Skip to content

chore: Bump ses from 2.1.0 to 2.2.0#4037

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/main/ses-2.2.0
Open

chore: Bump ses from 2.1.0 to 2.2.0#4037
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/main/ses-2.2.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 16, 2026

Copy link
Copy Markdown
Contributor

Bumps ses from 2.1.0 to 2.2.0.

Release notes

Sourced from ses's releases.

ses@2.2.0

Minor Changes

  • #3285 889be5e Thanks @​erights! - Permit both initial powerful Temporal and safe shared Temporal

  • #2422 fe6be07 Thanks @​kriskowal! - Add support for host module exits in bundled compartments.

    ses exports a new StrictModuleDescriptor type that consists only of the NamespaceModuleDescriptor and SourceModuleDescriptor shapes mutually supported by SES and XS.

    compartment-mapper lets arbitrary module descriptors pass through importHook when no policy is in effect for that edge (the policy-enforcement runtime was previously limited to virtual module sources). It also implicitly treats any module specifier with a URL-scheme prefix (like node:fs) as an exit module when bundling, removing the need for an additional bundler flag in the common case.

    import-bundle threads the importHook option through to the underlying compartment so that bundled applications can route exits to host-provided implementations at import time. Host-provided modules must be hardened and pure to avoid being a side-channel or man-in-the-middle attack surface between guests.

Changelog

Sourced from ses's changelog.

2.2.0

Minor Changes

  • #3285 889be5e Thanks @​erights! - Permit both initial powerful Temporal and safe shared Temporal

  • #2422 fe6be07 Thanks @​kriskowal! - Add support for host module exits in bundled compartments.

    ses exports a new StrictModuleDescriptor type that consists only of the NamespaceModuleDescriptor and SourceModuleDescriptor shapes mutually supported by SES and XS.

    compartment-mapper lets arbitrary module descriptors pass through importHook when no policy is in effect for that edge (the policy-enforcement runtime was previously limited to virtual module sources). It also implicitly treats any module specifier with a URL-scheme prefix (like node:fs) as an exit module when bundling, removing the need for an additional bundler flag in the common case.

    import-bundle threads the importHook option through to the underlying compartment so that bundled applications can route exits to host-provided implementations at import time. Host-provided modules must be hardened and pure to avoid being a side-channel or man-in-the-middle attack surface between guests.

Commits
  • 665f015 Version Packages
  • 7421d6e fix(ses): tuple-typed args restores Parameters<typeof compartmentOptions> ove...
  • 8937b37 feat(ses): StrictModuleDescriptor type
  • 5065e72 fix(ses): Consolidate Compartment jsdoc comments
  • d45818c fix(ses): Deduplicate dist types
  • c423ed3 chore(eslint-plugin): require underscore-delimited groups in numeric literals
  • 889be5e feat(ses): permit Temporal (#3285)
  • See full diff in compare view
Maintainer changes

This version was pushed to npm by kriscendobot, a new releaser for ses since your current version.


@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 16, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 16, 2026 06:06
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 16, 2026
@socket-security

socket-security Bot commented Jun 16, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedses@​2.1.0 ⏵ 2.2.088 -1210010093 +1100

View full report

@socket-security

socket-security Bot commented Jun 16, 2026

Copy link
Copy Markdown

Caution

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action Severity Alert  (click "▶" to expand/collapse)
Block High
Publisher changed: npm ses is now published by kriscendobot

Author: kriscendobot

From: packages/snaps-execution-environments/package.jsonnpm/ses@2.2.0

ℹ Read more on: This package | This alert | What is unstable ownership?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ses@2.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Potential security risk (AI signal): npm ses

Notes: undefined

Confidence: undefined

Severity: undefined

From: packages/snaps-execution-environments/package.jsonnpm/ses@2.2.0

ℹ Read more on: This package | This alert | What are AI-detected potential security risks?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system identified potential security problems in this package. It is advised to review the package thoroughly and assess the potential risks before installation. You may also consider reporting the issue to the package maintainer or seeking alternative solutions with a stronger security posture.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ses@2.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Publisher changed: npm ses is now published by kriscendobot instead of boneskull

New Author: kriscendobot

Previous Author: boneskull

From: packages/snaps-execution-environments/package.jsonnpm/ses@2.2.0

ℹ Read more on: This package | This alert | What is new author?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ses@2.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm ses is 70.0% likely to have a medium risk anomaly

Notes: The file package/dist/ses.umd.min.js contains an SES/Compartment-based module loader/runtime fragment that uses dynamic evaluation and can modify global intrinsics. While heavily obfuscated, there is no evidence of malware behavior such as data exfiltration or backdoors; the behavior aligns with sandbox hardening rather than active exploitation.

Confidence: 0.70

Severity: 0.35

From: packages/snaps-execution-environments/package.jsonnpm/ses@2.2.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ses@2.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@dependabot dependabot Bot temporarily deployed to default-branch June 16, 2026 06:07 Inactive
@dependabot dependabot Bot temporarily deployed to default-branch June 16, 2026 06:08 Inactive
@dependabot dependabot Bot temporarily deployed to default-branch June 16, 2026 06:09 Inactive
@dependabot dependabot Bot temporarily deployed to default-branch June 16, 2026 06:11 Inactive
@dependabot dependabot Bot temporarily deployed to default-branch June 16, 2026 06:11 Inactive
@dependabot dependabot Bot temporarily deployed to default-branch June 16, 2026 06:13 Inactive
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/main/ses-2.2.0 branch from e6865a6 to 4289bfc Compare July 2, 2026 10:41
@dependabot dependabot Bot temporarily deployed to default-branch July 2, 2026 10:41 Inactive
@dependabot dependabot Bot temporarily deployed to default-branch July 2, 2026 10:42 Inactive
@dependabot dependabot Bot temporarily deployed to default-branch July 2, 2026 10:43 Inactive
@dependabot dependabot Bot temporarily deployed to default-branch July 2, 2026 10:44 Inactive
@dependabot dependabot Bot temporarily deployed to default-branch July 2, 2026 10:44 Inactive
@dependabot dependabot Bot temporarily deployed to default-branch July 2, 2026 10:48 Inactive
Bumps [ses](https://github.com/endojs/endo/tree/HEAD/packages/ses) from 2.1.0 to 2.2.0.
- [Release notes](https://github.com/endojs/endo/releases)
- [Changelog](https://github.com/endojs/endo/blob/master/packages/ses/CHANGELOG.md)
- [Commits](https://github.com/endojs/endo/commits/ses@2.2.0/packages/ses)

---
updated-dependencies:
- dependency-name: ses
  dependency-version: 2.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/main/ses-2.2.0 branch from 4289bfc to bb03564 Compare July 2, 2026 11:05
@dependabot dependabot Bot temporarily deployed to default-branch July 2, 2026 11:06 Inactive
@dependabot dependabot Bot temporarily deployed to default-branch July 2, 2026 11:07 Inactive
@dependabot dependabot Bot temporarily deployed to default-branch July 2, 2026 11:08 Inactive
@dependabot dependabot Bot temporarily deployed to default-branch July 2, 2026 11:09 Inactive
@dependabot dependabot Bot temporarily deployed to default-branch July 2, 2026 11:09 Inactive
@dependabot dependabot Bot temporarily deployed to default-branch July 2, 2026 11:13 Inactive
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants