chore(deps): update dependency @openzeppelin/contracts-upgradeable to v5

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@openzeppelin/contracts-upgradeable (source)	4.9.6 -> 5.0.2

---

Release Notes

OpenZeppelin/openzeppelin-contracts-upgradeable (@​openzeppelin/contracts-upgradeable)

v5.0.2

Compare Source

• Base64: Fix issue where dirty memory located just after the input buffer is affecting the result. (#​4926)

v5.0.1

Compare Source

• ERC2771Context and Context: Introduce a _contextPrefixLength() getter, used to trim extra information appended to msg.data.
• Multicall: Make aware of non-canonical context (i.e. msg.sender is not _msgSender()), allowing compatibility with ERC2771Context.

v5.0.0

Compare Source

Additions Summary

The following contracts and libraries were added:

• AccessManager: A consolidated system for managing access control in complex systems.
  • AccessManaged: A module for connecting a contract to an authority in charge of its access control.
  • GovernorTimelockAccess: An adapter for time-locking governance proposals using an AccessManager.
  • AuthorityUtils: A library of utilities for interacting with authority contracts.
• GovernorStorage: A Governor module that stores proposal details in storage.
• ERC2771Forwarder: An ERC2771 forwarder for meta transactions.
• ERC1967Utils: A library with ERC1967 events, errors and getters.
• Nonces: An abstraction for managing account nonces.
• MessageHashUtils: A library for producing digests for ECDSA operations.
• Time: A library with helpers for manipulating time-related objects.

Removals Summary

The following contracts, libraries, and functions were removed:

• Address.isContract (because of its ambiguous nature and potential for misuse)
• Checkpoints.History
• Counters
• ERC20Snapshot
• ERC20VotesComp
• ERC165Storage (in favor of inheritance based approach)
• ERC777
• ERC1820Implementer
• GovernorVotesComp
• GovernorProposalThreshold (deprecated since 4.4)
• PaymentSplitter
• PullPayment
• SafeMath
• SignedSafeMath
• Timers
• TokenTimelock (in favor of VestingWallet)
• All escrow contracts (Escrow, ConditionalEscrow and RefundEscrow)
• All cross-chain contracts, including AccessControlCrossChain and all the vendored bridge interfaces
• All presets in favor of OpenZeppelin Contracts Wizard

These removals were implemented in the following PRs: #​3637, #​3880, #​3945, #​4258, #​4276, #​4289

Changes by category

General

• Replaced revert strings and require statements with custom errors. (#​4261)
• Bumped minimum compiler version required to 0.8.20 (#​4288, #​4489)
• Use of abi.encodeCall in place of abi.encodeWithSelector and abi.encodeWithSignature for improved type-checking of parameters (#​4293)
• Replaced some uses of abi.encodePacked with clearer alternatives (e.g. bytes.concat, string.concat). (#​4504) (#​4296)
• Overrides are now used internally for a number of functions that were previously hardcoded to their default implementation in certain locations: ERC1155Supply.totalSupply, ERC721.ownerOf, ERC721.balanceOf and ERC721.totalSupply in ERC721Enumerable, ERC20.totalSupply in ERC20FlashMint, and ERC1967._getImplementation in ERC1967Proxy. (#​4299)
• Removed the override specifier from functions that only override a single interface function. (#​4315)
• Switched to using explicit Solidity import statements. Some previously available symbols may now have to be separately imported. (#​4399)
• Governor, Initializable, and UUPSUpgradeable: Use internal functions in modifiers to optimize bytecode size. (#​4472)
• Upgradeable contracts now use namespaced storage (EIP-7201). (#​4534)
• Upgradeable contracts no longer transpile interfaces and libraries. (#​4628)

Access

• Ownable: Added an initialOwner parameter to the constructor, making the ownership initialization explicit. (#​4267)
• Ownable: Prevent using address(0) as the initial owner. (#​4531)
• AccessControl: Added a boolean return value to the internal _grantRole and _revokeRole functions indicating whether the role was granted or revoked. (#​4241)
• access: Moved AccessControl extensions to a dedicated directory. (#​4359)
• AccessManager: Added a new contract for managing access control of complex systems in a consolidated location. (#​4121)
• AccessManager, AccessManaged, GovernorTimelockAccess: Ensure that calldata shorter than 4 bytes is not padded to 4 bytes. (#​4624)
• AccessManager: Use named return parameters in functions that return multiple values. (#​4624)
• AccessManager: Make schedule and execute more conservative when delay is 0. (#​4644)

