Bump @hono/node-server from 1.13.1 to 1.19.10

[dependabot]

Bumps @hono/node-server from 1.13.1 to 1.19.10.

Release notes

Sourced from @​hono/node-server's releases.

v1.19.10

Security Fix

Fixed an authorization bypass in Serve Static Middleware caused by inconsistent URL decoding (%2F handling) between the router and static file resolution. Users of Serve Static Middleware are encouraged to upgrade to this version.

See GHSA-wc8c-qw6v-h7f6 for details.

v1.19.9

What's Changed

• fix(globals): Stop overwriting global.fetch by @​usualoma in honojs/node-server#295

Full Changelog: honojs/node-server@v1.19.8...v1.19.9

v1.19.8

What's Changed

• docs: add guide for listening to UNIX domain socket by @​TransparentLC in honojs/node-server#292
• fix(serve-static): Use Readable.toWeb in serveStatic by @​otya128 in honojs/node-server#293

New Contributors

• @​TransparentLC made their first contribution in honojs/node-server#292
• @​otya128 made their first contribution in honojs/node-server#293

Full Changelog: honojs/node-server@v1.19.7...v1.19.8

v1.19.7

What's Changed

• fix: Fix for hono issue 4563 - incorrect content-length after following symlink by @​tshmieldev in honojs/node-server#290
• chore: add configVersion to bun.lock by @​yusukebe in honojs/node-server#291

New Contributors

• @​tshmieldev made their first contribution in honojs/node-server#290

Full Changelog: honojs/node-server@v1.19.6...v1.19.7

v1.19.6

What's Changed

• fix(serve-static): fix onFound timing by @​usualoma in honojs/node-server#286

Full Changelog: honojs/node-server@v1.19.5...v1.19.6

v1.19.5

What's Changed

• fix: cancel a readable stream if a writable stream is closed before a readable stream is closed. by @​usualoma in honojs/node-server#280

Full Changelog: honojs/node-server@v1.19.4...v1.19.5

v1.19.4

... (truncated)

Commits

• 2f8ca36 1.19.10
• 455015b Merge commit from fork
• cc05c48 chore: add benchmark for comparing with npm and local (dev) (#305)
• 58c4412 chore: Adding LICENSE file with MIT license referenced in README.md (#297)
• b1daa4c docs(readme): add @​usualoma as an author (#300)
• 26f5e89 1.19.9
• 2d729e7 fix(globals): Stop overwriting global.fetch (#295)
• 9b72ddf 1.19.8
• 0b1229e fix(serve-static): Use Readable.toWeb in serveStatic (#293)
• 76d80e6 docs: add guide for listening to UNIX domain socket (#292)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​types/​bun@​1.1.10 ⏵ 1.3.10	+1		+4	+1
	@​types/​react@​19.2.14
	unified@​11.0.5
	react@​19.2.4
	typescript@​5.9.3
	react-dom@​19.2.4
	@​hono/​node-server@​1.13.1 ⏵ 1.19.10		+16		+3

