Bump minimatch and mocha by dependabot[bot] · Pull Request #5 · Dustin4444/solidity-parser-antlr

dependabot · 2026-03-01T20:54:59Z

Bumps minimatch to 3.1.5 and updates ancestor dependency mocha. These dependencies need to be updated together.

Updates minimatch from 3.0.4 to 3.1.5

Commits

7bba978 3.1.5
bd25942 docs: add warning about ReDoS
1a9c27c fix partial matching of globstar patterns
1a2e084 3.1.4
ae24656 update lockfile
b100374 limit recursion for **, improve perf considerably
26ffeaa lockfile update
9eca892 lock node version to 14
00c323b 3.1.3
30486b2 update CI matrix and actions
Additional commits viewable in compare view

Updates mocha from 6.2.0 to 11.7.5

Release notes

v11.7.5

11.7.5 (2025-11-04)

🩹 Fixes

swallow more require errors from *ts files (#5498) (d89dbaf)

🧹 Chores

run tests on PRs for and pushes to v11.x (#5525) (8b21b38)

setup release-please for v11 (#5522) (663fff4)

v11.7.4

11.7.4 (2025-10-01)

🩹 Fixes

watch mode using chokidar v4 (#5379) (c2667c3)

📚 Documentation

migrate remaining legacy wiki pages to main documentation (#5465) (bff9166)

🧹 Chores

remove trailing spaces (#5475) (7f68e5c)

v11.7.3

11.7.3 (2025-09-30)

🩹 Fixes

use original require() error for TS files if ERR_UNKNOWN_FILE_EXTENSION (#5408) (ebdbc48)

📚 Documentation

add security escalation policy (#5466) (4122c7d)

fix duplicate global leak documentation (#5461) (1164b9d)

migrate third party UIs wiki page to docs (#5434) (6654704)

update maintainer release notes for release-please (#5453) (185ae1e)

🤖 Automation

... (truncated)

Changelog

Sourced from mocha's changelog.

11.7.5 (2025-11-04)

🩹 Fixes

swallow more require errors from *ts files (#5498) (d89dbaf)

🧹 Chores

run tests on PRs for and pushes to v11.x (#5525) (8b21b38)

setup release-please for v11 (#5522) (663fff4)

11.7.4 (2025-10-01)

🩹 Fixes

watch mode using chokidar v4 (#5379) (c2667c3)

📚 Documentation

migrate remaining legacy wiki pages to main documentation (#5465) (bff9166)

🧹 Chores

remove trailing spaces (#5475) (7f68e5c)

11.7.3 (2025-09-30)

🩹 Fixes

use original require() error for TS files if ERR_UNKNOWN_FILE_EXTENSION (#5408) (ebdbc48)

📚 Documentation

add security escalation policy (#5466) (4122c7d)

fix duplicate global leak documentation (#5461) (1164b9d)

migrate third party UIs wiki page to docs (#5434) (6654704)

update maintainer release notes for release-please (#5453) (185ae1e)

🤖 Automation

deps: bump actions/setup-node in the github-actions group (#5459) (48c6f40)

... (truncated)

Commits

9a6a5db chore(v11.x): release 11.7.5 (#5523)
8b21b38 chore: run tests on PRs for and pushes to v11.x (#5525)
663fff4 chore: setup release-please for v11 (#5522)
8d97220 Update release-please to include v11.x and use Node ^22
d89dbaf fix: swallow more require errors from *ts files (#5498)
8649f39 chore(main): release 11.7.4 (#5473)
c2667c3 fix: watch mode using chokidar v4 (#5379)
7f68e5c chore: remove trailing spaces (#5475)
bff9166 Docs: migrate remaining legacy wiki pages to main documentation (#5465)
c805327 chore(main): release 11.7.3 (#5455)
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by voxpelli, a new releaser for mocha since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [minimatch](https://github.com/isaacs/minimatch) to 3.1.5 and updates ancestor dependency [mocha](https://github.com/mochajs/mocha). These dependencies need to be updated together. Updates `minimatch` from 3.0.4 to 3.1.5 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.0.4...v3.1.5) Updates `mocha` from 6.2.0 to 11.7.5 - [Release notes](https://github.com/mochajs/mocha/releases) - [Changelog](https://github.com/mochajs/mocha/blob/v11.7.5/CHANGELOG.md) - [Commits](mochajs/mocha@v6.2.0...v11.7.5) --- updated-dependencies: - dependency-name: minimatch dependency-version: 3.1.5 dependency-type: indirect - dependency-name: mocha dependency-version: 11.7.5 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com>

