Bump minimatch, truffle and electron-builder

[dependabot]

Bumps minimatch to 3.1.5 and updates ancestor dependencies minimatch, truffle and electron-builder. These dependencies need to be updated together.

Updates minimatch from 3.0.4 to 3.1.5

Commits

• 7bba978 3.1.5
• bd25942 docs: add warning about ReDoS
• 1a9c27c fix partial matching of globstar patterns
• 1a2e084 3.1.4
• ae24656 update lockfile
• b100374 limit recursion for **, improve perf considerably
• 26ffeaa lockfile update
• 9eca892 lock node version to 14
• 00c323b 3.1.3
• 30486b2 update CI matrix and actions
• Additional commits viewable in compare view

Updates truffle from 5.1.20 to 5.11.5

Release notes

Sourced from truffle's releases.

v5.11.5 — Dessertressed

Hello all! Tiny release this week, just internal improvements and dependency updates. Thanks once again to @​legobeat for getting all of these! That's it for now!

How to upgrade

We recommend upgrading to the latest version of Truffle by running:

npm uninstall -g truffle npm install -g truffle 

Changelog

Internal improvements

• Enforce deduped lockfile when linting dependencies (#6193 by @​legobeat)

Dependency updates

• Deduplicate all dependencies and devDependencies (#6194 by @​legobeat)
• Dedupe and lockbump ethers, ethereumjs, web3 (#6192 by @​legobeat)
• Dedupe runtime libraries (#6191 by @​legobeat)
• Dedupe devDependencies and library packages (#6188 by @​legobeat)

v5.11.4 — Malted milk powder

Hello all! Not much this week, primarily just a bunch of internal improvements and dependency updates. 🏗️ Thanks to @​legobeat for getting a bunch of these! 🧱🥁 We've also updated the list of Sourcify networks, even though the fetcher no longer actually checks it.

That's it for now! 👋

How to upgrade

We recommend upgrading to the latest version of Truffle by running:

npm uninstall -g truffle npm install -g truffle 

Changelog

Enhancements

• Add new sourcify networks; fix problem with beam testnet (#6182 by @​haltman-at)

Internal improvements

• Remove gitHead field that snuck its way in (#6187 by @​haltman-at)
• Indicate Node.js supported versions (#6180 by @​legobeat)
• Pin nodejs 20 to 20.5 due to regression in 20.6 (#6186 by @​legobeat)

... (truncated)

Commits

• a26df1f Publish
• 9b23a59 devDeps: webpack@^5.73.0->^5.88.2
• 033fc64 Publish
• 4c80841 Merge pull request #6180 from legobeat/node-version
• 005ebb9 deps: semver@7.5.2->7.5.4
• 56cab73 chore: set engines.node in package manifests
• 3fa384f Publish
• 878725a Turn off mysteriously failing test (sorry)
• c519492 Update Ganache to 7.9.1
• a9ca7ea Publish
• Additional commits viewable in compare view

Updates electron-builder from 23.6.0 to 26.8.1

Release notes

Sourced from electron-builder's releases.

electron-builder@26.8.1

What's Changed

• fix: always use package key when reading from dependency list instead of package name by @​mmaietta in electron-userland/electron-builder#9583
• chore: add logging summary to end of node collector to flag any special cases/alerts by @​mmaietta in electron-userland/electron-builder#9587
• chore: adding tolerance threshold (within 10 bytes) to vitest snapshots to adjust for package manager instabilities by @​mmaietta in electron-userland/electron-builder#9591
• chore: update node_modules snapshots due to transitive fixture dependency changed by @​mmaietta in electron-userland/electron-builder#9592
• fix(appimage): fix mime type directory in AppDir by @​sabonerune in electron-userland/electron-builder#9589
• chore(deploy): Release (next) by @​electron-builder-release-bot[bot] in electron-userland/electron-builder#9585

