Add stellar skills site by oceans404 · Pull Request #18 · stellar/stellar-dev-skill

oceans404 · 2026-05-15T14:59:10Z

No description provided.

A Next.js 15 static-export site at site/ that mirrors every SKILL.md under skills/ and exposes them as a copy-pastable directory at the deploy origin, plus a /llms.txt index for AI agents. GitHub Pages deploy is branch-based via two workflows at .github/: - deploy-pages.yml publishes main to gh-pages root on push to main. - preview-pr.yml publishes PR previews to gh-pages:/pr/<N>/ with a bot comment containing the URL; cleans up on PR close. Both workflows pin SITE_ORIGIN to production so the hero pill, copy-pastable card URLs, and llms.txt show post-merge URLs even on preview builds. An IS_PREVIEW banner identifies preview builds. Custom-domain cutover is a one-place repo-variable change. Co-Authored-By: mk <86380734+minkyeongshin@users.noreply.github.com>

socket-security · 2026-05-15T14:59:41Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	next@15.5.9
	eslint-config-next@15.4.4
	@next/eslint-plugin-next@15.5.18
	@types/react-dom@19.2.3
	@types/react@19.2.14
	@typescript-eslint/eslint-plugin@8.59.3
	@stellar/design-system@3.2.8
	@types/node@24.12.4
	@next/third-parties@15.5.18
	react@19.2.6
	eslint-config-prettier@10.1.8
	eslint@9.39.4
	typescript@5.9.3
	prettier@3.8.3
	sass@1.99.0
	react-dom@19.2.6
	eslint-plugin-react-hooks@5.2.0

View full report

socket-security · 2026-05-15T14:59:43Z

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Warn		License policy violation: npm `@img/sharp-libvips-darwin-arm64` under LGPL-3.0-or-later Location: Package overview From: site/pnpm-lock.yaml → `npm/next@15.5.9` → `npm/@img/sharp-libvips-darwin-arm64@1.2.4` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@img/sharp-libvips-darwin-arm64@1.2.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm `@img/sharp-libvips-darwin-x64` under LGPL-3.0-or-later Location: Package overview From: site/pnpm-lock.yaml → `npm/next@15.5.9` → `npm/@img/sharp-libvips-darwin-x64@1.2.4` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@img/sharp-libvips-darwin-x64@1.2.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm `@img/sharp-libvips-linux-arm` under LGPL-3.0-or-later Location: Package overview From: site/pnpm-lock.yaml → `npm/next@15.5.9` → `npm/@img/sharp-libvips-linux-arm@1.2.4` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@img/sharp-libvips-linux-arm@1.2.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm `@img/sharp-libvips-linux-arm64` under LGPL-3.0-or-later Location: Package overview From: site/pnpm-lock.yaml → `npm/next@15.5.9` → `npm/@img/sharp-libvips-linux-arm64@1.2.4` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@img/sharp-libvips-linux-arm64@1.2.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm `@img/sharp-libvips-linux-ppc64` under LGPL-3.0-or-later Location: Package overview From: site/pnpm-lock.yaml → `npm/next@15.5.9` → `npm/@img/sharp-libvips-linux-ppc64@1.2.4` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@img/sharp-libvips-linux-ppc64@1.2.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm `@img/sharp-libvips-linux-riscv64` under LGPL-3.0-or-later Location: Package overview From: site/pnpm-lock.yaml → `npm/next@15.5.9` → `npm/@img/sharp-libvips-linux-riscv64@1.2.4` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@img/sharp-libvips-linux-riscv64@1.2.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm `@img/sharp-libvips-linux-s390x` under LGPL-3.0-or-later Location: Package overview From: site/pnpm-lock.yaml → `npm/next@15.5.9` → `npm/@img/sharp-libvips-linux-s390x@1.2.4` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@img/sharp-libvips-linux-s390x@1.2.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm `@img/sharp-libvips-linux-x64` under LGPL-3.0-or-later Location: Package overview From: site/pnpm-lock.yaml → `npm/next@15.5.9` → `npm/@img/sharp-libvips-linux-x64@1.2.4` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@img/sharp-libvips-linux-x64@1.2.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm `@img/sharp-libvips-linuxmusl-arm64` under LGPL-3.0-or-later Location: Package overview From: site/pnpm-lock.yaml → `npm/next@15.5.9` → `npm/@img/sharp-libvips-linuxmusl-arm64@1.2.4` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@img/sharp-libvips-linuxmusl-arm64@1.2.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm `@img/sharp-libvips-linuxmusl-x64` under LGPL-3.0-or-later Location: Package overview From: site/pnpm-lock.yaml → `npm/next@15.5.9` → `npm/@img/sharp-libvips-linuxmusl-x64@1.2.4` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@img/sharp-libvips-linuxmusl-x64@1.2.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm `@img/sharp-wasm32` Location: Package overview From: site/pnpm-lock.yaml → `npm/next@15.5.9` → `npm/@img/sharp-wasm32@0.34.5` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@img/sharp-wasm32@0.34.5`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm `@img/sharp-win32-arm64` Location: Package overview From: site/pnpm-lock.yaml → `npm/next@15.5.9` → `npm/@img/sharp-win32-arm64@0.34.5` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@img/sharp-win32-arm64@0.34.5`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm `@img/sharp-win32-ia32` Location: Package overview From: site/pnpm-lock.yaml → `npm/next@15.5.9` → `npm/@img/sharp-win32-ia32@0.34.5` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@img/sharp-win32-ia32@0.34.5`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm `@img/sharp-win32-x64` Location: Package overview From: site/pnpm-lock.yaml → `npm/next@15.5.9` → `npm/@img/sharp-win32-x64@0.34.5` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@img/sharp-win32-x64@0.34.5`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm `axe-core` under MIT AND MPL-2.0 Location: Package overview From: site/pnpm-lock.yaml → `npm/eslint-config-next@15.4.4` → `npm/axe-core@4.11.4` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/axe-core@4.11.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up CVE: GHSA-26hh-7cqf-hhc6 Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes - Incomplete Fix Follow-Up (HIGH) Affected versions: >= 15.2.0 < 15.5.18; >= 16.0.0 < 16.2.6 Patched version: 15.5.18 From: site/package.json → `npm/next@15.5.9` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/next@15.5.9`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Next.js vulnerable to Denial of Service via connection exhaustion in applications using Cache Components CVE: GHSA-mg66-mrh9-m8jx Next.js vulnerable to Denial of Service via connection exhaustion in applications using Cache Components (HIGH) Affected versions: >= 15.0.0 < 15.5.16; >= 16.0.0 < 16.2.5 Patched version: 15.5.16 From: site/package.json → `npm/next@15.5.9` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/next@15.5.9`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes CVE: GHSA-267c-6grr-h53f Next.js has a Middleware / Proxy bypass in App Router applications via segment-prefetch routes (HIGH) Affected versions: >= 15.2.0 < 15.5.16; >= 16.0.0 < 16.2.5 Patched version: 15.5.16 From: site/package.json → `npm/next@15.5.9` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/next@15.5.9`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n CVE: GHSA-36qx-fr4f-26g5 Next.js has a Middleware / Proxy bypass in Pages Router applications using i18n (HIGH) Affected versions: >= 12.2.0 < 15.5.16; >= 16.0.0 < 16.2.5 Patched version: 15.5.16 From: site/package.json → `npm/next@15.5.9` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/next@15.5.9`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Next.js has a Middleware / Proxy bypass through dynamic route parameter injection CVE: GHSA-492v-c6pp-mqqv Next.js has a Middleware / Proxy bypass through dynamic route parameter injection (HIGH) Affected versions: >= 15.4.0 < 15.5.16; >= 16.0.0 < 16.2.5 Patched version: 15.5.16 From: site/package.json → `npm/next@15.5.9` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/next@15.5.9`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades CVE: GHSA-c4j6-fc7j-m34r Next.js vulnerable to server-side request forgery in applications using WebSocket upgrades (HIGH) Affected versions: >= 13.4.13 < 15.5.16; >= 16.0.0 < 16.2.5 Patched version: 15.5.16 From: site/package.json → `npm/next@15.5.9` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/next@15.5.9`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Next.js Vulnerable to Denial of Service with Server Components CVE: GHSA-8h8q-6873-q5fj Next.js Vulnerable to Denial of Service with Server Components (HIGH) Affected versions: >= 13.0.0 < 15.5.16; >= 16.0.0 < 16.2.5 Patched version: 15.5.16 From: site/package.json → `npm/next@15.5.9` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/next@15.5.9`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components CVE: GHSA-h25m-26qc-wcjf Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components (HIGH) Affected versions: >= 13.0.0 < 15.0.8; >= 15.1.1-canary.0 < 15.1.12; >= 15.2.0-canary.0 < 15.2.9; >= 15.3.0-canary.0 < 15.3.9; >= 15.4.0-canary.0 < 15.4.11; >= 15.5.1-canary.0 < 15.5.10; >= 15.6.0-canary.0 < 15.6.0-canary.61; >= 16.0.0-beta.0 < 16.0.11; >= 16.1.0-canary.0 < 16.1.5 Patched version: 15.5.10 From: site/package.json → `npm/next@15.5.9` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/next@15.5.9`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		High CVE: Next.js has a Denial of Service with Server Components CVE: GHSA-q4gf-8mx6-v5v3 Next.js has a Denial of Service with Server Components (HIGH) Affected versions: >= 13.0.0 < 15.5.15; >= 16.0.0-beta.0 < 16.2.3 Patched version: 15.5.15 From: site/package.json → `npm/next@15.5.9` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/next@15.5.9`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm `next` Location: Package overview From: site/package.json → `npm/next@15.5.9` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/next@15.5.9`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm `typescript` under MIT-Khronos-old License: MIT-Khronos-old - The applicable license policy does not permit this license (5) (package/ThirdPartyNoticeText.txt) License: LicenseRef-W3C-Community-Final-Specification-Agreement - The applicable license policy does not permit this license (5) (package/ThirdPartyNoticeText.txt) From: site/package.json → `npm/typescript@5.9.3` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/typescript@5.9.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Copilot

Pull request overview

Introduces a new Next.js 15 static site under site/ that mirrors the repo's skills/*/SKILL.md files, exposes them as copy-pastable URLs at skills.stellar.org, and emits a sibling /llms.txt index for AI agents. Includes GitHub Pages workflows for main deploys and per-PR previews on the gh-pages branch.

Changes:

Add full Next.js (App Router, static export) site with server-rendered landing page, theme switch, copy-to-clipboard pills, ARIA tablist filtering for skills and installer methods, and 404/error boundaries.
Add build scripts that mirror ../skills/ into public/skills/ and generate public/llms.txt from src/data/skills.ts plus upstream frontmatter.
Add two GitHub Actions workflows (deploy-pages.yml, preview-pr.yml) that publish to gh-pages (root for main, pr/<N>/ for previews) and pin SITE_ORIGIN to production.

Reviewed changes

Copilot reviewed 29 out of 35 changed files in this pull request and generated 17 comments.

Show a summary per file

File	Description
site/src/app/page.tsx	Landing page composition: hero, install tabs, skill grid, ecosystem grid, footer.
site/src/app/layout.tsx	Root layout, fonts, GA, theme class.
site/src/app/error.tsx, not-found.tsx, global-error.tsx, icon.svg	Error/404 pages and favicon.
site/src/app/_components/{SkillCard,SkillsFilter,CopyButton,ThemeSwitchIsland,icons}.tsx	Server card + client islands and inline SVG icons.
site/src/data/skills.ts, installers.mjs	Source-of-truth for cards, filters, installers.
site/src/lib/skill-meta.mjs	Frontmatter + first-H1 parser shared between page and llms.txt.
site/src/styles/{globals,utils}.scss, app/styles.scss	Global styles, px→rem helpers, landing-page styles, CSS-driven filtering.
site/scripts/copy-skills.mjs	Mirrors upstream SKILL.md files into `public/`.
site/scripts/generate-llms-txt.mjs	Regex-parses skills.ts to emit `public/llms.txt`.
site/{package.json,tsconfig.json,next.config.js,.eslintrc.json,.prettierrc.json,.gitignore,.env.example,README.md,CLAUDE.md}	Project configuration and docs.
.github/workflows/{deploy-pages,preview-pr}.yml	Main + per-PR preview deployment to GitHub Pages.

Comments suppressed due to low confidence (1)

site/src/app/_components/CopyButton.tsx:37

The setTimeout callback can fire after the component unmounts (e.g., user changes the active filter tab so the button is removed before 1s elapses), causing a state update on an unmounted component. Track the timeout id and clear it in a useEffect cleanup, or guard the callback with a mounted ref.

    setCopied(true);
    setTimeout(() => setCopied(false), 1000);

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

+    await navigator.clipboard.writeText(value);
+    setCopied(true);
+    setTimeout(() => setCopied(false), 1000);


+const parseArray = (arrayName) => {
+  const re = new RegExp(
+    `${arrayName}[^=]*=\\s*\\[([\\s\\S]*?)\\]\\s*as\\s+const`,
+  );
+  const m = re.exec(source);
+  if (!m) return [];
+  const body = m[1];
+  const entries = [];
+  const objectRe = /\{([\s\S]*?)\},/g;
+  let om;
+  while ((om = objectRe.exec(body)) !== null) {
+    const fields = om[1];
+    const get = (key) => {
+      const fr = new RegExp(`\\b${key}:\\s*"([^"]+)"`);
+      const fm = fr.exec(fields);
+      return fm ? fm[1] : null;
+    };
+    entries.push({
+      source: get("source"),
+      title: get("title"),
+      description: get("description"),
+      copyValue: get("copyValue"),
+      category: get("category"),
+    });
+  }
+  return entries;
+};
+
+const parseFilters = () => {
+  const re = /FILTERS:\s*readonly[^=]*=\s*\[([\s\S]*?)\]\s*as\s+const/;
+  const m = re.exec(source);
+  if (!m) return [];
+  return [...m[1].matchAll(/"([^"]+)"/g)].map((x) => x[1]);
+};


+// Clean stale files before copying so removed skills don't linger.
+rmSync(PUBLIC_SKILLS_DIR, { recursive: true, force: true });
+
+const missing = [];
+for (const source of sources) {
+  const src = join(REPO_ROOT, source);
+  const dest = join(PUBLIC_DIR, source);
+  if (!existsSync(src)) {
+    missing.push(source);
+    continue;
+  }
+  mkdirSync(dirname(dest), { recursive: true });
+  cpSync(src, dest, { dereference: false });
+}
+
+// Apache-2.0 attribution alongside the content.
+const upstreamLicense = join(REPO_ROOT, "LICENSE");
+if (existsSync(upstreamLicense)) {
+  mkdirSync(PUBLIC_SKILLS_DIR, { recursive: true });
+  cpSync(upstreamLicense, join(PUBLIC_SKILLS_DIR, "LICENSE"), {
+    dereference: false,
+  });
+}
+
+if (missing.length > 0) {
+  const lines = missing.map((s) => `  ${s}`).join("\n");
+  const msg = `[copy-skills] ${missing.length} advertised source(s) missing under ${UPSTREAM_SKILLS_DIR}:\n${lines}`;
+  if (strict) {
+    console.error(msg);
+    process.exit(1);
+  }
+  console.warn(msg);
+}


+  return (
+    <html lang="en">
+      <body className="sds-theme-light" data-sds-theme="sds-theme-light">
+        <div id="root">{children}</div>
+        {GA_TRACKING_ENABLED && <GoogleTagManager gtmId="GTM-KCNDDL3" />}
+      </body>
+    </html>


+const parseFrontmatter = (content) => {
+  const match = /^---\s*\n([\s\S]*?)\n---\s*\n?/.exec(content);
+  if (!match) return { frontmatter: {}, body: content };
+  const frontmatter = {};
+  for (const line of match[1].split("\n")) {
+    const kv = /^([\w-]+):\s*(.*)$/.exec(line);
+    if (!kv) continue;
+    let value = kv[2].trim();
+    if (
+      (value.startsWith('"') && value.endsWith('"')) ||
+      (value.startsWith("'") && value.endsWith("'"))
+    ) {
+      value = value.slice(1, -1);
+    }
+    frontmatter[kv[1]] = value;
+  }
+  return { frontmatter, body: content.slice(match[0].length) };
+};


+export default function GlobalError() {
+  return (
+    <html>
+      <body>
+        <NextError statusCode={0} />
+      </body>
+    </html>
+  );
+}


+  contents: write
+
+concurrency:
+  group: pages-main


+          # displayed text. Asset paths (in <script src=…/_next/…>) are
+          # excluded by requiring the match to live inside a text node.
+          if grep -qE "Read [^<]*pr/[0-9]" out/index.html; then


+// Fonts for SDS
+// TODO: switch to next/font/google to avoid render-blocking external CSS
+@import url("https://fonts.googleapis.com/css2?family=Inter:wght@400;500;600&family=Roboto+Mono&display=swap");


+  > .Button {
+    padding-left: 0;
+    padding-right: 0;
+    border-color: transparent !important;
+    background-color: transparent !important;
+    margin-bottom: pxToRem(12px);
+
+    @media (hover: hover) {
+      &:hover {
+        background-color: transparent !important;
+        color: var(--sds-clr-lilac-11) !important;
+      }
+    }
+
+    &:focus,
+    &:focus-visible {
+      outline: none !important;
+      box-shadow: none !important;
+    }
+  }


…trict TS, build scripts

oceans404 and others added 2 commits May 13, 2026 13:49

Design changes for install instructions

e815a2b

Copilot AI review requested due to automatic review settings May 15, 2026 14:59

Copilot started reviewing on behalf of oceans404 May 15, 2026 14:59 View session

Copilot AI reviewed May 15, 2026

View reviewed changes

Address PR review: harden workflows, CopyButton a11y, SEO metadata, s…

4cce07f

…trict TS, build scripts

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add stellar skills site#18

Add stellar skills site#18
oceans404 wants to merge 3 commits into
stellar:mainfrom
oceans404:main

oceans404 commented May 15, 2026

Uh oh!

socket-security Bot commented May 15, 2026 •

edited

Loading

Uh oh!

socket-security Bot commented May 15, 2026 •

edited

Loading

Uh oh!

Copilot AI left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Conversation

oceans404 commented May 15, 2026

Uh oh!

socket-security Bot commented May 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

socket-security Bot commented May 15, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

socket-security Bot commented May 15, 2026 •

edited

Loading

socket-security Bot commented May 15, 2026 •

edited

Loading