
Version Packages #14095

Open
github-actions[bot] wants to merge 1 commit into main from changeset-release/main

Conversation

@github-actions github-actions bot commented Apr 10, 2026

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

@audius/common@1.5.78

Patch Changes

  • 44dba8d: Automatically follow an artist when a user successfully purchases their artist coin
  • 6da21c6: Add a dedicated Playlist: Play amplitude event that fires when a user starts playback of a playlist or album from the collection page or from a collection tile on web and mobile
  • 2e2e7b3: Add collectionId to PLAYBACK_PLAY analytics events when a track is played from a playlist or album context

@audius/mobile@1.5.177

Patch Changes

  • 44dba8d: Automatically follow an artist when a user successfully purchases their artist coin
  • 6da21c6: Add a dedicated Playlist: Play amplitude event that fires when a user starts playback of a playlist or album from the collection page or from a collection tile on web and mobile
  • 2e2e7b3: Add collectionId to PLAYBACK_PLAY analytics events when a track is played from a playlist or album context
  • Updated dependencies [44dba8d]
  • Updated dependencies [6da21c6]
  • Updated dependencies [2e2e7b3]
    • @audius/common@1.5.78

@audius/web@1.5.170

Patch Changes

  • 44dba8d: Automatically follow an artist when a user successfully purchases their artist coin
  • 6da21c6: Add a dedicated Playlist: Play amplitude event that fires when a user starts playback of a playlist or album from the collection page or from a collection tile on web and mobile
  • 2e2e7b3: Add collectionId to PLAYBACK_PLAY analytics events when a track is played from a playlist or album context
  • Updated dependencies [44dba8d]
  • Updated dependencies [6da21c6]
  • Updated dependencies [2e2e7b3]
    • @audius/common@1.5.78

@github-actions github-actions bot force-pushed the changeset-release/main branch 4 times, most recently from 5da05c5 to c732b2f on April 10, 2026 18:08

socket-security bot commented Apr 10, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff   Package                 Supply Chain Security  Vulnerability  Quality  Maintenance  License
Added  npm/ts-mocha@10.0.0     99                     100            97       80           100
Added  npm/typescript@4.3.5    100                    100            100      99           80
Added  npm/prettier@2.6.2      92                     100            98       90           100

socket-security bot commented Apr 10, 2026

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action  Severity  Alert
Block Low
Potential code anomaly (AI signal): npm mkdirp is 100.0% likely to have a medium risk anomaly

Notes: The code represents a conventional, non-malicious mkdir -p implementation with both asynchronous and synchronous interfaces. Primary security considerations are the default 0777 permissions which may be inappropriate in sensitive directories if not overridden, and potential path traversal risks depending on usage context. No evidence of malware, data leakage, backdoors, or obfuscated malicious behavior was found in this fragment.

Confidence: 1.00

Severity: 0.60

From: npm/ts-mocha@10.0.0 → npm/mkdirp@0.5.6

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/mkdirp@0.5.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm pako is 100.0% likely to have a medium risk anomaly

Notes: The code constitutes a robust, standard UTF-8/UTF-16 conversion utility with appropriate fallback paths for environments lacking TextEncoder/TextDecoder. It handles surrogate pairs, invalid sequences, and boundary-safe slicing correctly. No malicious behavior or data leakage is evident in this isolated module; it is safe to rely on as a helper in the open-source supply chain when used as intended.

Confidence: 1.00

Severity: 0.60

From: npm/@coral-xyz/anchor@0.28.0 → npm/pako@2.1.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/pako@2.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm tsconfig-paths is 100.0% likely to have a medium risk anomaly

Notes: The code is mostly straightforward utility functions, but the readJsonFromDiskSync function is a potential security and integrity risk due to using require() on a user-provided path to load JSON content. If an attacker can influence the path to point to a non-JSON or a JS module with side effects, this could lead to code execution or unintended behavior. readJsonFromDiskAsync is safer for JSON data but lacks error handling for invalid JSON, which could cause runtime exceptions. Overall, the presence of require() on an external path is the primary security concern.

Confidence: 1.00

Severity: 0.60

From: npm/ts-mocha@10.0.0 → npm/tsconfig-paths@3.14.2

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tsconfig-paths@3.14.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm utf-8-validate is 100.0% likely to have a medium risk anomaly

Notes: This command is typically benign and used to compile native addons. However, because it builds and may execute native code, it poses greater risk than pure-JS installs: malicious or vulnerable native source could introduce privilege-escalation, arbitrary code execution, or other system-level impacts. Review the native source, build scripts, and any downloaded prebuilt binaries before trusting the package.

Confidence: 1.00

Severity: 0.60

From: npm/@solana/web3.js@1.78.4 → npm/utf-8-validate@5.0.10

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/utf-8-validate@5.0.10. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm workerpool is 100.0% likely to have a medium risk anomaly

Notes: This module implements a worker runtime that intentionally supports executing function source code received via messages using new Function. That design enables arbitrary code execution within the worker and is dangerous if the origin of the submitted code is untrusted. The code itself doesn't contain signs of hidden malicious behavior (no hardcoded secrets, no external network connections, no shell spawning), but the dynamic-code-execution capability is a high-risk feature that requires careful use. If you accept and forward untrusted strings to worker.methods.run, that is effectively remote code execution. Otherwise, the module appears legitimate for its intended workerpool use.

Confidence: 1.00

Severity: 0.60

From: npm/mocha@9.0.3 → npm/workerpool@6.1.5

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/workerpool@6.1.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm yargs is 100.0% likely to have a medium risk anomaly

Notes: The analyzed fragment is a non-malicious environment shim for an OpenVSX extension, exposing safe utilities and deliberately blocking dynamic requires. While it does expose an interface to read environment variables, there is no active data exfiltration, persistence, or external network interaction. Risk is low to moderate due to potential misuse of getEnv, but within this isolated module there is no malicious behavior detected.

Confidence: 1.00

Severity: 0.60

From: npm/mocha@9.0.3 → npm/yargs@16.2.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/yargs@16.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Potential code anomaly (AI signal): npm yargs is 100.0% likely to have a medium risk anomaly

Notes: The code is a standard implementation for generating CLI completions with support for zsh and sh/bash, including handling of commands, options, and negative option forms. It delegates potentially untrusted logic to user-provided callbacks (completionFunction and command builders), which is typical for extensible CLI frameworks. The primary risk is the usual risk of executing user-supplied code, which is expected in this context, not a covert malware pattern.

Confidence: 1.00

Severity: 0.60

From: npm/mocha@9.0.3 → npm/yargs@16.2.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/yargs@16.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

@github-actions github-actions bot force-pushed the changeset-release/main branch from c732b2f to 1fade37 on April 10, 2026 20:28