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Network access: npm ws in module http Module: http Location: Package overview From: ? → npm/ws@8.19.0 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ws@8.19.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm ws in module https Module: https Location: Package overview From: ? → npm/ws@8.19.0 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ws@8.19.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm ws in module net Module: net Location: Package overview From: ? → npm/ws@8.19.0 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ws@8.19.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm ws in module tls Module: tls Location: Package overview From: ? → npm/ws@8.19.0 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ws@8.19.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm @hono/node-server is 100.0% likely to have a medium risk anomaly Notes: The analyzed fragment implements a safe, cached wrapper around the global Response object. It is designed for compatibility and performance optimization rather than performing I/O or exfiltrating data. While the approach is unconventional (Symbol-based private state and manual prototype adjustments), there is no clear malicious behavior or supply-chain risk evident in this isolated module. Normal due-diligence testing should focus on edge cases around state reuse, cloning, and interaction with host environments to ensure compatibility and predictable behavior in downstream code. Confidence: 1.00 Severity: 0.60 From: pnpm-lock.yaml → npm/@hono/node-server@1.19.10 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@hono/node-server@1.19.10. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm @types/node URLs: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/TypedArray/subarray, https://nodejs.org/docs/latest-v25.x/api/module.html#module-compile-cache, options.directory, module.id, IO.read, https://chromedevtools.github.io/devtools-protocol/v8/, https://docs.libuv.org/en/v1.x/misc.html#c.uv_available_parallelism, https://linux.die.net/man/3/uname, https://en.wikipedia.org/wiki/Uname#Examples, https://nodejs.org/docs/latest-v25.x/api/errors.html#class-systemerror, https://nodejs.org/docs/latest-v25.x/api/process.html#processarch, https://github.com/nodejs/node/blob/HEAD/BUILDING.md#androidandroid-based-devices-eg-firefox-os, example.com, 127.0.0.1:8000, process.env.HOST, req.headers.host, https://nodejs.org/docs/latest-v25.x/api/http.html#built-in-proxy-support, https://nodejs.org/docs/latest-v25.x/api/net.html#socketconnectoptions-connectlistener, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Equality, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Inequality, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/is, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Classes, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Regular_Expressions, https://nodejs.org/docs/latest-v25.x/api/errors.html#err_invalid_return_value, https://nodejs.org/docs/latest-v25.x/api/errors.html#class-error, https://github.com/nodejs/node/blob/v25.x/lib/child_process.js, subprocess.channel, https://nodejs.org/docs/latest-v25.x/api/net.html#class-netsocket, https://nodejs.org/docs/latest-v25.x/api/net.html#class-netserver, https://nodejs.org/docs/latest-v25.x/api/dgram.html#class-dgramsocket, test.sh, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Uint8Array, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/length, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/DataView, https://developer.mozilla.org/en-US/docs/Web/JavaScript/-, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/ArrayBuffer, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/JSON/stringify, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/TypedArray/set, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/String/indexOf, https://www.