Skip to content

Bump the npm_and_yarn group across 1 directory with 8 updates#2

Merged
Dargon789 merged 1 commit intomasterfrom
dependabot/npm_and_yarn/npm_and_yarn-64002aa3b8
Jun 13, 2025
Merged

Bump the npm_and_yarn group across 1 directory with 8 updates#2
Dargon789 merged 1 commit intomasterfrom
dependabot/npm_and_yarn/npm_and_yarn-64002aa3b8

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Jun 13, 2025
edited by sourcery-ai bot
Loading

Bumps the npm_and_yarn group with 1 update in the / directory: @openzeppelin/contracts.

Updates @openzeppelin/contracts from 4.9.2 to 4.9.6

Release notes

Sourced from @​openzeppelin/contracts's releases.

v4.9.6

  • Base64: Fix issue where dirty memory located just after the input buffer is affecting the result. (#4929)

v4.9.5

  • Multicall: Make aware of non-canonical context (i.e. msg.sender is not _msgSender()), allowing compatibility with ERC2771Context. Patch duplicated Address.functionDelegateCall in v4.9.4 (removed).

v4.9.4

  • ERC2771Context and Context: Introduce a _contextPrefixLength() getter, used to trim extra information appended to msg.data.
  • Multicall: Make aware of non-canonical context (i.e. msg.sender is not _msgSender()), allowing compatibility with ERC2771Context.

v4.9.3

Note This release contains a fix for GHSA-g4vp-m682-qqmp.

  • ERC2771Context: Return the forwarder address whenever the msg.data of a call originating from a trusted forwarder is not long enough to contain the request signer address (i.e. msg.data.length is less than 20 bytes), as specified by ERC-2771. (#4481)
  • ERC2771Context: Prevent revert in _msgData() when a call originating from a trusted forwarder is not long enough to contain the request signer address (i.e. msg.data.length is less than 20 bytes). Return the full calldata in that case. (#4484)
Changelog

Sourced from @​openzeppelin/contracts's changelog.

4.9.6 (2024-02-29)

  • Base64: Fix issue where dirty memory located just after the input buffer is affecting the result. (#4929)

4.9.5 (2023-12-08)

  • Multicall: Make aware of non-canonical context (i.e. msg.sender is not _msgSender()), allowing compatibility with ERC2771Context. Patch duplicated Address.functionDelegateCall in v4.9.4 (removed).

4.9.3 (2023-07-28)

  • ERC2771Context: Return the forwarder address whenever the msg.data of a call originating from a trusted forwarder is not long enough to contain the request signer address (i.e. msg.data.length is less than 20 bytes), as specified by ERC-2771. (#4481)
  • ERC2771Context: Prevent revert in _msgData() when a call originating from a trusted forwarder is not long enough to contain the request signer address (i.e. msg.data.length is less than 20 bytes). Return the full calldata in that case. (#4484)
Commits

Updates braces from 3.0.2 to 3.0.3

Commits

Updates elliptic from 6.5.4 to 6.6.1

Commits

Updates flat from 4.1.1 to 5.0.2

Commits
  • e5ffd66 Release 5.0.2
  • fdb79d5 Update dependencies, refresh lockfile, format with standard.
  • e52185d Test against node 14 in CI.
  • 0189cb1 Avoid arrow function syntax.
  • f25d3a1 Release 5.0.1
  • 54cc7ad use standard formatting
  • 779816e drop dependencies
  • 2eea6d3 Bump lodash from 4.17.15 to 4.17.19
  • a61a554 Bump acorn from 7.1.0 to 7.4.0
  • 20ef0ef Fix prototype pollution on unflatten
  • Additional commits viewable in compare view

Updates follow-redirects from 1.15.2 to 1.15.9

Commits
  • e4e55c7 Release version 1.15.9 of the npm package.
  • 31a1abf Attempt much more gentle detection.
  • d2aaa97 Fix url field.
  • 62558f0 Release version 1.15.8 of the npm package.
  • a8d1cee Return subtlety.
  • 458ca8e Fix native URL test for Node 20.
  • ca49e44 Handle KeepAlive connections in tests.
  • f3711d7 Test on Node 20 and 22.
  • fda0faf Fix typo.
  • 760757f Release version 1.15.7 of the npm package.
  • Additional commits viewable in compare view

Updates serialize-javascript from 6.0.0 to 6.0.2

Release notes

Sourced from serialize-javascript's releases.

v6.0.2

  • fix: serialize URL string contents to prevent XSS (#173) f27d65d
  • Bump @​babel/traverse from 7.10.1 to 7.23.7 (#171) 02499c0
  • docs: update readme with URL support (#146) 0d88527
  • chore: update node version and lock file e2a3a91
  • fix typo (#164) 5a1fa64

yahoo/serialize-javascript@v6.0.1...v6.0.2

v6.0.1

What's Changed

New Contributors

Full Changelog: yahoo/serialize-javascript@v6.0.0...v6.0.1

Commits

Updates undici from 5.22.1 to 5.29.0

Release notes

Sourced from undici's releases.

v5.29.0

What's Changed

Full Changelog: nodejs/undici@v5.28.5...v5.29.0

v5.28.5

⚠️ Security Release ⚠️

Fixes CVE CVE-2025-22150 GHSA-c76h-2ccp-4975 (embargoed until 22-01-2025).

Full Changelog: nodejs/undici@v5.28.4...v5.28.5

v5.28.4

⚠️ Security Release ⚠️

Full Changelog: nodejs/undici@v5.28.3...v5.28.4

v5.28.3

⚠️ Security Release ⚠️

Fixes:

Full Changelog: nodejs/undici@v5.28.2...v5.28.3

v5.28.2

What's Changed

... (truncated)

Commits

Updates ws from 7.4.6 to 7.5.10

Release notes

Sourced from ws's releases.

7.5.10

Bug fixes

  • Backported e55e5106 to the 7.x release line (22c28763).

7.5.9

Bug fixes

  • Backported bc8bd34e to the 7.x release line (0435e6e1).

7.5.8

Bug fixes

  • Backported 0fdcc0af to the 7.x release line (2758ed35).
  • Backported d68ba9e1 to the 7.x release line (dc1781bc).

7.5.7

Bug fixes

  • Backported 6946f5fe to the 7.x release line (1f72e2e1).

7.5.6

Bug fixes

  • Backported b8186dd1 to the 7.x release line (73dec34b).
  • Backported ed2b8039 to the 7.x release line (22a26afb).

7.5.5

Bug fixes

  • Backported ec9377ca to the 7.x release line (0e274acd).

7.5.4

Bug fixes

  • Backported 6a72da3e to the 7.x release line (76087fbf).
  • Backported 869c9892 to the 7.x release line (27997933).

7.5.3

Bug fixes

  • The WebSocketServer constructor now throws an error if more than one of the noServer, server, and port options are specefied (66e58d27).
  • Fixed a bug where a 'close' event was emitted by a WebSocketServer before the internal HTTP/S server was actually closed (5a587304).
  • Fixed a bug that allowed WebSocket connections to be established after WebSocketServer.prototype.close() was called (772236a1).

7.5.2

Bug fixes

... (truncated)

Commits
  • d962d70 [dist] 7.5.10
  • 22c2876 [security] Fix crash when the Upgrade header cannot be read (#2231)
  • 8a78f87 [dist] 7.5.9
  • 0435e6e [security] Fix same host check for ws+unix: redirects
  • 4271f07 [dist] 7.5.8
  • dc1781b [security] Drop sensitive headers when following insecure redirects
  • 2758ed3 [fix] Abort the handshake if the Upgrade header is invalid
  • a370613 [dist] 7.5.7
  • 1f72e2e [security] Drop sensitive headers when following redirects (#2013)
  • 8ecd890 [dist] 7.5.6
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Summary by Sourcery

Chores:

  • Bump multiple dependencies to their latest patch/minor versions, including @openzeppelin/contracts, braces, elliptic, flat, follow-redirects, serialize-javascript, undici, and ws

@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 13, 2025
@sourcery-ai
Copy link
Contributor

sourcery-ai bot commented Jun 13, 2025
edited
Loading

Reviewer's Guide

This PR bumps eight project dependencies to their latest patch or minor versions and regenerates the lockfile to lock in those updates.

