Version Packages

[github-actions]

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and the packages will be published to npm automatically. If you're not ready to do a release yet, that's fine, whenever you add more changesets to main, this PR will be updated.

Releases

@audius/common@1.5.78

Patch Changes

• 44dba8d: Automatically follow an artist when a user successfully purchases their artist coin
• ab85f43: Fix Explore page tracks to queue as a lineup so pressing next plays the next track in the section
• 6da21c6: Add a dedicated Playlist: Play amplitude event that fires when a user starts playback of a playlist or album from the collection page or from a collection tile on web and mobile
• 2e2e7b3: Add collectionId to PLAYBACK_PLAY analytics events when a track is played from a playlist or album context

@audius/mobile@1.5.178

Patch Changes

• 44dba8d: Automatically follow an artist when a user successfully purchases their artist coin
• ab85f43: Fix Explore page tracks to queue as a lineup so pressing next plays the next track in the section
• 6da21c6: Add a dedicated Playlist: Play amplitude event that fires when a user starts playback of a playlist or album from the collection page or from a collection tile on web and mobile
• 2e2e7b3: Add collectionId to PLAYBACK_PLAY analytics events when a track is played from a playlist or album context
• Updated dependencies [44dba8d]
• Updated dependencies [ab85f43]
• Updated dependencies [6da21c6]
• Updated dependencies [2e2e7b3]
  • @audius/common@1.5.78

@audius/web@1.5.170

Patch Changes

• 44dba8d: Automatically follow an artist when a user successfully purchases their artist coin
• ab85f43: Fix Explore page tracks to queue as a lineup so pressing next plays the next track in the section
• 6da21c6: Add a dedicated Playlist: Play amplitude event that fires when a user starts playback of a playlist or album from the collection page or from a collection tile on web and mobile
• 2e2e7b3: Add collectionId to PLAYBACK_PLAY analytics events when a track is played from a playlist or album context
• Updated dependencies [44dba8d]
• Updated dependencies [ab85f43]
• Updated dependencies [6da21c6]
• Updated dependencies [2e2e7b3]
  • @audius/common@1.5.78

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Potential code anomaly (AI signal): npm cacache is 100.0% likely to have a medium risk anomaly Notes: The analyzed code is a straightforward content-cache retrieval and streaming utility. It reads from a cache using an index, supports digest-based access, and optionally memoizes results. There is no evidence of malicious behavior, data exfiltration, backdoors, or external network activity within this module. The security risk appears low, assuming the surrounding system properly manages cache integrity and does not expose untrusted cache contents without validation. Confidence: 1.00 Severity: 0.60 From: ? → npm/@solana/spl-token@0.3.8 → npm/mocha@9.0.3 → npm/@solana/web3.js@1.78.4 → npm/cacache@18.0.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/cacache@18.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm chownr is 100.0% likely to have a medium risk anomaly Notes: The code represents a standard, well-scoped recursive ownership utility with deliberate cross-version compatibility. No evidence of malicious activity, data leakage, or external communications. The main risk is the potential for broad permission changes if invoked with untrusted uid/gid values; usage should be restricted to trusted contexts. Confidence: 1.00 Severity: 0.60 From: ? → npm/chownr@2.0.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/chownr@2.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm es6-promise is 100.0% likely to have a medium risk anomaly Notes: The code implements a cautious Promise polyfill bootstrap that avoids overriding an existing compliant Promise and only replaces it when necessary. Overall risk is low; the approach is standard for open-source libraries. The improved assessment confirms minimal malicious risk and acceptable security posture, with the primary caveat being possible behavioral differences if the polyfill diverges from native Promise in edge cases. Confidence: 1.00 Severity: 0.60 From: ? → npm/@solana/web3.js@1.78.4 → npm/es6-promise@4.2.8 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/es6-promise@4.2.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm foreground-child is 100.0% likely to have a medium risk anomaly Notes: The code implements a watchdog pattern to terminate a specified PID in response to SIGHUP, which is an unconventional but known reliability/cleanup mechanism. The presence of a likely syntax error and lack of robust input validation reduce reliability and introduce risk. There is no evidence of data exfiltration or network activity; however, the ability to kill arbitrary PIDs poses a moderate security risk if misused within an extension. The overall assessment is that this code is non-malicious by intent but potentially disruptive if deployed without safeguards. Confidence: 1.00 Severity: 0.60 From: ? → npm/@solana/spl-token@0.3.8 → npm/mocha@9.0.3 → npm/@solana/web3.js@1.78.4 → npm/foreground-child@3.1.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/foreground-child@3.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm minipass-fetch is 100.0% likely to have a medium risk anomaly Notes: No evidence of malicious behavior or supply-chain sabotage within this code fragment. The code adheres to standard fetch-like behavior with conventional TLS/config handling. Potential security considerations include the ability to disable TLS verification via an environment variable (a known risk if misused) but this is typical for Node.js TLS configurations and not a deliberate backdoor. Overall risk is moderate due to TLS verification control but not due to malicious intent in this module. Confidence: 1.00 Severity: 0.60 From: ? → npm/@solana/spl-token@0.3.8 → npm/mocha@9.0.3 → npm/@solana/web3.js@1.78.4 → npm/minipass-fetch@3.0.4 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/minipass-fetch@3.0.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm minipass is 100.0% likely to have a medium risk anomaly Notes: The code analyzed is a legitimate streaming utility (Minipass) implementing a robust streaming API with buffering, encoding/decoding, and piping. The primary security concern is the optional exposure of internal state via debug options (debugExposeBuffer, debugExposePipes), which could lead to inadvertent data leakage if misused. No direct malware, exfiltration, or backdoor activity is evident within this fragment. The risk is moderate and largely depends on downstream usage and configuration. Confidence: 1.00 Severity: 0.60 From: ? → npm/@solana/spl-token@0.3.8 → npm/mocha@9.0.3 → npm/@solana/web3.js@1.78.4 → npm/minipass@7.0.4 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/minipass@7.0.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm node-gyp-build is 100.0% likely to have a medium risk anomaly Notes: While the script is intended for legitimate purposes, the direct execution of potentially unsanitized input through 'process.argv' in the exec() function poses a significant security risk. Confidence: 1.00 Severity: 0.60 From: ? → npm/node-gyp-build@4.6.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/node-gyp-build@4.6.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm path-scurry is 100.0% likely to have a medium risk anomaly Notes: The analyzed code is a legitimate, well-structured directory-walking utility that emits filesystem entries through a streaming interface with proper backpressure handling. No evidence of data exfiltration, backdoors, or networked malicious behavior is found in this fragment. Primary security concerns stem from potential path traversal or misconfiguration if filters are overly permissive, rather than intrinsic maliciousness in the library. Confidence: 1.00 Severity: 0.60 From: ? → npm/@solana/spl-token@0.3.8 → npm/mocha@9.0.3 → npm/@solana/web3.js@1.78.4 → npm/path-scurry@1.10.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/path-scurry@1.10.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report