@dependabot dependabot bot commented on behalf of github Jan 28, 2026

Bumps the all-dependencies group with 26 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| @amplitude/analytics-browser | 2.23.7 | 2.34.0 |
| @ledgerhq/hw-app-str | 7.2.9 | 7.4.0 |
| @ledgerhq/hw-transport-webhid | 6.30.9 | 6.31.0 |
| @next/third-parties | 15.5.7 | 16.1.6 |
| @sentry/nextjs | 10.29.0 | 10.37.0 |
| @stellar/stellar-sdk | 14.3.3 | 14.5.0 |
| @tanstack/react-query | 5.87.4 | 5.90.20 |
| @tanstack/react-query-devtools | 5.87.4 | 5.91.2 |
| @trezor/connect-web | 9.6.4 | 9.7.1 |
| dompurify | 3.2.6 | 3.3.1 |
| immer | 10.1.3 | 11.1.3 |
| lossless-json | 4.2.0 | 4.3.0 |
| next | 15.5.9 | 16.1.6 |
| uuid | 11.1.0 | 13.0.0 |
| zustand-querystring | 0.0.19 | 0.5.0 |
| @next/eslint-plugin-next | 15.5.3 | 16.1.6 |
| @playwright/test | 1.57.0 | 1.58.0 |
| @types/node | 24.3.1 | 25.1.0 |
| @types/papaparse | 5.3.16 | 5.5.2 |
| @typescript-eslint/eslint-plugin | 8.43.0 | 8.54.0 |
| eslint | 9.35.0 | 9.39.2 |
| eslint-config-next | 15.4.4 | 16.1.6 |
| eslint-plugin-react-hooks | 5.2.0 | 7.0.1 |
| lint-staged | 16.1.6 | 16.2.7 |
| prettier | 3.6.2 | 3.8.1 |
| sass | 1.92.1 | 1.97.3 |

Updates @amplitude/analytics-browser from 2.23.7 to 2.34.0

Release notes

Sourced from @​amplitude/analytics-browser's releases.

@​amplitude/analytics-browser@​2.34.0

2.34.0 (2026-01-26)

Features

  • analytics-browser: add shouldTrackSubmit for custom form validation (#1500) (1d76745)

@​amplitude/analytics-browser@​2.33.5

2.33.5 (2026-01-21)

Note: Version bump only for package @​amplitude/analytics-browser

@​amplitude/analytics-browser@​2.33.4

2.33.4 (2026-01-15)

Note: Version bump only for package @​amplitude/analytics-browser

@​amplitude/analytics-browser@​2.33.2-SR-2360.0

2.33.2-SR-2360.0 (2026-01-21)

Bug Fixes

  • deps: bump node-forge from 1.3.1 to 1.3.3 in /packages/analytics-browser/playground/react-spa (#1438) (ffacc88)
Commits
  • 6ff4832 chore(release): publish
  • de7431b chore: source map (#1506)
  • 1d76745 feat(analytics-browser): add shouldTrackSubmit for custom form validation (#1...
  • d6f4c59 feat(analytics-browser): support Error Clicks in frustration interactions (#1...
  • 9f45b6c chore(test-server): get GTM container id from .env (#1504)
  • 4f0f4e6 refactor: update window height and width functions to avoid fallback to body....
  • a51b4b5 chore(release): publish
  • d295e52 refactor: move network-observer into observers/ subdir (#1498)
  • 5800f91 refactor: add trackErrorClick helper (#1487)
  • 6c0dd48 refactor: get a browser error observable ready (#1482)
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​amplitude/analytics-browser since your current version.


Updates @ledgerhq/hw-app-str from 7.2.9 to 7.4.0

Commits

Updates @ledgerhq/hw-transport-webhid from 6.30.9 to 6.31.0

Commits
  • 647c11d Merge release into main
  • f260074 chore(release): 🚀 prepare release [skip ci]
  • 80c3d0c Merge pull request #13733 from LedgerHQ/smartling-translations-20260116094320030
  • 42ac90e File apps/ledger-live-mobile/src/locales/en/common.json was translated to es-...
  • 2c03c83 File apps/ledger-live-desktop/static/i18n/en/app.json was translated to pt-BR...
  • c9d1d26 File apps/ledger-live-desktop/static/i18n/en/app.json was translated to es-ES...
  • 4772f20 File apps/ledger-live-mobile/src/locales/en/common.json was translated to zh-...
  • 3c18ff2 File apps/ledger-live-mobile/src/locales/en/common.json was translated to de-...
  • d6191c9 File apps/ledger-live-desktop/static/i18n/en/app.json was translated to ar-AE...
  • 83e994c File apps/ledger-live-mobile/src/locales/en/common.json was translated to ja-...
  • Additional commits viewable in compare view

Updates @next/third-parties from 15.5.7 to 16.1.6

Release notes

Sourced from @​next/third-parties's releases.

v16.1.6

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • Upgrade to swc 54 (#88207)
  • implement LRU cache with invocation ID scoping for minimal mode response cache (#88509)
  • tweak LRU sentinel key (#89123)

Credits

Huge thanks to @​mischnic, @​wyattjoh, and @​ztanner for helping!

v16.1.5

Please refer to the following changelogs for more information about this security release:

https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472
https://vercel.com/changelog/summary-of-cve-2026-23864

v16.1.4

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • Only filter next config if experimental flag is enabled (#88733)

Credits

Huge thanks to @​mischnic for helping!

v16.1.3

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

  • Fix linked list bug in LRU deleteFromLru (#88652)
  • Fix relative same host redirects in node middleware (#88253)

Credits

Huge thanks to @​acdlite and @​ijjk for helping!

v16.1.2

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

... (truncated)

Commits

Updates @sentry/nextjs from 10.29.0 to 10.37.0

Release notes

Sourced from @​sentry/nextjs's releases.