Full Changelog: https://github.com/electron-userland/electron-builder/compare/electron-builder@26.8.0...electron-builder@26.8.1

electron-builder@26.8.0

What's Changed

• refactor: simplify YarnNodeModulesCollector by extending NpmNodeModulesCollector by @​beyondkmp in electron-userland/electron-builder#9506
• chore: adding settings to force LF line endings across mac+win by @​mmaietta in electron-userland/electron-builder#9559
• chore: Remove console logs for linux autoupdater platform check by @​Kilian in electron-userland/electron-builder#9561
• chore(tests-only): migrate to auto-sharding/balancing Vitest CI workflow by @​mmaietta in electron-userland/electron-builder#9565
• fix: quote tempBatFile path in cmd.exe args to support paths with spaces in electron-userland/electron-builder#9566
• chore(deps): update actions/checkout action to v6.0.2 by @​renovate[bot] in electron-userland/electron-builder#9552
• chore(tests): migrate to only programmatic vitest API by @​mmaietta in electron-userland/electron-builder#9571
• chore: resolve flaky functional tests by @​mmaietta in electron-userland/electron-builder#9572
• chore: change vitest sharding approach to be platform-specific time estimations by @​mmaietta in electron-userland/electron-builder#9576
• feat: updating win-codesign resources by @​mmaietta in electron-userland/electron-builder#9430
• chore: add additional e2e auto-update tests and support link: protocol by @​mmaietta in electron-userland/electron-builder#9578
• feat(appimage): support static appimage runtime by @​mmaietta in electron-userland/electron-builder#9558
• chore(deploy): Release (next) by @​electron-builder-release-bot[bot] in electron-userland/electron-builder#9556

New Contributors

• @​Copilot made their first contribution in electron-userland/electron-builder#9566

Full Changelog: https://github.com/electron-userland/electron-builder/compare/electron-builder@26.7.0...electron-builder@26.8.0

electron-builder@26.7.0

What's Changed

• feat: add size option to DmgOptions for explicit DMG filesystem size by @​BarakXYZ in electron-userland/electron-builder#9543
• chore(deps): update tar again -> v7.5.7 by @​mmaietta in electron-userland/electron-builder#9547
• fix: after-install.tpl: Fix stdio redirects in update-alternative invocation by @​joshtriplett in electron-userland/electron-builder#9536
• chore(deps): update actions/setup-node action to v6.2.0 by @​renovate[bot] in electron-userland/electron-builder#9553
• chore(deps): update actions/cache action to v5.0.3 by @​renovate[bot] in electron-userland/electron-builder#9554
• chore(deps): update actions/setup-python action to v6.2.0 by @​renovate[bot] in electron-userland/electron-builder#9555
• fix: restore duplicate dependency and workspace tree resolution by @​mmaietta in electron-userland/electron-builder#9548
• fix(updater): ignore releases with non-semver tags when collecting full changelog by @​AbdulrhmanGoni in electron-userland/electron-builder#9550
• feat(windows): capabilities by @​regnete in electron-userland/electron-builder#9437
• chore(deploy): Release (next) by @​electron-builder-release-bot[bot] in electron-userland/electron-builder#9549

New Contributors

• @​BarakXYZ made their first contribution in electron-userland/electron-builder#9543
• @​joshtriplett made their first contribution in electron-userland/electron-builder#9536
• @​AbdulrhmanGoni made their first contribution in electron-userland/electron-builder#9550

... (truncated)

Changelog

Sourced from electron-builder's changelog.

26.8.1

Patch Changes

4edd695 8940ec6 4edd695 dde4309

• app-builder-lib@26.8.1
• builder-util@26.8.1
• dmg-builder@26.8.1

26.8.0

Minor Changes

• Feat(win): adding support for latest artifacts for win-codesign tooling to be pulled from electron-builder-binaries [#9430](https://github.com/electron-userland/electron-builder/tree/HEAD/packages/electron-builder/issues/9430) 1b39a8e @​mmaietta

