Update dependency eslint-plugin-unicorn to v62

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
eslint-plugin-unicorn	^61.0.0 -> ^62.0.0

---

Release Notes

sindresorhus/eslint-plugin-unicorn (eslint-plugin-unicorn)

v62.0.0

Compare Source

New rules

• no-immediate-mutation (#​2787) e1c7d2e
• no-useless-collection-argument (#​2777) 2d07c9a
• prefer-response-static-json (#​2778) ffe5943

Improvements

• text-encoding-identifier-case: Add withDash option (#​2780) 9025386
• no-useless-undefined: Check one undefined at a time (#​2792) 27f7509
• prefer-single-call: Check optional chaining (#​2788) 8a132ac
• text-encoding-identifier-case: Enforce 'utf-8' in form[acceptCharset] and TextDecoder (#​2785) 46b3974
• prefer-node-protocol: Handle TypeScript import types (#​2774) 13a37a0
• no-array-for-each: Ignore forEach for Effect library (#​2783) 2ef6f83
• prefer-string-raw: Ignore more places that requires a string (#​2776) 43bc429
• prefer-string-raw: Add support for template literals (#​2691) 52723a2
• prefer-global-this: Add navigation to windowSpecificAPIs (#​2770) 0c93998
• prefer-code-point: Report cases where String.fromCharCode is not called directly (#​2766) 1d682a1
• no-useless-spread: Safely remove empty array and object (#​2764) 7aeabab

Fixes

• consistent-function-scoping: Fix inconsistent behavior (#​2748) a546444

---

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

The eslint-plugin-unicorn devDependency version constraint was updated from ^61.0.0 to ^62.0.0 in package.json. This allows the package manager to install compatible versions within the 62.x release series.

Changes

Cohort / File(s)	Summary
Dependency version update package.json	Updated eslint-plugin-unicorn devDependency from ^61.0.0 to ^62.0.0

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~1 minute

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title Check	✅ Passed	The PR title "Update dependency eslint-plugin-unicorn to v62" directly and accurately reflects the primary change in the changeset, which updates the eslint-plugin-unicorn devDependency from ^61.0.0 to ^62.0.0. The title is concise, specific, and clearly communicates the main objective of the PR in a way that would be easily understood by someone reviewing the commit history.
Description check	✅ Passed	The pull request description clearly relates to the changeset, detailing the eslint-plugin-unicorn dependency update from v61.0.0 to v62.0.0 with release notes and relevant metadata.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		High CVE: Axios is vulnerable to DoS attack through lack of data size check CVE: GHSA-4hjh-wcwx-xvwj Axios is vulnerable to DoS attack through lack of data size check (HIGH) Affected versions: >= 1.0.0 < 1.12.0; < 0.30.2 Patched version: 1.12.0 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/axios@1.11.0 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.11.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm amdefine is 100.0% likely to have a medium risk anomaly Notes: The code implements a global module loader hook that prepends a require('amdefine')(module) shim to nearly all .js modules before they are compiled. This is not directly overtly malicious, but it is a high-impact supply-chain/style modification: it alters every module load, can obscure behavior from static analysis, and increases attack surface if an attacker can modify this package or the amdefine module. Use of this module should be considered a risk in environments that require strict control of execution semantics or provenance; review and pin amdefine and this loader carefully. No clear evidence of direct data exfiltration or backdoor in this fragment. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/amdefine@1.0.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/amdefine@1.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm asynckit is 100.0% likely to have a medium risk anomaly Notes: The analyzed code is a standard wrapper/adapter for long-signature iterators in a streaming context. It includes proper handling to avoid duplicate callbacks, emits errors correctly, and finalizes the stream appropriately. There is no indication of malicious behavior, data exfiltration, or backdoor-like mechanisms. The risk is minimal and primarily relates to correct usage by downstream code (e.g., ensuring stream object has the expected properties). Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/asynckit@0.4.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/asynckit@0.4.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm axios is 100.0% likely to have a medium risk anomaly Notes: The code appears to be a standard, well-scoped progress-event utility used to report progress (upload/download) to a consumer listener. It reads input from the event object and computes metrics, then forwards a structured payload to a listener. A minor data exposure risk exists due to passing the raw event object to the listener; mitigations include sanitizing the payload or removing the event object before emission. Overall security risk remains modest, with malware likelihood negligible in this isolated module. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/axios@1.11.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.11.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm axios is 100.0% likely to have a medium risk anomaly Notes: The code is a legitimate, self-contained throttling transformer designed for Axios-like streaming workflows. It throttles data output based on maxRate and timeWindow, preserves data integrity by splitting chunks when necessary, and emits optional progress telemetry. No malicious activity or data leakage is detected in this fragment. Security risk remains moderate due to throttling complexity and potential misconfiguration in real deployments, but the module itself does not introduce obvious security flaws. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/axios@1.11.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.11.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm chalk is 100.0% likely to have a medium risk anomaly Notes: This is a conventional Chalk-like color-styling module. It exhibits expected behavior for terminal styling, uses environment checks for compatibility, and does not demonstrate malicious activity, data leakage, or external communications. Security risk is low in isolation; the primary considerations are safe usage in environments where ANSI sequences could affect log readability or concealment, and ensuring trusted template renderingCode integrity. Overall, the component appears benign within its described scope. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/chalk@2.4.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/chalk@2.4.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm fs-extra is 100.0% likely to have a medium risk anomaly Notes: The copy.js module appears to be a legitimate and secure filesystem copy utility with appropriate safeguards and options. No malicious activity detected, and typical supply-chain risk is limited to the general risk of filesystem operations. The code is suitable for inclusion in a package like fs-extra with normal risk expectations. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/fs-extra@9.1.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fs-extra@9.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm node-addon-api is 100.0% likely to have a medium risk anomaly Notes: The script is a legitimate formatting helper within a Node.js project. It orchestrates clang-format via git-clang-format, supports fix and diff modes, and provides actionable feedback to the developer. While operational dependencies exist, no malicious activity or data leakage is evident based on the provided code and typical usage. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@openzeppelin/hardhat-upgrades@3.9.1 → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/node-addon-api@5.1.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/node-addon-api@5.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm pbkdf2 is 72.0% likely to have a medium risk anomaly Notes: The code is a straightforward and correct PBKDF2 implementation using HMAC with support for multiple digests and standard input handling. No malicious behavior detected. Security risk mainly derives from correct usage (encodings, salt handling, and proper key length) and from the absence of explicit side-channel hardening within the function. Recommendations focus on careful integration and memory hygiene, and optional refinements for side-channel resilience in high-assurance contexts. Confidence: 0.72 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@openzeppelin/hardhat-upgrades@3.9.1 → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/pbkdf2@3.1.3 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/pbkdf2@3.1.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm sc-istanbul is 100.0% likely to have a medium risk anomaly Notes: No direct malicious actions (network exfiltration, reverse shells, or hard-coded credentials) are present in this fragment. However, the module intentionally monkeypatches Node's module loader and VM APIs to transform and execute code at load time. Those capabilities are high-risk: if a malicious transformer/matcher is supplied (or if the package itself is replaced with a malicious version), it can inject arbitrary code into any loaded module, enabling supply-chain attacks, data theft, or backdoors. Reviewers should treat usage of this module as a high-privilege operation, ensure transformers are trusted, and limit hook usage to controlled environments. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/sc-istanbul@0.4.6 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/sc-istanbul@0.4.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm undici is 100.0% likely to have a medium risk anomaly Notes: The analyzed code appears to implement a standard in-memory cache batch operation flow (put/delete) with careful handling of response bodies by buffering and storing bytes for caching. No signs of malware, data exfiltration, backdoors, or obfuscated behavior were found. The primary security considerations relate to memory usage from buffering potentially large response bodies and ensuring robust validation within batch operations to prevent cache state corruption. Overall risk is moderate, driven by in-memory data handling rather than external communication. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/upgradeable/package-lock.json → npm/@openzeppelin/hardhat-upgrades@3.9.1 → npm/undici@6.21.3 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@6.21.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm viem is 100.0% likely to have a medium risk anomaly Notes: The code implements a cross-chain deposit flow with proper validations, artifact reads, and on-chain interactions. There is no evidence of hidden backdoors, data exfiltration, or malware. The main security considerations relate to token approval logic and correct configuration of flags to avoid granting excessive allowances. Overall, the module appears legitimate for a bridge deposit flow, with moderate risk primarily around configuration of approvals and correct handling of gas/fees. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/viem@2.33.3 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/viem@2.33.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm ws is 100.0% likely to have a medium risk anomaly Notes: The code implements a standard EventTarget-like mixin for wrapping event listeners and dispatching events to user callbacks. There are no suspicious patterns such as dynamic code execution, hardcoded secrets, or network activity. The risk is contingent on what the consumer does inside their handlers; the snippet itself does not introduce malware or data leakage mechanisms beyond normal event dispatch. Overall security risk is low in isolation. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@openzeppelin/hardhat-upgrades@3.9.1 → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/ws@8.17.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ws@8.17.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm ws is 100.0% likely to have a medium risk anomaly Notes: The code implements a standard EventTarget-like mixin for wrapping event listeners and dispatching events to user callbacks. There are no suspicious patterns such as dynamic code execution, hardcoded secrets, or network activity. The risk is contingent on what the consumer does inside their handlers; the snippet itself does not introduce malware or data leakage mechanisms beyond normal event dispatch. Overall security risk is low in isolation. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/ws@8.18.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ws@8.18.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm buffer is 96.0% likely obfuscated Confidence: 0.96 Location: Package overview From: packages/core/solidity/src/environments/hardhat/upgradeable/package-lock.json → npm/@openzeppelin/hardhat-upgrades@3.9.1 → npm/buffer@4.9.2 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/buffer@4.9.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 3d34a00 and 1fbdd51.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (1)

• package.json (1 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (12)

• GitHub Check: boostsecurity - boostsecurityio/semgrep-pro
• GitHub Check: build (stylus, default)
• GitHub Check: build (solidity, default)
• GitHub Check: build (stellar, default)
• GitHub Check: build (cairo, default)
• GitHub Check: build (stellar, compile)
• GitHub Check: ui
• GitHub Check: mcp
• GitHub Check: format-lint
• GitHub Check: check
• GitHub Check: deno-check
• GitHub Check: semgrep-cloud-platform/scan

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify eslint-plugin-unicorn v62 breaking changes and config compatibility.

This is a major version bump (v61 → v62) for a linter plugin. Major version updates often introduce breaking changes, rule removals, or behavioral changes that may require eslint configuration updates or could cause lint failures.

Please verify:

1. Whether v62.0.0 introduces breaking changes (check the release notes)
2. Whether any eslint configuration updates are needed in .eslintrc files or linter configs
3. Whether the lint script (eslint) will pass without errors with v62.0.0

If breaking changes exist, ensure that related configuration changes have been applied to the repository before merging.

---

🌐 Web query:

What are the breaking changes in eslint-plugin-unicorn v62.0.0 compared to v61?

💡 Result:

I couldn't find any release notes or a published v62.0.0 for eslint-plugin-unicorn. The official repo (sindresorhus/eslint-plugin-unicorn) and release listings don't show a v62 tag/releases, and the latest changelog I located is for v60.0.0. [1][2]

If you have a specific release URL or tag for v62 (or want me to keep searching other sources), share it and I’ll fetch the breaking changes and summarize them.

Sources:

• eslint-plugin-unicorn GitHub repo. [1]
• v60.0.0 changelog listing. [2]

---

🏁 Script executed:

#!/bin/bash
# Check the actual package.json content for eslint-plugin-unicorn version
cat package.json | grep -A2 -B2 "eslint-plugin-unicorn"

Length of output: 186

---

🏁 Script executed:

#!/bin/bash
# Query npm registry for eslint-plugin-unicorn versions (check latest and v62 specifically)
curl -s https://registry.npmjs.org/eslint-plugin-unicorn | jq '.versions | keys | sort | .[-10:]'

Length of output: 114

---

🏁 Script executed:

#!/bin/bash
# Check npm registry for v62 specifically
curl -s https://registry.npmjs.org/eslint-plugin-unicorn/62.0.0 | jq 'if .error then "Version not found" else .version end'

Length of output: 8

---

---

🏁 Script executed:

```shell
#!/bin/bash
# Find eslint configuration files in the repository
fd -t f -e json -e js -e yml -e yaml -e mjs -e cjs -g '*eslintrc*' .

Length of output: 0

---

🏁 Script executed:

#!/bin/bash
# Also check for common eslint config locations
find . -maxdepth 2 -type f \( -name ".eslintrc*" -o -name "eslint.config.*" \) 2>/dev/null

Length of output: 19

---

🌐 Web query:

eslint-plugin-unicorn v62.0.0 changelog breaking changes

💡 Result:

There is no published eslint-plugin-unicorn v62.0.0 release. The latest published release series on npm/GitHub is v61 (most-recent tags show v61.x in Sep 2025), and npm's package page lists v60/v59 as recent stable releases. See the release list and npm info. [1][2]

Sources:

• Release list for eslint-plugin-unicorn (shows up through v61.x). [1]
• npm package page for eslint-plugin-unicorn (latest published versions). [2]

---

🏁 Script executed:

#!/bin/bash
# Check npm package metadata for v62.0.0 to see if it's a pre-release
curl -s https://registry.npmjs.org/eslint-plugin-unicorn/62.0.0 | jq '{version, dist_tags: .["dist-tags"], prerelease: (.version | contains("-")), published: .time["62.0.0"]}'

Length of output: 90

---

🏁 Script executed:

#!/bin/bash
# Check eslint.config.mjs to see which rules are configured
cat eslint.config.mjs

Length of output: 1348

---

Revert eslint-plugin-unicorn to stable v61 release; v62.0.0 is unreleased.

The version v62.0.0 exists on npm but is marked as unreleased (null published timestamp, no dist tags, not listed on GitHub releases). While the config imports eslint-plugin-unicorn, it doesn't explicitly enable any unicorn rules—so breaking changes wouldn't immediately break linting—using an unreleased, undocumented version introduces unnecessary stability risk.

Revert to the latest stable version: "eslint-plugin-unicorn": "^61.0.2"

🤖 Prompt for AI Agents

In package.json around line 37, the dependency "eslint-plugin-unicorn":
"^62.0.0" references an unreleased/unstable npm version; change it back to the
latest stable release by replacing the version string with "^61.0.2" so the
project uses the documented stable unicorn plugin; update package-lock/yarn.lock
by running the appropriate install command afterwards to ensure the lockfile
reflects the reverted version.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​nomicfoundation/​hardhat-toolbox@​6.1.0
	@​openzeppelin/​hardhat-upgrades@​3.9.1
	hardhat@​2.26.3 ⏵ 2.26.5	+1		+2	+1

View full report