[WIP] Add Gatsby example app for demonstration#114

Draft
Copilot wants to merge 4 commits into main from copilot/add-gatsby-example-app

Conversation

Copilot AI commented Mar 5, 2026

Thanks for assigning this issue to me. I'm starting to work on it and will keep this PR's description up to date as I form a plan and make progress.

Original prompt

This section details the original issue you should resolve

<issue_title>Add Gatsby example</issue_title>
<issue_description>See: https://github.com/arcjet/arcjet-js/tree/587cbe7268dbf35eda07068a63be5b13498acd41/examples/gatsby-rate-limit

Ref: arcjet/arcjet-js#5220
</issue_description>

<agent_instructions>Add a gatsby example app. Follow the contributing guide for how to do that (just omit installing the anchor positioning polyfill - it's baseline now)</agent_instructions>

Comments on the Issue (you are @copilot in this section)


Co-authored-by: qw-in <19194187+qw-in@users.noreply.github.com>
socket-security bot commented Mar 5, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff  | Package                      | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|-------|------------------------------|-----------------------|---------------|---------|-------------|---------|
| Added | npm/@types/react-dom@18.3.7  | 100                   | 100           | 76      | 87          | 100     |
| Added | npm/@types/react@18.3.23     | 100                   | 100           | 79      | 94          | 100     |
| Added | npm/@types/node@24.0.10      | 100                   | 100           | 81      | 96          | 100     |
| Added | npm/react@18.3.1             | 100                   | 100           | 84      | 97          | 100     |
| Added | npm/gatsby@5.15.0            | 89                    | 100           | 100     | 94          | 100     |
| Added | npm/typescript@5.8.3         | 100                   | 100           | 90      | 100         | 90      |
| Added | npm/react-dom@18.3.1         | 92                    | 100           | 92      | 98          | 100     |

View full report

socket-security bot commented Mar 5, 2026

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action | Severity | Alert
Block High
Protestware or unwanted behavior: npm es5-ext

Note: The script attempts to run a local post-install script, which could potentially contain malicious code. The error handling suggests that it is designed to fail silently, which is a common tactic in malicious scripts.

From: examples/gatsby/package-lock.json → npm/gatsby@5.15.0 → npm/es5-ext@0.10.64

ℹ Read more on: This package | This alert | What is protestware?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Consider that consuming this package may come along with functionality unrelated to its primary purpose.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/es5-ext@0.10.64. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block High
High CVE: Immutable is vulnerable to Prototype Pollution

CVE: GHSA-wf6x-7x77-mvgw Immutable is vulnerable to Prototype Pollution (HIGH)

Affected versions: < 4.3.8; >= 5.0.0 < 5.1.5

Patched version: 4.3.8

From: examples/gatsby/package-lock.json → npm/gatsby@5.15.0 → npm/immutable@3.7.6

ℹ Read more on: This package | This alert | What is a CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/immutable@3.7.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block High
Potentially malicious package (AI signal): npm promise is 60.0% likely malicious

Notes: This script is a local source transformer/obfuscator used at package build time. It performs destructive deletes of local output directories and non-deterministic renaming of member properties that start with '_' to randomized short identifiers, and then writes three transformed variants. There is no network access, no dynamic code execution, and no credential harvesting. The main concerns are intentional obfuscation (makes auditing harder) and the use of rimraf to delete directories (expected for build scripts but potentially risky if run in an unexpected context). Overall it does not contain clear malware, but it introduces supply-chain/maintenance risks through obfuscation and non-reproducibility.

Confidence: 0.60

Severity: 0.90

From: examples/gatsby/package-lock.json → npm/gatsby@5.15.0 → npm/promise@7.3.1

ℹ Read more on: This package | This alert | What is AI-detected potential malware?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Given the AI system's identification of this package as malware, extreme caution is advised. It is recommended to avoid downloading or installing this package until the threat is confirmed or flagged as a false positive.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/promise@7.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Native binaries present: npm lmdb

Location: Package overview

From: examples/gatsby/package-lock.json → npm/gatsby@5.15.0 → npm/lmdb@2.5.2

ℹ Read more on: This package | This alert | Why is native code a concern?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lmdb@2.5.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Native binaries present: npm lmdb

Location: Package overview

From: examples/gatsby/package-lock.json → npm/gatsby@5.15.0 → npm/lmdb@2.5.3

ℹ Read more on: This package | This alert | Why is native code a concern?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lmdb@2.5.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Native binaries present: npm msgpackr-extract

Location: Package overview

From: examples/gatsby/package-lock.json → npm/gatsby@5.15.0 → npm/msgpackr-extract@3.0.3

ℹ Read more on: This package | This alert | Why is native code a concern?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/msgpackr-extract@3.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Native binaries present: npm sharp

Location: Package overview

From: examples/gatsby/package-lock.json → npm/gatsby@5.15.0 → npm/sharp@0.32.6

ℹ Read more on: This package | This alert | Why is native code a concern?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/sharp@0.32.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Potential vulnerability: npm tar-stream with risk level "medium"

