Update dependency eslint-plugin-unicorn to v62

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
eslint-plugin-unicorn	^61.0.0 -> ^62.0.0

---

Release Notes

sindresorhus/eslint-plugin-unicorn (eslint-plugin-unicorn)

v62.0.0

Compare Source

New rules

• no-immediate-mutation (#​2787) e1c7d2e
• no-useless-collection-argument (#​2777) 2d07c9a
• prefer-response-static-json (#​2778) ffe5943

Improvements

• text-encoding-identifier-case: Add withDash option (#​2780) 9025386
• no-useless-undefined: Check one undefined at a time (#​2792) 27f7509
• prefer-single-call: Check optional chaining (#​2788) 8a132ac
• text-encoding-identifier-case: Enforce 'utf-8' in form[acceptCharset] and TextDecoder (#​2785) 46b3974
• prefer-node-protocol: Handle TypeScript import types (#​2774) 13a37a0
• no-array-for-each: Ignore forEach for Effect library (#​2783) 2ef6f83
• prefer-string-raw: Ignore more places that requires a string (#​2776) 43bc429
• prefer-string-raw: Add support for template literals (#​2691) 52723a2
• prefer-global-this: Add navigation to windowSpecificAPIs (#​2770) 0c93998
• prefer-code-point: Report cases where String.fromCharCode is not called directly (#​2766) 1d682a1
• no-useless-spread: Safely remove empty array and object (#​2764) 7aeabab

Fixes

• consistent-function-scoping: Fix inconsistent behavior (#​2748) a546444

---

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

The eslint-plugin-unicorn devDependency version constraint was updated from ^61.0.0 to ^62.0.0 in package.json. This allows the package manager to install compatible versions within the 62.x release series.

Changes

Cohort / File(s)	Summary
Dependency version update package.json	Updated eslint-plugin-unicorn devDependency from ^61.0.0 to ^62.0.0

