0.0
  • @SocketSecurity ignore npm/web3-providers-ipc@4.0.7
  • @SocketSecurity ignore npm/diff@5.2.0
  • @SocketSecurity ignore npm/web3-net@4.1.0
  • @SocketSecurity ignore npm/ws@8.18.0
  • @SocketSecurity ignore npm/web3-providers-ws@4.0.8

@legobeat

@dependabot rebase


dependabot bot commented on behalf of github Oct 25, 2024

Superseded by #22.

@dependabot dependabot bot closed this Oct 25, 2024
@dependabot dependabot bot deleted the dependabot/npm_and_yarn/npm_and_yarn-83e32fee43 branch October 25, 2024 01:40