Skip to content

Bump the all-dependencies group across 1 directory with 32 updates#2144

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/all-dependencies-d1de4a9dbb
Open

Bump the all-dependencies group across 1 directory with 32 updates#2144
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/all-dependencies-d1de4a9dbb

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor

Bumps the all-dependencies group with 32 updates in the / directory:

Package From To
@amplitude/analytics-browser 2.23.7 2.44.4
@ledgerhq/hw-app-str 7.2.9 7.7.5
@ledgerhq/hw-transport-webhid 6.30.9 6.36.0
@next/third-parties 15.5.7 16.2.10
@sentry/nextjs 10.29.0 10.63.0
@stellar-expert/contract-wasm-interface-parser 4.1.0 5.0.1
@tanstack/react-query 5.87.4 5.101.2
@tanstack/react-query-devtools 5.87.4 5.101.2
@trezor/connect-web 9.6.4 9.7.3
bignumber.js 9.3.1 11.1.5
dompurify 3.2.6 3.4.11
html-react-parser 5.2.6 6.1.4
immer 10.1.3 11.1.11
lodash 4.17.21 4.18.1
@types/lodash 4.17.20 4.17.24
lossless-json 4.2.0 4.3.0
next 15.5.15 16.2.10
uuid 11.1.0 14.0.1
zustand-querystring 0.0.19 0.7.0
@next/eslint-plugin-next 15.5.3 16.2.10
@playwright/test 1.57.0 1.61.1
@types/node 24.3.1 26.1.0
@typescript-eslint/eslint-plugin 8.62.0 8.63.0
@typescript-eslint/parser 8.62.0 8.63.0
eslint 9.35.0 10.6.0
eslint-config-next 15.4.4 16.2.10
eslint-plugin-react-hooks 5.2.0 7.1.1
jest 30.2.0 30.4.2
lint-staged 16.1.6 17.0.8
prettier 3.6.2 3.9.4
sass 1.92.1 1.101.0
typescript 5.9.2 6.0.3

Updates @amplitude/analytics-browser from 2.23.7 to 2.44.4

Release notes

Sourced from @​amplitude/analytics-browser's releases.

@​amplitude/analytics-browser@​2.44.4

2.44.4 (2026-06-30)

Note: Version bump only for package @​amplitude/analytics-browser

@​amplitude/analytics-browser@​2.44.3

2.44.3 (2026-06-25)

Note: Version bump only for package @​amplitude/analytics-browser

@​amplitude/analytics-browser@​2.44.2

2.44.2 (2026-06-24)

Note: Version bump only for package @​amplitude/analytics-browser

@​amplitude/analytics-browser@​2.44.2-element-path-v1.0

2.44.2-element-path-v1.0 (2026-06-23)

Note: Version bump only for package @​amplitude/analytics-browser

Commits
  • b20abd0 chore(release): publish
  • 5c4d1d7 feat(session-replay-browser): custom transport hooks for authenticated proxie...
  • dbc4422 refactor(analytics-core): implement a Heartbeat class (#1837)
  • 9c90104 chore(release): publish
  • 93df7dc feat(analytics-react-native): Android native connectivity module + Robolectri...
  • 2055e0c test(analytics-react-native): native iOS XCTest coverage for connectivity mod...
  • e5638eb feat(analytics-react-native): iOS native connectivity module (SDKRN-5) [2/5] ...
  • 4235485 test(sr-react-native): add New Architecture verification example app (#1855)
  • 670111d feat(analytics-react-native): offline connectivity plugin + JS wiring (SDKRN-...
  • e49e8b6 feat(session-replay-react-native): add New Architecture support (#1854)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​amplitude/analytics-browser since your current version.


Updates @ledgerhq/hw-app-str from 7.2.9 to 7.7.5

Commits

Updates @ledgerhq/hw-transport-webhid from 6.30.9 to 6.36.0

Commits
  • 782f01b Merge release into main
  • e60462f chore(release): 🚀 prepare release [skip ci]
  • bbdd288 Merge pull request #19127 from LedgerHQ/lwd_410_release_notes
  • 5c97666 LWD 4.10 release notes
  • bace3e1 Merge pull request #19109 from LedgerHQ/support/qaa_release_fix_settings
  • 9b71dcf Merge pull request #19106 from LedgerHQ/support/qaa_fix_my_wallet_setting
  • 4e38e75 chore(prerelease): 🚀 release prerelease [LLD(4.10.0-next.6), LLM(4.10....
  • eec1dad Merge pull request #19098 from LedgerHQ/support/cherry-pick-ff-env-resolve-at...
  • 6a0d89f Merge pull request #19097 from LedgerHQ/support/release_fix_q1_w40
  • 98eb6d6 Merge pull request #19073 from LedgerHQ/fix/ff-env-flags-base-resolved
  • Additional commits viewable in compare view

Updates @next/third-parties from 15.5.7 to 16.2.10

Release notes

Sourced from @​next/third-parties's releases.

v16.2.10

Contains no changes except publishing @next/swc-wasm-web which was accidentally not published since 16.2.4.

v16.2.9

Empty release to ensure next@latest points at a stable release. Next.js only allows publishing with Trusted Publishing enabled. In order to fix NPM dist-tags, we have to release a new version. Updating dist-tags is not possible with Trusted Publishing.

v16.2.8

Release with no changes in an attempt to fix next@latest pointing at a prerelease version.

v16.2.7

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • Backport documentation fixes for v16.2 (#93804)
  • [backport] Patch playwright-core to resolve _finishedPromise on requestFailed (#93920)
  • [backport] Fix dev mode hydration failure when page is served from HTTP cache (#93492)
  • [backport] Fix catch-all router.query corruption with basePath + rewrites (#93917)
  • [backport] Encode non-ASCII characters in cache tags at construction (#93918)
  • [backport] Fix server action forwarding loop with middleware rewrites (#93919)
  • [backport] Turbopack: switch from base40 to base38 hash encoding (#93932)
  • [ci] Disable hanging node 24 typescript tests on 16.2 backport branch (#94164)
  • [backport] Fix "type: module" in project dir when using standalone or adapters (#94050)
  • [backport] Propagate adapter preferred regions (#94200)
  • [16.2.x] Don't drop FormData entries (#94240)
  • [backport] feat(turbopack): add LocalPathOrProjectPath PostCSS config resolution (#94284)

Credits

Huge thanks to @​eps1lon, @​icyJoseph, @​unstubbable, @​mischnic, @​bgw, @​timneutkens, and @​lukesandberg for helping!

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

Moderate:

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​next/third-parties since your current version.


Updates @sentry/nextjs from 10.29.0 to 10.63.0

Release notes

Sourced from @​sentry/nextjs's releases.

10.63.0

  • feat(browser): Add url.full attribute to resource spans (#21846)
  • feat(core): Add extendIntegration method (#21759)
  • feat(core): Add isTracingSuppressed to the async context strategy (#21785)
  • feat(core): Pass normalizedRequest to the sampling context for root spans (#21833)
  • feat(node): Add lru-memoizer diagnostics-channel integration to experimentalUseDiagnosticsChannelInjection (#21786)
  • feat(node): Expose channel-based, streamlined fastifyIntegration (#21706)
  • fix(browser): Defer sending session envelope until browser is idle (#21844)
  • fix(core): Improve waiting for tracing channel bindings (#21815)
  • fix(core): Serialize streamed span status message to sentry.status.message attribute (#21811)
  • fix(nextjs): Don't inject trace meta tags when Cache Components is enabled (#21141)
  • fix(opentelemetry): Strip leading ? and # from inferred http.query and http.fragment (#21848)
  • fix(tanstackstart-react): Drop server transactions for tunnel route requests (#21769)
  • chore: Add external contributor to CHANGELOG.md (#21832)
  • chore: Hoist transitive imports for bundles (#21858)
  • chore: Mark http.query/http.fragment stripping for v11 url.query migration (#21852)
  • docs: Use Cloudflare nodejs_compat flag (#21659)
  • feat(server-utils): Add lru-memoizer diagnostics-channel integration (#21786)
  • feat(server-utils): Expose channel-based, streamlined fastifyIntegration (#21706)
  • feat(server-utils): Restore caller context for callback tracing channels (#21863)
  • ref(core): Move spanStreamingIntegration setup into ServerRuntimeClient (#21814)
  • ref(node): Infer orchestrion integration names (#21834)
  • ref(node): Move node-fetch instrumentation away from InstrumentBase (#21778)
  • ref(node): Streamline Prisma instrumentation (v6 and v7) (#21819)
  • ref(node): Streamline vendored mysql instrumentation (#21568)
  • ref(server-utils): Ensure ts3.8 has diagnostics channel shim (#21845)
  • ref(server-utils): Move mysql orchestrion integration onto bindTracingChannelToSpan (#21865)
  • ref(server-utils): Set error attributes on span and simplify error info extraction (#21822)
  • test: Introduce .unordered in node-integration-tests (#21697)
  • test(cloudflare): Align CF types and compat flags (#21835)
  • test(e2e/hono): Isolate request-data extraction tests onto a dedicated route (#21869)
  • test(node-integration): Harden knex mysql2 healthcheck to fix flaky test (#21868)
  • test(node-integration-tests): Fix flaky postgresjs basic transaction/error ordering (#21870)
  • test(node-integration-tests): Retry transient docker compose up failures (#21860)
  • test(nuxt): Test mysql instrumentation with orchestrion bundler plugin (#21782)

Work in this release was contributed by @​suzunn. Thank you for your contribution!

Bundle size 📦

Path Size
@​sentry/browser 26.97 KB
@​sentry/browser - with treeshaking flags 25.44 KB

... (truncated)

Changelog

Sourced from @​sentry/nextjs's changelog.

10.63.0

  • feat(browser): Add url.full attribute to resource spans (#21846)
  • feat(core): Add extendIntegration method (#21759)
  • feat(core): Add isTracingSuppressed to the async context strategy (#21785)
  • feat(core): Pass normalizedRequest to the sampling context for root spans (#21833)
  • feat(node): Add lru-memoizer diagnostics-channel integration to experimentalUseDiagnosticsChannelInjection (#21786)
  • feat(node): Expose channel-based, streamlined fastifyIntegration (#21706)
  • fix(browser): Defer sending session envelope until browser is idle (#21844)
  • fix(core): Improve waiting for tracing channel bindings (#21815)
  • fix(core): Serialize streamed span status message to sentry.status.message attribute (#21811)
  • fix(nextjs): Don't inject trace meta tags when Cache Components is enabled (#21141)
  • fix(opentelemetry): Strip leading ? and # from inferred http.query and http.fragment (#21848)
  • fix(tanstackstart-react): Drop server transactions for tunnel route requests (#21769)
  • chore: Add external contributor to CHANGELOG.md (#21832)
  • chore: Hoist transitive imports for bundles (#21858)
  • chore: Mark http.query/http.fragment stripping for v11 url.query migration (#21852)
  • docs: Use Cloudflare nodejs_compat flag (#21659)
  • feat(server-utils): Add lru-memoizer diagnostics-channel integration (#21786)
  • feat(server-utils): Expose channel-based, streamlined fastifyIntegration (#21706)
  • feat(server-utils): Restore caller context for callback tracing channels (#21863)
  • ref(core): Move spanStreamingIntegration setup into ServerRuntimeClient (#21814)
  • ref(node): Infer orchestrion integration names (#21834)
  • ref(node): Move node-fetch instrumentation away from InstrumentBase (#21778)
  • ref(node): Streamline Prisma instrumentation (v6 and v7) (#21819)
  • ref(node): Streamline vendored mysql instrumentation (#21568)
  • ref(server-utils): Ensure ts3.8 has diagnostics channel shim (#21845)
  • ref(server-utils): Move mysql orchestrion integration onto bindTracingChannelToSpan (#21865)
  • ref(server-utils): Set error attributes on span and simplify error info extraction (#21822)
  • test: Introduce .unordered in node-integration-tests (#21697)
  • test(cloudflare): Align CF types and compat flags (#21835)
  • test(e2e/hono): Isolate request-data extraction tests onto a dedicated route (#21869)
  • test(node-integration): Harden knex mysql2 healthcheck to fix flaky test (#21868)
  • test(node-integration-tests): Fix flaky postgresjs basic transaction/error ordering (#21870)
  • test(node-integration-tests): Retry transient docker compose up failures (#21860)
  • test(nuxt): Test mysql instrumentation with orchestrion bundler plugin (#21782)

Work in this release was contributed by @​suzunn. Thank you for your contribution!

10.62.0

Important Changes

  • feat(server-runtimes): Add v7 support for vercelAiIntegration (#21613)

... (truncated)

Commits
  • 2362e9f release: 10.63.0
  • 5b51d5e Merge pull request #21874 from getsentry/prepare-release/10.63.0
  • 4e16503 meta(changelog): Update changelog for 10.63.0
  • 690f778 test(node-integration): Harden knex mysql2 healthcheck to fix flaky test (#21...
  • 429cdaf test(node-integration-tests): Fix flaky postgresjs basic transaction/error or...
  • 35998e6 test(e2e/hono): Isolate request-data extraction tests onto a dedicated route ...
  • 88e7ad5 feat(server-utils): Expose channel-based, streamlined fastifyIntegration (#...
  • e316151 ref(server-utils): Move mysql orchestrion integration onto bindTracingChannel...
  • e7c24a5 feat(server-utils): Restore caller context for callback tracing channels (#21...
  • bf21b16 fix(nextjs): Don't inject trace meta tags when Cache Components is enabled (#...
  • Additional commits viewable in compare view

Updates @stellar-expert/contract-wasm-interface-parser from 4.1.0 to 5.0.1

Commits
Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates @tanstack/react-query from 5.87.4 to 5.101.2

Release notes

Sourced from @​tanstack/react-query's releases.

@​tanstack/react-query-devtools@​5.101.2

Patch Changes

@​tanstack/react-query-next-experimental@​5.101.2

Patch Changes

  • Updated dependencies []:
    • @​tanstack/react-query@​5.101.2

@​tanstack/react-query-persist-client@​5.101.2

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-persist-client-core@​5.101.2
    • @​tanstack/react-query@​5.101.2

@​tanstack/react-query@​5.101.2

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.101.2

@​tanstack/react-query-devtools@​5.101.1

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-devtools@​5.101.1
    • @​tanstack/react-query@​5.101.1

@​tanstack/react-query-next-experimental@​5.101.1

Patch Changes

  • Updated dependencies []:
    • @​tanstack/react-query@​5.101.1

@​tanstack/react-query-persist-client@​5.101.1

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-persist-client-core@​5.101.1
    • @​tanstack/react-query@​5.101.1

@​tanstack/react-query@​5.101.1

Patch Changes

... (truncated)

Changelog

Sourced from @​tanstack/react-query's changelog.

5.101.2

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.101.2

5.101.1

Patch Changes

  • Updated dependencies [9eff92e]:
    • @​tanstack/query-core@​5.101.1

5.101.0

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.101.0

5.100.14

Patch Changes

  • fix(react-query): do not go into optimistic fetching state when not subscribed (#10759)

  • Updated dependencies []:

    • @​tanstack/query-core@​5.100.14

5.100.13

Patch Changes

  • Updated dependencies [d423168]:
    • @​tanstack/query-core@​5.100.13

5.100.12

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.100.12

5.100.11

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.100.11

... (truncated)

Commits
  • 610e8d1 ci: Version Packages (#10996)
  • 1f84256 docs: document the select typing caveat for parallel-queries hooks (#10984)
  • b809297 ci: Version Packages (#10977)
  • ccc843e test({react,preact}-query/useQueries): move type-only tests to 'useQueries.te...
  • 4154613 test({react,preact}-query/useMutation): split 'should handle conditional logi...
  • 8bb5fde test({react,preact}-query/useMutation): split 'should pass meta to mutation' ...
  • 87426a3 test(react-query): replace deprecated 'toBeCalledTimes' with 'toHaveBeenCalle...
  • feb1efd test(*): move 'vi.useRealTimers' to the end of 'afterEach' so cleanup runs un...
  • f3d8d2a ci: Version Packages (#10774)
  • 532bb29 fix(tests): disable local coverage instrumentation (#10776)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​tanstack/react-query since your current version.


