Update to newest by leonardkulms · Pull Request #3 · ironxyz/solana-program-library

leonardkulms · 2026-03-10T10:13:55Z

No description provided.

Bumps [bytemuck](https://github.com/Lokathor/bytemuck) from 1.18.0 to 1.19.0. - [Changelog](https://github.com/Lokathor/bytemuck/blob/main/changelog.md) - [Commits](Lokathor/bytemuck@v1.18.0...v1.19.0) --- updated-dependencies: - dependency-name: bytemuck dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [typedoc](https://github.com/TypeStrong/TypeDoc) from 0.26.8 to 0.26.9. - [Release notes](https://github.com/TypeStrong/TypeDoc/releases) - [Changelog](https://github.com/TypeStrong/typedoc/blob/master/CHANGELOG.md) - [Commits](TypeStrong/typedoc@v0.26.8...v0.26.9) --- updated-dependencies: - dependency-name: typedoc dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

#### Problem The 1.1.6 publish didn't work for some reason. #### Summary of changes Bump to 1.1.7 and do it again

#### Problem git-cliff has deprecated the `commit.github` field available during parsing, opting for `commit.remote` instead. #### Summary of changes Use `commit.remote` instead of `commit.github`.

Bumps [typedoc](https://github.com/TypeStrong/TypeDoc) from 0.26.9 to 0.26.10. - [Release notes](https://github.com/TypeStrong/TypeDoc/releases) - [Changelog](https://github.com/TypeStrong/typedoc/blob/master/CHANGELOG.md) - [Commits](TypeStrong/typedoc@v0.26.9...v0.26.10) --- updated-dependencies: - dependency-name: typedoc dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…solana-labs#7354) Bumps [@rollup/plugin-typescript](https://github.com/rollup/plugins/tree/HEAD/packages/typescript) from 12.1.0 to 12.1.1. - [Changelog](https://github.com/rollup/plugins/blob/master/packages/typescript/CHANGELOG.md) - [Commits](https://github.com/rollup/plugins/commits/typescript-v12.1.1/packages/typescript) --- updated-dependencies: - dependency-name: "@rollup/plugin-typescript" dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…olana-labs#7355) Bumps [@rollup/plugin-commonjs](https://github.com/rollup/plugins/tree/HEAD/packages/commonjs) from 28.0.0 to 28.0.1. - [Changelog](https://github.com/rollup/plugins/blob/master/packages/commonjs/CHANGELOG.md) - [Commits](https://github.com/rollup/plugins/commits/commonjs-v28.0.1/packages/commonjs) --- updated-dependencies: - dependency-name: "@rollup/plugin-commonjs" dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [tslib](https://github.com/Microsoft/tslib) from 2.7.0 to 2.8.0. - [Release notes](https://github.com/Microsoft/tslib/releases) - [Commits](microsoft/tslib@v2.7.0...v2.8.0) --- updated-dependencies: - dependency-name: tslib dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

* set patch version to only use solana-program <2 * update spl mt ref patch version

…#7359) Revert "Set patch version to only use solana-program <2 (solana-labs#7356)" This reverts commit 3adf4b8.

…7362) Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 22.7.5 to 22.7.6. - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) --- updated-dependencies: - dependency-name: "@types/node" dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…labs#7361) * Use the SHA-256 implementation built into JavaScript engines * Elevate requirements to Node >=19 * Lock to 0.1.0 of tlv package for now

… runtime (solana-labs#7360) * Hardcode the discriminators so that you don't have to compute them at runtime * Don't run tests in libraries on Node older than v20 * Update versions

…labs#7365) #### Problem The token-group and token-metadata JS packages now require at least Node v19, but the specific workflows only use v16. #### Summary of changes Update the CI job to v20.

