Vitest 4 migration: Replaced Karma/Mocha with Vitest 4 across all packages. Tests migrated from .js to .ts; shared configs live under test/shared/ (node and browser variants: mocked, dev, prod, debug).
Shared configs: Node configs: test/shared/node.mocked.mts, node.dev.mts, node.prod.mts, node.debug.mts. Browser configs: test/shared/browsers.mocked.mts, browsers.dev.mts, browsers.prod.mts, browsers.debug.mts. Most packages point scripts directly at these; default keeps local configs that extend shared (custom testTimeout, prod METADATA URL).
web-storage: Uses shared browser configs; scripts use --project Chrome so only Chrome runs. Test uses import.meta.env for MOCKED/METADATA; random key per run when not mocked to avoid parallel collisions. Predefined key when mocked.
Coverage & behavior: --coverage added to the main test script in every package. passWithNoTests: true added to all shared browser configs so empty test dirs pass in both node and browser.
Cleanup: Removed all .nycrc.json files (coverage is Vitest-only). ESLint test file pattern simplified to **/test/**/*.{js,ts,mts} (no overlap with test/**). Added vitest to devDependencies in every package that was missing it.
Tests: OneKey test in default allows missing typeOfUser from sapphire metadata response. ed25519 tests: expect.fail replaced with expect(() => ...).toThrow() and expect(...).rejects.toThrow().
How has this been tested?
npm run test and npm run test-production at repo root (lerna runs tests for all packages).
npm test and npm run test-production in packages/default and packages/web-storage.
Lint: npm run lint at root.
Screenshots (if appropriate)
N/A — no UI changes.
Types of changes
Bug fix (non-breaking change which fixes an issue)
New feature (non-breaking change which adds functionality)
Breaking change (fix or feature that would cause existing functionality to not work as expected)
Checklist
My code follows the code style of this project. (run lint)
Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe. @SocketSecurity ignore npm/PACKAGE@VERSION
Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.
Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.
Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/nx@22.5.4. You can also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn
Potential code anomaly (AI signal): npm es-module-lexer is 100.0% likely to have a medium risk anomaly
Notes: This es-module-lexer component appears legitimate in its intended role but contains a significant risk surface: (a) an eval-based sink that can execute code derived from untrusted module input, and (b) an embedded wasm blob loaded at runtime that could be manipulated via supply chain compromise. The combination means using this parser with untrusted code or in an unsafe host environment could enable arbitrary code execution or behavior modification. The code shows no obvious exfiltration or persistence mechanisms, but the eval path is unacceptable in many security models and requires strict sandboxing or replacement with safer parsing patterns. Recommend using only trusted inputs, hardening the eval path (remove or heavily restrict), and validating the wasm blob integrity via checksums/signatures in the build/publish process.
Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.
Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.
Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/es-module-lexer@1.7.0. You can also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn
Potential code anomaly (AI signal): npm nx is 100.0% likely to have a medium risk anomaly
Notes: This file itself does not contain direct malicious payloads (no eval, no hardcoded secrets, no obfuscation). However it intentionally downloads and executes an external package (nx-mcp@latest) via the package manager's dlx mechanism and forwards user input as arguments. That design presents a clear supply-chain risk: a malicious or compromised 'nx-mcp' package (or tampered registry response) could execute arbitrary code on the host. Recommend pinning to a specific audited version, verifying package integrity, or avoiding executing unpinned remote packages automatically. Treat this as a moderate security risk due to potential supply-chain execution.
Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.
Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.
Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/nx@22.5.4. You can also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn
Potential code anomaly (AI signal): npm nx is 100.0% likely to have a medium risk anomaly
Notes: The JavaScript wrapper is a legitimate auto-generated napi-rs/WASI loader for a wasm module and does not itself contain direct malicious JS code. However it deliberately grants the loaded WASM and worker threads high privileges: it forwards the entire process.env and preopens the host filesystem root, which can expose secrets and allow extensive filesystem operations if the wasm (or resolved package) is malicious or compromised. Treat the wasm binary and package provenance as critical: verify the wasm artifact and avoid forwarding full environment or root preopens for untrusted modules.
Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.
Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.
Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/nx@22.5.4. You can also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn
Potential code anomaly (AI signal): npm source-map-js is 100.0% likely to have a medium risk anomaly
Notes: The code is a standard JS-implemented Quick Sort with caching of a generated sorter per comparator. It uses dynamic function construction but does not perform network access, file I/O, or data exfiltration. The primary risk is performance-related and potential side effects from the user-provided comparator, not malicious activity. Overall, the code shows low malicious intent and moderate security risk due to dynamic code generation and reliance on external comparator behavior.
Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.
Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.
Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/source-map-js@1.2.1. You can also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn
Potential code anomaly (AI signal): npm tar is 100.0% likely to have a medium risk anomaly
Notes: This module acts as a standard tar extraction wrapper using synchronous and asynchronous code paths. There is no evident malicious activity within this fragment. Security risk hinges on the behavior of the Unpack/UnpackSync implementation and how tar entries are written to disk (e.g., path traversal). No hardcoded secrets or network calls are present here. Recommend ensuring tar extraction handles path traversal and destination path sanitization in Unpack, and consider validating opt.file presence and type before streaming.
Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.
Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.
Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tar@7.5.8. You can also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.