Finance

• VestingWallet: Fixed revert during 1 second time window when duration is 0. (#​4502)
• VestingWallet: Use Ownable instead of an immutable beneficiary. (#​4508)

Governance

• Governor: Optimized use of storage for proposal data (#​4268)
• Governor: Added validation in ERC1155 and ERC721 receiver hooks to ensure Governor is the executor. (#​4314)
• Governor: Refactored internals to implement common queuing logic in the core module of the Governor. Added queue and _queueOperations functions that act at different levels. Modules that implement queuing via timelocks are expected to override _queueOperations to implement the timelock-specific logic. Added _executeOperations as the equivalent for execution. (#​4360)
• Governor: Added voter and nonce parameters in signed ballots, to avoid forging signatures for random addresses, prevent signature replay, and allow invalidating signatures. Add voter as a new parameter in the castVoteBySig and castVoteWithReasonAndParamsBySig functions. (#​4378)
• Governor: Added support for casting votes with ERC-1271 signatures by using a bytes memory signature instead of r, s and v arguments in the castVoteBySig and castVoteWithReasonAndParamsBySig functions. (#​4418)
• Governor: Added a mechanism to restrict the address of the proposer using a suffix in the description.
• GovernorStorage: Added a new governor extension that stores the proposal details in storage, with an interface that operates on proposalId, as well as proposal enumerability. This replaces the old GovernorCompatibilityBravo module. (#​4360)
• GovernorTimelockAccess: Added a module to connect a governor with an instance of AccessManager, allowing the governor to make calls that are delay-restricted by the manager using the normal queue workflow. (#​4523)
• GovernorTimelockControl: Clean up timelock id on execution for gas refund. (#​4118)
• GovernorTimelockControl: Added the Governor instance address as part of the TimelockController operation salt to avoid operation id collisions between governors using the same TimelockController. (#​4432)
• TimelockController: Changed the role architecture to use DEFAULT_ADMIN_ROLE as the admin for all roles, instead of the bespoke TIMELOCK_ADMIN_ROLE that was used previously. This aligns with the general recommendation for AccessControl and makes the addition of new roles easier. Accordingly, the admin parameter and timelock will now be granted DEFAULT_ADMIN_ROLE instead of TIMELOCK_ADMIN_ROLE. (#​3799)
• TimelockController: Added a state getter that returns an OperationState enum. (#​4358)
• Votes: Use Trace208 for checkpoints. This enables EIP-6372 clock support for keys but reduces the max supported voting power to uint208. (#​4539)

Metatx

• ERC2771Forwarder: Added deadline for expiring transactions, batching, and more secure handling of msg.value. (#​4346)
• ERC2771Context: Return the forwarder address whenever the msg.data of a call originating from a trusted forwarder is not long enough to contain the request signer address (i.e. msg.data.length is less than 20 bytes), as specified by ERC-2771. (#​4481)
• ERC2771Context: Prevent revert in _msgData() when a call originating from a trusted forwarder is not long enough to contain the request signer address (i.e. msg.data.length is less than 20 bytes). Return the full calldata in that case. (#​4484)

Proxy

• ProxyAdmin: Removed getProxyAdmin and getProxyImplementation getters. (#​3820)
• TransparentUpgradeableProxy: Removed admin and implementation getters, which were only callable by the proxy owner and thus not very useful. (#​3820)
• ERC1967Utils: Refactored the ERC1967Upgrade abstract contract as a library. (#​4325)
• TransparentUpgradeableProxy: Admin is now stored in an immutable variable (set during construction) to avoid unnecessary storage reads on every proxy call. This removed the ability to ever change the admin. Transfer of the upgrade capability is exclusively handled through the ownership of the ProxyAdmin. (#​4354)
• Moved the logic to validate ERC-1822 during an upgrade from ERC1967Utils to UUPSUpgradeable. (#​4356)
• UUPSUpgradeable, TransparentUpgradeableProxy and ProxyAdmin: Removed upgradeTo and upgrade functions, and made upgradeToAndCall and upgradeAndCall ignore the data argument if it is empty. It is no longer possible to invoke the receive function (or send value with empty data) along with an upgrade. (#​4382)
• BeaconProxy: Reject value in initialization unless a payable function is explicitly invoked. (#​4382)
• Proxy: Removed redundant receive function. (#​4434)
• BeaconProxy: Use an immutable variable to store the address of the beacon. It is no longer possible for a BeaconProxy to upgrade by changing to another beacon. (#​4435)
• Initializable: Use the namespaced storage pattern to avoid putting critical variables in slot 0. Allow reinitializer versions greater than 256. (#​4460)
• Initializable: Use intermediate variables to improve readability. (#​4576)

