Conversation

@github-actions github-actions bot commented Sep 22, 2025

This PR was opened by the Changesets release GitHub action. When you're ready to do a release, you can merge this and publish to npm yourself or set up this action to publish automatically. If you're not ready to do a release yet, that's fine; whenever you add more changesets to master, this PR will be updated.

Releases

@openzeppelin/[email protected]

Changelog

0.8.1 (2025-10-08)

  • Updated community-contracts digest version (#659)

0.8.0 (2025-09-16)

  • Add constructors for SignerECDSA, SignerP256, SignerRSA, SignerERC7702, SignerERC7913, MultiSignerERC7913 and MultiSignerERC7913Weighted (#609)
  • Enable upgradeability for AccountERC7579, AccountERC7579Hooked, SignerECDSA, SignerP256, SignerRSA, SignerERC7702, SignerERC7913 and MultiSignerERC7913 (#609)
  • Breaking change: Use Account, AccountERC7579, AccountERC7579Hooked, ERC7812, ERC7739Utils, ERC7913Utils, AbstractSigner, SignerECDSA, SignerP256, SignerRSA, SignerERC7702, SignerERC7913, MultiSignerERC7913, and MultiSignerERC7913Weighted from OpenZeppelin Contracts 5.4.0 instead of Community Contracts (#609)
  • Remove all initializers from non-upgradeable accounts. (#658)

0.7.1 (2025-08-15)

  • Add compatible git commit in comments when importing OpenZeppelin Community Contracts (#627)

0.7.0 (2025-08-12)

  • Breaking change: Use ERC20Bridgeable from OpenZeppelin Contracts 5.4.0 instead of Community Contracts (#619)

0.6.0 (2025-06-20)

  • Add support for Wizard MCP server. (#569)

    • Possibly breaking changes:
      • Governor: Remove usage of access option. This option now has no effect.
  • Accounts: Add _disableInitializers() to account implementations (#568)

0.5.6 (2025-05-21)

  • MultisigERC7913: Add onlyEntryPointOrSelf modifier to public configuration functions. (#554)
  • Use onlyGovernance to restrict upgrades for Governor with UUPS (#544)
    • Potentially breaking changes:
      • Governor with UUPS: _authorizeUpgrade function is restricted by onlyGovernance instead of onlyOwner

0.5.5 (2025-05-13)

  • Add account contract types for ERC-4337. (#486, #523, #527)
  • Use unicode syntax for strings with non-ASCII characters (#476)
  • Remove redundant overrides in Governor. (#522)
  • Simplify Community Contracts imports. (#537)
  • Potentially breaking changes:
    • Update pragma versions to 0.8.27. (#486)
    • Changes import path format for @openzeppelin/community-contracts. (#537)

0.5.4 (2025-04-01)

  • Add validation for ERC20 premint field. (#488)
  • Add callback in ERC20 features. (#500)

0.5.3 (2025-03-13)

  • Add ERC20 Cross-Chain Bridging, SuperchainERC20. (#436)
    Note: Cross-Chain Bridging is experimental and may be subject to change.

  • Potentially breaking changes:

    • Change order of constructor argument recipient when using premint.

0.5.2 (2025-02-21)

  • Fix modifiers order to follow Solidity style guides. (#450)
  • ERC721: Return tokenId on safeMint with incremental id. (#455)

0.5.1 (2025-02-05)

  • Potentially breaking changes:
    • Add constructor argument recipient when using premint in erc20, stablecoin, and realWorldAsset. (#435)

0.5.0 (2025-01-23)

  • Update to use TypeScript v5. (#231)

  • Remove unused dependencies. (#430)

  • Breaking changes:

    • Update Contracts Wizard license to AGPLv3. (#424)

0.4.6 (2024-11-20)

  • Use named imports. (#411)

0.4.5 (2024-11-18)

  • Add stablecoin and realWorldAsset contract types. (#404)
    Note: stablecoin and realWorldAsset are experimental and may be subject to change.

0.4.4 (2024-10-23)

Potentially breaking changes

  • Update pragma versions to 0.8.22. (#401)

0.4.3 (2024-04-08)

  • Add timestamp based Governor and Votes clock options. (#347)

0.4.2 (2024-02-22)

  • Add code comments for compatible OpenZeppelin Contracts versions. (#331)

0.4.1 (2023-10-18)

  • Add managed access control option for use with AccessManager. (#298)

0.4.0 (2023-10-05)

Breaking changes

  • Update to OpenZeppelin Contracts 5.0. (#284)
  • Require constructor or initializer arguments for initial owner or role assignments if using access control.
  • Use token-specific pausable extensions.
  • Enable ERC20Permit by default.