openssl.org/docs/man1.1.1/man3/SSL_CIPHER_get_name.html, https://tools.ietf.org/html/rfc5929, https://www.openssl.org/docs/man1.1.1/man3/SSL_export_keying_material.html, https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#exporter-labels, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Error, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Data_structures#Undefined_type, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531, options.ca, https://hg.mozilla.org/mozilla-central/raw-file/tip/security/nss/lib/ckfw/builtins/certdata.txt, https://nodejs.org/docs/latest-v25.x/api/test.html#test-runner-execution-model, https://nodejs.org/docs/latest-v25.x/api/cli.html#--test-update-snapshots, https://nodejs.org/docs/latest-v25.x/api/process.html#a-note-on-process-io, https://github.com/nodejs/node/blob/v25.x/lib/console.js, https://nodejs.org/docs/latest-v25.x/api/util.html#utilinspectobject-options, example.org, 93.184.216.34, archive.org, nodejs.org, https://nodejs.org/docs/latest-v25.x/api/util.html#utilpromisifyoriginal, https://tools.ietf.org/html/rfc8482, https://nodejs.org/docs/latest-v25.x/api/dns.html#error-codes, https://nodejs.org/docs/latest-v25.x/api/dns.html#dnspromiseslookuphostname-options, https://tools.ietf.org/html/rfc5952#section-6, https://man7.org/linux/man-pages/man5/resolv.conf.5.html, https://datatracker.ietf.org/doc/html/rfc5952#section-6, https://nodejs.org/docs/latest-v25.x/api/cli.html#--dns-result-orderorder, https://nodejs.org/docs/latest-v25.x/api/worker_threads.html, 4.4.4.4, 0.0.0.0, https://nodejs.org/docs/latest-v25.x/api/worker_threads.html#worker-threads, https://github.com/nodejs/node/blob/v25.x/src/node_sea.cc, https://developer.mozilla.org/en-US/docs/Web/API/Blob, https://nodejs.org/docs/latest-v25.x/api/modules.md#loading-ecmascript-modules-using-require, fs.read, process.report.directory, https://nodejs.org/docs/latest-v25.x/api/os.html#dlopen-constants, http://man7.org/linux/man-pages/man7/environ.7.html, process.pid, https://docs.libuv.org/en/v1.x/misc.html#c.uv_get_constrained_memory, https://nodejs.org/docs/latest-v25.x/api/process.html#processavailablememory, https://nodejs.org/api/cli.html#--permission, https://nodejs.org/api/permissions.html#permission-model, https://nodejs.org/download/release/v18.12.0/node-v18.12.0.tar.gz, https://nodejs.org/download/release/v18.12.0/node-v18.12.0-headers.tar.gz, https://nodejs.org/download/release/v18.12.0/win-x64/node.lib, https://nodejs.org/docs/latest-v25.x/api/report.html, process.report, ws://127.0.0.1:9229/166e272e-7a30-4d09-97ce-f1c012b43c34, https://nodejs.org/en/docs/inspector, app.js.map, 4.4.4.4:1053, https://nodejs.org/docs/latest-v20.x/api/errors.html#class-error, https://nodejs.org/docs/latest-v20.x/api/dns.html#error-codes, https://nodejs.org/docs/latest-v20.x/api/dns.html#dnspromiseslookuphostname-options, https://nodejs.org/docs/latest-v20.x/api/dns.html#dnspromisessetdefaultresultorderorder, https://nodejs.org/docs/latest-v20.x/api/cli.html#--dns-result-orderorder, https://nodejs.org/docs/latest-v20.x/api/worker_threads.html, 192.168.1.1, 74.125.127.100, 127.0.0.1, 123.123.123.123, 10.0.0.1, 10.0.0.10, 10.0.0.3, 222.111.111.222, 192.168.1.0/24, 10.0.0.5, 127.000.000.001, 127.0.0.1/24, https://nodejs.org/dist/latest-v25.x/docs/api/repl.html#repl_customizing_repl_output, https://nodejs.org/dist/latest-v25.x/docs/api/readline.html#readline_use_of_the_completer_function, https://nodejs.org/dist/latest-v25.x/docs/api/repl.html#repl_class_replserver, https://nodejs.org/dist/latest-v25.x/docs/api/repl.html#repl_commands_and_special_keys, https://nodejs.org/dist/latest-v25.x/docs/api/repl.html#repl_assignment_of_the_underscore_variable, 224.0.0.114, https://en.wikipedia.org/wiki/IPv6_address#Scoped_literal_IPv6_addresses, https://tools.ietf.org/html/rfc4007, 