socket-security · 2026-03-01T20:55:15Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Package	Supply Chain Security	Quality	Maintenance
eslint@10.0.2 ⏵ 6.8.0	⁺²		^-46
eslint-plugin-standard@5.0.0 ⏵ 4.1.0			⁺²⁵
eslint-plugin-node@11.1.0 ⏵ 9.2.0	⁺¹
yarn@2.4.3 ⏵ 1.22.22	^-8	⁺¹⁷
eslint-plugin-promise@7.2.1 ⏵ 4.3.1	⁺¹
nyc@18.0.0 ⏵ 14.1.1	⁺¹
prettier@3.8.1 ⏵ 1.19.1	⁺⁴	⁺²

View full report

socket-security · 2026-03-01T20:55:16Z

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Warn		Dynamic code execution: npm `async-function` Eval Type: Function Location: Package overview From: `?` → `npm/eslint-plugin-import@2.32.0` → `npm/async-function@1.0.0` ℹ Read more on: This package \| This alert \| What is dynamic code execution? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/async-function@1.0.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Dynamic code execution: npm `generator-function` Eval Type: Function Location: Package overview From: `?` → `npm/eslint-plugin-import@2.32.0` → `npm/generator-function@2.0.1` ℹ Read more on: This package \| This alert \| What is dynamic code execution? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/generator-function@2.0.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Dynamic code execution: npm `get-intrinsic` Eval Type: Function Location: Package overview From: `?` → `npm/eslint-plugin-import@2.32.0` → `npm/get-intrinsic@1.3.0` ℹ Read more on: This package \| This alert \| What is dynamic code execution? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/get-intrinsic@1.3.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Dynamic code execution: npm `get-symbol-description` Eval Type: Function Location: Package overview From: `?` → `npm/eslint-plugin-import@2.32.0` → `npm/get-symbol-description@1.1.0` ℹ Read more on: This package \| This alert \| What is dynamic code execution? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/get-symbol-description@1.1.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential typosquat (AI signal): npm `is-typed-array` as a typo of is-typedarray Did you mean: is-typed~~-~~array From: `?` → `npm/eslint-plugin-import@2.32.0` → `npm/is-typed-array@1.1.15` ℹ Read more on: This package \| This alert \| What is AI-detected potential typosquatting? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Given the AI system's identification of this package as a potential typosquat, please verify that you did not intend to install a different package. Be cautious, as malicious packages often use names similar to popular ones. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/is-typed-array@1.1.15`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Trivial package: npm `isarray` has 4 lines of code Location: Package overview From: `?` → `npm/eslint-plugin-import@2.32.0` → `npm/isarray@2.0.5` ℹ Read more on: This package \| This alert \| What are trivial packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Removing this package as a dependency and implementing its logic will reduce supply chain risk. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/isarray@2.0.5`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Dynamic code execution: npm `workerpool` Eval Type: Function Location: Package overview From: `?` → `npm/mocha@11.7.5` → `npm/workerpool@9.3.4` ℹ Read more on: This package \| This alert \| What is dynamic code execution? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/workerpool@9.3.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		System shell access: npm `workerpool` in module child_process Module: child_process Location: Package overview From: `?` → `npm/mocha@11.7.5` → `npm/workerpool@9.3.4` ℹ Read more on: This package \| This alert \| What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/workerpool@9.3.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Install-time scripts: npm `yarn` during preinstall Install script: preinstall Source: `:; (node ./preinstall.js > /dev/null 2>&1 \|\| true)` From: package.json → `npm/yarn@1.22.22` ℹ Read more on: This package \| This alert \| What is an install script? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/yarn@1.22.22`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		System shell access: npm `yarn` in module child_process Module: child_process Location: Package overview From: package.json → `npm/yarn@1.22.22` ℹ Read more on: This package \| This alert \| What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/yarn@1.22.22`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm `@pkgjs/parseargs` URLs: https://github.com/nodejs/node/pull/38248, Function.prototype.call Location: Package overview From: `?` → `npm/mocha@11.7.5` → `npm/@pkgjs/parseargs@0.11.0` ℹ Read more on: This package \| This alert \| What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@pkgjs/parseargs@0.11.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm `acorn` URLs: https://bugzilla.mozilla.org/show_bug.cgi?id=745678, super.property, https://www.ecma-international.org/ecma-262/8.0/#prod-Pattern, https://www.ecma-international.org/ecma-262/8.0/#prod-Disjunction, https://www.ecma-international.org/ecma-262/8.0/#prod-Alternative, https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Term, https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-Assertion, https://www.ecma-international.org/ecma-262/8.0/#prod-Quantifier, https://www.ecma-international.org/ecma-262/8.0/#prod-QuantifierPrefix, https://www.ecma-international.org/ecma-262/8.0/#sec-term, https://www.ecma-international.org/ecma-262/8.0/#prod-Atom, https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedAtom, https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-InvalidBracedQuantifier, https://www.ecma-international.org/ecma-262/8.0/#prod-SyntaxCharacter, https://www.ecma-international.org/ecma-262/8.0/#prod-PatternCharacter, https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ExtendedPatternCharacter, https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-AtomEscape, https://www.ecma-international.org/ecma-262/8.0/#sec-atomescape, https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-CharacterEscape, https://www.ecma-international.org/ecma-262/8.0/#prod-ControlEscape, https://www.ecma-international.org/ecma-262/8.0/#prod-ControlLetter, https://www.ecma-international.org/ecma-262/8.0/#prod-RegExpUnicodeEscapeSequence, https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-IdentityEscape, https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalEscape, https://www.ecma-international.org/ecma-262/8.0/#prod-CharacterClassEscape, https://www.ecma-international.org/ecma-262/8.0/#prod-CharacterClass, https://www.ecma-international.org/ecma-262/8.0/#prod-ClassRanges, https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRanges, https://www.ecma-international.org/ecma-262/8.0/#prod-NonemptyClassRangesNoDash, https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtom, https://www.ecma-international.org/ecma-262/8.0/#prod-ClassAtomNoDash, https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ClassEscape, https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-ClassControlLetter, https://www.ecma-international.org/ecma-262/8.0/#prod-HexEscapeSequence, https://www.ecma-international.org/ecma-262/8.0/#prod-DecimalDigits, https://www.ecma-international.org/ecma-262/8.0/#prod-HexDigits, https://www.ecma-international.org/ecma-262/8.0/#prod-annexB-LegacyOctalEscapeSequence, https://www.ecma-international.org/ecma-262/8.0/#prod-OctalDigit, https://www.ecma-international.org/ecma-262/8.0/#prod-Hex4Digits, https://www.ecma-international.org/ecma-262/8.0/#prod-HexDigit, https://github.com/estree/estree/blob/a27003adf4fd7bfad44de9cef372a2eacd527b1c/es5.md#regexpliteral, https://developer.mozilla.org/en-US/docs/SpiderMonkey/Parser_API Location: Package overview From: `?` → `npm/eslint@6.8.0` → `npm/acorn@7.4.1` ℹ Read more on: This package \| This alert \| What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/acorn@7.4.