You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Pull request alerts notify when new issues are detected between the diff of the pull request and it's target branch.
Details
Caution
MetaMask internal reviewing guidelines:
Do not ignore-all
Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe. @SocketSecurity ignore npm/PACKAGE@VERSION
Action
Severity
Alert (click "▶" to expand/collapse)
Block
Publisher changed: npm loader-runner is now published by evilebottnawi instead of sokra
Next steps: Take a moment to review the security alert
above. Review the linked package source code to understand the potential
risk. Ensure the package is not malicious before proceeding. If you're
unsure how to proceed, reach out to your security team or ask the Socket
team for help at support@socket.dev.
Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/loader-runner@4.3.1. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Warn
Potential code anomaly (AI signal): npm html-bundler-webpack-plugin is 90.0% likely to have a medium risk anomaly
Notes: The code is a thin wrapper around vm.Script and is not itself obfuscated or demonstrably malicious. However it is inherently risky: it executes arbitrary code strings in a vm context that inherits any objects supplied by the caller. If untrusted code or an unsafe context is used, this can lead to arbitrary code execution, data leakage, or access to OS resources. Mitigations would be to ensure contexts do not contain host capabilities, add execution time/memory limits, and validate or sandbox inputs. No hardcoded secrets or obvious backdoors were found in this fragment.
Next steps: Take a moment to review the security alert
above. Review the linked package source code to understand the potential
risk. Ensure the package is not malicious before proceeding. If you're
unsure how to proceed, reach out to your security team or ask the Socket
team for help at support@socket.dev.
Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/html-bundler-webpack-plugin@4.22.0. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
