build(deps): bump hardhat and ignore two advisories (#597)

fionnachan · web-flow · commit 7892afaae847 · 2025-05-16T17:21:18.000+01:00
diff --git a/audit-ci.jsonc b/audit-ci.jsonc
@@ -69,6 +69,17 @@
     // from: @arbitrum/token-bridge-contracts>@openzeppelin/contracts-upgradeable
     // from: @arbitrum/nitro-contracts>@openzeppelin/contracts
     // from: @arbitrum/token-bridge-contracts>@openzeppelin/contracts
-    "GHSA-9vx6-7xxf-x967"
+    "GHSA-9vx6-7xxf-x967",
+    // https://github.com/advisories/GHSA-xq7p-g2vc-g82p
+    // Homograph attack allows Unicode lookalike characters to bypass validation.
+    // we don't use them in this repo, they are nested dependencies
+    // from: @arbitrum/token-bridge-contracts>@openzeppelin/upgrades-core>ethereumjs-util>ethereum-cryptography>bs58check>bs58>base-x
+    // from: @offchainlabs/l1-l3-teleport-contracts>@arbitrum/token-bridge-contracts>@openzeppelin/upgrades-core>ethereumjs-util>ethereum-cryptography>bs58check>bs58>base-x
+    "GHSA-xq7p-g2vc-g82p",
+    // https://github.com/advisories/GHSA-cxrh-j4jr-qwg3
+    // undici Denial of Service attack via bad certificate data
+    // we only use hardhat in a test and we don't use undici in the sdk
+    // from: hardhat>undici
+    "GHSA-cxrh-j4jr-qwg3"
   ]
 }
diff --git a/package.json b/package.json
@@ -38,7 +38,7 @@
     "eslint-plugin-mocha": "^9.0.0",
     "eslint-plugin-prettier": "^4.0.0",
     "ethers": "^5.0.0",
-    "hardhat": "^2.22.19",
+    "hardhat": "^2.24.0",
     "mocha": "^9.2.1",
     "nyc": "^15.1.0",
     "prettier": "^2.3.2",
diff --git a/yarn.lock b/yarn.lock