10.37.0

Important Changes

  • feat(core): Introduces a new Sentry.setConversationId() API to track multi turn AI conversations across API calls. (#18909)

    You can now set a conversation ID that will be automatically applied to spans within that scope. This allows you to link traces from the same conversation together.

    import * as Sentry from '@sentry/node';
    // Set conversation ID for all subsequent spans
    Sentry.setConversationId('conv_abc123');
    // All AI spans will now include the gen_ai.conversation.id attribute
    await openai.chat.completions.create({...});

    This is particularly useful for tracking multiple AI API calls that are part of the same conversation, allowing you to analyze entire conversation flows in Sentry. The conversation ID is stored on the isolation scope and automatically applied to spans via the new conversationIdIntegration.

  • feat(tanstackstart-react): Auto-instrument global middleware in sentryTanstackStart Vite plugin (#18844)

    The sentryTanstackStart Vite plugin now automatically instruments requestMiddleware and functionMiddleware arrays in createStart(). This captures performance data without requiring manual wrapping.

    Auto-instrumentation is enabled by default. To disable it:

    // vite.config.ts
    sentryTanstackStart({
      authToken: process.env.SENTRY_AUTH_TOKEN,
      org: 'your-org',
      project: 'your-project',
      autoInstrumentMiddleware: false,
    });

Other Changes

  • feat(core): simplify truncation logic to only keep the newest message (#18906)
  • feat(core): Support new client discard reason invalid (#18901)
  • feat(deps): Bump OpenTelemetry instrumentations (#18934)
  • feat(nextjs): Update default ignore list for sourcemaps (#18938)
  • feat(node): pass prisma instrumentation options through (#18900)
  • feat(nuxt): Don't run source maps related code on Nuxt "prepare" (#18936)
  • feat(replay): Update client report discard reason for invalid sessions (#18796)
  • feat(winston): Add customLevelMap for winston transport (#18922)
  • feat(react-router): Add support for React Router instrumentation API (#18580)
  • fix(astro): Do not show warnings for valid options (#18947)
  • fix(core): Report well known values in gen_ai.operation.name attribute (#18925)
  • fix(node-core): ignore vercel AbortError by default on unhandled rejection (#18973)

... (truncated)

Commits
  • 8aec947 release: 10.37.0
  • c60ca61 meta(changelog): Update changelog for 10.37.0 (#18984)
  • 429ac16 meta(changelog): Update changelog for 10.37.0
  • 11f38a7 feat(winston): Add customLevelMap for winston transport (#18922)
  • 93a91cc test(prisma): Move to yarn prisma (#18975)
  • b0add63 ref(core): Set system message as separate attribute (#18978)
  • 9a2b6a4 chore: Add external contributor to CHANGELOG.md (#18977)
  • cf738e7 deps: Bump version of sentry-bundler-plugins (#18972)
  • 693ca47 test(nextjs): Added nextjs CF workers test app (#18928)
  • 75f0e20 feat(react-router): Add support for React Router instrumentation API (#18580)
  • Additional commits viewable in compare view

Updates @stellar/stellar-sdk from 14.3.3 to 14.5.0

Release notes

Sourced from @​stellar/stellar-sdk's releases.

v14.5.0

Added

  • Introduced CLI functionality for generating smart contract bindings (#1287).
  • Added BindingGeneration class for parsing contract specs into fully typed TypeScript libraries for calling contract methods (#1287).
  • Introduced rpc.Server.fundAddress that supports funding contract and account addresses via Friendbot (#1314).
  • Updated the StellarToml interface with SEP 45 fields WEB_AUTH_FOR_CONTRACTS_ENDPOINT and WEB_AUTH_CONTRACT_ID (#1326).

Fixed

  • X-App-Name and X-App-Version headers are now included when using CallBuilder.stream() (#1317).
  • CallBuilder now correctly uses the configured server URL for all requests, including pagination and linked resources. Previously, URLs returned by Horizon in _links would bypass reverse proxies (#1318).

Deprecated

  • rpc.Server.requestAirdrop is deprecated in favor of rpc.Server.fundAddress (#1314).

