Update dependency @modelcontextprotocol/sdk to v1.25.2 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@modelcontextprotocol/sdk (source)	1.17.3 → 1.25.2

GitHub Vulnerability Alerts

CVE-2025-66414

The Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication with StreamableHTTPServerTransport or SSEServerTransport and has not enabled enableDnsRebindingProtection, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the user in those limited circumstances.

Note that running HTTP-based MCP servers locally without authentication is not recommended per MCP security best practices. This issue does not affect servers using stdio transport.

Servers created via createMcpExpressApp() now have this protection enabled by default when binding to localhost. Users with custom Express configurations are advised to update to version 1.24.0 and apply the exported hostHeaderValidation() middleware when running an unauthenticated server on localhost.

CVE-2026-0621

Impact

A ReDoS vulnerability in the UriTemplate class allows attackers to cause denial of service. The partToRegExp() function generates a regex pattern with nested quantifiers (([^/]+(?:,[^/]+)*)) for exploded template variables (e.g., {/id*}, {?tags*}), causing catastrophic backtracking on malicious input.

Who is affected: MCP servers that register resource templates with exploded array patterns and accept requests from untrusted clients.

Attack result: An attacker sends a crafted URI via resources/read request, causing 100% CPU utilization, server hang/crash, and denial of service for all clients.

Affected Versions

All versions of @modelcontextprotocol/sdk prior to the patched release.

Patches

v1.25.2 contains b392f02ffcf37c088dbd114fedf25026ec3913d3 the fix modifies the regex pattern to prevent backtracking.

Workarounds

• Avoid using exploded patterns ({/id*}, {?tags*}) in resource templates
• Implement request timeouts and rate limiting
• Validate URIs before processing to reject suspicious patterns

---

Release Notes

modelcontextprotocol/typescript-sdk (@​modelcontextprotocol/sdk)

v1.25.2

Compare Source

What's Changed

• ci: trigger workflow on v1.x branch by @​felixweinberger in #​1319
• fix: README badges links destinations by @​antonpk1 in #​907
• fix: prevent ReDoS in UriTemplate regex patterns (v1.x backport) by @​pcarleton in #​1365

New Contributors

• @​antonpk1 made their first contribution in #​907

Full Changelog: modelcontextprotocol/typescript-sdk@1.25.1...v1.25.2

v1.25.1

Compare Source

What's Changed

• spec types - backwards compatibility changes by @​KKonstantinov in #​1306
• chore: bump version for patch fix by @​felixweinberger in #​1307

Full Changelog: modelcontextprotocol/typescript-sdk@1.25.0...1.25.1

v1.25.0

Compare Source

What's Changed

• list changed handlers on client constructor by @​mattzcarey in #​1206
• Role - moved from inline to reusable type by @​KKonstantinov in #​1221
• fix: use versioned npm tag for non-main branch releases by @​pcarleton in #​1236
• No automatic completion support unless needed - Revisited yet again by @​cliffhall in #​1237
• fix: Support updating output schema by @​vincent0426 in #​1048
• Remove type dependency on @​cfworker/json-schema by @​LucaButBoring in #​1229
• Relocate tests under /test by @​KKonstantinov in #​1220
• Fix tsconfig: remove tests by @​KKonstantinov in #​1240
• tsconfig - tests and build fix by @​KKonstantinov in #​1243
• fix a typo in examples README by @​DaleSeo in #​1246
• Protocol date validation by @​mattzcarey in #​1247
• Flaky test fix on Types.test.ts by @​KKonstantinov in #​1244
• SPEC COMPLIANCE: Remove loose/passthrough types not allowed/defined by MCP spec + Task types by @​KKonstantinov in #​1242
• Follow-up fixes for PR #​1242 by @​felixweinberger in #​1274
• Update server examples and docs by @​DaleSeo in #​1285
• Update TypeScript config to ES2020 to fix AJV imports by @​mattzcarey in #​1297
• Fix Zod v4 schema description extraction by @​felixweinberger in #​1296
• Add optional description field to Implementation schema by @​calclavia in #​1295
• Add theme property to Icon schema by @​DaleSeo in #​1290
• feat: fetch transport by @​mattzcarey in #​1209
• chore: bump version for release by @​felixweinberger in #​1301

