chore(deps): bump the npm_and_yarn group across 3 directories with 6 updates

[dependabot]

Bumps the npm_and_yarn group with 2 updates in the /examples/astro directory: @astrojs/node and astro.
Bumps the npm_and_yarn group with 1 update in the /examples/fastify directory: fastify.
Bumps the npm_and_yarn group with 3 updates in the /examples/firebase-functions directory: fast-xml-parser, hono and protobufjs.

Updates @astrojs/node from 9.5.5 to 10.0.5

Release notes

Sourced from @​astrojs/node's releases.

@​astrojs/node@​10.0.5

Patch Changes

• #16319 940afd5 Thanks @​matthewp! - Fixes static asset error responses incorrectly including immutable cache headers. Conditional request failures (e.g. If-Match mismatch) now return the correct status code without far-future cache directives.

@​astrojs/node@​10.0.4

Patch Changes

• #16002 846f27f Thanks @​buley! - Fixes file descriptor leaks from read streams that were not destroyed on client disconnect or read errors

• #15941 f41584a Thanks @​ematipico! - Fixes an infinite loop in resolveClientDir() when the server entry point is bundled with esbuild or similar tools. The function now throws a descriptive error instead of hanging indefinitely when the expected server directory segment is not found in the file path.

@​astrojs/node@​10.0.3

Patch Changes

• #15735 9685e2d Thanks @​fa-sharp! - Fixes an EventEmitter memory leak when serving static pages from Node.js middleware.

  When using the middleware handler, requests that were being passed on to Express / Fastify (e.g. static files / pre-rendered pages / etc.) weren't cleaning up socket listeners before calling next(), causing a memory leak warning. This fix makes sure to run the cleanup before calling next().

Changelog

Sourced from @​astrojs/node's changelog.

10.0.5

Patch Changes

• #16319 940afd5 Thanks @​matthewp! - Fixes static asset error responses incorrectly including immutable cache headers. Conditional request failures (e.g. If-Match mismatch) now return the correct status code without far-future cache directives.

10.0.4

Patch Changes

• #16002 846f27f Thanks @​buley! - Fixes file descriptor leaks from read streams that were not destroyed on client disconnect or read errors

• #15941 f41584a Thanks @​ematipico! - Fixes an infinite loop in resolveClientDir() when the server entry point is bundled with esbuild or similar tools. The function now throws a descriptive error instead of hanging indefinitely when the expected server directory segment is not found in the file path.

10.0.3

Patch Changes

• #15735 9685e2d Thanks @​fa-sharp! - Fixes an EventEmitter memory leak when serving static pages from Node.js middleware.

  When using the middleware handler, requests that were being passed on to Express / Fastify (e.g. static files / pre-rendered pages / etc.) weren't cleaning up socket listeners before calling next(), causing a memory leak warning. This fix makes sure to run the cleanup before calling next().

10.0.2

Patch Changes

• #15934 6f8f0bc Thanks @​ematipico! - Updates the Astro peerDependencies#astro to be 6.0.0.

10.0.1

Patch Changes

• #15868 bb2b8f5 Thanks @​ematipico! - Fixes an issue where the adapter would cause a series of warnings during the build.

10.0.0

Major Changes

• #15654 a32aee6 Thanks @​florian-lefebvre! - Removes the experimentalErrorPageHost option

  This option allowed fetching a prerendered error page from a different host than the server is currently running on.

  However, there can be security implications with prefetching from other hosts, and often more customization was required to do this safely. This has now been removed as a built-in option so that you can implement your own secure solution as needed and appropriate for your project via middleware.

  What should I do?