Contributors

@​ElliotFriend, @​leighmcculloch, @​Ryang-21, @​wpalmeri made their first contribution in stellar/js-stellar-sdk#1321, and @​joaquinsoza made their first contribution in stellar/js-stellar-sdk#1314

Full Changelog: stellar/js-stellar-sdk@v14.4.3...v14.5.0

v14.4.3

Fixed

  • Upgraded underlying @stellar/stellar-base library to include its fixes (release notes).

v14.4.2

Fixed

  • Fixed package installation for Windows environments (#1306)

Full Changelog: stellar/js-stellar-sdk@v14.4.1...v14.4.2

v14.4.1

Fixed

  • Set Api.GetEventsRequest.endLedger to be optional to align with RPC behavior (#1304)
  • Added back Typepoint and marked it deprecated in favor of Timepoint (#1303)

Contributors

Full Changelog: stellar/js-stellar-sdk@v14.4.0...v14.4.1

v14.4.0

... (truncated)

Changelog

Sourced from @​stellar/stellar-sdk's changelog.

v14.5.0

Added

  • Introduced CLI functionality for generating smart contract bindings (#1287).
  • Added BindingGeneration class for parsing contract specs into fully typed TypeScript libraries for calling contract methods (#1287).
  • Introduced rpc.Server.fundAddress that supports funding contract and account addresses via Friendbot (#1314).
  • Updated the StellarToml interface with SEP 45 fields WEB_AUTH_FOR_CONTRACTS_ENDPOINT and WEB_AUTH_CONTRACT_ID (#1326).

Fixed

  • X-App-Name and X-App-Version headers are now included when using CallBuilder.stream() (#1317).
  • CallBuilder now correctly uses the configured server URL for all requests, including pagination and linked resources. Previously, URLs returned by Horizon in _links would bypass reverse proxies (#1318).

Deprecated

  • rpc.Server.requestAirdrop is deprecated in favor of rpc.Server.fundAddress (#1314).

v14.4.3

Fixed

  • Upgraded underlying @stellar/stellar-base library to include its fixes (release notes).

v14.4.2

Fixed

  • Fixed package installation for Windows environments (#1306)

v14.4.1

Fixed

  • Set Api.GetEventsRequest.endLedger to be optional to align with RPC behavior (#1304)
  • Added back Typepoint and marked it deprecated in favor of Timepoint (#1303)

v14.4.0

Added

  • Introduced an rpc.Server.getAssetBalance() helper to fetch asset balances both for contracts and accounts (#1286).
  • rpc.Api.BalanceResponse now can include a revocable field in its balanceEntry for when trustlines are fetched (#1286).
  • Added Timepoint and Duration support to Spec (#1288)
  • Api.GetHealthResponse interface now includes latestLedger, ledgerRetentionWindow, and oldestLedger fields (#1297).
  • Added publicKey, signTransaction, and signAuthEntry as optional fields to contract.MethodOptions (#1293).

Fixed

  • Api.RawEventResponse.topics is now optional to reflect topicless events (#1292).
  • parseRawEvents correctly checks if Api.RawEventResponse.topics is undefined (#1292).
  • Remove WebAssembly usage in favor of manual wasm parsing (#1300).
  • Fixed URL contamination in Horizon.Server methods (#1296).
Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​stellar/stellar-sdk since your current version.


Updates @tanstack/react-query from 5.87.4 to 5.90.20

Release notes

Sourced from @​tanstack/react-query's releases.

@​tanstack/react-query-persist-client@​5.90.20

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-persist-client-core@​5.91.17
    • @​tanstack/react-query@​5.90.18

@​tanstack/react-query@​5.90.20

Patch Changes

  • Updated dependencies [e7258c5]:
    • @​tanstack/query-core@​5.90.20

@​tanstack/react-query-persist-client@​5.90.19

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-persist-client-core@​5.91.16
    • @​tanstack/react-query@​5.90.17

@​tanstack/react-query@​5.90.19

Patch Changes

  • Updated dependencies [53fc74e]:
    • @​tanstack/query-core@​5.90.19

@​tanstack/react-query-persist-client@​5.90.18

Patch Changes

  • Updated dependencies [4be3ad7]:
    • @​tanstack/react-query@​5.90.16
    • @​tanstack/query-persist-client-core@​5.91.15

@​tanstack/react-query@​5.90.18

Patch Changes

  • Updated dependencies [dea1614]:
    • @​tanstack/query-core@​5.90.18

@​tanstack/react-query-persist-client@​5.90.17

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-persist-client-core@​5.91.14
    • @​tanstack/react-query@​5.90.15

@​tanstack/react-query@​5.90.17

Patch Changes

... (truncated)

Changelog

Sourced from @​tanstack/react-query's changelog.

5.90.20

Patch Changes

  • Updated dependencies [e7258c5]:
    • @​tanstack/query-core@​5.90.20

5.90.19

Patch Changes

  • Updated dependencies [53fc74e]:
    • @​tanstack/query-core@​5.90.19

5.90.18

Patch Changes

  • Updated dependencies [dea1614]:
    • @​tanstack/query-core@​5.90.18

5.90.17

Patch Changes

  • Updated dependencies [269351b]:
    • @​tanstack/query-core@​5.90.17

5.90.16

Patch Changes

  • fix(react-query): allow retryOnMount when throwOnError is function (#9338)

  • Updated dependencies [7f47906]:

    • @​tanstack/query-core@​5.90.16

5.90.15

Patch Changes

  • Updated dependencies [fccef79]:
    • @​tanstack/query-core@​5.90.15

5.90.14

Patch Changes

  • Updated dependencies [d576092]:
    • @​tanstack/query-core@​5.90.14

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​tanstack/react-query since your current version.