Patch Changes

cd7c0d9 c18f0eb 769b608 9ba36f9 1b113b7 1b39a8e

• app-builder-lib@26.8.0
• builder-util@26.8.0
• dmg-builder@26.8.0

26.7.0

Patch Changes

bfee115 3fa2d89 ec9e2db aec9157 64b40fe

... (truncated)

Commits

• 9418d2c chore(deploy): Release v26.8.1 (#9585)
• 3a3f439 chore(deploy): Release v26.8.0 (electron-updater@6.8.3) (#9556)
• 1b39a8e feat: adding additional toolsets support for win-codesign/windows-kits (#9430)
• f1c2ec3 chore(deploy): Release v26.7.0 (electron-updater@6.8.2) (#9549)
• e394e0c chore(deploy): Release v26.6.0 (#9531)
• 7b5901b chore(deploy): Release v26.5.0 (electron-updater@6.8.1) (#9503)
• 06de969 chore(deploy): Release v26.4.1 (electron-updater@6.8.0) (#9458)
• caf2cb2 chore(deploy): Release v26.4.0 (#9447)
• 85437a7 chore(deploy): Release v26.3.6 (#9433)
• 5f9c143 chore(deploy): Release v26.3.5 (electron-updater@6.7.3) (#9422)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for electron-builder since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	ganache-core@​2.13.1
	@​truffle/​decoder@​3.0.16
	@​truffle/​config@​1.2.17
	electron@​26.1.0
	electron-fetch@​1.7.3
	ganache@​7.9.1
	fs-extra@​10.1.0 ⏵ 9.0.0

