Bump Playwright to the latest version, resolving some Dependabot alerts while also moving our browser tests to newer browsers.
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
View full report
[!WARNING]
MetaMask internal reviewing guidelines:
- Do not ignore-all
- Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
- Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
@SocketSecurity ignore npm/PACKAGE@VERSION
| Action |
Severity |
Alert (click "▶" to expand/collapse) |
| Warn |
 |
[email protected] is a AI-detected potential code anomaly.
Notes: The code appears to be a legitimate component of a Playwright-like automation framework, focusing on page bindings, event-driven dispatch, and frame/viewport/evaluation orchestration. There is no immediate malware indication, but the binding/dispatch mechanism introduces a moderate security risk contingent on the trustworthiness of bindings and payloads. Primary recommendations: enforce strict binding registration controls, validate all payloads, sandbox binding executions, and minimize/log-filter any sensitive data in logs. Overall risk is moderate with targeted improvements needed around payload trust boundaries.
Confidence: 1.00
Severity: 0.60
From: ? → npm/[email protected] → npm/[email protected]
ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?
Next steps: Take a moment to review the security alert
above. Review the linked package source code to understand the potential
risk. Ensure the package is not malicious before proceeding. If you're
unsure how to proceed, reach out to your security team or ask the Socket
team for help at [email protected].
Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.
Mark the package as acceptable risk. To ignore this alert only
in this pull request, reply with the comment
@SocketSecurity ignore npm/[email protected]. You can
also ignore all packages with @SocketSecurity ignore-all.
To ignore an alert for all future pull requests, use Socket's Dashboard to
change the triage state of this alert.
|
Ignoring alerts on:
View full report
@SocketSecurity ignore npm/[email protected]
Network access expected.
MetaMask
![socket-security[bot] avatar](https://avatars.githubusercontent.com/in/156372?v=4 "Published by a pub.dev verified publisher"){kind=small}