Bump fast-xml-parser and @aws-sdk/credential-providers in /.github/actions

[dependabot]

Bumps fast-xml-parser and @aws-sdk/credential-providers. These dependencies needed to be updated together.
Updates fast-xml-parser from 4.5.0 to 4.5.4

Release notes

Sourced from fast-xml-parser's releases.

Summary update on all the previous releases from v4.2.4

• Multiple minor fixes provided in the validator and parser
• v6 is added for experimental use.
• ignoreAttributes support function, and array of string or regex
• Add support for parsing HTML numeric entities
• v5 of the application is ESM module now. However, JS is also supported

Note: Release section in not updated frequently. Please check CHANGELOG or Tags for latest release information.

Changelog

Sourced from fast-xml-parser's changelog.

Note: If you find missing information about particular minor version, that version must have been changed without any functional change in this library.

Note: Due to some last quick changes on v4, detail of v4.5.3 & v4.5.4 are not updated here. v4.5.4x is the last tag of v4 in github repository. I'm extremely sorry for the confusion

5.4.2 / 2026-03-03

• support maxEntityCount option

5.4.1 / 2026-02-25

• fix (#785) unpairedTag node should not have tag content

5.4.0 / 2026-02-25

• migrate to fast-xml-builder

5.3.9 / 2026-02-25

• support strictReservedNames

5.3.8 / 2026-02-25

• support maxNestedTags
• handle non-array input for XML builder when preserveOrder is true (By Angelo Coetzee)
• save use of js properies

5.3.7 / 2026-02-20

• fix typings for CJS (By Corentin Girard)

5.3.6 / 2026-02-14

• Improve security and performance of entity processing
  • new options maxEntitySize, maxExpansionDepth, maxTotalExpansions, maxExpandedLength, allowedTags,tagFilter
  • fast return when no edtity is present
  • improvement replacement logic to reduce number of calls

5.3.5 / 2026-02-08

• fix: Escape regex char in entity name
• update strnum to 2.1.2
• add missing exports in CJS typings

5.3.4 / 2026-01-30

• fix: handle HTML numeric and hex entities when out of range

5.3.3 / 2025-12-12

• fix #775: transformTagName with allowBooleanAttributes adds an unnecessary attribute

5.3.2 / 2025-11-14

• fix for import statement for v6

5.3.1 / 2025-11-03

... (truncated)

Commits

• f8d4d42 update strnum to fix parsing issues of 0 when skiplike is used
• ab00cdc update package bundle for minor fixes
• 57c6187 Update ReadMe
• caeda37 fix: emit full JSON string from CLI when no output filename specified (#710)
• eadeb7e fix(performance): Update check for leaf node in saveTextToParentTag function ...
• 682066c Update disclaimer
• 280cd63 Fix null CDATA to comply with undefined behavior (#701)
• e132656 update release detail
• 74e2651 Fixes entity parsing when used in strict mode (#699)
• 4082902 Fix empty tag key name for v5 (#697)
• Additional commits viewable in compare view

Updates @aws-sdk/credential-providers from 3.658.1 to 3.1003.0

Release notes

Sourced from @​aws-sdk/credential-providers's releases.

v3.1003.0

3.1003.0(2026-03-05)

Chores

• bump '@smithy/*' dependencies (#7822) (8ddd5442)
• set downlevel types to be used in typescript@'<4.5' (#7817) (03dad66b)
• clients:
  • strip trailing periods when the last character is non-alphanumeric (#7821) (6b5b50b2)
  • sort missed package.json files (#7820) (297b5643)
  • include deprecated-since in generated tsdoc (#7815) (17ecb20a)

New Features

• clients: update client endpoints as of 2026-03-05 (e9a8d8de)
• client-guardduty: Added MALICIOUS FILE to IndicatorType enum in MDC Sequence (bb9d4662)
• client-savingsplans: Added support for OpenSearch and Neptune Analytics to Database Savings Plans. (9e063913)
• client-sagemaker: Adds support for S3 Bucket Ownership validation for SageMaker Managed MLflow. (b6216564)
• client-connecthealth: Connect-Health SDK is AWS's unified SDK for the Amazon Connect Health offering. It allows healthcare developers to integrate purpose-built agents - such as patient insights, ambient documentation, and medical coding - into their existing applications, including EHRs, telehealth, and revenue cycle. (454c6cb7)
• client-mpa: Updates to multi-party approval (MPA) service to add support for approval team baseline operations. (e9581543)
• client-ec2: Added metadata field to CapacityAllocation. (d7cce1c2)

Bug Fixes

• nested-clients: add bundler instructions for browser credential clients (#7823) (f32f3539)

