Skip to content

Add atmn npm issue tracker metadata#88

Open
hxf233 wants to merge 1 commit into
useautumn:mainfrom
hxf233:fix-atmn-npm-metadata
Open

Add atmn npm issue tracker metadata#88
hxf233 wants to merge 1 commit into
useautumn:mainfrom
hxf233:fix-atmn-npm-metadata

Conversation

@hxf233

@hxf233 hxf233 commented Jun 8, 2026

Copy link
Copy Markdown

Summary

  • Add package source metadata for the atmn workspace package.
  • Keep the existing CLI docs homepage in package metadata.
  • Add bugs.url so npm users can reach the public GitHub issue tracker.

Verification

  • Metadata smoke check from atmn/
  • npm pack --dry-run --ignore-scripts from atmn/
  • git diff --check

Summary by cubic

Add npm metadata to the atmn package to improve discoverability and support. Includes repository source (repo URL and atmn directory), sets homepage to the CLI docs, and adds bugs.url pointing to GitHub issues.

Written for commit 07636b7. Summary will update on new commits.

Review in cubic

@greptile-apps

greptile-apps Bot commented Jun 8, 2026

Copy link
Copy Markdown

PR author is not in the allowed authors list.

@vercel

vercel Bot commented Jun 8, 2026

Copy link
Copy Markdown

@hxf233 is attempting to deploy a commit to the Autumn Team on Vercel.

A member of the Team first needs to authorize it.

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 1 file

Confidence score: 5/5

  • Automated review surfaced no issues in the provided summaries.
  • No files require special attention.

Re-trigger cubic

@socket-security

Copy link
Copy Markdown

@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn Critical
Critical CVE: Official Clerk JavaScript SDKs: Middleware-based route protection bypass in npm @clerk/nextjs

CVE: GHSA-vqx2-fgx2-5wq9 Official Clerk JavaScript SDKs: Middleware-based route protection bypass (CRITICAL)

Affected versions: >= 5.0.0 < 5.7.6; >= 6.0.0-snapshot.vb87a27f < 6.39.2; >= 7.0.0 < 7.2.1

Patched version: 6.39.2

From: pnpm-lock.yamlnpm/@clerk/nextjs@6.30.1

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@clerk/nextjs@6.30.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Critical
Critical CVE: Official Clerk JavaScript SDKs: Middleware-based route protection bypass in npm @clerk/shared

CVE: GHSA-vqx2-fgx2-5wq9 Official Clerk JavaScript SDKs: Middleware-based route protection bypass (CRITICAL)

Affected versions: >= 2.20.17 < 2.22.1; >= 3.0.0-canary.v20250225091530 < 3.47.4; >= 4.0.0 < 4.8.1

Patched version: 3.47.4

From: pnpm-lock.yamlnpm/@clerk/nextjs@6.30.1npm/@clerk/shared@3.19.0

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@clerk/shared@3.19.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Critical
Critical CVE: Official Clerk JavaScript SDKs: Middleware-based route protection bypass in npm @clerk/shared

CVE: GHSA-vqx2-fgx2-5wq9 Official Clerk JavaScript SDKs: Middleware-based route protection bypass (CRITICAL)

Affected versions: >= 2.20.17 < 2.22.1; >= 3.0.0-canary.v20250225091530 < 3.47.4; >= 4.0.0 < 4.8.1

Patched version: 3.47.4

From: pnpm-lock.yamlnpm/@clerk/clerk-react@5.59.0npm/@clerk/backend@1.34.0npm/@clerk/nextjs@6.30.1npm/@clerk/react-router@1.10.2npm/@clerk/shared@3.40.0

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@clerk/shared@3.40.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Critical
Critical CVE: Official Clerk JavaScript SDKs: Middleware-based route protection bypass in npm @clerk/shared

CVE: GHSA-vqx2-fgx2-5wq9 Official Clerk JavaScript SDKs: Middleware-based route protection bypass (CRITICAL)

Affected versions: >= 2.20.17 < 2.22.1; >= 3.0.0-canary.v20250225091530 < 3.47.4; >= 4.0.0 < 4.8.1

Patched version: 3.47.4

From: pnpm-lock.yamlnpm/@clerk/express@1.7.72npm/@clerk/react-router@1.10.2npm/@clerk/shared@3.46.0

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@clerk/shared@3.46.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Critical
Critical CVE: React Router has Path Traversal in File Session Storage in npm @remix-run/node

CVE: GHSA-9583-h5hc-x8cw React Router has Path Traversal in File Session Storage (CRITICAL)

Affected versions: < 2.17.2

Patched version: 2.17.2

From: package/package.jsonnpm/@remix-run/node@2.17.0

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@remix-run/node@2.17.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm @esbuild/aix-ppc64 is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: pnpm-lock.yamlnpm/@esbuild/aix-ppc64@0.20.2

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@esbuild/aix-ppc64@0.20.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant