chore: drop pedalboard plugins now living in pedalboard repo + k8s

[dylanjeffers]

Summary

• The pedalboard apps (anti-abuse-oracle, archiver, staking, app-template) and the shared pedalboard packages (basekit, logger, storage, tsconfig, eslint-config-custom*, jest-presets) have been migrated to the standalone pedalboard repo and now deploy from k8s. This PR removes the stale copies under packages/discovery-provider/plugins/pedalboard and every tooling reference that still pointed at them.
• Net: -52 files removed from the repo, -197 lines across the tooling that referenced them, package-lock pruned of all pedalboard workspaces and their transitive deps.

What changed

• Deleted: packages/discovery-provider/plugins/pedalboard/**, dev-tools/compose/docker-compose.pedalboard.{dev,prod}.yml, dev-tools/compose/Dockerfile.notifications-test.
• package.json: dropped the pedalboard workspaces entries and the four pedalboard:* turbo scripts.
• packages/compose/package.json: dropped @pedalboard/staking and @pedalboard/archiver, so npm run protocol no longer tries to build deleted workspaces.
• dev-tools/compose/docker-compose.yml: removed the staking / anti-abuse / archiver service entries and the dead audius-pedalboard extra_host.
• dev-tools/compose/docker-compose.test.yml: removed test-notifications — notifications tests now live in the pedalboard repo.
• dev-tools/audius-compose: removed the -p / --pedalboard flag, the --profile=pedalboard injection, and the audius-pedalboard LOCALHOSTS entry. The -o / --anti-abuse-oracle flag stays because it already points at the external ../anti-abuse-oracle repo, not the deleted in-repo copy.
• dev-tools/environment/api.env: removed the stale antiAbuseOracle=http://audius-anti-abuse-oracle-1:8000 URL that pointed at the removed container.
• buf.gen.yaml: dropped the pedalboard/gen/audiusd-sdk output target.
• package-lock.json: regenerated via npm install --package-lock-only; pedalboard workspaces and their transitive deps are pruned.

Left intentionally

• packages/discovery-provider/src/queries/get_notifications.py comment that mentions pedalboard — still factually correct (pedalboard, now in its own repo, is what emits those notification types).
• packages/spl/** antiAbuseOracle* references — those are on-chain reward-manager concepts, not pedalboard code.
• .changeset/*.md — historical changelog entries.

Test plan

• Local: confirm npm install succeeds at the repo root after this lands
• Local: confirm npm run protocol / audius-compose up brings the stack up without the pedalboard profile
• CI: confirm there are no remaining jobs that build/test pedalboard workspaces (none expected — grep showed zero CI references)
• Confirm with the team that the local AAO endpoint removal in api.env is fine (the Go API will now have no AAO endpoint configured locally; if local AAO is needed, run with audius-compose up -o against the external anti-abuse-oracle repo)

🤖 Generated with Claude Code

[changeset-bot]

⚠️ No Changeset found

Latest commit: f1dca96

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​@​babel/​plugin-proposal-class-static-block@​7.21.0
	npm/​@​certusone/​wormhole-sdk@​0.1.1
	npm/​@​esbuild-plugins/​node-globals-polyfill@​0.2.3
	npm/​@​babel/​preset-typescript@​7.28.5 ⏵ 7.22.15
	npm/​@​babel/​plugin-transform-runtime@​7.19.6 ⏵ 7.18.2
	npm/​@​emotion/​server@​11.11.0
	npm/​@​babel/​helper-compilation-targets@​7.22.1 ⏵ 7.27.1			+1
	npm/​@​audius/​fetch-nft@​0.2.8
	npm/​@​babel/​plugin-transform-react-jsx@​7.21.0
	npm/​@​babel/​template@​7.21.9 ⏵ 7.27.1	+1		+1
	npm/​@​audius/​hedgehog@​3.0.0-alpha.1
	npm/​@​babel/​preset-env@​7.22.15
	npm/​@​atlaskit/​pragmatic-drag-and-drop@​1.7.7
	npm/​@​audius/​stems@​0.3.10
	npm/​@​babel/​helper-module-transforms@​7.22.1 ⏵ 7.27.1	+1		+1
	npm/​@​babel/​parser@​7.22.4 ⏵ 7.27.1			-4
	npm/​@​babel/​compat-data@​7.22.3 ⏵ 7.27.1	+1		+1
	npm/​@​coral-xyz/​anchor@​0.29.0
	npm/​@​babel/​runtime@​7.20.7 ⏵ 7.18.3
	npm/​@​babel/​generator@​7.22.3 ⏵ 7.27.1			+1
	npm/​@​babel/​traverse@​7.22.4 ⏵ 7.27.1	+1	+75	+1
	npm/​@​babel/​helpers@​7.22.3 ⏵ 7.27.1		+2	+1
	npm/​@​babel/​core@​7.22.1 ⏵ 7.23.7			+1
	npm/​@​elastic/​elasticsearch@​8.1.0
	npm/​@​babel/​types@​7.22.4 ⏵ 7.27.1	+1
	npm/​@​emotion/​styled@​11.14.0
	npm/​@​emotion/​eslint-plugin@​11.12.0
	npm/​@​bravemobile/​react-native-code-push@​12.3.2
	npm/​@​emotion/​babel-preset-css-prop@​11.12.0
	npm/​@​commander-js/​extra-typings@​12.1.0
	npm/​@​emotion/​react@​11.14.0
	npm/​@​emotion/​native@​11.11.0
See 10 more rows in the dashboard

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Critical CVE: npm form-data uses unsafe random function in form-data for choosing boundary CVE: GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary (CRITICAL) Affected versions: < 2.5.4; >= 3.0.0 < 3.0.4; >= 4.0.0 < 4.0.4 Patched version: 4.0.4 From: package-lock.json → npm/form-data@4.0.1 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/form-data@4.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @amplitude/session-replay-browser is 100.0% likely to have a medium risk anomaly Notes: This is a session-replay / DOM-capture library that intentionally collects detailed page state (DOM, canvas bitmaps, user interactions), persists them locally, compresses, and sends them to Amplitude session-replay endpoints. The behavior is expected for such SDKs. The primary security concern is privacy/data exfiltration: if misconfigured or used without user consent, the library can capture sensitive inputs and page content. No evidence of traditional malware (reverse shell, arbitrary remote code execution, eval-based payloads) was found in the provided fragment. Recommendations: only use from trusted package sources, ensure masking/ignore selectors are tightly configured (especially for inputs and sensitive CSS selectors), review remote config behavior (it fetches sampling/privacy config), consider privacy/legal implications (consent), and monitor network endpoints and API keys. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@amplitude/plugin-session-replay-browser@1.8.2 → npm/@amplitude/session-replay-browser@1.15.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@amplitude/session-replay-browser@1.15.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @audius/hedgehog is 100.0% likely to have a medium risk anomaly Notes: The source code contains hardcoded sensitive credentials and cryptographic material that are directly exported, posing a high security risk if used in production or published publicly. There is no evidence of malware or obfuscation, but the insecure practice of embedding plaintext passwords and keys in source code can lead to credential leakage and compromise. It is strongly recommended to remove hardcoded secrets, implement secure credential management, and restrict exposure of sensitive data. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@audius/hedgehog@3.0.0-alpha.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@audius/hedgehog@3.0.0-alpha.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @babel/core is 100.0% likely to have a medium risk anomaly Notes: The analyzed code fragment is a standard Babel core error handling and code-frame rendering utility. It reads internal node and code data to produce informative errors but does not perform any suspicious network activity, data exfiltration, or backdoor behavior. The observed behavior is typical for a compiler/transpiler component and, in this isolated context, does not indicate malicious activity. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@babel/core@7.23.7 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/core@7.23.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @babel/core is 100.0% likely to have a medium risk anomaly Notes: The analyzed fragment implements a conventional file transformation entry point with no evident malicious behavior or hard-coded secrets. Security concerns depend on the downstream transformation logic (run) and configuration loading (loadConfig). The code maintains safe control flow (null config handling) and avoids arbitrary code execution within this scope. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@babel/core@7.23.7 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/core@7.23.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @babel/helper-module-transforms is 100.0% likely to have a medium risk anomaly Notes: The code is a legitimate, static-code transformation utility used in Babel to ensure proper behavior of ES module bindings after transforms. There is no evidence of malicious behavior, data leakage, or external communications within this fragment. It operates purely on AST-level transformations consistent with module import/export handling. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@babel/helper-module-transforms@7.27.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helper-module-transforms@7.27.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @babel/helpers is 100.0% likely to have a medium risk anomaly Notes: The analyzed fragment is a conventional Babel/TypeScript-style decorators runtime (applyDecs) responsible for applying decorators to class members and managing metadata and initializers. There is no evidence of malware, backdoors, or external data leakage within this module. While complex, the code behaves as a metadata-driven decorator processor and should be considered low risk when used as intended. Downstream risks depend on the decorators provided by consumers, not this utility itself. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@babel/helpers@7.27.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helpers@7.27.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @babel/plugin-syntax-typescript is 100.0% likely to have a medium risk anomaly Notes: The code is a standard Babel plugin fragment that configures syntax support for TypeScript by manipulating parser plugins. There is no malicious logic, no data exfiltration, and no unsafe operations. It appears to be a legitimate helper for enabling TypeScript syntax in Babel pipelines. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@babel/preset-typescript@7.22.15 → npm/@babel/plugin-syntax-typescript@7.27.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/plugin-syntax-typescript@7.27.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @babel/runtime is 100.0% likely to have a medium risk anomaly Notes: The module implements a legitimate Babel runtime polyfill for named capture groups, using established patterns (WeakMap, prototype inheritance, lazy initialization) to augment RegExp results and substitutions. No evidence of malicious activity, data leakage, or external communication. Overall security risk is low but the code warrants standard review for potential debugging complexity due to prototype and factory redefinition. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@babel/runtime@7.18.3 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/runtime@7.18.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @babel/runtime is 100.0% likely to have a medium risk anomaly Notes: Selected report 1 provides a thorough evaluation of decorator-related runtime utilities and concludes low risk with potential for finishers to alter constructors if used with untrusted inputs. The improved assessment confirms normal, expected behavior for Babel decorator infrastructure and notes that the primary risk lies in the finishers channel if untrusted code is supplied. Security risk remains low to moderate depending on input provenance; malware likelihood is negligible based on the fragment. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@changesets/cli@2.27.1 → npm/@babel/runtime@7.24.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/runtime@7.24.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @bravemobile/react-native-code-push is 75.0% likely to have a medium risk anomaly Notes: The fragment represents a standard, legitimate OTA update mechanism for React Native, with normal update orchestration, user prompts, retry/rollback, and status reporting. There is no obvious malicious behavior or backdoor within this code fragment. The main security considerations relate to the integrity and authenticity of updates, secure transport, and the security of the native bridge implementation. Overall risk is moderate due to remote updates, but not due to internal malicious code in this snippet. Confidence: 0.75 Severity: 0.55 From: package-lock.json → npm/@bravemobile/react-native-code-push@12.3.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@bravemobile/react-native-code-push@12.3.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @certusone/wormhole-sdk is 100.0% likely to have a medium risk anomaly Notes: The analyzed code is a standard, autogenerated ethers.js ContractFactory for an NFTBridge contract. No malicious behavior detected within this fragment. Security posture is typical for library code; risk depends on the on-chain contract and provider configuration, not this loader. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@certusone/wormhole-sdk@0.1.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@certusone/wormhole-sdk@0.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @clack/prompts is 100.0% likely to have a medium risk anomaly Notes: The code fragment appears to be a part of a larger project related to CLI interactions and logging. The heavy obfuscation, incomplete functions, and potential untrusted input handling raise concerns about its security and reliability. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@clack/prompts@0.7.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@clack/prompts@0.7.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @cspotcode/source-map-support is 100.0% likely to have a medium risk anomaly Notes: The fragment is consistent with a legitimate source-map support utility (likely source-map-support) used to enhance debugging by resolving and applying source maps. While it performs long-lived network/file I/O and intensively manipulates error reporting, there is no concrete evidence of malicious activity or data exfiltration beyond what such debugging tooling normally performs. The security risk is modest and largely dependent on trust in remote map sources and logging practices. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@cspotcode/source-map-support@0.8.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@cspotcode/source-map-support@0.8.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @emotion/cache is 100.0% likely to have a medium risk anomaly Notes: The analyzed fragment is a legitimate part of Emotion’s CSS-in-JS cache that manages hydration of server-rendered styles and style insertion. It does not exhibit malicious behavior or supply chain exploits within this snippet. The security risk is low to moderate (primarily DOM manipulation, which is expected for a UI library), with no evident data leakage or external communications. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@emotion/css@11.13.5 → npm/@emotion/react@11.14.0 → npm/@emotion/cache@11.14.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emotion/cache@11.14.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @emotion/styled is 100.0% likely to have a medium risk anomaly Notes: Overall, this is a standard, non-malicious portion of the Emotion styling library. No evidence of backdoors, credential theft, or external network/data exfiltration. The primary risk vector is the CSS-in-DOM injection path via dangerouslySetInnerHTML, which is expected but should be reviewed in the context of trusted inputs. Security posture is low-to-moderate; no immediate danger, but maintain caution with user-supplied template literals and ensure dependencies are trusted. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@emotion/styled@11.14.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emotion/styled@11.14.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm axios is 100.0% likely to have a medium risk anomaly Notes: The code appears to be a standard, well-scoped progress-event utility used to report progress (upload/download) to a consumer listener. It reads input from the event object and computes metrics, then forwards a structured payload to a listener. A minor data exposure risk exists due to passing the raw event object to the listener; mitigations include sanitizing the payload or removing the event object before emission. Overall security risk remains modest, with malware likelihood negligible in this isolated module. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/axios@1.7.4 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.7.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm axios is 100.0% likely to have a medium risk anomaly Notes: The code is a legitimate, self-contained throttling transformer designed for Axios-like streaming workflows. It throttles data output based on maxRate and timeWindow, preserves data integrity by splitting chunks when necessary, and emits optional progress telemetry. No malicious activity or data leakage is detected in this fragment. Security risk remains moderate due to throttling complexity and potential misconfiguration in real deployments, but the module itself does not introduce obvious security flaws. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/axios@1.7.4 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.7.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm cacache is 100.0% likely to have a medium risk anomaly Notes: The analyzed code is a straightforward content-cache retrieval and streaming utility. It reads from a cache using an index, supports digest-based access, and optionally memoizes results. There is no evidence of malicious behavior, data exfiltration, backdoors, or external network activity within this module. The security risk appears low, assuming the surrounding system properly manages cache integrity and does not expose untrusted cache contents without validation. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/cacache@18.0.4 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/cacache@18.0.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm commander is 100.0% likely to have a medium risk anomaly Notes: The code represents a standard Commander-like CLI framework with dynamic subcommand execution via spawning local executables. It is not inherently malicious, but the external-executable dispatch mechanism introduces a legitimate supply-chain risk: untrusted or misconfigured subcommands can execute arbitrary local code. Recommend tightening executable discovery (absolute trusted paths only, explicit allowlists), validating subcommand targets before spawning, and ensuring regular security reviews of any projects using this pattern. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/commander@5.1.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/commander@5.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm foreground-child is 100.0% likely to have a medium risk anomaly Notes: The code implements a standard watchdog for child-process lifecycle management, aiming to prevent zombie processes when the parent exits. It is not inherently malicious, but reliability hinges on the correctness of the inline watchdog script and proper scoping of the PID. Potential improvements include addressing syntax reliability of the inline code, removing unnecessary no-op keepalive, and ensuring strict validation of the provided PID to mitigate accidental termination of unrelated processes. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/foreground-child@3.3.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/foreground-child@3.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm fs-extra is 100.0% likely to have a medium risk anomaly Notes: The code is a standard filesystem utility that ensures a file exists by creating necessary directories and then writing an empty file. There is no evidence of malicious behavior, data exfiltration, or remote activity. The unusual ENOTDIR triggering is a defensive error path, not a backdoor or covert channel. Overall risk is low; functionality is as expected for a helper library in a filesystem module. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/fs-extra@10.1.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fs-extra@10.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
See 10 more rows in the dashboard

View full report

[github-actions]

🌐 Web preview ready

Preview URL: https://audius-web-preview-pr-14398.audius.workers.dev

Unique preview for this PR (deployed from this branch).
Workflow run