New Contributors

• @​vincent0426 made their first contribution in #​1048

Full Changelog: modelcontextprotocol/typescript-sdk@1.24.3...1.25.0

v1.24.3

Compare Source

What's Changed

• chore: fix dev dependency security vulnerabilities by @​felixweinberger in #​1227
• chore(deps): bump express from 5.0.1 to 5.2.1 in the npm_and_yarn group across 1 directory by @​dependabot[bot] in #​1228
• fix: release HTTP connections after POST responses by @​mattzcarey in #​1214
• fix: skip priming events and closeSSEStream for old protocol versions by @​felixweinberger in #​1233
• chore: bump version for patch release by @​felixweinberger in #​1235

Full Changelog: modelcontextprotocol/typescript-sdk@1.24.2...1.24.3

v1.24.2

Compare Source

What's Changed

• feat: add optional resource annotations by @​vhorvath2010 in #​954
• chore: refresh CLAUDE.md by @​LucaButBoring in #​1217
• refactor: make Server class framework-agnostic by moving express to separate module by @​cytle in #​1223
• chore: bump version to 1.24.2 by @​pcarleton in #​1224

New Contributors

• @​vhorvath2010 made their first contribution in #​954
• @​cytle made their first contribution in #​1223

Full Changelog: modelcontextprotocol/typescript-sdk@1.24.1...1.24.2

v1.24.1

Compare Source

What's Changed

• fix(streamableHttp): fix infinite retries when maxRetries is set to 0 by @​mrorigo in #​1216
• chore: update protocol version to 2025-11-25 by @​dsp-ant in #​1218
• chore: bump version for release by @​felixweinberger in #​1219

New Contributors

• @​mrorigo made their first contribution in #​1216

Full Changelog: modelcontextprotocol/typescript-sdk@1.24.0...1.24.1

v1.24.0

Compare Source

Summary

This release brings us up to speed with the latest MCP spec 2025-11-25. Take a look at the latest spec as well as the release blog post.

What's Changed

• fix: update spec links from latest to draft by @​domdomegg in #​1171
• Make sure to consume HTTP error response bodies by @​GreenStage in #​1173
• docs: add GET request handling for streamableHttp stateless mode by @​saharis9988 in #​1161
• SEP-1686: Tasks by @​LucaButBoring in #​1041
• Fix JSON parse error on SSE events with empty data by @​felixweinberger in #​1184
• Fix StreamableHTTPClientTransport instantiation by @​yuwzho in #​944
• feat: eslint rule to prefer node protocols by @​mattzcarey in #​1187
• fix: call tasks/result to deliver side-channel messages by @​felixweinberger in #​1185
• Add invalid_target oauth error (rfc 8707) by @​GreenStage in #​1183
• fix(client): use StreamableHTTPError instead of plain Error in send() by @​yamadashy in #​1178
• coerce 'expires_in' to be a number by @​adam-kuhn in #​1111
• Allow HTTP issuer URLs when MCP_DEV_MODE is enabled by @​jerome3o-anthropic in #​1189
• fix: update registerTool signature for proper typed ToolCallback by @​mattzcarey in #​1188
• SEP-1046: Client credentials flow for M2M without user interaction by @​KKonstantinov in #​1157
• adds the transitive @​types/express-serve-static-core dependency as a direct devDependency by @​mgyarmathy in #​1078
• Fix optional argument handling in prompts for Zod V4 by @​filip-bartuska-ipf in #​1199
• fix hanging stdio servers by @​mattzcarey in #​1200
• README refactor by @​KKonstantinov in #​1197
• [Docs] Fix typo by @​koic in #​1067
• feat: add closeSSEStream callback to RequestHandlerExtra by @​felixweinberger in #​1166
• fix: improve SSE reconnection behavior by @​felixweinberger in #​1191
• fix: normalize headers in sse transport by @​marcrasi in #​856
• feat: add closeStandaloneSSEStream for GET stream polling by @​felixweinberger in #​1203
• fix: normalize null to undefined in ElicitResultSchema content field by @​mattzcarey in #​1204
• Modify Origin header validation in validateRequestHeaders (streamableHttp.ts and sse.ts) to allow requests without an Origin, as they are not relevant to server DNS rebinding protection. by @​jacopoc in #​1205
• fix: allow zod 4 transformations by @​mattzcarey in #​1213
• feat: backwards-compatible createMessage overloads for SEP-1577 by @​felixweinberger in #​1212
• chore: bump version for release by @​felixweinberger in #​1215

