
Conversation

@raymondjacobson
Member

No description provided.

@changeset-bot

changeset-bot bot commented Jan 14, 2026

⚠️ No Changeset found

Latest commit: dd02449

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Added | npm/@babel/plugin-proposal-class-static-block@7.21.0 | 100 | 100 | 71 | 50 | 100 |
| Added | npm/@esbuild-plugins/node-globals-polyfill@0.2.3 | 100 | 100 | 71 | 80 | 100 |
| Added | npm/@escape.tech/mookme@2.4.1 | 85 | 100 | 71 | 82 | 100 |
| Added | npm/@babel/preset-typescript@7.22.15 | 100 | 100 | 72 | 93 | 100 |
| Added | npm/@babel/register@7.7.0 | 99 | 100 | 73 | 88 | 100 |
| Added | npm/@babel/plugin-transform-runtime@7.18.2 | 99 | 100 | 74 | 94 | 100 |
| Added | npm/@emotion/server@11.11.0 | 100 | 100 | 75 | 84 | 100 |
| Updated | npm/@babel/helper-compilation-targets@7.22.15 ⏵ 7.27.1 | 100 | 100 | 75 (+1) | 95 | 100 |
| Added | npm/@audius/fetch-nft@0.2.8 | 75 | 100 | 99 | 84 | 100 |
| Added | npm/@babel/plugin-transform-react-jsx@7.21.0 | 100 | 100 | 76 | 94 | 100 |
| Updated | npm/@babel/template@7.22.15 ⏵ 7.27.1 | 100 (+1) | 100 | 76 (+1) | 95 | 100 |
| Added | npm/@babel/cli@7.7.0 | 99 | 100 | 76 | 91 | 100 |
| Added | npm/@babel/preset-env@7.22.15 | 96 | 100 | 77 | 96 | 100 |
| Added | npm/@atlaskit/pragmatic-drag-and-drop@1.7.7 | 100 | 100 | 77 | 86 | 100 |
| Added | npm/@audius/stems@0.3.10 | 77 | 100 | 93 | 84 | 100 |
| Updated | npm/@babel/helper-module-transforms@7.22.17 ⏵ 7.27.1 | 100 (+1) | 100 | 77 (+1) | 95 | 100 |
| Updated | npm/@babel/parser@7.22.16 ⏵ 7.27.1 | 100 (+1) | 100 | 77 (-3) | 96 | 100 |
| Updated | npm/@audius/hedgehog@2.1.0 ⏵ 3.0.0-alpha.1 | 77 (+1) | 100 | 94 | 83 | 100 |
| Updated | npm/@babel/compat-data@7.22.9 ⏵ 7.27.1 | 100 (+1) | 100 | 78 (+1) | 96 | 100 |
| Added | npm/@coral-xyz/anchor@0.29.0 | 98 | 100 | 78 | 84 | 100 |
| Updated | npm/@babel/generator@7.22.15 ⏵ 7.27.1 | 100 | 100 | 79 (+1) | 96 | 100 |
| Updated | npm/@babel/traverse@7.22.17 ⏵ 7.27.1 | 100 (+1) | 100 (+75) | 79 (+1) | 96 | 100 |
| Updated | npm/@babel/helpers@7.22.15 ⏵ 7.27.1 | 99 (+1) | 100 (+2) | 80 (+1) | 96 | 100 |
| Updated | npm/@babel/core@7.22.17 ⏵ 7.23.7 | 98 (+1) | 100 | 80 (+1) | 96 | 100 |
| Updated | npm/@babel/types@7.22.17 ⏵ 7.27.1 | 98 (+1) | 100 | 81 | 96 | 100 |
| Added | npm/@emotion/styled@11.14.0 | 100 | 100 | 82 | 85 | 100 |
| Added | npm/@apollo/client@3.3.7 | 94 | 100 | 82 | 99 | 100 |
| Added | npm/@commander-js/extra-typings@12.1.0 | 100 | 100 | 93 | 83 | 100 |
| Updated | npm/@cloudflare/kv-asset-handler@0.1.2 ⏵ 0.3.1 | 100 | 100 | 100 | 84 (+3) | 100 |
| Added | npm/@emotion/eslint-plugin@11.12.0 | 100 | 100 | 95 | 84 | 100 |
| Added | npm/@alch/alchemy-web3@1.4.6 | 86 | 100 | 100 | 84 | 100 |
| Added | npm/@emotion/babel-preset-css-prop@11.12.0 | 100 | 100 | 100 | 84 | 100 |
See 14 more rows in the dashboard


@socket-security

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action Severity Alert
Block Low
Potential code anomaly (AI signal): npm @amplitude/session-replay-browser is 100.0% likely to have a medium risk anomaly

Notes: This is a session-replay / DOM-capture library that intentionally collects detailed page state (DOM, canvas bitmaps, user interactions), persists them locally, compresses, and sends them to Amplitude session-replay endpoints. The behavior is expected for such SDKs. The primary security concern is privacy/data exfiltration: if misconfigured or used without user consent, the library can capture sensitive inputs and page content. No evidence of traditional malware (reverse shell, arbitrary remote code execution, eval-based payloads) was found in the provided fragment. Recommendations: only use from trusted package sources, ensure masking/ignore selectors are tightly configured (especially for inputs and sensitive CSS selectors), review remote config behavior (it fetches sampling/privacy config), consider privacy/legal implications (consent), and monitor network endpoints and API keys.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@amplitude/plugin-session-replay-browser@1.8.2 → npm/@amplitude/session-replay-browser@1.15.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@amplitude/session-replay-browser@1.15.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm @babel/helper-module-transforms is 100.0% likely to have a medium risk anomaly

Notes: The code is a legitimate, static-code transformation utility used in Babel to ensure proper behavior of ES module bindings after transforms. There is no evidence of malicious behavior, data leakage, or external communications within this fragment. It operates purely on AST-level transformations consistent with module import/export handling.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@babel/helper-module-transforms@7.27.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helper-module-transforms@7.27.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm @babel/helper-string-parser is 100.0% likely to have a medium risk anomaly

Notes: The analyzed code is a standard, well-structured parsing utility for JavaScript string literals and escapes (consistent with Babel’s helper-string-parser). It includes thorough validation, proper Unicode handling, and defensive error reporting. There is no evidence of malicious behavior, data leakage, or network activity within this fragment. The security risk is low when used as part of a trusted toolchain; the code otherwise poses no evident supply-chain threat based on the provided snippet.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@emotion/babel-preset-css-prop@11.12.0 → npm/@emotion/css@11.13.5 → npm/@emotion/react@11.14.0 → npm/@emotion/styled@11.14.0 → npm/@babel/preset-env@7.22.15 → npm/@babel/plugin-proposal-class-static-block@7.21.0 → npm/@babel/helper-module-transforms@7.27.1 → npm/@babel/preset-typescript@7.22.15 → npm/@babel/plugin-transform-runtime@7.18.2 → npm/@babel/plugin-transform-react-jsx@7.21.0 → npm/@babel/helper-string-parser@7.27.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helper-string-parser@7.27.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm @babel/helpers is 100.0% likely to have a medium risk anomaly

Notes: The analyzed fragment is a conventional Babel/TypeScript-style decorators runtime (applyDecs) responsible for applying decorators to class members and managing metadata and initializers. There is no evidence of malware, backdoors, or external data leakage within this module. While complex, the code behaves as a metadata-driven decorator processor and should be considered low risk when used as intended. Downstream risks depend on the decorators provided by consumers, not this utility itself.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@babel/helpers@7.27.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helpers@7.27.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm @babel/plugin-syntax-typescript is 100.0% likely to have a medium risk anomaly

Notes: The code is a standard Babel plugin fragment that configures syntax support for TypeScript by manipulating parser plugins. There is no malicious logic, no data exfiltration, and no unsafe operations. It appears to be a legitimate helper for enabling TypeScript syntax in Babel pipelines.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@babel/preset-typescript@7.22.15 → npm/@babel/plugin-syntax-typescript@7.27.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/plugin-syntax-typescript@7.27.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm @babel/runtime is 100.0% likely to have a medium risk anomaly

Notes: Selected report 1 provides a thorough evaluation of decorator-related runtime utilities and concludes low risk with potential for finishers to alter constructors if used with untrusted inputs. The improved assessment confirms normal, expected behavior for Babel decorator infrastructure and notes that the primary risk lies in the finishers channel if untrusted code is supplied. Security risk remains low to moderate depending on input provenance; malware likelihood is negligible based on the fragment.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@changesets/cli@2.27.1 → npm/@babel/runtime@7.24.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/runtime@7.24.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm @emnapi/runtime is 100.0% likely to have a medium risk anomaly

Notes: Overall, this code fragment is a standard and legitimate binding/runtime infrastructure for Node.js native addon interoperability (EMNAPI). There is no evidence of data exfiltration, remote control, backdoors, or malware behavior within this snippet. The primary security considerations relate to the complexity and correct handling of finalizers, weak references, and policy-driven warning paths; misconfiguration or misuse by host applications could introduce risk, but the code itself does not demonstrate malicious activity.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@emnapi/runtime@1.5.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/runtime@1.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm @emotion/cache is 100.0% likely to have a medium risk anomaly

Notes: The analyzed fragment is a legitimate part of Emotion’s CSS-in-JS cache that manages hydration of server-rendered styles and style insertion. It does not exhibit malicious behavior or supply chain exploits within this snippet. The security risk is low to moderate (primarily DOM manipulation, which is expected for a UI library), with no evident data leakage or external communications.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@emotion/css@11.13.5 → npm/@emotion/react@11.14.0 → npm/@emotion/cache@11.14.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emotion/cache@11.14.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm @emotion/styled is 100.0% likely to have a medium risk anomaly

Notes: Overall, this is a standard, non-malicious portion of the Emotion styling library. No evidence of backdoors, credential theft, or external network/data exfiltration. The primary risk vector is the CSS-in-DOM injection path via dangerouslySetInnerHTML, which is expected but should be reviewed in the context of trusted inputs. Security posture is low-to-moderate; no immediate danger, but maintain caution with user-supplied template literals and ensure dependencies are trusted.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@emotion/styled@11.14.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emotion/styled@11.14.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm acorn is 100.0% likely to have a medium risk anomaly

Notes: Overall, the analyzed code is a legitimate, well-structured Acorn 8.x parser fragment with robust handling for ES2020+ features. There is no direct malicious payload, backdoor, or exfiltration mechanism within this fragment. The primary security considerations relate to safe handling of untrusted input to avoid DoS via complex/pathological RegExp usage or verbose error reporting. In a typical extension usage, isolate parsing to a sandbox and limit resource usage to mitigate potential abuse.

Confidence: 1.00

Severity: 0.60

From: ? → npm/acorn@8.15.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/acorn@8.15.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm axios is 100.0% likely to have a medium risk anomaly

Notes: The code is a legitimate, self-contained throttling transformer designed for Axios-like streaming workflows. It throttles data output based on maxRate and timeWindow, preserves data integrity by splitting chunks when necessary, and emits optional progress telemetry. No malicious activity or data leakage is detected in this fragment. Security risk remains moderate due to throttling complexity and potential misconfiguration in real deployments, but the module itself does not introduce obvious security flaws.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/axios@1.7.4

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.7.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm axios is 100.0% likely to have a medium risk anomaly

Notes: The code appears to be a standard, well-scoped progress-event utility used to report progress (upload/download) to a consumer listener. It reads input from the event object and computes metrics, then forwards a structured payload to a listener. A minor data exposure risk exists due to passing the raw event object to the listener; mitigations include sanitizing the payload or removing the event object before emission. Overall security risk remains modest, with malware likelihood negligible in this isolated module.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/axios@1.7.4

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.7.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm fs-extra is 100.0% likely to have a medium risk anomaly

Notes: The code is a standard filesystem utility that ensures a file exists by creating necessary directories and then writing an empty file. There is no evidence of malicious behavior, data exfiltration, or remote activity. The unusual ENOTDIR triggering is a defensive error path, not a backdoor or covert channel. Overall risk is low; functionality is as expected for a helper library in a filesystem module.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/fs-extra@10.1.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fs-extra@10.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm semver is 100.0% likely to have a medium risk anomaly

Notes: Conclusion: The code is a standard, benign implementation of a semver range-exterior check. No malicious behavior, no data exfiltration, and no suspicious side effects are evident. It operates purely on in-memory data and relies on local modules for comparisons. Overall security risk appears low.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@changesets/cli@2.27.1 → npm/semver@7.6.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/semver@7.6.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm axios is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.json → npm/axios@1.7.7

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.7.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

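The Socket report above lists two different axios versions in the same lockfile (1.7.4 in several alerts, 1.7.7 in the obfuscation warning), each reached through a different dependency path. That is the kind of thing worth checking locally before triaging alerts with `@SocketSecurity ignore`. The script below is an added example written for this page; it is not part of the PR, of Socket's tooling, or of any package listed above. It assumes the npm lockfile format written by npm 7 and later (lockfileVersion 2 or 3, a flat `packages` map keyed by `node_modules/...` path), and it runs against a constructed sample lockfile: the two axios entries mirror the report, while `left-pad-ish` is a hypothetical package added only to show what a missing `integrity` hash and an off-registry `resolved` URL look like. Pass a real `package-lock.json` path as the first argument to audit a project.

```python
"""Audit an npm package-lock.json (lockfileVersion 2 or 3) for supply-chain red flags:
several versions of one package, entries without an integrity hash, and tarballs
resolved from somewhere other than the registries you trust."""
import json
from collections import defaultdict

TRUSTED_REGISTRIES = ("https://registry.npmjs.org/",)

# Constructed sample lockfile (not the PR's real package-lock.json). It reproduces the
# pattern visible in the Socket report: axios@1.7.4 and axios@1.7.7 both present under
# different node_modules paths. Integrity values are placeholders, not real hashes.
SAMPLE_LOCK = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "dependencies": {"axios": "^1.7.4"}},
        "node_modules/axios": {
            "version": "1.7.4",
            "resolved": "https://registry.npmjs.org/axios/-/axios-1.7.4.tgz",
            "integrity": "sha512-PLACEHOLDER_A",
        },
        "node_modules/some-sdk/node_modules/axios": {
            "version": "1.7.7",
            "resolved": "https://registry.npmjs.org/axios/-/axios-1.7.7.tgz",
            "integrity": "sha512-PLACEHOLDER_B",
        },
        "node_modules/@babel/helpers": {
            "version": "7.27.1",
            "resolved": "https://registry.npmjs.org/@babel/helpers/-/helpers-7.27.1.tgz",
            "integrity": "sha512-PLACEHOLDER_C",
        },
        # Hypothetical entry: no integrity field and an off-registry tarball URL.
        "node_modules/left-pad-ish": {
            "version": "0.0.1",
            "resolved": "https://example.invalid/left-pad-ish-0.0.1.tgz",
        },
    },
})


def package_name(path: str) -> str:
    """Derive the package name from a lockfile path: everything after the last
    'node_modules/'. This keeps scoped names such as '@babel/helpers' intact and
    resolves nested paths like 'node_modules/a/node_modules/axios' to 'axios'."""
    marker = "node_modules/"
    idx = path.rfind(marker)
    if idx < 0:
        raise ValueError(f"not a node_modules path: {path!r}")
    return path[idx + len(marker):]


def audit_lockfile(text: str, trusted=TRUSTED_REGISTRIES) -> dict:
    """Return duplicate versions, entries lacking 'integrity', and entries whose
    'resolved' URL is not under a trusted registry prefix."""
    lock = json.loads(text)
    if "packages" not in lock:
        # lockfileVersion 1 nests 'dependencies' instead; npm 7+ writes v2/v3.
        raise ValueError("lockfileVersion 1 is not supported; regenerate with npm >= 7")

    versions = defaultdict(set)
    missing_integrity = []
    off_registry = []
    for path, entry in lock["packages"].items():
        if path == "" or entry.get("link") or entry.get("inBundle"):
            continue  # root project, workspace symlinks and bundled deps have no tarball
        name = package_name(path)
        versions[name].add(entry.get("version", "?"))
        resolved = entry.get("resolved", "")
        if "integrity" not in entry:
            missing_integrity.append(path)
        if not resolved.startswith(tuple(trusted)):
            off_registry.append((path, resolved))

    return {
        "duplicates": {n: sorted(v) for n, v in sorted(versions.items()) if len(v) > 1},
        "missing_integrity": missing_integrity,
        "off_registry": off_registry,
    }


def format_report(report: dict) -> str:
    """Render the audit as one finding per line, or 'no findings'."""
    lines = []
    for name, vers in report["duplicates"].items():
        lines.append(f"DUPLICATE  {name}: {', '.join(vers)}")
    for path in report["missing_integrity"]:
        lines.append(f"NO-HASH    {path}")
    for path, url in report["off_registry"]:
        lines.append(f"OFF-REG    {path} <- {url or '(no resolved URL)'}")
    return "\n".join(lines) or "no findings"


if __name__ == "__main__":
    import sys
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOCK
    print(format_report(audit_lockfile(source)))
```

A duplicate is not itself a vulnerability, but it means two copies of the package will be reviewed (or ignored) separately, as the two axios alert groups above show; deduplicating with `npm dedupe` or an `overrides` entry narrows the attack surface to one reviewed version. A missing `integrity` field or a `resolved` URL outside the registry you trust is the finding to treat as blocking, since it removes the lockfile's tamper check for that tarball.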