Updates @tanstack/react-query-devtools from 5.87.4 to 5.101.2

Release notes

Sourced from @​tanstack/react-query-devtools's releases.

@​tanstack/react-query-devtools@​5.101.2

Patch Changes

@​tanstack/react-query-devtools@​5.101.1

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-devtools@​5.101.1
    • @​tanstack/react-query@​5.101.1

@​tanstack/react-query-devtools@​5.101.0

Patch Changes

@​tanstack/react-query-devtools@​5.100.14

Patch Changes

  • Updated dependencies [ed20b6d]:
    • @​tanstack/react-query@​5.100.14
    • @​tanstack/query-devtools@​5.100.14
Changelog

Sourced from @​tanstack/react-query-devtools's changelog.

5.101.2

Patch Changes

5.101.1

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-devtools@​5.101.1
    • @​tanstack/react-query@​5.101.1

5.101.0

Patch Changes

5.100.14

Patch Changes

  • Updated dependencies [ed20b6d]:
    • @​tanstack/react-query@​5.100.14
    • @​tanstack/query-devtools@​5.100.14

5.100.13

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-devtools@​5.100.13
    • @​tanstack/react-query@​5.100.13

5.100.12

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-devtools@​5.100.12
    • @​tanstack/react-query@​5.100.12

5.100.11

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​tanstack/react-query-devtools since your current version.


Updates @trezor/connect-web from 9.6.4 to 9.7.3

Release notes

Sourced from @​trezor/connect-web's releases.

v26.6.1@mobile

Trezor Suite 26.6.1 for Android is now available also on: https://data.trezor.io/suite/releases/mobile/v26.6.1

🚀 New features

  • A network filter is now available in the My Assets tab.
  • Solana transaction expiration is shown as a countdown while signing on device.
  • Internal ETH transfers now appear in the transaction list and detail view.
  • Tron support is now available to all users, out of experimental features.
  • DEX swaps are now available in mobile trading.
  • DEX swap token approval and revoke flow is now supported on mobile.
  • The Coins selection screen has been redesigned with Bitcoin backend settings included.
  • Unacquired devices now appear in the device switcher so you can switch back from Portfolio Tracker.

🎨 Improvements

  • Bitcoin is now included in phishing address detection when sending.
  • Contract address checks are now enforced on all EVM networks when sending.
  • The swap From asset picker now includes search and a network filter.
  • Payment method names are now localized on mobile trade screens.
  • The minimum Bitcoin fee rate for normal priority has been lowered to 0.2 sat/vB.
  • The Eject Wallets action now uses a clearer eject icon instead of a bookmark icon.
  • The caps lock indicator during passphrase entry is now clearer and more consistent.

🔧 Bug fixes

  • Fixed a biometric authentication bypass that allowed unauthenticated access to the app.
  • Fixed incorrect APY displayed for non-Everstake Cardano staking accounts.
  • Fixed staking transactions being created before the user confirms by tapping Stake.
  • Fixed the missing Review & Sign button when sending ETH on mobile.
  • Minor bugs and usability improvements across the app.

v26.5.1@mobile

Trezor Suite 26.5.1 for Android is now available also on: https://data.trezor.io/suite/releases/mobile/v26.5.1

🚀 New features

  • ERC-681 QR codes are now supported in the send form, making it easier to scan token transfer requests.
  • Concierge trading (OTC) is now available on mobile for large trades.
  • DEX swaps are now available on mobile.
  • Stablecoin yield positions are now visible in the Earn tab in view-only mode.
  • Token management has been improved, including better control over hidden tokens.
  • A congratulations screen now appears after completing device onboarding.
  • Device authenticity verification now includes MCU MLDSA support.
  • BIP329 labels can now be exported from mobile.
  • WalletConnect now warns when your account balance is insufficient before confirming a transaction.
  • Trading offers in the US are now separated by state for more accurate results.

🎨 Improvements

  • Address spacing can now be enabled or disabled for all networks.
  • The mobile trade form has been simplified for a cleaner experience.
  • Device onboarding no longer includes a redundant coin selection step.

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​trezor/connect-web since your current version.

Install script changes

This version modifies prepublish script that runs during installation. Review the package contents before updating.


Updates bignumber.js from 9.3.1 to 11.1.5

Release notes

Sourced from bignumber.js's releases.

v11.1.3

v11.1 adds a few useful improvements around formatting, parsing, rounding, and interoperability.

BigNumber.sum() now returns zero when called with no arguments, which makes patterns like BigNumber.sum(...arr) work cleanly even when the array is empty.