New Contributors

• @​GreenStage made their first contribution in #​1173
• @​saharis9988 made their first contribution in #​1161
• @​yuwzho made their first contribution in #​944
• @​yamadashy made their first contribution in #​1178
• @​adam-kuhn made their first contribution in #​1111
• @​mgyarmathy made their first contribution in #​1078
• @​filip-bartuska-ipf made their first contribution in #​1199
• @​koic made their first contribution in #​1067
• @​marcrasi made their first contribution in #​856
• @​jacopoc made their first contribution in #​1205

Full Changelog: modelcontextprotocol/typescript-sdk@1.23.0...1.24.0

v1.23.1

Compare Source

Fixed:

• Disabled SSE priming events to fix backwards compatibility - 1.23.x clients crash on empty SSE data (JSON.parse(""))

This is a patch for servers still on 1.23.x that were breaking clients not handling the the 2025-11-25 priming event behavior with empty SSE data fields. See #​1233 for more details.

Full Changelog: modelcontextprotocol/typescript-sdk@1.23.0...1.23.1

v1.23.0

Compare Source

What's Changed

• Migrate to vitest from jest by @​mattzcarey in #​1074
• ci: add workflow_dispatch trigger for manual CI runs by @​felixweinberger in #​1114
• Fix: @​types/node incompatibility with vite warnings on npm install by @​KKonstantinov in #​1121
• Fix: clean up accidental spec.types.ts by @​KKonstantinov in #​1122
• fix: Pass RequestInit options to auth requests by @​dsp-ant in #​1066
• SEP-1036: URL Elicitation by @​nbarbettini in #​1105
• add none to test and the router. by @​m-henderson in #​1116
• [auth] Adjust scope management to line up with SEP-835 by @​pcarleton in #​1133
• chore: add .idea/ to .gitignore by @​maxisbey in #​1134
• chore: remove unused @​types/eslint__js dependency by @​mattzcarey in #​1128
• feat: url based client metadata registration (SEP 991) by @​mattzcarey in #​1127
• feat: zod v4 with backwards compatibility for v3.25+ by @​dclark27 in #​1040
• fix: remove pnpm lock and regenerate package-lock by @​mattzcarey in #​1138
• docs: update installation instructions for zod peer dependency by @​mattzcarey in #​1139
• Implement SEP-1577 - Sampling With Tools by @​ochafik in #​1101
• Follow up: unify v3 and v4 zod types via describe matrix and a test helper by @​KKonstantinov in #​1141
• chore: Add deprecated marker to old elicitInput overload by @​nbarbettini in #​1142
• fix: Connect error in URL elicitation example by @​nbarbettini in #​1136
• Support upscoping on insufficient_scope 403 by @​Nayana-Parameswarappa in #​1115
• Support beta releases by publishing with --tag beta by @​felixweinberger in #​1146
• Bump version to 1.23.0-beta.0 by @​felixweinberger in #​1147
• SEP-1613: use.catchall() on inputSchema/outputSchema to support JSON Schema 2020-12 by @​felixweinberger in #​1135
• sampling: validate tools, tool_use, tool_result constraints by @​ochafik in #​1156
• fix: React to upstream RC schema changes for form mode elicitation requests by @​felixweinberger in #​1164
• feat: implement SEP-1699 SSE polling via server-side disconnect by @​felixweinberger in #​1129
• chore: bump package number for release by @​felixweinberger in #​1170