Token

• ERC20, ERC721, ERC1155: Deleted _beforeTokenTransfer and _afterTokenTransfer hooks, added a new internal _update function for customizations, and refactored all extensions using those hooks to use _update instead. (#​3838, #​3876, #​4377)
• ERC20: Removed Approval event previously emitted in transferFrom to indicate that part of the allowance was consumed. With this change, allowances are no longer reconstructible from events. See the code for guidelines on how to re-enable this event if needed. (#​4370)
• ERC20: Removed the non-standard increaseAllowance and decreaseAllowance functions. (#​4585)
• ERC20Votes: Changed internal vote accounting to reusable Votes module previously used by ERC721Votes. Removed implicit ERC20Permit inheritance. Note that the DOMAIN_SEPARATOR getter was previously guaranteed to be available for ERC20Votes contracts, but is no longer available unless ERC20Permit is explicitly used; ERC-5267 support is included in ERC20Votes with EIP712 and is recommended as an alternative. (#​3816)
• SafeERC20: Refactored safeDecreaseAllowance and safeIncreaseAllowance to support USDT-like tokens. (#​4260)
• SafeERC20: Removed safePermit in favor of documentation-only permit recommendations. Based on recommendations from @​trust1995 (#​4582)
• ERC721: _approve no longer allows approving the owner of the tokenId. (#​4377) _setApprovalForAll no longer allows setting address(0) as an operator. (#​4377)
• ERC721: Renamed _requireMinted to _requireOwned and added a return value with the current owner. Implemented ownerOf in terms of _requireOwned. (#​4566)
• ERC721Consecutive: Added a _firstConsecutiveId internal function that can be overridden to change the id of the first token minted through _mintConsecutive. (#​4097)
• ERC721URIStorage: Allow setting the token URI prior to minting. (#​4559)
• ERC721URIStorage, ERC721Royalty: Stop resetting token-specific URI and royalties when burning. (#​4561)
• ERC1155: Optimized array allocation. (#​4196)
• ERC1155: Removed check for address zero in balanceOf. (#​4263)
• ERC1155: Optimized array accesses by skipping bounds checking when unnecessary. (#​4300)
• ERC1155: Bubble errors triggered in the onERC1155Received and onERC1155BatchReceived hooks. (#​4314)
• ERC1155Supply: Added a totalSupply() function that returns the total amount of token circulating, this change will restrict the total tokens minted across all ids to 2**256-1 . (#​3962)
• ERC1155Receiver: Removed in favor of ERC1155Holder. (#​4450)

Utils

• Address: Removed the ability to customize error messages. A common custom error is always used if the underlying revert reason cannot be bubbled up. (#​4502)
• Arrays: Added unsafeMemoryAccess helpers to read from a memory array without checking the length. (#​4300)
• Arrays: Optimized findUpperBound by removing redundant SLOAD. (#​4442)
• Checkpoints: Library moved from utils to utils/structs (#​4275)
• DoubleEndedQueue: Refactored internal structure to use uint128 instead of int128. This has no effect on the library interface. (#​4150)
• ECDSA: Use unchecked arithmetic for the tryRecover function that receives the r and vs short-signature fields separately. (#​4301)
• EIP712: Added internal getters for the name and version strings (#​4303)
• Math: Makes ceilDiv to revert on 0 division even if the numerator is 0 (#​4348)
• Math: Optimized stack operations in mulDiv. (#​4494)
• Math: Renamed members of Rounding enum, and added a new rounding mode for "away from zero". (#​4455)
• MerkleProof: Use custom error to report invalid multiproof instead of reverting with overflow panic. (#​4564)
• MessageHashUtils: Added a new library for creating message digest to be used along with signing or recovery such as ECDSA or ERC-1271. These functions are moved from the ECDSA library. (#​4430)
• Nonces: Added a new contract to keep track of user nonces. Used for signatures in ERC20Permit, ERC20Votes, and ERC721Votes. (#​3816)
• ReentrancyGuard, Pausable: Moved to utils directory. (#​4551)
• Strings: Renamed toString(int256) to toStringSigned(int256). (#​4330)
• Optimized Strings.equal (#​4262)

How to migrate from 4.x

ERC20, ERC721, and ERC1155

These breaking changes will require modifications to ERC20, ERC721, and ERC1155 contracts, since the _afterTokenTransfer and _beforeTokenTransfer functions were removed. Thus, any customization made through those hooks should now be done overriding the new _update function instead.

Minting and burning are implemented by _update and customizations should be done by overriding this function as well. _transfer, _mint and _burn are no longer virtual (meaning they are not overridable) to guard against possible inconsistencies.

For example, a contract using ERC20's _beforeTokenTransfer hook would have to be changed in the following way.

-function _beforeTokenTransfer(
+function _update(
   address from,
   address to,
   uint256 amount
 ) internal virtual override {
-  super._beforeTokenTransfer(from, to, amount);
   require(!condition(), "ERC20: wrong condition");
+  super._update(from, to, amount);
 }

More about ERC721

In the case of ERC721, the _update function does not include a from parameter, as the sender is implicitly the previous owner of the tokenId. The address of this previous owner is returned by the _update function, so it can be used for a posteriori checks. In addition to to and tokenId, a third parameter (auth) is present in this function. This parameter enabled an optional check that the caller/spender is approved to do the transfer. This check cannot be performed after the transfer (because the transfer resets the approval), and doing it before _update would require a duplicate call to _ownerOf.

In this logic of removing hidden SLOADs, the _isApprovedOrOwner function was removed in favor of a new _isAuthorized function. Overrides that used to target the _isApprovedOrOwner should now be performed on the _isAuthorized function. Calls to _isApprovedOrOwner that preceded a call to _transfer, _burn or _approve should be removed in favor of using the auth argument in _update and _approve. This is showcased in ERC721Burnable.burn and in ERC721Wrapper.withdrawTo.

The _exists function was removed. Calls to this function can be replaced by _ownerOf(tokenId) != address(0).

More about ERC1155

Batch transfers will now emit TransferSingle if the batch consists of a single token, while in previous versions the TransferBatch event would be used for all transfers initiated through safeBatchTransferFrom. Both behaviors are compliant with the ERC-1155 specification.

ERC165Storage

Users that were registering EIP-165 interfaces with _registerInterface from ERC165Storage should instead do so by overriding the supportsInterface function as seen below:

function supportsInterface(bytes4 interfaceId) public view virtual override returns (bool) {
  return interfaceId == type(MyInterface).interfaceId || super.supportsInterface(interfaceId);
}

SafeMath

Methods in SafeMath superseded by native overflow checks in Solidity 0.8.0 were removed along with operations providing an interface for revert strings. The remaining methods were moved to utils/Math.sol.

- import "@​openzeppelin/contracts/utils/math/SafeMath.sol";
+ import "@​openzeppelin/contracts/utils/math/Math.sol";

 function tryOperations(uint256 x, uint256 y) external view {
-  (bool overflowsAdd, uint256 resultAdd) = SafeMath.tryAdd(x, y);
+  (bool overflowsAdd, uint256 resultAdd) = Math.tryAdd(x, y);
-  (bool overflowsSub, uint256 resultSub) = SafeMath.trySub(x, y);
+  (bool overflowsSub, uint256 resultSub) = Math.trySub(x, y);
-  (bool overflowsMul, uint256 resultMul) = SafeMath.tryMul(x, y);
+  (bool overflowsMul, uint256 resultMul) = Math.tryMul(x, y);
-  (bool overflowsDiv, uint256 resultDiv) = SafeMath.tryDiv(x, y);
+  (bool overflowsDiv, uint256 resultDiv) = Math.tryDiv(x, y);
   // ...
 }

Adapting Governor modules

Custom Governor modules that override internal functions may require modifications if migrated to v5. In particular, the new internal functions _queueOperations and _executeOperations may need to be used. If assistance with this migration is needed reach out via the OpenZeppelin Support Forum.

ECDSA and MessageHashUtils

The ECDSA library is now focused on signer recovery. Previously it also included utility methods for producing digests to be used with signing or recovery. These utilities have been moved to the MessageHashUtils library and should be imported if needed:

 import {ECDSA} from "@​openzeppelin/contracts/utils/cryptography/ECDSA.sol";
+import {MessageHashUtils} from "@​openzeppelin/contracts/utils/cryptography/MessageHashUtils.sol";

 contract Verifier {
   using ECDSA for bytes32;
+  using MessageHashUtils for bytes32;

   function _verify(bytes32 data, bytes memory signature, address account) internal pure returns (bool) {
     return data
       .toEthSignedMessageHash()
       .recover(signature) == account;
   }
 }

Interfaces and libraries in upgradeable contracts

The upgradeable version of the contracts library used to include a variant suffixed with Upgradeable for every contract. These variants, which are produced automatically, mainly include changes for dealing with storage that don't apply to libraries and interfaces.

The upgradeable library no longer includes upgradeable variants for libraries and interfaces. Projects migrating to 5.0 should replace their library and interface imports with their corresponding non-upgradeable version:

 // Libraries
-import {AddressUpgradeable} from '@​openzeppelin/contracts-upgradeable/utils/AddressUpgradeable.sol';
+import {Address} from '@​openzeppelin/contracts/utils/Address.sol';

 // Interfaces
-import {IERC20Upgradeable} from '@​openzeppelin/contracts-upgradeable/interfaces/IERC20.sol';
+import {IERC20} from '@​openzeppelin/contracts/interfaces/IERC20.sol';

Offchain Considerations

Some changes may affect offchain systems if they rely on assumptions that are changed along with these new breaking changes. These cases are:

Relying on revert strings for processing errors

A concrete example is AccessControl, where it was previously advised to catch revert reasons using the following regex:

/^AccessControl: account (0x[0-9a-f]{40}) is missing role (0x[0-9a-f]{64})$/

Instead, contracts now revert with custom errors. Systems that interact with smart contracts outside of the network should consider reliance on revert strings and possibly support the new custom errors.

Relying on storage locations for retrieving data

After 5.0, the storage location of some variables were changed. This is the case for Initializable and all the upgradeable contracts since they now use namespaced storaged locations. Any system relying on storage locations for retrieving data or detecting capabilities should be updated to support these new locations.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
dapp-token-ico	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jun 12, 2024 3:44am

[codesandbox]

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders

Open Preview

[changeset-bot]

⚠️ No Changeset found

Latest commit: 67ae4d5

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

Share

• X
• Mastodon
• Reddit
• LinkedIn

Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>.
  • Generate unit testing code for this file.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai generate interesting stats about this repository and render them as a table.
  • @coderabbitai show all the console.log statements in this repository.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (invoked as PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Additionally, you can add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.

CodeRabbit Configration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@openzeppelin/contracts-upgradeable@5.0.2	None	+1	2.92 MB	amxx
npm/ethers@5.7.2	None	+3	11 MB	ricmoo
npm/ethjs-util@0.1.6	None	+2	244 kB	silentcicero
npm/eventemitter3@4.0.7	None	0	38 kB	lpinca
npm/evp_bytestokey@1.0.3	None	+2	18.9 kB	dcousens
npm/fill-range@7.1.1	None	+1	39.7 kB	jonschlinkert
npm/follow-redirects@1.15.6	network	0	29.4 kB	rubenverborgh
npm/fp-ts@1.19.3	None	0	2 MB	gcanti
npm/fs-extra@7.0.1	filesystem	0	124 kB	ryanzim
npm/fsevents@2.3.3	None	0	173 kB	pipobscure
npm/functional-red-black-tree@1.0.1	None	0	43.5 kB	mikolalysenko
npm/get-caller-file@2.0.5	None	0	4.72 kB	stefanpenner
npm/get-func-name@2.0.2	None	0	8.68 kB	keithamus
npm/get-stream@8.0.1	None	0	25.2 kB	ehmicky
npm/glob-parent@5.1.2	None	0	12.1 kB	phated
npm/glob@7.2.0	filesystem Transitive: environment	+3	74.9 kB	isaacs
npm/graceful-fs@4.2.11	environment, filesystem	0	32.5 kB	isaacs
npm/hardhat-gas-reporter@2.2.0	Transitive: environment, filesystem, network, shell, unsafe	+38	22.9 MB
npm/hardhat@2.22.5	environment, filesystem, network, shell Transitive: unsafe	+80	162 MB	kanej
npm/hash.js@1.1.7	None	0	41.7 kB	indutny
npm/hmac-drbg@1.0.1	None	0	25 kB	indutny
npm/husky@9.0.11	environment, filesystem, shell	0	3.61 kB	typicode
npm/ieee754@1.2.1	None	0	6.8 kB	feross
npm/inherits@2.0.4	None	0	3.96 kB	isaacs
npm/is-glob@4.0.3	None	+1	19.8 kB	phated
npm/is-typedarray@1.0.0	None	0	4.41 kB	hughsk
npm/js-sha3@0.8.0	None	0	52.9 kB	emn178
npm/js-tokens@4.0.0	None	0	15.1 kB	lydell
npm/js-yaml@4.1.0	Transitive: environment, filesystem	+1	576 kB	vitaly
npm/jsonschema@1.4.1	None	0	81.8 kB	acubed
npm/keccak@3.0.1	None	+1	1.55 MB	fanatid
npm/level-concat-iterator@2.0.1	None	0	11 kB	vweevers
npm/level-errors@2.0.1	None	+2	40.8 kB	vweevers
npm/level-iterator-stream@4.0.2	None	0	26.5 kB	vweevers
npm/level-supports@1.0.1	None	0	15.2 kB	vweevers
npm/level-ws@2.0.0	None	0	34.5 kB	vweevers
npm/levelup@4.4.0	None	0	108 kB	vweevers
npm/lilconfig@3.1.1	filesystem	0	17.7 kB	antonk52
npm/lint-staged@15.2.6	Transitive: environment, shell	+34	1.24 MB
npm/lodash@4.17.21	None	0	1.41 MB	bnjmnt4n
npm/loglevel@1.9.1	None	0	639 kB	pimterry
npm/lru-cache@5.1.1	None	0	15.7 kB	isaacs
npm/ltgt@2.2.1	None	0	17.5 kB	dominictarr
npm/merkle-patricia-tree@4.2.4	None	+7	568 kB	holgerd77
npm/micromatch@4.0.7	None	0	56.3 kB	paulmillr
npm/mime-types@2.1.35	None	+1	224 kB	dougwilson
npm/minimalistic-assert@1.0.1	None	0	1.55 kB	cwmma
npm/minimalistic-crypto-utils@1.0.1	None	0	4.76 kB	indutny
npm/minimatch@3.1.2	None	+3	57.8 kB	isaacs
npm/minimist@1.2.8	None	0	54.5 kB	ljharb
npm/minipass@7.0.4	None	0	285 kB	isaacs
npm/mkdirp@0.5.6	filesystem	0	7.69 kB	isaacs
npm/mocha@10.2.0	environment, eval, filesystem	+37	3.59 MB	juergba
npm/node-fetch@2.7.0	network	+1	212 kB	node-fetch-bot
npm/node-gyp-build@4.3.0	environment, filesystem	0	12.7 kB	vweevers
npm/normalize-path@3.0.0	None	0	9.22 kB	jonschlinkert
npm/once@1.4.0	None	+1	7.01 kB	isaacs
npm/path-is-absolute@1.0.1	None	0	3.62 kB	sindresorhus
npm/pbkdf2@3.1.2	None	0	13.8 kB	cwmma
npm/picocolors@1.0.1	environment	0	5.15 kB	alexeyraspopov
npm/picomatch@2.3.1	None	0	90 kB	mrmlnc
npm/postcss-js@4.0.1	None	+1	12.5 kB	ai
npm/postcss-value-parser@4.2.0	None	0	27.2 kB	evilebottnawi
npm/postcss@8.4.38	environment, filesystem	+2	362 kB	ai
npm/randombytes@2.1.0	None	0	6.36 kB	cwmma
npm/raw-body@2.5.2	network, unsafe Transitive: environment, eval	+4	420 kB	dougwilson
npm/react-dom@18.3.1	environment	0	4.51 MB	react-bot
npm/react-hot-toast@2.4.1	None	0	173 kB	timolins
npm/react-query@4.0.0-beta.23	environment	0	2.41 MB	tannerlinsley
npm/react@18.3.1	environment	0	318 kB	react-bot
npm/readable-stream@3.6.2	environment	0	124 kB	matteo.collina
npm/repeat-string@1.6.1	None	0	9.09 kB	jonschlinkert
npm/request@2.88.2	environment, filesystem, network	+2	280 kB	mikeal
npm/require-from-string@2.0.2	unsafe	0	3.42 kB	floatdrop
npm/resolve@1.17.0	filesystem	0	105 kB	ljharb
npm/rimraf@2.7.1	filesystem	0	15.5 kB	isaacs
npm/ripemd160@2.0.2	None	+1	15.9 kB	dcousens
npm/rlp@2.2.7	None	0	62.9 kB	ralxz
npm/rustywind@0.22.0	environment, filesystem, network, shell	+3	132 kB	praveenperera
npm/safe-buffer@5.2.1	None	0	32.1 kB	feross
npm/scrypt-js@3.0.1	None	0	226 kB	ricmoo
npm/secp256k1@4.0.3	None	+1	2.69 MB	fanatid
npm/seedrandom@3.0.5	None	0	374 kB	davidbau
npm/semver@6.3.1	None	0	68.3 kB	lukekarrys
npm/set-blocking@2.0.0	None	0	4.22 kB	bcoe
npm/sha.js@2.4.11	None	0	31.1 kB	dcousens
npm/signal-exit@4.1.0	None	0	77 kB	isaacs
npm/solgraph@1.0.2	Transitive: unsafe	+1	5.28 MB	raine
npm/solhint@5.0.1	filesystem Transitive: unsafe	+4	5.68 MB	diego.bale.arg
npm/solidity-coverage@0.8.12	environment, filesystem Transitive: unsafe	+1	5.36 MB	cgewecke
npm/sort-package-json@2.10.0	None	0	31.7 kB	keithamus
npm/source-map-support@0.5.21	filesystem	+1	890 kB	linusu
npm/source-map@0.5.7	None	0	766 kB	tromey
npm/string-width@4.2.3	None	+3	122 kB	sindresorhus
npm/strip-ansi@6.0.1	None	+1	9.7 kB	sindresorhus
npm/table@6.8.1	None	+3	360 kB	gajus-table
npm/tailwindcss@3.4.4	environment, filesystem	+2	5.82 MB	adamwathan
npm/tmp@0.0.33	filesystem	0	26 kB	raszi
npm/tslib@2.4.0	None	0	50 kB	typescript-bot
npm/tweetnacl-util@0.15.1	None	0	8.14 kB	dchest
npm/tweetnacl@1.0.3	None	0	175 kB	dchest
npm/type-detect@4.0.8	None	0	42.1 kB	chaijs
npm/typechain@8.3.2	filesystem Transitive: environment, unsafe	+2	11.4 MB	ethereum-ts-bot
npm/typedarray-to-buffer@3.1.5	None	0	8.84 kB	feross
npm/typescript@5.4.5	None	0	32.4 MB	typescript-bot
npm/unpipe@1.0.0	None	0	4.31 kB	dougwilson
npm/utf-8-validate@5.0.7	None	0	400 kB	lpinca
npm/util-deprecate@1.0.2	None	0	5.48 kB	tootallnate
npm/uuid@8.3.2	None	0	116 kB	ctavan
npm/vite@5.2.13	environment, eval, filesystem, network, shell, unsafe	0	3.6 MB	vitebot
npm/web3-react@5.0.5	None	0	197 kB	noahwz
npm/yallist@3.1.1	None	0	14.8 kB	isaacs
npm/yaml@2.4.5	environment	0	675 kB	eemeli
npm/yargs-parser@20.2.4	environment, filesystem	0	120 kB	oss-bot

🚮 Removed packages: npm/@0x/assert@2.1.6, npm/@0x/types@2.4.3, npm/@0x/typescript-typings@4.3.0, npm/@0x/utils@4.5.2, npm/@babel/helper-create-regexp-features-plugin@7.22.15, npm/@babel/helper-member-expression-to-functions@7.23.0, npm/@babel/plugin-transform-optional-chaining@7.23.4, npm/@babel/runtime@7.23.8, npm/@ledgerhq/hw-transport@4.78.0, npm/@ljharb/through@2.3.11, npm/@nodelib/fs.stat@2.0.5, npm/@openzeppelin/contracts-upgradeable@4.9.6, npm/@sindresorhus/is@5.6.0, npm/@szmarczak/http-timer@5.0.1, npm/@types/cacheable-request@6.0.3, npm/@types/http-cache-semantics@4.0.4, npm/@types/seedrandom@3.0.1, npm/@yarnpkg/lockfile@1.1.0, npm/abbrev@1.0.9, npm/accepts@1.3.8, npm/ajv@6.12.6, npm/arr-diff@4.0.0, npm/arr-flatten@1.1.0, npm/arr-union@3.1.0, npm/array-back@3.1.0, npm/array-flatten@1.1.1, npm/array-unique@0.3.2, npm/array.prototype.reduce@1.0.6, npm/asn1.js@5.4.1, npm/assert-plus@1.0.0, npm/assign-symbols@1.0.0, npm/atob@2.1.2, npm/babel-core@6.26.3, npm/babel-plugin-transform-es2015-modules-amd@6.24.1, npm/babel-plugin-transform-es2015-modules-commonjs@6.26.2, npm/babel-runtime@6.26.0, npm/babel-template@6.26.0, npm/babel-traverse@6.26.0, npm/babel-types@6.26.0, npm/base@0.11.2, npm/bluebird@3.7.2, npm/body-parser@1.20.1, npm/browserify-cipher@1.0.1, npm/browserify-rsa@4.1.0, npm/browserify-sign@4.2.2, npm/buffer-to-arraybuffer@0.0.5, npm/bytewise-core@1.2.3, npm/bytewise@1.1.0, npm/cacheable-lookup@7.0.0, npm/cacheable-request@10.2.14, npm/cachedown@1.0.0, npm/call-bind@1.0.5, npm/catering@2.1.1, npm/chownr@1.1.4, npm/cids@0.7.5, npm/clone-response@1.0.3, npm/clone@2.1.2, npm/console-control-strings@1.1.0, npm/content-disposition@0.5.4, npm/content-hash@2.5.2, npm/content-type@1.0.5, npm/cookie-signature@1.0.6, npm/cookiejar@2.1.4, npm/core-js-compat@3.35.0, npm/core-js@2.6.12, npm/core-util-is@1.0.2, npm/cors@2.8.5, npm/create-ecdh@4.0.4, npm/crypto-browserify@3.12.0, npm/crypto-js@3.3.0, npm/d@1.0.1, npm/decompress-response@6.0.0, npm/deep-extend@0.6.0, npm/defer-to-connect@2.0.1, npm/define-data-property@1.1.1, npm/define-properties@1.2.1, npm/define-property@1.0.0, npm/detect-node@2.1.0, npm/duplexer3@0.1.5, npm/encodeurl@1.0.2, npm/end-of-stream@1.4.4, npm/es5-ext@0.10.62, npm/es6-symbol@3.1.3, npm/escalade@3.1.2, npm/escape-html@1.0.3, npm/esprima@2.7.3, npm/etag@1.8.1, npm/eth-ens-namehash@2.0.8, npm/eth-lib@0.2.8, npm/eth-query@2.1.2, npm/eth-sig-util@1.4.2, npm/ethashjs@0.0.8, npm/ethereum-types@2.1.6, npm/ethereumjs-account@2.0.5, npm/ethereumjs-block@1.7.1, npm/ethereumjs-blockchain@4.0.4, npm/ethereumjs-common@1.5.2, npm/ethereumjs-tx@1.3.7, npm/ethereumjs-vm@2.6.0