BigNumber.sum(...[]).toString()      // "0"

toBigInt() has been added, so BigNumber values can now be converted directly to native BigInt values.

new BigNumber("123.9").toBigInt(BigNumber.ROUND_DOWN)        // 123n

There is also a new BigNumber.fromFormat() method for parsing formatted strings back into BigNumber values.

const options =  {  prefix"€",  groupSeparator".",  decimalSeparator"," }
BigNumber.fromFormat("€1.234.567,89", options).toString()      // "1234567.89"

Negative decimal places are now supported by decimalPlaces(), toFixed(), and toFormat(), making it easier to round to tens, hundreds, and thousands etc.

new BigNumber("1234.5").toFormat(-2)      // "1,200"

toFormat() has also been expanded to support minimum and maximum decimal places, and per-call formatting options now fall back to the configured global FORMAT values for anything not explicitly overridden.

new BigNumber("12.3456789").toFormat([2, 5])      // "12.34568"

This release also includes a fix for slow hexadecimal integer base conversion when DECIMAL_PLACES is very large, plus improved TypeScript API test coverage.

Changelog

Sourced from bignumber.js's changelog.

11.1.5

  • 05/07/26
  • #409 toFraction returning a sub-optimal rational approximation.

11.1.4

  • 16/06/26
  • [BUGFIX] #407 Fix toFormat duplicating the fraction when groupSize is 0.

11.1.3

  • 05/06/26
  • #406 Fix EXPONENTIAL_AT default value documentation.

11.1.2

  • 30/05/26
  • [BUGFIX] #405 Fix invalid toFormat output for -0.

11.1.1

  • 02/05/26
  • Docs: fix version number and decimalPlaces API description.

11.1.0

  • 30/04/26
  • #401 BigNumber.sum: return zero if there are no arguments.
  • #352 Add toBigInt method.
  • #286 Add fromFormat method.
  • #262 decimalPlaces, toFixed and toFormat: support negative decimal places.
  • #260 toFormat: support minimum/maximum decimal places.
  • toFormat: fallback to FORMAT for each property not in options.
  • [BUGFIX] #342 Large DECIMAL_PLACES causing slow hex integer base conversion.
  • Typescript: add test_api.ts to improved typed API test coverage.

11.0.0

  • 14/04/26
  • Add STRICT configuration option: if true (default), throw an exception on invalid input. if false, return NaN on invalid input.
  • toFraction: return [1, 0] for Infinity and [0, 0] for NaN.
  • Support underscores as separators.
  • If a base is supplied, reject non-finite values and base prefixes.

10.0.2

  • 24/02/26

... (truncated)

Commits

Updates dompurify from 3.2.6 to 3.4.11

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.11

  • Fixed an issue with a leaky config for hooks via setConfig, thanks @​trace37labs
  • Bumped vulnerable development dependencies to arrive at plain 0 with npm audit
  • Updated the osv-scanner suppression list as no vulnerable dependencies are left for now
  • Updated up the linting tool-chain and removed now-redundant lint directives
  • Updated the documentation is several spots, README, wiki, etc.
  • Bumped several dependencies where possible

DOMPurify 3.4.10

  • Refactored codebase for clarity: extracted the public type declarations into types.ts
  • Decomposed the three largest sanitizer functions into focused helpers
  • Removed duplicated defaults and dead branches, consolidated SAFE_FOR_TEMPLATES scrubbing into single shared path
  • Improved per-node performance by hoisting the mXSS probe regexes and testing textContent before innerHTML
  • Added a deterministic micro-benchmark harness (npm run bench) with a --compare mode
  • Reduced CI cost by running the full three-engine browser suite once per PR
  • Refreshed the demos/ folder so every demo runs again, and added a SVG-via-<img> demo
  • Documented the bench and test:happydom scripts in the README
  • Completed the Attack Classes & Bypass History wiki page
  • Bumped several dependencies where possible
  • Description has been truncated