Sequence Diagram: ERC2771Context Handling of Short msg.data

sequenceDiagram
    title ERC2771Context Handling of Short msg.data
    participant Relayer as "Trusted Forwarder"
    participant UserContract as "UserContract (using ERC2771Context)"

    Relayer->>UserContract: Forwarded Call (calldata with signer_data_length < 20)
    activate UserContract
    UserContract->>UserContract: Calls internal _msgSender()
    UserContract-->>UserContract: Returns Relayer's address
    UserContract->>UserContract: Calls internal _msgData()
    UserContract-->>UserContract: Returns full original calldata
    UserContract-->>Relayer: Execution succeeds (no revert due to short calldata)
    deactivate UserContract
Loading

Sequence Diagram: Multicall Context Awareness with ERC2771Context

sequenceDiagram
    title Multicall Context Awareness with ERC2771Context
    actor Initiator
    participant MC as "Multicall Contract"
    participant TargetContract as "TargetContract (using ERC2771Context)"

    Initiator->>MC: multicall(calls[])
    activate MC
    MC->>TargetContract: delegatecall(call_data_for_target)
    activate TargetContract
    TargetContract->>TargetContract: Calls internal _msgSender() (from ERC2771Context)
    TargetContract-->>TargetContract: Returns Initiator's address (correct original sender)
    TargetContract-->>MC: Call_Result
    deactivate TargetContract
    MC-->>Initiator: Aggregated_Results
    deactivate MC
Loading

Updated Class Diagram for ERC2771Context

classDiagram
  class ERC2771Context {
    #_contextPrefixLength(): uint256
    #_msgSender(): address
    #_msgData(): bytes
  }
Loading

File-Level Changes

Change Details Files
Update dependency versions in package.json
  • Bump @openzeppelin/contracts from 4.9.2 to 4.9.6
  • Bump braces from 3.0.2 to 3.0.3
  • Bump elliptic from 6.5.4 to 6.6.1
  • Bump flat from 4.1.1 to 5.0.2
  • Bump follow-redirects from 1.15.2 to 1.15.9
  • Bump serialize-javascript from 6.0.0 to 6.0.2
  • Bump undici from 5.22.1 to 5.29.0
  • Bump ws from 7.4.6 to 7.5.10
 package.json
Regenerate lockfile to reflect new versions
  • Update package-lock.json (or yarn.lock) entries for all bumped dependencies
  • Ensure integrity hashes and dependency tree are up to date
 package-lock.json
Tips and commands

Interacting with Sourcery

  • Trigger a new review: Comment @sourcery-ai review on the pull request.
  • Continue discussions: Reply directly to Sourcery's review comments.
  • Generate a GitHub issue from a review comment: Ask Sourcery to create an
    issue from a review comment by replying to it. You can also reply to a
    review comment with @sourcery-ai issue to create an issue from it.
  • Generate a pull request title: Write @sourcery-ai anywhere in the pull
    request title to generate a title at any time. You can also comment
    @sourcery-ai title on the pull request to (re-)generate the title at any time.
  • Generate a pull request summary: Write @sourcery-ai summary anywhere in
    the pull request body to generate a PR summary at any time exactly where you
    want it. You can also comment @sourcery-ai summary on the pull request to
    (re-)generate the summary at any time.
  • Generate reviewer's guide: Comment @sourcery-ai guide on the pull
    request to (re-)generate the reviewer's guide at any time.
  • Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
    pull request to resolve all Sourcery comments. Useful if you've already
    addressed all the comments and don't want to see them anymore.
  • Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
    request to dismiss all existing Sourcery reviews. Especially useful if you
    want to start fresh with a new review - don't forget to comment
    @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

  • Enable or disable review features such as the Sourcery-generated pull request
    summary, the reviewer's guide, and others.
  • Change the review language.
  • Add, remove or edit custom review instructions.
  • Adjust other review settings.

