Support PolkaVM for Hardhat Upgrades Plugin

[KitHat]

Support precompiled contracts for PolkaVM deployments.

What should be done to move this PR to ready state:

• Fix automatic import resolution paritytech/revive#98 merged and released in resolc
• version of Hardhat Polkadot plugin with this compiler released
• ignored tests moved back in

NB: NodeJS version was pushed to 22.x, because Hardhat Polkadot plugin requires built-in WebSocket, that is present only in v22 and higher

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		[email protected] has a High CVE. CVE: GHSA-vj76-c3g6-qr5v tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball (HIGH) Affected versions: >= 3.0.0 < 3.1.1; >= 2.0.0 < 2.1.4; < 1.16.6 Patched version: 2.1.4 From: ? → npm/[email protected] ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		@babel/[email protected] is a AI-detected potential code anomaly. Notes: The analyzed code is a standard, well-structured parsing utility for JavaScript string literals and escapes (consistent with Babel’s helper-string-parser). It includes thorough validation, proper Unicode handling, and defensive error reporting. There is no evidence of malicious behavior, data leakage, or network activity within this fragment. The security risk is low when used as part of a trusted toolchain; the code otherwise poses no evident supply-chain threat based on the provided snippet. Confidence: 1.00 Severity: 0.60 From: ? → npm/[email protected] → npm/@babel/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		@babel/[email protected] is a AI-detected potential code anomaly. Notes: The code is a standard Babel plugin fragment that configures syntax support for TypeScript by manipulating parser plugins. There is no malicious logic, no data exfiltration, and no unsafe operations. It appears to be a legitimate helper for enabling TypeScript syntax in Babel pipelines. Confidence: 1.00 Severity: 0.60 From: ? → npm/@babel/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		[email protected] is a AI-detected potential code anomaly. Notes: The analyzed code fragment is a feature-rich, standard Consola logging utility responsible for redirecting and managing log output with throttling, pausing, and reporter integration. There is no direct evidence of malicious activity, hardcoded secrets, or exfiltration within this snippet. However, the powerful I/O overrides pose privacy and data flow risks if reporters or downstream sinks are untrusted. The security posture hinges on trusted reporters and proper governance of the overall supply chain. Confidence: 1.00 Severity: 0.60 From: ? → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		[email protected] is a AI-detected potential code anomaly. Notes: The analyzed code is a standard, legitimate implementation of a recursive copy utility (copySync) from the fs-extra library. It includes typical safeguards (type checks, destination directory creation, overwrite logic, symlink handling, and optional timestamp preservation) and does not exhibit any malicious behavior such as data exfiltration, remote communication, backdoors, or code injection. The warning about preserveTimestamps on ia32 is a benign, user-facing message. Overall security risk is low, with normal filesystem side effects expected. If any concern exists, it would be about untrusted path manipulation via the src/dest, but this is inherent to any filesystem copy utility and mitigated by the provided option hooks (filter, dereference, etc.). Confidence: 1.00 Severity: 0.60 From: ? → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		[email protected] is a AI-detected potential code anomaly. Notes: The code implements a conventional stream-to-buffer utility with a MaxBuffer guard and convenient helpers. The main risk is the default Infinity maxBuffer which can enable memory exhaustion with untrusted streams; ensure downstream usage sets a sane maxBuffer or prefer streaming aggregations. No evidence of malicious behavior detected. Confidence: 1.00 Severity: 0.60 From: ? → npm/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		[email protected] is a AI-detected potential code anomaly. Notes: The analyzed fragment is a standard, legitimate error-construction utility (make-error) used to create custom error types with proper inheritance and stack traces. No malicious patterns or data exfiltration detected. Security risk remains low under normal usage as a dependency for error handling. Confidence: 1.00 Severity: 0.60 From: ? → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		[email protected] is a AI-detected potential code anomaly. Notes: This file is a helper library that wraps dockerode and execa to pull images, create and start Docker containers via the host socket (/var/run/docker.sock). It accepts unvalidated options for Image names, host bind mounts, environment variables, ports, commands, and container names. A malicious or careless caller could supply a crafted image name to pull and execute arbitrary code, mount sensitive host paths (e.g. /etc, /), inject secrets via environment variables, expose host ports, or otherwise gain remote code execution and privilege escalation on the host. Use only in fully trusted contexts, enforce strict access controls on who can call these functions, and sanitize or whitelist inputs before invoking any Docker actions. Confidence: 1.00 Severity: 0.60 From: ? → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		[email protected] is a AI-detected potential code anomaly. Notes: The code is a conventional, well-scoped implementation of an RxJS-like concat operator. No malicious behavior, data exfiltration, or suspicious I/O detected in this fragment. Security risk is low; malware likelihood is negligible for this isolated operator function. Confidence: 1.00 Severity: 0.60 From: ? → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		[email protected] is a AI-detected potential code anomaly. Notes: The code is a straightforward test runner that automatically executes local test-*.js files. The main security concern is the shell-based invocation of each test, which could allow shell interpretation if filenames are crafted maliciously despite being sourced from the local directory. Overall risk is moderate and largely depends on the trustworthiness of the test files. Confidence: 1.00 Severity: 0.60 From: ? → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		[email protected] is a AI-detected potential code anomaly. Notes: The code presents a conventional V8/Node.js compile-cache mechanism with file-backed storage and a process-wide Module._compile override. While there is no explicit malware or data exfiltration, the approach introduces notable attack surface: cache poisoning risk, race conditions in writes, and potential misuse if the cache store is compromised. The improvements should include: explicit cache integrity verification (e.g., signing or checksums beyond SHA-1), robust error handling with logging for lock failures, isolation of the cache path per-process, and a safer, opt-in alternative to global Module.prototype overrides. Overall security risk is moderate due to cache integrity and supply-chain concerns, with no active malicious behavior detected in isolation. Confidence: 1.00 Severity: 0.60 From: ? → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		[email protected] is a AI-detected potential code anomaly. Notes: The analyzed code fragment represents a legitimate environment-variable integration path for a CLI argument parser (consistent with yargs-parser). There is no evidence of malicious behavior such as data exfiltration or backdoors. The primary security consideration is the potential for environment-driven overrides to affect runtime behavior; this is expected but should be carefully configured to avoid leaking sensitive settings. Overall risk is moderate but acceptable with proper configuration and validation. Confidence: 1.00 Severity: 0.60 From: ? → npm/[email protected] → npm/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​openzeppelin/​contracts@​5.4.0

View full report

[ericglau]

Looking good!

This compiles the core package for both EVM and PVM, but I don't see a way for it to actually run any test cases with the PVM code path.

We should try to find a way to run all of the tests (in both core and plugin-hardhat) using the PVM code path, if feasible, perhaps using a custom GitHub workflow to modify the way it runs. Even if that is not feasible, we should aim to add at least one mainline test scenario (e.g. deploy and upgrade a proxy) using PVM.

(If that has been tested manually already, I think this would be ok as-is, and the automated tests can be added later)

[ericglau]

The test file name doesn't appear in the results when not using ava, so we could add more context in the test name.

Suggested change

	describe('happy path', async () => {
	describe('beacon happy path', async () => {

[ericglau]

Suggested change

	describe('happy path', async () => {
	describe('transparent happy path', async () => {

[ericglau]

Suggested change

	describe('happy path', async () => {
	describe('uups happy path', async () => {

[ericglau]

Are the commented parts needed?

Suggested change

	// test.before(async t => {
	// t.context.Greeter = await ethers.getContractFactory('Greeter');
	// t.context.GreeterV2 = await ethers.getContractFactory('GreeterV2');
	// t.context.GreeterV3 = await ethers.getContractFactory('GreeterV3');
	// });
	// test('happy path', async t => {
	// const { Greeter, GreeterV2, GreeterV3 } = t.context;
	// const greeter = await upgrades.deployProxy(Greeter, ['Hello, Hardhat!'], { kind: 'transparent' });
	// const greeter2 = await upgrades.upgradeProxy(greeter, GreeterV2);
	// await greeter2.waitForDeployment();
	// await greeter2.resetGreeting();
	// const greeter3ImplAddr = await upgrades.prepareUpgrade(await greeter.getAddress(), GreeterV3);
	// const greeter3 = GreeterV3.attach(greeter3ImplAddr);
	// const version3 = await greeter3.version();
	// t.is(version3, 'V3');
	// });

[ericglau]

Can we also add some simple negative tests?

These could be based on

• packages/plugin-hardhat/test/uups-upgrade-validation.js for basic contract validations which do not use storage layout. The current test case checks for selfdestruct, but since that opcode isn't in PolkaVM, it can be adjusted to test for some other unsafe pattern, such as a contract with a constructor.
• packages/plugin-hardhat/test/uups-upgrade-storage.js for basic storage layout validation (when storage layouts are available in resolc)

[ericglau]

This test case was originally intended to check for unsafe patterns in the implementation contract itself, unrelated to storage layout. Since there is no selfdestruct, we should test for another pattern such as with a constructor in InvalidPVMProxiable.

Specifically, I would suggest:

1. Add a storage variable string greeting; in InvalidPVMProxiable so that its storage layout matches that of GreeterProxiable
2. Add a constructor in InvalidPVMProxiable
3. Change this expect to look for an error about the constructor.