  If you were previously using this feature, you must remove the option from your adapter configuration as it no longer exists:

  // astro.config.mjs

... (truncated)

Commits

• eca29c1 [ci] release (#16314)
• 940afd5 Fix static asset error responses including immutable cache headers (#16319)
• fab9c00 chore: upgrade biome (#16246)
• 711f837 Prevent static assets from being caught by catch-all routes (#16047)
• 88fcc98 fix integrations links across docs (#16098)
• 4a6ff2a [ci] release (#16020)
• b9e96da fix(deps): update dependency vitest to v4 (#15372)
• 846f27f fix: destroy read streams to prevent file descriptor leaks (#16002)
• f41584a fix(node): recursion fs loop (#15941)
• 878791f [ci] release (#15985)
• Additional commits viewable in compare view

Updates astro from 5.18.1 to 6.2.1

Release notes

Sourced from astro's releases.

astro@6.2.1

Patch Changes

• #16531 76db01d Thanks @​rodrigosdev! - Fixes config validation for omitted integrations fields with newer Zod versions.

• #16535 7df0fe4 Thanks @​rururux! - Fixed an issue where a warning was displayed when the server property was missing during config validation, even though it is not required.

• #16534 5cf6c51 Thanks @​matthewp! - Fixes compatibility with Zod 4.4.0 for the server config property and error formatting

astro@6.2.0

Minor Changes

• #16187 fe58071 Thanks @​gllmt! - Adds a waitUntil option to the RenderOptions so that adapters can forward runtime background-task hooks to Astro.

  When provided by an adapter, runtime cache providers receive context.waitUntil in CacheProvider.onRequest(), which allows background cache work such as stale-while-revalidate without blocking the response. The Cloudflare adapter now forwards ExecutionContext.waitUntil to this API.

• #16290 a49637a Thanks @​ViVaLaDaniel! - Ensures that server.allowedHosts (and vite.preview.allowedHosts) configuration is respected when using astro preview with the @astrojs/cloudflare adapter. This improves security by preventing DNS rebinding attacks when previewing Cloudflare builds locally.

• #15725 4108ec1 Thanks @​meyer! - Adds support for a new 'jsx' value for the compressHTML option. When set, whitespace is stripped using JSX whitespace rules instead of the default HTML compression strategy.

  // astro.config.mjs
  import { defineConfig } from 'astro/config';
  export default defineConfig({
  compressHTML: 'jsx',
  });

  In JSX, whitespaces never matter, as such, no amount of indentation, or newlines will not affect the rendered output. For instance, the following code:

  <div>
    <span>foo</span>
    <span>bar</span>
  </div>

  will be rendered as foobar, whereas with HTML whitespace rules, a space would be present between the words due to the newline and indentation between the tags.

• #16477 28fb3e1 Thanks @​ematipico! - Adds experimental support for configurable log handlers.

  This experimental feature provides better control over Astro's logging infrastructure by allowing users to replace the default console output with custom logging implementations (e.g., structured JSON). This is particularly useful for users using on-demand rendering and wishing to connect their log aggregation services, such as Kibana, Logstash, CloudWatch, Grafana, or Loki.

  By default, Astro provides three built-in log handlers (json, node, and console), but you can also create your own.

  JSON logging

... (truncated)

Changelog

Sourced from astro's changelog.

6.2.1

Patch Changes

• #16531 76db01d Thanks @​rodrigosdev! - Fixes config validation for omitted integrations fields with newer Zod versions.

• #16535 7df0fe4 Thanks @​rururux! - Fixed an issue where a warning was displayed when the server property was missing during config validation, even though it is not required.

• #16534 5cf6c51 Thanks @​matthewp! - Fixes compatibility with Zod 4.4.0 for the server config property and error formatting

6.2.0

Minor Changes

• #16187 fe58071 Thanks @​gllmt! - Adds a waitUntil option to the RenderOptions so that adapters can forward runtime background-task hooks to Astro.

  When provided by an adapter, runtime cache providers receive context.waitUntil in CacheProvider.onRequest(), which allows background cache work such as stale-while-revalidate without blocking the response. The Cloudflare adapter now forwards ExecutionContext.waitUntil to this API.

• #16290 a49637a Thanks @​ViVaLaDaniel! - Ensures that server.allowedHosts (and vite.preview.allowedHosts) configuration is respected when using astro preview with the @astrojs/cloudflare adapter. This improves security by preventing DNS rebinding attacks when previewing Cloudflare builds locally.