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source
Install scripts	npm/solgraph@1.0.2	Install script: postinstall Source: npm run build	package.json
Install scripts	npm/rustywind@0.22.0	Install script: install Source: node ./lib/postinstall.js || npm run prepack	package.json
Install scripts	npm/core-js@2.6.12	Install script: postinstall Source: node -e "try{require('./postinstall')}catch(e){}"	Source
Protestware/Troll package	npm/es5-ext@0.10.62	Note: This package prints a protestware console message on install regarding Ukraine for users with Russian language locale	Source
Install scripts	npm/es5-ext@0.10.62	Install script: postinstall Source: node -e "try{require('./_postinstall')}catch(e){}" || exit 0	Source
Git dependency	npm/eth-sig-util@1.4.2	Dependency: ethereumjs-abi@git+https://github.com/ethereumjs/ethereumjs-abi.git Location: Package overview	Source
Install scripts	npm/esbuild@0.20.2	Install script: postinstall Source: node install.js	Source

View full report↗︎

Next steps

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

What is protestware?

This package is a joke, parody, or includes undocumented or hidden behavior unrelated to its primary function.

Consider that consuming this package my come along with functionality unrelated to its primary purpose.

What are git dependencies?

Contains a dependency which resolves to a remote git URL. Dependencies fetched from git URLs are not immutable can be used to inject untrusted code or reduce the likelihood of a reproducible install.

Publish the git dependency to npm or a private package repository and consume it from there.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/solgraph@1.0.2
• @SocketSecurity ignore npm/rustywind@0.22.0
• @SocketSecurity ignore npm/core-js@2.6.12
• @SocketSecurity ignore npm/es5-ext@0.10.62
• @SocketSecurity ignore npm/eth-sig-util@1.4.2
• @SocketSecurity ignore npm/esbuild@0.20.2