Bumps the all-dependencies group with 32 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@amplitude/analytics-browser](https://github.com/amplitude/Amplitude-TypeScript) | `2.23.7` | `2.44.4` |
| [@ledgerhq/hw-app-str](https://github.com/LedgerHQ/ledger-live) | `7.2.9` | `7.7.5` |
| [@ledgerhq/hw-transport-webhid](https://github.com/LedgerHQ/ledger-live) | `6.30.9` | `6.36.0` |
| [@next/third-parties](https://github.com/vercel/next.js/tree/HEAD/packages/third-parties) | `15.5.7` | `16.2.10` |
| [@sentry/nextjs](https://github.com/getsentry/sentry-javascript) | `10.29.0` | `10.63.0` |
| [@stellar-expert/contract-wasm-interface-parser](https://github.com/stellar-expert/contract-wasm-interface-parser) | `4.1.0` | `5.0.1` |
| [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query) | `5.87.4` | `5.101.2` |
| [@tanstack/react-query-devtools](https://github.com/TanStack/query/tree/HEAD/packages/react-query-devtools) | `5.87.4` | `5.101.2` |
| [@trezor/connect-web](https://github.com/trezor/trezor-suite) | `9.6.4` | `9.7.3` |
| [bignumber.js](https://github.com/MikeMcl/bignumber.js) | `9.3.1` | `11.1.5` |
| [dompurify](https://github.com/cure53/DOMPurify) | `3.2.6` | `3.4.11` |
| [html-react-parser](https://github.com/remarkablemark/html-react-parser) | `5.2.6` | `6.1.4` |
| [immer](https://github.com/immerjs/immer) | `10.1.3` | `11.1.11` |
| [lodash](https://github.com/lodash/lodash) | `4.17.21` | `4.18.1` |
| [@types/lodash](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/lodash) | `4.17.20` | `4.17.24` |
| [lossless-json](https://github.com/josdejong/lossless-json) | `4.2.0` | `4.3.0` |
| [next](https://github.com/vercel/next.js) | `15.5.15` | `16.2.10` |
| [uuid](https://github.com/uuidjs/uuid) | `11.1.0` | `14.0.1` |
| [zustand-querystring](https://github.com/nitedani/zustand-querystring) | `0.0.19` | `0.7.0` |
| [@next/eslint-plugin-next](https://github.com/vercel/next.js/tree/HEAD/packages/eslint-plugin-next) | `15.5.3` | `16.2.10` |
| [@playwright/test](https://github.com/microsoft/playwright) | `1.57.0` | `1.61.1` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `24.3.1` | `26.1.0` |
| [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) | `8.62.0` | `8.63.0` |
| [@typescript-eslint/parser](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser) | `8.62.0` | `8.63.0` |
| [eslint](https://github.com/eslint/eslint) | `9.35.0` | `10.6.0` |
| [eslint-config-next](https://github.com/vercel/next.js/tree/HEAD/packages/eslint-config-next) | `15.4.4` | `16.2.10` |
| [eslint-plugin-react-hooks](https://github.com/facebook/react/tree/HEAD/packages/eslint-plugin-react-hooks) | `5.2.0` | `7.1.1` |
| [jest](https://github.com/jestjs/jest/tree/HEAD/packages/jest) | `30.2.0` | `30.4.2` |
| [lint-staged](https://github.com/lint-staged/lint-staged) | `16.1.6` | `17.0.8` |
| [prettier](https://github.com/prettier/prettier) | `3.6.2` | `3.9.4` |
| [sass](https://github.com/sass/dart-sass) | `1.92.1` | `1.101.0` |
| [typescript](https://github.com/microsoft/TypeScript) | `5.9.2` | `6.0.3` |



Updates `@amplitude/analytics-browser` from 2.23.7 to 2.44.4
- [Release notes](https://github.com/amplitude/Amplitude-TypeScript/releases)
- [Commits](https://github.com/amplitude/Amplitude-TypeScript/compare/@amplitude/analytics-browser@2.23.7...@amplitude/analytics-browser@2.44.4)

Updates `@ledgerhq/hw-app-str` from 7.2.9 to 7.7.5
- [Release notes](https://github.com/LedgerHQ/ledger-live/releases)
- [Commits](https://github.com/LedgerHQ/ledger-live/commits/@ledgerhq/hw-app-str@7.7.5)

Updates `@ledgerhq/hw-transport-webhid` from 6.30.9 to 6.36.0
- [Release notes](https://github.com/LedgerHQ/ledger-live/releases)
- [Commits](https://github.com/LedgerHQ/ledger-live/compare/@ledgerhq/hw-transport-http@6.30.9...@ledgerhq/hw-transport-webhid@6.36.0)

Updates `@next/third-parties` from 15.5.7 to 16.2.10
- [Release notes](https://github.com/vercel/next.js/releases)
- [Commits](https://github.com/vercel/next.js/commits/v16.2.10/packages/third-parties)

Updates `@sentry/nextjs` from 10.29.0 to 10.63.0
- [Release notes](https://github.com/getsentry/sentry-javascript/releases)
- [Changelog](https://github.com/getsentry/sentry-javascript/blob/develop/CHANGELOG.md)
- [Commits](getsentry/sentry-javascript@10.29.0...10.63.0)

Updates `@stellar-expert/contract-wasm-interface-parser` from 4.1.0 to 5.0.1
- [Commits](https://github.com/stellar-expert/contract-wasm-interface-parser/commits)

Updates `@tanstack/react-query` from 5.87.4 to 5.101.2
- [Release notes](https://github.com/TanStack/query/releases)
- [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query/CHANGELOG.md)
- [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query@5.101.2/packages/react-query)

Updates `@tanstack/react-query-devtools` from 5.87.4 to 5.101.2
- [Release notes](https://github.com/TanStack/query/releases)
- [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query-devtools/CHANGELOG.md)
- [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query-devtools@5.101.2/packages/react-query-devtools)

Updates `@trezor/connect-web` from 9.6.4 to 9.7.3
- [Release notes](https://github.com/trezor/trezor-suite/releases)
- [Commits](https://github.com/trezor/trezor-suite/commits)

Updates `bignumber.js` from 9.3.1 to 11.1.5
- [Release notes](https://github.com/MikeMcl/bignumber.js/releases)
- [Changelog](https://github.com/MikeMcl/bignumber.js/blob/main/CHANGELOG.md)
- [Commits](MikeMcl/bignumber.js@v9.3.1...v11.1.5)

Updates `dompurify` from 3.2.6 to 3.4.11
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.2.6...3.4.11)

Updates `html-react-parser` from 5.2.6 to 6.1.4
- [Release notes](https://github.com/remarkablemark/html-react-parser/releases)
- [Changelog](https://github.com/remarkablemark/html-react-parser/blob/master/CHANGELOG.md)
- [Commits](remarkablemark/html-react-parser@v5.2.6...v6.1.4)

Updates `immer` from 10.1.3 to 11.1.11
- [Release notes](https://github.com/immerjs/immer/releases)
- [Commits](immerjs/immer@v10.1.3...v11.1.11)

