deps: periodic dependency update

[Copilot]

• Update JavaScript examples to 1.3.1 & Python examples to 0.6.1.
• Periodic dependency updates
• Security patches
• Add simple Github action to build examples

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​@​react-router/​serve@​7.13.0 ⏵ 7.13.1	+1
	npm/​@​react-router/​fs-routes@​7.13.0 ⏵ 7.13.1
	npm/​@​react-router/​node@​7.13.0 ⏵ 7.13.1
	npm/​@​arcjet/​react-router@​1.3.0 ⏵ 1.3.1	-28			-5
	npm/​@​arcjet/​fastify@​1.3.0 ⏵ 1.3.1	-28			-5
	npm/​@​arcjet/​sveltekit@​1.3.0 ⏵ 1.3.1	-27			-4
	npm/​@​arcjet/​nuxt@​1.3.0 ⏵ 1.3.1	-27			-5
	npm/​@​arcjet/​nest@​1.3.0 ⏵ 1.3.1	-26			-4
	npm/​@​arcjet/​astro@​1.3.0 ⏵ 1.3.1	-24			-4
	npm/​@​tanstack/​react-router@​1.168.1 ⏵ 1.168.8	-3		+1
	npm/​@​react-router/​dev@​7.13.0 ⏵ 7.13.1	+1		+1
	npm/​@​sveltejs/​adapter-node@​5.5.3 ⏵ 5.5.4	+1			-5
	npm/​@​arcjet/​decorate@​1.3.0 ⏵ 1.3.1	-22			-4
	npm/​react-router@​7.13.0 ⏵ 7.13.1	+1		+1
	npm/​@​astrojs/​check@​0.9.6 ⏵ 0.9.8				+4
	npm/​@​types/​node@​24.10.13 ⏵ 20.19.35
	npm/​@​types/​node@​24.10.13 ⏵ 22.19.13
	npm/​@​types/​node@​24.10.13 ⏵ 24.11.0			+1	+1
	npm/​@​arcjet/​node@​1.3.0 ⏵ 1.3.1	-18			-4
	npm/​@​tanstack/​react-start@​1.167.2 ⏵ 1.167.13
	npm/​firebase-functions@​7.0.5 ⏵ 7.0.6	+3		+1
	npm/​class-validator@​0.14.3 ⏵ 0.15.1	+1		+1
	npm/​@​arcjet/​inspect@​1.3.0 ⏵ 1.3.1	-12			-4
	npm/​vue@​3.5.28 ⏵ 3.5.29	+1		+1
	npm/​firebase-admin@​13.6.1 ⏵ 13.7.0	+1		+1	-2
	npm/​vue-tsc@​3.2.4 ⏵ 3.2.5			+22	-1
	npm/​react-hook-form@​7.71.1 ⏵ 7.71.2	+1		+1	+2
	npm/​svelte-check@​4.4.1 ⏵ 4.4.4				-1
	npm/​@​arcjet/​next@​1.3.0 ⏵ 1.3.1	-4			-4
	pypi/​gunicorn@​25.1.0 ⏵ 25.3.0	+1
	npm/​fastify@​5.8.2 ⏵ 5.8.4	+1	+2
	pypi/​uvicorn@​0.41.0 ⏵ 0.42.0	+1
See 2 more rows in the dashboard

