chore(deps): Bump on-headers, compression and morgan

[dependabot]

Bumps on-headers to 1.1.0 and updates ancestor dependencies on-headers, compression and morgan. These dependencies need to be updated together.

Updates on-headers from 1.0.2 to 1.1.0

Release notes

Sourced from on-headers's releases.

1.1.0

Important

• Fix CVE-2025-7339 (GHSA-76c9-3jph-rj3q)

What's Changed

• Migrate CI pipeline to GitHub actions by @​carpasse in jshttp/on-headers#12
• fix README.md badges by @​carpasse in jshttp/on-headers#13
• add OSSF scorecard action by @​carpasse in jshttp/on-headers#14
• fix: use ubuntu-latest as ci runner by @​UlisesGascon in jshttp/on-headers#19
• ci: apply OSSF Scorecard security best practices by @​UlisesGascon in jshttp/on-headers#20
• 👷 add upstream change detection by @​ctcpip in jshttp/on-headers#31
• ✨ add script to update known hashes by @​ctcpip in jshttp/on-headers#32
• 💚 update CI - add newer node versions by @​ctcpip in jshttp/on-headers#33

New Contributors

• @​carpasse made their first contribution in jshttp/on-headers#12
• @​UlisesGascon made their first contribution in jshttp/on-headers#19
• @​ctcpip made their first contribution in jshttp/on-headers#31

Full Changelog: jshttp/on-headers@v1.0.2...v1.1.0

Changelog

Sourced from on-headers's changelog.

1.1.0 / 2025-07-17

• Fix CVE-2025-7339 (GHSA-76c9-3jph-rj3q)

Commits

• 4b017af 1.1.0
• b636f2d ♻️ refactor header array code
• 3e2c2d4 ✨ ignore falsy header keys, matching node behavior
• 172eb41 ✨ support duplicate headers
• c6e3849 🔒️ fix array handling
• 6893518 💚 update CI - add newer node versions
• 56a345d ✨ add script to update known hashes
• 175ab21 👷 add upstream change detection (#31)
• ce0b2c8 ci: apply OSSF Scorecard security best practices (#20)
• 1a38c54 fix: use ubuntu-latest as ci runner (#19)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for on-headers since your current version.

Updates compression from 1.7.4 to 1.8.1

Release notes

Sourced from compression's releases.

v1.8.1

What's Changed

• fix(docs): update multiple links from http to https by @​Phillip9587 in expressjs/compression#222
• ci: add dependabot for github actions by @​bjohansebas in expressjs/compression#207
• build(deps): bump github/codeql-action from 2.23.2 to 3.28.15 by @​dependabot[bot] in expressjs/compression#228
• build(deps): bump ossf/scorecard-action from 2.3.1 to 2.4.1 by @​dependabot[bot] in expressjs/compression#229
• build(deps-dev): bump eslint-plugin-import from 2.26.0 to 2.31.0 by @​dependabot[bot] in expressjs/compression#230
• build(deps-dev): bump supertest from 6.2.3 to 6.3.4 by @​dependabot[bot] in expressjs/compression#231
• [StepSecurity] ci: Harden GitHub Actions by @​step-security-bot in expressjs/compression#235
• build(deps): bump github/codeql-action from 3.28.15 to 3.29.2 by @​dependabot[bot] in expressjs/compression#243
• build(deps): bump actions/upload-artifact from 4.3.1 to 4.6.2 by @​dependabot[bot] in expressjs/compression#239
• build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 by @​dependabot[bot] in expressjs/compression#240
• build(deps): bump actions/checkout from 4.1.1 to 4.2.2 by @​dependabot[bot] in expressjs/compression#241
• build(deps-dev): bump eslint-plugin-import from 2.31.0 to 2.32.0 by @​dependabot[bot] in expressjs/compression#244
• deps: on-headers@1.1.0 by @​UlisesGascon in expressjs/compression#246
• Release: 1.8.1 by @​UlisesGascon in expressjs/compression#247

New Contributors

• @​dependabot[bot] made their first contribution in expressjs/compression#228
• @​step-security-bot made their first contribution in expressjs/compression#235

Full Changelog: expressjs/compression@1.8.0...v1.8.1

v1.8.0

What's Changed

• Refactor chunkLength function for improved readability and consistency by @​Ayoub-Mabrouk in expressjs/compression#203
• Refactor toBuffer function to simplify buffer check logic by @​Ayoub-Mabrouk in expressjs/compression#201
• ci: add CodeQL (SAST) by @​bjohansebas in expressjs/compression#204
• Use headersSent instead of _header by @​maritz in expressjs/compression#129
• Bugfix/use write head instead of implicit header by @​Icehunter in expressjs/compression#170
• feat: add default option by @​bjohansebas in expressjs/compression#191
• ci: update ci workflow by @​bjohansebas in expressjs/compression#206
• feat: support for brotli by @​bjohansebas in expressjs/compression#194
• docs: improve readme by @​bjohansebas in expressjs/compression#209
• docs: keywords field by @​bjohansebas in expressjs/compression#210
• refactor: simplify encoding negotiation logic by @​bjohansebas in expressjs/compression#213