10.0.0.2, https://nodejs.org/docs/latest-v25.x/api/async_context.html, http://man7.org/linux/man-pages/man2/fdatasync.2.html, http://man7.org/linux/man-pages/man2/fsync.2.html, https://tc39.github.io/ecma262/#sec-asynciterable-interface, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Iteration_protocols#The_iterable_protocol, https://developer.mozilla.org/en-US/docs/Web/API/ArrayBufferView, http://man7.org/linux/man-pages/man2/open.2.html, https://docs.microsoft.com/en-us/windows/desktop/FileIO/naming-a-file, https://docs.microsoft.com/en-us/windows/desktop/FileIO/using-streams, http://man7.org/linux/man-pages/man2/readlink.2.html, http://man7.org/linux/man-pages/man2/lstat.2.html, http://man7.org/linux/man-pages/man2/link.2.html, http://man7.org/linux/man-pages/man2/unlink.2.html, https://github.com/mdn/content/pull/38027, http://man7.org/linux/man-pages/man3/opendir.3.html, http://example.org:8000, https://example.org:80, https://example.org/foo/bar, https://example.org, http2stream.id, https://example.com, request.stream, http://example.com, http://example.com/status?name=ryan, https://nodejs.org/docs/latest-v25.x/api/errors.html#class-typeerror, response.stream, https://tools.ietf.org/html/rfc7540, https://http2.github.io/faq/#does-http2-require-encryption, xn--fsq.com, xn--maana-pta.com, ana.com, xn----dqo34k.com, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Data_structures#String_type, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Data_structures#Number_type, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/BigInt, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Data_structures#Boolean_type, https://nodejs.org/docs/latest-v25.x/api/v8.html, https://www.chromium.org/developers/how-tos/trace-event-profiling-tool, https://nodejs.org/docs/latest-v25.x/api/worker_threads.html#class-worker, https://github.com/nodejs/node/blob/v25.x/lib/trace_events.js, encrypted.google.com, github.com, https://encrypted.google.com/, https://nodejs.org/docs/latest-v25.x/api/stream.html#streamcomposestreams, readable.map, https://nodejs.org/docs/latest-v25.x/api/stream.html#readablecomposestream-options, https://github.com/nodejs/node/blob/v25.x/lib/crypto.js, https://www.openssl.org/docs/man3.0/man1/openssl-spkac.html, https://nodejs.org/dist/latest-v25.x/docs/api/crypto.html#crypto-constants, https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html, https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html., https://en.wikipedia.org/wiki/Initialization_vector, https://www.rfc-editor.org/rfc/rfc2412.txt, https://www.rfc-editor.org/rfc/rfc3526.txt, https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-132.pdf, https://en.wikipedia.org/wiki/Fisher%E2%80%93Yates_shuffle#Modulo_bias, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Number/isSafeInteger, https://www.w3.org/TR/capability-urls/, https://nodejs.org/docs/latest-v25.x/api/crypto.html#asymmetric-key-types, https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532, https://www.rfc-editor.org/rfc/rfc2818.txt, https://www.rfc-editor.org/rfc/rfc5280.txt, https://www.rfc-editor.org/rfc/rfc9106.html, https://nodejs.org/docs/latest-v25.x/api/crypto.html#using-strings-as-inputs-to-cryptographic-apis, http://man7.org/linux/man-pages/man3/readdir.3.html, http://man7.org/linux/man-pages/man2/mkdir.2.html, http://man7.org/linux/man-pages/man2/pwrite.2.html, fs.watch, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Number/MAX_SAFE_INTEGER, https://github.com/WebAssembly/wabt, https://github.com/nodejs/node/blob/v25.x/lib/wasi.js, https://nodejs.org/docs/latest-v25.x/api/vm.html#support-of-dynamic-import-in-compilation-apis, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/eval, https://es5.github.io/#x10.4.2, https://tc39.es/ecma262/#sec-abstract-module-records, https://tc39.es/ecma262/#sec-cyclic-module-records, https://tc39.es/ecma262/#sec-getmodulenamespace, https://tc39.es/ecma262/#sec-moduleevaluation, https://tc39.es/ecma262