Update lockfile

[renovate]

This PR contains the following updates:

Update	Change
lockFileMaintenance	All locks refreshed

🔧 This Pull Request updates lock files to use the latest dependency versions.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • Between 12:00 AM and 03:59 AM, on day 1 of the month (* 0-3 1 * *)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (4)

• packages/core/solidity/src/environments/hardhat/package-lock.json is excluded by !**/package-lock.json
• packages/core/solidity/src/environments/hardhat/polkadot/package-lock.json is excluded by !**/package-lock.json
• packages/core/solidity/src/environments/hardhat/upgradeable/package-lock.json is excluded by !**/package-lock.json
• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

• 🔍 Trigger a full review

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch renovate/lock-file-maintenance

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly Notes: The code represents a conventional, non-obfuscated part of AJV’s custom keyword support. No direct malicious actions are evident within this module. Security concerns mainly arise from the broader supply chain: the external rule implementation (dotjs/custom), the definition schema, and any user-supplied keyword definitions. The dynamic compilation path (compile(metaSchema, true)) should be exercised with trusted inputs. Recommended follow-up: review the contents of the external modules and monitor the inputs supplied to addKeyword/definitionSchema to ensure no unsafe behavior is introduced during validation or data handling. Confidence: 1.00 Severity: 0.60 From: ? → npm/eslint@9.39.4 → npm/ajv@6.15.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@6.15.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly Notes: The code augments a meta-schema to permit remote dereferencing of keyword schemas via a hardcoded data.json resource. This introduces network dependency and potential changes to validation semantics at runtime. While not inherently malicious, the remote reference constitutes a notable security and reliability risk that should be mitigated with local fallbacks, input validation, and explicit remote-resource governance. Confidence: 1.00 Severity: 0.60 From: ? → npm/eslint@9.39.4 → npm/ajv@6.15.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@6.15.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly Notes: The code is a straightforward build script to bundle and minify a specified package using Browserify and UglifyJS. The primary security concern is potential path manipulation: json.main is used to form a require path without validating that it stays within the target package directory. If a malicious or misconfigured package.json includes an absolute path or traversal outside the package, the script could bundle unintended files. Otherwise, the script does not perform network access, data exfiltration, or backdoor actions, and there is no hard-coded secrets or dynamic code execution beyond standard bundling/minification. Confidence: 1.00 Severity: 0.60 From: ? → npm/eslint@9.39.4 → npm/ajv@6.15.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@6.15.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly Notes: The code implements a standard AJV-like dynamic parser generator for JTD schemas. There are no explicit malware indicators in this fragment. The primary security concern is the dynamic code generation and execution from external schemas, which introduces a medium risk if schemas are untrusted. With trusted schemas and proper schema management, the risk is typically acceptable within this pattern. Confidence: 1.00 Severity: 0.60 From: ? → npm/@modelcontextprotocol/sdk@1.29.0 → npm/ajv@8.18.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@8.18.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly Notes: The code implements standard timestamp validation with clear logic for normal and leap years and leap seconds. There is no network, file, or execution of external code within this isolated fragment. The only anomalous aspect is assigning a string to validTimestamp.code, which could enable external tooling to inject behavior in certain environments, but this does not constitute active malicious behavior in this isolated snippet. Overall, low to moderate security risk in typical usage; no malware detected within the shown code. Confidence: 1.00 Severity: 0.60 From: ? → npm/@modelcontextprotocol/sdk@1.29.0 → npm/ajv@8.18.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@8.18.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly Notes: This module generates JavaScript code at runtime via standaloneCode(...) and then immediately executes it with require-from-string. Because the generated code can incorporate user-supplied schemas or custom keywords without sanitization or sandboxing, an attacker who controls those inputs could inject arbitrary code and achieve remote code execution in the Node process. Users should audit and lock down the standaloneCode output or replace dynamic evaluation with a safer, static bundling approach. Confidence: 1.00 Severity: 0.60 From: ? → npm/@modelcontextprotocol/sdk@1.29.0 → npm/ajv@8.18.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@8.18.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm axios is 100.0% likely to have a medium risk anomaly Notes: The code is a legitimate, self-contained throttling transformer designed for Axios-like streaming workflows. It throttles data output based on maxRate and timeWindow, preserves data integrity by splitting chunks when necessary, and emits optional progress telemetry. No malicious activity or data leakage is detected in this fragment. Security risk remains moderate due to throttling complexity and potential misconfiguration in real deployments, but the module itself does not introduce obvious security flaws. Confidence: 1.00 Severity: 0.60 From: packages/core/confidential/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/axios@1.12.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.12.