New Contributors

• @​Ayoub-Mabrouk made their first contribution in expressjs/compression#203
• @​maritz made their first contribution in expressjs/compression#129
• @​Icehunter made their first contribution in expressjs/compression#170

Full Changelog: expressjs/compression@1.7.5...v1.8.0

1.7.5

What's Changed

• chore: add support for OSSF scorecard reporting by @​inigomarquinez in expressjs/compression#186
• ci: fix errors in ci github action for node 8 and 9 by @​inigomarquinez in expressjs/compression#187
• docs: fix spelling by @​dijonkitchen in expressjs/compression#174
• deps: bytes@3.1.2 by @​bjohansebas in expressjs/compression#192

... (truncated)

Changelog

Sourced from compression's changelog.

1.8.1 / 2025-07-17

• deps: on-headers@~1.1.0
  • Fix CVE-2025-7339 (GHSA-76c9-3jph-rj3q)

1.8.0 / 2025-02-10

• Use res.headersSent when available
• Replace _implicitHeader with writeHead property
• add brotli support for versions of node that support it
• Add the enforceEncoding option for requests without Accept-Encoding header

1.7.5 / 2024-10-31

• deps: Replace accepts with negotiator@~0.6.4
  • Add preference option
• deps: bytes@3.1.2
  • Add petabyte (pb) support
  • Fix "thousandsSeparator" incorrecting formatting fractional part
  • Fix return value for un-parsable strings
• deps: compressible@~2.0.18
  • Mark font/ttf as compressible
  • Remove compressible from multipart/mixed
  • deps: mime-db@'>= 1.43.0 < 2'
• deps: safe-buffer@5.2.1

Commits

• 83a0c45 1.8.1
• ce62713 deps: on-headers@1.1.0 (#246)
• f4acb23 build(deps-dev): bump eslint-plugin-import from 2.31.0 to 2.32.0 (#244)
• 6eaebe6 build(deps): bump actions/checkout from 4.1.1 to 4.2.2 (#241)
• 37e0623 build(deps): bump ossf/scorecard-action from 2.4.1 to 2.4.2 (#240)
• bc436b2 build(deps): bump actions/upload-artifact from 4.3.1 to 4.6.2 (#239)
• 2f9f572 build(deps): bump github/codeql-action from 3.28.15 to 3.29.2 (#243)
• 5f13b14 [StepSecurity] ci: Harden GitHub Actions (#235)
• 76e0945 build(deps-dev): bump supertest from 6.2.3 to 6.3.4 (#231)
• ae6ee80 build(deps-dev): bump eslint-plugin-import from 2.26.0 to 2.31.0 (#230)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for compression since your current version.

Updates morgan from 1.10.0 to 1.10.1

Release notes

Sourced from morgan's releases.

1.10.1

What's Changed

• renaming simple to sample in readme by @​ryhinchey in expressjs/morgan#237
• adding installation instructions to readme by @​ryhinchey in expressjs/morgan#233
• chore: add support for OSSF scorecard reporting by @​inigomarquinez in expressjs/morgan#291
• ci: replace travis with github actions by @​inigomarquinez in expressjs/morgan#290
• docs: add example output for log formats by @​jonchurch in expressjs/morgan#299
• ci: use ubuntu-latest by @​bjohansebas in expressjs/morgan#301
• ci: apply OSSF Scorecard security best practices by @​UlisesGascon in expressjs/morgan#300
• remove --bail by @​jonchurch in expressjs/morgan#314
• ⬆️ bump on-headers by @​ctcpip in expressjs/morgan#319

New Contributors

• @​inigomarquinez made their first contribution in expressjs/morgan#291
• @​jonchurch made their first contribution in expressjs/morgan#299
• @​bjohansebas made their first contribution in expressjs/morgan#301
• @​UlisesGascon made their first contribution in expressjs/morgan#300
• @​ctcpip made their first contribution in expressjs/morgan#319

Full Changelog: expressjs/morgan@1.10.0...1.10.1

Changelog

Sourced from morgan's changelog.

