
Bump postcss from 8.5.12 to 8.5.14#709

Merged
github-actions[bot] merged 1 commit into Current from dependabot/npm_and_yarn/postcss-8.5.14
May 5, 2026

Conversation

@dependabot
Contributor

@dependabot dependabot Bot commented on behalf of github May 5, 2026

Bumps postcss from 8.5.12 to 8.5.14.

Release notes

Sourced from postcss's releases.

8.5.14

8.5.13

  • Fixed postcss-scss comment regression.
Changelog

Sourced from postcss's changelog.

8.5.14

8.5.13

  • Fixed postcss-scss comment regression.
Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels May 5, 2026
@github-actions github-actions Bot requested a review from NikolaRHristov May 5, 2026 01:23
@socket-security

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action  Severity  Alert
Block Medium
Trivial package: npm at-least-node has 5 lines of code

Location: Package overview

From: npm/astrojs-service-worker@2.0.0 → npm/at-least-node@1.0.0

ℹ Read more on: This package | This alert | What are trivial packages?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Removing this package as a dependency and implementing its logic will reduce supply chain risk.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/at-least-node@1.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Dynamic code execution: npm ejs

Eval Type: Function

Location: Package overview

From: npm/astrojs-service-worker@2.0.0 → npm/ejs@3.1.10

ℹ Read more on: This package | This alert | What is dynamic code execution?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ejs@3.1.10. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Deprecated by its maintainer: npm inflight

Reason: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.

From: npm/astrojs-service-worker@2.0.0 → npm/inflight@1.0.6

ℹ Read more on: This package | This alert | What is a deprecated package?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/inflight@1.0.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm jake in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: npm/astrojs-service-worker@2.0.0 → npm/jake@10.9.4

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/jake@10.9.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
System shell access: npm jake in module child_process

Module: child_process

Location: Package overview

From: npm/astrojs-service-worker@2.0.0 → npm/jake@10.9.4

ℹ Read more on: This package | This alert | What is shell access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/jake@10.9.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
System shell access: npm jest-worker in module child_process

Module: child_process

Location: Package overview

From: npm/astrojs-service-worker@2.0.0 → npm/jest-worker@26.6.2

ℹ Read more on: This package | This alert | What is shell access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/jest-worker@26.6.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Dynamic code execution: npm lodash.debounce

Eval Type: Function

Location: Package overview

From: npm/astrojs-service-worker@2.0.0 → npm/lodash.debounce@4.0.8

ℹ Read more on: This package | This alert | What is dynamic code execution?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lodash.debounce@4.0.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Deprecated by its maintainer: npm sourcemap-codec

Reason: Please use @jridgewell/sourcemap-codec instead

From: npm/astrojs-service-worker@2.0.0 → npm/sourcemap-codec@1.4.8

ℹ Read more on: This package | This alert | What is a deprecated package?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/sourcemap-codec@1.4.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Debug access: npm @babel/helper-define-polyfill-provider in module module

Module: module

Location: Package overview

From: npm/astrojs-service-worker@2.0.0 → npm/@babel/helper-define-polyfill-provider@0.6.8

ℹ Read more on: This package | This alert | What is debug access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Removing the use of debug will reduce the risk of any reflection and dynamic code execution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helper-define-polyfill-provider@0.6.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Dynamic module loading: npm @babel/helper-define-polyfill-provider

Location: Package overview

From: npm/astrojs-service-worker@2.0.0 → npm/@babel/helper-define-polyfill-provider@0.6.8

ℹ Read more on: This package | This alert | What is dynamic require?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid dynamic imports when possible. Audit the use of dynamic require to ensure it is not executing malicious or vulnerable code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helper-define-polyfill-provider@0.6.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Embedded URLs or IPs: npm async

URLs: example.com, https://en.wikipedia.org/wiki/Topological_sorting#Kahn.27s_algorithm, http://connalle.blogspot.com/2013/10/topological-sortingkahn-algorithm.html, https://en.wikipedia.org/wiki/Doubly_linked_list, https://server.net/, http://www.ecma-international.org/ecma-262/5.1/#sec-8.6, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/async_function

Location: Package overview

From: npm/astrojs-service-worker@2.0.0 → npm/async@3.2.6

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/async@3.2.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Unmaintained: npm at-least-node was last published 6 years ago

