
deps: periodic dependency update #119

Draft
qw-in wants to merge 17 commits into main from quinn/deps-2026-03-09

Conversation

@qw-in (Member) commented Mar 9, 2026

Dependency Updates

| Example | Updates |
|---|---|
| expressjs | @types/node 20.19.32 |
| fastify | @types/node 20.19.32 |
| nestjs | @nestjs/common 11.1.13, @nestjs/config 4.0.3, @nestjs/core 11.1.13, @nestjs/platform-express 11.1.13, @types/node 20.19.32 |
| nextjs-bot-protection | @types/node 22.19.9, @types/react 19.2.13 |
| nextjs-fly | @types/node 22.19.9, @types/react 19.2.13 |
| nextjs-form | @types/node 22.19.9, @types/react 19.2.13 |
| nextjs-server-action | @types/node 22.19.9, @types/react 19.2.13 |
| nextjs | @playwright/test 1.58.2, @types/node 22.19.9, @types/react 19.2.13 |
| nuxt | @types/node 20.19.32 |
| react-router | @types/react 19.2.13 |
| tanstack-start | @tanstack/react-router 1.158.4, @tanstack/react-start 1.159.0, @types/node 24.10.11, @types/react 19.2.13 |

Security Fixes

| Example | Fixed | GHSA IDs |
|---|---|---|
| astro | svgo 4.0.0 → 4.0.1 | GHSA-xpqw-6gx7-v673 |
| fastify | fastify 5.7.4 → 5.8.2 | GHSA-573f-x89g-hqp9 |
| firebase-functions | @hono/node-server, express-rate-limit, hono, tar | GHSA-wc8c-qw6v-h7f6, GHSA-46wh-pxpv-q5gq, GHSA-5pq2-9x2x-5p6w, GHSA-p6xx-57qc-3wxr, GHSA-q5qw-6gx7-v32p, GHSA-qffp-2rhf-9h96 |
| nestjs | terser-webpack-plugin (serialize-javascript) | GHSA-5c6j-r48x-rmvq |
| nestjs | @nestjs/platform-express 11.1.13 → 11.1.16 (multer) | GHSA-xf7r-hgr6-v32p, GHSA-v52c-386h-88mc, GHSA-5528-5vmv-3xc2 |
| nuxt | svgo 4.0.0 → 4.0.1, tar 7.5.9 → 7.5.11 | GHSA-xpqw-6gx7-v673, GHSA-qffp-2rhf-9h96 |

Unresolvable Vulnerabilities

| Example | Package | Severity | Reason |
|---|---|---|---|
| firebase-functions | @tootallnate/once (×11) | Low | Deep in firebase-admin chain; fix requires firebase-admin@10.3.0 (breaking) |
| nestjs | ajv (×6) | Moderate | Deep in @nestjs/cli → angular-devkit chain; fix requires @nestjs/cli@7.6.0 (breaking) |
| nextjs-fly | diff (×2) | Low | In @flydotio/dockerfile; already at latest (0.7.10), upstream hasn't fixed |
| nuxt | serialize-javascript (×6) | High | Deep in nuxt → nitropack → @rollup/plugin-terser chain; no patched version available yet |
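A reviewer of a PR like this usually wants to confirm, offline and from the lockfile alone, that the versions listed as fixed are really gone, including nested copies under `<dep>/node_modules/<name>` that a quick `npm ls` spot check can miss. The script below is an added example, not the project's own tooling and not `npm audit`: the lockfile fixture is constructed, and while the patched versions come from the tables above, the affected ranges in `ADVISORIES` are assumptions (take real ranges from the GHSA database or `npm audit --json`).

```javascript
// Added example, not code from the PR or from any of the projects it updates.
// Checks a lockfile v2/v3 "packages" map against an advisory list and reports every
// installed copy still inside an affected range, nested copies included.
// Fixture and ranges are CONSTRUCTED; patched versions match the PR tables, the
// affected ranges are assumptions.

const LOCK_FIXTURE = {
  name: "mixed-example",
  lockfileVersion: 3,
  packages: {
    "": { name: "mixed-example", dependencies: { fastify: "^5.7.0", svgo: "^4.0.0", tar: "^7.5.0" } },
    "node_modules/fastify": { version: "5.7.4" }, // below the 5.8.2 fix in the PR
    "node_modules/svgo": { version: "4.0.1" },    // already at the patched version
    "node_modules/tar": { version: "7.5.11" },    // already at the patched version
    "node_modules/some-cli": { version: "1.0.0", dependencies: { tar: "7.5.9" } },
    "node_modules/some-cli/node_modules/tar": { version: "7.5.9" }, // nested copy, still old
  },
};

const ADVISORIES = [
  { id: "GHSA-573f-x89g-hqp9", name: "fastify", range: "<5.8.2" }, // range assumed
  { id: "GHSA-xpqw-6gx7-v673", name: "svgo", range: "<4.0.1" },    // range assumed
  { id: "GHSA-qffp-2rhf-9h96", name: "tar", range: "<7.5.11" },    // range assumed
];

function parseVersion(v) {
  // Prerelease/build suffixes ("1.2.3-beta.1") are ignored by design; the three
  // numeric components are what advisory ranges on released versions compare.
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// Deliberately small range grammar: whitespace-separated comparators that must all
// hold (">=5.0.0 <5.8.2"). Unknown syntax throws instead of silently passing.
function satisfies(version, range) {
  return range.trim().split(/\s+/).every((clause) => {
    const m = /^(<=|>=|<|>|=)?(\d+\.\d+\.\d+)$/.exec(clause);
    if (!m) throw new Error(`unsupported comparator: ${clause}`);
    const cmp = compareVersions(version, m[2]);
    switch (m[1] || "=") {
      case "<":  return cmp < 0;
      case "<=": return cmp <= 0;
      case ">":  return cmp > 0;
      case ">=": return cmp >= 0;
      default:   return cmp === 0;
    }
  });
}

// Package name is everything after the last "node_modules/" (keeps @scope/name intact).
function nameFromPath(lockPath) {
  const i = lockPath.lastIndexOf("node_modules/");
  return i === -1 ? null : lockPath.slice(i + "node_modules/".length);
}

function findVulnerable(lock, advisories) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = nameFromPath(lockPath);
    if (!name || !entry.version) continue;
    for (const adv of advisories) {
      if (adv.name === name && satisfies(entry.version, adv.range)) {
        hits.push({ id: adv.id, name, version: entry.version, path: lockPath });
      }
    }
  }
  return hits;
}

const HITS = findVulnerable(LOCK_FIXTURE, ADVISORIES);
for (const h of HITS) console.log(`${h.id}: ${h.name}@${h.version} at ${h.path}`);
```

Run against a real lockfile by replacing `LOCK_FIXTURE` with the parsed `package-lock.json`; the fixture is built so the hoisted `tar` is clean but the copy nested under `some-cli` still matches, which is exactly the case the "Unresolvable Vulnerabilities" table is about.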

qw-in added 17 commits March 9, 2026 15:41
@qw-in qw-in requested a review from a team March 9, 2026 16:25
@qw-in qw-in self-assigned this Mar 9, 2026
@qw-in qw-in changed the title from "Quinn/deps 2026 03 09" to "deps: periodic dependency update" Mar 9, 2026
@socket-security

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action Severity Alert
Block High
Obfuscated code: npm @tanstack/router-core is 98.0% likely obfuscated

Confidence: 0.98

Location: Package overview

From: examples/tanstack-start/package-lock.json → npm/@tanstack/react-router@1.158.4 → npm/@tanstack/react-start@1.159.0 → npm/@tanstack/router-core@1.158.4


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tanstack/router-core@1.158.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block High
Obfuscated code: npm seroval is 98.0% likely obfuscated

Confidence: 0.98

Location: Package overview

From: examples/tanstack-start/package-lock.json → npm/@tanstack/react-router@1.158.4 → npm/@tanstack/react-start@1.159.0 → npm/seroval@1.5.1


Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/seroval@1.5.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Potential security risk (AI signal): npm seroval is 80.0% likely risky

Notes: This is a serialization/deserialization library (Seroval) that intentionally generates JavaScript source for complex values and includes a helper (deserialize2) that calls eval on a string. The code does not show signs of covert malicious behavior (no exfiltration domains, no credential harvesting, no process spawning). However, it intentionally supports code-generation and evaluation which makes it dangerous to use with untrusted input. The immediate security concern is the eval-based execution path and general code-generation features — those allow arbitrary code execution if callers feed untrusted serialized strings or evaluate generated code. Use only with fully trusted input or avoid deserialize2/eval pathways and avoid evaluating serialized strings from untrusted sources.

Confidence: 0.80

Severity: 0.70

From: examples/tanstack-start/package-lock.json → npm/@tanstack/react-router@1.158.4 → npm/@tanstack/react-start@1.159.0 → npm/seroval@1.5.1


Suggestion: An AI system identified potential security problems in this package. It is advised to review the package thoroughly and assess the potential risks before installation. You may also consider reporting the issue to the package maintainer or seeking alternative solutions with a stronger security posture.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/seroval@1.5.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Potential security risk (AI signal): npm seroval is 85.0% likely risky

Notes: The code is a serializer/deserializer that intentionally generates executable JavaScript source for complex values and exposes a direct eval-based entry point (deserialize2). This enables arbitrary code execution if untrusted serialized input is evaluated. There are no signs of covert malicious exfiltration or backdoors, but the design is dangerous: do NOT call deserialize2 (or otherwise eval serialized strings from this library) on data from untrusted sources. Use this library only with fully trusted inputs or use safer deserialization alternatives that avoid executing generated code.

Confidence: 0.85

Severity: 0.70

From: examples/tanstack-start/package-lock.json → npm/@tanstack/react-router@1.158.4 → npm/@tanstack/react-start@1.159.0 → npm/seroval@1.5.1


Suggestion: An AI system identified potential security problems in this package. It is advised to review the package thoroughly and assess the potential risks before installation. You may also consider reporting the issue to the package maintainer or seeking alternative solutions with a stronger security posture.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/seroval@1.5.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm playwright-core is 100.0% likely to have a medium risk anomaly

Notes: The fragment provides a comprehensive storage serialization/deserialization mechanism with capabilities to read, serialize, and rehydrate user data across storage mechanisms. While legitimate for data migration or debugging, its ability to collect and restore storage states could enable data exfiltration or tampering if originState or serialized payloads are sourced from untrusted inputs. No explicit malicious payload is present, but the design warrants strict access controls, user consent, and narrow data-path exposure in an OpenVSX extension context. Overall, moderate risk due to data access and restoration capabilities; no definitive malware observed.

Confidence: 1.00

Severity: 0.60

From: examples/nextjs/package-lock.json → npm/@playwright/test@1.58.2 → npm/playwright-core@1.58.2


Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/playwright-core@1.58.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm playwright-core is 100.0% likely to have a medium risk anomaly

Notes: The code instruments Electron startup to allow external control over readiness via a global Playwright hook, enabling deterministic startup sequences or automation. While not inherently malicious, the capability to externally drive readiness and alter Chromium switches creates an attack surface if exposed to untrusted code or environments. No credentials or network activity detected in this fragment; risk is moderate and primarily revolves around lifecycle control and potential timing-based attacks if abused.

Confidence: 1.00

Severity: 0.60

From: examples/nextjs/package-lock.json → npm/@playwright/test@1.58.2 → npm/playwright-core@1.58.2


Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/playwright-core@1.58.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm playwright under CC-BY-4.0

License: CC-BY-4.0 - the applicable license policy does not allow this license (4) (package/ThirdPartyNotices.txt)

From: examples/nextjs/package-lock.json → npm/@playwright/test@1.58.2 → npm/playwright@1.58.2


Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/playwright@1.58.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Network access: npm @tanstack/start-server-core in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: examples/tanstack-start/package-lock.json → npm/@tanstack/react-start@1.159.0 → npm/@tanstack/start-server-core@1.159.0


Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tanstack/start-server-core@1.159.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Publisher changed: npm cors is now published by ulisesgascon instead of dougwilson

New Author: ulisesgascon

Previous Author: dougwilson

From: examples/nestjs/package-lock.json → npm/@nestjs/platform-express@11.1.16 → npm/cors@2.8.6


Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/cors@2.8.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report
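The two AI-signal notes on seroval above describe a deserializer whose wire format is JavaScript source restored with eval. The following is an added illustration of that hazard in general; it is not seroval's or TanStack's code. It shows a hypothetical `evalDeserialize` that behaves the way the notes describe, a constructed payload proving that whoever controls the string controls the process, and a parse-only alternative (tagged JSON plus an allowlisting reviver) that restores `Set` and `Map` values as data without executing anything. Function names and payloads are assumptions.

```javascript
// Added example; not code from seroval, TanStack or the PR. Demonstrates why an
// eval-based deserializer is a remote-code-execution sink on untrusted input, and a
// parse-only replacement for the common rich types. Names and payloads are hypothetical.

// 1. Code-generating style: the serialized form IS a JS expression, so restoring it
//    means evaluating it. Indirect eval runs in global scope with full ambient authority.
function evalDeserialize(source) {
  return (0, eval)(`(${source})`);
}

// Constructed hostile payload: a perfectly valid "serialized object" that also runs code.
const HOSTILE = 'globalThis.__deserializerDemo = "code ran", { user: "mallory" }';

function demoEvalPath() {
  delete globalThis.__deserializerDemo;
  const obj = evalDeserialize(HOSTILE); // the caller just sees a normal object...
  return { user: obj.user, sideEffect: globalThis.__deserializerDemo }; // ...but code ran
}

// 2. Parse-only alternative: rich values are encoded as tagged JSON and rebuilt by an
//    allowlist in the reviver. JSON.parse never evaluates anything, and an unknown tag
//    is an error rather than a code path.
function safeSerialize(value) {
  return JSON.stringify(value, (_key, v) => {
    if (v instanceof Set) return { $type: "Set", $value: [...v] };
    if (v instanceof Map) return { $type: "Map", $value: [...v] };
    return v;
  });
}

function safeDeserialize(text) {
  return JSON.parse(text, (_key, v) => {
    if (v && typeof v === "object" && typeof v.$type === "string") {
      switch (v.$type) {
        case "Set": return new Set(v.$value);
        case "Map": return new Map(v.$value);
        default: throw new TypeError(`unknown tag ${v.$type}`);
      }
    }
    return v;
  });
}

function demoSafePath() {
  const wire = safeSerialize({ user: "alice", roles: new Set(["reader", "writer"]) });
  const back = safeDeserialize(wire);
  let hostileRejected = false;
  try { safeDeserialize(HOSTILE); } catch (e) { hostileRejected = e instanceof SyntaxError; }
  let unknownTagRejected = false;
  try { safeDeserialize('{"fn":{"$type":"Function","$value":"return 1"}}'); }
  catch (e) { unknownTagRejected = e instanceof TypeError; }
  return {
    rolesIsSet: back.roles instanceof Set,
    hasWriter: back.roles.has("writer"),
    hostileRejected,
    unknownTagRejected,
  };
}

console.log(demoEvalPath());
console.log(demoSafePath());
```

The point is not that the library is malicious; the notes say it is not. It is that "use only with trusted input" has to be enforced at the boundary: either the serialized blob never crosses a trust boundary (server-rendered state the same server produced), or the format is one that a plain parser can reject, as the tagged-JSON variant does.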

@qw-in (Member, Author) commented Mar 9, 2026

Obfuscated code: npm seroval is 98.0% likely obfuscated

This package is odd. The 1.5.1 release was just pushed at the time of writing. It does not have a corresponding release or even a tag on the GitHub repo. It has 0 downloads reported on npm. It seems this package is gaining recent traction due to CVEs in similar libraries.

I'm going to sit on this and monitor for a few days before merging just to be on the safe side.
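Socket's "From:" lines above give one path from the lockfile to each flagged package. While a flagged package is being monitored, a reviewer usually also wants every path, and whether more than one copy is installed, which can be reconstructed from the lockfile's `packages` map the way `npm explain` does. The script below is an added example, not Socket's, npm's or the project's code; the lockfile fixture uses hypothetical package names and versions rather than the real tanstack-start graph.

```javascript
// Added example; not Socket's, npm's or the project's code. Reconstructs every
// root-to-package dependency chain for a named package from a lockfile v3 "packages"
// map, resolving nested node_modules the way Node does. Fixture is CONSTRUCTED.

const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "example-app",
      dependencies: { "web-framework": "^2.0.0" },
      devDependencies: { "test-runner": "^1.0.0" },
    },
    "node_modules/web-framework": { version: "2.1.0", dependencies: { "router-core": "^3.0.0", serializer: "^1.5.0" } },
    "node_modules/router-core": { version: "3.2.0", dependencies: { serializer: "^1.5.0" } },
    "node_modules/serializer": { version: "1.5.1" },
    "node_modules/test-runner": { version: "1.0.0", dev: true, dependencies: { serializer: "^0.9.0" } },
    // npm nests a second copy when the wanted range is incompatible with the hoisted one.
    "node_modules/test-runner/node_modules/serializer": { version: "0.9.4", dev: true },
  },
};

const NM = "node_modules/";

function nameOf(lockPath) {
  const i = lockPath.lastIndexOf(NM);
  return i === -1 ? null : lockPath.slice(i + NM.length);
}

// Enclosing package directory: "node_modules/a/node_modules/b" -> "node_modules/a",
// "node_modules/a" -> "" (the project root).
function parentOf(lockPath) {
  const i = lockPath.lastIndexOf(NM);
  return i <= 0 ? "" : lockPath.slice(0, i - 1);
}

// Node-style resolution: the dependency is the closest node_modules/<dep>, searched
// from the dependent's own directory upward to the project root.
function resolveDep(packages, fromPath, depName) {
  let dir = fromPath;
  for (;;) {
    const candidate = (dir ? dir + "/" : "") + NM + depName;
    if (packages[candidate]) return candidate;
    if (dir === "") return null; // not installed (e.g. an absent optional/peer dependency)
    dir = parentOf(dir);
  }
}

// Reverse edges: resolved path -> set of lockfile paths that depend on it.
function dependentsIndex(packages) {
  const rev = new Map();
  for (const [lockPath, entry] of Object.entries(packages)) {
    const deps = { ...entry.dependencies, ...entry.devDependencies, ...entry.optionalDependencies };
    for (const depName of Object.keys(deps)) {
      const target = resolveDep(packages, lockPath, depName);
      if (!target) continue;
      if (!rev.has(target)) rev.set(target, new Set());
      rev.get(target).add(lockPath);
    }
  }
  return rev;
}

function label(packages, lockPath) {
  if (lockPath === "") return packages[""].name || "(root)";
  return `${nameOf(lockPath)}@${packages[lockPath].version}`;
}

// Every chain "root → dep@ver → ... → target@ver" for each installed copy of
// targetName. The trail check stops dependency cycles from recursing forever.
function explain(lock, targetName) {
  const packages = lock.packages;
  const rev = dependentsIndex(packages);
  const chains = [];
  const walk = (lockPath, trail) => {
    if (trail.includes(lockPath)) return;
    const next = [lockPath, ...trail];
    if (lockPath === "") {
      chains.push(next.map((p) => label(packages, p)).join(" → "));
      return;
    }
    for (const parent of rev.get(lockPath) || []) walk(parent, next);
  };
  for (const lockPath of Object.keys(packages)) {
    if (nameOf(lockPath) === targetName) walk(lockPath, []);
  }
  return chains.sort();
}

const CHAINS = explain(SAMPLE_LOCK, "serializer");
for (const c of CHAINS) console.log(c);
```

To run it against the real lockfile, replace `SAMPLE_LOCK` with the parsed contents of `examples/tanstack-start/package-lock.json` and ask for `"seroval"`. The walk follows `dependencies`, `devDependencies` and `optionalDependencies`, so dev-only chains are listed next to production ones (the fixture's `test-runner` path shows a second, older copy that a hoisted-only check would miss), and Socket may print a given chain in a different order.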

@qw-in qw-in marked this pull request as draft March 9, 2026 16:30