New Contributors

• @​nbarbettini made their first contribution in #​1105
• @​m-henderson made their first contribution in #​1116
• @​maxisbey made their first contribution in #​1134
• @​dclark27 made their first contribution in #​1040
• @​Nayana-Parameswarappa made their first contribution in #​1115

Full Changelog: modelcontextprotocol/typescript-sdk@1.22.0...1.23.0

v1.22.0

Compare Source

What's Changed

• registerTool: accept ZodType for input and output schema by @​ksinder in #​816
• SEP-1319: Decouple Request Payloads, Remove passthrough iteration, Typecheck fixes by @​KKonstantinov in #​1086
• add pkg-pr-new bot by @​pcarleton in #​1088
• Upgrade to Node LTS by @​mattzcarey in #​1072
• change step name by @​pcarleton in #​1089
• SEP-1034: Default values for Elicitation Schemas by @​KKonstantinov in #​1096
• SEP-1330: Compatibility with SEP-1034 by @​KKonstantinov in #​1100
• Implementation of SEP-986: Specify Format for Tool Names by @​kentcdodds in #​900
• [auth] Fix march spec fallback for metadata discovery by @​pcarleton in #​1108
• chore: bump version for release by @​felixweinberger in #​1110

New Contributors

• @​ksinder made their first contribution in #​816

Full Changelog: modelcontextprotocol/typescript-sdk@1.21.1...1.22.0

v1.21.2

Compare Source

What's changed

This is a patch release for a regression highlighted by #​1103

This patch contains only the cherry picked fix in #​1108

Full Changelog: modelcontextprotocol/typescript-sdk@1.21.1...1.21.2

v1.21.1

Compare Source

What's Changed

• Only use path-based discovery URLs from the authorization server to discover metadata by @​roadmapper in #​1070
• Add @​deprecated annotations to legacy APIs by @​domdomegg in #​1018
• fix: Support WWW-Authenticate scope param for SEP-835 by @​chipgpt in #​983
• move CLI script to dedicated scripts directory by @​mattzcarey in #​1073
• Check script which typechecks using Typescripts new Go port by @​mattzcarey in #​1075
• FIX: use a nightly spec.types.ts by @​mattzcarey in #​1087
• chore: bump version for release by @​felixweinberger in #​1085

New Contributors

• @​roadmapper made their first contribution in #​1070

Full Changelog: modelcontextprotocol/typescript-sdk@1.21.0...1.21.1

v1.21.0

Compare Source

What's Changed

• feat: pluggable JSON schema validator providers by @​mattzcarey in #​1012
• Update metadata.ts by @​pcarleton in #​1010
• fix: Prefer the token_endpoint_auth_method response from DCR registration by @​chipgpt in #​1022
• Fix: Non-existent tool, disabled tool and inputSchema validation return MCP protocol level instead of CallToolResult with isError: true by @​KKonstantinov in #​1044
• chore: bump version to 1.21.0 for release by @​felixweinberger in #​1062

New Contributors

• @​chipgpt made their first contribution in #​1022

Full Changelog: modelcontextprotocol/typescript-sdk@1.20.2...1.21.0

v1.20.2

Compare Source

What's Changed

• fix: Zod to JSONSchema pipe strategies by @​pierreliefauche in #​962
• chore: bump version for weekly release by @​felixweinberger in #​1042

New Contributors

• @​pierreliefauche made their first contribution in #​962

Full Changelog: modelcontextprotocol/typescript-sdk@1.20.1...1.20.2

v1.20.1

Compare Source

What's Changed

• fix: Add Accept header to auth metadata request by @​SVLaursen in #​901
• Allow empty string as valid URL in DCR workflow by @​fredericbarthelet in #​987
• docs: fix summary contents at readme by @​starfish719 in #​1025
• chore: bump version to 1.20.1 for release by @​felixweinberger in #​1032

New Contributors

• @​SVLaursen made their first contribution in #​901
• @​starfish719 made their first contribution in #​1025