Last Publish: 2/1/2020, 10:11:36 PM

From: npm/astrojs-service-worker@2.0.0 → npm/at-least-node@1.0.0

ℹ Read more on: This package | This alert | What are unmaintained packages?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Package should publish periodic maintenance releases if they are maintained, or deprecate if they have no intention in further maintenance.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/at-least-node@1.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Filesystem access: npm ejs with module fs

Module: fs

Location: Package overview

From: npm/astrojs-service-worker@2.0.0 → npm/ejs@3.1.10

ℹ Read more on: This package | This alert | What is filesystem access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ejs@3.1.10. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Embedded URLs or IPs: npm ejs

URLs: https://github.com/RyanZim/EJS-Lint, api.ejs.co, README.md, http://fleegix.org, git://github.com/mde/ejs.git, https://github.com/mde/ejs/issues, https://github.com/mde/ejs

Location: Package overview

From: npm/astrojs-service-worker@2.0.0 → npm/ejs@3.1.10

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ejs@3.1.10. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Embedded URLs or IPs: npm fast-uri

URLs: https://datatracker.ietf.org/doc/html/rfc3986#section-5.2.4, http://example.com/a%2Fb/public/%2e%2e/admin, http://example.com/public/%2e%2e/admin, http://example.com/public/%2E%2E/admin, http://example.com/a%2Fb, http://example.com/admin, http://example.com/a/b, www.g.com/, www.g.com/adf%0Agf, www.g.com/error%0A/, 10.10.000.10, https://datatracker.ietf.org/doc/html/rfc5954#section-4.1, gary.court@gmail.com, example.com:123/one/two.three?q1=a1&q2=a2#body, example.com, 10.10.10.10, 129.144.52.38, uri://10.10.10.10.example.com/en/process, 10.10.10.10.example.com, example.com:1/path?query#fragment, uri://example.com:9000, uri://www.example.org/red%09ros, uri://www.example.org/red%09ros%C3%A9#red, 192.068.001.000, 192.68.1.0, http://example.org/~user, http://example.org/%7euser, xE9.example.org, uri://xn--rsum-bpad.example.org, uri://www.example.org/D%C3%BCrst, uri://www.example.org/D, uri://www.example.org/D%FCrst, uri://xn--99zt52a.example.org/%e2%80%ae, uri://xn--99zt52a.example.org/%E2%80%AE, http://abc.com:80/~smith/home.html, http://abc.com/~smith/home.html, http://ABC.com/%7Esmith/home.html, http://ABC.com:/%7esmith/home.html, HTTP://ABC.COM, http://abc.com/, http://example.com:/, http://example.com:80/, https://example.com, https://example.com:443/, https://example.com:/, example.com?subject=current-issue, example.com?body=send%20current-issue, example.com?body=send%20current-issue%0D%0Asend%20index, example.org?In-Reply-To=%3C3469A91.D10AF4C@example.com%3E, example.org, example.com?body=subscribe%20bamboo-l, example.com?cc=bob@example.com&body=hello, example.com?cc=bob@example.com?body=hello, example.com?blat=foop, example.org?subject=caf%C3%A9, example.org?subject=%3D%3Futf-8%3FQ%3Fcaf%3DC3%3DA9%3F%3D, example.org?subject=%3D%3Fiso-8859-1%3FQ%3Fcaf%3DE9%3F%3D, example.org?subject=caf%C3%A9&body=caf%C3%A9, 86.example.org?subject=Test&body=NATTO, xn--99zt52a.example.org, example.com?body=current-issue, ws://example.com, ws://example.com/foo, ws://example.com/foo?bar, wss://example.com, wss://example.com/foo?bar, wss://example.com/foo, http://example.com/, http://example.com/foo, http://example.com/foo/, abc.com, WS://ABC.COM:80/chat#one, ws://abc.com/chat, WSS://ABC.COM:443/chat#one, wss://abc.com/chat, mple.com, https://example.com/foo#bar, example.com:123, 01.01.01.01

Location: Package overview

From: npm/astrojs-service-worker@2.0.0 → npm/fast-uri@3.1.1

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fast-uri@3.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Embedded URLs or IPs: npm filelist with README.md

URLs: README.md

Location: Package overview

From: npm/astrojs-service-worker@2.0.0 → npm/filelist@1.0.6

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/filelist@1.0.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Filesystem access: npm filelist with module fs