Updates `lodash` from 4.17.21 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.18.1)

Updates `@types/lodash` from 4.17.20 to 4.17.24
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/lodash)

Updates `lossless-json` from 4.2.0 to 4.3.0
- [Changelog](https://github.com/josdejong/lossless-json/blob/main/CHANGELOG.md)
- [Commits](josdejong/lossless-json@v4.2.0...v4.3.0)

Updates `next` from 15.5.15 to 16.2.10
- [Release notes](https://github.com/vercel/next.js/releases)
- [Commits](vercel/next.js@v15.5.15...v16.2.10)

Updates `uuid` from 11.1.0 to 14.0.1
- [Release notes](https://github.com/uuidjs/uuid/releases)
- [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md)
- [Commits](uuidjs/uuid@v11.1.0...v14.0.1)

Updates `zustand-querystring` from 0.0.19 to 0.7.0
- [Release notes](https://github.com/nitedani/zustand-querystring/releases)
- [Commits](https://github.com/nitedani/zustand-querystring/commits)

Updates `@next/eslint-plugin-next` from 15.5.3 to 16.2.10
- [Release notes](https://github.com/vercel/next.js/releases)
- [Commits](https://github.com/vercel/next.js/commits/v16.2.10/packages/eslint-plugin-next)

Updates `@playwright/test` from 1.57.0 to 1.61.1
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](microsoft/playwright@v1.57.0...v1.61.1)

Updates `@types/lodash` from 4.17.20 to 4.17.24
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/lodash)

Updates `@types/node` from 24.3.1 to 26.1.0
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `@typescript-eslint/eslint-plugin` from 8.62.0 to 8.63.0
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.63.0/packages/eslint-plugin)

Updates `@typescript-eslint/parser` from 8.62.0 to 8.63.0
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/parser/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.63.0/packages/parser)

Updates `eslint` from 9.35.0 to 10.6.0
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](eslint/eslint@v9.35.0...v10.6.0)

Updates `eslint-config-next` from 15.4.4 to 16.2.10
- [Release notes](https://github.com/vercel/next.js/releases)
- [Commits](https://github.com/vercel/next.js/commits/v16.2.10/packages/eslint-config-next)

Updates `eslint-plugin-react-hooks` from 5.2.0 to 7.1.1
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/react/react/blob/main/packages/eslint-plugin-react-hooks/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/eslint-plugin-react-hooks@7.1.1/packages/eslint-plugin-react-hooks)

Updates `jest` from 30.2.0 to 30.4.2
- [Release notes](https://github.com/jestjs/jest/releases)
- [Changelog](https://github.com/jestjs/jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jestjs/jest/commits/v30.4.2/packages/jest)

Updates `lint-staged` from 16.1.6 to 17.0.8
- [Release notes](https://github.com/lint-staged/lint-staged/releases)
- [Changelog](https://github.com/lint-staged/lint-staged/blob/main/CHANGELOG.md)
- [Commits](lint-staged/lint-staged@v16.1.6...v17.0.8)

Updates `prettier` from 3.6.2 to 3.9.4
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](prettier/prettier@3.6.2...3.9.4)

Updates `sass` from 1.92.1 to 1.101.0
- [Release notes](https://github.com/sass/dart-sass/releases)
- [Changelog](https://github.com/sass/dart-sass/blob/main/CHANGELOG.md)
- [Commits](sass/dart-sass@1.92.1...1.101.0)

Updates `typescript` from 5.9.2 to 6.0.3
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Commits](microsoft/TypeScript@v5.9.2...v6.0.3)

---
updated-dependencies:
- dependency-name: "@amplitude/analytics-browser"
  dependency-version: 2.44.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@ledgerhq/hw-app-str"
  dependency-version: 7.7.5
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@ledgerhq/hw-transport-webhid"
  dependency-version: 6.36.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@next/third-parties"
  dependency-version: 16.2.10
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: "@sentry/nextjs"
  dependency-version: 10.63.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@stellar-expert/contract-wasm-interface-parser"
  dependency-version: 5.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: "@tanstack/react-query"
  dependency-version: 5.101.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@tanstack/react-query-devtools"
  dependency-version: 5.101.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@trezor/connect-web"
  dependency-version: 9.7.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: bignumber.js
  dependency-version: 11.1.5
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: dompurify
  dependency-version: 3.4.11
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: html-react-parser
  dependency-version: 6.1.4
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: immer
  dependency-version: 11.1.11
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@types/lodash"
  dependency-version: 4.17.24
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: lossless-json
  dependency-version: 4.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: next
  dependency-version: 16.2.10
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: uuid
  dependency-version: 14.0.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: zustand-querystring
  dependency-version: 0.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@next/eslint-plugin-next"
  dependency-version: 16.2.10
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: "@playwright/test"
  dependency-version: 1.61.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@types/lodash"
  dependency-version: 4.17.24
  dependency-type: direct:development
  update-type: version-update:semver-patch
  dependency-group: all-dependencies
- dependency-name: "@types/node"
  dependency-version: 26.1.0
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-version: 8.63.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@typescript-eslint/parser"
  dependency-version: 8.63.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: eslint
  dependency-version: 10.6.0
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: eslint-config-next
  dependency-version: 16.2.10
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: eslint-plugin-react-hooks
  dependency-version: 7.1.1
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: jest
  dependency-version: 30.4.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: lint-staged
  dependency-version: 17.0.8
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: prettier
  dependency-version: 3.9.4
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: sass
  dependency-version: 1.101.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: typescript
  dependency-version: 6.0.3
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: all-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jul 6, 2026
Copilot AI review requested due to automatic review settings July 6, 2026 21:49
@github-project-automation github-project-automation Bot moved this to Backlog (Not Ready) in DevX Jul 6, 2026

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

@chatgpt-codex-connector

Copy link
Copy Markdown

Codex usage limits have been reached for code reviews. Please check with the admins of this repo to increase the limits by adding credits.
Credits must be used to enable repository wide code reviews.