• #15725 4108ec1 Thanks @​meyer! - Adds support for a new 'jsx' value for the compressHTML option. When set, whitespace is stripped using JSX whitespace rules instead of the default HTML compression strategy.

  // astro.config.mjs
  import { defineConfig } from 'astro/config';
  export default defineConfig({
  compressHTML: 'jsx',
  });

  In JSX, whitespaces never matter, as such, no amount of indentation, or newlines will not affect the rendered output. For instance, the following code:

  <div>
    <span>foo</span>
    <span>bar</span>
  </div>

  will be rendered as foobar, whereas with HTML whitespace rules, a space would be present between the words due to the newline and indentation between the tags.

• #16477 28fb3e1 Thanks @​ematipico! - Adds experimental support for configurable log handlers.

  This experimental feature provides better control over Astro's logging infrastructure by allowing users to replace the default console output with custom logging implementations (e.g., structured JSON). This is particularly useful for users using on-demand rendering and wishing to connect their log aggregation services, such as Kibana, Logstash, CloudWatch, Grafana, or Loki.

  By default, Astro provides three built-in log handlers (json, node, and console), but you can also create your own.

... (truncated)

Commits

• cc02799 [ci] release (#16533)
• 5cf6c51 fix: Zod 4.4.0 compat for server config and error map (#16534)
• 7df0fe4 fix(astro): make server property correctly optional in config validation (#...
• 76db01d fix(config): update validation for omitted integrations fields with newer Z...
• 3af3543 [ci] release (#16512)
• b7916ef docs: improve readability of remotePattern section (#16508)
• 449b51d fix(test): type html minification properties (#16514)
• f832c3b fix: cloudflare allowed hosts test (#16513)
• b9a5b58 [ci] format
• 0f7c3c8 feat: svg optimizer (#16333)
• Additional commits viewable in compare view

Updates fastify from 5.8.4 to 5.8.5

Release notes

Sourced from fastify's releases.

v5.8.5

⚠️ Security Release

This fixes CVE CVE-2026-33806 GHSA-247c-9743-5963.

What's Changed

• chore: Fix port parsing by @​jsumners in fastify/fastify#6603
• chore: upgrade to typescript v6.0.2 by @​Tony133 in fastify/fastify#6605
• fix: restore trustProxy function for number and string types, add null check for socketAddr by @​mcollina in fastify/fastify#6613
• ci: reduce cron scheduled workflows from daily/weekly to monthly by @​Fdawgs in fastify/fastify#6623
• chore: Bump pnpm/action-setup from 4.2.0 to 5.0.0 by @​dependabot[bot] in fastify/fastify#6629
• chore: Bump markdownlint-cli2 from 0.21.0 to 0.22.0 by @​dependabot[bot] in fastify/fastify#6632
• chore: Bump borp from 0.21.0 to 1.0.0 by @​dependabot[bot] in fastify/fastify#6633
• chore: Bump actions/dependency-review-action from 4.8.3 to 4.9.0 by @​dependabot[bot] in fastify/fastify#6630
• docs(ecosystem): add @​pompelmi/fastify-plugin by @​SonoTommy in fastify/fastify#6610

New Contributors

• @​SonoTommy made their first contribution in fastify/fastify#6610

Full Changelog: fastify/fastify@v5.8.4...v5.8.5

Commits

• 3983cce Bumped v5.8.5
• 3ce3ae6 Merge commit from fork
• b06a196 docs(ecosystem): add @​pompelmi/fastify-plugin (#6610)
• 909c5d5 chore: Bump actions/dependency-review-action from 4.8.3 to 4.9.0 (#6630)
• 4db21a3 chore: Bump borp from 0.21.0 to 1.0.0 (#6633)
• 0f4e544 chore: Bump markdownlint-cli2 from 0.21.0 to 0.22.0 (#6632)
• 33a2fcd chore: Bump pnpm/action-setup from 4.2.0 to 5.0.0 (#6629)
• fd35d82 ci: reduce cron schedules from daily/weekly to monthly (#6623)
• 8dee9be fix: restore trustProxy function for number and string types, add null check ...
• d457aed chore: upgrade to typescript v6.0.2 (#6605)
• Additional commits viewable in compare view