Module: fs

Location: Package overview

From: npm/astrojs-service-worker@2.0.0 → npm/filelist@1.0.6

ℹ Read more on: This package | This alert | What is filesystem access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/filelist@1.0.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Environment variable access: npm fs.realpath reads NODE_DEBUG

Env Vars: NODE_DEBUG

Location: Package overview

From: npm/astrojs-service-worker@2.0.0 → npm/fs.realpath@1.0.0

ℹ Read more on: This package | This alert | What is environment variable access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fs.realpath@1.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Filesystem access: npm fs.realpath with module fs

Module: fs

Location: Package overview

From: npm/astrojs-service-worker@2.0.0 → npm/fs.realpath@1.0.0

ℹ Read more on: This package | This alert | What is filesystem access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fs.realpath@1.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Unmaintained: npm fs.realpath was last published 10 years ago

Last Publish: 6/15/2016, 6:39:05 PM

From: npm/astrojs-service-worker@2.0.0 → npm/fs.realpath@1.0.0

ℹ Read more on: This package | This alert | What are unmaintained packages?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Package should publish periodic maintenance releases if they are maintained, or deprecate if they have no intention in further maintenance.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fs.realpath@1.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Embedded URLs or IPs: npm graceful-fs with fs.read

URLs: fs.read

Location: Package overview

From: npm/astrojs-service-worker@2.0.0 → npm/graceful-fs@4.2.11

ℹ Read more on: This package | This alert | What are URL strings?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/graceful-fs@4.2.11. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Environment variable access: npm graceful-fs reads NODE_DEBUG

Env Vars: NODE_DEBUG

Location: Package overview

From: npm/astrojs-service-worker@2.0.0 → npm/graceful-fs@4.2.11

ℹ Read more on: This package | This alert | What is environment variable access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/graceful-fs@4.2.11. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Environment variable access: npm graceful-fs

Env Vars: TEST_GRACEFUL_FS_GLOBAL_PATCH

Location: Package overview

From: npm/astrojs-service-worker@2.0.0 → npm/graceful-fs@4.2.11

ℹ Read more on: This package | This alert | What is environment variable access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/graceful-fs@4.2.11. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Environment variable access: npm graceful-fs reads GRACEFUL_FS_PLATFORM

Env Vars: GRACEFUL_FS_PLATFORM

Location: Package overview

From: npm/astrojs-service-worker@2.0.0 → npm/graceful-fs@4.2.11

ℹ Read more on: This package | This alert | What is environment variable access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/graceful-fs@4.2.11. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Filesystem access: npm graceful-fs with module fs

Module: fs

Location: Package overview

From: npm/astrojs-service-worker@2.0.0 → npm/graceful-fs@4.2.11

ℹ Read more on: This package | This alert | What is filesystem access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/graceful-fs@4.2.11. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Unmaintained: npm inflight was last published 10 years ago

Last Publish: 10/13/2016, 3:53:29 AM

From: npm/astrojs-service-worker@2.0.0 → npm/inflight@1.0.6

ℹ Read more on: This package | This alert | What are unmaintained packages?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Package should publish periodic maintenance releases if they are maintained, or deprecate if they have no intention in further maintenance.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/inflight@1.0.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Unmaintained: npm is-module was last published 12 years ago

Last Publish: 4/1/2014, 12:58:29 AM

From: npm/astrojs-service-worker@2.0.0 → npm/is-module@1.0.0

ℹ Read more on: This package | This alert | What are unmaintained packages?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Package should publish periodic maintenance releases if they are maintained, or deprecate if they have no intention in further maintenance.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/is-module@1.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

See 22 more rows in the dashboard


Bumps [postcss](https://github.com/postcss/postcss) from 8.5.12 to 8.5.14.
- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.12...8.5.14)

---
updated-dependencies:
- dependency-name: postcss
  dependency-version: 8.5.14
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/postcss-8.5.14 branch from c035036 to 3939704 May 5, 2026 01:27
@github-actions github-actions Bot merged commit 4935d1e into Current May 5, 2026
5 of 9 checks passed
@github-actions github-actions Bot deleted the dependabot/npm_and_yarn/postcss-8.5.14 branch May 5, 2026 01:27
