| Block | High CVE: React Router vulnerable to XSS via Open Redirects in npm @remix-run/router |
CVE: GHSA-2w69-qvjg-hvjx React Router vulnerable to XSS via Open Redirects (HIGH)
Affected versions: < 1.23.2
Patched version: 1.23.2
From: manager/frontend/package-lock.json → npm/react-router-dom@6.30.2 → npm/@remix-run/router@1.23.1
ℹ Read more on: This package | This alert | What is a CVE?
Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.
Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.
Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@remix-run/router@1.23.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
| Block | Obfuscated code: npm vite is 91.0% likely obfuscated |
Confidence: 0.91
Location: Package overview
From: manager/frontend/package-lock.json → npm/vite@6.4.1
ℹ Read more on: This package | This alert | What is obfuscated code?
Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/vite@6.4.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
| Warn | Low adoption: npm lodash |
Location: Package overview
From: manager/frontend/package-lock.json → npm/recharts@2.15.4 → npm/lodash@4.17.21
ℹ Read more on: This package | This alert | What are unpopular packages?
Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.
Suggestion: Unpopular packages may have less maintenance and contain other problems.
Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lodash@4.17.21. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
| Warn | Low adoption: npm recharts |
Location: Package overview
From: manager/frontend/package-lock.json → npm/recharts@2.15.4
ℹ Read more on: This package | This alert | What are unpopular packages?
Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.
Suggestion: Unpopular packages may have less maintenance and contain other problems.
Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/recharts@2.15.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
| Warn | Filesystem access: npm @babel/core with module fs |
Module: fs
Location: Package overview
From: manager/frontend/package-lock.json → npm/@vitejs/plugin-react@4.7.0 → npm/@babel/core@7.28.5
ℹ Read more on: This package | This alert | What is filesystem access?
Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.
Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.
Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/core@7.28.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
| Warn | Filesystem access: npm browserslist with module fs |
Module: fs
Location: Package overview
From: manager/frontend/package-lock.json → npm/@vitejs/plugin-react@4.7.0 → npm/browserslist@4.28.1
ℹ Read more on: This package | This alert | What is filesystem access?
Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.
Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.
Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/browserslist@4.28.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
| Warn | Filesystem access: npm convert-source-map with module fs |
Module: fs
Location: Package overview
From: manager/frontend/package-lock.json → npm/@emotion/react@11.14.0 → npm/@emotion/styled@11.14.1 → npm/convert-source-map@1.9.0
ℹ Read more on: This package | This alert | What is filesystem access?
Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.
Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.
Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/convert-source-map@1.9.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
| Warn | Unmaintained: npm decimal.js-light was last published 5 years ago |
Last Publish: 9/30/2020, 9:10:57 PM
From: manager/frontend/package-lock.json → npm/recharts@2.15.4 → npm/decimal.js-light@2.5.1
ℹ Read more on: This package | This alert | What are unmaintained packages?
Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.
Suggestion: Packages should publish periodic maintenance releases if they are maintained, or be deprecated if there is no intention of further maintenance.
Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/decimal.js-light@2.5.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
| Warn | Unmaintained: npm find-root was last published 9 years ago |
Last Publish: 6/29/2017, 9:25:58 PM
From: manager/frontend/package-lock.json → npm/@emotion/react@11.14.0 → npm/@emotion/styled@11.14.1 → npm/find-root@1.1.0
ℹ Read more on: This package | This alert | What are unmaintained packages?
Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.
Suggestion: Packages should publish periodic maintenance releases if they are maintained, or be deprecated if there is no intention of further maintenance.
Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/find-root@1.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
| Warn | Filesystem access: npm find-root with module fs |
Module: fs
Location: Package overview
From: manager/frontend/package-lock.json → npm/@emotion/react@11.14.0 → npm/@emotion/styled@11.14.1 → npm/find-root@1.1.0
ℹ Read more on: This package | This alert | What is filesystem access?
Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.
Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.
Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/find-root@1.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
| Warn | Unmaintained: npm gensync was last published 5 years ago |
Last Publish: 10/27/2020, 8:43:40 PM
From: manager/frontend/package-lock.json → npm/@vitejs/plugin-react@4.7.0 → npm/gensync@1.0.0-beta.2
ℹ Read more on: This package | This alert | What are unmaintained packages?
Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.
Suggestion: Packages should publish periodic maintenance releases if they are maintained, or be deprecated if there is no intention of further maintenance.
Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/gensync@1.0.0-beta.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
| Warn | Unmaintained: npm hoist-non-react-statics was last published 6 years ago |
Last Publish: 1/22/2020, 11:21:02 PM
From: manager/frontend/package-lock.json → npm/@emotion/react@11.14.0 → npm/hoist-non-react-statics@3.3.2
ℹ Read more on: This package | This alert | What are unmaintained packages?
Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.
Suggestion: Packages should publish periodic maintenance releases if they are maintained, or be deprecated if there is no intention of further maintenance.
Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/hoist-non-react-statics@3.3.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
| Warn | Filesystem access: npm update-browserslist-db with module fs |
Module: fs
Location: Package overview
From: manager/frontend/package-lock.json → npm/@vitejs/plugin-react@4.7.0 → npm/update-browserslist-db@1.2.3
ℹ Read more on: This package | This alert | What is filesystem access?
Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.
Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.
Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/update-browserslist-db@1.2.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
| Warn | Filesystem access: npm vite with module fs |
Module: fs
Location: Package overview
From: manager/frontend/package-lock.json → npm/vite@6.4.1
ℹ Read more on: This package | This alert | What is filesystem access?
Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.
Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.
Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/vite@6.4.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.