/#sec-smr-Evaluate, https://heycam.github.io/webidl/#synthetic-module-records, https://v8docs.nodesource.com/node-13.2/d5/dda/classv8_1_1_isolate.html#a6079122af17612ef54ef3348ce170866, https://nodejs.org/docs/latest-v25.x/api/cli.html#--heapsnapshot-near-heap-limitmax_count, https://developer.mozilla.org/en-US/docs/Web/API/Web_Workers_API, https://example.com/some/path?page=1&#x26, urlObject.host, urlObject.search, http://example.com/, http://example.com/one, http://example.com/two, https://tools.ietf.org/html/rfc5891#section-4.4, https://nodejs.org/docs/latest-v25.x/api/child_process.html#optionsstdio, https://man7.org/linux/man-pages/man2/setuid.2.html, https://man7.org/linux/man-pages/man2/setgid.2.html, sql.run, https://www.sqlite.org/c3ref/changes.html, https://chromedevtools.github.io/devtools-protocol/1-3/Runtime/#type-ScriptId, https://nodejs.org/docs/latest-v25.x/api/util.html#modifiers, https://github.com/microsoft/TypeScript/issues/12936, https://nodejs.org/docs/latest-v25.x/api/async_hooks.html#promise-execution-tracking Location: Package overview From: pnpm-lock.yaml → npm/@types/bun@1.3.10 → npm/@vanilla-extract/vite-plugin@3.9.5 → npm/@types/node@25.3.3 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@types/node@25.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm @types/react URLs: https://react.dev/reference/react-dom/components/common#ref-callback, https://react.dev/reference/react/Component#static-contexttype, https://react.dev/reference/react/Component#context, https://www.typescriptlang.org/docs/handbook/2/conditional-types.html#distributive-conditional-types, https://github.com/microsoft/TypeScript/issues/28339, https://react.dev/reference/react/useContext, https://react.dev/reference/react/useState, https://react.dev/reference/react/useReducer, https://react.dev/reference/react/useRef, https://react.dev/reference/react/useLayoutEffect, https://react.dev/reference/react/useEffect, https://react.dev/reference/react/useEffectEvent, https://react.dev/reference/react/useImperativeHandle, https://react.dev/reference/react/useDebugValue, https://github.com/facebook/react/pull/21913, https://github.com/reactwg/react-18/discussions/86, https://react.dev/reference/react/Activity, https://react.dev/reference/react/captureOwnerStack, https://github.com/DefinitelyTyped/DefinitelyTyped/issues/11508#issuecomment-256045682, https://github.com/frenic/csstype#what-should-i-do-when-i-get-type-errors, https://www.w3.org/TR/wai-aria-1.1/, https://developer.mozilla.org/en-US/docs/Web/API/View_Transition_API Location: Package overview From: pnpm-lock.yaml → npm/@types/react@19.2.14 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@types/react@19.2.14. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm bun-types URLs: https://example.com/, https://www.sqlite.org/c3ref/file_control.html, https://html.spec.whatwg.org/multipage/syntax.html#void-elements, https://developers.cloudflare.com/workers/runtime-apis/html-rewriter?bun, https://github.com/cloudflare/lol-html, https://www.youtube.com/watch?v=dQw4w9WgXcQ, https://remix.run, https://github.com/microsoft/TypeScript/issues/28867, wss://dev.local, https://developer.mozilla.org/en-US/docs/Web/API/File, https://developer.mozilla.org/en-US/docs/Web/API/Blob, https://github.com/tc39/proposal-shadowrealm/blob/main/explainer.md#introduction, https://www.youtube.com/watch?v=2AoxCkySv34&t=22s, https://developer.mozilla.org/docs/Web/API/structuredClone, https://developer.mozilla.org/docs/Web/API/AbortController, https://developer.mozilla.org/docs/Web/API/FormData/append, https://developer.mozilla.org/docs/Web/API/FormData/delete, https://developer.mozilla.org/docs/Web/API/FormData/get, https://developer.mozilla.org/docs/Web/API/FormData/getAll, https://developer.mozilla.org/docs/Web/API/FormData/has, https://developer.mozilla.org/docs/Web/API/FormData/set, https://developer.mozilla.org/docs/Web/API/MessageChannel/port1, https://developer.mozilla.org/docs/Web/API/MessageChannel/port2, https://github.com/whatwg/fetch/issues/1389, http://example.com, 