Location: Package overview

From: examples/gatsby/package-lock.json → npm/gatsby@5.15.0 → npm/tar-stream@2.2.0

ℹ Read more on: This package | This alert | Navigating potential vulnerabilities

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: It is advisable to proceed with caution. Engage in a review of the package's security aspects and consider reaching out to the package maintainer for the latest information or patches.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tar-stream@2.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm @parcel/runtime-js is 100.0% likely to have a medium risk anomaly

Notes: The code reads a file specified by a path derived from user input and immediately executes its contents using the Function constructor. This constitutes a high-risk dynamic code execution sink, with potential path traversal via unvalidated bundle paths and no sandboxing. While this may be legitimate in a controlled build system, as a general-purpose library it presents significant security risk and warrants strict input validation, path normalization, and safer execution strategies (e.g., static import, sandboxed evaluation, or restricted execution environment).

Confidence: 1.00

Severity: 0.60

From: examples/gatsby/package-lock.json → npm/gatsby@5.15.0 → npm/@parcel/runtime-js@2.8.3

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@parcel/runtime-js@2.8.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm @szmarczak/http-timer is 100.0% likely to have a medium risk anomaly

Notes: The instrument is a well-structured HTTP timing utility for Node.js that collects rich in-process timing data and exposes it via the request/response objects without performing external communications or data leakage. It demonstrates benign intent with careful handling of edge cases (proxies, missing dns timings) and robust lifecycle event management.

Confidence: 1.00

Severity: 0.60

From: examples/gatsby/package-lock.json → npm/gatsby@5.15.0 → npm/@szmarczak/http-timer@5.0.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@szmarczak/http-timer@5.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly

Notes: The code is a straightforward build script to bundle and minify a specified package using Browserify and UglifyJS. The primary security concern is potential path manipulation: json.main is used to form a require path without validating that it stays within the target package directory. If a malicious or misconfigured package.json includes an absolute path or traversal outside the package, the script could bundle unintended files. Otherwise, the script does not perform network access, data exfiltration, or backdoor actions, and there are no hard-coded secrets or dynamic code execution beyond standard bundling/minification.

Confidence: 1.00

Severity: 0.60

From: examples/gatsby/package-lock.json → npm/gatsby@5.15.0 → npm/ajv@6.14.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@6.14.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly

Notes: The code augments a meta-schema to permit remote dereferencing of keyword schemas via a hardcoded data.json resource. This introduces network dependency and potential changes to validation semantics at runtime. While not inherently malicious, the remote reference constitutes a notable security and reliability risk that should be mitigated with local fallbacks, input validation, and explicit remote-resource governance.

Confidence: 1.00

Severity: 0.60

From: examples/gatsby/package-lock.json → npm/gatsby@5.15.0 → npm/ajv@6.14.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@6.14.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm asap is 100.0% likely to have a medium risk anomaly

Notes: Overall, this is a standard asynchronous task scheduler (asap-like) with domain detachment support. There is no inherent malicious behavior, data exfiltration, or backdoor logic present in this fragment. The primary risk is that if an attacker can enqueue untrusted tasks, those tasks could execute arbitrary code in the host environment. Given no external inputs or hardcoded secrets, the code itself is low risk. However, the deprecated domain handling and lazy loading of the domain module should be reviewed in the broader project context for maintainability rather than security threats.

Confidence: 1.00

Severity: 0.60

From: examples/gatsby/package-lock.json → npm/gatsby@5.15.0 → npm/asap@2.0.6

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/asap@2.0.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm chalk is 100.0% likely to have a medium risk anomaly

Notes: This is a conventional Chalk-like color-styling module. It exhibits expected behavior for terminal styling, uses environment checks for compatibility, and does not demonstrate malicious activity, data leakage, or external communications. Security risk is low in isolation; the primary considerations are safe usage in environments where ANSI sequences could affect log readability or concealment, and ensuring trusted template rendering and code integrity. Overall, the component appears benign within its described scope.

Confidence: 1.00

Severity: 0.60

From: examples/gatsby/package-lock.json → npm/gatsby@5.15.0 → npm/chalk@2.4.2

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/chalk@2.4.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm chownr is 100.0% likely to have a medium risk anomaly

Notes: The code represents a standard, well-scoped recursive ownership utility with deliberate cross-version compatibility. No evidence of malicious activity, data leakage, or external communications. The main risk is the potential for broad permission changes if invoked with untrusted uid/gid values; usage should be restricted to trusted contexts.