Tests

• canary: replace verdaccio canary test with client tests in canary mode (#7816) (d9bad4ef)
• clients:
  • ignore prettifying automated snapshot test code (#7819) (1eabedb4)
  • run client feature tests in browser mode too (#7808) (37f1adc7)

---

For list of updated packages, view updated-packages.md in assets-3.1003.0.zip

v3.1002.0

3.1002.0(2026-03-04)

New Features

• client-elastic-beanstalk: As part of this release, Beanstalk introduce a new info type - analyze for request environment info and retrieve environment info operations. When customers request an Al analysis, Elastic Beanstalk runs a script on an instance in their environment and returns an analysis of events, health and logs. (44048ced)
• client-connect: Added support for configuring additional email addresses on queues in Amazon Connect. Agents can now select an outbound email address and associate additional email addresses for replying to or initiating emails. (b79a4dbd)
• client-gamelift: Amazon GameLift Servers now offers DDoS protection for Linux-based EC2 and Container Fleets on SDKv5. The player gateway proxy relay network provides traffic validation, per-player rate limiting, and game server IP address obfuscation all with negligible added latency and no additional cost. (1fc4ece8)
• client-elasticsearch-service: Adds support for DeploymentStrategyOptions. (703a57c5)
• client-opensearch: Adding support for DeploymentStrategyOptions (cf6a8810)
• client-quicksight: Added several new values for Capabilities, increased visual limit per sheet from previous limit to 75, renamed Quick Suite to Quick in several places. (c94f306e)

... (truncated)

Changelog

Sourced from @​aws-sdk/credential-providers's changelog.

3.1003.0 (2026-03-05)

Note: Version bump only for package @​aws-sdk/credential-providers

3.1002.0 (2026-03-04)

Note: Version bump only for package @​aws-sdk/credential-providers

3.1001.0 (2026-03-03)

Note: Version bump only for package @​aws-sdk/credential-providers

3.1000.0 (2026-02-27)

Note: Version bump only for package @​aws-sdk/credential-providers

3.999.0 (2026-02-26)

Note: Version bump only for package @​aws-sdk/credential-providers

3.998.0 (2026-02-25)

Note: Version bump only for package @​aws-sdk/credential-providers

3.997.0 (2026-02-24)

... (truncated)

Commits

• 4c36ea3 Publish v3.1003.0
• 8ddd544 chore: bump '@smithy/*' dependencies (#7822)
• 03dad66 chore: set downlevel types to be used in typescript@'<4.5' (#7817)
• 800431b Publish v3.1002.0
• b8467bd Publish v3.1001.0
• ab9e775 chore(codegen): upgrade smithy 1.68.0 (#7806)
• e373aa8 Publish v3.1000.0
• cd1d49d Publish v3.999.0
• ab81c73 chore(packages): reapply eslint rules (#7789)
• adb02cd Publish v3.998.0
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	eslint-config-prettier@​8.10.0
	husky@​8.0.3
	uuid@​9.0.1 ⏵ 8.3.2
	prettier@​2.7.1
	eslint-plugin-prettier@​4.2.1
	nock@​13.5.5
	mocha@​10.7.3
	mongodb@​4.17.2