127.0.0.1:8080, https://127.0.0.1:8080, https://example.com/api, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/RegExp/escape, WebSocket.OPEN, https://developer.mozilla.org/en-US/docs/Web/API/WebSocket/readyState, https://github.com/uNetworking/uWebSockets, https://github.com/microsoft/TypeScript/issues/26242, 127.0.0.1, 0.0.0.0, remix.run, https://s3.us-east-1.amazonaws.com, https://my-bucket.s3.us-east-1.amazonaws.com, https://docs.aws.amazon.com/AmazonS3/latest/userguide/RequesterPaysBuckets.html, r2.cloudflarestorage.com, digitaloceanspaces.com, https://example.com/data, https://github.com/TinyCC/tinycc, https://bun.com/docs/runtime/shell, https://developer.mozilla.org/docs/Web/API/ServiceWorker/error_event, https://developer.mozilla.org/docs/Web/API/Worker/message_event, https://developer.mozilla.org/docs/Web/API/Worker/messageerror_event, https://developer.mozilla.org/docs/Web/API/Worker/terminate, www.example.com, https://www.manpagez.com/man/2/clonefile/, https://www.manpagez.com/man/2/fcopyfile/, example.com, https://opensource.apple.com/source/Libinfo/Libinfo-222.1/lookup.subproj/netdb_async.h.auto.html, https://man7.org/linux/man-pages/man3/getaddrinfo.3.html, https://example.com, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/TypedArray/subarray, https://bun.com/docs/bundler#api, http://mydomain.com, https://nodejs.org/api/packages.html#exports, https://production.api.com, https://bun.com/guides/util/hash-a-password, https://registry.npmjs.org, github.com, https://cdn.example.com/assets/, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Uint8Array, wss://example.com, http://proxy.example.com:8080, proxy.example.com:8080, https://man7.org/linux/man-pages/man2/mmap.2.html, https://github.com/microsoft/mimalloc, https://github.com/oven-sh/bun, https://man7.org/linux/man-pages/man2/nanosleep.2.html, https://en.wikipedia.org/wiki/SHA-2#Comparison_of_SHA_functions, https://boringssl.googlesource.com/boringssl, https://bun.com/docs/bundler/loaders, 192.168.1.100, https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#exporter-labels, https://www.openssl.org/docs/man1.1.1/man3/SSL_get_shared_sigalgs.html, https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man2/posix_spawn.2.html, https://github.com/oven-sh/bun/issues/8329, https://example.com/package.tar.gz, README.md, https://bun.com/docs/install/overrides, https://bun.com/docs/install/patch, https://bun.com/docs/install/lifecycle#trusteddependencies, https://bun.com/docs/install/catalogs, https://bun.com/docs/pm/cli/install#isolated-installs, import.meta.hot.data, https://github.com/mmkal/expect-type#why-is-my-assertion-failing, https://github.com/mmkal/expect-type/pull/21, https://github.com/mmkal/expect-type/issues/50 Location: Package overview From: pnpm-lock.yaml → npm/@types/bun@1.3.10 → npm/bun-types@1.3.10 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/bun-types@1.3.10. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm lodash URLs: _.map, _.at, https://bugs.webkit.org/show_bug.cgi?id=156034, _.gt, _.property, _.lt, _.rest, http://ecma-international.org/ecma-262/7.0/#sec-samevaluezero, http://ecma-international.org/ecma-262/7.0/#sec-ecmascript-function-objects-call-thisargument-argumentslist, https://mdn.io/Array/slice, https://en.wikipedia.org/wiki/Empty_set, https://en.wikipedia.org/wiki/Vacuous_truth, https://mdn.io/Structured_clone_algorithm, https://mdn.io/Number/isFinite, http://ecma-international.org/ecma-262/7.0/#sec-tolength, http://www.ecma-international.org/ecma-262/7.0/#sec-ecmascript-language-types, https://mths.be/he, https://mathiasbynens.be/notes/ambiguous-ampersands, http://wonko.com/post/html-escaping, http://requirejs.org/docs/errors.html#mismatch, https