CVE: GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary (CRITICAL)

Affected versions: < 2.5.4; >= 3.0.0 < 3.0.4; >= 4.0.0 < 4.0.4

Patched version: 4.0.4

From: package-lock.json → npm/form-data@4.0.1

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/form-data@4.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Notes: This is a session-replay / DOM-capture library that intentionally collects detailed page state (DOM, canvas bitmaps, user interactions), persists them locally, compresses, and sends them to Amplitude session-replay endpoints. The behavior is expected for such SDKs. The primary security concern is privacy/data exfiltration: if misconfigured or used without user consent, the library can capture sensitive inputs and page content. No evidence of traditional malware (reverse shell, arbitrary remote code execution, eval-based payloads) was found in the provided fragment. Recommendations: only use from trusted package sources, ensure masking/ignore selectors are tightly configured (especially for inputs and sensitive CSS selectors), review remote config behavior (it fetches sampling/privacy config), consider privacy/legal implications (consent), and monitor network endpoints and API keys.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@amplitude/plugin-session-replay-browser@1.8.2 → npm/@amplitude/session-replay-browser@1.15.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@amplitude/session-replay-browser@1.15.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Notes: The code implements a standard SourceMap remapping mechanism. There is no inherent malicious behavior or backdoor within the shown fragment. The only potential risk lies in the use of the user-supplied loader callback, which could be misused by a project integrating this library. If the loader is trusted and sandboxed, the code poses no evident security threats. Overall, the security risk is moderate due to loader trust requirements.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@babel/core@7.23.7 → npm/@ampproject/remapping@2.2.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ampproject/remapping@2.2.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Notes: The code is a conventional, loader-driven Source Map remapping utility. It exhibits a legitimate trust boundary at the loader. No intrinsic malware present; security concerns hinge on loader trust and content exposure. Recommend reviewing loader implementations and ensuring options properly redact or restrict sourcesContent when distributing SourceMaps.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@babel/core@7.23.7 → npm/@ampproject/remapping@2.2.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ampproject/remapping@2.2.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Notes: The analyzed code segment is a standard RPC service wrapper (protobufjs style) with conventional input validation, encoding/decoding, event emission, and end handling. No malicious behavior is evident, and there are no observable security vulnerabilities beyond ordinary library-level error handling. It does not exhibit data exfiltration, backdoors, or other anti-security patterns.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@apollo/protobufjs@1.2.7

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@apollo/protobufjs@1.2.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Notes: The source code contains hardcoded sensitive credentials and cryptographic material that are directly exported, posing a high security risk if used in production or published publicly. There is no evidence of malware or obfuscation, but the insecure practice of embedding plaintext passwords and keys in source code can lead to credential leakage and compromise. It is strongly recommended to remove hardcoded secrets, implement secure credential management, and restrict exposure of sensitive data.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@audius/hedgehog@3.0.0-alpha.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@audius/hedgehog@3.0.0-alpha.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Notes: The analyzed code fragment is a standard Babel core error handling and code-frame rendering utility. It reads internal node and code data to produce informative errors but does not perform any suspicious network activity, data exfiltration, or backdoor behavior. The observed behavior is typical for a compiler/transpiler component and, in this isolated context, does not indicate malicious activity.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@babel/core@7.23.7

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/core@7.23.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Notes: The analyzed fragment implements a conventional file transformation entry point with no evident malicious behavior or hard-coded secrets. Security concerns depend on the downstream transformation logic (run) and configuration loading (loadConfig). The code maintains safe control flow (null config handling) and avoids arbitrary code execution within this scope.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@babel/core@7.23.7

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/core@7.23.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Notes: The code is a legitimate, static-code transformation utility used in Babel to ensure proper behavior of ES module bindings after transforms. There is no evidence of malicious behavior, data leakage, or external communications within this fragment. It operates purely on AST-level transformations consistent with module import/export handling.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@babel/helper-module-transforms@7.27.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helper-module-transforms@7.27.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Notes: The analyzed fragment is a conventional Babel/TypeScript-style decorators runtime (applyDecs) responsible for applying decorators to class members and managing metadata and initializers. There is no evidence of malware, backdoors, or external data leakage within this module. While complex, the code behaves as a metadata-driven decorator processor and should be considered low risk when used as intended. Downstream risks depend on the decorators provided by consumers, not this utility itself.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@babel/helpers@7.27.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helpers@7.27.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Notes: The code is a standard Babel plugin fragment that configures syntax support for TypeScript by manipulating parser plugins. There is no malicious logic, no data exfiltration, and no unsafe operations. It appears to be a legitimate helper for enabling TypeScript syntax in Babel pipelines.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@babel/preset-typescript@7.22.15 → npm/@babel/plugin-syntax-typescript@7.27.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/plugin-syntax-typescript@7.27.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Notes: Selected report 1 provides a thorough evaluation of decorator-related runtime utilities and concludes low risk with potential for finishers to alter constructors if used with untrusted inputs. The improved assessment confirms normal, expected behavior for Babel decorator infrastructure and notes that the primary risk lies in the finishers channel if untrusted code is supplied. Security risk remains low to moderate depending on input provenance; malware likelihood is negligible based on the fragment.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@changesets/cli@2.27.1 → npm/@babel/runtime@7.24.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/runtime@7.24.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Notes: The fragment represents a standard, legitimate OTA update mechanism for React Native, with normal update orchestration, user prompts, retry/rollback, and status reporting. There is no obvious malicious behavior or backdoor within this code fragment. The main security considerations relate to the integrity and authenticity of updates, secure transport, and the security of the native bridge implementation. Overall risk is moderate due to remote updates, but not due to internal malicious code in this snippet.

