
mobile: re-add Sentry with conservative sampling and ignore list #14242

Open
dylanjeffers wants to merge 1 commit into main from feat/sentry-mobile

Conversation

@dylanjeffers (Contributor)

Summary

  • Re-introduces @sentry/react-native (^6.20.0) to packages/mobile, replacing the no-op initSentry() left behind after the RN 0.77 upgrade.
  • Reuses the existing env.SENTRY_DSN (same DSN as web; events are tagged platform=mobile so they're filterable in the Sentry UI).
  • Drops tracesSampleRate from 1.0 (previous config) to 0.1 to preserve quota.
  • Adds an ignoreErrors list for known-noisy transient/cancellation cases (network failures, AbortError, "User cancelled", non-Error rejections, etc.).
  • Restores navigationIntegration so React Navigation route changes register as transactions.

Context

Sentry was removed from mobile in da4fd75f (the RN 0.77 upgrade) — likely because @sentry/react-native@6.11.0 wasn't yet compatible. RN has since moved to 0.78.3 + React 19, and recent 6.x versions of the SDK support that combination. The initSentry() wrapper and its App.tsx callsite were preserved during removal, so re-enabling is mostly a content swap inside one file.

Follow-ups (not in this PR)

This PR only restores the JS-side integration. To get the full pipeline working, the following native pieces still need to be wired up:

  • iOS: add Sentry to ios/Podfile, run pod install, drop a sentry.properties next to the project, and add the source-map upload build phase.
  • Android: apply the Sentry Gradle plugin in android/app/build.gradle, add a matching sentry.properties.
  • CI: verify the existing SENTRY_AUTH_TOKEN / SENTRY_ORG / SENTRY_PROJECT secrets referenced in .github/workflows/mobile.yml still resolve to the right project for the upload step.
  • Version pin: ^6.20.0 was picked as a recent 6.x supporting RN 0.78 / React 19, but please confirm against your install/build before merging — adjust if npm install flags peer-dep issues.

Without the native side, the JS will still call Sentry.init and report errors over the network, but stacks won't be symbolicated and releases won't be associated with uploaded source maps.

Test plan

  • npm install from repo root resolves @sentry/react-native@^6.20.0 cleanly against RN 0.78.3 / React 19.
  • iOS dev build (npm run ios:dev) launches without runtime errors from Sentry init.
  • Android dev build (npm run android:dev) launches without runtime errors from Sentry init.
  • Trigger a thrown error in dev and confirm it lands in the Sentry project tagged platform=mobile.
  • Confirm a sampled transaction appears for a navigation event (10% sample rate, may need a few attempts).
  • Verify Network request failed and User cancelled errors are filtered out (do not appear in Sentry).

🤖 Generated with Claude Code

Re-introduces @sentry/react-native to the mobile app, replacing the no-op
initSentry() that was left behind after the RN 0.77 upgrade. Reuses the
existing SENTRY_DSN already wired through env (same project as web; events
are tagged platform=mobile so they can be filtered in the Sentry UI).

- tracesSampleRate dropped from 1.0 (previous config) to 0.1 to preserve
  quota now that the rest of the perf integration is back online.
- ignoreErrors filters known-noisy transient/cancellation cases so they
  don't drown out actionable signal.
- navigationIntegration restored so React Navigation route changes show
  up as transactions again.

Note: native side (Podfile, sentry.gradle, sentry.properties, source map
upload step) still needs to be wired up in a follow-up — the JS init alone
will report errors but symbolication and the CI release step won't work
until that lands.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
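The ignore list, the platform=mobile tag and the 10% trace sampling described in the PR, as an added example in TypeScript. This is not the PR's code or the project's initSentry(): the event shape, the pattern list, sampleTrace, overlyBroadPatterns and the sample events are assumptions for illustration. String entries match as substrings and RegExp entries are tested, which follows Sentry's documented ignoreErrors behaviour, and the functions are pure so they run without the SDK or a DSN.

```typescript
// Added example (not the PR's code): a beforeSend filter and a trace sampler
// that reproduce the two decisions the PR description makes, so they can be
// exercised without the Sentry SDK. Event shape, patterns and helpers are
// assumptions for illustration.

type IgnorePattern = string | RegExp;

// Minimal slice of a Sentry error event; enough for matching and tagging.
interface ErrorEvent {
  message?: string;
  exception?: { values?: { type?: string; value?: string }[] };
  tags?: Record<string, string>;
}

// Illustrative ignore list in the spirit of the PR summary (transient network
// failures, user cancellation, aborted requests, non-Error rejections).
const IGNORE_ERRORS: IgnorePattern[] = [
  'Network request failed',
  'User cancelled',
  /^AbortError\b/,
  /^Non-Error (promise rejection|exception) captured/,
];

// Strings an event can be matched on: the top-level message, each exception
// value, and each "Type: value" pair.
function candidateStrings(event: ErrorEvent): string[] {
  const out: string[] = [];
  if (event.message) out.push(event.message);
  for (const ex of event.exception?.values ?? []) {
    if (ex.value) out.push(ex.value);
    if (ex.type && ex.value) out.push(`${ex.type}: ${ex.value}`);
  }
  return out;
}

// Strings in the list are substring matches, RegExps are tested.
function matchesIgnoreList(event: ErrorEvent, patterns: IgnorePattern[]): boolean {
  return candidateStrings(event).some((s) =>
    patterns.some((p) => (typeof p === 'string' ? s.includes(p) : p.test(s)))
  );
}

// beforeSend hook: null drops the event; otherwise stamp platform=mobile so
// mobile events are separable from web events that share the same DSN.
function beforeSend(event: ErrorEvent, patterns: IgnorePattern[] = IGNORE_ERRORS): ErrorEvent | null {
  if (matchesIgnoreList(event, patterns)) return null;
  return { ...event, tags: { ...(event.tags ?? {}), platform: 'mobile' } };
}

// Trace sampling decision for a given tracesSampleRate. `random` is injectable
// so the decision is testable; Sentry itself draws from Math.random().
function sampleTrace(rate: number, random: () => number = Math.random): boolean {
  if (!Number.isFinite(rate) || rate < 0 || rate > 1) {
    throw new RangeError(`tracesSampleRate must be in [0, 1], got ${rate}`);
  }
  return rate > 0 && random() < rate;
}

// Guard against an over-broad ignore list: returns the patterns that would
// swallow one of the supplied actionable errors (assumed helper).
function overlyBroadPatterns(patterns: IgnorePattern[], actionable: ErrorEvent[]): IgnorePattern[] {
  return patterns.filter((p) => actionable.some((e) => matchesIgnoreList(e, [p])));
}

// Constructed sample events (not real captures).
const SAMPLE_EVENTS: ErrorEvent[] = [
  { exception: { values: [{ type: 'TypeError', value: 'Network request failed' }] } },
  { exception: { values: [{ type: 'Error', value: 'User cancelled' }] } },
  { exception: { values: [{ type: 'AbortError', value: 'The operation was aborted.' }] } },
  { message: 'Non-Error promise rejection captured with value: 42' },
  { exception: { values: [{ type: 'TypeError', value: "Cannot read property 'id' of undefined" }] } },
];

// Partition the samples into dropped and forwarded (tagged) events.
function filterSamples(events: ErrorEvent[] = SAMPLE_EVENTS): { dropped: number; kept: ErrorEvent[] } {
  const kept: ErrorEvent[] = [];
  let dropped = 0;
  for (const e of events) {
    const r = beforeSend(e);
    if (r === null) dropped++;
    else kept.push(r);
  }
  return { dropped, kept };
}
```

In a real initSentry() the same logic would sit behind Sentry.init's ignoreErrors and beforeSend options. The overlyBroadPatterns check is the one a reviewer would want before merging an ignore list: a catch-all entry silently hides actionable errors, and with a DSN shared between web and mobile that loss is hard to notice in the project view.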
@changeset-bot

changeset-bot Bot commented May 6, 2026

⚠️ No Changeset found

Latest commit: 2a7090a

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Added | npm/@babel/plugin-proposal-class-static-block@7.21.0 | 100 | 100 | 71 | 50 | 100 |
| Updated | npm/@esbuild-plugins/node-globals-polyfill@0.1.1 ⏵ 0.2.3 | 100 +1 | 100 | 71 +1 | 80 | 100 |
| Updated | npm/@babel/preset-typescript@7.28.5 ⏵ 7.22.15 | 100 | 100 | 72 | 94 | 100 |
| Updated | npm/@babel/plugin-transform-runtime@7.29.0 ⏵ 7.18.2 | 99 | 100 | 74 +1 | 95 | 100 |
| Added | npm/@emotion/server@11.11.0 | 100 | 100 | 75 | 84 | 100 |
| Updated | npm/@babel/helper-compilation-targets@7.22.15 ⏵ 7.27.1 | 100 | 100 | 75 +1 | 94 | 100 |
| Added | npm/@audius/fetch-nft@0.2.8 | 75 | 100 | 99 | 84 | 100 |
| Added | npm/@babel/plugin-transform-react-jsx@7.21.0 | 100 | 100 | 76 | 94 | 100 |
| Updated | npm/@babel/template@7.22.15 ⏵ 7.27.1 | 100 +1 | 100 | 76 +1 | 94 | 100 |
| Updated | npm/@audius/hedgehog@2.1.0 ⏵ 3.0.0-alpha.1 | 76 +1 | 100 | 94 | 83 | 100 |
| Added | npm/@babel/preset-env@7.22.15 | 96 | 100 | 77 | 97 | 100 |
| Added | npm/@atlaskit/pragmatic-drag-and-drop@1.7.7 | 100 | 100 | 77 | 92 | 100 |
| Added | npm/@audius/stems@0.3.10 | 77 | 100 | 93 | 84 | 100 |
| Updated | npm/@babel/helper-module-transforms@7.22.20 ⏵ 7.27.1 | 100 +1 | 100 | 77 +1 | 95 | 100 |
| Updated | npm/@babel/parser@7.22.16 ⏵ 7.27.1 | 99 | 100 | 77 -3 | 97 | 100 |
| Updated | npm/@babel/compat-data@7.22.20 ⏵ 7.27.1 | 100 +1 | 100 | 78 +1 | 97 | 100 |
| Added | npm/@coral-xyz/anchor@0.29.0 | 93 | 100 | 78 | 83 | 100 |
| Updated | npm/@babel/generator@7.22.15 ⏵ 7.27.1 | 100 | 100 | 79 +1 | 95 | 100 |
| Updated | npm/@babel/traverse@7.22.20 ⏵ 7.27.1 | 100 +1 | 100 +75 | 79 +1 | 95 | 100 |
| Updated | npm/@babel/helpers@7.22.15 ⏵ 7.27.1 | 99 +1 | 100 +2 | 80 +1 | 96 | 100 |
| Updated | npm/@babel/core@7.22.20 ⏵ 7.23.7 | 98 | 100 | 80 +1 | 95 | 100 |
| Added | npm/@elastic/elasticsearch@8.1.0 | 99 | 100 | 100 | 98 | 80 |
| Updated | npm/@babel/types@7.26.3 ⏵ 7.27.1 | 98 | 100 | 81 | 96 | 100 |
| Added | npm/@emotion/styled@11.14.0 | 100 | 100 | 82 | 85 | 100 |
| Added | npm/@bravemobile/react-native-code-push@12.3.2 | 82 | 100 | 100 | 92 | 100 |
| Added | npm/@apollo/client@3.3.7 | 93 | 100 | 82 | 99 | 100 |
| Added | npm/@commander-js/extra-typings@12.1.0 | 100 | 100 | 93 | 83 | 100 |
| Added | npm/@emotion/eslint-plugin@11.12.0 | 100 | 100 | 95 | 84 | 100 |
| Added | npm/@emotion/babel-preset-css-prop@11.12.0 | 100 | 100 | 100 | 84 | 100 |
| Updated | npm/@emotion/react@11.11.3 ⏵ 11.14.0 | 99 +3 | 100 | 87 +1 | 84 | 100 |
| Added | npm/@emotion/native@11.11.0 | 100 | 100 | 100 | 84 | 100 |
| Added | npm/@emotion/css@11.13.5 | 100 | 100 | 100 | 84 | 100 |
See 7 more rows in the dashboard


@socket-security

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action | Severity | Alert
Block Critical
Critical CVE: npm form-data uses unsafe random function in form-data for choosing boundary

CVE: GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary (CRITICAL)

Affected versions: < 2.5.4; >= 3.0.0 < 3.0.4; >= 4.0.0 < 4.0.4

Patched version: 4.0.4

From: package-lock.json → npm/form-data@4.0.1

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/form-data@4.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm @amplitude/session-replay-browser is 100.0% likely to have a medium risk anomaly

Notes: This is a session-replay / DOM-capture library that intentionally collects detailed page state (DOM, canvas bitmaps, user interactions), persists them locally, compresses, and sends them to Amplitude session-replay endpoints. The behavior is expected for such SDKs. The primary security concern is privacy/data exfiltration: if misconfigured or used without user consent, the library can capture sensitive inputs and page content. No evidence of traditional malware (reverse shell, arbitrary remote code execution, eval-based payloads) was found in the provided fragment. Recommendations: only use from trusted package sources, ensure masking/ignore selectors are tightly configured (especially for inputs and sensitive CSS selectors), review remote config behavior (it fetches sampling/privacy config), consider privacy/legal implications (consent), and monitor network endpoints and API keys.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@amplitude/plugin-session-replay-browser@1.8.2 → npm/@amplitude/session-replay-browser@1.15.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?


Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@amplitude/session-replay-browser@1.15.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm @ampproject/remapping is 100.0% likely to have a medium risk anomaly

Notes: The code implements a standard SourceMap remapping mechanism. There is no inherent malicious behavior or backdoor within the shown fragment. The only potential risk lies in the use of the user-supplied loader callback, which could be misused by a project integrating this library. If the loader is trusted and sandboxed, the code poses no evident security threats. Overall, the security risk is moderate due to loader trust requirements.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@babel/core@7.23.7 → npm/@ampproject/remapping@2.2.1

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ampproject/remapping@2.2.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm @ampproject/remapping is 100.0% likely to have a medium risk anomaly

Notes: The code is a conventional, loader-driven Source Map remapping utility. It exhibits a legitimate trust boundary at the loader. No intrinsic malware present; security concerns hinge on loader trust and content exposure. Recommend reviewing loader implementations and ensuring options properly redact or restrict sourcesContent when distributing SourceMaps.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@babel/core@7.23.7 → npm/@ampproject/remapping@2.2.1


Block Low
Potential code anomaly (AI signal): npm @apollo/protobufjs is 100.0% likely to have a medium risk anomaly

Notes: The analyzed code segment is a standard RPC service wrapper (protobufjs style) with conventional input validation, encoding/decoding, event emission, and end handling. No malicious behavior is evident, and there are no observable security vulnerabilities beyond ordinary library-level error handling. It does not exhibit data exfiltration, backdoors, or other anti-security patterns.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@apollo/protobufjs@1.2.7

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@apollo/protobufjs@1.2.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm @audius/hedgehog is 100.0% likely to have a medium risk anomaly

Notes: The source code contains hardcoded sensitive credentials and cryptographic material that are directly exported, posing a high security risk if used in production or published publicly. There is no evidence of malware or obfuscation, but the insecure practice of embedding plaintext passwords and keys in source code can lead to credential leakage and compromise. It is strongly recommended to remove hardcoded secrets, implement secure credential management, and restrict exposure of sensitive data.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@audius/hedgehog@3.0.0-alpha.1

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@audius/hedgehog@3.0.0-alpha.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm @babel/core is 100.0% likely to have a medium risk anomaly

Notes: The analyzed code fragment is a standard Babel core error handling and code-frame rendering utility. It reads internal node and code data to produce informative errors but does not perform any suspicious network activity, data exfiltration, or backdoor behavior. The observed behavior is typical for a compiler/transpiler component and, in this isolated context, does not indicate malicious activity.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@babel/core@7.23.7

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/core@7.23.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm @babel/core is 100.0% likely to have a medium risk anomaly

Notes: The analyzed fragment implements a conventional file transformation entry point with no evident malicious behavior or hard-coded secrets. Security concerns depend on the downstream transformation logic (run) and configuration loading (loadConfig). The code maintains safe control flow (null config handling) and avoids arbitrary code execution within this scope.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@babel/core@7.23.7


Block Low
Potential code anomaly (AI signal): npm @babel/helper-module-transforms is 100.0% likely to have a medium risk anomaly

Notes: The code is a legitimate, static-code transformation utility used in Babel to ensure proper behavior of ES module bindings after transforms. There is no evidence of malicious behavior, data leakage, or external communications within this fragment. It operates purely on AST-level transformations consistent with module import/export handling.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@babel/helper-module-transforms@7.27.1

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helper-module-transforms@7.27.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm @babel/helpers is 100.0% likely to have a medium risk anomaly

Notes: The analyzed fragment is a conventional Babel/TypeScript-style decorators runtime (applyDecs) responsible for applying decorators to class members and managing metadata and initializers. There is no evidence of malware, backdoors, or external data leakage within this module. While complex, the code behaves as a metadata-driven decorator processor and should be considered low risk when used as intended. Downstream risks depend on the decorators provided by consumers, not this utility itself.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@babel/helpers@7.27.1

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helpers@7.27.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm @babel/plugin-syntax-typescript is 100.0% likely to have a medium risk anomaly

Notes: The code is a standard Babel plugin fragment that configures syntax support for TypeScript by manipulating parser plugins. There is no malicious logic, no data exfiltration, and no unsafe operations. It appears to be a legitimate helper for enabling TypeScript syntax in Babel pipelines.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@babel/preset-typescript@7.22.15 → npm/@babel/plugin-syntax-typescript@7.27.1

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/plugin-syntax-typescript@7.27.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm @babel/runtime is 100.0% likely to have a medium risk anomaly

Notes: Selected report 1 provides a thorough evaluation of decorator-related runtime utilities and concludes low risk with potential for finishers to alter constructors if used with untrusted inputs. The improved assessment confirms normal, expected behavior for Babel decorator infrastructure and notes that the primary risk lies in the finishers channel if untrusted code is supplied. Security risk remains low to moderate depending on input provenance; malware likelihood is negligible based on the fragment.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@changesets/cli@2.27.1 → npm/@babel/runtime@7.24.0

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/runtime@7.24.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm @bravemobile/react-native-code-push is 75.0% likely to have a medium risk anomaly

Notes: The fragment represents a standard, legitimate OTA update mechanism for React Native, with normal update orchestration, user prompts, retry/rollback, and status reporting. There is no obvious malicious behavior or backdoor within this code fragment. The main security considerations relate to the integrity and authenticity of updates, secure transport, and the security of the native bridge implementation. Overall risk is moderate due to remote updates, but not due to internal malicious code in this snippet.

Confidence: 0.75

Severity: 0.55

From: package-lock.json → npm/@bravemobile/react-native-code-push@12.3.2

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@bravemobile/react-native-code-push@12.3.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm @clack/prompts is 100.0% likely to have a medium risk anomaly

Notes: The code fragment appears to be a part of a larger project related to CLI interactions and logging. The heavy obfuscation, incomplete functions, and potential untrusted input handling raise concerns about its security and reliability.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@clack/prompts@0.7.0

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@clack/prompts@0.7.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm @cspotcode/source-map-support is 100.0% likely to have a medium risk anomaly

Notes: The fragment is consistent with a legitimate source-map support utility (likely source-map-support) used to enhance debugging by resolving and applying source maps. While it performs long-lived network/file I/O and intensively manipulates error reporting, there is no concrete evidence of malicious activity or data exfiltration beyond what such debugging tooling normally performs. The security risk is modest and largely dependent on trust in remote map sources and logging practices.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@cspotcode/source-map-support@0.8.1

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@cspotcode/source-map-support@0.8.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm @emnapi/runtime is 100.0% likely to have a medium risk anomaly

Notes: Overall, this code fragment is a standard and legitimate binding/runtime infrastructure for Node.js native addon interoperability (EMNAPI). There is no evidence of data exfiltration, remote control, backdoors, or malware behavior within this snippet. The primary security considerations relate to the complexity and correct handling of finalizers, weak references, and policy-driven warning paths; misconfiguration or misuse by host applications could introduce risk, but the code itself does not demonstrate malicious activity.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@emnapi/runtime@1.5.0

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/runtime@1.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm @emotion/cache is 100.0% likely to have a medium risk anomaly

Notes: The analyzed fragment is a legitimate part of Emotion’s CSS-in-JS cache that manages hydration of server-rendered styles and style insertion. It does not exhibit malicious behavior or supply chain exploits within this snippet. The security risk is low to moderate (primarily DOM manipulation, which is expected for a UI library), with no evident data leakage or external communications.

Confidence: 1.00

Severity: 0.60

From: package-lock.json › npm/@emotion/css@11.13.5 › npm/@emotion/react@11.14.0 › npm/@emotion/cache@11.14.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emotion/cache@11.14.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm @emotion/styled is 100.0% likely to have a medium risk anomaly

Notes: Overall, this is a standard, non-malicious portion of the Emotion styling library. No evidence of backdoors, credential theft, or external network/data exfiltration. The primary risk vector is the CSS-in-DOM injection path via dangerouslySetInnerHTML, which is expected but should be reviewed in the context of trusted inputs. Security posture is low-to-moderate; no immediate danger, but maintain caution with user-supplied template literals and ensure dependencies are trusted.

Confidence: 1.00

Severity: 0.60

From: package-lock.json › npm/@emotion/styled@11.14.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emotion/styled@11.14.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm axios is 100.0% likely to have a medium risk anomaly

Notes: The code appears to be a standard, well-scoped progress-event utility used to report progress (upload/download) to a consumer listener. It reads input from the event object and computes metrics, then forwards a structured payload to a listener. A minor data exposure risk exists due to passing the raw event object to the listener; mitigations include sanitizing the payload or removing the event object before emission. Overall security risk remains modest, with malware likelihood negligible in this isolated module.

Confidence: 1.00

Severity: 0.60

From: package-lock.json › npm/axios@1.7.4

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.7.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm axios is 100.0% likely to have a medium risk anomaly

Notes: The code is a legitimate, self-contained throttling transformer designed for Axios-like streaming workflows. It throttles data output based on maxRate and timeWindow, preserves data integrity by splitting chunks when necessary, and emits optional progress telemetry. No malicious activity or data leakage is detected in this fragment. Security risk remains moderate due to throttling complexity and potential misconfiguration in real deployments, but the module itself does not introduce obvious security flaws.

Confidence: 1.00

Severity: 0.60

From: package-lock.json › npm/axios@1.7.4

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.7.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm cacache is 100.0% likely to have a medium risk anomaly

Notes: The analyzed code is a straightforward content-cache retrieval and streaming utility. It reads from a cache using an index, supports digest-based access, and optionally memoizes results. There is no evidence of malicious behavior, data exfiltration, backdoors, or external network activity within this module. The security risk appears low, assuming the surrounding system properly manages cache integrity and does not expose untrusted cache contents without validation.

Confidence: 1.00

Severity: 0.60

From: package-lock.json › npm/cacache@18.0.4

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/cacache@18.0.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm commander is 100.0% likely to have a medium risk anomaly

Notes: The code represents a standard Commander-like CLI framework with dynamic subcommand execution via spawning local executables. It is not inherently malicious, but the external-executable dispatch mechanism introduces a legitimate supply-chain risk: untrusted or misconfigured subcommands can execute arbitrary local code. Recommend tightening executable discovery (absolute trusted paths only, explicit allowlists), validating subcommand targets before spawning, and ensuring regular security reviews of any projects using this pattern.

Confidence: 1.00

Severity: 0.60

From: package-lock.json › npm/commander@5.1.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/commander@5.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

See 12 more rows in the dashboard

View full report