Updates fast-xml-parser from 5.5.8 to 5.7.2

Release notes

Sourced from fast-xml-parser's releases.

backward compatibility for numerical external entity, fix #705, #817

• allow numerical external entity for backward compatibility
• fix #705: attributesGroupName working with preserveOrder
• fix #817: stackoverflow when tag expression is very long

upgrade @​nodable/entities and FXB

• Use @nodable/entities v2.1.0
  • breaking changes
    • single entity scan. You're not allowed to use entity value to form another entity name.
    • you cant add numeric external entity
    • entity error message when expantion limit is crossed might change
  • typings are updated for new options related to process entity
  • please follow documentation of @nodable/entities for more detail.
  • performance
    • if processEntities is false, then there should not be impact on performance.
    • if processEntities is true, but you dont pass entity decoder separately then performance may degrade by approx 8-10%
    • if processEntities is true, and you pass entity decoder separately
      • if no entity then performance should be same as before
      • if there are entities then performance should be increased from past versions
  • ignoreAttributes is not required to be set to set xml version for NCR entity value
• update 'fast-xml-builder' to sanitize malicious CDATA and comment's content

use @​nodable/entities to replace entities

• No API change
• No change in performance for basic usage
• No typing change
• No config change
• new dependency
• breaking: error messages for entities might have been changed.

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.12...v5.6.0

performance improvment, increase entity expansion default limit

• increase default entity explansion limit as many projects demand for that

maxEntitySize: 10000,
maxExpansionDepth: 10000,
maxTotalExpansions: Infinity,
maxExpandedLength: 100000,
maxEntityCount: 1000,

• performance improvement
  • reduce calls to toString
  • early return when entities are not present
  • prepare rawAttrsForMatcher only if user sets jPath: false

Full Changelog: NaturalIntelligence/fast-xml-parser@v5.5.9...v5.5.10

fix typins and matcher instance in callbacks

combine typings file to avoid configuration changes

... (truncated)

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

5.7.3

• fix: alwaysCreateTextNode should create text node when attributes are present for self closing node
• fix stop node expression when ns prefix is removed (found by iruizsalinas)
• update XML Builder to 1.1.6
• mark addEntity deprecated

5.7.2 / 2026-04-25

• allow numerical external entity for backward compatibility
• fix #705: attributesGroupName working with preserveOrder
• fix #817: stackoverflow when tag expression is very long

5.7.1 / 2026-04-20

• fix typo in CJS typing file

5.7.0 / 2026-04-17

• Use @nodable/entities v2.1.0
  • breaking changes
    • single entity scan. You're not allowed to user entity value to form another entity name.
    • you cant add numeric external entity
    • entity error message when expantion limit is crossed might change
  • typings are updated for new options related to process entity
  • please follow documentation of @nodable/entities for more detail.
  • performance
    • if processEntities is false, then there should not be impact on performance.
    • if processEntities is true, but you dont pass entity decoder separately then performance may degrade by approx 8-10%
    • if processEntities is true, and you pass entity decoder separately
      • if no entity then performance should be same as before
      • if there are entities then performance should be increased from past versions
  • ignoreAttributes is not required to be set to set xml version for NCR entity value
• update 'fast-xml-builder' to sanitize malicious CDATA and comment's content

5.6.0 / 2026-04-15

• fix: entity replacement for numeric entities
• use @​nodable/entities to replace entities
  • this may change some error messages related to entities expansion limit or inavlid use
  • post check would be exposed in future version

5.5.12 / 2026-04-13

• Performance Improvement: update path-expression-matcher
  • use proxy pattern than Proxy class

5.5.11 / 2026-04-08

• Performance Improvement
  • integrate ExpressionSet for stopNodes

... (truncated)

