feat: add connect-bitcoin

[NikosFotiadis]

Explanation

• Adds the @metamask/connect-bitcoin package which wraps the @metamask/bitcoin-wallet-standard with MetaMask Connect.
• Playground dapp support for bitcoin-wallet-standard

Testing Steps

1. Install dependencies and build (yarn install && yarn build)
2. Launch browser playground (yarn workspace @metamask/browser-playground start)
3. Click Connect (Bitcoin) button (ensure no extension is installed if using desktop browser)
4. Confirm connection -> Bitcoin Card should appear in dapp
5. Try interactions available interactions like signMessage, which should succeed.

Important

Metamask does not support Bitcoin testnets so in oorder to test transactions you will need BTC on mainnet

References

Checklist

• I've updated the test suite for new or updated code as appropriate
  • Tests for @metamask/connect-bitcoin
  • Test for Bitcoin Card in the playground dapp
• I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
• I've communicated my changes to consumers by updating changelogs for packages I've changed, highlighting breaking changes as necessary
• I've prepared draft pull requests for clients and consumer packages to resolve any breaking changes

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​metamask/​bitcoin-wallet-standard@​1.3.0
	bitcoinjs-lib@​7.0.1
	@​metamask/​multichain-api-client@​0.10.1 ⏵ 0.12.0			+1	-5
	sats-connect@​4.2.1

View full report

[socket-security]

Caution

MetaMask internal reviewing guidelines:

• Do not ignore-all
• Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
• Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
  @SocketSecurity ignore npm/PACKAGE@VERSION

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		High CVE: Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter CVE: GHSA-p92q-9vqr-4j8v Axios: Proxy-Authorization Credential Leak to Origin Server Across HTTP-to-HTTPS Redirect in Axios Node.js HTTP Adapter (HIGH) Affected versions: >= 1.0.0 < 1.16.0; < 0.32.0 Patched version: 1.16.0 From: ? → npm/sats-connect@4.2.1 → npm/axios@1.12.0 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.12.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: Allocation of Resources Without Limits or Throttling in Axios CVE: GHSA-777c-7fjr-54vf Allocation of Resources Without Limits or Throttling in Axios (HIGH) Affected versions: >= 1.7.0 < 1.16.0 Patched version: 1.16.0 From: ? → npm/sats-connect@4.2.1 → npm/axios@1.12.0 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.12.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection CVE: GHSA-j5f8-grm9-p9fc Axios: Proxy-Authorization header leaks to redirect target when proxy is re-evaluated to direct connection (HIGH) Affected versions: >= 1.0.0 < 1.16.0; < 0.32.0 Patched version: 1.16.0 From: ? → npm/sats-connect@4.2.1 → npm/axios@1.12.0 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.12.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection CVE: GHSA-hfxv-24rg-xrqf Axios: Regular Expression Denial of Service (ReDoS) via Cookie Name Injection (HIGH) Affected versions: >= 1.0.0 < 1.16.0; < 0.32.0 Patched version: 1.16.0 From: ? → npm/sats-connect@4.2.1 → npm/axios@1.12.0 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.12.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: npm axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718) CVE: GHSA-pjwm-pj3p-43mv axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718) (HIGH) Affected versions: >= 1.0.0 < 1.16.0; < 0.32.0 Patched version: 1.16.0 From: ? → npm/sats-connect@4.2.1 → npm/axios@1.12.0 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.12.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: npm axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in `config.proxy` CVE: GHSA-35jp-ww65-95wh axios Vulnerable to Full Man-in-the-Middle via Prototype Pollution Gadget in config.proxy (HIGH) Affected versions: >= 1.0.0 < 1.16.0 Patched version: 1.16.0 From: ? → npm/sats-connect@4.2.1 → npm/axios@1.12.0 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.12.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: npm axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge CVE: GHSA-3g43-6gmg-66jw axios Vulnerable to Credential Theft and Response Hijacking via Prototype Pollution Gadget in Config Merge (HIGH) Affected versions: >= 1.0.0 < 1.15.2; >= 0.19.0 < 0.31.1 Patched version: 1.15.2 From: ? → npm/sats-connect@4.2.1 → npm/axios@1.12.0 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.12.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: Axios: Header Injection via Prototype Pollution CVE: GHSA-6chq-wfr3-2hj9 Axios: Header Injection via Prototype Pollution (HIGH) Affected versions: >= 1.0.0 < 1.15.1; < 0.31.1 Patched version: 1.15.1 From: ? → npm/sats-connect@4.2.1 → npm/axios@1.12.0 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.12.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking CVE: GHSA-pf86-5x62-jrwf Axios: Prototype Pollution Gadgets - Response Tampering, Data Exfiltration, and Request Hijacking (HIGH) Affected versions: >= 1.0.0 < 1.15.1; < 0.31.1 Patched version: 1.15.1 From: ? → npm/sats-connect@4.2.1 → npm/axios@1.12.0 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.12.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 CVE: GHSA-pmwg-cvhr-8vh7 Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Axios 1.15.0 (HIGH) Affected versions: >= 1.0.0 < 1.15.1; < 0.31.1 Patched version: 1.15.1 From: ? → npm/sats-connect@4.2.1 → npm/axios@1.12.0 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.12.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking CVE: GHSA-q8qp-cvcw-x6jj Axios has prototype pollution read-side gadgets in HTTP adapter that allow credential injection and request hijacking (HIGH) Affected versions: >= 1.0.0 < 1.15.2 Patched version: 1.15.2 From: ? → npm/sats-connect@4.2.1 → npm/axios@1.12.0 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.12.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: Axios is Vulnerable to Denial of Service via __proto__ Key in mergeConfig CVE: GHSA-43fc-jf86-j433 Axios is Vulnerable to Denial of Service via proto Key in mergeConfig (HIGH) Affected versions: >= 1.0.0 < 1.13.5; < 0.30.3 Patched version: 1.13.5 From: ? → npm/sats-connect@4.2.1 → npm/axios@1.12.0 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.12.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm axios in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: ? → npm/sats-connect@4.2.1 → npm/axios@1.12.0 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.12.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm axios in module http Module: http Location: Package overview From: ? → npm/sats-connect@4.2.1 → npm/axios@1.12.0 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.12.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm axios in module https Module: https Location: Package overview From: ? → npm/sats-connect@4.2.1 → npm/axios@1.12.0 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.12.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Medium CVE: npm axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions CVE: GHSA-898c-q2cr-xwhg axios has DoS & Header Injection via Prototype Pollution Read-Side Gadgets in axios merge functions (MODERATE) Affected versions: >= 1.0.0 < 1.16.0; < 0.32.0 Patched version: 1.16.0 From: ? → npm/sats-connect@4.2.1 → npm/axios@1.12.0 ℹ Read more on: This package | This alert | What is a medium CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known medium severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.12.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Medium CVE: Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in parseReviver CVE: GHSA-3w6x-2g7m-8v23 Axios: Invisible JSON Response Tampering via Prototype Pollution Gadget in parseReviver (MODERATE) Affected versions: >= 1.0.0 < 1.15.2 Patched version: 1.15.2 From: ? → npm/sats-connect@4.2.1 → npm/axios@1.12.0 ℹ Read more on: This package | This alert | What is a medium CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known medium severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.12.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Medium CVE: Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream CVE: GHSA-445q-vr5w-6q77 Axios: CRLF Injection in multipart/form-data body via unsanitized blob.type in formDataToStream (MODERATE) Affected versions: >= 1.0.0 < 1.15.1 Patched version: 1.15.1 From: ? → npm/sats-connect@4.2.1 → npm/axios@1.12.0 ℹ Read more on: This package | This alert | What is a medium CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known medium severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.12.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Medium CVE: Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 CVE: GHSA-5c9x-8gcm-mpgx Axios' HTTP adapter-streamed uploads bypass maxBodyLength when maxRedirects: 0 (MODERATE) Affected versions: >= 1.0.0 < 1.15.1; < 0.31.1 Patched version: 1.15.1 From: ? → npm/sats-connect@4.2.1 → npm/axios@1.12.0 ℹ Read more on: This package | This alert | What is a medium CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known medium severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.12.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Medium CVE: Axios: unbounded recursion in toFormData causes DoS via deeply nested request data CVE: GHSA-62hf-57xw-28j9 Axios: unbounded recursion in toFormData causes DoS via deeply nested request data (MODERATE) Affected versions: >= 1.0.0 < 1.15.1; < 0.31.1 Patched version: 1.15.1 From: ? → npm/sats-connect@4.2.1 → npm/axios@1.12.0 ℹ Read more on: This package | This alert | What is a medium CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known medium severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.12.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Medium CVE: Axios: no_proxy bypass via IP alias allows SSRF CVE: GHSA-m7pr-hjqh-92cm Axios: no_proxy bypass via IP alias allows SSRF (MODERATE) Affected versions: >= 1.0.0 < 1.15.1; < 0.31.1 Patched version: 1.15.1 From: ? → npm/sats-connect@4.2.1 → npm/axios@1.12.0 ℹ Read more on: This package | This alert | What is a medium CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known medium severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.12.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Medium CVE: Axios: HTTP adapter streamed responses bypass maxContentLength CVE: GHSA-vf2m-468p-8v99 Axios: HTTP adapter streamed responses bypass maxContentLength (MODERATE) Affected versions: >= 1.0.0 < 1.15.1; < 0.31.1 Patched version: 1.15.1 From: ? → npm/sats-connect@4.2.1 → npm/axios@1.12.0 ℹ Read more on: This package | This alert | What is a medium CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known medium severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.12.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Medium CVE: Axios: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy CVE: GHSA-w9j2-pvgh-6h63 Axios: Authentication Bypass via Prototype Pollution Gadget in validateStatus Merge Strategy (MODERATE) Affected versions: >= 1.0.0 < 1.15.1; < 0.31.1 Patched version: 1.15.1 From: ? → npm/sats-connect@4.2.1 → npm/axios@1.12.0 ℹ Read more on: This package | This alert | What is a medium CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known medium severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.12.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Medium CVE: Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in withXSRFToken Boolean Coercion CVE: GHSA-xx6v-rp6x-q39c Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in withXSRFToken Boolean Coercion (MODERATE) Affected versions: >= 1.0.0 < 1.15.1; < 0.31.1 Patched version: 1.15.1 From: ? → npm/sats-connect@4.2.1 → npm/axios@1.12.0 ℹ Read more on: This package | This alert | What is a medium CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known medium severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.12.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Medium CVE: Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF CVE: GHSA-3p68-rc4w-qgx5 Axios has a NO_PROXY Hostname Normalization Bypass that Leads to SSRF (MODERATE) Affected versions: >= 1.0.0 < 1.15.0; < 0.31.0 Patched version: 1.15.0 From: ? → npm/sats-connect@4.2.1 → npm/axios@1.12.0 ℹ Read more on: This package | This alert | What is a medium CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known medium severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.12.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Medium CVE: Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain CVE: GHSA-fvcv-3m26-pcqx Axios has Unrestricted Cloud Metadata Exfiltration via Header Injection Chain (MODERATE) Affected versions: >= 1.0.0 < 1.15.0; < 0.31.0 Patched version: 1.15.0 From: ? → npm/sats-connect@4.2.1 → npm/axios@1.12.0 ℹ Read more on: This package | This alert | What is a medium CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known medium severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.12.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
See 2 more rows in the dashboard

View full report