Version Packages

[github-actions]

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

[email protected]

Minor Changes

• 82c9bbd: Update @audius/sdk version to 11.0.0

@audius/[email protected]

Patch Changes

• Updated dependencies [40e5b07]
  • @audius/[email protected]

@audius/[email protected]

Patch Changes

• 40e5b07: Update hompeage URL

@audius/[email protected]

Patch Changes

• @audius/[email protected]

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​cipher-base@​1.0.4
	npm/​babel-traverse@​6.26.0
	npm/​define-properties@​1.1.4
	npm/​constant-case@​2.0.0
	npm/​boolbase@​1.0.0
	npm/​babel-helper-optimise-call-expression@​6.24.1
	npm/​camel-case@​3.0.0
	npm/​babel-helper-get-function-arity@​6.24.1
	npm/​babel-helper-regex@​6.26.0
	npm/​detect-node@​2.1.0
	npm/​copy-descriptor@​0.1.1
	npm/​caller-path@​0.1.0
	npm/​babel-helper-hoist-variables@​6.24.1
	npm/​core-util-is@​1.0.3
	npm/​browserify-rsa@​4.1.0
	npm/​dom-walk@​0.1.2
	npm/​babel-helper-function-name@​6.24.1
	npm/​chownr@​1.1.4
	npm/​domelementtype@​2.3.0
	npm/​create-ecdh@​4.0.4
	npm/​babel-plugin-syntax-async-functions@​6.13.0
	npm/​babel-plugin-syntax-exponentiation-operator@​6.13.0
	npm/​call-bind@​1.0.2
	npm/​browserify-cipher@​1.0.1
	npm/​babel-helper-replace-supers@​6.24.1
	npm/​babel-helper-remap-async-to-generator@​6.24.1
	npm/​browserify-des@​1.0.2
	npm/​diffie-hellman@​5.0.3
	npm/​cli-regexp@​0.1.2
	npm/​decompress-response@​3.3.0
	npm/​babel-plugin-transform-es2015-sticky-regex@​6.24.1
	npm/​code-point-at@​1.1.0
	npm/​babel-messages@​6.23.0
See 178 more rows in the dashboard

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		npm/[email protected] has a Critical CVE. CVE: GHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code (CRITICAL) Affected versions: >= 0 Patched version: No patched versions From: package-lock.json → npm/[email protected] ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/[email protected] has a Critical CVE. CVE: GHSA-cpq7-6gpm-g9rc cipher-base is missing type checks, leading to hash rewind and passing on crafted data (CRITICAL) Affected versions: < 1.0.5 Patched version: 1.0.5 From: package-lock.json → npm/[email protected] ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/[email protected] is a AI-detected potential code anomaly. Notes: This command is typically benign and used to compile native addons. However, because it builds and may execute native code, it poses greater risk than pure-JS installs: malicious or vulnerable native source could introduce privilege-escalation, arbitrary code execution, or other system-level impacts. Review the native source, build scripts, and any downloaded prebuilt binaries before trusting the package. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/[email protected] is a AI-detected potential code anomaly. Notes: This is a conventional Chalk-like color-styling module. It exhibits expected behavior for terminal styling, uses environment checks for compatibility, and does not demonstrate malicious activity, data leakage, or external communications. Security risk is low in isolation; the primary considerations are safe usage in environments where ANSI sequences could affect log readability or concealment, and ensuring trusted template renderingCode integrity. Overall, the component appears benign within its described scope. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/[email protected] is a AI-detected potential code anomaly. Notes: The code represents a standard, well-scoped recursive ownership utility with deliberate cross-version compatibility. No evidence of malicious activity, data leakage, or external communications. The main risk is the potential for broad permission changes if invoked with untrusted uid/gid values; usage should be restricted to trusted contexts. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/[email protected] is a AI-detected potential code anomaly. Notes: The code appears to be a standard, non-malicious Content-Disposition header parser with strict input validation and proper encoding/decoding utilities. No evident data exfiltration or remote execution within this fragment. The primary precaution is to ensure the external decodefield function is safe and that PARAM_REGEXP robustly handles edge-case inputs to prevent DoS or parsing failures. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/[email protected] is a AI-detected potential code anomaly. Notes: This file is a minimal, legitimate wrapper around Node.js child_process.spawn and spawnSync to provide improved ENOENT (command not found) error handling. It does not perform any network requests, dynamic code evaluation, secret disclosure, or telemetry. The only “sink” is the intended execution of local processes as directed by the calling application. No malicious behavior detected. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report