Updates @tanstack/react-query-devtools from 5.87.4 to 5.91.2

Changelog

Sourced from @​tanstack/react-query-devtools's changelog.

5.91.2

Patch Changes

5.91.1

Patch Changes

  • Updated dependencies [b261b6f]:
    • @​tanstack/query-devtools@​5.91.1

5.91.0

Minor Changes

  • feat(devtools): allow passing a theme via prop (#9887)

Patch Changes

  • Updated dependencies [0e9d5b5]:
    • @​tanstack/query-devtools@​5.91.0
Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​tanstack/react-query-devtools since your current version.


Updates @trezor/connect-web from 9.6.4 to 9.7.1

Release notes

Sourced from @​trezor/connect-web's releases.

v25.12.2@mobile

Trezor Suite 25.12.2 for Android is now available also on: https://data.trezor.io/suite/releases/mobile/v25.12.2

🎨 Improvements

  • We’ve added language support for Japanese, German, and Portuguese in the Trezor Suite app.
  • Firmware installation is now allowed on USB-connected devices even when battery level is below 40%.
  • Firmware language of Trezor device can be changed directly from the Trezor Suite app.

v25.11.4@mobile

Trezor Suite 25.11.4 for Android is now available also on: https://data.trezor.io/suite/releases/mobile/v25.11.4

🔧 Bug fixes

  • Fix handling of passphrase with special characters.

v25.11.3@mobile

Trezor Suite 25.11.3 for Android is now available also on: https://data.trezor.io/suite/releases/mobile/v25.11.3

🚀 New features

  • Passphrase protection is now disabled by default during onboarding and can be activated at any time in the passphrase settings for greater user control.
  • A new Tropic chip authenticity check has been introduced, providing an additional layer of device verification.

🎨 Improvements

  • Passphrase wallet visibility has been optimized—when passphrase protection is disabled, Passphrase wallets are no longer shown in the wallet switcher, reducing interface clutter.

🔧 Bug fixes

  • Minor issues have been resolved, and overall usability has been enhanced to deliver a more stable and consistent experience.

v25.10.4@mobile

Trezor Suite 25.10.4 for Android is now available also on: https://data.trezor.io/suite/releases/mobile/v25.10.4

🔧 Bug fixes

  • Fixed amount rounding of fees, and decimal pad for custom fee.

v25.10.2@mobile

Trezor Suite 25.10.2 for Android is now available also on: https://data.trezor.io/suite/releases/mobile/v25.10.2

🚀 New features

  • Trezor Suite welcomes our newest family member - Trezor Safe 7.

v25.10.1@mobile

Trezor Suite 25.10.1 for Android is now available also on: https://data.trezor.io/suite/releases/mobile/v25.10.1

🚀 New features

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​trezor/connect-web since your current version.


Updates dompurify from 3.2.6 to 3.3.1

Release notes

Sourced from dompurify's releases.

DOMPurify 3.3.1

  • Updated ADD_FORBID_CONTENTS setting to extend default list, thanks @​MariusRumpf
  • Updated the ESM import syntax to be more correct, thanks @​binhpv

DOMPurify 3.3.0

  • Added the SVG mask-type attribute to default allow-list, thanks @​prasadrajandran
  • Added support for ADD_ATTR and ADD_TAGS to accept functions, thanks @​nelstrom
  • Fixed an issue with the slot element being in both SVG and HTML allow-list, thanks @​Wim-Valgaeren

DOMPurify 3.2.7

  • Added new attributes and elements to default allow-list, thanks @​elrion018
  • Added tagName parameter to custom element attributeNameCheck, thanks @​nelstrom
  • Added better check for animated href attributes, thanks @​llamakko
  • Updated and improved the bundled types, thanks @​ssi02014
  • Updated several tests to better align with new browser encoding behaviors
  • Improved the handling of potentially risky content inside CDATA elements, thanks @​securityMB & @​terjanq
  • Improved the regular expression for raw-text elements to cover textareas, thanks @​securityMB & @​terjanq
Commits
  • 6fc446a Merge pull request #1175 from cure53/main
  • 3b3bf91 Merge branch 'main' of github.com:cure53/DOMPurify
  • 9863f41 chore: Preparing 3.3.1 release
  • b4e0295 chore: Preparing 3.3.0 release
  • 077746b build(deps-dev): bump js-yaml from 4.1.0 to 4.1.1 (#1170)
  • 4de68bb build(deps): bump actions/checkout from 5 to 6 (#1171)
  • 4c76b6f Use correct ESM import syntax (#1173)
  • 27e8496 Merge pull request #1168 from MariusRumpf/add-forbid-contents
  • a920096 Add ADD_FORBID_CONTENTS setting to extend default list
  • ac64660 Merge pull request #1163 from cure53/dependabot/github_actions/actions/setup-...
  • Additional commits viewable in compare view

Updates immer from 10.1.3 to 11.1.3

Release notes

Sourced from immer's releases.

v11.1.3

11.1.3 (2025-12-29)

Bug Fixes

v11.1.2

11.1.2 (2025-12-29)

Bug Fixes

  • bogus commit to retest release (c329ddb)

v11.1.0

11.1.0 (2025-12-20)

This feature release adds a new optional "array method overrides" plugin that significantly speeds up array methods when accessing drafts.