Getting Help

@socket-security
Copy link

socket-security bot commented Jun 13, 2025
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatedhardhat-deploy-tenderly@​0.2.0 ⏵ 0.2.174 +11009382 +670
Updated@​types/​chai@​4.3.5 ⏵ 4.3.201001007584100
Updated@​types/​mocha@​10.0.1 ⏵ 10.0.101001007580100
Updatedhardhat-deploy-ethers@​0.4.0 ⏵ 0.4.299 +2100100 +676100
Updated@​typechain/​hardhat@​8.0.0 ⏵ 8.0.3100 +110010079100
Updatedts-node@​10.9.1 ⏵ 10.9.297 +110010079100
Updatedchai@​4.3.7 ⏵ 4.5.010010010079100
Updated@​types/​node@​20.3.1 ⏵ 20.19.01001008096100
Updatedfs-extra@​11.1.1 ⏵ 11.3.010010010081100
Updateddotenv@​16.3.1 ⏵ 16.5.0100 +1100100 +183100
Updatedhardhat-gas-reporter@​1.0.9 ⏵ 1.0.1099 +1100100 +186100
Updated@​openzeppelin/​contracts@​4.9.2 ⏵ 4.9.6100100 +9988790
Updatedhardhat@​2.16.0 ⏵ 2.24.394 +110090 +2100 +180
Updatedsolidity-coverage@​0.8.3 ⏵ 0.8.1698100100 +188 +6100
Updatedtypescript@​5.1.3 ⏵ 5.8.310010089100100
Updatedprettier-plugin-solidity@​1.1.3 ⏵ 1.4.3100 +110010090100 +20
Updated@​nomicfoundation/​hardhat-chai-matchers@​2.0.1 ⏵ 2.0.99910096 +1190 +7100
Updatedethers@​6.6.1 ⏵ 6.14.497 +110010093 +2100
Updatedmocha@​7.1.2 ⏵ 10.8.29710094 -697100
Updatedhardhat-deploy@​0.11.34 ⏵ 0.11.4597 +1100100 +195 +2100
Updated@​nomicfoundation/​hardhat-ethers@​3.0.2 ⏵ 3.0.910010010098 +7100

View full report

@socket-security
Copy link

socket-security bot commented Jun 13, 2025
edited
Loading

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert (click for details)
Warn High
@openzeppelin/contracts@4.9.6 has a License Policy Violation.

License: BUSL-1.1 (package/vendor/arbitrum/IDelayedMessageProvider.sol)

License: BUSL-1.1 (package/vendor/arbitrum/IArbSys.sol)

License: BUSL-1.1 (package/vendor/arbitrum/IInbox.sol)

License: BUSL-1.1 (package/vendor/arbitrum/IBridge.sol)

License: BUSL-1.1 (package/vendor/arbitrum/IOutbox.sol)

From: package.jsonnpm/@openzeppelin/contracts@4.9.6

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@openzeppelin/contracts@4.9.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
chai-as-promised@7.1.2 has a License Policy Violation.

License: WTFPL (npm metadata)

License: WTFPL (package/LICENSE.txt)

License: WTFPL (package/package.json)

From: pnpm-lock.yamlnpm/@nomicfoundation/hardhat-chai-matchers@2.0.9npm/chai-as-promised@7.1.2

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/chai-as-promised@7.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
eth-gas-reporter@0.2.27 has a License Policy Violation.

License: GPL-3.0-only (package/mock/contracts/EtherRouter/EtherRouter.sol)

License: GPL-3.0-only (package/mock/contracts/EtherRouter/Resolver.sol)

From: pnpm-lock.yamlnpm/hardhat-gas-reporter@1.0.10npm/eth-gas-reporter@0.2.27

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/eth-gas-reporter@0.2.27. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
glob@7.2.3 has a License Policy Violation.

License: CC-BY-SA-4.0 (package/LICENSE)

From: pnpm-lock.yamlnpm/solidity-coverage@0.8.16npm/glob@7.2.3

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/glob@7.2.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
hardhat-deploy-tenderly@0.2.1 has a License Policy Violation.

License: GPL-3.0 (package/LICENSE)

From: package.jsonnpm/hardhat-deploy-tenderly@0.2.1

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/hardhat-deploy-tenderly@0.2.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
typescript@5.8.3 has a License Policy Violation.

License: CC-BY-4.0 (package/ThirdPartyNoticeText.txt)

License: MIT-Khronos-old (package/ThirdPartyNoticeText.txt)

From: package.jsonnpm/typescript@5.8.3

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/typescript@5.8.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
web3-utils@1.10.4 has a License Policy Violation.

License: GPL-3.0-or-later (package/types/tests/hex-to-number-test.ts)

From: pnpm-lock.yamlnpm/solidity-coverage@0.8.16npm/web3-utils@1.10.4

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/web3-utils@1.10.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
lodash.isequal@4.5.0 is Deprecated.

Reason: This package is deprecated. Use require('node:util').isDeepStrictEqual instead.

From: pnpm-lock.yamlnpm/@nomicfoundation/hardhat-ethers@3.0.9npm/lodash.isequal@4.5.0

ℹ Read more on: This package | This alert | What is a deprecated package?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lodash.isequal@4.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@dependabot @Dargon789
Bump the npm_and_yarn group across 1 directory with 8 updates
e49d7a6 
Bumps the npm_and_yarn group with 1 update in the / directory: [@openzeppelin/contracts](https://github.com/OpenZeppelin/openzeppelin-contracts).


Updates `@openzeppelin/contracts` from 4.9.2 to 4.9.6
- [Release notes](https://github.com/OpenZeppelin/openzeppelin-contracts/releases)
- [Changelog](https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/CHANGELOG.md)
- [Commits](OpenZeppelin/openzeppelin-contracts@v4.9.2...v4.9.6)

Updates `braces` from 3.0.2 to 3.0.3
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](micromatch/braces@3.0.2...3.0.3)

Updates `elliptic` from 6.5.4 to 6.6.1
- [Commits](indutny/elliptic@v6.5.4...v6.6.1)

Updates `flat` from 4.1.1 to 5.0.2
- [Release notes](https://github.com/hughsk/flat/releases)
- [Commits](hughsk/flat@4.1.1...5.0.2)

Updates `follow-redirects` from 1.15.2 to 1.15.9
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](follow-redirects/follow-redirects@v1.15.2...v1.15.9)

Updates `serialize-javascript` from 6.0.0 to 6.0.2
- [Release notes](https://github.com/yahoo/serialize-javascript/releases)
- [Commits](yahoo/serialize-javascript@v6.0.0...v6.0.2)

Updates `undici` from 5.22.1 to 5.29.0
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v5.22.1...v5.29.0)

Updates `ws` from 7.4.6 to 7.5.10
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@7.4.6...7.5.10)

---
updated-dependencies:
- dependency-name: "@openzeppelin/contracts"
  dependency-version: 4.9.6
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: braces
  dependency-version: 3.0.3
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: elliptic
  dependency-version: 6.6.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: flat
  dependency-version: 5.0.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: follow-redirects
  dependency-version: 1.15.9
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: serialize-javascript
  dependency-version: 6.0.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: undici
  dependency-version: 5.29.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ws
  dependency-version: 7.5.10
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@Dargon789 Dargon789 force-pushed the dependabot/npm_and_yarn/npm_and_yarn-64002aa3b8 branch from e1528e7 to e49d7a6 Compare June 13, 2025 18:44
@github-actions
Copy link

github-actions bot commented Jun 13, 2025

Dependency Review

The following issues were found:

  • ❌ 3 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ⚠️ 4 package(s) with unknown licenses.
  • ⚠️ 46 packages with OpenSSF Scorecard issues.

View full job summary

@Dargon789 Dargon789 merged commit 556947b into master Jun 13, 2025
3 of 7 checks passed
@Dargon789 Dargon789 deleted the dependabot/npm_and_yarn/npm_and_yarn-64002aa3b8 branch June 13, 2025 19:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Dargon789