feat!(stellar-registry-cli): stellar-cli@v27.0.0

[chadoh]

Updates stellar-cli to use latest v27.0.0, with requisite related
changes.

Also copies stellar-scaffold-test into this project, rather than
relying on latest main from stellar-scaffold/cli

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​glob@​10.5.0
	npm/​vite@​5.0.12
	cargo/​tokio@​1.52.1 ⏵ 1.52.3
	npm/​astro@​4.2.4
	npm/​@​astrojs/​check@​0.4.1
	npm/​eslint-plugin-react-x@​1.53.1
	npm/​typescript-eslint@​8.62.0
	npm/​@​types/​react-dom@​19.2.3
	npm/​@​types/​react@​19.2.17
	cargo/​soroban-sdk@​26.0.0-rc.1 ⏵ 27.0.0-rc.1
	npm/​@​stellar/​design-system@​3.2.8
	cargo/​soroban-sdk@​26.0.0-rc.1 ⏵ 22.0.7	+2	-2
	npm/​globals@​11.12.0
	npm/​react@​19.2.7
	npm/​eslint-plugin-react-dom@​1.53.1
	npm/​@​eslint/​js@​9.39.4
	npm/​dotenv@​16.4.1
	npm/​eslint-plugin-react-refresh@​0.4.26
	npm/​@​vitejs/​plugin-react@​4.7.0
	npm/​typescript@​5.3.3
	npm/​react-dom@​19.2.7
	npm/​concurrently@​8.2.2
	cargo/​soroban-spec-tools@​26.0.0 ⏵ 27.0.0
	cargo/​soroban-token-sdk@​26.0.0-rc.1 ⏵ 22.0.3			-7
	npm/​eslint@​9.39.4
	npm/​eslint-plugin-react-hooks@​5.2.0