Changelog

Performance Improvements

As part of the recent performance optimization work, our benchmarks showed that all Proxy-based immutable update libraries were drastically slower than vanilla JS when calling both mutating and non-mutating array methods. After investigation, it turns out that an array method like arr.filter() causes the Proxy's get trap to trigger for every single item in the array. This in turn forces creation of a new Proxy and internal Immer metadata for every item, even though this was just a read operation and no items were being updated.

This release adds a new enableArrayMethods plugin that will override draft array methods to bypass the draft and directly operate on the underlying wrapped array instance. This significantly speeds up array operations.

When enabled, the plugin overrides these array methods:

  • Mutating: push, pop, shift, unshift, splice, reverse, sort
  • Non-mutating: filter, slice, concat, flat, find, findIndex, findLast, findLastIndex, some, every, indexOf, lastIndexOf, includes, join, toString, toLocaleString

Our benchmarks show that the overridden methods (plus the other perf changes in Immer 10.2 and 11.0) are 50-80% faster than the baseline behavior of Immer 10.1.

The plugin adds about 1.5-2K minified to Immer's bundle size.

It's important to note that the plugin does change the "safe to mutate a draft" semantics of Immer. Any of these methods that receives an array item as a callback argument will not automatically wrap that item in a Proxy! That means that if you try to mutate an argument in a method such as filter, it will actually mutate the real underlying object, which will cause bugs in your app. This is an intentional design tradeoff. Semantically, all of these methods imply read-only access to array values, so if your code tries to mutate an array item in a callback, that is a bug in your code.

Note that this does not override map, flatMap, forEach, or reduce / reduceRight. Those methods do imply either side effects and potential mutations, or returning arbitrary values. Given that, we determined it was both safest and simplest to keep their behavior as-is.

See the Array Methods Plugin docs page for further deta...

Description has been truncated

@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jan 28, 2026
Copilot AI review requested due to automatic review settings January 28, 2026 19:39
@github-project-automation github-project-automation bot moved this to Backlog (Not Ready) in DevX Jan 28, 2026
Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

socket-security bot commented Jan 28, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
License policy violation: npm @ethereumjs/rlp under MPL-2.0

Location: Package overview

From: pnpm-lock.yaml → npm/@trezor/connect-web@9.7.1 → npm/@creit.tech/stellar-wallets-kit@1.9.5 → npm/@trezor/connect-plugin-stellar@9.2.3 → npm/@ethereumjs/rlp@10.1.1

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ethereumjs/rlp@10.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @ethereumjs/tx under MPL-2.0

Location: Package overview

From: pnpm-lock.yaml → npm/@trezor/connect-web@9.7.1 → npm/@creit.tech/stellar-wallets-kit@1.9.5 → npm/@trezor/connect-plugin-stellar@9.2.3 → npm/@ethereumjs/tx@10.1.1

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ethereumjs/tx@10.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @ethereumjs/util under MPL-2.0

Location: Package overview

From: pnpm-lock.yaml → npm/@trezor/connect-web@9.7.1 → npm/@creit.tech/stellar-wallets-kit@1.9.5 → npm/@trezor/connect-plugin-stellar@9.2.3 → npm/@ethereumjs/util@10.1.1

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ethereumjs/util@10.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @sentry/babel-plugin-component-annotate under BSD-3-Clause AND MIT

Location: Package overview

From: pnpm-lock.yaml → npm/@sentry/nextjs@10.38.0 → npm/@sentry/babel-plugin-component-annotate@4.8.0

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/babel-plugin-component-annotate@4.8.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @sentry/bundler-plugin-core under BSD-3-Clause AND MIT

Location: Package overview

From: pnpm-lock.yaml → npm/@sentry/nextjs@10.38.0 → npm/@sentry/bundler-plugin-core@4.8.0

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/bundler-plugin-core@4.8.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @sentry/cli under LicenseRef-FSL-1.1-MIT

License: LicenseRef-FSL-1.1-MIT - the applicable license policy does not allow this license (4) (package/LICENSE)

From: pnpm-lock.yaml → npm/@sentry/nextjs@10.38.0 → npm/@sentry/cli@2.58.4

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/cli@2.58.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @sentry/webpack-plugin under BSD-3-Clause AND MIT

Location: Package overview

From: pnpm-lock.yaml → npm/@sentry/nextjs@10.38.0 → npm/@sentry/webpack-plugin@4.8.0

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/webpack-plugin@4.8.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @stellar/stellar-sdk

Location: Package overview

From: pnpm-lock.yaml → npm/@trezor/connect-web@9.7.1 → npm/@creit.tech/stellar-wallets-kit@1.9.5 → npm/@trezor/connect-plugin-stellar@9.2.3 → npm/@stellar/stellar-sdk@14.2.0

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@stellar/stellar-sdk@14.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @stellar/stellar-sdk

Location: Package overview

From: package.json → npm/@stellar/stellar-sdk@14.5.0

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@stellar/stellar-sdk@14.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @trezor/blockchain-link under LicenseRef-T-RSL

License: LicenseRef-T-RSL - the applicable license policy does not allow this license (4) (package/LICENSE.md)