://lodash.com/, https://css-tricks.com/debouncing-throttling-explained-examples/, https://npms.io/search?q=ponyfill., http://ecma-international.org/ecma-262/7.0/#sec-patterns, http://ecma-international.org/ecma-262/7.0/#sec-template-literal-lexical-components, https://en.wikipedia.org/wiki/Combining_Diacritical_Marks, https://en.wikipedia.org/wiki/Combining_Diacritical_Marks_for_Symbols, https://mathiasbynens.be/notes/javascript-unicode, http://eev.ee/blog/2015/09/12/dark-corners-of-unicode/, http://ecma-international.org/ecma-262/7.0/#sec-object.prototype.tostring, https://en.wikipedia.org/wiki/Exponentiation_by_squaring, https://mdn.io/clearTimeout, https://github.com/jashkenas/underscore/pull/1247, https://bugs.chromium.org/p/v8/issues/detail?id=90, https://es5.github.io/#x13.2.2, https://mdn.io/round#Examples, http://www.ecma-international.org/ecma-262/7.0/#sec-regexp.prototype.tostring, http://ecma-international.org/ecma-262/7.0/#sec-object.keys, https://bugs.chromium.org/p/v8/issues/detail?id=2070, https://mdn.io/setTimeout, https://mdn.io/Array/reverse, https://mdn.io/iteration_protocols#iterator, https://en.wikipedia.org/wiki/Fisher-Yates_shuffle, http://peter.michaux.ca/articles/lazy-function-definition-pattern, http://ecma-international.org/ecma-262/7.0/#sec-properties-of-the-map-prototype-object, https://mdn.io/rest_parameters, http://www.ecma-international.org/ecma-262/7.0/#sec-function.prototype.apply, https://mdn.io/spread_operator, https://mdn.io/Number/isInteger, https://mdn.io/Number/isNaN, https://mdn.io/isNaN, https://www.npmjs.com/package/babel-polyfill, https://mdn.io/Number/isSafeInteger, http://www.ecma-international.org/ecma-262/7.0/#sec-tointeger, https://mdn.io/Object/assign, https://en.wikipedia.org/wiki/Letter_case#Special_case_styles, https://es5.github.io/#x15.1.2.2, https://mdn.io/String/replace, https://en.wikipedia.org/wiki/Snake_case, https://mdn.io/String/split, https://en.wikipedia.org/wiki/Letter_case#Stylistic_or_specialised_usage, http://www.html5rocks.com/en/tutorials/developertools/sourcemaps/#toc-sourceurl, https://lodash.com/custom-builds, https://developer.chrome.com/extensions/sandboxingEval, https://github.com/olado/doT, https://mdn.io/toLowerCase, https://mdn.io/toUpperCase Location: Package overview From: ? → npm/lodash@4.17.23 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lodash@4.17.23. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm react-dom URLs: https://react.dev/errors/, https://react.dev/link/dangerously-set-inner-html, https://reactjs.org/link/react-polyfills, https://github.com/tc39/proposal-import-attributes, http://www.w3.org/2000/svg, http://www.w3.org/1998/Math/MathML, https://react.dev/link/invalid-aria-props, https://react.dev/link/attribute-behavior, https://react.dev/link/controlled-components, https://react.dev/link/invalid-hook-call, https://react.dev/link/rules-of-hooks, https://react.dev/link/warning-keys, https://react.dev/warnings/react-dom-test-utils, http://www.w3.org/1999/xlink, http://www.w3.org/XML/1998/namespace, https://react.dev/warnings/version-mismatch, https://react.dev/link/unsafe-component-lifecycles, https://react.dev/link/legacy-context Location: Package overview From: pnpm-lock.yaml → npm/react-dom@19.2.4 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/react-dom@19.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm react URLs: https://react.dev/link/special-props, https://react.dev/link/invalid-hook-call, https://react.dev/errors/, https://react.dev/link/new-jsx-transform, https://github.com/facebook/react/issues, https://github.com/facebook/react/issues/3236 Location: Package overview From: pnpm-lock.yaml → npm/react@19.2.4 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/react@19.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
See 10 more rows in the dashboard

View full report

[dependabot]

Superseded by #31.