Update ui deps sync

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@openzeppelin/confidential-contracts (source)	^0.3.1 → ^0.4.0
@rollup/plugin-commonjs (source)	^28.0.8 → ^28.0.9
@rollup/plugin-replace (source)	^6.0.2 → ^6.0.3
@rollup/plugin-typescript (source)	^12.1.4 → ^12.3.0
@types/node (source)	^20.19.21 → ^20.19.41
@upstash/redis (source)	1.35.6 → 1.38.0
@upstash/redis (source)	1.35.6 → 1.38.0
autoprefixer	^10.4.21 → ^10.5.0
jszip	3.6.0 → 3.10.1
postcss (source)	^8.5.6 → ^8.5.15
semver	^7.7.3 → ^7.8.1
tailwindcss (source)	^3.4.18 → ^3.4.19

---

Release Notes

OpenZeppelin/openzeppelin-confidential-contracts (@​openzeppelin/confidential-contracts)

v0.4.0

Compare Source

• Migrate @fhevm/solidity dependency to 0.11.1 (#​311)
• Upgrade openzeppelin/contracts and openzeppelin/contracts-upgradeable to v5.6.1 (#​314)

Token

• ERC7984ERC20Wrapper: use a bytes32 unwrap request identifier instead of identifying batches by the euint64 unwrap amount. (#​326)
• ERC7984ERC20Wrapper: Support ERC-165 interface detection on ERC7984ERC20Wrapper. (#​267)
• ERC7984ERC20Wrapper: return the amount of wrapped token sent on wrap calls. (#​307)
• ERC7984ERC20Wrapper: return unwrapped amount on unwrap calls (#​288)
• ERC7984ERC20Wrapper: revert on wrap if there is a chance of total supply overflow. (#​268)
• ERC7984Restricted, ERC7984Rwa: Rename isUserAllowed to canTransact (#​291)

Finance

• BatcherConfidential: A batching primitive that enables routing between two ERC7984ERC20Wrapper contracts via a non-confidential route. (#​293)

Utils

• HandleAccessManager: change _validateHandleAllowance to return a boolean and validate it. (#​303)

rollup/plugins (@​rollup/plugin-commonjs)

v28.0.9

2025-10-24

Bugfixes

• fix: handle node: builtins with strictRequires: auto (#​1930)

rollup/plugins (@​rollup/plugin-replace)

v6.0.3

2025-10-29

Bugfixes

• fix: update delimiters to respect valid js identifier chars (#​1938)

rollup/plugins (@​rollup/plugin-typescript)

v12.3.0

2025-10-23

Features

• feat: expose latest Program to transformers in watch mode (#​1923)

v12.2.0

2025-10-22

Features

• feat: process .js when allowJs is enabled (#​1920)

upstash/redis-js (@​upstash/redis)

v1.38.0

Compare Source

Minor Changes

• c71f581: Separate read/write commands into separate pipelines in auto pipeline. As a
  result, mixed read/write Promise.all batches may now be split across multiple
  pipeline HTTP requests instead of a single request, and read-after-write
  ordering may no longer be preserved within those mixed batches.

v1.37.0

Compare Source

Minor Changes

• 6f2a831: Release redis search

Patch Changes

• 3980b45: Add monorepo structure

v1.36.4

Compare Source

What's Changed

• fix: prevent more than one script init running at once by @​myandrienko in #​1411
• DX-2479: strip v prefix from version in release workflow by @​CahidArda in #​1417

New Contributors

• @​myandrienko made their first contribution in #​1411

Full Changelog: upstash/redis-js@v1.36.3...v1.36.4

v1.36.3

Compare Source

What's Changed

• DX-2278: use npm OIDC by @​CahidArda in #​1408
• DX-2446: expose TData generic on xrange and xrevrange by @​CahidArda in #​1414
• DX-2439: add sintercard by @​CahidArda in #​1413

Full Changelog: upstash/redis-js@v1.36.2...v1.36.3

v1.36.2

Compare Source

What's Changed

• DX-2363: add redis-js skills by @​CahidArda in #​1406
• Dx 2353: Add commands HGETDEL, HGETEX, HSETEX, XDELEX, XACKDEL, CLIENT SETINFO and add new options to BITOP and XADD by @​alitariksahin in #​1407

Full Changelog: upstash/redis-js@v1.36.1...v1.36.2

v1.36.1

Compare Source

What's Changed

• feat: support chunked messages by @​joschan21 in #​1404

Full Changelog: upstash/redis-js@v1.36.0...v1.36.1

v1.36.0

Compare Source

What's Changed

• feat: add redis functions support by @​ytkimirti in #​1401

Full Changelog: upstash/redis-js@v1.35.8...v1.36.0

v1.35.8

Compare Source

What's Changed

• DX-2280: Remove large-group runners by @​CahidArda in #​1398
• fix: bump next by @​CahidArda in #​1400
• fix: improve env variable access by @​ytkimirti in #​1399

Full Changelog: upstash/redis-js@v1.35.7...v1.35.8

v1.35.7

Compare Source

What's Changed

• DX-2204: document telemetry configuration option by @​CahidArda in #​1393
• DX-2265: add Requester type declaration by @​CahidArda in #​1397
• Fix: zremrangebyscore should accept string | number for min/max scores by @​mvonschledorn in #​1396

New Contributors

• @​mvonschledorn made their first contribution in #​1396

Full Changelog: upstash/redis-js@v1.35.6...v1.35.7

postcss/autoprefixer (autoprefixer)

v10.5.0

Compare Source

• Added mask-position-x and mask-position-y support (by @​toporek).

v10.4.27

Compare Source

• Removed development key from package.json.

v10.4.26

Compare Source

• Reduced package size.

v10.4.25

Compare Source

• Fixed broken gradients on CSS Custom Properties (by @​serger777).

v10.4.24

Compare Source

• Made Autoprefixer a little faster (by @​Cherry).

v10.4.23

Compare Source

• Reduced dependencies (by @​hyperz111).

v10.4.22

Compare Source

• Fixed stretch prefixes on new Can I Use database.
• Updated fraction.js.

Stuk/jszip (jszip)

v3.10.1

Compare Source

• Add sponsorship files.
  • If you appreciate the time spent maintaining JSZip then I would really appreciate your sponsorship.
• Consolidate metadata types and expose OnUpdateCallback #​851 and #​852
• use const instead var in example from README.markdown #​828
• Switch manual download link to HTTPS #​839

Internals:

• Replace jshint with eslint #​842
• Add performance tests #​834

v3.10.0

Compare Source

• Change setimmediate dependency to more efficient one. Fixes #​617 (see #​829)
• Update types of currentFile metadata to include null (see #​826)

v3.9.1

Compare Source

• Fix recursive definition of InputFileFormat introduced in 3.9.0.

v3.9.0

Compare Source

• Update types JSZip#loadAsync to accept a promise for data, and remove arguments from new JSZip() (see #​752)
• Update types for compressionOptions to JSZipFileOptions and JSZipGeneratorOptions (see #​722)
• Add types for generateInternalStream (see #​774)

v3.8.0

Compare Source

• Santize filenames when files are loaded with loadAsync, to avoid "zip slip" attacks. The original filename is available on each zip entry as unsafeOriginalName. See the documentation. Many thanks to McCaulay Hudson for reporting.

v3.7.1

Compare Source

• Fix build of dist files.
  • Note: this version ensures the changes from 3.7.0 are actually included in the dist files. Thanks to Evan W for reporting.

v3.7.0

Compare Source

• Fix: Use a null prototype object for this.files (see #​766)
  • This change might break existing code if it uses prototype methods on the .files property of a zip object, for example zip.files.toString(). This approach is taken to prevent files in the zip overriding object methods that would exist on a normal object.

postcss/postcss (postcss)

v8.5.15

Compare Source

• Fixed declaration parsing performance (by @​homanp).

v8.5.14

Compare Source

• Fixed custom syntax regression (by @​43081j).

v8.5.13

Compare Source

• Fixed postcss-scss commend regression.

v8.5.12

Compare Source

• Fixed reading any file via user-generated CSS.
• Added opts.unsafeMap to disable checks.

v8.5.11

Compare Source

• Fixed nested brackets parsing performance (by @​offset).

v8.5.10

Compare Source

• Fixed XSS via unescaped </style> in non-bundler cases (by @​TharVid).

v8.5.9

Compare Source

• Speed up source map encoding paring in case of the error.

v8.5.8

Compare Source

• Fixed Processor#version.

v8.5.7

Compare Source

• Improved source map annotation cleaning performance (by CodeAnt AI).

npm/node-semver (semver)

v7.8.1

Compare Source

Bug Fixes

• 17aa702 #​869 strip build metadata before comparator trimming (#​869) (@​owlstronaut)
• 5f3ca13 #​867 handle prerelease bounds in subset (#​867) (@​puneetdixit200, Puneet Dixit)

v7.8.0

Compare Source

Features

• 0d0a0a2 #​855 Add truncate function (#​855) (@​pjohnmeyer, @​owlstronaut)

Bug Fixes

• 3905343 #​859 Warn when defaulting to --inc=patch in CLI (@​pjohnmeyer)

Documentation

• c368af6 #​853 fix typos in documentation (#​853) (@​ankitkumar572005)
• 37776c3 #​846 fix BNF grammar to distinguish prerelease from build identifiers (#​846) (@​abhu85, @​claude)

Chores

• 9542e09 #​860 template-oss-apply (@​owlstronaut)
• 937bc2c #​860 template-oss-apply@5.0.0 (@​owlstronaut)
• 6946fef #​852 bump @​npmcli/template-oss from 4.29.0 to 4.30.0 (#​852) (@​dependabot[bot], @​npm-cli-bot)

v7.7.4

Compare Source

Bug Fixes

• a29faa5 #​835 cli: pass options to semver.valid() for loose version validation (#​835) (@​mldangelo)

Documentation

• 1d28d5e #​836 fix typos and update -n CLI option documentation (#​836) (@​mldangelo)

Dependencies

• 120968b #​840 @npmcli/template-oss@4.29.0 (#​840)

Chores

• 44d7130 #​824 bump @​npmcli/eslint-config from 5.1.0 to 6.0.0 (#​824) (@​dependabot[bot])
• 7073576 #​820 reorder parameters in invalid-versions.js test (#​820) (@​reggi)
• 5816d4c #​829 bump @​npmcli/template-oss from 4.28.0 to 4.28.1 (#​829) (@​dependabot[bot], @​npm-cli-bot)

tailwindlabs/tailwindcss (tailwindcss)

