chore(deps): bump minimatch and mocha

[dependabot]

Bumps minimatch to 3.1.5 and updates ancestor dependencies minimatch and mocha. These dependencies need to be updated together.

Updates minimatch from 3.1.2 to 3.1.5

Commits

• 7bba978 3.1.5
• bd25942 docs: add warning about ReDoS
• 1a9c27c fix partial matching of globstar patterns
• 1a2e084 3.1.4
• ae24656 update lockfile
• b100374 limit recursion for **, improve perf considerably
• 26ffeaa lockfile update
• 9eca892 lock node version to 14
• 00c323b 3.1.3
• 30486b2 update CI matrix and actions
• Additional commits viewable in compare view

Updates minimatch from 5.1.1 to 5.1.9

Commits

• 7bba978 3.1.5
• bd25942 docs: add warning about ReDoS
• 1a9c27c fix partial matching of globstar patterns
• 1a2e084 3.1.4
• ae24656 update lockfile
• b100374 limit recursion for **, improve perf considerably
• 26ffeaa lockfile update
• 9eca892 lock node version to 14
• 00c323b 3.1.3
• 30486b2 update CI matrix and actions
• Additional commits viewable in compare view

Updates mocha from 9.2.2 to 11.7.5

Release notes

Sourced from mocha's releases.

v11.7.5

11.7.5 (2025-11-04)

🩹 Fixes

• swallow more require errors from *ts files (#5498) (d89dbaf)

🧹 Chores

• run tests on PRs for and pushes to v11.x (#5525) (8b21b38)
• setup release-please for v11 (#5522) (663fff4)

v11.7.4

11.7.4 (2025-10-01)

🩹 Fixes

• watch mode using chokidar v4 (#5379) (c2667c3)

📚 Documentation

• migrate remaining legacy wiki pages to main documentation (#5465) (bff9166)

🧹 Chores

• remove trailing spaces (#5475) (7f68e5c)

v11.7.3

11.7.3 (2025-09-30)

🩹 Fixes

• use original require() error for TS files if ERR_UNKNOWN_FILE_EXTENSION (#5408) (ebdbc48)

📚 Documentation

• add security escalation policy (#5466) (4122c7d)
• fix duplicate global leak documentation (#5461) (1164b9d)
• migrate third party UIs wiki page to docs (#5434) (6654704)
• update maintainer release notes for release-please (#5453) (185ae1e)

🤖 Automation

... (truncated)

Changelog

Sourced from mocha's changelog.

11.7.5 (2025-11-04)

🩹 Fixes

• swallow more require errors from *ts files (#5498) (d89dbaf)

🧹 Chores

• run tests on PRs for and pushes to v11.x (#5525) (8b21b38)
• setup release-please for v11 (#5522) (663fff4)

11.7.4 (2025-10-01)

🩹 Fixes

• watch mode using chokidar v4 (#5379) (c2667c3)

📚 Documentation

• migrate remaining legacy wiki pages to main documentation (#5465) (bff9166)

🧹 Chores

• remove trailing spaces (#5475) (7f68e5c)

11.7.3 (2025-09-30)

🩹 Fixes

• use original require() error for TS files if ERR_UNKNOWN_FILE_EXTENSION (#5408) (ebdbc48)

📚 Documentation

• add security escalation policy (#5466) (4122c7d)
• fix duplicate global leak documentation (#5461) (1164b9d)
• migrate third party UIs wiki page to docs (#5434) (6654704)
• update maintainer release notes for release-please (#5453) (185ae1e)

🤖 Automation

• deps: bump actions/setup-node in the github-actions group (#5459) (48c6f40)

... (truncated)