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm flat-cache is 100.0% likely to have a medium risk anomaly Notes: The code implements a filesystem-backed cache with potential path traversal vulnerabilities due to unvalidated docId/cacheDir inputs that influence file paths. While not inherently malicious, the lack of input sanitization creates risk of reading/writing/deleting arbitrary files, especially in a public package context where inputs could be user-controlled. No evidence of deliberate malware or obfuscated logic is present, but the security risk due to path handling is non-trivial and should be mitigated by validating and constraining input paths, using safe defaults, and isolating cache storage. Confidence: 1.00 Severity: 0.60 From: ? → npm/eslint@9.39.4 → npm/flat-cache@4.0.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/flat-cache@4.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm hardhat is 100.0% likely to have a medium risk anomaly Notes: The code implements a subprocess-based transport to offload event sending. While this can reduce main-process dependencies, it creates a cross-process data path that exposes the serialized event via environment variables to an external subprocess. The subprocess script (not present here) becomes a critical trust boundary. Without inspecting the subprocess implementation and package contents, there is a non-trivial risk of data leakage or tampering via the external process. No explicit malware detected in this fragment, but the design warrants careful review of the subprocess code and supply chain integrity. Confidence: 1.00 Severity: 0.60 From: packages/core/confidential/package.json → npm/hardhat@2.28.6 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/hardhat@2.28.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm ignore is 100.0% likely to have a medium risk anomaly Notes: The code fragment represents a conventional, well-structured path-ignore utility with caching and recursive parent-directory evaluation. Windows path normalization is present for compatibility but does not indicate malicious intent. No indicators of data leakage, external communication, or covert backdoors were found. Security impact primarily revolves around correct ignore semantics rather than intrinsic vulnerabilities. The component remains appropriate for use in a broader security-conscious pipeline if used with careful awareness of what is being ignored. Confidence: 1.00 Severity: 0.60 From: ? → npm/typescript-eslint@8.59.0 → npm/ava@6.4.1 → npm/ignore@7.0.5 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ignore@7.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm js-yaml is 100.0% likely to have a medium risk anomaly Notes: The script functions as a straightforward JSON↔YAML translator CLI with standard error handling. The primary security concern is the use of yaml.loadAll without a safeLoad alternative, which could enable YAML deserialization risks if inputs contain crafted tags. To improve security, switch to a safe loader (e.g., yaml.safeLoadAll or equivalent) or ensure the library is configured to restrict risky constructors. Overall, no malware indicators were observed; the risk is confined to YAML deserialization semantics. Confidence: 1.00 Severity: 0.60 From: ? → npm/@changesets/cli@2.31.0 → npm/ava@6.4.1 → npm/js-yaml@3.14.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/js-yaml@3.14.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm node-fetch is 100.0% likely to have a medium risk anomaly Notes: Overall, this node-fetch fragment appears to be a standard, well-structured HTTP client with reasonable security-conscious design. No malicious logic detected within the examined scope. Typical network-client risks remain, but there is no indication of supply-chain or covert data leakage from this code fragment. Confidence: 1.00 Severity: 0.60 From: ? → npm/@changesets/changelog-github@0.5.2 → npm/node-fetch@2.7.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/node-fetch@2.7.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm openai is 100.0% likely to have a medium risk anomaly Notes: The script itself is not evidently malicious but poses a moderate-to-high supply-chain risk: it invokes npx to download and execute a GitHub-hosted tarball and passes a local migration-config.json path and the process environment to the remote code. That remote code could perform arbitrary actions, read local configuration or environment secrets, or exfiltrate data. Mitigations: avoid using tarball URLs in runtime invocations, pin to vetted packages in package.json, verify integrity (checksums/signatures), vendor the migration tool or require an explicit local installation, and avoid passing sensitive file paths or environment variables to untrusted code. Confidence: 1.00 Severity: 0.60 From: packages/ui/package.json → npm/openai@5.23.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/openai@5.23.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm readable-stream is 100.0% likely to have a medium risk anomaly Notes: The analyzed code is a standard, legitimate portion of the Node.js readable-stream implementation handling piping, flow control, and lifecycle events. There is no evidence of malicious behavior, data exfiltration, or unsafe operations within this fragment. It does not introduce backdoors or hidden communicative channels. Given the OpenVSX extension context, this fragment alone does not indicate supply chain risk. Confidence: 1.00 Severity: 0.60 From: ? → npm/jszip@3.10.1 → npm/readable-stream@2.3.8 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/readable-stream@2.3.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm resolve is 100.0% likely to have a medium risk anomaly Notes: This manifest uses a non-registry, relative-path dependency ('resolve': '../../../') which is a significant supply-chain risk because it allows arbitrary local code to be pulled in and executed without registry protections. Combined with the 'lerna bootstrap' postinstall script (which can trigger other lifecycle scripts across the monorepo), this setup increases the chance of untrusted code execution and other malicious behavior. Inspect the target of the relative path, all bootstrap-linked packages, and any lifecycle scripts before running npm install in an untrusted environment. Confidence: 1.00 Severity: 0.60 From: packages/core/confidential/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/@fhevm/hardhat-plugin@0.3.0-1 → npm/resolve@1.22.10 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/resolve@1.22.10. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm rollup-plugin-terser is 100.0% likely to have a medium risk anomaly Notes: This file is a terser wrapper that unsafely evaluates a caller-supplied string to produce options. The code itself contains no explicit exfiltration, hard-coded credentials, or network calls, and appears non-obfuscated. However, eval(optionsString) is a high-severity issue: if optionsString can be influenced by an attacker, the application can be fully compromised (RCE). Replace eval with safe parsing and validate inputs. Avoid returning mutable objects from evaluated input. Confidence: 1.00 Severity: 0.60 From: packages/ui/package.json → npm/rollup-plugin-terser@7.0.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/rollup-plugin-terser@7.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm svelte is 100.0% likely to have a medium risk anomaly Notes: The fragment implements a dynamic, on-demand loader for Svelte-like templates via require.extensions and module._compile. While functionally straightforward and common for template compilers, it relies on executing untrusted input through the compiler output and mutates a core Node mechanism (require.extensions). This yields moderate security risk if inputs or the compiler become compromised; use only trusted sources and consider modern alternatives or sandboxing. Overall, improved clarity and a cautious stance on risk for deployment. Confidence: 1.00 Severity: 0.60 From: packages/ui/package.json → npm/svelte@3.59.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/svelte@3.59.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm tailwindcss is 100.0% likely to have a medium risk anomaly Notes: The code is a targeted, low-risk utility for locating a config file referenced by a PostCSS @config at-rule. It enforces single usage, requires a quoted path, resolves relative to the source file, and ensures the file exists before returning the path or null. No malicious behavior or external data leakage is evident in this fragment, though error messages could be toned for production usage. Confidence: 1.00 Severity: 0.60 From: packages/ui/package.json → npm/tailwindcss@3.4.19 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tailwindcss@3.4.19. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm tailwindcss is 100.0% likely to have a medium risk anomaly Notes: The code appears to be a legitimate PostCSS/Tailwind nesting integration that handles Tailwind-like at-rules and converts them to standard CSS constructs for downstream processing. The dynamic plugin loading and private API usage are the primary non-ideal aspects but are documented and controlled within the plugin design. Overall, the security risk is moderate due to potential arbitrary code execution from dynamic requires if misused, but there is no evidence of data exfiltration or malicious payloads in this fragment. Confidence: 1.00 Severity: 0.60 From: packages/ui/package.json → npm/tailwindcss@3.4.19 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tailwindcss@3.4.19. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm viem is 100.0% likely to have a medium risk anomaly Notes: The code appears to be a legitimate, feature-rich Ethereum call utility with support for deployless calls and multicall scheduling. No hardcoded credentials or malicious backdoors are evident. The dynamic require in the error path (ccip.js) is a legitimate pattern for CCIP workflows but represents a dynamic dependency surface that should be monitored. Overall, the module shows standard security-risk characteristics for a blockchain-facing library, with a moderate risk due to complexity and dynamic module loading, but no direct malware indicators. Confidence: 1.00 Severity: 0.60 From: packages/core/confidential/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/viem@2.37.6 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/viem@2.37.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm zod is 100.0% likely to have a medium risk anomaly Notes: No explicit network exfiltration, reverse shell, or credential theft is present in this fragment. However, the code assembles and compiles arbitrary code via the Function constructor and invokes passed-in functions immediately (twice). That behavior constitutes a strong dangerous primitive (arbitrary code execution) which can be abused if any inputs (strings or args) are attacker-controlled. Treat this module as risky in threat models where inputs are not fully trusted; review call sites and sanitize/validate inputs or avoid dynamic evaluation. Confidence: 1.00 Severity: 0.60 From: packages/cli/package.json → npm/zod@4.3.6 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/zod@4.3.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: packages/core/confidential/src/environments/hardhat/package-lock.json

npm warn Unknown env config "store". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
npm error code ERESOLVE
npm error ERESOLVE unable to resolve dependency tree
npm error
npm error While resolving: hardhat-sample@0.0.1
npm error Found: @zama-fhe/relayer-sdk@0.3.0-5
npm error node_modules/@zama-fhe/relayer-sdk
npm error   dev @zama-fhe/relayer-sdk@"0.3.0-5" from the root project
npm error
npm error Could not resolve dependency:
npm error peer @zama-fhe/relayer-sdk@"^0.3.0-8" from @fhevm/mock-utils@0.3.0-4
npm error node_modules/@fhevm/mock-utils
npm error   peer @fhevm/mock-utils@"0.3.0-4" from @fhevm/hardhat-plugin@0.3.0-4
npm error   node_modules/@fhevm/hardhat-plugin
npm error     dev @fhevm/hardhat-plugin@"^0.3.0-1" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry this command with --force or --legacy-peer-deps to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2026-04-23T21_48_57_492Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2026-04-23T21_48_57_492Z-debug-0.log