From: pnpm-lock.yaml → npm/@trezor/connect-web@9.7.1 → npm/@creit.tech/stellar-wallets-kit@1.9.5 → npm/@trezor/connect-plugin-stellar@9.2.3 → npm/@trezor/blockchain-link@2.6.1

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/blockchain-link@2.6.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @trezor/connect-common under LicenseRef-T-RSL

License: LicenseRef-T-RSL - the applicable license policy does not allow this license (4) (package/LICENSE.md)

From: pnpm-lock.yaml → npm/@trezor/connect-web@9.7.1 → npm/@creit.tech/stellar-wallets-kit@1.9.5 → npm/@trezor/connect-plugin-stellar@9.2.3 → npm/@trezor/connect-common@0.5.0

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/connect-common@0.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @trezor/connect-web under LicenseRef-T-RSL

License: LicenseRef-T-RSL - the applicable license policy does not allow this license (4) (package/LICENSE.md)

From: package.json → npm/@trezor/connect-web@9.7.1

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/connect-web@9.7.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @trezor/connect under LicenseRef-T-RSL

License: LicenseRef-T-RSL - the applicable license policy does not allow this license (4) (package/LICENSE.md)

From: pnpm-lock.yaml → npm/@trezor/connect-web@9.7.1 → npm/@creit.tech/stellar-wallets-kit@1.9.5 → npm/@trezor/connect-plugin-stellar@9.2.3 → npm/@trezor/connect@9.7.1

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/connect@9.7.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @trezor/transport under LicenseRef-T-RSL

License: LicenseRef-T-RSL - the applicable license policy does not allow this license (4) (package/LICENSE.md)

From: pnpm-lock.yaml → npm/@trezor/connect-web@9.7.1 → npm/@creit.tech/stellar-wallets-kit@1.9.5 → npm/@trezor/connect-plugin-stellar@9.2.3 → npm/@trezor/transport@1.6.1

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/transport@1.6.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @trezor/utils under LicenseRef-T-RSL

License: LicenseRef-T-RSL - the applicable license policy does not allow this license (4) (package/LICENSE.md)

From: pnpm-lock.yaml → npm/@trezor/connect-web@9.7.1 → npm/@creit.tech/stellar-wallets-kit@1.9.5 → npm/@trezor/connect-plugin-stellar@9.2.3 → npm/@trezor/utils@9.5.0

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/utils@9.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @trezor/utxo-lib under LicenseRef-T-RSL

License: LicenseRef-T-RSL - the applicable license policy does not allow this license (4) (package/LICENSE.md)

From: pnpm-lock.yaml → npm/@trezor/connect-web@9.7.1 → npm/@creit.tech/stellar-wallets-kit@1.9.5 → npm/@trezor/connect-plugin-stellar@9.2.3 → npm/@trezor/utxo-lib@2.5.0

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/utxo-lib@2.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm axe-core under MIT AND MPL-2.0

Location: Package overview

From: pnpm-lock.yaml → npm/eslint-config-next@16.1.6 → npm/axe-core@4.11.1

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axe-core@4.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm esquery under BSD-3-Clause

Location: Package overview

From: pnpm-lock.yaml → npm/eslint@9.39.2 → npm/esquery@1.7.0

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/esquery@1.7.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm next under CC-BY-SA-4.0

License: CC-BY-SA-4.0 - the applicable license policy does not allow this license (4) (package/dist/compiled/glob/LICENSE)

From: package.json → npm/next@16.1.6

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/next@16.1.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm playwright under CC-BY-4.0

License: CC-BY-4.0 - the applicable license policy does not allow this license (4) (package/ThirdPartyNotices.txt)

From: pnpm-lock.yaml → npm/@playwright/test@1.58.1 → npm/playwright@1.58.1

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/playwright@1.58.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm sass

Location: Package overview

From: package.json → npm/sass@1.97.3

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/sass@1.97.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm ua-parser-js under AGPL-3.0-or-later

License: AGPL-3.0-or-later - the applicable license policy does not allow this license (4) (package/package.json)

License: AGPL-3.0-or-later - the applicable license policy does not allow this license (4) (npm metadata)

License: AGPL-3.0-or-later - the applicable license policy does not allow this license (4) (package/LICENSE.md)

From: pnpm-lock.yaml → npm/@trezor/connect-web@9.7.1 → npm/@creit.tech/stellar-wallets-kit@1.9.5 → npm/@trezor/connect-plugin-stellar@9.2.3 → npm/ua-parser-js@2.0.8

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ua-parser-js@2.0.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm usb under GPL-1.0-only

License: GPL-1.0-only - the applicable license policy does not allow this license (4) (package/libusb/examples/ezusb.h)

License: GPL-1.0-only - the applicable license policy does not allow this license (4) (package/libusb/examples/ezusb.c)

License: GPL-1.0-only - the applicable license policy does not allow this license (4) (package/libusb/examples/fxload.c)

From: pnpm-lock.yaml → npm/@trezor/connect-web@9.7.1 → npm/@creit.tech/stellar-wallets-kit@1.9.5 → npm/@trezor/connect-plugin-stellar@9.2.3 → npm/usb@2.17.0

