You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Safe-only sweep of open Dependabot security alerts. Lockfile-only changes — no package.json edits, no resolutions added. All bumps stay within existing semver ranges via yarn up -R.
Resolved
Package
Strategy
Version change
flatted
yarn up -R (transitive refresh)
3.4.1 → 3.4.2
minimatch
yarn up -R (transitive refresh)
9.0.5 → 9.0.9
picomatch
yarn up -R (transitive refresh)
4.0.3 → 4.0.4
tar (7.x instances)
yarn up -R (transitive refresh)
7.5.1 → 7.5.13
express
yarn up -R (transitive refresh)
4.21.2 → 4.22.1
body-parser
via express refresh
1.20.3 → 1.20.4
path-to-regexp
via express refresh
0.1.12 → 0.1.13
qs
via express / body-parser refresh
6.13.0 → 6.14.2
yarn install --immutable passes. The existing vite@7 peer warning from @remix-run/dev is pre-existing and unchanged by this PR.
Flagged (not changed)
These would require a breaking change (cross-major resolution or bypassing the age gate) and were left alone:
lodash → 4.18.0 — the only patched version was published 2026-03-31 and is blocked by npmMinimalAgeGate: 10080 (7 days). Will clear on its own once the gate window passes.
tar@6.2.1 (via cacache@17 ← @remix-run/dev@2.17.4) — no tar@6.x backport exists; fixing requires forcing cacache/tar across a major.
esbuild@0.17.6 / 0.19.12 / 0.21.5 (via @remix-run/dev@2.17.4 and its @vanilla-extract/integration@6 / vite@5 transitives) — pinned/capped below 0.25.0; a resolution would cross a breaking 0.x boundary. @remix-run/dev@2.17.4 is already the latest 2.x.
estree-util-value-to-estree@1.3.0 (via remark-mdx-frontmatter@1 ← @remix-run/dev@2.17.4) — first patched version is 3.3.3, a two-major jump with no 1.x backport.
All flagged items are dev-only transitives of @remix-run/dev.
Next steps: Take a moment to review the security alert above. Review
the linked package source code to understand the potential risk. Ensure the
package is not malicious before proceeding. If you're unsure how to proceed,
reach out to your security team or ask the Socket team for help at
support@socket.dev.
Suggestion: Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/path-to-regexp@0.1.13. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Safe-only sweep of open Dependabot security alerts. Lockfile-only changes — no
package.jsonedits, noresolutionsadded. All bumps stay within existing semver ranges viayarn up -R.Resolved
flattedyarn up -R(transitive refresh)minimatchyarn up -R(transitive refresh)picomatchyarn up -R(transitive refresh)tar(7.x instances)yarn up -R(transitive refresh)expressyarn up -R(transitive refresh)body-parserexpressrefreshpath-to-regexpexpressrefreshqsexpress/body-parserrefreshyarn install --immutablepasses. The existingvite@7peer warning from@remix-run/devis pre-existing and unchanged by this PR.Flagged (not changed)
These would require a breaking change (cross-major resolution or bypassing the age gate) and were left alone:
lodash→ 4.18.0 — the only patched version was published 2026-03-31 and is blocked bynpmMinimalAgeGate: 10080(7 days). Will clear on its own once the gate window passes.tar@6.2.1(viacacache@17←@remix-run/dev@2.17.4) — notar@6.xbackport exists; fixing requires forcingcacache/taracross a major.esbuild@0.17.6 / 0.19.12 / 0.21.5(via@remix-run/dev@2.17.4and its@vanilla-extract/integration@6/vite@5transitives) — pinned/capped below0.25.0; a resolution would cross a breaking0.xboundary.@remix-run/dev@2.17.4is already the latest2.x.estree-util-value-to-estree@1.3.0(viaremark-mdx-frontmatter@1←@remix-run/dev@2.17.4) — first patched version is3.3.3, a two-major jump with no1.xbackport.All flagged items are dev-only transitives of
@remix-run/dev.