You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
When zx is invoked with --prefer-local=, the CLI creates a symlink named ./node_modules pointing to /node_modules. Due to a logic error in src/cli.ts (linkNodeModules / cleanup), the function returns the target path instead of the alias (symlink path). The later cleanup routine removes what it received, which deletes the target directory itself. Result: zx can delete an external /node_modules outside the current working directory.
It's time. This release updates zx internals to make the ps API and related methods ProcessPromise.kill(), kill() work on Windows systems without wmic. #1344webpod/ps#15
WMIC will be missing in Windows 11 25H2 (kernel >= 26000)
The windows-latest label in GitHub Actions will migrate from Windows Server 2022 to Windows Server 2025 beginning September 2, 2025 and finishing by September 30, 2025.
Review the following alerts detected in dependencies.
According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.
Action
Severity
Alert (click "▶" to expand/collapse)
Block
Malicious package: npm asynckit
Note: This VS Code extension is classified as malware because it exhibits high-confidence brandjacking and typosquatting indicators that strongly imply deceptive distribution and user impersonation:
Publisher impersonation: The VSIX claims to be “JFrog VSCode Extension,” but it is published by Artifactory-Software-Studio, not the official JFrog publisher.
Typosquatted identifier: The extension’s identity is vscode-jrrog-extension (note the “jrrog” typo), which is a look-alike of the official JFrog extension identifier and consistent with marketplace typosquat tactics.
Abuse of trust via branding: The manifest and package metadata deliberately reuse JFrog’s brand name (“JFrog VSCode Extension”) to induce installation under false provenance.
High-risk capability overlap: The extension’s functionality includes reading JFrog CLI configuration/credentials and initiating outbound network connections for scanning workflows. In a typosquatted/impersonating package, these capabilities materially increase the likelihood of credential theft or sensitive project metadata leakage, regardless of whether the current bundle contains overt C2 logic.
Together, the deceptive provenance (non-official publisher + typo-lookalike ID + brand reuse) is sufficient to classify the extension as malicious because it is designed to obtain installs by masquerading as a trusted vendor extension, a common precursor to credential harvesting and supply-chain compromise.
Next steps: Take a moment to review the security alert
above. Review the linked package source code to understand the potential
risk. Ensure the package is not malicious before proceeding. If you're
unsure how to proceed, reach out to your security team or ask the Socket
team for help at support@socket.dev.
Suggestion: It is strongly recommended that malware is removed from your codebase.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/asynckit@0.4.0. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Block
Malicious package: npm function-bind
Note: This VS Code extension is classified as malware because it exhibits high-confidence brandjacking and typosquatting indicators that strongly imply deceptive distribution and user impersonation:
Publisher impersonation: The VSIX claims to be “JFrog VSCode Extension,” but it is published by Artifactory-Software-Studio, not the official JFrog publisher.
Typosquatted identifier: The extension’s identity is vscode-jrrog-extension (note the “jrrog” typo), which is a look-alike of the official JFrog extension identifier and consistent with marketplace typosquat tactics.
Abuse of trust via branding: The manifest and package metadata deliberately reuse JFrog’s brand name (“JFrog VSCode Extension”) to induce installation under false provenance.
High-risk capability overlap: The extension’s functionality includes reading JFrog CLI configuration/credentials and initiating outbound network connections for scanning workflows. In a typosquatted/impersonating package, these capabilities materially increase the likelihood of credential theft or sensitive project metadata leakage, regardless of whether the current bundle contains overt C2 logic.
Together, the deceptive provenance (non-official publisher + typo-lookalike ID + brand reuse) is sufficient to classify the extension as malicious because it is designed to obtain installs by masquerading as a trusted vendor extension, a common precursor to credential harvesting and supply-chain compromise.
Next steps: Take a moment to review the security alert
above. Review the linked package source code to understand the potential
risk. Ensure the package is not malicious before proceeding. If you're
unsure how to proceed, reach out to your security team or ask the Socket
team for help at support@socket.dev.
Suggestion: It is strongly recommended that malware is removed from your codebase.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/function-bind@1.1.2. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Block
Malicious package: npm mime-types
Note: This VS Code extension is classified as malware because it exhibits high-confidence brandjacking and typosquatting indicators that strongly imply deceptive distribution and user impersonation:
Publisher impersonation: The VSIX claims to be “JFrog VSCode Extension,” but it is published by Artifactory-Software-Studio, not the official JFrog publisher.
Typosquatted identifier: The extension’s identity is vscode-jrrog-extension (note the “jrrog” typo), which is a look-alike of the official JFrog extension identifier and consistent with marketplace typosquat tactics.
Abuse of trust via branding: The manifest and package metadata deliberately reuse JFrog’s brand name (“JFrog VSCode Extension”) to induce installation under false provenance.
High-risk capability overlap: The extension’s functionality includes reading JFrog CLI configuration/credentials and initiating outbound network connections for scanning workflows. In a typosquatted/impersonating package, these capabilities materially increase the likelihood of credential theft or sensitive project metadata leakage, regardless of whether the current bundle contains overt C2 logic.
Together, the deceptive provenance (non-official publisher + typo-lookalike ID + brand reuse) is sufficient to classify the extension as malicious because it is designed to obtain installs by masquerading as a trusted vendor extension, a common precursor to credential harvesting and supply-chain compromise.
Next steps: Take a moment to review the security alert
above. Review the linked package source code to understand the potential
risk. Ensure the package is not malicious before proceeding. If you're
unsure how to proceed, reach out to your security team or ask the Socket
team for help at support@socket.dev.
Suggestion: It is strongly recommended that malware is removed from your codebase.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/mime-types@2.1.35. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
Warn
Obfuscated code: npm vite is 91.0% likely obfuscated
Next steps: Take a moment to review the security alert
above. Review the linked package source code to understand the potential
risk. Ensure the package is not malicious before proceeding. If you're
unsure how to proceed, reach out to your security team or ask the Socket
team for help at support@socket.dev.
Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/vite@7.1.5. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
dependenciesUpgrade or downgrade of project dependencies.
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
renovate
bot
added
the
dependencies
This PR contains the following updates:
8.8.1→8.8.5GitHub Vulnerability Alerts
CVE-2025-13437
When zx is invoked with --prefer-local=, the CLI creates a symlink named ./node_modules pointing to /node_modules. Due to a logic error in src/cli.ts (linkNodeModules / cleanup), the function returns the target path instead of the alias (symlink path). The later cleanup routine removes what it received, which deletes the target directory itself. Result: zx can delete an external /node_modules outside the current working directory.
Release Notes
google/zx (zx)
v8.8.5: — Temporary ReservoirCompare Source
This release fixes the issue, when zx flushes external
node_moduleson linking #1348 #1349 #1355Also
globby@15.0.0arrives here.v8.8.4: — Flange CouplingCompare Source
It's time. This release updates zx internals to make the
psAPI and related methodsProcessPromise.kill(),kill()work on Windows systems withoutwmic.#1344 webpod/ps#15
https://github.blog/changelog/2025-07-31-github-actions-new-apis-and-windows-latest-migration-notice/#windows-latest-image-label-migration
v8.8.3: — Sealing GasketCompare Source
Continues #1339 to prevent injections via
Proxyinput or customtoString()manipulations.v8.8.2: — Leaking ValveCompare Source
Fixes potential cmd injection via
kill()method for Windows platform. #1337 #1339. Affects the versions range8.7.1...8.8.1.Configuration
📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.