Bumps [serde_json](https://github.com/serde-rs/json) from 1.0.128 to 1.0.129. - [Release notes](https://github.com/serde-rs/json/releases) - [Commits](serde-rs/json@1.0.128...1.0.129) --- updated-dependencies: - dependency-name: serde_json dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…7366) * build(deps): bump @solana/web3.js from 1.95.3 to 1.95.4 Bumps [@solana/web3.js](https://github.com/solana-labs/solana-web3.js) from 1.95.3 to 1.95.4. - [Release notes](https://github.com/solana-labs/solana-web3.js/releases) - [Commits](solana-foundation/solana-web3.js@v1.95.3...v1.95.4) --- updated-dependencies: - dependency-name: "@solana/web3.js" dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> * Update everywhere --------- Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Jon C <me@jonc.dev>

release v0.4.2 with idl-build feature

Bumps [serde_json](https://github.com/serde-rs/json) from 1.0.129 to 1.0.132. - [Release notes](https://github.com/serde-rs/json/releases) - [Commits](serde-rs/json@1.0.129...1.0.132) --- updated-dependencies: - dependency-name: serde_json dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [turbo](https://github.com/vercel/turborepo) from 2.1.3 to 2.2.1. - [Release notes](https://github.com/vercel/turborepo/releases) - [Changelog](https://github.com/vercel/turborepo/blob/main/release.md) - [Commits](vercel/turborepo@v2.1.3...v2.2.1) --- updated-dependencies: - dependency-name: turbo dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…7373) Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 22.7.6 to 22.7.7. - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) --- updated-dependencies: - dependency-name: "@types/node" dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…-labs#7376) Bumps [eslint-config-turbo](https://github.com/vercel/turborepo/tree/HEAD/packages/eslint-config-turbo) from 2.1.3 to 2.2.1. - [Release notes](https://github.com/vercel/turborepo/releases) - [Changelog](https://github.com/vercel/turborepo/blob/main/release.md) - [Commits](https://github.com/vercel/turborepo/commits/v2.2.1/packages/eslint-config-turbo) --- updated-dependencies: - dependency-name: eslint-config-turbo dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…olana-labs#7377) Bumps [eslint-plugin-functional](https://github.com/eslint-functional/eslint-plugin-functional) from 7.0.2 to 7.1.0. - [Release notes](https://github.com/eslint-functional/eslint-plugin-functional/releases) - [Changelog](https://github.com/eslint-functional/eslint-plugin-functional/blob/main/CHANGELOG.md) - [Commits](eslint-functional/eslint-plugin-functional@v7.0.2...v7.1.0) --- updated-dependencies: - dependency-name: eslint-plugin-functional dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [tokio](https://github.com/tokio-rs/tokio) from 1.40.0 to 1.41.0. - [Release notes](https://github.com/tokio-rs/tokio/releases) - [Commits](tokio-rs/tokio@tokio-1.40.0...tokio-1.41.0) --- updated-dependencies: - dependency-name: tokio dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [serde](https://github.com/serde-rs/serde) from 1.0.210 to 1.0.211. - [Release notes](https://github.com/serde-rs/serde/releases) - [Commits](serde-rs/serde@v1.0.210...v1.0.211) --- updated-dependencies: - dependency-name: serde dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [turbo](https://github.com/vercel/turborepo) from 2.2.1 to 2.2.3. - [Release notes](https://github.com/vercel/turborepo/releases) - [Changelog](https://github.com/vercel/turborepo/blob/main/release.md) - [Commits](vercel/turborepo@v2.2.1...v2.2.3) --- updated-dependencies: - dependency-name: turbo dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…-labs#7383) Bumps [eslint-config-turbo](https://github.com/vercel/turborepo/tree/HEAD/packages/eslint-config-turbo) from 2.2.1 to 2.2.3. - [Release notes](https://github.com/vercel/turborepo/releases) - [Changelog](https://github.com/vercel/turborepo/blob/main/release.md) - [Commits](https://github.com/vercel/turborepo/commits/v2.2.3/packages/eslint-config-turbo) --- updated-dependencies: - dependency-name: eslint-config-turbo dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…7384) Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 22.7.7 to 22.7.8. - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) --- updated-dependencies: - dependency-name: "@types/node" dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

#### Problem It's unclear that SPL Token's multisigs allow for duplicate signers. #### Summary of changes Call out the behavior of duplicate signers in a multisig.

…s#7625) Bumps [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) from 22.10.3 to 22.10.5. - [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases) - [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node) --- updated-dependencies: - dependency-name: "@types/node" dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [rollup](https://github.com/rollup/rollup) from 4.29.1 to 4.30.0. - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](rollup/rollup@v4.29.1...v4.30.0) --- updated-dependencies: - dependency-name: rollup dependency-type: direct:development update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

…olana-labs#7629) Bumps [eslint-plugin-functional](https://github.com/eslint-functional/eslint-plugin-functional) from 7.2.0 to 7.2.1. - [Release notes](https://github.com/eslint-functional/eslint-plugin-functional/releases) - [Changelog](https://github.com/eslint-functional/eslint-plugin-functional/blob/main/CHANGELOG.md) - [Commits](eslint-functional/eslint-plugin-functional@v7.2.0...v7.2.1) --- updated-dependencies: - dependency-name: eslint-plugin-functional dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [serde_json](https://github.com/serde-rs/json) from 1.0.134 to 1.0.135. - [Release notes](https://github.com/serde-rs/json/releases) - [Commits](serde-rs/json@v1.0.134...v1.0.135) --- updated-dependencies: - dependency-name: serde_json dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [async-trait](https://github.com/dtolnay/async-trait) from 0.1.84 to 0.1.85. - [Release notes](https://github.com/dtolnay/async-trait/releases) - [Commits](dtolnay/async-trait@0.1.84...0.1.85) --- updated-dependencies: - dependency-name: async-trait dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

Bumps [rollup](https://github.com/rollup/rollup) from 4.30.0 to 4.30.1. - [Release notes](https://github.com/rollup/rollup/releases) - [Changelog](https://github.com/rollup/rollup/blob/master/CHANGELOG.md) - [Commits](rollup/rollup@v4.30.0...v4.30.1) --- updated-dependencies: - dependency-name: rollup dependency-type: direct:development update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

semgrep-code-ironxyz · 2026-03-10T10:16:45Z

Semgrep found 29 package-dependencies-check findings:

token-swap/js/package.json
- L61 - Triage
- L63 - Triage
- L64 - Triage
- L66 - Triage
token-lending/js/package.json
- L54 - Triage
- L55 - Triage
- L57 - Triage
- L58 - Triage
- L59 - Triage
package.json
- L20 - Triage
- L21 - Triage
- L22 - Triage
- L23 - Triage
- L24 - Triage
name-service/js/package.json
- L53 - Triage
- L54 - Triage
- L56 - Triage
- L57 - Triage
- L59 - Triage
- L60 - Triage
account-compression/sdk/package.json
- L75 - Triage
- L76 - Triage
- L77 - Triage
- L78 - Triage
- L79 - Triage
- L81 - Triage
- L84 - Triage
- L85 - Triage
- L88 - Triage

Package dependencies with variant versions may lead to dependency hijack and confusion attacks. Better to specify an exact version or use package-lock.json for a specific version of the package.

socket-security · 2026-03-10T10:18:37Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance
	cargo/tokio@1.38.0 ⏵ 1.42.0
	npm/turbo@2.0.4 ⏵ 2.3.3	⁺¹		⁺³
	npm/@solana/eslint-config-solana@3.0.3 ⏵ 3.0.6	⁺²		⁺¹
	npm/@solana/eslint-config-solana@3.0.3 ⏵ 4.0.0	⁺²		⁺²	⁺³
	npm/@typescript-eslint/parser@7.13.1 ⏵ 8.12.2	⁺¹		⁺¹
	npm/@typescript-eslint/parser@7.13.1 ⏵ 8.4.0	⁺¹		⁺¹	⁺¹
	npm/@types/node-fetch@2.6.11 ⏵ 2.6.12	⁺¹		⁺¹
	npm/@types/chai-as-promised@7.1.8 ⏵ 8.0.1	⁺¹		⁺¹	⁺¹
	npm/@types/bn.js@5.1.5 ⏵ 5.1.6	⁺¹		⁺¹
	npm/@types/chai@4.3.16 ⏵ 5.0.1			⁺¹
	npm/@types/jest@29.5.12 ⏵ 29.5.14
	npm/@types/mocha@10.0.6 ⏵ 10.0.10	⁺¹		⁺¹
	npm/rollup@4.18.0 ⏵ 4.30.1	⁺¹	⁺⁶		⁺²
	npm/eslint-plugin-simple-import-sort@12.1.0 ⏵ 12.1.1	⁺¹		⁺¹
	npm/@typescript-eslint/eslint-plugin@7.13.1 ⏵ 8.4.0	⁺¹			⁺¹
	npm/@typescript-eslint/eslint-plugin@7.13.1 ⏵ 8.12.2	⁺¹
	cargo/thiserror@1.0.57 ⏵ 2.0.9
	npm/@solana/spl-token@0.4.6 ⏵ 0.4.9	⁺¹		⁺¹
	npm/@types/node@20.14.5 ⏵ 22.10.5	⁺¹		⁺¹
	cargo/serde@1.0.203 ⏵ 1.0.217
	npm/gh-pages@6.1.1 ⏵ 6.3.0	⁺¹
	cargo/borsh@1.5.1 ⏵ 1.5.3
	cargo/libm@0.2.8 ⏵ 0.2.11	⁺²
	npm/@solana/web3.js@2.0.0-experimental.21e994f ⏵ 1.95.4	^-9		⁺¹	⁺³⁴
	npm/@solana/web3.js@2.0.0-experimental.21e994f ⏵ 1.95.5	^-4		⁺¹	⁺³⁴
	npm/eslint-plugin-import@2.29.1 ⏵ 2.31.0	⁺¹
	npm/start-server-and-test@2.0.4 ⏵ 2.0.9				^-4
	npm/tslib@2.6.3 ⏵ 2.8.1
	pypi/cryptography@42.0.4 ⏵ 43.0.1		⁺²
	npm/@rollup/plugin-node-resolve@15.2.3 ⏵ 16.0.0	^-1
	npm/eslint-plugin-mocha@10.4.3 ⏵ 10.5.0	⁺¹
	npm/@rollup/plugin-typescript@11.1.6 ⏵ 12.1.2	⁺¹
See 44 more rows in the dashboard

View full report

socket-security · 2026-03-10T10:18:39Z

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Warn		License policy violation: cargo `hidapi` Location: Package overview From: `?` → `cargo/solana-remote-wallet@2.1.0` → `cargo/hidapi@2.6.3` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore cargo/hidapi@2.6.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: cargo `librocksdb-sys` Location: Package overview From: `?` → `cargo/solana-test-validator@2.1.0` → `cargo/librocksdb-sys@0.16.0%2B8.10.0` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore cargo/librocksdb-sys@0.16.0%2B8.10.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: cargo `lz4-sys` Location: Package overview From: `?` → `cargo/solana-program-test@2.1.0` → `cargo/solana-test-validator@2.1.0` → `cargo/lz4-sys@1.11.1%2Blz4-1.10.0` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore cargo/lz4-sys@1.11.1%2Blz4-1.10.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: cargo `openssl-src` Location: Package overview From: `?` → `cargo/solana-program-test@2.1.0` → `cargo/solana-test-validator@2.1.0` → `cargo/solana-client@2.1.0` → `cargo/spl-token-client@0.13.0` → `cargo/openssl-src@300.3.1%2B3.3.1` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore cargo/openssl-src@300.3.1%2B3.3.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: cargo `webpki-roots` under MPL-2.0 Location: Package overview From: `?` → `cargo/solana-test-validator@2.1.0` → `cargo/solana-client@2.1.0` → `cargo/webpki-roots@0.26.6` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore cargo/webpki-roots@0.26.6`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm `rpc-websockets` under LGPL-3.0-only Location: Package overview From: pnpm-lock.yaml → `npm/@solana/web3.js@1.95.4` → `npm/@solana/web3.js@1.95.5` → `npm/rpc-websockets@9.0.2` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/rpc-websockets@9.0.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm `typescript` License: LicenseRef-W3C-Community-Final-Specification-Agreement - the applicable license policy does not allow this license (4) (package/ThirdPartyNoticeText.txt) From: account-compression/sdk/package.json → `npm/typescript@5.7.2` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/typescript@5.7.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: pypi `certifi` under MPL-2.0 Location: Package overview From: binary-option/client/requirements.txt → `pypi/certifi@2024.7.4` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/certifi@2024.7.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: pypi `certifi` under MPL-2.0 Location: Package overview From: binary-option/client/requirements.txt → `pypi/certifi@2024.7.4` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore pypi/certifi@2024.7.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

dependabot bot and others added 30 commits October 14, 2024 12:59

stake-pool-js: Bump to 1.1.7 (solana-labs#7347)

9ce28e0

#### Problem The 1.1.6 publish didn't work for some reason. #### Summary of changes Bump to 1.1.7 and do it again

CI: Use commit.remote in git-cliff (solana-labs#7348)

82ad10a

#### Problem git-cliff has deprecated the `commit.github` field available during parsing, opting for `commit.remote` instead. #### Summary of changes Use `commit.remote` instead of `commit.github`.

Set patch version to only use solana-program <2 (solana-labs#7356)

3adf4b8

* set patch version to only use solana-program <2 * update spl mt ref patch version

Revert "Set patch version to only use solana-program <2" (solana-labs…

b1e526d

…#7359) Revert "Set patch version to only use solana-program <2 (solana-labs#7356)" This reverts commit 3adf4b8.

Use the SHA-256 implementation built into JavaScript engines (solana-…

a2de58f

…labs#7361) * Use the SHA-256 implementation built into JavaScript engines * Elevate requirements to Node >=19 * Lock to 0.1.0 of tlv package for now

Hardcode the discriminators so that you don't have to compute them at…

cc3a5d1

… runtime (solana-labs#7360) * Hardcode the discriminators so that you don't have to compute them at runtime * Don't run tests in libraries on Node older than v20 * Update versions

Sync versions with NPM

d73e91c

Update pull-request-account-compression.yml

0c12455

CI: Update token-group and token-metadata JS jobs to Node 20 (solana-…

8857b05

…labs#7365) #### Problem The token-group and token-metadata JS packages now require at least Node v19, but the specific workflows only use v16. #### Summary of changes Update the CI job to v20.

Release v0.4.2 with idl-build feature (solana-labs#7371)

1af9fcd

release v0.4.2 with idl-build feature

docs: Specify behavior for dupes in token multisig (solana-labs#7386)

b4a73a3

#### Problem It's unclear that SPL Token's multisigs allow for duplicate signers. #### Summary of changes Call out the behavior of duplicate signers in a multisig.

dependabot bot and others added 26 commits January 3, 2025 13:22

CI: Remove CI files for removed programs

b631d42

docs: Point everything at the new repos

ad6f6d9

Remove from CI (more)

e116dc2

README: Update internal documentation

e4ab3ed

ATA: Remove program, add README explaining

87c340d

feature-proposal: Remove program

90a5452

instruction-padding: Remove program

623d210

libraries: Remove ported libraries

b76e156

record: Remove program

8d47204

single-pool: Remove program / cli / js

dbd75db

slashing: Remove program

0bd3456

stake-pool: Remove program and clients

8a82976

token / token-2022 / transfer-hook: Remove

3be4655

token-group: Remove program and clients

ddc79d6

token-metadata: Remove program and clients

656ca12

Update existing code to use non-local dependencies

0b1a4d0

math-example: Fix tests that have been broken

63b2173

Update README.md

77b718e

Update README.md

264ca72

Merge remote-tracking branch 'upstream/master'

df93522

ben-iron approved these changes Mar 10, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Update to newest#3

Update to newest#3
leonardkulms wants to merge 630 commits intomasterfrom
update-to-newest

leonardkulms commented Mar 10, 2026

Uh oh!

semgrep-code-ironxyz bot commented Mar 10, 2026

Uh oh!

socket-security bot commented Mar 10, 2026

Uh oh!

socket-security bot commented Mar 10, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

20 participants

Conversation

leonardkulms commented Mar 10, 2026

Uh oh!

semgrep-code-ironxyz bot commented Mar 10, 2026

Uh oh!

socket-security bot commented Mar 10, 2026

Uh oh!

socket-security bot commented Mar 10, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

20 participants