Full Changelog: modelcontextprotocol/typescript-sdk@1.20.0...1.20.1

v1.20.0

Compare Source

What's Changed

• docs: improve main README with better quick start, include examples of stateless HTTP, explain tools v resources v prompts by @​domdomegg in #​980
• chore: add lint:fix script by @​mattzcarey in #​1013
• Default to S256 code challenge if not specified in authorization server metadata by @​LucaButBoring in #​992

New Contributors 🙏

• @​mattzcarey made their first contribution in #​1013

Full Changelog: modelcontextprotocol/typescript-sdk@1.19.0...1.20.0

v1.19.1

Compare Source

v1.18.2

Compare Source

What's Changed

• Updates the sampling code example in the README by @​viniciuscsouza in #​958
• Use redirect Uri passed in in demoInMemoryOAuthProvider by @​TylerLeonhardt in #​931
• fix(auth-router): correct Protected Resource Metadata for pathful RS and add explicit resourceServerUrl (RFC 9728) by @​blustAI in #​858
• chore: update version to 1.18.2 for weekly release by @​felixweinberger in #​970

New Contributors

• @​viniciuscsouza made their first contribution in #​958
• @​TylerLeonhardt made their first contribution in #​931
• @​blustAI made their first contribution in #​858

Full Changelog: modelcontextprotocol/typescript-sdk@1.18.1...1.18.2

v1.18.1

Compare Source

What's Changed

• fix: prevent streamable http wite after end from crashing the node process by @​MQ37 in #​933
• chore: update version to 1.18.1 for weekly release by @​felixweinberger in #​950

New Contributors

• @​MQ37 made their first contribution in #​933

Full Changelog: modelcontextprotocol/typescript-sdk@1.18.0...1.18.1

v1.18.0

Compare Source

What's Changed

• mcp: update SDK for SEP 973 + add to example server by @​jesselumarie in #​904
• feat: add _meta field support to tool definitions by @​knguyen-figma in #​922
• Fix automatic log level handling for sessionless connections by @​cliffhall in #​917
• 1.17.6 by @​ihrpr in #​936
• 1.18.0 by @​ihrpr in #​937
• ignore icons for now by @​ihrpr in #​938

New Contributors

• @​jesselumarie made their first contribution in #​904
• @​knguyen-figma made their first contribution in #​922

Full Changelog: modelcontextprotocol/typescript-sdk@1.17.5...1.18.0

v1.17.5

Compare Source

What's Changed

• Automatic handling of logging level by @​cliffhall in #​882
• Fix the SDK vs Spec types test that is breaking CI by @​cliffhall in #​908

Full Changelog: modelcontextprotocol/typescript-sdk@1.17.4...1.17.5

v1.17.4

Compare Source

What's Changed

• feature(middleware): Composable fetch middleware for auth and cross‑cutting concerns by @​m-paternostro in #​485
• restrict url schemes allowed in oauth metadata by @​pcarleton in #​877
• [auth] OAuth protected-resource-metadata: fallback on 4xx not just 404 by @​pcarleton in #​879
• chore: bump version to 1.17.4 by @​felixweinberger in #​894

Full Changelog: modelcontextprotocol/typescript-sdk@1.17.3...1.17.4

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​openzeppelin/​uniswap-hooks@​1.2.1
	rollup-plugin-terser@​7.0.2
	@​changesets/​changelog-github@​0.5.1
	typescript-eslint@​8.39.1
	highlightjs-cairo@​0.4.0
	@​types/​semver@​7.7.0
	@​types/​semver@​7.7.1
	path-browserify@​1.0.1
	file-saver@​2.0.5
	sirv-cli@​3.0.1
	@​types/​file-saver@​2.0.7
	@​types/​resize-observer-browser@​0.1.11
	jszip@​3.10.1
	tippy.js@​6.3.7
	rollup-plugin-livereload@​2.0.5
	rollup-plugin-styles@​4.0.0
	@​types/​node@​22.7.5 ⏵ 20.19.21	+1		+1	-1
	@​types/​node@​22.7.5 ⏵ 20.19.10	+1		+1	-1
	solidity-ast@​0.4.60
	postcss-load-config@​6.0.1
	@​uniswap/​v4-core@​1.0.2
	@​uniswap/​v4-periphery@​1.0.3
	postcss@​8.5.6
	svelte-preprocess@​5.1.4
	ethereum-cryptography@​1.2.0 ⏵ 3.2.0	+1		+1
	concurrently@​9.2.0
	highlightjs-solidity@​2.0.6
	ava@​6.4.1
	@​rollup/​plugin-json@​6.1.0
	highlight.js@​11.11.1
	@​rollup/​plugin-alias@​5.1.1
	@​rollup/​plugin-replace@​6.0.2
	util@​0.12.5
See 25 more rows in the dashboard

