Skip to content

chore(deps): bump dependencies with audit warnings to latest #673

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
rexxars wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

chore(deps): bump dependencies with audit warnings to latest #673

rexxars wants to merge 3 commits into from

Conversation

@rexxars
Copy link
Member

@rexxars rexxars commented Dec 3, 2025

Description

Bumps dependencies that have audit warnings to their latest (or non-affected) versions.

In light of https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components

@rexxars rexxars requested a review from a team as a code owner December 3, 2025 20:49
@rexxars rexxars requested a review from ryanbonial December 3, 2025 20:49
@vercel
Copy link

vercel bot commented Dec 3, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Preview Comments Updated (UTC)
sdk-docs Error Error Dec 3, 2025 9:09pm
sdk-kitchensink-react Error Error Dec 3, 2025 9:09pm

@socket-security
Copy link

socket-security bot commented Dec 3, 2025
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatedhusky@​9.1.6 ⏵ 9.1.71001006280100
Updated@​commitlint/​types@​19.8.0 ⏵ 19.8.11001006786100
Updated@​vitest/​coverage-v8@​3.1.2 ⏵ 3.2.49910072 +199100
Updated@​commitlint/​cli@​19.8.0 ⏵ 19.8.1991007387100
Updated@​sanity/​types@​3.88.1 ⏵ 3.99.010010073 +1100100
Updatedtypescript-eslint@​8.26.1 ⏵ 8.48.110010074 -198 +1100
Updated@​types/​react-dom@​19.1.3 ⏵ 19.2.3100 +110075 +193100
Updated@​sanity/​prettier-config@​1.0.3 ⏵ 1.0.686 +210077 +289 +2100
Updated@​sanity/​cli@​3.88.1-typegen-experimental.0 ⏵ 4.20.097 +110079 +2100100
Updatedvitest@​3.1.2 ⏵ 3.2.4981007999100
Updated@​types/​react@​19.1.2 ⏵ 19.2.71001007995100
Updatedreact-router@​7.5.2 ⏵ 7.10.096 -210079 +198100
Updatedinter-ui@​4.1.0 ⏵ 4.1.1100 +1100100 +181 +390
Updated@​types/​node@​22.13.9 ⏵ 22.19.1100 +110081 +195 +1100
Updatedtsx@​4.19.4 ⏵ 4.21.0100 +810081 +190 +6100
Updated@​sanity/​icons@​3.7.0 ⏵ 3.7.499 +110082 +192 +1100
Updatedeslint-plugin-react@​7.37.4 ⏵ 7.37.599 +110010084100
Updatedeslint-plugin-import@​2.31.0 ⏵ 2.32.09810010084100
Updatedreact@​19.1.0 ⏵ 19.2.110010084 +197 +1100
Updatedeslint-plugin-unused-imports@​4.1.4 ⏵ 4.3.010010090 +185100
Updatedglobals@​16.0.0 ⏵ 16.5.010010085 +190100
Updated@​sanity/​ui@​2.15.13 ⏵ 3.1.1199 +110086 +2100100
Updatedminimatch@​3.0.8 ⏵ 10.1.1100100100 +186100
Updatedeslint-plugin-react-refresh@​0.4.19 ⏵ 0.4.24100 +1100100 +186100
Updatedturbo@​2.5.2 ⏵ 2.6.2100 +110086 +197 +2100
Updated@​commitlint/​config-conventional@​19.8.0 ⏵ 19.8.110010010086100
Updatedstyled-components@​6.1.18 ⏵ 6.1.1994 +1100100 +187100
Updatedjson-edit-react@​1.26.2 ⏵ 1.29.09910097 +288 -2100
Updatedeslint-config-prettier@​10.1.1 ⏵ 10.1.8100 +1100100 +188100
Updatedrimraf@​6.0.1 ⏵ 6.1.2100 +110010089100
Updateddotenv@​16.5.0 ⏵ 16.6.1100 +110010089100
Updated@​testing-library/​jest-dom@​6.6.3 ⏵ 6.9.110010010089100
See 22 more rows in the dashboard

View full report

@socket-security
Copy link

socket-security bot commented Dec 3, 2025
edited
Loading

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
License policy violation: npm inter-ui under OFL-1.1

License: OFL-1.1 - the applicable license policy does not allow this license (4) (npm metadata)

License: OFL-1.1 - the applicable license policy does not allow this license (4) (package/LICENSE.txt)

License: OFL-1.1 - the applicable license policy does not allow this license (4) (package/package.json)

From: apps/kitchensink-react/package.jsonnpm/[email protected]

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm typescript

License: LicenseRef-W3C-Community-Final-Specification-Agreement - the applicable license policy does not allow this license (4) (package/ThirdPartyNoticeText.txt)

From: apps/kitchensink-react/package.jsonnpm/[email protected]

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Install-time scripts: npm unrs-resolver during postinstall

Install script: postinstall

Source: napi-postinstall unrs-resolver 1.11.1 check

From: pnpm-lock.yamlnpm/[email protected]npm/[email protected]

ℹ Read more on: This package | This alert | What is an install script?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@rexxars rexxars marked this pull request as draft December 3, 2025 21:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ryanbonial ryanbonial Awaiting requested review from ryanbonial ryanbonial is a code owner automatically assigned from sanity-io/sdk

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@rexxars