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~1 minute

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The PR title "Update dependency eslint-plugin-unicorn to v62" directly and accurately reflects the primary change in the changeset, which updates the eslint-plugin-unicorn devDependency from ^61.0.0 to ^62.0.0. The title is concise, specific, and clearly communicates the main objective of the PR in a way that would be easily understood by someone reviewing the commit history.
Description check	✅ Passed	The description provides detailed information about the dependency update, including release notes, changelog items, and migration details.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		High CVE: Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default in npm @modelcontextprotocol/sdk CVE: GHSA-w48q-cv73-mx4w Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default (HIGH) Affected versions: < 1.24.0 Patched version: 1.24.0 From: packages/mcp/package.json → npm/@modelcontextprotocol/sdk@1.17.3 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@modelcontextprotocol/sdk@1.17.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @humanwhocodes/retry is 100.0% likely to have a medium risk anomaly Notes: The Retrier class implements a conventional, well-scoped retry mechanism with abort support and backoff-like scheduling. There is no evidence of malicious behavior, data exfiltration, or backdoors in this fragment. The primary security considerations relate to the trustworthiness of the host-provided function (fn) and the external timing constants that govern bail/retry behavior. Overall risk is moderate due to the possibility of executing arbitrary host code, but this is expected for a retry utility; no external communications or data leakage are evident here. Confidence: 1.00 Severity: 0.60 From: ? → npm/eslint@9.33.0 → npm/@humanwhocodes/retry@0.3.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@humanwhocodes/retry@0.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly Notes: The code represents a conventional, non-obfuscated part of AJV’s custom keyword support. No direct malicious actions are evident within this module. Security concerns mainly arise from the broader supply chain: the external rule implementation (dotjs/custom), the definition schema, and any user-supplied keyword definitions. The dynamic compilation path (compile(metaSchema, true)) should be exercised with trusted inputs. Recommended follow-up: review the contents of the external modules and monitor the inputs supplied to addKeyword/definitionSchema to ensure no unsafe behavior is introduced during validation or data handling. Confidence: 1.00 Severity: 0.60 From: ? → npm/eslint@9.33.0 → npm/@modelcontextprotocol/sdk@1.17.3 → npm/ajv@6.12.6 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@6.12.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm consola is 100.0% likely to have a medium risk anomaly Notes: The analyzed code fragment is a feature-rich, standard Consola logging utility responsible for redirecting and managing log output with throttling, pausing, and reporter integration. There is no direct evidence of malicious activity, hardcoded secrets, or exfiltration within this snippet. However, the powerful I/O overrides pose privacy and data flow risks if reporters or downstream sinks are untrusted. The security posture hinges on trusted reporters and proper governance of the overall supply chain. Confidence: 1.00 Severity: 0.60 From: ? → npm/ava@6.4.1 → npm/consola@3.4.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/consola@3.4.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm css-tree is 100.0% likely to have a medium risk anomaly Notes: The code is a standard, well-scoped parser fragment for a DSL-like FeatureFunction construct. It uses dynamic feature dispatch with proper balance checks and safe fallbacks, and emits a consistent AST node. No malicious behavior detected; the main risks relate to misconfiguration of the features map rather than code-level exploits. Confidence: 1.00 Severity: 0.60 From: ? → npm/rollup-plugin-styles@4.0.0 → npm/css-tree@3.1.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/css-tree@3.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm detect-libc is 100.0% likely to have a medium risk anomaly Notes: The code represents a robust, multi-source libc detection utility for Linux, prioritizing filesystem data, then runtime reports, and finally command-based inference. It shows no malicious behavior and aligns with expected patterns for environment introspection. The main improvement areas are strengthening error visibility and handling edge cases where outputs differ from standard expectations. Confidence: 1.00 Severity: 0.60 From: ? → npm/ava@6.4.1 → npm/detect-libc@2.0.4 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/detect-libc@2.0.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm ignore is 100.0% likely to have a medium risk anomaly Notes: The code fragment represents a conventional, well-structured path-ignore utility with caching and recursive parent-directory evaluation. Windows path normalization is present for compatibility but does not indicate malicious intent. No indicators of data leakage, external communication, or covert backdoors were found. Security impact primarily revolves around correct ignore semantics rather than intrinsic vulnerabilities. The component remains appropriate for use in a broader security-conscious pipeline if used with careful awareness of what is being ignored. Confidence: 1.00 Severity: 0.60 From: ? → npm/ava@6.4.1 → npm/ignore@7.0.5 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ignore@7.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm object-hash is 100.0% likely to have a medium risk anomaly Notes: Conclusion: The code appears to be a standard, open-source-like object hashing/serialization utility with streaming capabilities. No active malicious behavior detected within this fragment. Minor issues (typos, blob handling edge-case, and potential performance considerations for large inputs) should be addressed to reduce risk in supply-chain contexts. Overall security risk remains moderate and workload/usage controls should govern integration. Confidence: 1.00 Severity: 0.60 From: ? → npm/tailwindcss@3.4.18 → npm/object-hash@3.0.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/object-hash@3.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm openai is 100.0% likely to have a medium risk anomaly Notes: The script itself is not evidently malicious but poses a moderate-to-high supply-chain risk: it invokes npx to download and execute a GitHub-hosted tarball and passes a local migration-config.json path and the process environment to the remote code. That remote code could perform arbitrary actions, read local configuration or environment secrets, or exfiltrate data. Mitigations: avoid using tarball URLs in runtime invocations, pin to vetted packages in package.json, verify integrity (checksums/signatures), vendor the migration tool or require an explicit local installation, and avoid passing sensitive file paths or environment variables to untrusted code. Confidence: 1.00 Severity: 0.60 From: packages/ui/package.json → npm/openai@5.23.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/openai@5.23.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm prettier is 100.0% likely to have a medium risk anomaly Notes: No definitive malware detected in this fragment. The main security concern is supply-chain risk from dynamically loading plugins from potentially untrusted sources. To mitigate, enforce strict plugin provenance, disable remote plugin loading, verify plugin integrity, and apply least-privilege execution for plugins. Confidence: 1.00 Severity: 0.60 From: package.json → npm/prettier@3.6.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/prettier@3.6.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm proxy-addr is 100.0% likely to have a medium risk anomaly Notes: The code is a standard, well-scoped IP trust utility (proxy-addr) with no evidence of malicious behavior. It reads IPs from request headers, validates and normalizes them, and applies a trust policy to determine the client address. No backdoors, exfiltration, or dangerous operations are present. The security posture appears acceptable for its intended purpose when used as a dependency in an Open Source project. Confidence: 1.00 Severity: 0.60 From: ? → npm/@modelcontextprotocol/sdk@1.17.3 → npm/proxy-addr@2.0.7 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/proxy-addr@2.0.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm resolve is 100.0% likely to have a medium risk anomaly Notes: This manifest uses a non-registry, relative-path dependency ('resolve': '../../../') which is a significant supply-chain risk because it allows arbitrary local code to be pulled in and executed without registry protections. Combined with the 'lerna bootstrap' postinstall script (which can trigger other lifecycle scripts across the monorepo), this setup increases the chance of untrusted code execution and other malicious behavior. Inspect the target of the relative path, all bootstrap-linked packages, and any lifecycle scripts before running npm install in an untrusted environment. Confidence: 1.00 Severity: 0.60 From: ? → npm/rollup-plugin-styles@4.0.0 → npm/@rollup/plugin-typescript@12.1.4 → npm/tailwindcss@3.4.18 → npm/@rollup/plugin-node-resolve@16.0.3 → npm/resolve@1.22.10 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/resolve@1.22.10. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm rimraf is 100.0% likely to have a medium risk anomaly Notes: The rimraf module analyzed appears to be a conventional, dependable recursive deletion utility with thoughtful cross-platform safeguards and backoff strategies. There is no evidence of malicious activity, data leakage, or backdoors. The primary risk is accidental or intentional destructive file system changes if misused; treat as legitimate utility with appropriate access controls. Confidence: 1.00 Severity: 0.60 From: ? → npm/svelte-preprocess@5.1.4 → npm/rimraf@2.7.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/rimraf@2.7.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm rollup-plugin-terser is 100.0% likely to have a medium risk anomaly Notes: This file is a terser wrapper that unsafely evaluates a caller-supplied string to produce options. The code itself contains no explicit exfiltration, hard-coded credentials, or network calls, and appears non-obfuscated. However, eval(optionsString) is a high-severity issue: if optionsString can be influenced by an attacker, the application can be fully compromised (RCE). Replace eval with safe parsing and validate inputs. Avoid returning mutable objects from evaluated input. Confidence: 1.00 Severity: 0.60 From: packages/ui/package.json → npm/rollup-plugin-terser@7.0.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/rollup-plugin-terser@7.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm rxjs is 100.0% likely to have a medium risk anomaly Notes: The code is a conventional, well-scoped implementation of an RxJS-like concat operator. No malicious behavior, data exfiltration, or suspicious I/O detected in this fragment. Security risk is low; malware likelihood is negligible for this isolated operator function. Confidence: 1.00 Severity: 0.60 From: ? → npm/concurrently@9.2.0 → npm/rxjs@7.8.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/rxjs@7.8.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm synckit is 100.0% likely to have a medium risk anomaly Notes: The code is a sophisticated, legitimate utility for managing worker threads with various TypeScript runtimes and global shims. It does not exhibit explicit malicious behavior, hardcoded secrets, or standard malware patterns. The main security considerations relate to the safe handling of workerPath/globalShims inputs and ensuring that only trusted, validated worker code is executed in worker contexts. Overall risk is moderate due to the dynamic nature of code loading, but the fragment itself is a standard, non-malicious utility module. Confidence: 1.00 Severity: 0.60 From: ? → npm/eslint-plugin-prettier@5.5.4 → npm/synckit@0.11.11 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/synckit@0.11.11. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm terser is 100.0% likely to have a medium risk anomaly Notes: Conclusion: The fragment is a benign static list of DOM/Web API identifiers used for tooling purposes (e.g., property enumeration, whitelist checks, or code generation). There is no evidence of malicious behavior, data exfiltration, or backdoors within this fragment alone. Overall security risk is low for this isolated piece; assessment should consider how the list is used in the broader codebase. Confidence: 1.00 Severity: 0.60 From: ? → npm/rollup-plugin-terser@7.0.2 → npm/terser@5.43.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/terser@5.43.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm zod is 100.0% likely to have a medium risk anomaly Notes: No explicit network exfiltration, reverse shell, or credential theft is present in this fragment. However, the code assembles and compiles arbitrary code via the Function constructor and invokes passed-in functions immediately (twice). That behavior constitutes a strong dangerous primitive (arbitrary code execution) which can be abused if any inputs (strings or args) are attacker-controlled. Treat this module as risky in threat models where inputs are not fully trusted; review call sites and sanitize/validate inputs or avoid dynamic evaluation. Confidence: 1.00 Severity: 0.60 From: ? → npm/@modelcontextprotocol/sdk@1.17.3 → npm/zod@3.25.76 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/zod@3.25.76. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3d34a00 and 1fbdd51.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (1)

• package.json (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (12)

• GitHub Check: boostsecurity - boostsecurityio/semgrep-pro
• GitHub Check: build (stylus, default)
• GitHub Check: build (solidity, default)
• GitHub Check: build (stellar, default)
• GitHub Check: build (cairo, default)
• GitHub Check: build (stellar, compile)
• GitHub Check: ui
• GitHub Check: mcp
• GitHub Check: format-lint
• GitHub Check: check
• GitHub Check: deno-check
• GitHub Check: semgrep-cloud-platform/scan

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify eslint-plugin-unicorn v62 breaking changes and config compatibility.

This is a major version bump (v61 → v62) for a linter plugin. Major version updates often introduce breaking changes, rule removals, or behavioral changes that may require eslint configuration updates or could cause lint failures.

Please verify:

1. Whether v62.0.0 introduces breaking changes (check the release notes)
2. Whether any eslint configuration updates are needed in .eslintrc files or linter configs
3. Whether the lint script (eslint) will pass without errors with v62.0.0

If breaking changes exist, ensure that related configuration changes have been applied to the repository before merging.

---

🌐 Web query:

What are the breaking changes in eslint-plugin-unicorn v62.0.0 compared to v61?

💡 Result:

I couldn't find any release notes or a published v62.0.0 for eslint-plugin-unicorn. The official repo (sindresorhus/eslint-plugin-unicorn) and release listings don't show a v62 tag/releases, and the latest changelog I located is for v60.0.0. [1][2]

If you have a specific release URL or tag for v62 (or want me to keep searching other sources), share it and I’ll fetch the breaking changes and summarize them.

Sources:

• eslint-plugin-unicorn GitHub repo. [1]
• v60.0.0 changelog listing. [2]

---

🏁 Script executed:

#!/bin/bash
# Check the actual package.json content for eslint-plugin-unicorn version
cat package.json | grep -A2 -B2 "eslint-plugin-unicorn"

Length of output: 186

---

🏁 Script executed:

#!/bin/bash
# Query npm registry for eslint-plugin-unicorn versions (check latest and v62 specifically)
curl -s https://registry.npmjs.org/eslint-plugin-unicorn | jq '.versions | keys | sort | .[-10:]'

Length of output: 114

---

🏁 Script executed:

#!/bin/bash
# Check npm registry for v62 specifically
curl -s https://registry.npmjs.org/eslint-plugin-unicorn/62.0.0 | jq 'if .error then "Version not found" else .version end'

Length of output: 8

---

---

🏁 Script executed:

```shell
#!/bin/bash
# Find eslint configuration files in the repository
fd -t f -e json -e js -e yml -e yaml -e mjs -e cjs -g '*eslintrc*' .

Length of output: 0

---

🏁 Script executed:

#!/bin/bash
# Also check for common eslint config locations
find . -maxdepth 2 -type f \( -name ".eslintrc*" -o -name "eslint.config.*" \) 2>/dev/null

Length of output: 19

---

🌐 Web query:

eslint-plugin-unicorn v62.0.0 changelog breaking changes

💡 Result:

There is no published eslint-plugin-unicorn v62.0.0 release. The latest published release series on npm/GitHub is v61 (most-recent tags show v61.x in Sep 2025), and npm's package page lists v60/v59 as recent stable releases. See the release list and npm info. [1][2]

Sources:

• Release list for eslint-plugin-unicorn (shows up through v61.x). [1]
• npm package page for eslint-plugin-unicorn (latest published versions). [2]

---

🏁 Script executed:

#!/bin/bash
# Check npm package metadata for v62.0.0 to see if it's a pre-release
curl -s https://registry.npmjs.org/eslint-plugin-unicorn/62.0.0 | jq '{version, dist_tags: .["dist-tags"], prerelease: (.version | contains("-")), published: .time["62.0.0"]}'

Length of output: 90

---

🏁 Script executed:

#!/bin/bash
# Check eslint.config.mjs to see which rules are configured
cat eslint.config.mjs

Length of output: 1348

---

Revert eslint-plugin-unicorn to stable v61 release; v62.0.0 is unreleased.

The version v62.0.0 exists on npm but is marked as unreleased (null published timestamp, no dist tags, not listed on GitHub releases). While the config imports eslint-plugin-unicorn, it doesn't explicitly enable any unicorn rules—so breaking changes wouldn't immediately break linting—using an unreleased, undocumented version introduces unnecessary stability risk.

Revert to the latest stable version: "eslint-plugin-unicorn": "^61.0.2"

🤖 Prompt for AI Agents

In package.json around line 37, the dependency "eslint-plugin-unicorn":
"^62.0.0" references an unreleased/unstable npm version; change it back to the
latest stable release by replacing the version string with "^61.0.2" so the
project uses the documented stable unicorn plugin; update package-lock/yarn.lock
by running the appropriate install command afterwards to ensure the lockfile
reflects the reverted version.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​openzeppelin/​uniswap-hooks@​1.2.1
	rollup-plugin-terser@​7.0.2
	@​changesets/​changelog-github@​0.5.1
	typescript-eslint@​8.39.1
	highlightjs-cairo@​0.4.0
	@​types/​semver@​7.7.0
	@​types/​semver@​7.7.1
	path-browserify@​1.0.1
	file-saver@​2.0.5
	solidity-ast@​0.4.60
	sirv-cli@​3.0.1
	@​modelcontextprotocol/​sdk@​1.17.3
	@​types/​file-saver@​2.0.7
	@​types/​resize-observer-browser@​0.1.11
	jszip@​3.10.1
	tippy.js@​6.3.7
	rollup-plugin-livereload@​2.0.5
	rollup-plugin-styles@​4.0.0
	@​types/​node@​22.7.5 ⏵ 20.19.21	+1		+1	-1
	@​types/​node@​22.7.5 ⏵ 20.19.10	+1		+1	-1
	postcss-load-config@​6.0.1
	@​uniswap/​v4-core@​1.0.2
	@​uniswap/​v4-periphery@​1.0.3
	postcss@​8.5.6
	concurrently@​9.2.0
	svelte-preprocess@​5.1.4
	ethereum-cryptography@​1.2.0 ⏵ 3.2.0	+1		+1
	highlightjs-solidity@​2.0.6
	ava@​6.4.1
	@​rollup/​plugin-json@​6.1.0
	highlight.js@​11.11.1
	util@​0.12.5
	rollup-plugin-svelte@​7.2.3
See 25 more rows in the dashboard

View full report