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Protestware or unwanted behavior: npm es5-ext Note: The script attempts to run a local post-install script, which could potentially contain malicious code. The error handling suggests that it is designed to fail silently, which is a common tactic in malicious scripts. From: static/node/package-lock.json → npm/@truffle/decoder@3.0.16 → npm/es5-ext@0.10.62 ℹ Read more on: This package | This alert | What is protestware? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Consider that consuming this package may come along with functionality unrelated to its primary purpose. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/es5-ext@0.10.62. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Includes npm shrinkwrap: npm ganache-core Location: Package overview From: static/node/package-lock.json → npm/ganache-core@2.13.1 ℹ Read more on: This package | This alert | What is a shrinkwrap file? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should never use npm shrinkwrap files due to the dangers they pose. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ganache-core@2.13.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Includes npm shrinkwrap: npm ganache Location: Package overview From: static/node/package-lock.json → npm/ganache@7.9.1 ℹ Read more on: This package | This alert | What is a shrinkwrap file? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should never use npm shrinkwrap files due to the dangers they pose. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ganache@7.9.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		GitHub dependency: npm web3-eth-accounts depends on github:web3-js/scrypt-shim Dependency: scrypt-shim@github:web3-js/scrypt-shim Location: Package overview From: static/node/package-lock.json → npm/@truffle/decoder@3.0.16 → npm/web3-eth-accounts@1.2.2 ℹ Read more on: This package | This alert | What are GitHub dependencies? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Publish the GitHub dependency to a public or private package repository and consume it from there. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/web3-eth-accounts@1.2.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		GitHub dependency: npm web3-providers-ws depends on github:web3-js/WebSocket-Node Dependency: websocket@github:web3-js/WebSocket-Node@#polyfi Location: Package overview From: static/node/package-lock.json → npm/@truffle/decoder@3.0.16 → npm/web3-providers-ws@1.2.2 ℹ Read more on: This package | This alert | What are GitHub dependencies? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Publish the GitHub dependency to a public or private package repository and consume it from there. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/web3-providers-ws@1.2.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Git dependency: npm web3 depends on git+https://github.com/debris/bignumber.js.git#94d7146671b9719e00a09c29b01a691bc85048c2 Dependency: bignumber.js@git+https://github.com/debris/bignumber.js.git#94d7146671b9719e00a09c29b01a691bc85048c2 Location: Package overview From: static/node/package-lock.json → npm/@truffle/decoder@3.0.16 → npm/web3@0.18.4 ℹ Read more on: This package | This alert | What are git dependencies? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Publish the git dependency to a public or private package repository and consume it from there. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/web3@0.18.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Install-time scripts: npm @apollo/protobufjs during postinstall Install script: postinstall Source: node scripts/postinstall From: static/node/package-lock.json → npm/@apollo/protobufjs@1.2.6 ℹ Read more on: This package | This alert | What is an install script? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@apollo/protobufjs@1.2.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm @apollo/protobufjs in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: static/node/package-lock.json → npm/@apollo/protobufjs@1.2.6 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@apollo/protobufjs@1.2.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Install-time scripts: npm @apollo/protobufjs during postinstall Install script: postinstall Source: node scripts/postinstall From: static/node/package-lock.json → npm/@apollo/protobufjs@1.2.7 ℹ Read more on: This package | This alert | What is an install script? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@apollo/protobufjs@1.2.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm @apollo/protobufjs in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: static/node/package-lock.json → npm/@apollo/protobufjs@1.2.7 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@apollo/protobufjs@1.2.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm @apollo/usage-reporting-protobuf in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: static/node/package-lock.json → npm/@apollo/usage-reporting-protobuf@4.1.1 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@apollo/usage-reporting-protobuf@4.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm @ethersproject/providers in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: static/node/package-lock.json → npm/@ethersproject/providers@5.7.2 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ethersproject/providers@5.7.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm @ethersproject/providers in module net Module: net Location: Package overview From: static/node/package-lock.json → npm/@ethersproject/providers@5.7.2 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ethersproject/providers@5.7.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm @ethersproject/web in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: static/node/package-lock.json → npm/@truffle/config@1.2.17 → npm/@truffle/decoder@3.0.16 → npm/@ethersproject/web@5.7.1 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ethersproject/web@5.7.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm @ethersproject/web in module http Module: http Location: Package overview From: static/node/package-lock.json → npm/@truffle/config@1.2.17 → npm/@truffle/decoder@3.0.16 → npm/@ethersproject/web@5.7.1 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ethersproject/web@5.7.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm @ethersproject/web in module https Module: https Location: Package overview From: static/node/package-lock.json → npm/@truffle/config@1.2.17 → npm/@truffle/decoder@3.0.16 → npm/@ethersproject/web@5.7.1 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ethersproject/web@5.7.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm @redux-saga/core in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: static/node/package-lock.json → npm/@redux-saga/core@1.2.3 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@redux-saga/core@1.2.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Dynamic code execution: npm @truffle/abi-utils Eval Type: Function Location: Package overview From: static/node/package-lock.json → npm/@truffle/abi-utils@1.0.2 ℹ Read more on: This package | This alert | What is dynamic code execution? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@truffle/abi-utils@1.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm @truffle/db in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: static/node/package-lock.json → npm/@truffle/db@2.0.33 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@truffle/db@2.0.33. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm @truffle/decoder in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: static/node/package-lock.json → npm/@truffle/decoder@3.0.16 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@truffle/decoder@3.0.16. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm @truffle/events in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: static/node/package-lock.json → npm/@truffle/events@0.1.24 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@truffle/events@0.1.24. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm abortcontroller-polyfill in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: static/node/package-lock.json → npm/@truffle/config@1.2.17 → npm/@truffle/decoder@3.0.16 → npm/abortcontroller-polyfill@1.7.5 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/abortcontroller-polyfill@1.7.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm apollo-reporting-protobuf in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: static/node/package-lock.json → npm/apollo-reporting-protobuf@3.4.0 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/apollo-reporting-protobuf@3.4.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm apollo-server-core in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: static/node/package-lock.json → npm/apollo-server-core@3.12.0 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/apollo-server-core@3.12.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm apollo-server-core in module https Module: https Location: Package overview From: static/node/package-lock.json → npm/apollo-server-core@3.12.0 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/apollo-server-core@3.12.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm apollo-server-env in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: static/node/package-lock.json → npm/apollo-server-env@4.2.1 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/apollo-server-env@4.2.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
See 347 more rows in the dashboard

View full report