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Critical CVE: npm form-data uses unsafe random function in form-data for choosing boundary CVE: GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary (CRITICAL) Affected versions: < 2.5.4; >= 3.0.0 < 3.0.4; >= 4.0.0 < 4.0.4 Patched version: 4.0.4 From: crates/stellar-registry-test/fixtures/soroban-init-boilerplate/package-lock.json → npm/form-data@4.0.0 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/form-data@4.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Critical CVE: npm sha.js is missing type checks leading to hash rewind and passing on crafted data CVE: GHSA-95m3-7q98-8xr5 sha.js is missing type checks leading to hash rewind and passing on crafted data (CRITICAL) Affected versions: < 2.4.12 Patched version: 2.4.12 From: crates/stellar-registry-test/fixtures/soroban-init-boilerplate/package-lock.json → npm/sha.js@2.4.11 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/sha.js@2.4.11. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: cargo openssl is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: ? → cargo/reqwest@0.12.24 → cargo/openssl@0.10.81 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/openssl@0.10.81. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: The rs-soroban-sdk #[contractimpl] macro calls inherent function instead of trait function when names collide in cargo soroban-sdk-macros CVE: GHSA-4chv-4c6w-w254 The rs-soroban-sdk #[contractimpl] macro calls inherent function instead of trait function when names collide (HIGH) Affected versions: >= 25.0.0 < 25.1.1; >= 23.0.0 < 23.5.2; < 22.0.10 Patched version: 22.0.10 From: ? → cargo/soroban-sdk@22.0.7 → cargo/soroban-sdk-macros@22.0.7 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/soroban-sdk-macros@22.0.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: cargo tokio is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: Cargo.lock → cargo/tokio@1.52.3 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/tokio@1.52.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm @esbuild/aix-ppc64 is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: crates/stellar-registry-test/fixtures/soroban-init-boilerplate/package-lock.json → npm/vite@5.0.12 → npm/astro@4.2.4 → npm/@esbuild/aix-ppc64@0.19.12 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@esbuild/aix-ppc64@0.19.12. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm @ungap/structured-clone is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: crates/stellar-registry-test/fixtures/soroban-init-boilerplate/package-lock.json → npm/astro@4.2.4 → npm/@ungap/structured-clone@1.2.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ungap/structured-clone@1.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Astro: Host header SSRF in prerendered error page fetch CVE: GHSA-2pvr-wf23-7pc7 Astro: Host header SSRF in prerendered error page fetch (HIGH) Affected versions: < 6.4.6 Patched version: 6.4.6 From: crates/stellar-registry-test/fixtures/soroban-init-boilerplate/package-lock.json → npm/astro@4.2.4 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/astro@4.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Astro: Reflected XSS via unescaped slot name CVE: GHSA-8hv8-536x-4wqp Astro: Reflected XSS via unescaped slot name (HIGH) Affected versions: < 6.3.3 Patched version: 6.3.3 From: crates/stellar-registry-test/fixtures/soroban-init-boilerplate/package-lock.json → npm/astro@4.2.4 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/astro@4.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Astro's server source code is exposed to the public if sourcemaps are enabled CVE: GHSA-49w6-73cw-chjr Astro's server source code is exposed to the public if sourcemaps are enabled (HIGH) Affected versions: >= 5.0.0-alpha.0 < 5.0.8; < 4.16.18 Patched version: 4.16.18 From: crates/stellar-registry-test/fixtures/soroban-init-boilerplate/package-lock.json → npm/astro@4.2.4 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/astro@4.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Astro vulnerable to reflected XSS via the server islands feature CVE: GHSA-wrwg-2hg8-v723 Astro vulnerable to reflected XSS via the server islands feature (HIGH) Affected versions: < 5.15.8 Patched version: 5.15.8 From: crates/stellar-registry-test/fixtures/soroban-init-boilerplate/package-lock.json → npm/astro@4.2.4 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/astro@4.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter CVE: GHSA-p92q-9vqr-4j8v Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter (HIGH) Affected versions: >= 1.0.0 < 1.16.0; < 0.32.0 Patched version: 1.16.0 From: crates/stellar-registry-test/fixtures/soroban-init-boilerplate/package-lock.json → npm/axios@1.6.7 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.6.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection CVE: GHSA-j5f8-grm9-p9fc Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection (HIGH) Affected versions: >= 1.0.0 < 1.16.0; < 0.32.0 Patched version: 1.16.0 From: crates/stellar-registry-test/fixtures/soroban-init-boilerplate/package-lock.json → npm/axios@1.6.7 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.6.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection CVE: GHSA-hfxv-24rg-xrqf Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection (HIGH) Affected versions: >= 1.0.0 < 1.16.0; < 0.32.0 Patched version: 1.16.0 From: crates/stellar-registry-test/fixtures/soroban-init-boilerplate/package-lock.json → npm/axios@1.6.7 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.6.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: npm axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718) CVE: GHSA-pjwm-pj3p-43mv axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718) (HIGH) Affected versions: >= 1.0.0 < 1.16.0; < 0.32.0 Patched version: 1.16.0 From: crates/stellar-registry-test/fixtures/soroban-init-boilerplate/package-lock.json → npm/axios@1.6.7 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.6.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: npm axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy` CVE: GHSA-35jp-ww65-95wh axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in config.proxy (HIGH) Affected versions: >= 1.0.0 < 1.16.0 Patched version: 1.16.0 From: crates/stellar-registry-test/fixtures/soroban-init-boilerplate/package-lock.json → npm/axios@1.6.7 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.6.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: npm axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge CVE: GHSA-3g43-6gmg-66jw axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge (HIGH) Affected versions: >= 1.0.0 < 1.15.2; >= 0.19.0 < 0.31.1 Patched version: 1.15.2 From: crates/stellar-registry-test/fixtures/soroban-init-boilerplate/package-lock.json → npm/axios@1.6.7 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.6.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Axios: Header Injection via Prototype Pollution CVE: GHSA-6chq-wfr3-2hj9 Axios: Header Injection via Prototype Pollution (HIGH) Affected versions: >= 1.0.0 < 1.15.1; < 0.31.1 Patched version: 1.15.1 From: crates/stellar-registry-test/fixtures/soroban-init-boilerplate/package-lock.json → npm/axios@1.6.7 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.6.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking CVE: GHSA-pf86-5x62-jrwf Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking (HIGH) Affected versions: >= 1.0.0 < 1.15.1; < 0.31.1 Patched version: 1.15.1 From: crates/stellar-registry-test/fixtures/soroban-init-boilerplate/package-lock.json → npm/axios@1.6.7 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.6.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 CVE: GHSA-pmwg-cvhr-8vh7 Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 (HIGH) Affected versions: >= 1.0.0 < 1.15.1; < 0.31.1 Patched version: 1.15.1 From: crates/stellar-registry-test/fixtures/soroban-init-boilerplate/package-lock.json → npm/axios@1.6.7 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.6.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking CVE: GHSA-q8qp-cvcw-x6jj Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking (HIGH) Affected versions: >= 1.0.0 < 1.15.2 Patched version: 1.15.2 From: crates/stellar-registry-test/fixtures/soroban-init-boilerplate/package-lock.json → npm/axios@1.6.7 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.6.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: npm axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL CVE: GHSA-jr5f-v2jv-69x6 axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL (HIGH) Affected versions: >= 1.0.0 < 1.8.2; < 0.30.0 Patched version: 1.8.2 From: crates/stellar-registry-test/fixtures/soroban-init-boilerplate/package-lock.json → npm/axios@1.6.7 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.6.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig CVE: GHSA-43fc-jf86-j433 Axios is Vulnerable to Denial of Service via proto Key in mergeConfig (HIGH) Affected versions: >= 1.0.0 < 1.13.5; < 0.30.3 Patched version: 1.13.5 From: crates/stellar-registry-test/fixtures/soroban-init-boilerplate/package-lock.json → npm/axios@1.6.7 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.6.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Server-Side Request Forgery in npm axios CVE: GHSA-8hc4-vh64-cxmj Server-Side Request Forgery in axios (HIGH) Affected versions: >= 1.3.2 < 1.7.4 Patched version: 1.7.4 From: crates/stellar-registry-test/fixtures/soroban-init-boilerplate/package-lock.json → npm/axios@1.6.7 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.6.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Axios is vulnerable to DoS attack through lack of data size check CVE: GHSA-4hjh-wcwx-xvwj Axios is vulnerable to DoS attack through lack of data size check (HIGH) Affected versions: >= 1.0.0 < 1.12.0; >= 0.28.0 < 0.30.2 Patched version: 1.12.0 From: crates/stellar-registry-test/fixtures/soroban-init-boilerplate/package-lock.json → npm/axios@1.6.7 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.6.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
See 27 more rows in the dashboard

View full report