
Snyk fix cad645a0511a80339810d91e2854a929 #7966

Open
Dargon789 wants to merge 17 commits into Uniswap:main from Dargon789:snyk-fix-cad645a0511a80339810d91e2854a929

Conversation


Dargon789 commented Oct 1, 2025

No description provided.

Dargon789 and others added 10 commits September 23, 2025 15:48
Signed-off-by: AU_gdev_19 <64915515+Dargon789@users.noreply.github.com>

...updates (#61)
Bumps the npm_and_yarn group with 2 updates in the /apps/extension directory: [webpack](https://github.com/webpack/webpack) and [webpack-dev-server](https://github.com/webpack/webpack-dev-server).
Bumps the npm_and_yarn group with 1 update in the /apps/mobile directory: [react-native-mmkv](https://github.com/mrousavy/react-native-mmkv).
Bumps the npm_and_yarn group with 3 updates in the /apps/web directory: [webpack](https://github.com/webpack/webpack), [graphql](https://github.com/graphql/graphql-js) and [hono](https://github.com/honojs/hono).
Bumps the npm_and_yarn group with 2 updates in the /packages/uniswap directory: [react-native-mmkv](https://github.com/mrousavy/react-native-mmkv) and [graphql](https://github.com/graphql/graphql-js).
Bumps the npm_and_yarn group with 1 update in the /packages/utilities directory: [graphql](https://github.com/graphql/graphql-js).
Bumps the npm_and_yarn group with 1 update in the /packages/wallet directory: [graphql](https://github.com/graphql/graphql-js).
Updates `webpack` from 5.90.0 to 5.94.0
- [Release notes](https://github.com/webpack/webpack/releases)
- [Commits](webpack/webpack@v5.90.0...v5.94.0)
Updates `webpack-dev-server` from 4.15.1 to 5.2.1
- [Release notes](https://github.com/webpack/webpack-dev-server/releases)
- [Changelog](https://github.com/webpack/webpack-dev-server/blob/main/CHANGELOG.md)
- [Commits](webpack/webpack-dev-server@v4.15.1...v5.2.1)
Updates `react-native-mmkv` from 2.10.1 to 2.11.0
- [Release notes](https://github.com/mrousavy/react-native-mmkv/releases)
- [Commits](mrousavy/react-native-mmkv@v2.10.1...v2.11.0)
Updates `webpack` from 5.90.0 to 5.94.0
- [Release notes](https://github.com/webpack/webpack/releases)
- [Commits](webpack/webpack@v5.90.0...v5.94.0)
Updates `graphql` from 16.6.0 to 16.8.1
- [Release notes](https://github.com/graphql/graphql-js/releases)
- [Commits](graphql/graphql-js@v16.6.0...v16.8.1)
Updates `hono` from 4.8.4 to 4.9.7
- [Release notes](https://github.com/honojs/hono/releases)
- [Commits](honojs/hono@v4.8.4...v4.9.7)
Updates `react-native-mmkv` from 2.10.1 to 2.11.0
- [Release notes](https://github.com/mrousavy/react-native-mmkv/releases)
- [Commits](mrousavy/react-native-mmkv@v2.10.1...v2.11.0)
Updates `graphql` from 16.6.0 to 16.8.1
- [Release notes](https://github.com/graphql/graphql-js/releases)
- [Commits](graphql/graphql-js@v16.6.0...v16.8.1)
Updates `graphql` from 16.6.0 to 16.8.1
- [Release notes](https://github.com/graphql/graphql-js/releases)
- [Commits](graphql/graphql-js@v16.6.0...v16.8.1)
Updates `graphql` from 16.6.0 to 16.8.1
- [Release notes](https://github.com/graphql/graphql-js/releases)
- [Commits](graphql/graphql-js@v16.6.0...v16.8.1)
---
updated-dependencies:
- dependency-name: webpack
  dependency-version: 5.94.0
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: webpack-dev-server
  dependency-version: 5.2.1
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: react-native-mmkv
  dependency-version: 2.11.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: webpack
  dependency-version: 5.94.0
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: graphql
  dependency-version: 16.8.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: hono
  dependency-version: 4.9.7
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: react-native-mmkv
  dependency-version: 2.11.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: graphql
  dependency-version: 16.8.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: graphql
  dependency-version: 16.8.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: graphql
  dependency-version: 16.8.1
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

...ession for hostnames (#63)
Signed-off-by: AU_gdev_19 <64915515+Dargon789@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

* Update issue templates
* Update .github/ISSUE_TEMPLATE/feature_request.md
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Signed-off-by: AU_gdev_19 <64915515+Dargon789@users.noreply.github.com>
---------
Signed-off-by: AU_gdev_19 <64915515+Dargon789@users.noreply.github.com>
Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>

...ession for hostnames (#65)
Signed-off-by: AU_gdev_19 <64915515+Dargon789@users.noreply.github.com>
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>

Configure tag_and_release GitHub Actions workflow with explicit write permissions and annotate the GITHUB_TOKEN usage.
CI:
Add explicit contents, issues, and pull-requests write permissions to the workflow
Chores:
Add comment noting alternative use of a personal access token for GITHUB_TOKEN
Signed-off-by: AU_gdev_19 <64915515+Dargon789@users.noreply.github.com>

Signed-off-by: AU_gdev_19 <64915515+Dargon789@users.noreply.github.com>
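The tag_and_release commit above describes adding an explicit permissions block and a note about using a personal access token instead of GITHUB_TOKEN. As an added example, not the repository's workflow file, the fragment below puts the unscoped form next to the least-privilege form; the trigger, job name and release step are assumptions, only the `permissions:` blocks are the point.

```yaml
# Added example, not the repository's workflow file. The trigger, job name and
# release step are assumptions; the permissions blocks are the point.
name: tag_and_release
on:
  push:
    tags: ["v*"]

# Weak form: no `permissions:` key at all, so every job receives the
# repository's default GITHUB_TOKEN permissions, which may be read/write on
# everything. Any compromised action or script in the job can then push code,
# not just create a release.
#
# jobs:
#   release:
#     runs-on: ubuntu-latest
#     steps:
#       - run: gh release create "$GITHUB_REF_NAME"

# Hardened form: drop every permission at the workflow level, then grant the
# job only the three scopes it needs.
permissions: {}

jobs:
  release:
    runs-on: ubuntu-latest
    permissions:
      contents: write        # create the tag and the release
      issues: write          # comment on issues the release closes
      pull-requests: write   # comment on the pull requests it closes
    steps:
      - uses: actions/checkout@v4
      - run: gh release create "$GITHUB_REF_NAME" --generate-notes
        env:
          # Events created with GITHUB_TOKEN do not trigger further workflow
          # runs. A personal access token stored as a secret would, but it is
          # a long-lived credential with whatever scopes its owner granted.
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

Job-level `permissions:` override the workflow-level block, so `permissions: {}` at the top forces every other job in the file to declare what it needs rather than inheriting the default.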

Dargon789 (author) left a comment:


Snyk fix cad645a0511a80339810d91e2854a929 #7966

Dargon789 and others added 6 commits October 1, 2025 21:12
...ession for hostnames
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: AU_019 <64915515+Dargon789@users.noreply.github.com>
Signed-off-by: AU_019 <64915515+Dargon789@users.noreply.github.com>
...ing or encoding
Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: AU_019 <64915515+Dargon789@users.noreply.github.com>
Signed-off-by: AU_019 <64915515+Dargon789@users.noreply.github.com>
Signed-off-by: AU_019 <64915515+Dargon789@users.noreply.github.com>
Dargon789 force-pushed the snyk-fix-cad645a0511a80339810d91e2854a929 branch from 6c168fe to bdef851 on October 1, 2025 14:22

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Columns: Supply Chain Security, Vulnerability, Quality, Maintenance, License (Socket scores 0-100; change from the previous version in parentheses).

Diff    | Package                                                   | Supply    | Vuln      | Quality  | Maint    | License
Updated | npm/@tamagui/theme-base@1.125.17 ⏵ 1.114.4                | 71 (-7)   | 100       | 52       | 96       | 100
Updated | npm/@tamagui/remove-scroll@1.125.17 ⏵ 1.114.4             | 100       | 100       | 63       | 96 (+1)  | 100
Updated | npm/@tamagui/helpers-icon@1.125.17 ⏵ 1.114.4              | 96 (-2)   | 100       | 66 (+1)  | 96 (+1)  | 100
Updated | gem/fastlane@2.214.0 ⏵ 2.215.0                            | 67 (+1)   | 100       | 100      | 100      | 100
Updated | npm/@tamagui/animations-moti@1.125.17 ⏵ 1.114.4           | 98 (-1)   | 100       | 68       | 96 (+1)  | 100
Added   | npm/@tamagui/react-native-media-driver@1.114.4            | 100       | 100       | 68       | 96       | 100
Updated | npm/@tamagui/animations-react-native@1.125.17 ⏵ 1.114.4   | 98 (-1)   | 100       | 69       | 96 (+1)  | 100
Updated | npm/@tamagui/font-inter@1.125.17 ⏵ 1.114.4                | 100       | 100       | 71 (+1)  | 96 (+1)  | 100
Added   | npm/@storybook/react@8.4.2                                | 99        | 100       | 71       | 100      | 100
Added   | npm/@tamagui/core@1.114.4                                 | 100       | 100       | 76       | 96       | 100
Updated | npm/tamagui@1.125.17 ⏵ 1.114.4                            | 95 (-2)   | 100       | 76       | 97 (+1)  | 100
Added   | npm/@shopify/react-native-skia@1.4.2                      | 99        | 100       | 78       | 100      | 100
Added   | npm/expo-linear-gradient@12.7.2                           | 100       | 100       | 83       | 99       | 100
Added   | npm/@react-native-masked-view/masked-view@0.2.9           | 100       | 100       | 100      | 83       | 100
Updated | gem/cocoapods@1.14.3 ⏵ 1.15.0                             | 84 (-1)   | 100       | 100      | 100      | 100
Updated | npm/webpack-dev-server@4.15.1 ⏵ 5.2.1                     | 97 (+1)   | 100 (+8)  | 100      | 84       | 100
Added   | npm/@testing-library/react-hooks@7.0.2                    | 99        | 100       | 100      | 85       | 100
Added   | npm/ethers@6.0.0                                          | 97        | 100       | 100      | 86       | 100
Updated | npm/react-native-mmkv@2.10.1 ⏵ 2.11.0                     | 100       | 100 (+5)  | 100      | 95 (+11) | 80
Added   | npm/react-native-safe-area-context@4.9.0                  | 100       | 100       | 100      | 88       | 100
Added   | npm/@tamagui/build@1.114.4                                | 99        | 100       | 90       | 96       | 100
Updated | npm/graphql@16.6.0 ⏵ 16.8.1                               | 100 (+1)  | 100 (+4)  | 100      | 91       | 100
Added   | npm/react-native-reanimated@3.15.0                        | 99        | 100       | 92       | 100      | 100
Added   | npm/react-native-svg@15.1.0                               | 99        | 100       | 100      | 92       | 100
Added   | npm/react-native-webview@11.23.1                          | 99        | 100       | 100      | 92       | 100
Added   | npm/@shopify/flash-list@1.6.3                             | 100       | 100       | 92       | 97       | 100
Added   | npm/@gorhom/bottom-sheet@4.5.1                            | 99        | 100       | 97       | 93       | 100
Added   | npm/react-native-gesture-handler@2.19.0                   | 99        | 100       | 93       | 96       | 100
Updated | npm/hono@4.8.4 ⏵ 4.9.7                                    | 100 (+1)  | 100 (+19) | 97 (-1)  | 96       | 100
Updated | npm/webpack@5.90.0 ⏵ 5.94.0                               | 97 (+1)   | 100 (+5)  | 100      | 96 (+1)  | 100
Added   | npm/react-native@0.73.6                                   | 98        | 100       | 100      | 100      | 100
Added   | npm/@testing-library/react-native@11.5.0                  | 99        | 100       | 100      | 99       | 100

View full report
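A table like the one above is only useful if someone reads the version columns: several rows move tamagui packages from 1.125.17 back to 1.114.4, and webpack-dev-server jumps a major version, which is not what a "Snyk fix" title suggests. As an added example (not Socket's code and not part of this PR), the Python below parses rows in the table's "Updated eco/name@old ⏵ new" / "Added eco/name@ver" form and buckets them into downgrades, major upgrades, plain upgrades and additions. The sample rows are copied from the table; the version ordering is a simple numeric comparison written for this example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: package/version columns of a few rows from the
# Socket "changes in direct dependencies" table on this PR (scores omitted).
SAMPLE_ROWS = """
Updated npm/@tamagui/theme-base@1.125.17 ⏵ 1.114.4
Updated gem/fastlane@2.214.0 ⏵ 2.215.0
Added npm/ethers@6.0.0
Updated npm/webpack-dev-server@4.15.1 ⏵ 5.2.1
Updated npm/webpack@5.90.0 ⏵ 5.94.0
Added npm/react-native@0.73.6
""".strip().splitlines()

# "Updated eco/name@old ⏵ new" or "Added eco/name@ver". The name is matched
# lazily so that a scope such as "@tamagui/..." is not taken for the version
# separator; the version must start with a digit.
ROW_RE = re.compile(
    r"^(?P<action>Updated|Added|Removed)\s+"
    r"(?P<eco>[a-z]+)/(?P<name>\S+?)@(?P<ver>\d\S*)"
    r"(?:\s+⏵\s+(?P<new>\d\S*))?$"
)


@dataclass(frozen=True)
class Change:
    action: str
    package: str           # "eco/name", e.g. "npm/webpack"
    old: Optional[str]     # None for Added
    new: Optional[str]     # None for Removed


def version_key(v: str) -> tuple:
    """Order versions numerically; a pre-release ('1.2.3-rc.1') sorts below
    the plain release with the same numbers. Enough for the rows on this page."""
    core, _, pre = v.partition("-")
    nums = tuple(int(x) for x in core.split("."))
    return (nums, 0 if pre else 1, pre)


def parse_row(line: str) -> Change:
    # The rendered table pads names with zero-width spaces (U+200B); drop them.
    m = ROW_RE.match(line.replace("\u200b", "").strip())
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")
    package = f"{m['eco']}/{m['name']}"
    if m["action"] == "Added":
        return Change("Added", package, None, m["ver"])
    if m["action"] == "Removed":
        return Change("Removed", package, m["ver"], None)
    return Change("Updated", package, m["ver"], m["new"])


def classify(c: Change) -> str:
    if c.action != "Updated":
        return c.action.lower()
    old, new = version_key(c.old), version_key(c.new)
    if new < old:
        return "downgrade"          # a "fix" PR moving a dependency backwards
    if new[0][0] != old[0][0]:
        return "major-upgrade"      # breaking-change territory; read the changelog
    return "upgrade"


def review(rows) -> dict:
    """Bucket every row by what actually happened to the version."""
    buckets: dict = {}
    for line in rows:
        c = parse_row(line)
        buckets.setdefault(classify(c), []).append(c.package)
    return buckets


if __name__ == "__main__":
    for kind, pkgs in sorted(review(SAMPLE_ROWS).items()):
        print(f"{kind:14s} {', '.join(pkgs)}")
```

Run against the full table, the "downgrade" bucket is the list to question in review first: a lower version can reintroduce fixed bugs and, in a lockfile, silently change the resolved transitive tree.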


Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action | Severity | Alert
Block Medium
npm/@jsonjoy.com/codegen@1.0.0 has a Potential vulnerability.

Location: Package overview

From: ? → npm/webpack-dev-server@5.2.1 → npm/@jsonjoy.com/codegen@1.0.0

Read more on: This package | This alert | Navigating potential vulnerabilities

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: It is advisable to proceed with caution. Engage in a review of the package's security aspects and consider reaching out to the package maintainer for the latest information or patches.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@jsonjoy.com/codegen@1.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
gem/httpclient@2.9.0 has Shell access.

Location: Package overview

From: apps/mobile/Gemfile.lock → gem/cocoapods@1.15.0 → gem/fastlane@2.215.0 → gem/httpclient@2.9.0

Read more on: This package | This alert | What is shell access?

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/httpclient@2.9.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
gem/nkf@0.2.0 has Shell access.

Location: Package overview

From: apps/mobile/Gemfile.lock → gem/xcodeproj@1.27.0 → gem/fastlane@2.215.0 → gem/nkf@0.2.0

Read more on: This package | This alert | What is shell access?

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/nkf@0.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
npm/@react-native-community/cli-platform-ios@12.3.6 has Shell access.

Module: child_process

Location: Package overview

From: ? → npm/react-native@0.73.6 → npm/@react-native-community/cli-platform-ios@12.3.6

Read more on: This package | This alert | What is shell access?

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-native-community/cli-platform-ios@12.3.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
gem/google-cloud-env@2.3.1 has Filesystem access.

Location: Package overview

From: apps/mobile/Gemfile.lock → gem/fastlane@2.215.0 → gem/google-cloud-env@2.3.1

Read more on: This package | This alert | What is filesystem access?

Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/google-cloud-env@2.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
gem/google-logging-utils@0.2.0 has Filesystem access.

Location: Package overview

From: apps/mobile/Gemfile.lock → gem/fastlane@2.215.0 → gem/google-logging-utils@0.2.0

Read more on: This package | This alert | What is filesystem access?

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/google-logging-utils@0.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
gem/logger@1.7.0 has Filesystem access.

Location: Package overview

From: apps/mobile/Gemfile.lock → gem/fastlane@2.215.0 → gem/logger@1.7.0

Read more on: This package | This alert | What is filesystem access?

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/logger@1.7.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
gem/nkf@0.2.0 has Filesystem access.

Location: Package overview

From: apps/mobile/Gemfile.lock → gem/xcodeproj@1.27.0 → gem/fastlane@2.215.0 → gem/nkf@0.2.0

Read more on: This package | This alert | What is filesystem access?

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore gem/nkf@0.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
npm/@react-native-community/cli-platform-ios@12.3.6 has Filesystem access.

Module: fs

Location: Package overview

From: ? → npm/react-native@0.73.6 → npm/@react-native-community/cli-platform-ios@12.3.6

Read more on: This package | This alert | What is filesystem access?

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-native-community/cli-platform-ios@12.3.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
npm/@react-native-community/cli-platform-ios@12.3.6 has a Dynamic require.

Location: Package overview

From: ? → npm/react-native@0.73.6 → npm/@react-native-community/cli-platform-ios@12.3.6

Read more on: This package | This alert | What is dynamic require?

Suggestion: Packages should avoid dynamic imports when possible. Audit the use of dynamic require to ensure it is not executing malicious or vulnerable code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-native-community/cli-platform-ios@12.3.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
npm/@react-native-community/cli-platform-ios@12.3.6 has Filesystem access.

Module: fs-extra

Location: Package overview

From: ? → npm/react-native@0.73.6 → npm/@react-native-community/cli-platform-ios@12.3.6

Read more on: This package | This alert | What is filesystem access?

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-native-community/cli-platform-ios@12.3.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report
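The "Shell access", "Filesystem access" and "Dynamic require" alerts above are capability findings: they come from statically inspecting a package's source for imports of particular Node modules (the alerts name child_process, fs and fs-extra) and for require() calls whose target is not a string literal. As an added example, not Socket's code and not any package from this PR, the Python below reproduces that classification over a constructed four-file package. The sample sources, the module-to-capability table and the severities (taken from the levels the alerts above assign) are assumptions made for the example.

```python
import re

# Module -> capability, following the alert names used on this page.
# Assumption for this example; Socket's own module list is larger.
CAPABILITY_OF_MODULE = {
    "child_process": "shell-access",
    "fs": "filesystem-access",
    "fs/promises": "filesystem-access",
    "fs-extra": "filesystem-access",
}
# Severities as the alerts above assign them (shell: Medium, the rest: Low).
SEVERITY = {"shell-access": "Medium", "filesystem-access": "Low", "dynamic-require": "Low"}
SEVERITY_RANK = {"Medium": 0, "Low": 1}

# require('x') or require("x") with a literal module name
STATIC_REQUIRE = re.compile(r"""require\(\s*(['"])([^'"]+)\1\s*\)""")
# import x from 'x' / import 'x' / export ... from 'x'
IMPORT_FROM = re.compile(r"""\b(?:import|from)\s+(['"])([^'"]+)\1""")
# any require(...) call; the argument is classified separately
ANY_REQUIRE = re.compile(r"require\(\s*([^)]*?)\s*\)")
STRING_LITERAL = re.compile(r"""(['"])[^'"]*\1""")

# Constructed sample package: four files standing in for a build helper like
# the CLI package flagged above. No real package source is reproduced here.
SAMPLE_PACKAGE = {
    "build/ios.js": (
        "const { execFileSync } = require('child_process');\n"
        "const fs = require('fs');\n"
        "module.exports = (scheme) =>\n"
        "  execFileSync('xcodebuild', ['-scheme', scheme, '-list']);\n"
    ),
    "build/copy.js": (
        "import fse from 'fs-extra';\n"
        "export const copy = (src, dst) => fse.copySync(src, dst);\n"
    ),
    "build/plugins.js": (
        "module.exports = (name) => require(`./plugins/${name}`);\n"
    ),
    "lib/math.js": "module.exports = (a, b) => a + b;\n",
}


def scan_source(src: str) -> set:
    """Return {(capability, detail)} found in one JavaScript source file."""
    seen = set()
    for pattern in (STATIC_REQUIRE, IMPORT_FROM):
        for m in pattern.finditer(src):
            mod = m.group(2)
            cap = CAPABILITY_OF_MODULE.get(mod)
            if cap:
                seen.add((cap, mod))
    for m in ANY_REQUIRE.finditer(src):
        arg = m.group(1)
        if not STRING_LITERAL.fullmatch(arg):
            # Template literal, variable or expression: the module is chosen at
            # run time, so a static reviewer cannot tell what gets loaded.
            seen.add(("dynamic-require", arg))
    return seen


def scan_package(files: dict) -> dict:
    """Map capability -> sorted list of (file, detail) across all files."""
    report: dict = {}
    for path, src in files.items():
        for cap, detail in scan_source(src):
            report.setdefault(cap, []).append((path, detail))
    return {cap: sorted(hits) for cap, hits in report.items()}


def format_alerts(report: dict) -> list:
    """Socket-style one-liners, most severe first."""
    entries = []
    for cap, hits in report.items():
        sev = SEVERITY[cap]
        for path, detail in hits:
            entries.append((SEVERITY_RANK[sev], f"Warn {sev}: {path} has {cap} ({detail})"))
    return [text for _, text in sorted(entries)]


if __name__ == "__main__":
    for line in format_alerts(scan_package(SAMPLE_PACKAGE)):
        print(line)
```

A hit is a capability, not a vulnerability: a build tool that shells out to xcodebuild is doing its job. The review question the alerts are asking is whether the capability matches what the package claims to do, and whether a new version gained one it did not have before.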

Reviewers: none · Assignees: none · Labels: none · Projects: none · Milestone: none