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/usb@2.17.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/all-dependencies-03b962922e branch from 4a09452 to 7288180 Compare January 28, 2026 23:45
Bumps the all-dependencies group with 26 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@amplitude/analytics-browser](https://github.com/amplitude/Amplitude-TypeScript) | `2.23.7` | `2.34.0` |
| [@ledgerhq/hw-app-str](https://github.com/LedgerHQ/ledger-live) | `7.2.9` | `7.4.0` |
| [@ledgerhq/hw-transport-webhid](https://github.com/LedgerHQ/ledger-live) | `6.30.9` | `6.31.0` |
| [@next/third-parties](https://github.com/vercel/next.js/tree/HEAD/packages/third-parties) | `15.5.7` | `16.1.6` |
| [@sentry/nextjs](https://github.com/getsentry/sentry-javascript) | `10.29.0` | `10.37.0` |
| [@stellar/stellar-sdk](https://github.com/stellar/js-stellar-sdk) | `14.3.3` | `14.5.0` |
| [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query) | `5.87.4` | `5.90.20` |
| [@tanstack/react-query-devtools](https://github.com/TanStack/query/tree/HEAD/packages/react-query-devtools) | `5.87.4` | `5.91.2` |
| [@trezor/connect-web](https://github.com/trezor/trezor-suite) | `9.6.4` | `9.7.1` |
| [dompurify](https://github.com/cure53/DOMPurify) | `3.2.6` | `3.3.1` |
| [immer](https://github.com/immerjs/immer) | `10.1.3` | `11.1.3` |
| [lossless-json](https://github.com/josdejong/lossless-json) | `4.2.0` | `4.3.0` |
| [next](https://github.com/vercel/next.js) | `15.5.9` | `16.1.6` |
| [uuid](https://github.com/uuidjs/uuid) | `11.1.0` | `13.0.0` |
| [zustand-querystring](https://github.com/nitedani/zustand-querystring) | `0.0.19` | `0.5.0` |
| [@next/eslint-plugin-next](https://github.com/vercel/next.js/tree/HEAD/packages/eslint-plugin-next) | `15.5.3` | `16.1.6` |
| [@playwright/test](https://github.com/microsoft/playwright) | `1.57.0` | `1.58.0` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `24.3.1` | `25.1.0` |
| [@types/papaparse](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/papaparse) | `5.3.16` | `5.5.2` |
| [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) | `8.43.0` | `8.54.0` |
| [eslint](https://github.com/eslint/eslint) | `9.35.0` | `9.39.2` |
| [eslint-config-next](https://github.com/vercel/next.js/tree/HEAD/packages/eslint-config-next) | `15.4.4` | `16.1.6` |
| [eslint-plugin-react-hooks](https://github.com/facebook/react/tree/HEAD/packages/eslint-plugin-react-hooks) | `5.2.0` | `7.0.1` |
| [lint-staged](https://github.com/lint-staged/lint-staged) | `16.1.6` | `16.2.7` |
| [prettier](https://github.com/prettier/prettier) | `3.6.2` | `3.8.1` |
| [sass](https://github.com/sass/dart-sass) | `1.92.1` | `1.97.3` |



Updates `@amplitude/analytics-browser` from 2.23.7 to 2.34.0
- [Release notes](https://github.com/amplitude/Amplitude-TypeScript/releases)
- [Commits](https://github.com/amplitude/Amplitude-TypeScript/compare/@amplitude/analytics-browser@2.23.7...@amplitude/analytics-browser@2.34.0)

Updates `@ledgerhq/hw-app-str` from 7.2.9 to 7.4.0
- [Release notes](https://github.com/LedgerHQ/ledger-live/releases)
- [Commits](https://github.com/LedgerHQ/ledger-live/commits/@ledgerhq/hw-app-str@7.4.0)

Updates `@ledgerhq/hw-transport-webhid` from 6.30.9 to 6.31.0
- [Release notes](https://github.com/LedgerHQ/ledger-live/releases)
- [Commits](https://github.com/LedgerHQ/ledger-live/compare/@ledgerhq/hw-transport-http@6.30.9...@ledgerhq/hw-transport-webhid@6.31.0)

Updates `@next/third-parties` from 15.5.7 to 16.1.6
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](https://github.com/vercel/next.js/commits/v16.1.6/packages/third-parties)

Updates `@sentry/nextjs` from 10.29.0 to 10.37.0
- [Release notes](https://github.com/getsentry/sentry-javascript/releases)
- [Changelog](https://github.com/getsentry/sentry-javascript/blob/develop/CHANGELOG.md)
- [Commits](getsentry/sentry-javascript@10.29.0...10.37.0)

Updates `@stellar/stellar-sdk` from 14.3.3 to 14.5.0
- [Release notes](https://github.com/stellar/js-stellar-sdk/releases)
- [Changelog](https://github.com/stellar/js-stellar-sdk/blob/master/CHANGELOG.md)
- [Commits](stellar/js-stellar-sdk@v14.3.3...v14.5.0)

Updates `@tanstack/react-query` from 5.87.4 to 5.90.20
- [Release notes](https://github.com/TanStack/query/releases)
- [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query/CHANGELOG.md)
- [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query@5.90.20/packages/react-query)