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Network access: npm @smithy/service-error-classification in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: .github/actions/package-lock.json → npm/mongodb@4.17.2 → npm/@smithy/service-error-classification@4.2.11 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@smithy/service-error-classification@4.2.11. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm @smithy/util-stream in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: .github/actions/package-lock.json → npm/mongodb@4.17.2 → npm/@smithy/util-stream@4.5.17 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@smithy/util-stream@4.5.17. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm follow-redirects in module http Module: http Location: Package overview From: .github/actions/package-lock.json → npm/axios@1.8.2 → npm/follow-redirects@1.15.9 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/follow-redirects@1.15.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm follow-redirects in module https Module: https Location: Package overview From: .github/actions/package-lock.json → npm/axios@1.8.2 → npm/follow-redirects@1.15.9 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/follow-redirects@1.15.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		System shell access: npm husky in module child_process Module: child_process Location: Package overview From: .github/actions/package-lock.json → npm/husky@8.0.3 ℹ Read more on: This package | This alert | What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/husky@8.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm mongodb in module dns Module: dns Location: Package overview From: .github/actions/package-lock.json → npm/mongodb@4.17.2 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/mongodb@4.17.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm mongodb in module http Module: http Location: Package overview From: .github/actions/package-lock.json → npm/mongodb@4.17.2 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/mongodb@4.17.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm mongodb in module net Module: net Location: Package overview From: .github/actions/package-lock.json → npm/mongodb@4.17.2 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/mongodb@4.17.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm mongodb in module tls Module: tls Location: Package overview From: .github/actions/package-lock.json → npm/mongodb@4.17.2 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/mongodb@4.17.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm nock in module http Module: http Location: Package overview From: .github/actions/package-lock.json → npm/nock@13.5.5 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/nock@13.5.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm nock in module https Module: https Location: Package overview From: .github/actions/package-lock.json → npm/nock@13.5.5 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/nock@13.5.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm p-retry in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: .github/actions/package-lock.json → npm/@slack/web-api@6.13.0 → npm/p-retry@4.6.2 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/p-retry@4.6.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Dynamic code execution: npm prettier Eval Type: Function Location: Package overview From: .github/actions/package-lock.json → npm/prettier@2.7.1 ℹ Read more on: This package | This alert | What is dynamic code execution? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/prettier@2.7.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Dynamic code execution: npm smart-buffer Eval Type: Function Location: Package overview From: .github/actions/package-lock.json → npm/mongodb@4.17.2 → npm/smart-buffer@4.2.0 ℹ Read more on: This package | This alert | What is dynamic code execution? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/smart-buffer@4.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm socks in module net Module: net Location: Package overview From: .github/actions/package-lock.json → npm/mongodb@4.17.2 → npm/socks@2.8.3 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/socks@2.8.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm tunnel in module net Module: net Location: Package overview From: .github/actions/package-lock.json → npm/@actions/github@6.0.0 → npm/@actions/core@1.10.1 → npm/tunnel@0.0.6 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tunnel@0.0.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm tunnel in module tls Module: tls Location: Package overview From: .github/actions/package-lock.json → npm/@actions/github@6.0.0 → npm/@actions/core@1.10.1 → npm/tunnel@0.0.6 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tunnel@0.0.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm tunnel in module http Module: http Location: Package overview From: .github/actions/package-lock.json → npm/@actions/github@6.0.0 → npm/@actions/core@1.10.1 → npm/tunnel@0.0.6 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tunnel@0.0.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm tunnel in module https Module: https Location: Package overview From: .github/actions/package-lock.json → npm/@actions/github@6.0.0 → npm/@actions/core@1.10.1 → npm/tunnel@0.0.6 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tunnel@0.0.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm undici in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: .github/actions/package-lock.json → npm/@actions/github@6.0.0 → npm/@actions/core@1.10.1 → npm/undici@5.28.5 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@5.28.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm undici in module net Module: net Location: Package overview From: .github/actions/package-lock.json → npm/@actions/github@6.0.0 → npm/@actions/core@1.10.1 → npm/undici@5.28.5 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@5.28.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm undici in module http Module: http Location: Package overview From: .github/actions/package-lock.json → npm/@actions/github@6.0.0 → npm/@actions/core@1.10.1 → npm/undici@5.28.5 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@5.28.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm undici in module http2 Module: http2 Location: Package overview From: .github/actions/package-lock.json → npm/@actions/github@6.0.0 → npm/@actions/core@1.10.1 → npm/undici@5.28.5 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@5.28.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm undici in module tls Module: tls Location: Package overview From: .github/actions/package-lock.json → npm/@actions/github@6.0.0 → npm/@actions/core@1.10.1 → npm/undici@5.28.5 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@5.28.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Dynamic code execution: npm whatwg-url Eval Type: eval Location: Package overview From: .github/actions/package-lock.json → npm/mongodb@4.17.2 → npm/whatwg-url@11.0.0 ℹ Read more on: This package | This alert | What is dynamic code execution? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/whatwg-url@11.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm @aws-sdk/client-cognito-identity URLs: http://cognito-identity.amazonaws.com/doc/2014-06-30/, https://cognito-identity-fips.us-east-1.amazonaws.com, https://cognito-identity-fips.us-east-2.amazonaws.com, https://cognito-identity-fips.us-west-1.amazonaws.com, https://cognito-identity-fips.us-west-2.amazonaws.com, amazonaws.com, https://docs.aws.amazon.com/cognito/latest/developerguide/authentication-flow.html, https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html, https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-smithy-util-retry/Enum/RETRY_MODES/, https://docs.aws.amazon.com/cognito/latest/developerguide/external-identity-providers.html Location: Package overview From: .github/actions/package-lock.json → npm/mongodb@4.17.2 → npm/@aws-sdk/client-cognito-identity@3.1003.0 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@aws-sdk/client-cognito-identity@3.1003.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm @aws-sdk/core with https://a.co/c895JFp URLs: https://a.co/c895JFp Location: Package overview From: .github/actions/package-lock.json → npm/mongodb@4.17.2 → npm/@aws-sdk/core@3.973.18 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@aws-sdk/core@3.973.18. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
See 96 more rows in the dashboard

View full report