Confidence: 1.00

Severity: 0.60

From: examples/gatsby/package-lock.json → npm/gatsby@5.15.0 → npm/chownr@1.1.4

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/chownr@1.1.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm core-js-pure is 100.0% likely to have a medium risk anomaly

Notes: The fragment implements a conventional abstract AsyncIterator polyfill pattern. It prevents direct construction, attaches type metadata, and exposes AsyncIteratorConstructor globally in a controlled manner. There are no signs of data exfiltration, external I/O, or hidden behavior. Overall security risk is low, malware likelihood is negligible in this fragment, and the code aligns with legitimate library usage (e.g., core-js style shims).

Confidence: 1.00

Severity: 0.60

From: examples/gatsby/package-lock.json → npm/gatsby@5.15.0 → npm/core-js-pure@3.48.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/core-js-pure@3.48.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm core-js is 100.0% likely to have a medium risk anomaly

Notes: The code constitutes a standards-compliant polyfill/compatibility patch for RegExp/String.prototype.replace with robust handling of named groups and replacer semantics. No evidence of malware, exfiltration, or sensitive data leakage. The risk profile is typical for polyfills in open-source libraries and is acceptable when used in trusted contexts, albeit with standard caution about using third-party dependencies in supply chains.

Confidence: 1.00

Severity: 0.60

From: examples/gatsby/package-lock.json → npm/gatsby@5.15.0 → npm/core-js@3.48.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/core-js@3.48.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm core-js is 100.0% likely to have a medium risk anomaly

Notes: The fragment implements a conventional abstract AsyncIterator polyfill pattern. It prevents direct construction, attaches type metadata, and exposes AsyncIteratorConstructor globally in a controlled manner. There are no signs of data exfiltration, external I/O, or hidden behavior. Overall security risk is low, malware likelihood is negligible in this fragment, and the code aligns with legitimate library usage (e.g., core-js style shims).

Confidence: 1.00

Severity: 0.60

From: examples/gatsby/package-lock.json → npm/gatsby@5.15.0 → npm/core-js@3.48.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/core-js@3.48.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm core-js is 100.0% likely to have a medium risk anomaly

Notes: The code implements a targeted safety polyfill for Uint8Array.prototype.setFromBase64 to support base64 decoding into typed arrays. It includes environment feature checks and uses internal decoding helpers to fill the array and report read/written counts. No malicious activity detected; the flow is confined to in-memory decoding and prototype augmentation. This appears to be a legitimate compatibility helper rather than malware.

Confidence: 1.00

Severity: 0.60

From: examples/gatsby/package-lock.json → npm/gatsby@5.15.0 → npm/core-js@3.48.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/core-js@3.48.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm date-fns is 100.0% likely to have a medium risk anomaly

Notes: The code is a small, well-scoped utility to convert quarters to whole years using standard argument validation. No malware detected. The primary concern is a likely incomplete snippet causing syntax errors; completing the module export is recommended to ensure proper functionality.

Confidence: 1.00

Severity: 0.60

From: examples/gatsby/package-lock.json → npm/gatsby@5.15.0 → npm/date-fns@2.30.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/date-fns@2.30.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm debug is 100.0% likely to have a medium risk anomaly

Notes: The analyzed code is a benign debug utility (Node.js debug library) used to format and emit colored log messages to standard error based on environment-configured namespaces. It safely handles optional dependencies and avoids dubious data flows or side effects. No evidence of malware, data exfiltration, backdoors, or supply-chain abuse is present in this fragment. Overall security risk is low.

Confidence: 1.00

Severity: 0.60

From: examples/gatsby/package-lock.json → npm/gatsby@5.15.0 → npm/debug@3.2.7

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/debug@3.2.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm enquirer is 100.0% likely to have a medium risk anomaly

Notes: The analyzed code implements a straightforward boolean prompt component with predictable data flow. It validates and casts user input to boolean values, renders the UI accordingly, and does not exhibit signs of malice or data exfiltration. Security risk remains low if used within a typical CLI prompt context; no external communications or sensitive data handling detected in this fragment.

Confidence: 1.00

Severity: 0.60

From: examples/gatsby/package-lock.json → npm/gatsby@5.15.0 → npm/enquirer@2.4.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/enquirer@2.4.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm es-abstract is 100.0% likely to have a medium risk anomaly

Notes: The analyzed code is a faithful, standard implementation of ECMAScript FlattenIntoArray with optional mapper support and depth control. No malicious activity detected within this fragment. The main risk vector is user-provided mapperFunction execution, which is a normal pattern for functional transforms and should be reviewed in the hosting environment for trust and sandboxing. Overall security posture in isolation is low to moderate, contingent on mapperFunction usage.

Confidence: 1.00

Severity: 0.60

From: examples/gatsby/package-lock.json → npm/gatsby@5.15.0 → npm/es-abstract@1.24.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/es-abstract@1.24.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

See 594 more rows in the dashboard

View full report

Copilot AI and others added 2 commits March 5, 2026 17:54
Co-authored-by: qw-in <19194187+qw-in@users.noreply.github.com>
Co-authored-by: qw-in <19194187+qw-in@users.noreply.github.com>
Development

Successfully merging this pull request may close these issues.

Add Gatsby example