Updates `@tanstack/react-query-devtools` from 5.87.4 to 5.91.2
- [Release notes](https://github.com/TanStack/query/releases)
- [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query-devtools/CHANGELOG.md)
- [Commits](https://github.com/TanStack/query/commits/@tanstack/react-query-devtools@5.91.2/packages/react-query-devtools)

Updates `@trezor/connect-web` from 9.6.4 to 9.7.1
- [Release notes](https://github.com/trezor/trezor-suite/releases)
- [Commits](https://github.com/trezor/trezor-suite/commits)

Updates `dompurify` from 3.2.6 to 3.3.1
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.2.6...3.3.1)

Updates `immer` from 10.1.3 to 11.1.3
- [Release notes](https://github.com/immerjs/immer/releases)
- [Commits](immerjs/immer@v10.1.3...v11.1.3)

Updates `lossless-json` from 4.2.0 to 4.3.0
- [Changelog](https://github.com/josdejong/lossless-json/blob/main/CHANGELOG.md)
- [Commits](josdejong/lossless-json@v4.2.0...v4.3.0)

Updates `next` from 15.5.9 to 16.1.6
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v15.5.9...v16.1.6)

Updates `uuid` from 11.1.0 to 13.0.0
- [Release notes](https://github.com/uuidjs/uuid/releases)
- [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md)
- [Commits](uuidjs/uuid@v11.1.0...v13.0.0)

Updates `zustand-querystring` from 0.0.19 to 0.5.0
- [Release notes](https://github.com/nitedani/zustand-querystring/releases)
- [Commits](nitedani/zustand-querystring@v0.0.19...v0.5.0)

Updates `@next/eslint-plugin-next` from 15.5.3 to 16.1.6
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](https://github.com/vercel/next.js/commits/v16.1.6/packages/eslint-plugin-next)

Updates `@playwright/test` from 1.57.0 to 1.58.0
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](microsoft/playwright@v1.57.0...v1.58.0)

Updates `@types/node` from 24.3.1 to 25.1.0
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `@types/papaparse` from 5.3.16 to 5.5.2
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/papaparse)

Updates `@typescript-eslint/eslint-plugin` from 8.43.0 to 8.54.0
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.54.0/packages/eslint-plugin)

Updates `eslint` from 9.35.0 to 9.39.2
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](eslint/eslint@v9.35.0...v9.39.2)

Updates `eslint-config-next` from 15.4.4 to 16.1.6
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](https://github.com/vercel/next.js/commits/v16.1.6/packages/eslint-config-next)

Updates `eslint-plugin-react-hooks` from 5.2.0 to 7.0.1
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/packages/eslint-plugin-react-hooks/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/HEAD/packages/eslint-plugin-react-hooks)

Updates `lint-staged` from 16.1.6 to 16.2.7
- [Release notes](https://github.com/lint-staged/lint-staged/releases)
- [Changelog](https://github.com/lint-staged/lint-staged/blob/main/CHANGELOG.md)
- [Commits](lint-staged/lint-staged@v16.1.6...v16.2.7)

Updates `prettier` from 3.6.2 to 3.8.1
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](prettier/prettier@3.6.2...3.8.1)

Updates `sass` from 1.92.1 to 1.97.3
- [Release notes](https://github.com/sass/dart-sass/releases)
- [Changelog](https://github.com/sass/dart-sass/blob/main/CHANGELOG.md)
- [Commits](sass/dart-sass@1.92.1...1.97.3)

---
updated-dependencies:
- dependency-name: "@amplitude/analytics-browser"
  dependency-version: 2.34.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@ledgerhq/hw-app-str"
  dependency-version: 7.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@ledgerhq/hw-transport-webhid"
  dependency-version: 6.31.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@next/third-parties"
  dependency-version: 16.1.6
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: "@sentry/nextjs"
  dependency-version: 10.37.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@stellar/stellar-sdk"
  dependency-version: 14.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@tanstack/react-query"
  dependency-version: 5.90.20
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@tanstack/react-query-devtools"
  dependency-version: 5.91.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@trezor/connect-web"
  dependency-version: 9.7.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: dompurify
  dependency-version: 3.3.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: immer
  dependency-version: 11.1.3
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: lossless-json
  dependency-version: 4.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: next
  dependency-version: 16.1.6
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: uuid
  dependency-version: 13.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: zustand-querystring
  dependency-version: 0.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@next/eslint-plugin-next"
  dependency-version: 16.1.6
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: "@playwright/test"
  dependency-version: 1.58.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@types/node"
  dependency-version: 25.1.0
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: "@types/papaparse"
  dependency-version: 5.5.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-version: 8.54.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: eslint
  dependency-version: 9.39.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: eslint-config-next
  dependency-version: 16.1.6
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: eslint-plugin-react-hooks
  dependency-version: 7.0.1
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: lint-staged
  dependency-version: 16.2.7
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: prettier
  dependency-version: 3.8.1
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: sass
  dependency-version: 1.97.3
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/all-dependencies-03b962922e branch from 7288180 to 01dcafa on February 1, 2026 14:33

Labels

dependencies: Pull requests that update a dependency file
javascript: Pull requests that update Javascript code

Projects

Status: Backlog (Not Ready)