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm `ajv` URLs: min.js.map, http://json-schema.org/draft-07/schema, schema.id, http://json-schema.org/schema, https://raw.githubusercontent.com/ajv-validator/ajv/master/lib/refs/data.json#, https://github.com/ajv-validator/ajv/blob/master/lib/definition_schema.js, http://json-schema.org/draft-07/schema#, https://gist.github.com/dperini/729294, https://mathiasbynens.be/demo/url-regex, https://github.com/eslint/eslint/issues/7983., http://tools.ietf.org/html/rfc3339#section-5.6, https://github.com/mafintosh/is-my-json-valid/blob/master/formats.js, http://stackoverflow.com/questions/201323/using-a-regular-expression-to-validate-an-email-address#answer-8829363, http://www.w3.org/TR/html5/forms.html#valid-e-mail-address, https://www.safaribooksonline.com/library/view/regular-expressions-cookbook/9780596802837/ch07s16.html, http://stackoverflow.com/questions/53497/regular-expression-that-matches-valid-ipv6-addresses, http://tools.ietf.org/html/rfc4122, https://tools.ietf.org/html/rfc6901, https://tools.ietf.org/html/rfc3986#appendix-A, http://tools.ietf.org/html/draft-luff-relative-json-pointer-00, https://tools.ietf.org/html/rfc3339#appendix-C, http://jmrware.com/articles/2009/uri_regexp/URI_regex.html, https://mathiasbynens.be/notes/javascript-encoding, https://github.com/bestiejs/punycode.js, https://tools.ietf.org/html/rfc3492#section-3.4, gary.court@gmail.com, https://github.com/epoberezkin/fast-json-stable-stringify Location: Package overview From: `?` → `npm/eslint@6.8.0` → `npm/ajv@6.14.0` ℹ Read more on: This package \| This alert \| What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/ajv@6.14.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm `ajv` is 100.0% likely to have a medium risk anomaly Notes: The code augments a meta-schema to permit remote dereferencing of keyword schemas via a hardcoded data.json resource. This introduces network dependency and potential changes to validation semantics at runtime. While not inherently malicious, the remote reference constitutes a notable security and reliability risk that should be mitigated with local fallbacks, input validation, and explicit remote-resource governance. Confidence: 1.00 Severity: 0.60 From: `?` → `npm/eslint@6.8.0` → `npm/ajv@6.14.0` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/ajv@6.14.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm `ajv` is 100.0% likely to have a medium risk anomaly Notes: The code represents a conventional, non-obfuscated part of AJV’s custom keyword support. No direct malicious actions are evident within this module. Security concerns mainly arise from the broader supply chain: the external rule implementation (dotjs/custom), the definition schema, and any user-supplied keyword definitions. The dynamic compilation path (compile(metaSchema, true)) should be exercised with trusted inputs. Recommended follow-up: review the contents of the external modules and monitor the inputs supplied to addKeyword/definitionSchema to ensure no unsafe behavior is introduced during validation or data handling. Confidence: 1.00 Severity: 0.60 From: `?` → `npm/eslint@6.8.0` → `npm/ajv@6.14.0` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/ajv@6.14.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm `ansi-regex` with https://github.com URLs: https://github.com Location: Package overview From: `?` → `npm/eslint@6.8.0` → `npm/mocha@11.7.5` → `npm/ansi-regex@5.0.1` ℹ Read more on: This package \| This alert \| What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/ansi-regex@5.0.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm `ansi-regex` with https://github.com URLs: https://github.com Location: Package overview From: `?` → `npm/mocha@11.7.5` → `npm/ansi-regex@6.2.2` ℹ Read more on: This package \| This alert \| What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/ansi-regex@6.2.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm `ansi-styles` URLs: https://github.com/Qix-/color-convert/blob/3f0e0d4e92e235796ccb17f6e85c72094a651f49/conversions.js Location: Package overview From: `?` → `npm/mocha@11.7.5` → `npm/ansi-styles@6.2.3` ℹ Read more on: This package \| This alert \| What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/ansi-styles@6.2.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm `argparse` URLs: https://github.com/python/cpython/blob/v3.9.0b4/Lib/textwrap.py, https://github.com/python/cpython/blob/v3.9.0rc1/Lib/argparse.py Location: Package overview From: `?` → `npm/mocha@11.7.5` → `npm/argparse@2.0.1` ℹ Read more on: This package \| This alert \| What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/argparse@2.0.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Publisher changed: npm `async-function` is now published by ljharb instead of eduardorfs New Author: ljharb Previous Author: eduardorfs From: `?` → `npm/eslint-plugin-import@2.32.0` → `npm/async-function@1.0.0` ℹ Read more on: This package \| This alert \| What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/async-function@1.0.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm `chalk` is 100.0% likely to have a medium risk anomaly Notes: The code is a non-malicious, well-scoped parser and applier for Chalk-like styling templates. It validates and applies styles, handles escapes, and provides explicit errors for malformed templates. No suspicious data exfiltration, network, or system manipulation behaviors are present. Given its context as a library fragment for styling output, the risk is low. Confidence: 1.00 Severity: 0.60 From: `?` → `npm/mocha@11.7.5` → `npm/chalk@4.1.2` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/chalk@4.1.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm `chalk` URLs: chalk.red.yellow.green, chalk.green Location: Package overview From: `?` → `npm/mocha@11.7.5` → `npm/chalk@4.1.2` ℹ Read more on: This package \| This alert \| What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/chalk@4.1.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm `chokidar` URLs: https://github.com/paulmillr/chokidar/blob/e1753ddbc9571bdc33b4a4af172d52cb6e611c10/lib/nodefs-handler.js#L612, https://github.com/paulmillr/chokidar/blob/e1753ddbc9571bdc33b4a4af172d52cb6e611c10/lib/nodefs-handler.js#L553 Location: Package overview From: `?` → `npm/mocha@11.7.5` → `npm/chokidar@4.0.3` ℹ Read more on: This package \| This alert \| What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/chokidar@4.0.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm `cp-file` with module fs Module: fs Location: Package overview From: `?` → `npm/nyc@14.1.1` → `npm/cp-file@6.2.0` ℹ Read more on: This package \| This alert \| What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/cp-file@6.2.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm `debug` is 100.0% likely to have a medium risk anomaly Notes: The analyzed code is a benign debug utility (Node.js debug library) used to format and emit colored log messages to standard error based on environment-configured namespaces. It safely handles optional dependencies and avoids dubious data flows or side effects. No evidence of malware, data exfiltration, backdoors, or supply-chain abuse is present in this fragment. Overall security risk is low. Confidence: 1.00 Severity: 0.60 From: `?` → `npm/eslint-plugin-import@2.32.0` → `npm/debug@3.2.7` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/debug@3.2.7`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm `diff` URLs: https://www.artima.com/weblogs/viewpost.jsp?thread=164293, https://stackoverflow.com/a/60422853/1709587, https://en.wikipedia.org/wiki/Latin_script_in_Unicode, https://github.com/kpdecker/jsdiff/issues/160#issuecomment-1866099640, https://github.com/kpdecker/jsdiff/issues/180, https://github.com/kpdecker/jsdiff/issues/211 Location: Package overview From: `?` → `npm/mocha@11.7.5` → `npm/diff@7.0.0` ℹ Read more on: This package \| This alert \| What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/diff@7.0.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
See 85 more rows in the dashboard

View full report

dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 1, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump minimatch and mocha#5

Bump minimatch and mocha#5
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/npm_and_yarn/multi-829fc934ed

dependabot bot commented on behalf of github Mar 1, 2026

Uh oh!

socket-security bot commented Mar 1, 2026

Uh oh!

socket-security bot commented Mar 1, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot bot commented on behalf of github Mar 1, 2026

v11.7.5

11.7.5 (2025-11-04)

🩹 Fixes

🧹 Chores

v11.7.4

11.7.4 (2025-10-01)

🩹 Fixes

📚 Documentation

🧹 Chores

v11.7.3

11.7.3 (2025-09-30)

🩹 Fixes

📚 Documentation

🤖 Automation

11.7.5 (2025-11-04)

🩹 Fixes

🧹 Chores

11.7.4 (2025-10-01)

🩹 Fixes

📚 Documentation

🧹 Chores

11.7.3 (2025-09-30)

🩹 Fixes

📚 Documentation

🤖 Automation

Uh oh!

socket-security bot commented Mar 1, 2026

Uh oh!

socket-security bot commented Mar 1, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants