@AyushBherwani1998 AyushBherwani1998 commented Dec 5, 2025

Description

  • Update Dynamic example to use v0.2.0 of smart-accounts-kit
  • Update Next.js version

Note

Migrates the Dynamic signer example to smart-accounts-kit v0.2.0 and a newer Next.js, refactoring components and app structure to the updated APIs.

  • Examples — Dynamic signer (examples/smart-accounts/signers/dynamic/):
    • Dependencies: Upgrade smart-accounts-kit to v0.2.0 and update Next.js.
    • Refactors for new APIs:
      • Update src/components/SendUserOperationButton.tsx for the new signing/submission flow.
      • Adapt src/components/TransactionForm.tsx, src/components/Steps.tsx, and src/components/Footer.tsx to the updated SDK/types.
    • App structure: Adjust src/app/layout.tsx and src/app/page.tsx to align with the updated Next.js app setup.

Written by Cursor Bugbot for commit 13b581a. This will update automatically on new commits.

@AyushBherwani1998 AyushBherwani1998 requested review from a team as code owners December 5, 2025 05:46
socket-security bot commented Dec 5, 2025

Caution

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action Severity Alert
Block High
Publisher changed: npm @tailwindcss/node is now published by malfaitrobin

Author: malfaitrobin

From: ? → npm/@tailwindcss/postcss@4.1.18 → npm/@tailwindcss/node@4.1.18

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tailwindcss/node@4.1.18. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block High
Publisher changed: npm @tailwindcss/oxide-android-arm64 is now published by malfaitrobin

Author: malfaitrobin

From: ? → npm/@tailwindcss/postcss@4.1.18 → npm/@tailwindcss/oxide-android-arm64@4.1.18

Block High
Publisher changed: npm @tailwindcss/oxide-wasm32-wasi is now published by malfaitrobin

Author: malfaitrobin

From: ? → npm/@tailwindcss/postcss@4.1.18 → npm/@tailwindcss/oxide-wasm32-wasi@4.1.18

Block High
Publisher changed: npm @tailwindcss/oxide-win32-arm64-msvc is now published by malfaitrobin

Author: malfaitrobin

From: ? → npm/@tailwindcss/postcss@4.1.18 → npm/@tailwindcss/oxide-win32-arm64-msvc@4.1.18

Block Medium
Network access: npm @0no-co/graphqlsp in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: ? → npm/@dynamic-labs/ethereum@4.50.4 → npm/@0no-co/graphqlsp@1.15.2

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Block Medium
Network access: npm @dynamic-labs-wallet/core in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: ? → npm/@dynamic-labs/sdk-react-core@4.50.4 → npm/@dynamic-labs-wallet/core@0.0.211

Block Medium
Network access: npm @dynamic-labs-wallet/core in module http-errors

Module: http-errors

Location: Package overview

From: ? → npm/@dynamic-labs/sdk-react-core@4.50.4 → npm/@dynamic-labs-wallet/core@0.0.211

Block Medium
Network access: npm @dynamic-labs-wallet/core in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: ? → npm/@dynamic-labs/ethereum@4.50.4 → npm/@dynamic-labs-wallet/core@0.0.217

Block Medium
Network access: npm @dynamic-labs-wallet/core in module http-errors

Module: http-errors

Location: Package overview

From: ? → npm/@dynamic-labs/ethereum@4.50.4 → npm/@dynamic-labs-wallet/core@0.0.217

Block Medium
Network access: npm @dynamic-labs/ethereum in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: examples/smart-accounts/signers/dynamic/package.json → npm/@dynamic-labs/ethereum@4.50.4

Block Medium
Network access: npm @dynamic-labs/utils in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: ? → npm/@dynamic-labs/ethereum@4.50.4 → npm/@dynamic-labs/sdk-react-core@4.50.4 → npm/@dynamic-labs/utils@4.50.4

Block Medium
Network access: npm @dynamic-labs/wallet-connector-core in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: ? → npm/@dynamic-labs/ethereum@4.50.4 → npm/@dynamic-labs/sdk-react-core@4.50.4 → npm/@dynamic-labs/wallet-connector-core@4.50.4

Block Medium
Network access: npm @metamask/smart-accounts-kit in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: examples/smart-accounts/signers/dynamic/package.json → npm/@metamask/smart-accounts-kit@0.2.0

Block Medium
Network access: npm @tanstack/query-core in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: ? → npm/@tanstack/react-query@5.90.12 → npm/@tanstack/query-core@5.90.12

Block Medium
Network access: npm @types/node in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: examples/smart-accounts/signers/dynamic/package.json → npm/@types/node@20.19.27

Block Medium
Network access: npm @types/node in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: ? → npm/wagmi@2.19.5 → npm/@dynamic-labs/ethereum@4.50.4 → npm/@types/node@25.0.2

Block Medium
Network access: npm @types/react in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: examples/smart-accounts/signers/dynamic/package.json → npm/@types/react@19.2.7

Block Medium
Network access: npm eslint in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: examples/smart-accounts/signers/dynamic/package.json → npm/eslint@9.39.2

Block Low
Publisher changed: npm lightningcss-android-arm64 is now published by devongovett instead of talalalmrka

New Author: devongovett

Previous Author: talalalmrka

From: ? → npm/@tailwindcss/postcss@4.1.18 → npm/lightningcss-android-arm64@1.30.2

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Warn Medium
Install-time scripts: npm sharp during install

Install script: install

Source: node install/check.js || npm run build

From: ? → npm/next@15.4.10 → npm/sharp@0.34.5

Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Warn Low
Potential code anomaly (AI signal): npm @dynamic-labs/sdk-react-core is 80.0% likely to have a medium risk anomaly

Notes: The module implements a conventional HTTP polling mechanism for establishing a Farcaster connection with proper error handling and a cancellation pathway. There is no clear evidence of malicious behavior such as data exfiltration or backdoors within this fragment. Security concerns center on token handling, external endpoint trust, and potential abuse of polling cadence; ensure upstream token integrity, TLS enforcement, and rate-limiting protections are in place. Overall risk is moderate due to external network interactions, but no malware indicators are detected in this snippet.

Confidence: 0.80

Severity: 0.60

From: examples/smart-accounts/signers/dynamic/package.json → npm/@dynamic-labs/sdk-react-core@4.50.4

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Warn Low
Potential code anomaly (AI signal): npm @dynamic-labs/sdk-react-core is 75.0% likely to have a medium risk anomaly

Notes: The code presents a standard, well-scoped UI component for Sign-In with Passkey. It handles asynchronous flow correctly, provides user-friendly error messaging, and avoids evident data leakage or malicious behavior within this fragment. Overall risk is low; primary concerns would be the robustness of the signInWithPasskey implementation and surrounding contexts, which are outside this fragment.

Confidence: 0.75

Severity: 0.50

From: examples/smart-accounts/signers/dynamic/package.json → npm/@dynamic-labs/sdk-react-core@4.50.4

Warn Low
Potential code anomaly (AI signal): npm @dynamic-labs/sdk-react-core is 78.0% likely to have a medium risk anomaly

Notes: The PasskeySignInSection fragment demonstrates a conventional, well-scoped UI component for initiating a Passkey sign-in with thoughtful user-facing error handling. No evidence of malicious activity, hardcoded secrets, or inadvertent data leakage within this snippet. Security posture largely depends on the underlying signInWithPasskey implementation and the external callbacks, which should be reviewed in their own right.

Confidence: 0.78

Severity: 0.50

From: examples/smart-accounts/signers/dynamic/package.json → npm/@dynamic-labs/sdk-react-core@4.50.4

Warn Low
Potential code anomaly (AI signal): npm axios is 100.0% likely to have a medium risk anomaly

Notes: The analyzed code is a standard Axios defaults/module implementation with no malicious behavior detected. It handles request/response transformations and content-type management in a typical, safe manner. No data exfiltration, backdoors, or privacy-invasive actions are present within this fragment.

Confidence: 1.00

Severity: 0.60

From: ? → npm/wagmi@2.19.5 → npm/@dynamic-labs/ethereum@4.50.4 → npm/@dynamic-labs/sdk-react-core@4.50.4 → npm/axios@1.13.2

Warn Low
Potential code anomaly (AI signal): npm hono is 100.0% likely to have a medium risk anomaly

Notes: The code is a safe, standard utility for streaming text responses. It merely configures response headers and delegates streaming to another module. There is no indication of malicious behavior or data leakage within this fragment.

Confidence: 1.00

Severity: 0.60

From: ? → npm/wagmi@2.19.5 → npm/hono@4.11.1

See 3 more rows in the dashboard


mj-kiwi previously approved these changes Dec 10, 2025
jeffsmale90 previously approved these changes Dec 12, 2025
@jeffsmale90 jeffsmale90 left a comment

LGTM!

"@metamask/smart-accounts-kit": "^0.2.0",
"@tanstack/react-query": "^5.90.6",
"next": "15.3.4",
"next": "15.4.8",
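
Review bot: `"next": "15.4.8"` is an exact pin while the two dependencies above it use caret ranges, so a patched Next.js release will not be picked up by a routine install. Confirm the pin is deliberate, regenerate the lockfile in the same change, and make sure something (a bot or an owner) is responsible for bumping this line when a security release ships.
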
I think we should update to next@15.4.10. https://nextjs.org/blog/security-update-2025-12-11

@jeffsmale90 jeffsmale90 left a comment

lgtm

<SendUserOperationButton
to={address as Address}
value={parseEther(value)}
value={isValidValue ? parseEther(value) : 0n}
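
Review bot: on the `value` prop, falling back to `0n` when `isValidValue` is false means an invalid amount still reaches `SendUserOperationButton` as a well-formed zero-value request instead of being rejected. Prefer disabling the button (or not rendering it) until the input validates, so that `parseEther(value)` only runs on checked input and nothing can be submitted for bad input. The `address as Address` cast on the `to` prop deserves the same runtime check, since a type assertion validates nothing.
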
nit: this could be broken into a variable to avoid complicating the react component

I have already moved the examples to https://github.com/MetaMask/smart-accounts-kit-examples

Have covered all the changes there. In Q1 first week, I'll remove examples from this repo, and rename it.

@AyushBherwani1998 AyushBherwani1998 merged commit a6ec45d into main Dec 19, 2025
12 of 13 checks passed
@AyushBherwani1998 AyushBherwani1998 deleted the dynamic-example branch December 19, 2025 04:44