Update dependency hardhat to v3

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
hardhat (source)	^2.26.3 -> ^3.0.0

---

Release Notes

NomicFoundation/hardhat (hardhat)

v3.0.9

Compare Source

Patch Changes

• 0ee442d: All test runners now set NODE_ENV to "test" in case it is not set before the tests start (#​7511)
• b27b924: Fix bug in flatten task where ordering was incorrect (#​7586)

v3.0.8

Compare Source

Patch Changes

• d2c9a7f: Don't swallow the original error when trying to improve installation error messages (#​7569)
• ec50793: Validate initialBaseFeePerGas against hardfork only for L1 chain type (#​6181)

v3.0.7

Compare Source

Patch Changes

• 138d673: Added network.createServer(...) to spawn a Hardhat node programmatically (#​6472)
• d414eda: Added support for conditional dependencies on plugins (#​7424)
• 138d673: Added support for compiling solidity tests separately from contracts (#​6474)
• e17972f: Added hre.versions with Hardhat and EDR package versions.
• 34add2d: Added configVariable support for test.solidity.forking config
• b13620a: Added compilation progress spinner to show build progress (#​7460)
• 4c65d3e: Automatically add compilation results to a running npx hardhat node on recompilation (#​6040)
• 138d673: Updated EDR to version 0.12.0-next.7
• d821a0a: Fixed npm artifact cleanup on windows (#​7459)
• 138d673: Fixed creation of network connections to include config extensions from plugins (#​7106)

v3.0.6

Compare Source

Patch Changes

• 609d05c: Add deprecation warning for testFail_* test functions
• 8c1cb1e: Fixed dependencies for Hardhat so rpc utils can be loaded (#​7415)

v3.0.5

Compare Source

Patch Changes

• bebf87c: Added support for Linea network verification, thanks @​kyzooghost (#​7357)
• 0bfe6ac: Fixed coverage report when loading data from large test suites (#​7385)
• be469d6: Display an error message when attempting to use a global hardhat installation in a local repo (#​5362)
• 49cc9ba: Load resolved global options into environment variables during tests (#​7305)
• 8d3b16c: Support for custom compilers (#​7130)
• a475780: Added automatic proxy detection for hardhat-verify and fixed case-insensitive proxy environment variables for network requests (#​7407)
• 3996886: Fixed getBuildInfoPath and getBuildInfoOutputPath to correctly return undefined when build info files are missing 7052

v3.0.4

Compare Source

Patch Changes

• af301a8: Update validation for solidity test config (#​7205)

v3.0.3

Compare Source

Patch Changes

• 34a5bc9: Fixed an issue when making historical calls in a forked network (#​7271)
• e0e658a: Upgraded EDR to 0.12.0-next.5. This brings a fix for expectEmit cheatcode stack traces and performance improvements from upgrading to REVM 27 (#​1063)

v3.0.2

Compare Source

Patch Changes

• d45d544: Fixed passing global network options to node:test and mocha subprocesses (#​7248)
• 003e72c: Help message phrasing unified
• 0120e67: Added warning when running with a non-LTS Node version (#​7167)
• 9261714: Update npm module regex to include versions in solidity imports (#​7308)

v3.0.1

Compare Source

Patch Changes

• a3bd239: Add Yarn support for Hardhat v3 (#​7192)
• 617254e: Move extraneous dependency to peer (#​7231)
• 6446a38: Add temporary fix for incorrect error message (#​7168)
• 6361ea4: Fixed an issue with compiling a Hardhat project after switching OS users (#​7161)
• 5c9ee7f: Warn the user if they are not using the latest version of Hardhat
• 0fc1f3f: Remove full stops from help message descriptions (#​7185)
• 8acf48f: Improved exception filtering for Sentry telemetry (#​7246)
• e7d2f80: Added missing Solidity test config option allowInternalExpectRevert.

v3.0.0

Compare Source

Major Changes

• 29cc141: First release of Hardhat 3!

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	hardhat@​2.26.3 ⏵ 3.0.9	+5		-8		+20

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		[email protected] is a AI-detected potential code anomaly. Notes: The code is a security-conscious utility for running a compiler subprocess and collecting its output. It uses temporary files and careful stream handling to avoid large buffers and ensure proper cleanup. No suspicious data leakage, hardcoded credentials, or backdoors are evident. The primary risk is the inherent risk of spawning external processes, but this is standard for compilers in build tools and is mitigated by controlled I/O and error handling. Confidence: 0.75 Severity: 0.55 From: package-lock.json → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		[email protected] is a AI-detected potential code anomaly. Notes: This fragment appears to be a bundler-generated bootstrap/initialization piece that imports many modules and executes an initialization function (r). No explicit malicious activity is evident within this fragment itself, but the risk stems from side effects of the imported modules on load. A careful review of the implementations of the imported modules (especially those exporting r and those performing initialization, build-time, or network/file operations) is recommended to rule out hidden telemetry, backdoors, or undesired side effects. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		[email protected] is a AI-detected potential code anomaly. Notes: The analyzed code appears to implement a standard in-memory cache batch operation flow (put/delete) with careful handling of response bodies by buffering and storing bytes for caching. No signs of malware, data exfiltration, backdoors, or obfuscated behavior were found. The primary security considerations relate to memory usage from buffering potentially large response bodies and ensuring robust validation within batch operations to prevent cache state corruption. Overall risk is moderate, driven by in-memory data handling rather than external communication. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		[email protected] is a AI-detected potential code anomaly. Notes: The code implements a standard EventTarget-like mixin for wrapping event listeners and dispatching events to user callbacks. There are no suspicious patterns such as dynamic code execution, hardcoded secrets, or network activity. The risk is contingent on what the consumer does inside their handlers; the snippet itself does not introduce malware or data leakage mechanisms beyond normal event dispatch. Overall security risk is low in isolation. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		[email protected] is a AI-detected potential code anomaly. Notes: No explicit network exfiltration, reverse shell, or credential theft is present in this fragment. However, the code assembles and compiles arbitrary code via the Function constructor and invokes passed-in functions immediately (twice). That behavior constitutes a strong dangerous primitive (arbitrary code execution) which can be abused if any inputs (strings or args) are attacker-controlled. Treat this module as risky in threat models where inputs are not fully trusted; review call sites and sanitize/validate inputs or avoid dynamic evaluation. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report