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Publisher changed: npm path-to-regexp is now published by ulisesgascon Author: ulisesgascon From: examples/firebase-functions/package-lock.json → npm/firebase-functions@7.0.6 → npm/firebase-tools@15.10.0 → npm/path-to-regexp@0.1.13 ℹ Read more on: This package | This alert | What is unstable ownership? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/path-to-regexp@0.1.13. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm @arcjet/analyze-wasm in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: examples/fastify/package-lock.json → npm/@arcjet/fastify@1.3.1 → npm/@arcjet/analyze-wasm@1.3.1 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@arcjet/analyze-wasm@1.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Low adoption: npm @arcjet/astro Location: Package overview From: examples/astro/package-lock.json → npm/@arcjet/astro@1.3.1 ℹ Read more on: This package | This alert | What are unpopular packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Unpopular packages may have less maintenance and contain other problems. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@arcjet/astro@1.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Low adoption: npm @arcjet/fastify Location: Package overview From: examples/fastify/package-lock.json → npm/@arcjet/fastify@1.3.1 ℹ Read more on: This package | This alert | What are unpopular packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Unpopular packages may have less maintenance and contain other problems. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@arcjet/fastify@1.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Low adoption: npm @arcjet/nest Location: Package overview From: examples/nestjs/package-lock.json → npm/@arcjet/nest@1.3.1 ℹ Read more on: This package | This alert | What are unpopular packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Unpopular packages may have less maintenance and contain other problems. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@arcjet/nest@1.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Low adoption: npm @arcjet/nuxt Location: Package overview From: examples/nuxt/package-lock.json → npm/@arcjet/nuxt@1.3.1 ℹ Read more on: This package | This alert | What are unpopular packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Unpopular packages may have less maintenance and contain other problems. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@arcjet/nuxt@1.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Low adoption: npm @arcjet/react-router Location: Package overview From: examples/react-router/package-lock.json → npm/@arcjet/react-router@1.3.1 ℹ Read more on: This package | This alert | What are unpopular packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Unpopular packages may have less maintenance and contain other problems. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@arcjet/react-router@1.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Low adoption: npm @arcjet/sveltekit Location: Package overview From: examples/sveltekit/package-lock.json → npm/@arcjet/sveltekit@1.3.1 ℹ Read more on: This package | This alert | What are unpopular packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Unpopular packages may have less maintenance and contain other problems. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@arcjet/sveltekit@1.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm @tanstack/router-core in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: examples/tanstack-start/package-lock.json → npm/@tanstack/react-start@1.167.13 → npm/@tanstack/react-router@1.168.8 → npm/@tanstack/router-core@1.168.7 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tanstack/router-core@1.168.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Environment variable access: npm @arcjet/fastify Location: Package overview From: examples/fastify/package-lock.json → npm/@arcjet/fastify@1.3.1 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@arcjet/fastify@1.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Environment variable access: npm @arcjet/inspect reads ARCJET_KEY Env Vars: ARCJET_KEY Location: Package overview From: examples/fastify/package-lock.json → npm/@arcjet/inspect@1.3.1 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@arcjet/inspect@1.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Environment variable access: npm @arcjet/nest Location: Package overview From: examples/nestjs/package-lock.json → npm/@arcjet/nest@1.3.1 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@arcjet/nest@1.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Environment variable access: npm @arcjet/next Location: Package overview From: examples/nextjs/package-lock.json → npm/@arcjet/next@1.3.1 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@arcjet/next@1.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Environment variable access: npm @arcjet/next reads VERCEL Env Vars: VERCEL Location: Package overview From: examples/nextjs/package-lock.json → npm/@arcjet/next@1.3.1 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@arcjet/next@1.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Environment variable access: npm @arcjet/next reads VERCEL_GIT_COMMIT_SHA Env Vars: VERCEL_GIT_COMMIT_SHA Location: Package overview From: examples/nextjs/package-lock.json → npm/@arcjet/next@1.3.1 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@arcjet/next@1.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Environment variable access: npm @arcjet/node reads SOMEVAR Env Vars: SOMEVAR Location: Package overview From: examples/expressjs/package-lock.json → npm/@arcjet/node@1.3.1 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@arcjet/node@1.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Environment variable access: npm @arcjet/node reads FLY_APP_NAME Env Vars: FLY_APP_NAME Location: Package overview From: examples/expressjs/package-lock.json → npm/@arcjet/node@1.3.1 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@arcjet/node@1.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Environment variable access: npm @arcjet/node reads VERCEL Env Vars: VERCEL Location: Package overview From: examples/expressjs/package-lock.json → npm/@arcjet/node@1.3.1 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@arcjet/node@1.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Environment variable access: npm @arcjet/node reads RENDER Env Vars: RENDER Location: Package overview From: examples/expressjs/package-lock.json → npm/@arcjet/node@1.3.1 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@arcjet/node@1.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Environment variable access: npm @arcjet/node reads MODE Env Vars: MODE Location: Package overview From: examples/expressjs/package-lock.json → npm/@arcjet/node@1.3.1 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@arcjet/node@1.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Environment variable access: npm @arcjet/node reads NODE_ENV Env Vars: NODE_ENV Location: Package overview From: examples/expressjs/package-lock.json → npm/@arcjet/node@1.3.1 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@arcjet/node@1.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Environment variable access: npm @arcjet/node reads ARCJET_ENV Env Vars: ARCJET_ENV Location: Package overview From: examples/expressjs/package-lock.json → npm/@arcjet/node@1.3.1 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@arcjet/node@1.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Environment variable access: npm @arcjet/node reads ARCJET_LOG_LEVEL Env Vars: ARCJET_LOG_LEVEL Location: Package overview From: examples/expressjs/package-lock.json → npm/@arcjet/node@1.3.1 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@arcjet/node@1.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Environment variable access: npm @arcjet/node reads ARCJET_BASE_URL Env Vars: ARCJET_BASE_URL Location: Package overview From: examples/expressjs/package-lock.json → npm/@arcjet/node@1.3.1 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@arcjet/node@1.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Environment variable access: npm @arcjet/node reads FIREBASE_CONFIG Env Vars: FIREBASE_CONFIG Location: Package overview From: examples/expressjs/package-lock.json → npm/@arcjet/node@1.3.1 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@arcjet/node@1.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Environment variable access: npm @arcjet/react-router Location: Package overview From: examples/react-router/package-lock.json → npm/@arcjet/react-router@1.3.1 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@arcjet/react-router@1.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Environment variable access: npm @tanstack/react-router reads NODE_ENV Env Vars: NODE_ENV Location: Package overview From: examples/tanstack-start/package-lock.json → npm/@tanstack/react-router@1.168.8 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tanstack/react-router@1.168.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
See 11 more rows in the dashboard

Ignoring alerts on:

• pypi/wasmtime@42.0.0
• pypi/wasmtime@42.0.0
• pypi/wasmtime@42.0.0
• pypi/wasmtime@42.0.0
• pypi/wasmtime@42.0.0
• pypi/wasmtime@42.0.0
• pypi/wasmtime@42.0.0
• pypi/wasmtime@42.0.0
• pypi/wasmtime@42.0.0
• pypi/wasmtime@42.0.0
• pypi/wasmtime@42.0.0
• pypi/wasmtime@42.0.0
• npm/yaml@2.8.3
• npm/ajv@6.14.0

View full report

[qw-in]

@SocketSecurity ignore pypi/typeid-python@0.3.9

Acceptable risk

@SocketSecurity ignore pypi/uuid-utils@0.14.1

Acceptable risk

@SocketSecurity ignore pypi/wasmtime@42.0.0

Acceptable risk

@SocketSecurity ignore npm/ajv@6.14.0

Acceptable risk

@SocketSecurity ignore npm/yaml@2.8.3

Previous version has cve

[qw-in]

Blocked by arcjet/arcjet-py#2