Safe-only sweep of open Dependabot security alerts. All changes are lockfile-only (`yarn up -R` within existing semver ranges, plus parent-chain refreshes). No `package.json` changes, no `resolutions` added.

Resolved

| Package | Method | Notes |
| --- | --- | --- |
| `glob` | `yarn up -R` | |
| `minimatch` | `yarn up -R` | |
| `node-forge` | `yarn up -R` | |
| `picomatch` | `yarn up -R` | |
| `tar` (7.x) | `yarn up -R` | |
| `on-headers` | parent refresh (`compression` → 1.8.1) | |
| `qs` | parent refresh (`express` → 4.22.1, `body-parser` → 1.20.4) | |
| `js-yaml` (partial) | `yarn up -R` | `^4.1.0` instances → 4.1.1 |
| `ajv`\* | `yarn up -R` | |
| `brace-expansion`\* | `yarn up -R` | |
| `yaml`\* | `yarn up -R` | |
| `markdown-it`\* (partial) | `yarn up -R` | `^14.1.0` instances → 14.1.1 |
| `path-to-regexp`\* | parent refresh (`express` → 4.22.1) | |
| `serialize-javascript` (partial) | parent refresh (`terser-webpack-plugin` → 5.4.0, drops the dep) | removed from terser chain |
| `webpack-dev-server` (partial) | `yarn up -R` | 4.11.1 → 4.15.2 (still <5.2.1, see below) |

\* audit-only, not in the Dependabot alert list but picked up in the same refresh.

Flagged (not changed)

These require changes outside the safe-only envelope for this sweep:

- `lodash` → 4.18.0 — blocked by `npmMinimalAgeGate` (1 week); 4.18.0 was published 2026-03-31. Will resolve itself on the next refresh after the gate clears.
- `@xmldom/xmldom` → 0.8.12 — blocked by `npmMinimalAgeGate`; 0.8.12 was published 2026-03-29. Same as above.
- `tar` (6.x) — no 6.x patch exists; pulled in via `@electron/rebuild@3.x`, `@electron/node-gyp` (git pin), and `cacache@16` through the `@electron-forge/*@8.0.0-alpha.3` chain. Needs a Forge release that moves to `@electron/rebuild@4` (`tar@^7`).
- `serialize-javascript` → 7.0.5 — remaining consumer is `copy-webpack-plugin@11` (`^6.0.0`); fix requires a `copy-webpack-plugin` major bump (11 → 12+).
- `webpack-dev-server` → 5.2.1 — `@electron-forge/plugin-webpack@8.0.0-alpha.3` pins `^4.0.0`; needs a Forge release with webpack-dev-server@5.
- `@octokit/plugin-paginate-rest` / `@octokit/request` / `@octokit/request-error` — vulnerable versions come from `@octokit/rest@^17` (runtime dep) and `@octokit/core@^3`; fix requires a major bump of `@octokit/rest`.
- `@tootallnate/once` → 3.0.1 — via `http-proxy-agent@5` → `make-fetch-happen@10` → `@electron/node-gyp` (git pin); no in-range path.
- `tmp@0.0.33` — via `external-editor@3.1.0` → `@inquirer/editor@3` → `@inquirer/prompts@6` → `@electron-forge/cli`; no newer `external-editor@3.x` drops it.
- `js-yaml@4.1.0` / `markdown-it@14.1.0` — pinned exactly by `markdownlint-cli2@0.18.0`; fix requires bumping `markdownlint-cli2` to 0.22.0 (0.x minor).
- `ajv@8.12.0` — pinned `~8.12.0` by `@microsoft/tsdoc-config@0.17.0` via `eslint-plugin-tsdoc@0.3.0`; fix requires `eslint-plugin-tsdoc` 0.3 → 0.5.

Verification

`yarn install --immutable` passes
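As an added example, not part of this PR or of the project's own tooling: a small Python script that parses a Yarn Berry lockfile and reports every entry still resolving below the fixed versions named in the Flagged list, so a reviewer can confirm what a lockfile-only sweep did and did not move. It also includes a helper for the one-week `npmMinimalAgeGate` arithmetic. The lockfile text is a constructed sample, not this repository's `yarn.lock`; the `MINIMUMS` table is assembled from the targets above; and the gate is assumed to clear once the published version is at least seven days old (the exact gate semantics are an assumption).

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample in Yarn Berry lockfile format (not this repo's yarn.lock).
SAMPLE_LOCK = '''
# This file is generated by running "yarn install" inside your project.

__metadata:
  version: 8
  cacheKey: 10c0

"lodash@npm:^4.17.21":
  version: 4.17.21
  resolution: "lodash@npm:4.17.21"
  languageName: node
  linkType: hard

"@xmldom/xmldom@npm:^0.8.10":
  version: 0.8.12
  resolution: "@xmldom/xmldom@npm:0.8.12"
  languageName: node
  linkType: hard

"webpack-dev-server@npm:^4.0.0":
  version: 4.15.2
  resolution: "webpack-dev-server@npm:4.15.2"
  languageName: node
  linkType: hard

"tar@npm:^6.1.11, tar@npm:^6.2.1":
  version: 6.2.1
  resolution: "tar@npm:6.2.1"
  languageName: node
  linkType: hard

"tar@npm:^7.4.3":
  version: 7.4.3
  resolution: "tar@npm:7.4.3"
  languageName: node
  linkType: hard
'''

# Minimum fixed versions taken from the PR's Flagged list (tar needs the 7.x line).
MINIMUMS = {
    "lodash": "4.18.0",
    "@xmldom/xmldom": "0.8.12",
    "tar": "7.0.0",
    "serialize-javascript": "7.0.5",
    "webpack-dev-server": "5.2.1",
    "@tootallnate/once": "3.0.1",
}


@dataclass(frozen=True)
class LockEntry:
    name: str        # package name, e.g. "@xmldom/xmldom"
    descriptor: str  # the range that pulled it in, e.g. "tar@npm:^6.2.1"
    version: str     # the version the lockfile resolved to


def package_name(descriptor: str) -> str:
    """Strip the range part; the leading '@' of a scoped package is not a separator."""
    at = descriptor.find("@", 1)
    return descriptor if at == -1 else descriptor[:at]


def version_key(version: str) -> tuple:
    """Numeric tuple for comparison; prerelease/build suffixes are ignored."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def parse_yarn_lock(text: str) -> list:
    """Return one LockEntry per descriptor; a top-level key can list several."""
    entries, descriptors = [], []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw.startswith(" "):
            # Top-level key: comma-separated descriptors, or the __metadata block.
            key = raw.rstrip().rstrip(":").strip('"')
            descriptors = [] if key == "__metadata" else [d.strip().strip('"') for d in key.split(",")]
            continue
        stripped = raw.strip()
        if descriptors and stripped.startswith("version:"):
            version = stripped.split(":", 1)[1].strip().strip('"')
            entries.extend(LockEntry(package_name(d), d, version) for d in descriptors)
    return entries


def remaining_vulnerable(lock_text: str, minimums: dict) -> list:
    """Entries whose resolved version is still below the required minimum."""
    below = [e for e in parse_yarn_lock(lock_text)
             if e.name in minimums and version_key(e.version) < version_key(minimums[e.name])]
    return sorted(below, key=lambda e: (e.name, version_key(e.version), e.descriptor))


def clears_age_gate(published_iso: str, today_iso: str, min_days: int = 7) -> bool:
    """Assumed gate semantics: a version is installable once it is >= min_days old."""
    published, today = date.fromisoformat(published_iso), date.fromisoformat(today_iso)
    return today - published >= timedelta(days=min_days)


if __name__ == "__main__":
    for entry in remaining_vulnerable(SAMPLE_LOCK, MINIMUMS):
        print(f"{entry.name:25} {entry.version:10} via {entry.descriptor} (need >= {MINIMUMS[entry.name]})")
    print("lodash 4.18.0 (published 2026-03-31) clears the 1-week gate on 2026-04-07:",
          clears_age_gate("2026-03-31", "2026-04-07"))
```

Run against the real lockfile by reading it in place of `SAMPLE_LOCK`; each reported descriptor is the parent range that still pins the old version, which is exactly the information the Flagged list above records by hand.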
Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Try to reduce the number of authors you depend on to reduce the risk of malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/path-to-regexp@0.1.13`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.