
Conversation


@dependabot dependabot bot commented on behalf of github Sep 12, 2025

Bumps the npm_and_yarn group with 1 update in the / directory: hardhat.

Updates hardhat from 2.17.2 to 3.0.6

Release notes

Sourced from hardhat's releases.

Hardhat v3.0.6

This release is a small bug fix release that adds a deprecation warning for testFail_* functions in Solidity Test, and resolves a dependency issue affecting rpc utils.

Changes

  • 609d05c: Add deprecation warning for testFail_* test functions
  • 8c1cb1e: Fixed dependencies for Hardhat so rpc utils can be loaded (#7415)

💡 The Nomic Foundation is hiring! Check our open positions.


Hardhat v3.0.5

This release adds support for custom compilers along with multiple bug fixes.

Changes

  • 8d3b16c: Support for custom compilers (#7130)
  • a475780: Added automatic proxy detection for hardhat-verify and fixed case-insensitive proxy environment variables for network requests (#7407)
  • 0bfe6ac: Fixed coverage report when loading data from large test suites (#7385)
  • be469d6: Display an error message when attempting to use a global hardhat installation in a local repo (#5362)
  • bebf87c: Added support for Linea network verification, thanks @kyzooghost (#7357)
  • 49cc9ba: Load resolved global options into environment variables during tests (#7305)
  • 3996886: Fixed getBuildInfoPath and getBuildInfoOutputPath to correctly return undefined when build info files are missing (#7052)

Hardhat v3.0.4

This release is a small bug fix release to improve validation in Solidity test configuration.

Changes

  • af301a8: Update validation for solidity test config (#7205)

Hardhat v3.0.3

This release is a small bug fix release and includes a resolution for a bug when making historical calls in a forked network.

Changes

  • 34a5bc9: Fixed an issue when making historical calls in a forked network (#7271)
  • e0e658a: Upgraded EDR to 0.12.0-next.5. This brings a fix for expectEmit cheatcode stack traces and performance improvements from upgrading to REVM 27 (#1063)

... (truncated)

Changelog

Sourced from hardhat's changelog.

3.0.6

Patch Changes

  • 609d05c: Add deprecation warning for testFail_* test functions
  • 8c1cb1e: Fixed dependencies for Hardhat so rpc utils can be loaded (#7415)

3.0.5

Patch Changes

  • bebf87c: Added support for Linea network verification, thanks @kyzooghost (#7357)
  • 0bfe6ac: Fixed coverage report when loading data from large test suites (#7385)
  • be469d6: Display an error message when attempting to use a global hardhat installation in a local repo (#5362)
  • 49cc9ba: Load resolved global options into environment variables during tests (#7305)
  • 8d3b16c: Support for custom compilers (#7130)
  • a475780: Added automatic proxy detection for hardhat-verify and fixed case-insensitive proxy environment variables for network requests (#7407)
  • 3996886: Fixed getBuildInfoPath and getBuildInfoOutputPath to correctly return undefined when build info files are missing (#7052)

3.0.4

Patch Changes

  • af301a8: Update validation for solidity test config (#7205)

3.0.3

Patch Changes

  • 34a5bc9: Fixed an issue when making historical calls in a forked network (#7271)
  • e0e658a: Upgraded EDR to 0.12.0-next.5. This brings a fix for expectEmit cheatcode stack traces and performance improvements from upgrading to REVM 27 (#1063)

3.0.2

Patch Changes

  • d45d544: Fixed passing global network options to node:test and mocha subprocesses (#7248)
  • 003e72c: Help message phrasing unified
  • 0120e67: Added warning when running with a non-LTS Node version (#7167)
  • 9261714: Update npm module regex to include versions in solidity imports (#7308)

3.0.1

Patch Changes

  • a3bd239: Add Yarn support for Hardhat v3 (#7192)
  • 617254e: Move extraneous dependency to peer (#7231)
  • 6446a38: Add temporary fix for incorrect error message (#7168)
  • 6361ea4: Fixed an issue with compiling a Hardhat project after switching OS users (#7161)
  • 5c9ee7f: Warn the user if they are not using the latest version of Hardhat

... (truncated)

Commits
  • 4abca88 Version Packages
  • 3f01d02 Merge branch 'main' into 7253
  • 28430ee remove unnecessary name check
  • f1d260d Version Packages
  • abc9f13 Merge pull request #7407 from NomicFoundation/use-proxy
  • d9608fa fix: use getProxyUrl in getHttpDispatcher
  • a500780 Merge branch 'main' into 7253
  • 1fdcd02 Improve error messages for viem assertions (#7384)
  • ba6773d improve testFail* deprecation warning handling
  • b321e15 fix: address code review feedback for testFail warning function
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by nomic-foundation-publisher, a new releaser for hardhat since your current version.


Updates ws from 7.4.6 to 8.18.3

Release notes

Sourced from ws's releases.

8.18.3

Bug fixes

  • Fixed a spec violation where the Sec-WebSocket-Version header was not added to the HTTP response if the client requested version was either invalid or unacceptable (33f5dbaf).

8.18.2

Bug fixes

  • Fixed an issue that, during message decompression when the maximum size was exceeded, led to the emission of an inaccurate error and closure of the connection with an improper close code (#2285).

8.18.1

Bug fixes

  • The length of the UNIX domain socket paths in the tests has been shortened to make them work when run via CITGM (021f7b8b).

8.18.0

Features

  • Added support for Blob (#2229).

8.17.1

Bug fixes

  • Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the `server.maxHeadersCount` threshold could be used to crash a ws server.

```js
const http = require('http');
const WebSocket = require('ws');

const wss = new WebSocket.Server({ port: 0 }, function () {
  const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
  const headers = {};
  let count = 0;

  for (let i = 0; i < chars.length; i++) {
    if (count === 2000) break;

    for (let j = 0; j < chars.length; j++) {
      const key = chars[i] + chars[j];
      headers[key] = 'x';
```

... (truncated)

Commits

Updates undici from 5.26.3 to 6.21.3

Release notes

Sourced from undici's releases.

v6.21.3

What's Changed

Full Changelog: nodejs/undici@v6.21.2...v6.21.3

v6.21.2

What's Changed

New Contributors

Full Changelog: nodejs/undici@v6.21.1...v6.21.2

v6.21.1

⚠️ Security Release ⚠️

Fixes CVE-2025-22150 / GHSA-c76h-2ccp-4975 (embargoed until 22-01-2025).

What's Changed

Full Changelog: nodejs/undici@v6.21.0...v6.21.1

v6.21.0

What's Changed

Full Changelog: nodejs/undici@v6.20.1...v6.21.0

v6.20.1

What's Changed

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Sep 12, 2025
socket-security bot commented Sep 12, 2025

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                  Supply Chain Security   Vulnerability   Quality   Maintenance   License
Updated  hardhat@2.26.3 ⏵ 3.0.6   99 +5                   100             82 -8     100 +3        100 +20

View full report

socket-security bot commented Sep 12, 2025

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Block Low
[email protected] is an AI-detected potential code anomaly.

Notes: This module deliberately installs a hidden signal handler that forwards SIGINT/SIGTERM events to a client-provided callback (likely a remote server) and hides that handler from listener inspection. The behavior is stealthy and could be used to exfiltrate operational signals or telemetry. There is no clear destructive payload here, but the hiding of handlers and forwarding of runtime signals to a remote endpoint is suspicious and warrants caution. Review the client.connectingToServer implementation and any loaded './cjs/index.cjs' code to determine what data is transmitted and to which endpoints before trusting this package.

Confidence: 1.00

Severity: 0.60

From: package-lock.json › npm/[email protected] › npm/[email protected]

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
[email protected] is an AI-detected potential code anomaly.

Notes: The analyzed code appears to implement a standard in-memory cache batch operation flow (put/delete) with careful handling of response bodies by buffering and storing bytes for caching. No signs of malware, data exfiltration, backdoors, or obfuscated behavior were found. The primary security considerations relate to memory usage from buffering potentially large response bodies and ensuring robust validation within batch operations to prevent cache state corruption. Overall risk is moderate, driven by in-memory data handling rather than external communication.

Confidence: 1.00

Severity: 0.60

From: package-lock.json › npm/[email protected] › npm/[email protected]

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
[email protected] is an AI-detected potential code anomaly.

Notes: No explicit network exfiltration, reverse shell, or credential theft is present in this fragment. However, the code assembles and compiles arbitrary code via the Function constructor and invokes passed-in functions immediately (twice). That behavior constitutes a strong dangerous primitive (arbitrary code execution) which can be abused if any inputs (strings or args) are attacker-controlled. Treat this module as risky in threat models where inputs are not fully trusted; review call sites and sanitize/validate inputs or avoid dynamic evaluation.

Confidence: 1.00

Severity: 0.60

From: package-lock.json › npm/[email protected] › npm/[email protected]

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/npm_and_yarn-328a95834b branch 2 times, most recently from 9e2b2b8 to 957f086 on September 13, 2025 12:57

Bumps the npm_and_yarn group with 1 update in the / directory: [hardhat](https://github.com/NomicFoundation/hardhat/tree/HEAD/v-next/hardhat).


Updates `hardhat` from 2.17.2 to 3.0.6
- [Release notes](https://github.com/NomicFoundation/hardhat/releases)
- [Changelog](https://github.com/NomicFoundation/hardhat/blob/main/v-next/hardhat/CHANGELOG.md)
- [Commits](https://github.com/NomicFoundation/hardhat/commits/[email protected]/v-next/hardhat)

Updates `ws` from 7.4.6 to 8.18.3
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@7.4.6...8.18.3)

Updates `undici` from 5.26.3 to 6.21.3
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v5.26.3...v6.21.3)

---
updated-dependencies:
- dependency-name: hardhat
  dependency-version: 3.0.6
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: ws
  dependency-version: 8.18.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: undici
  dependency-version: 6.21.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/npm_and_yarn-328a95834b branch from 957f086 to 4e7917f on September 18, 2025 15:35