Commits

• 9a6a5db chore(v11.x): release 11.7.5 (#5523)
• 8b21b38 chore: run tests on PRs for and pushes to v11.x (#5525)
• 663fff4 chore: setup release-please for v11 (#5522)
• 8d97220 Update release-please to include v11.x and use Node ^22
• d89dbaf fix: swallow more require errors from *ts files (#5498)
• 8649f39 chore(main): release 11.7.4 (#5473)
• c2667c3 fix: watch mode using chokidar v4 (#5379)
• 7f68e5c chore: remove trailing spaces (#5475)
• bff9166 Docs: migrate remaining legacy wiki pages to main documentation (#5465)
• c805327 chore(main): release 11.7.3 (#5455)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by voxpelli, a new releaser for mocha since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	mocha@​9.2.2 ⏵ 11.7.5	+2		+1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		System shell access: npm foreground-child in module child_process Module: child_process Location: Package overview From: package-lock.json → npm/mocha@11.7.5 → npm/foreground-child@3.3.1 ℹ Read more on: This package | This alert | What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/foreground-child@3.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		System shell access: npm workerpool in module child_process Module: child_process Location: Package overview From: package-lock.json → npm/mocha@11.7.5 → npm/workerpool@9.3.4 ℹ Read more on: This package | This alert | What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/workerpool@9.3.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm @pkgjs/parseargs URLs: https://github.com/nodejs/node/pull/38248, Function.prototype.call Location: Package overview From: package-lock.json → npm/mocha@11.7.5 → npm/@pkgjs/parseargs@0.11.0 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@pkgjs/parseargs@0.11.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm chokidar URLs: https://github.com/paulmillr/chokidar/blob/e1753ddbc9571bdc33b4a4af172d52cb6e611c10/lib/nodefs-handler.js#L612, https://github.com/paulmillr/chokidar/blob/e1753ddbc9571bdc33b4a4af172d52cb6e611c10/lib/nodefs-handler.js#L553 Location: Package overview From: package-lock.json → npm/mocha@11.7.5 → npm/chokidar@4.0.3 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/chokidar@4.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm diff URLs: https://www.artima.com/weblogs/viewpost.jsp?thread=164293, https://stackoverflow.com/a/60422853/1709587, https://en.wikipedia.org/wiki/Latin_script_in_Unicode, https://github.com/kpdecker/jsdiff/issues/160#issuecomment-1866099640, https://github.com/kpdecker/jsdiff/issues/180, https://github.com/kpdecker/jsdiff/issues/211 Location: Package overview From: package-lock.json → npm/mocha@11.7.5 → npm/diff@7.0.0 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/diff@7.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm foreground-child is 100.0% likely to have a medium risk anomaly Notes: The code implements a standard watchdog for child-process lifecycle management, aiming to prevent zombie processes when the parent exits. It is not inherently malicious, but reliability hinges on the correctness of the inline watchdog script and proper scoping of the PID. Potential improvements include addressing syntax reliability of the inline code, removing unnecessary no-op keepalive, and ensuring strict validation of the provided PID to mitigate accidental termination of unrelated processes. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/mocha@11.7.5 → npm/foreground-child@3.3.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/foreground-child@3.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm glob URLs: https://github.com/isaacs/node-glob/issues/570, http://npm.im/path-scurry Location: Package overview From: package-lock.json → npm/mocha@11.7.5 → npm/glob@10.5.0 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/glob@10.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm glob is 100.0% likely to have a medium risk anomaly Notes: The analyzed code is a conventional, non-malicious implementation of glob pattern expansion and directory traversal. It reads filesystem data based on user-provided patterns but does not exhibit data exfiltration, remote communications, or code execution risks within this fragment. Overall security risk is low, with standard OS-specific handling for nocase behavior. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/mocha@11.7.5 → npm/glob@10.5.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/glob@10.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Environment variable access: npm jackspeak Location: Package overview From: package-lock.json → npm/mocha@11.7.5 → npm/jackspeak@3.4.3 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/jackspeak@3.4.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm lru-cache with https://example.com/ URLs: https://example.com/ Location: Package overview From: package-lock.json → npm/mocha@11.7.5 → npm/lru-cache@10.4.3 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lru-cache@10.4.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm lru-cache is 100.0% likely to have a medium risk anomaly Notes: Selected report is improved by clarifying potential risks from consumer-provided callbacks and by explicitly noting benign in-memory behavior with TTL/size management. The code itself does not exhibit malicious activity. Primary risk derives from extensibility points (fetchMethod, memoMethod, dispose callbacks) rather than any embedded threat. Overall security risk remains moderate due to misbehavior risk in user-supplied callbacks, not due to the library code itself. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/mocha@11.7.5 → npm/lru-cache@10.4.3 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lru-cache@10.4.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Environment variable access: npm minimatch Location: Package overview From: package-lock.json → npm/mocha@11.7.5 → npm/minimatch@9.0.9 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/minimatch@9.0.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Environment variable access: npm minimatch Env Vars: MINIMATCH_TESTING_PLATFORM Location: Package overview From: package-lock.json → npm/mocha@11.7.5 → npm/minimatch@9.0.9 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/minimatch@9.0.