v3.4.19

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Critical CVE: npm fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names CVE: GHSA-m7jm-9gc2-mpf2 fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names (CRITICAL) Affected versions: >= 5.0.0 < 5.3.5; >= 4.1.3 < 4.5.4 Patched version: 5.3.5 From: packages/core/solidity/src/environments/hardhat/upgradeable/package-lock.json → npm/@openzeppelin/hardhat-upgrades@3.9.1 → npm/fast-xml-parser@5.2.5 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fast-xml-parser@5.2.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: npm fast-xml-parser has RangeError DoS Numeric Entities Bug CVE: GHSA-37qj-frw5-hhjh fast-xml-parser has RangeError DoS Numeric Entities Bug (HIGH) Affected versions: >= 5.0.9 < 5.3.4 Patched version: 5.3.4 From: packages/core/solidity/src/environments/hardhat/upgradeable/package-lock.json → npm/@openzeppelin/hardhat-upgrades@3.9.1 → npm/fast-xml-parser@5.2.5 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fast-xml-parser@5.2.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: npm fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) CVE: GHSA-jmr7-xgp7-cmfj fast-xml-parser affected by DoS through entity expansion in DOCTYPE (no expansion limit) (HIGH) Affected versions: >= 4.1.3 < 4.5.4; >= 5.0.0 < 5.3.6 Patched version: 5.3.6 From: packages/core/solidity/src/environments/hardhat/upgradeable/package-lock.json → npm/@openzeppelin/hardhat-upgrades@3.9.1 → npm/fast-xml-parser@5.2.5 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fast-xml-parser@5.2.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: npm fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) CVE: GHSA-8gc5-j5rx-235r fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278) (HIGH) Affected versions: >= 5.0.0 < 5.5.6; >= 4.0.0-beta.3 < 4.5.5 Patched version: 5.5.6 From: packages/core/solidity/src/environments/hardhat/upgradeable/package-lock.json → npm/@openzeppelin/hardhat-upgrades@3.9.1 → npm/fast-xml-parser@5.2.5 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fast-xml-parser@5.2.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client CVE: GHSA-f269-vfmq-vjvj Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client (HIGH) Affected versions: >= 6.0.0 < 6.24.0; >= 7.0.0 < 7.24.0 Patched version: 6.24.0 From: packages/core/solidity/src/environments/hardhat/upgradeable/package-lock.json → npm/@openzeppelin/hardhat-upgrades@3.9.1 → npm/undici@6.21.3 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@6.21.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @aws-sdk/core is 100.0% likely to have a medium risk anomaly Notes: The fragment implements a conventional XML parsing utility suitable for REST/XML responses with normal error normalization. The key security risk is potential leakage of the raw XML payload via error objects ($responseBodyText) if error objects are logged or surfaced. Mitigation should include sanitizing or omitting raw bodies in exceptions, or providing controlled, redacted error details. No malware or backdoors detected; overall risk remains moderate due to potential data leakage in error pathways. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/upgradeable/package-lock.json → npm/@openzeppelin/hardhat-upgrades@3.9.1 → npm/@aws-sdk/core@3.864.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@aws-sdk/core@3.864.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @aws-sdk/credential-provider-process is 100.0% likely to have a medium risk anomaly Notes: The code implements credential retrieval via a credential_process mechanism, but the primary risk is executing an external, potentially untrusted command through a shell. This creates a command-injection surface and potential data leakage during credential discovery. Recommended mitigations include replacing exec with a more restricted execution method (e.g., execFile with whitelisted commands or a dedicated, sandboxed runner), validating the credential_process value against a allowlist, adding strict timeouts, and enforcing integrity checks on the credentials source to reduce supply-chain risk. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/upgradeable/package-lock.json → npm/@openzeppelin/hardhat-upgrades@3.9.1 → npm/@aws-sdk/credential-provider-process@3.864.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@aws-sdk/credential-provider-process@3.864.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Low CVE: AWS SDK for JavaScript v3 adopted defense in depth enhancement for region parameter value in npm @smithy/config-resolver CVE: GHSA-6475-r3vj-m8vf AWS SDK for JavaScript v3 adopted defense in depth enhancement for region parameter value (LOW) Affected versions: < 4.4.0 Patched version: 4.4.0 From: packages/core/solidity/src/environments/hardhat/upgradeable/package-lock.json → npm/@openzeppelin/hardhat-upgrades@3.9.1 → npm/@smithy/config-resolver@4.1.5 ℹ Read more on: This package | This alert | What is a mild CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known low severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@smithy/config-resolver@4.1.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @smithy/eventstream-serde-universal is 100.0% likely to have a medium risk anomaly Notes: The code implements a conventional, well-structured event-stream unmarshalling pipeline with explicit handling for error, exception, and event message types. The primary security considerations are: potential exposure of header/body content through thrown errors, reliance on the deserializer contract (notably the $unknown flag), and ensuring that downstream consumers appropriately trust the deserialized payloads. In a supply-chain context, ensure that eventStreamCodec, deserializer implementations, and error handling are trusted and audited to avoid leaking sensitive metadata, and consider sanitizing error messages in production. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/upgradeable/package-lock.json → npm/@openzeppelin/hardhat-upgrades@3.9.1 → npm/@smithy/eventstream-serde-universal@4.0.5 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@smithy/eventstream-serde-universal@4.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @smithy/node-http-handler is 100.0% likely to have a medium risk anomaly Notes: The code implements conventional 100-continue handling and robust body transmission for HTTP requests. No malicious activity, backdoors, or data exfiltration behaviors are observed in this fragment. While generally safe, consider validating and constraining extremely large bodies and ensuring proper error handling for client/server timeouts in production. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/upgradeable/package-lock.json → npm/@openzeppelin/hardhat-upgrades@3.9.1 → npm/@smithy/node-http-handler@4.1.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@smithy/node-http-handler@4.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @smithy/shared-ini-file-loader is 100.0% likely to have a medium risk anomaly Notes: The code is straightforward and not inherently malicious. However, it handles potentially sensitive tokens from the filesystem without error handling, validation, or security controls. The primary risk is exposure of SSO tokens if the calling code mishandles them, and potential path traversal if id is not properly sanitized by getSSOTokenFilepath. No evidence of exfiltration, backdoors, or network activity. Recommendations: add input validation, robust error handling for IO and JSON parsing, explicit token schema validation, and consider access controls/logging around token reads. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/upgradeable/package-lock.json → npm/@openzeppelin/hardhat-upgrades@3.9.1 → npm/@smithy/shared-ini-file-loader@4.0.5 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@smithy/shared-ini-file-loader@4.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @smithy/util-defaults-mode-node is 100.0% likely to have a medium risk anomaly Notes: The code uses a conventional environment-first region resolution, with a fallback to IMDS when not disabled. The silent catch on IMDS failures reduces observability and could lead to undefined behavior in non-AWS or restricted environments, but there is no evidence of data exfiltration, hardcoded secrets, or malicious backdoors. The main risk is environmental misconfiguration or silent failures. The unusual 0 && (module.exports = ...) pattern and dynamic loading are tooling conventions rather than security issues. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/upgradeable/package-lock.json → npm/@openzeppelin/hardhat-upgrades@3.9.1 → npm/@smithy/util-defaults-mode-node@4.0.26 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@smithy/util-defaults-mode-node@4.0.26. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Low CVE: npm fast-xml-parser has stack overflow in XMLBuilder with preserveOrder CVE: GHSA-fj3w-jwp8-x2g3 fast-xml-parser has stack overflow in XMLBuilder with preserveOrder (LOW) Affected versions: >= 5.0.0 < 5.3.8; >= 4.0.0-beta.0 < 4.5.4 Patched version: 5.3.8 From: packages/core/solidity/src/environments/hardhat/upgradeable/package-lock.json → npm/@openzeppelin/hardhat-upgrades@3.9.1 → npm/fast-xml-parser@5.2.5 ℹ Read more on: This package | This alert | What is a mild CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known low severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fast-xml-parser@5.2.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm fast-xml-parser is 100.0% likely to have a medium risk anomaly Notes: This XMLParser module is not inherently malicious, but it exposes a potential XXE risk by allowing external entities to be injected into the underlying parser. The combination of external entity support and direct parsing paths means downstream parsing could fetch resources or exfiltrate data depending on the XML content. Additionally, a bug in parse(xmlData) introduces a recursive path that can cause a stack overflow for certain inputs. These issues warrant caution: disable external entities unless necessary, validate inputs more strictly, and fix the recursion bug. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/upgradeable/package-lock.json → npm/@openzeppelin/hardhat-upgrades@3.9.1 → npm/fast-xml-parser@5.2.5 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fast-xml-parser@5.2.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm undici is 100.0% likely to have a medium risk anomaly Notes: The analyzed code appears to implement a standard in-memory cache batch operation flow (put/delete) with careful handling of response bodies by buffering and storing bytes for caching. No signs of malware, data exfiltration, backdoors, or obfuscated behavior were found. The primary security considerations relate to memory usage from buffering potentially large response bodies and ensuring robust validation within batch operations to prevent cache state corruption. Overall risk is moderate, driven by in-memory data handling rather than external communication. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/upgradeable/package-lock.json → npm/@openzeppelin/hardhat-upgrades@3.9.1 → npm/undici@6.21.3 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@6.21.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm buffer is 96.0% likely obfuscated Confidence: 0.96 Location: Package overview From: packages/core/solidity/src/environments/hardhat/upgradeable/package-lock.json → npm/@openzeppelin/hardhat-upgrades@3.9.1 → npm/buffer@4.9.2 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/buffer@4.9.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[coderabbitai]

Walkthrough

Package.json devDependencies updated: @types/node from ^20.19.21 to ^20.19.22 and rollup from ^4.52.4 to ^4.52.5. These are patch version updates with no runtime behavior changes.

Changes

Cohort / File(s)	Summary
DevDependency version updates packages/ui/package.json	@types/node: ^20.19.21 → ^20.19.22; rollup: ^4.52.4 → ^4.52.5

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• Renovate update import and package #674: Also modifies packages/ui/package.json for dependency management through Renovate rules.

Suggested reviewers

• ericglau
• collins-w

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The title "Update ui deps sync" is directly related to the changeset, which updates dependencies in the packages/ui/package.json file (@types/node and rollup versions). The title accurately indicates the primary change involves updating UI package dependencies, and a teammate scanning the commit history would understand this is about dependency updates for the UI package. While the term "sync" is somewhat informal and could be more explicit about which dependencies are affected, the title is sufficiently clear and specific to describe the main change.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.
Description check	✅ Passed	The PR description comprehensively lists dependency updates with release notes and references, directly relating to the changeset in packages/ui/package.json.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch renovate/ui-deps-sync

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​openzeppelin/​hardhat-upgrades@​3.9.1

View full report