1.10.1 / 2025-07-17

• deps: on-headers@~1.1.0
  • Fix CVE-2025-7339 (GHSA-76c9-3jph-rj3q)

Commits

• c1c7f10 🔖 1.10.1
• eb896c2 ⬆️ bump on-headers
• 1c3eec6 remove --bail (#314)
• b144728 ci: apply OSSF Scorecard security best practices (#300)
• 68c2d21 ci: use ubuntu-latest (#301)
• 8740a19 docs: add example output for log formats (#299)
• efd6bff ci: migra to GitHub actions (#290)
• 3b89789 ci: add support for OSSF scorecard reporting (#291)
• 19a6aa5 docs: add installation section
• b94f3ff docs: change simple to sample in example descriptions
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for morgan since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	supertest@​7.0.0
	ts-node@​10.9.2
	morgan@​1.10.0 ⏵ 1.10.1
	prom-client@​15.1.3
	compression@​1.7.4 ⏵ 1.8.1			+1
	winston@​3.14.2
	puppeteer@​24.36.0
	wrangler@​4.78.0
	redis@​4.7.0

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Filesystem access: npm pgpass with module fs Module: fs Location: Package overview From: package-lock.json → npm/pg@8.12.0 → npm/pgpass@1.0.5 ℹ Read more on: This package | This alert | What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/pgpass@1.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Unmaintained: npm progress was last published 7 years ago Last Publish: 12/5/2018, 4:57:58 PM From: package-lock.json → npm/puppeteer@24.36.0 → npm/progress@2.0.3 ℹ Read more on: This package | This alert | What are unmaintained packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Package should publish periodic maintenance releases if they are maintained, or deprecate if they have no intention in further maintenance. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/progress@2.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm prom-client with module fs Module: fs Location: Package overview From: package-lock.json → npm/prom-client@15.1.3 ℹ Read more on: This package | This alert | What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/prom-client@15.1.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Unmaintained: npm pstree.remy was last published 6 years ago Last Publish: 5/16/2020, 2:58:43 PM From: package-lock.json → npm/nodemon@3.1.7 → npm/pstree.remy@1.1.8 ℹ Read more on: This package | This alert | What are unmaintained packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Package should publish periodic maintenance releases if they are maintained, or deprecate if they have no intention in further maintenance. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/pstree.remy@1.1.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm pump with module fs Module: fs Location: Package overview From: package-lock.json → npm/puppeteer@24.36.0 → npm/pump@3.0.3 ℹ Read more on: This package | This alert | What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/pump@3.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Unmaintained: npm range-parser was last published 7 years ago Last Publish: 5/11/2019, 12:27:37 AM From: package-lock.json → npm/express@4.22.1 → npm/range-parser@1.2.1 ℹ Read more on: This package | This alert | What are unmaintained packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Package should publish periodic maintenance releases if they are maintained, or deprecate if they have no intention in further maintenance. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/range-parser@1.2.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm readdirp with module fs Module: fs Location: Package overview From: package-lock.json → npm/nodemon@3.1.7 → npm/readdirp@3.6.0 ℹ Read more on: This package | This alert | What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/readdirp@3.6.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm require-directory with module fs Module: fs Location: Package overview From: package-lock.json → npm/puppeteer@24.36.0 → npm/concurrently@9.1.0 → npm/jest@29.7.0 → npm/require-directory@2.1.1 ℹ Read more on: This package | This alert | What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/require-directory@2.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Unmaintained: npm require-directory was last published 11 years ago Last Publish: 5/28/2015, 8:31:04 AM From: package-lock.json → npm/puppeteer@24.36.0 → npm/concurrently@9.1.0 → npm/jest@29.7.0 → npm/require-directory@2.1.1 ℹ Read more on: This package | This alert | What are unmaintained packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Package should publish periodic maintenance releases if they are maintained, or deprecate if they have no intention in further maintenance. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/require-directory@2.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Unmaintained: npm resolve-cwd was last published 7 years ago Last Publish: 4/30/2019, 12:53:23 PM From: package-lock.json → npm/jest@29.7.0 → npm/resolve-cwd@3.0.0 ℹ Read more on: This package | This alert | What are unmaintained packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Package should publish periodic maintenance releases if they are maintained, or deprecate if they have no intention in further maintenance. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/resolve-cwd@3.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm resolve with module fs Module: fs Location: Package overview From: package-lock.json → npm/eslint-plugin-node@11.1.0 → npm/jest@29.7.0 → npm/resolve@1.22.10 ℹ Read more on: This package | This alert | What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/resolve@1.22.10. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Unmaintained: npm safer-buffer was last published 8 years ago Last Publish: 4/8/2018, 10:42:42 AM From: package-lock.json → npm/express@4.22.1 → npm/safer-buffer@2.1.2 ℹ Read more on: This package | This alert | What are unmaintained packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Package should publish periodic maintenance releases if they are maintained, or deprecate if they have no intention in further maintenance. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/safer-buffer@2.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm send with module fs Module: fs Location: Package overview From: package-lock.json → npm/express@4.22.1 → npm/send@0.19.2 ℹ Read more on: This package | This alert | What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/send@0.19.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Unmaintained: npm setprototypeof was last published 7 years ago Last Publish: 7/18/2019, 4:49:56 AM From: package-lock.json → npm/express@4.22.1 → npm/setprototypeof@1.2.0 ℹ Read more on: This package | This alert | What are unmaintained packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Package should publish periodic maintenance releases if they are maintained, or deprecate if they have no intention in further maintenance. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/setprototypeof@1.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm sharp with module fs Module: fs Location: Package overview From: package-lock.json → npm/wrangler@4.78.0 → npm/sharp@0.34.5 ℹ Read more on: This package | This alert | What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/sharp@0.34.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm simple-update-notifier with module fs Module: fs Location: Package overview From: package-lock.json → npm/nodemon@3.1.7 → npm/simple-update-notifier@2.0.0 ℹ Read more on: This package | This alert | What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/simple-update-notifier@2.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Unmaintained: npm sisteransi was last published 6 years ago Last Publish: 3/18/2020, 12:53:26 PM From: package-lock.json → npm/jest@29.7.0 → npm/sisteransi@1.0.5 ℹ Read more on: This package | This alert | What are unmaintained packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Package should publish periodic maintenance releases if they are maintained, or deprecate if they have no intention in further maintenance. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/sisteransi@1.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm source-map-support with module fs Module: fs Location: Package overview From: package-lock.json → npm/jest@29.7.0 → npm/source-map-support@0.5.13 ℹ Read more on: This package | This alert | What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/source-map-support@0.5.13. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Unmaintained: npm string_decoder was last published 7 years ago Last Publish: 8/7/2019, 9:20:36 AM From: package-lock.json → npm/winston@3.14.2 → npm/string_decoder@1.3.0 ℹ Read more on: This package | This alert | What are unmaintained packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Package should publish periodic maintenance releases if they are maintained, or deprecate if they have no intention in further maintenance. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/string_decoder@1.3.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm superagent with module fs Module: fs Location: Package overview From: package-lock.json → npm/supertest@7.0.0 → npm/superagent@9.0.2 ℹ Read more on: This package | This alert | What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/superagent@9.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm tar-fs with module fs Module: fs Location: Package overview From: package-lock.json → npm/puppeteer@24.36.0 → npm/tar-fs@3.1.1 ℹ Read more on: This package | This alert | What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tar-fs@3.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm tar-stream with module fs Module: fs Location: Package overview From: package-lock.json → npm/puppeteer@24.36.0 → npm/tar-stream@3.1.7 ℹ Read more on: This package | This alert | What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tar-stream@3.1.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Unmaintained: npm text-hex was last published 8 years ago Last Publish: 7/17/2018, 10:09:21 AM From: package-lock.json → npm/winston@3.14.2 → npm/text-hex@1.0.0 ℹ Read more on: This package | This alert | What are unmaintained packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Package should publish periodic maintenance releases if they are maintained, or deprecate if they have no intention in further maintenance. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/text-hex@1.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm touch with module fs Module: fs Location: Package overview From: package-lock.json → npm/nodemon@3.1.7 → npm/touch@3.1.1 ℹ Read more on: This package | This alert | What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/touch@3.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Unmaintained: npm tree-kill was last published 6 years ago Last Publish: 12/11/2019, 6:34:21 PM From: package-lock.json → npm/concurrently@9.1.0 → npm/tree-kill@1.2.2 ℹ Read more on: This package | This alert | What are unmaintained packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Package should publish periodic maintenance releases if they are maintained, or deprecate if they have no intention in further maintenance. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tree-kill@1.2.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm ts-node with module fs Module: fs Location: Package overview From: package-lock.json → npm/ts-node@10.9.2 ℹ Read more on: This package | This alert | What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ts-node@10.9.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Unmaintained: npm unpipe was last published 11 years ago Last Publish: 6/14/2015, 8:30:19 PM From: package-lock.json → npm/express@4.22.1 → npm/unpipe@1.0.0 ℹ Read more on: This package | This alert | What are unmaintained packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Package should publish periodic maintenance releases if they are maintained, or deprecate if they have no intention in further maintenance. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/unpipe@1.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
See 16 more rows in the dashboard

View full report

[github-actions]

CI Summary

Job Results

• Python Lint: skipped
• Python Unit: skipped
• Python Integration: skipped
• Web Build: success
• Docker Smoke: skipped
• Security: success
• License: success

Branch: 87/merge | Commit: e16ff6c | Run: #440