Confidence: 0.75

Severity: 0.55

From: package-lock.json → npm/@bravemobile/react-native-code-push@12.3.2

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@bravemobile/react-native-code-push@12.3.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Notes: The code fragment appears to be a part of a larger project related to CLI interactions and logging. The heavy obfuscation, incomplete functions, and potential untrusted input handling raise concerns about its security and reliability.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@clack/prompts@0.7.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@clack/prompts@0.7.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Notes: The fragment is consistent with a legitimate source-map support utility (likely source-map-support) used to enhance debugging by resolving and applying source maps. While it performs long-lived network/file I/O and intensively manipulates error reporting, there is no concrete evidence of malicious activity or data exfiltration beyond what such debugging tooling normally performs. The security risk is modest and largely dependent on trust in remote map sources and logging practices.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@cspotcode/source-map-support@0.8.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@cspotcode/source-map-support@0.8.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Notes: Overall, this code fragment is a standard and legitimate binding/runtime infrastructure for Node.js native addon interoperability (EMNAPI). There is no evidence of data exfiltration, remote control, backdoors, or malware behavior within this snippet. The primary security considerations relate to the complexity and correct handling of finalizers, weak references, and policy-driven warning paths; misconfiguration or misuse by host applications could introduce risk, but the code itself does not demonstrate malicious activity.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@emnapi/runtime@1.5.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/runtime@1.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Notes: The analyzed fragment is a legitimate part of Emotion’s CSS-in-JS cache that manages hydration of server-rendered styles and style insertion. It does not exhibit malicious behavior or supply chain exploits within this snippet. The security risk is low to moderate (primarily DOM manipulation, which is expected for a UI library), with no evident data leakage or external communications.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@emotion/css@11.13.5 → npm/@emotion/react@11.14.0 → npm/@emotion/cache@11.14.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emotion/cache@11.14.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Notes: Overall, this is a standard, non-malicious portion of the Emotion styling library. No evidence of backdoors, credential theft, or external network/data exfiltration. The primary risk vector is the CSS-in-DOM injection path via dangerouslySetInnerHTML, which is expected but should be reviewed in the context of trusted inputs. Security posture is low-to-moderate; no immediate danger, but maintain caution with user-supplied template literals and ensure dependencies are trusted.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@emotion/styled@11.14.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emotion/styled@11.14.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Notes: The code appears to be a standard, well-scoped progress-event utility used to report progress (upload/download) to a consumer listener. It reads input from the event object and computes metrics, then forwards a structured payload to a listener. A minor data exposure risk exists due to passing the raw event object to the listener; mitigations include sanitizing the payload or removing the event object before emission. Overall security risk remains modest, with malware likelihood negligible in this isolated module.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/axios@1.7.4

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.7.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Notes: The code is a legitimate, self-contained throttling transformer designed for Axios-like streaming workflows. It throttles data output based on maxRate and timeWindow, preserves data integrity by splitting chunks when necessary, and emits optional progress telemetry. No malicious activity or data leakage is detected in this fragment. Security risk remains moderate due to throttling complexity and potential misconfiguration in real deployments, but the module itself does not introduce obvious security flaws.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/axios@1.7.4

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.7.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Notes: The analyzed code is a straightforward content-cache retrieval and streaming utility. It reads from a cache using an index, supports digest-based access, and optionally memoizes results. There is no evidence of malicious behavior, data exfiltration, backdoors, or external network activity within this module. The security risk appears low, assuming the surrounding system properly manages cache integrity and does not expose untrusted cache contents without validation.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/cacache@18.0.4

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/cacache@18.0.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Notes: The code represents a standard Commander-like CLI framework with dynamic subcommand execution via spawning local executables. It is not inherently malicious, but the external-executable dispatch mechanism introduces a legitimate supply-chain risk: untrusted or misconfigured subcommands can execute arbitrary local code. Recommend tightening executable discovery (absolute trusted paths only, explicit allowlists), validating subcommand targets before spawning, and ensuring regular security reviews of any projects using this pattern.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/commander@5.1.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/commander@5.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.