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm mocha URLs: https://npm.im/serialize-javascript, chokidar.watch, https://nodejs.org/api/errors.html#errors_error_stacktracelimit, https://github.com/mochajs/mocha/wiki/compilers-deprecation, http://feross.org, https://bugzilla.mozilla.org/show_bug.cgi?id=695438., http://msdn.microsoft.com/en-us/library/ie/dww52sbt, https://stackoverflow.com/a/60422853/1709587, https://en.wikipedia.org/wiki/Latin_script_in_Unicode, http://stackoverflow.com/a/22747272/680742,, https://mths.be/he, https://html.spec.whatwg.org/multipage/syntax.html#table-charref-overrides, https://html.spec.whatwg.org/multipage/syntax.html#table-charref-overrides., https://mths.be/punycode., https://mathiasbynens.be/notes/javascript-encoding#surrogate-formulae, https://mths.be/notes/ambiguous-ampersands, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/toString, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Data_structures, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map#Custom_and_Null_objects, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/create#Custom_and_Null_objects, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/assign#Custom_and_Null_objects, http://stackoverflow.com/a/16459606/376773, https://github.com/facebook/react-native/pull/1632, http://stackoverflow.com/a/398120/376773, https://developer.mozilla.org/en-US/docs/Tools/Web_Console#Styling_messages, https://nodejs.org/api/process.html#process_process_emitwarning_warning_options, https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope/setTimeout#Maximum_delay_value, https://nodejs.org/api/events.html#events_class_eventemitter, https://testanything.org/tap-specification.html, https://testanything.org/tap-version-13-specification.html, https://mochajs.org/, https://ibin.co/4QuRuGjXvl36.png, https://github.com/mochajs/mocha/pull/916 Location: Package overview From: package-lock.json → npm/mocha@11.7.5 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/mocha@11.7.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm mocha is 100.0% likely to have a medium risk anomaly Notes: The code is a small, benign utility for cache invalidation in Node.js. It enables reloading behavior but bears potential risk if used on critical modules or without validation. Overall security risk is low to moderate depending on usage context. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/mocha@11.7.5 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/mocha@11.7.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm path-scurry URLs: https://nodejs.org/docs/latest/api/fs.html#class-fsdirent, path.name Location: Package overview From: package-lock.json → npm/mocha@11.7.5 → npm/path-scurry@1.11.1 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/path-scurry@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm path-scurry is 100.0% likely to have a medium risk anomaly Notes: The analyzed fragment is a filesystem traversal utility (path-scurry) intended to enumerate directories and emit entries through a streaming interface. It implements symlink resolution, optional following of symlinks, and traversal filtering. There is no indication of malicious activity such as data exfiltration, backdoors, or external communications. The code appears legitimate within its stated purpose, though care should be taken when integrating with user-provided filters to avoid unintended traversal or resource exhaustion. Overall security risk is moderate due to filesystem access permissions, but no direct security threat identified in the fragment. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/mocha@11.7.5 → npm/path-scurry@1.11.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/path-scurry@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm path-scurry with module fs Module: fs Location: Package overview From: package-lock.json → npm/mocha@11.7.5 → npm/path-scurry@1.11.1 ℹ Read more on: This package | This alert | What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/path-scurry@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm signal-exit is 100.0% likely to have a medium risk anomaly Notes: The code represents a legitimate signal-exit instrumentation module intended to provide robust exit handling and lifecycle hooks. It does not introduce executable malware or data exfiltration in this fragment. However, it significantly alters process termination behavior and could cause compatibility issues or subtle bugs if used alongside other exit-handling code in extensions. Overall, this is a non-malicious yet potentially risky integration point that should be reviewed for compatibility with other modules in the extension. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/mocha@11.7.5 → npm/signal-exit@4.1.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/signal-exit@4.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm workerpool URLs: https://nodejs.org/api/child_process.html#child_processforkmodulepath-args-options, https://html.spec.whatwg.org/multipage/workers.html#dom-worker, https://html.spec.whatwg.org/multipage/workers.html#workeroptions, https://nodejs.org/api/worker_threads.html#new-workerfilename-options, https://developer.mozilla.org/en-US/docs/Web/API/Worker/Worker Location: Package overview From: package-lock.json → npm/mocha@11.7.5 → npm/workerpool@9.3.4 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/workerpool@9.3.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Dynamic module loading: npm workerpool Location: Package overview From: package-lock.json → npm/mocha@11.7.5 → npm/workerpool@9.3.4 ℹ Read more on: This package | This alert | What is dynamic require? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid dynamic imports when possible. Audit the use of dynamic require to ensure it is not executing malicious or vulnerable code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/workerpool@9.3.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm workerpool is 100.0% likely to have a medium risk anomaly Notes: The fragment is a self-contained, non-native Promise-like utility with cancellation/timeout semantics. It shows no evidence of malware, data exfiltration, or covert backdoors within this module. The primary concern is the execution of untrusted callback code via then/catch/finally, which is expected for any Promise-based flow. The non-standard internals pose integration risks with native Promise semantics but do not constitute malicious behavior. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/mocha@11.7.5 → npm/workerpool@9.3.4 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/workerpool@9.3.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm yargs URLs: https://unpkg.com/cliui@7.0.1/index.mjs, https://unpkg.com/yargs-parser@19.0.0/browser.js, https://yargs.js.org/docs/#api-reference-version, https://github.com/yargs/yargs#supported-nodejs-versions Location: Package overview From: package-lock.json → npm/mocha@11.7.5 → npm/yargs@17.7.2 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/yargs@17.7.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report