Commits

• b1d5b90 update releas info
• 78571ae tests for long tag expression
• ebaedc0 allow numerical external entities for backward compatibility
• 91245eb update changelog
• 79dd40d fix #705: don not group and nest attributes when both preserveOrder and attri...
• d6bce3b allow long attribute expressions
• 9a2561b remove unnecessary
• 0f08303 fix typo
• f529642 update to release v5.7.0
• 52a8583 Revert "improve performance of attributes reading"
• Additional commits viewable in compare view

Updates hono from 4.12.12 to 4.12.16

Release notes

Sourced from hono's releases.

v4.12.16

Security fixes

This release includes fixes for the following security issues:

Unvalidated JSX Tag Names in hono/jsx May Allow HTML Injection

Affects: hono/jsx. Fixes missing validation of JSX tag names when using jsx() or createElement(), which could allow HTML injection if untrusted input is used as the tag name. GHSA-69xw-7hcm-h432

bodyLimit() can be bypassed for chunked / unknown-length requests

Affects: Body Limit Middleware. Fixes late enforcement for request bodies without a reliable Content-Length (e.g. chunked requests), where oversized requests could reach handlers and return successful responses before being rejected. GHSA-9vqf-7f2p-gf9v

v4.12.15

What's Changed

• fix(jwt): support single-line PEM keys by @​hiendv in honojs/hono#4889

New Contributors

• @​hiendv made their first contribution in honojs/hono#4889

Full Changelog: honojs/hono@v4.12.14...v4.12.15

v4.12.14

Security fixes

This release includes fixes for the following security issues:

Improper handling of JSX attribute names in hono/jsx SSR

Affects: hono/jsx. Fixes missing validation of JSX attribute names during server-side rendering, which could allow malformed attribute keys to corrupt the generated HTML output and inject unintended attributes or elements. GHSA-458j-xx4x-4375

Other changes

• fix(aws-lambda): handle invalid header names in request processing (#4883) fa2c74fe

v4.12.13

What's Changed

• fix(types): infer response type from last handler in app.on 9-/10-handler overloads by @​T4ko0522 in honojs/hono#4865
• feat(trailing-slash): add skip option by @​yusukebe in honojs/hono#4862
• feat(cache): add onCacheNotAvailable option by @​yusukebe in honojs/hono#4876

New Contributors

• @​T4ko0522 made their first contribution in honojs/hono#4865

Full Changelog: honojs/hono@v4.12.12...v4.12.13

Commits

• 90d4182 4.12.16
• db05b96 Merge commit from fork
• 614b834 Merge commit from fork
• 027e3df fix(method-override): handle Content-Type with charset parameter (#4894)
• f774f8d 4.12.15
• 18fe604 fix(jwt): support single-line PEM keys (#4889)
• cf2d2b7 4.12.14
• 66daa2e Merge commit from fork
• fa2c74f fix(aws-lambda): handle invalid header names in request processing (#4883)
• 3779927 4.12.13
• Additional commits viewable in compare view

Updates protobufjs from 7.5.4 to 7.5.6

Release notes

Sourced from protobufjs's releases.

protobufjs: v7.5.6

7.5.6 (2026-04-27)

Bug Fixes

• Backport input hardening and CLI fixes to 7.x (#2173) (75392ea)

v7.5.5

This release backports two reported security issues to 7.x branch.

• fix: do not allow setting __proto__ in Message constructor (#2126)
• fix: filter invalid characters from the type name (#2127)

Full Changelog: protobufjs/protobuf.js@protobufjs-v7.5.4...protobufjs-v7.5.5

Changelog

Sourced from protobufjs's changelog.

7.5.6 (2026-04-27)

Bug Fixes

• Backport input hardening and CLI fixes to 7.x (#2173) (75392ea)

Commits

• 2189e5b chore: release protobufjs-v7.x (#2174)
• 75392ea fix: Backport input hardening and CLI fixes to 7.x (#2173)
• 8af8d7c chore(ci): Fix 7.x release please configuration (#2169)
• e92ca42 chore(ci): Enable release-please for 7.x (#2166)
• b7bdfaf chore: release 7.5.5
• ff7b2af fix: filter invalid characters from the type name (#2127)
• 086b19d fix: do not allow setting proto in Message constructor (#2126)
• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for protobufjs since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​@​astrojs/​node@​9.5.5 ⏵ 10.0.5	+1	+3	+1	+1
	npm/​astro@​5.18.1 ⏵ 6.2.1	+1	+2	+1
	npm/​fastify@​5.8.4 ⏵ 5.8.5	+1	+16

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Potential code anomaly (AI signal): npm @astrojs/compiler is 100.0% likely to have a medium risk anomaly Notes: The code is a wasm-backed Astro compiler wrapper that is legitimate in normal tooling but contains a high-risk pattern: dynamically importing and executing a base64-encoded payload derived from input t via a data URL. If t can be influenced by an attacker or untrusted source, this constitutes remote code execution risk within the host environment. The rest of the design (wasm loading, transform/parse/convertToTSX wrappers, and teardown) is conventional for such tooling. Mitigation is essential to prevent untrusted input from driving the data URL import. Confidence: 1.00 Severity: 0.60 From: examples/astro/package-lock.json → npm/astro@6.2.1 → npm/@astrojs/compiler@4.0.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@astrojs/compiler@4.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm esbuild is 100.0% likely to have a medium risk anomaly Notes: The code represents a thorough and sophisticated installer for esbuild with multiple fallback mechanisms to acquire platform-appropriate binaries. While largely legitimate, its use of direct tarball downloads, manual extraction without explicit integrity validation, and the override/wrapper mechanism create nontrivial supply-chain and abuse risks. Recommend enabling strict binary integrity checks (checksums/signatures), minimizing or auditing the override/wrapper feature, and implementing tighter error visibility and logging to reduce operational risk and potential misuse. Confidence: 1.00 Severity: 0.60 From: examples/astro/package-lock.json → npm/astro@6.2.1 → npm/esbuild@0.27.7 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/esbuild@0.27.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm protobufjs is 100.0% likely to have a medium risk anomaly Notes: The analyzed code segment is a standard RPC service wrapper (protobufjs style) with conventional input validation, encoding/decoding, event emission, and end handling. No malicious behavior is evident, and there are no observable security vulnerabilities beyond ordinary library-level error handling. It does not exhibit data exfiltration, backdoors, or other anti-security patterns. Confidence: 1.00 Severity: 0.60 From: examples/firebase-functions/package-lock.json → npm/firebase-admin@13.7.0 → npm/firebase-functions@7.1.1 → npm/firebase-tools@15.10.0 → npm/protobufjs@7.5.6 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/protobufjs@7.5.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm zod is 100.0% likely to have a medium risk anomaly Notes: No explicit network exfiltration, reverse shell, or credential theft is present in this fragment. However, the code assembles and compiles arbitrary code via the Function constructor and invokes passed-in functions immediately (twice). That behavior constitutes a strong dangerous primitive (arbitrary code execution) which can be abused if any inputs (strings or args) are attacker-controlled. Treat this module as risky in threat models where inputs are not fully trusted; review call sites and sanitize/validate inputs or avoid dynamic evaluation. Confidence: 1.00 Severity: 0.60 From: examples/astro/package-lock.json → npm/astro@6.2.1 → npm/zod@4.4.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/zod@4.4.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Low adoption: npm fast-wrap-ansi Location: Package overview From: examples/astro/package-lock.json → npm/astro@6.2.1 → npm/fast-wrap-ansi@0.2.0 ℹ Read more on: This package | This alert | What are unpopular packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Unpopular packages may have less maintenance and contain other problems. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fast-wrap-ansi@0.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Dynamic module loading: npm @protobufjs/inquire Location: Package overview From: examples/firebase-functions/package-lock.json → npm/firebase-admin@13.7.0 → npm/firebase-functions@7.1.1 → npm/firebase-tools@15.10.0 → npm/@protobufjs/inquire@1.1.1 ℹ Read more on: This package | This alert | What is dynamic require? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid dynamic imports when possible. Audit the use of dynamic require to ensure it is not executing malicious or vulnerable code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@protobufjs/inquire@1.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report