@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm @amplitude/plugin-custom-enrichment-browser is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yamlnpm/@amplitude/analytics-browser@2.44.4npm/@amplitude/plugin-custom-enrichment-browser@0.1.13

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@amplitude/plugin-custom-enrichment-browser@0.1.13. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @ethereumjs/rlp under MPL-2.0

Location: Package overview

From: pnpm-lock.yamlnpm/@trezor/connect-web@9.7.3npm/@creit.tech/stellar-wallets-kit@2.5.0npm/@trezor/connect-plugin-stellar@9.2.3npm/@ethereumjs/rlp@10.1.2

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ethereumjs/rlp@10.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @ethereumjs/tx under MPL-2.0

Location: Package overview

From: pnpm-lock.yamlnpm/@trezor/connect-web@9.7.3npm/@creit.tech/stellar-wallets-kit@2.5.0npm/@trezor/connect-plugin-stellar@9.2.3npm/@ethereumjs/tx@10.1.2

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ethereumjs/tx@10.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @ethereumjs/util under MPL-2.0

Location: Package overview

From: pnpm-lock.yamlnpm/@trezor/connect-web@9.7.3npm/@creit.tech/stellar-wallets-kit@2.5.0npm/@trezor/connect-plugin-stellar@9.2.3npm/@ethereumjs/util@10.1.2

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ethereumjs/util@10.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @sentry/cli under LicenseRef-FSL-1.1-MIT

License: LicenseRef-FSL-1.1-MIT - The applicable license policy does not permit this license (5) (package/LICENSE)

From: pnpm-lock.yamlnpm/@sentry/nextjs@10.63.0npm/@sentry/cli@2.58.6

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/cli@2.58.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @trezor/blockchain-link under LicenseRef-T-RSL

License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md)

From: pnpm-lock.yamlnpm/@trezor/connect-web@9.7.3npm/@creit.tech/stellar-wallets-kit@2.5.0npm/@trezor/connect-plugin-stellar@9.2.3npm/@trezor/blockchain-link@2.6.2

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/blockchain-link@2.6.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @trezor/connect-web under LicenseRef-T-RSL

License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md)

From: package.jsonnpm/@trezor/connect-web@9.7.3

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/connect-web@9.7.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @trezor/connect under LicenseRef-T-RSL

License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md)

From: pnpm-lock.yamlnpm/@trezor/connect-web@9.7.3npm/@creit.tech/stellar-wallets-kit@2.5.0npm/@trezor/connect-plugin-stellar@9.2.3npm/@trezor/connect@9.7.3

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/connect@9.7.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @trezor/transport under LicenseRef-T-RSL

License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md)

From: pnpm-lock.yamlnpm/@trezor/connect-web@9.7.3npm/@creit.tech/stellar-wallets-kit@2.5.0npm/@trezor/connect-plugin-stellar@9.2.3npm/@trezor/transport@1.6.3

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/transport@1.6.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm axe-core under MIT AND MPL-2.0

Location: Package overview

From: pnpm-lock.yamlnpm/eslint-config-next@16.2.10npm/axe-core@4.12.1

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axe-core@4.12.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm es-abstract is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yamlnpm/eslint-config-next@16.2.10npm/es-abstract@1.24.2

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/es-abstract@1.24.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm next

Location: Package overview

From: package.jsonnpm/next@16.2.10

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/next@16.2.10. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm typescript under MIT-Khronos-old

License: MIT-Khronos-old - The applicable license policy does not permit this license (5) (package/ThirdPartyNoticeText.txt)

License: LicenseRef-W3C-Community-Final-Specification-Agreement - The applicable license policy does not permit this license (5) (package/ThirdPartyNoticeText.txt)

From: package.jsonnpm/typescript@6.0.3

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/typescript@6.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm usb under GPL-1.0-only

License: GPL-1.0-only - The applicable license policy does not permit this license (5) (package/libusb/examples/ezusb.h)

License: GPL-1.0-only - The applicable license policy does not permit this license (5) (package/libusb/examples/ezusb.c)

License: GPL-1.0-only - The applicable license policy does not permit this license (5) (package/libusb/examples/fxload.c)

From: pnpm-lock.yamlnpm/@trezor/connect-web@9.7.3npm/@creit.tech/stellar-wallets-kit@2.5.0npm/@trezor/connect-plugin-stellar@9.2.3npm/usb@2.18.0

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/usb@2.18.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm yargs is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yamlnpm/jest@30.4.2npm/yargs@17.7.3

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/yargs@17.7.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

Status: Backlog (Not Ready)

Development

Successfully merging this pull request may close these issues.

1 participant