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		High CVE: npm qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion CVE: GHSA-6rw7-vpxm-498p qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion (HIGH) Affected versions: < 6.14.1 Patched version: 6.14.1 From: ? → npm/@modelcontextprotocol/sdk@1.25.2 → npm/qs@6.14.0 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/qs@6.14.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @humanwhocodes/retry is 100.0% likely to have a medium risk anomaly Notes: The Retrier class implements a conventional, well-scoped retry mechanism with abort support and backoff-like scheduling. There is no evidence of malicious behavior, data exfiltration, or backdoors in this fragment. The primary security considerations relate to the trustworthiness of the host-provided function (fn) and the external timing constants that govern bail/retry behavior. Overall risk is moderate due to the possibility of executing arbitrary host code, but this is expected for a retry utility; no external communications or data leakage are evident here. Confidence: 1.00 Severity: 0.60 From: ? → npm/eslint@9.33.0 → npm/@humanwhocodes/retry@0.3.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@humanwhocodes/retry@0.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly Notes: The code represents a conventional, non-obfuscated part of AJV’s custom keyword support. No direct malicious actions are evident within this module. Security concerns mainly arise from the broader supply chain: the external rule implementation (dotjs/custom), the definition schema, and any user-supplied keyword definitions. The dynamic compilation path (compile(metaSchema, true)) should be exercised with trusted inputs. Recommended follow-up: review the contents of the external modules and monitor the inputs supplied to addKeyword/definitionSchema to ensure no unsafe behavior is introduced during validation or data handling. Confidence: 1.00 Severity: 0.60 From: ? → npm/eslint@9.33.0 → npm/ajv@6.12.6 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@6.12.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm consola is 100.0% likely to have a medium risk anomaly Notes: The analyzed code fragment is a feature-rich, standard Consola logging utility responsible for redirecting and managing log output with throttling, pausing, and reporter integration. There is no direct evidence of malicious activity, hardcoded secrets, or exfiltration within this snippet. However, the powerful I/O overrides pose privacy and data flow risks if reporters or downstream sinks are untrusted. The security posture hinges on trusted reporters and proper governance of the overall supply chain. Confidence: 1.00 Severity: 0.60 From: ? → npm/ava@6.4.1 → npm/consola@3.4.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/consola@3.4.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm css-tree is 100.0% likely to have a medium risk anomaly Notes: The code is a standard, well-scoped parser fragment for a DSL-like FeatureFunction construct. It uses dynamic feature dispatch with proper balance checks and safe fallbacks, and emits a consistent AST node. No malicious behavior detected; the main risks relate to misconfiguration of the features map rather than code-level exploits. Confidence: 1.00 Severity: 0.60 From: ? → npm/rollup-plugin-styles@4.0.0 → npm/css-tree@3.1.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/css-tree@3.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm detect-libc is 100.0% likely to have a medium risk anomaly Notes: The code represents a robust, multi-source libc detection utility for Linux, prioritizing filesystem data, then runtime reports, and finally command-based inference. It shows no malicious behavior and aligns with expected patterns for environment introspection. The main improvement areas are strengthening error visibility and handling edge cases where outputs differ from standard expectations. Confidence: 1.00 Severity: 0.60 From: ? → npm/ava@6.4.1 → npm/detect-libc@2.0.4 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/detect-libc@2.0.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm hardhat is 100.0% likely to have a medium risk anomaly Notes: The code implements a subprocess-based transport to offload event sending. While this can reduce main-process dependencies, it creates a cross-process data path that exposes the serialized event via environment variables to an external subprocess. The subprocess script (not present here) becomes a critical trust boundary. Without inspecting the subprocess implementation and package contents, there is a non-trivial risk of data leakage or tampering via the external process. No explicit malware detected in this fragment, but the design warrants careful review of the subprocess code and supply chain integrity. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/package.json → npm/hardhat@2.26.3 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/hardhat@2.26.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm ignore is 100.0% likely to have a medium risk anomaly Notes: The code fragment represents a conventional, well-structured path-ignore utility with caching and recursive parent-directory evaluation. Windows path normalization is present for compatibility but does not indicate malicious intent. No indicators of data leakage, external communication, or covert backdoors were found. Security impact primarily revolves around correct ignore semantics rather than intrinsic vulnerabilities. The component remains appropriate for use in a broader security-conscious pipeline if used with careful awareness of what is being ignored. Confidence: 1.00 Severity: 0.60 From: ? → npm/ava@6.4.1 → npm/ignore@7.0.5 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ignore@7.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm object-hash is 100.0% likely to have a medium risk anomaly Notes: Conclusion: The code appears to be a standard, open-source-like object hashing/serialization utility with streaming capabilities. No active malicious behavior detected within this fragment. Minor issues (typos, blob handling edge-case, and potential performance considerations for large inputs) should be addressed to reduce risk in supply-chain contexts. Overall security risk remains moderate and workload/usage controls should govern integration. Confidence: 1.00 Severity: 0.60 From: ? → npm/tailwindcss@3.4.18 → npm/object-hash@3.0.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/object-hash@3.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm openai is 100.0% likely to have a medium risk anomaly Notes: The script itself is not evidently malicious but poses a moderate-to-high supply-chain risk: it invokes npx to download and execute a GitHub-hosted tarball and passes a local migration-config.json path and the process environment to the remote code. That remote code could perform arbitrary actions, read local configuration or environment secrets, or exfiltrate data. Mitigations: avoid using tarball URLs in runtime invocations, pin to vetted packages in package.json, verify integrity (checksums/signatures), vendor the migration tool or require an explicit local installation, and avoid passing sensitive file paths or environment variables to untrusted code. Confidence: 1.00 Severity: 0.60 From: packages/ui/package.json → npm/openai@5.23.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/openai@5.23.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm prettier is 100.0% likely to have a medium risk anomaly Notes: No definitive malware detected in this fragment. The main security concern is supply-chain risk from dynamically loading plugins from potentially untrusted sources. To mitigate, enforce strict plugin provenance, disable remote plugin loading, verify plugin integrity, and apply least-privilege execution for plugins. Confidence: 1.00 Severity: 0.60 From: package.json → npm/prettier@3.6.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/prettier@3.6.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm proxy-addr is 100.0% likely to have a medium risk anomaly Notes: The code is a standard, well-scoped IP trust utility (proxy-addr) with no evidence of malicious behavior. It reads IPs from request headers, validates and normalizes them, and applies a trust policy to determine the client address. No backdoors, exfiltration, or dangerous operations are present. The security posture appears acceptable for its intended purpose when used as a dependency in an Open Source project. Confidence: 1.00 Severity: 0.60 From: ? → npm/@modelcontextprotocol/sdk@1.25.2 → npm/proxy-addr@2.0.7 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/proxy-addr@2.0.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm resolve is 100.0% likely to have a medium risk anomaly Notes: This manifest uses a non-registry, relative-path dependency ('resolve': '../../../') which is a significant supply-chain risk because it allows arbitrary local code to be pulled in and executed without registry protections. Combined with the 'lerna bootstrap' postinstall script (which can trigger other lifecycle scripts across the monorepo), this setup increases the chance of untrusted code execution and other malicious behavior. Inspect the target of the relative path, all bootstrap-linked packages, and any lifecycle scripts before running npm install in an untrusted environment. Confidence: 1.00 Severity: 0.60 From: ? → npm/@rollup/plugin-typescript@12.1.4 → npm/rollup-plugin-styles@4.0.0 → npm/tailwindcss@3.4.18 → npm/@rollup/plugin-node-resolve@16.0.3 → npm/resolve@1.22.10 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/resolve@1.22.10. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm rimraf is 100.0% likely to have a medium risk anomaly Notes: The rimraf module analyzed appears to be a conventional, dependable recursive deletion utility with thoughtful cross-platform safeguards and backoff strategies. There is no evidence of malicious activity, data leakage, or backdoors. The primary risk is accidental or intentional destructive file system changes if misused; treat as legitimate utility with appropriate access controls. Confidence: 1.00 Severity: 0.60 From: ? → npm/svelte-preprocess@5.1.4 → npm/rimraf@2.7.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/rimraf@2.7.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm rollup-plugin-terser is 100.0% likely to have a medium risk anomaly Notes: This file is a terser wrapper that unsafely evaluates a caller-supplied string to produce options. The code itself contains no explicit exfiltration, hard-coded credentials, or network calls, and appears non-obfuscated. However, eval(optionsString) is a high-severity issue: if optionsString can be influenced by an attacker, the application can be fully compromised (RCE). Replace eval with safe parsing and validate inputs. Avoid returning mutable objects from evaluated input. Confidence: 1.00 Severity: 0.60 From: packages/ui/package.json → npm/rollup-plugin-terser@7.0.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/rollup-plugin-terser@7.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm rxjs is 100.0% likely to have a medium risk anomaly Notes: The code is a conventional, well-scoped implementation of an RxJS-like concat operator. No malicious behavior, data exfiltration, or suspicious I/O detected in this fragment. Security risk is low; malware likelihood is negligible for this isolated operator function. Confidence: 1.00 Severity: 0.60 From: ? → npm/concurrently@9.2.0 → npm/rxjs@7.8.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/rxjs@7.8.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm synckit is 100.0% likely to have a medium risk anomaly Notes: The code is a sophisticated, legitimate utility for managing worker threads with various TypeScript runtimes and global shims. It does not exhibit explicit malicious behavior, hardcoded secrets, or standard malware patterns. The main security considerations relate to the safe handling of workerPath/globalShims inputs and ensuring that only trusted, validated worker code is executed in worker contexts. Overall risk is moderate due to the dynamic nature of code loading, but the fragment itself is a standard, non-malicious utility module. Confidence: 1.00 Severity: 0.60 From: ? → npm/eslint-plugin-prettier@5.5.4 → npm/synckit@0.11.11 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/synckit@0.11.11. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm terser is 100.0% likely to have a medium risk anomaly Notes: Conclusion: The fragment is a benign static list of DOM/Web API identifiers used for tooling purposes (e.g., property enumeration, whitelist checks, or code generation). There is no evidence of malicious behavior, data exfiltration, or backdoors within this fragment alone. Overall security risk is low for this isolated piece; assessment should consider how the list is used in the broader codebase. Confidence: 1.00 Severity: 0.60 From: ? → npm/rollup-plugin-terser@7.0.2 → npm/terser@5.43.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/terser@5.43.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm zod is 100.0% likely to have a medium risk anomaly Notes: No explicit network exfiltration, reverse shell, or credential theft is present in this fragment. However, the code assembles and compiles arbitrary code via the Function constructor and invokes passed-in functions immediately (twice). That behavior constitutes a strong dangerous primitive (arbitrary code execution) which can be abused if any inputs (strings or args) are attacker-controlled. Treat this module as risky in threat models where inputs are not fully trusted; review call sites and sanitize/validate inputs or avoid dynamic evaluation. Confidence: 1.00 Severity: 0.60 From: ? → npm/@modelcontextprotocol/sdk@1.25.2 → npm/zod@4.3.5 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/zod@4.3.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm entities is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: ? → npm/rollup-plugin-styles@4.0.0 → npm/entities@4.5.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/entities@4.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report