Action: Block
Obfuscated code: npm vite is 91.0% likely obfuscated
Confidence: 0.91
Location: Package overview
From: package-lock.json → npm/vite@8.0.0
ℹ Read more on: This package | This alert | What is obfuscated code?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/vite@8.0.0. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.

Action: Block
Network access: npm @emnapi/core in module globalThis["fetch"]
Module: globalThis["fetch"]
Location: Package overview
From: package-lock.json → npm/vite@8.0.0 → npm/@emnapi/core@1.9.0
ℹ Read more on: This package | This alert | What is network access?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@emnapi/core@1.9.0. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.

Action: Block
Dynamic code execution: npm @emnapi/core
Eval Type: Function
Location: Package overview
From: package-lock.json → npm/vite@8.0.0 → npm/@emnapi/core@1.9.0
ℹ Read more on: This package | This alert | What is dynamic code execution?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@emnapi/core@1.9.0. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.

Action: Block
Dynamic code execution: npm @emnapi/core
Eval Type: eval
Location: Package overview
From: package-lock.json → npm/vite@8.0.0 → npm/@emnapi/core@1.9.0
ℹ Read more on: This package | This alert | What is dynamic code execution?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@emnapi/core@1.9.0. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.

Action: Block
Dynamic code execution: npm @emnapi/runtime
Eval Type: Function
Location: Package overview
From: package-lock.json → npm/vite@8.0.0 → npm/@emnapi/runtime@1.9.0
ℹ Read more on: This package | This alert | What is dynamic code execution?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@emnapi/runtime@1.9.0. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.

Action: Block
Network access: npm @tybys/wasm-util in module globalThis["fetch"]
Module: globalThis["fetch"]
Location: Package overview
From: package-lock.json → npm/vite@8.0.0 → npm/@tybys/wasm-util@0.10.1
ℹ Read more on: This package | This alert | What is network access?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@tybys/wasm-util@0.10.1. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.

Action: Block
Network access: npm rolldown in module globalThis["fetch"]
Module: globalThis["fetch"]
Location: Package overview
From: package-lock.json → npm/vite@8.0.0 → npm/rolldown@1.0.0-rc.9
ℹ Read more on: This package | This alert | What is network access?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/rolldown@1.0.0-rc.9. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.

Action: Block
Minified code present: npm @emnapi/core with 100.0% likelihood
Confidence: 1.00
Location: Package overview
From: package-lock.json → npm/vite@8.0.0 → npm/@emnapi/core@1.9.0
ℹ Read more on: This package | This alert | What's wrong with minified code?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: In many cases minified code is harmless; however, minified code can be used to hide a supply chain attack. Consider not shipping minified code on npm.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@emnapi/core@1.9.0. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.

Action: Block
Environment variable access: npm @emnapi/core reads NODE_ENV
Env Vars: NODE_ENV
Location: Package overview
From: package-lock.json → npm/vite@8.0.0 → npm/@emnapi/core@1.9.0
ℹ Read more on: This package | This alert | What is environment variable access?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@emnapi/core@1.9.0. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.

Action: Block
Environment variable access: npm @emnapi/runtime reads NODE_ENV
Env Vars: NODE_ENV
Location: Package overview
From: package-lock.json → npm/vite@8.0.0 → npm/@emnapi/runtime@1.9.0
ℹ Read more on: This package | This alert | What is environment variable access?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@emnapi/runtime@1.9.0. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.

Action: Block
Minified code present: npm @emnapi/runtime with 100.0% likelihood
Confidence: 1.00
Location: Package overview
From: package-lock.json → npm/vite@8.0.0 → npm/@emnapi/runtime@1.9.0
ℹ Read more on: This package | This alert | What's wrong with minified code?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: In many cases minified code is harmless; however, minified code can be used to hide a supply chain attack. Consider not shipping minified code on npm.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@emnapi/runtime@1.9.0. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.

Action: Block
Environment variable access: npm @emnapi/wasi-threads reads NODE_ENV
Env Vars: NODE_ENV
Location: Package overview
From: package-lock.json → npm/vite@8.0.0 → npm/@emnapi/wasi-threads@1.2.0
ℹ Read more on: This package | This alert | What is environment variable access?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@emnapi/wasi-threads@1.2.0. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.

Action: Block
Minified code present: npm @emnapi/wasi-threads with 100.0% likelihood
Confidence: 1.00
Location: Package overview
From: package-lock.json → npm/vite@8.0.0 → npm/@emnapi/wasi-threads@1.2.0
ℹ Read more on: This package | This alert | What's wrong with minified code?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: In many cases minified code is harmless; however, minified code can be used to hide a supply chain attack. Consider not shipping minified code on npm.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@emnapi/wasi-threads@1.2.0. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.

Action: Block
Embedded URLs or IPs: npm @oxc-project/types with typescript.rs
URLs: typescript.rs
Location: Package overview
From: package-lock.json → npm/vite@8.0.0 → npm/@oxc-project/types@0.115.0
ℹ Read more on: This package | This alert | What are URL strings?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@oxc-project/types@0.115.0. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.

Action: Block
Environment variable access: npm @rolldown/binding-wasm32-wasi
Location: Package overview
From: package-lock.json → npm/vite@8.0.0 → npm/@rolldown/binding-wasm32-wasi@1.0.0-rc.9
ℹ Read more on: This package | This alert | What is environment variable access?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@rolldown/binding-wasm32-wasi@1.0.0-rc.9. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|

Action: Block
Env Vars: NAPI_RS_ASYNC_WORK_POOL_SIZE
Location: Package overview
From: package-lock.json → npm/vite@8.0.0 → npm/@rolldown/binding-wasm32-wasi@1.0.0-rc.9
ℹ Read more on: This package | This alert | What is environment variable access?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@rolldown/binding-wasm32-wasi@1.0.0-rc.9. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|

Action: Block
Env Vars: UV_THREADPOOL_SIZE
Location: Package overview
From: package-lock.json → npm/vite@8.0.0 → npm/@rolldown/binding-wasm32-wasi@1.0.0-rc.9
ℹ Read more on: This package | This alert | What is environment variable access?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@rolldown/binding-wasm32-wasi@1.0.0-rc.9. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|

Action: Block
Notes: This loader establishes a Node.js WASI/worker environment that: 1) passes the entire host process.env into the WASI instance (exposing all environment variables, including secrets, to loaded modules); 2) preopens the filesystem root (granting broad file read/write access under the host’s root directory); and 3) implements importScripts via synchronous fs.readFileSync + eval (allowing any local JS file to be executed in the loader context). If an untrusted or compromised WASM module or script is provided, it can read sensitive environment variables, access or modify arbitrary files, and execute arbitrary JavaScript—posing a moderate security risk. Recommended mitigations: restrict WASI preopens to a minimal directory, limit or sanitize environment variables passed into WASI, and replace or sandbox the eval-based importScripts mechanism.
Confidence: 1.00
Severity: 0.60
From: package-lock.json → npm/vite@8.0.0 → npm/@rolldown/binding-wasm32-wasi@1.0.0-rc.9
ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@rolldown/binding-wasm32-wasi@1.0.0-rc.9. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.

Action: Block
Potential code anomaly (AI signal): npm @rolldown/binding-wasm32-wasi is 100.0% likely to have a medium risk anomaly
Notes: The JS loader is not itself executing obvious malicious JavaScript (no eval, no external network calls, no hard-coded credentials). However it intentionally grants a WebAssembly module broad privileges: it passes the full process.env into WASI and the worker, and preopens the host filesystem root so the wasm can access the filesystem. It also forwards worker messages into a filesystem proxy function. These design choices make running an untrusted or tampered-with wasm binary dangerous: a malicious wasm could read environment variables, enumerate and modify host files, and exfiltrate data via any network capability inside the wasm or worker. Therefore the module should be treated as high-risk if the wasm artifact (local file or npm package) is not from a trusted source. Recommended mitigations: avoid preopening the root (limit to specific directories), avoid passing full process.env, validate integrity of the wasm binary (signing/checksums), and avoid installing untrusted package replacements.
Confidence: 1.00
Severity: 0.60
From: package-lock.json → npm/vite@8.0.0 → npm/@rolldown/binding-wasm32-wasi@1.0.0-rc.9
ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@rolldown/binding-wasm32-wasi@1.0.0-rc.9. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
 |
Environment variable access: npm @tybys/wasm-util reads NODE_ENV
Env Vars: NODE_ENV
Location: Package overview
From: package-lock.json → npm/vite@8.0.0 → npm/@tybys/wasm-util@0.10.1
ℹ Read more on: This package | This alert | What is environment variable access?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@tybys/wasm-util@0.10.1. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
 |
Environment variable access: npm @tybys/wasm-util reads NODE_DEBUG_NATIVE
Env Vars: NODE_DEBUG_NATIVE
Location: Package overview
From: package-lock.json → npm/vite@8.0.0 → npm/@tybys/wasm-util@0.10.1
ℹ Read more on: This package | This alert | What is environment variable access?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/@tybys/wasm-util@0.10.1. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
 |
Environment variable access: npm rolldown reads NAPI_RS_NATIVE_LIBRARY_PATH
Env Vars: NAPI_RS_NATIVE_LIBRARY_PATH
Location: Package overview
From: package-lock.json → npm/vite@8.0.0 → npm/rolldown@1.0.0-rc.9
ℹ Read more on: This package | This alert | What is environment variable access?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/rolldown@1.0.0-rc.9. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
 |
Environment variable access: npm rolldown
Env Vars: NAPI_RS_ENFORCE_VERSION_CHECK
Location: Package overview
From: package-lock.json → npm/vite@8.0.0 → npm/rolldown@1.0.0-rc.9
ℹ Read more on: This package | This alert | What is environment variable access?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/rolldown@1.0.0-rc.9. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
 |
Environment variable access: npm rolldown reads NAPI_RS_FORCE_WASI
Env Vars: NAPI_RS_FORCE_WASI
Location: Package overview
From: package-lock.json → npm/vite@8.0.0 → npm/rolldown@1.0.0-rc.9
ℹ Read more on: This package | This alert | What is environment variable access?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/rolldown@1.0.0-rc.9. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
| Block |
 |
Environment variable access: npm rolldown
Location: Package overview
From: package-lock.json → npm/vite@8.0.0 → npm/rolldown@1.0.0-rc.9
ℹ Read more on: This package | This alert | What is environment variable access?
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/rolldown@1.0.0-rc.9. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.

See 6 more rows in the dashboard