0.3.0 (2023-05-25)

  • Breaking change: Update to OpenZeppelin Contracts 4.9. (#252)
  • Change default voting delay to 1 day in governor. (#258)

0.2.3 (2023-03-23)

  • Fix module not found error. (#235)

0.2.2 (2023-03-17)

  • Fix missing file. (#234)

0.2.1 (2023-03-17)

  • Remove unspecified dependency on @openzeppelin/contracts. (#233)

0.2.0 (2022-11-08)

  • Reduce default block time to 12 seconds in governor. (fdcf912)
  • Breaking change: Update to OpenZeppelin Contracts 4.8 and Solidity ^0.8.9. (#199)

0.1.1 (2022-06-30)

  • Support custom contract type, optional access control. (#112)

0.1.0 (2022-06-15)

  • Initial API for Solidity. (#136)

@github-actions github-actions bot requested review from a team as code owners September 22, 2025 19:59
coderabbitai bot commented Sep 22, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

socket-security bot commented Sep 22, 2025

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action  Severity  Alert
Block High
[email protected] has a High CVE.

CVE: GHSA-4hjh-wcwx-xvwj Axios is vulnerable to DoS attack through lack of data size check (HIGH)

Affected versions: >= 1.0.0 < 1.12.0; < 0.30.2

Patched version: 1.12.0

From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/[email protected] → npm/[email protected]

ℹ Read more on: This package | This alert | What is a CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
[email protected] is an AI-detected potential code anomaly.

Notes: The code implements a global module loader hook that prepends a require('amdefine')(module) shim to nearly all .js modules before they are compiled. This is not directly overtly malicious, but it is a high-impact supply-chain/style modification: it alters every module load, can obscure behavior from static analysis, and increases attack surface if an attacker can modify this package or the amdefine module. Use of this module should be considered a risk in environments that require strict control of execution semantics or provenance; review and pin amdefine and this loader carefully. No clear evidence of direct data exfiltration or backdoor in this fragment.

Confidence: 1.00

Severity: 0.60

From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/[email protected] → npm/@nomicfoundation/[email protected] → npm/[email protected]

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
[email protected] has a Low CVE.

CVE: GHSA-pxg6-pf52-xh8x cookie accepts cookie name, path, and domain with out of bounds characters (LOW)

Affected versions: < 0.7.0

Patched version: 0.7.0

From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/[email protected] → npm/[email protected]

ℹ Read more on: This package | This alert | What is a mild CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Remove or replace dependencies that include known low severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
[email protected] is an AI-detected potential code anomaly.

Notes: No direct malicious actions (network exfiltration, reverse shells, or hard-coded credentials) are present in this fragment. However, the module intentionally monkeypatches Node's module loader and VM APIs to transform and execute code at load time. Those capabilities are high-risk: if a malicious transformer/matcher is supplied (or if the package itself is replaced with a malicious version), it can inject arbitrary code into any loaded module, enabling supply-chain attacks, data theft, or backdoors. Reviewers should treat usage of this module as a high-privilege operation, ensure transformers are trusted, and limit hook usage to controlled environments.

Confidence: 1.00

Severity: 0.60

From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/[email protected] → npm/@nomicfoundation/[email protected] → npm/[email protected]

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
[email protected] is an AI-detected potential code anomaly.

Notes: The code appears to be a WebAssembly (WASM) module implementing HTTP parsing functionality. The code contains suspicious elements such as ability to handle HTTP headers, message bodies, and chunk extensions. While it may be legitimate parser code, the obfuscated nature and presence of low-level binary operations warrants careful review due to potential for misuse in HTTP request/response manipulation or header injection attacks.

Confidence: 1.00

Severity: 0.60

From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@openzeppelin/[email protected] → npm/@nomicfoundation/[email protected] → npm/@nomicfoundation/[email protected] → npm/[email protected] → npm/[email protected] → npm/[email protected]

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
[email protected] is an AI-detected potential code anomaly.

Notes: The analyzed code appears to implement a standard in-memory cache batch operation flow (put/delete) with careful handling of response bodies by buffering and storing bytes for caching. No signs of malware, data exfiltration, backdoors, or obfuscated behavior were found. The primary security considerations relate to memory usage from buffering potentially large response bodies and ensuring robust validation within batch operations to prevent cache state corruption. Overall risk is moderate, driven by in-memory data handling rather than external communication.

Confidence: 1.00

Severity: 0.60

From: packages/core/solidity/src/environments/hardhat/upgradeable/package-lock.json → npm/@openzeppelin/[email protected] → npm/[email protected]

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
[email protected] is an AI-detected potential code anomaly.

Notes: The code implements a cross-chain deposit flow with proper validations, artifact reads, and on-chain interactions. There is no evidence of hidden backdoors, data exfiltration, or malware. The main security considerations relate to token approval logic and correct configuration of flags to avoid granting excessive allowances. Overall, the module appears legitimate for a bridge deposit flow, with moderate risk primarily around configuration of approvals and correct handling of gas/fees.

Confidence: 1.00

Severity: 0.60

From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/[email protected] → npm/@nomicfoundation/[email protected] → npm/[email protected]

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
[email protected] is an AI-detected potential code anomaly.

Notes: The code implements a standard EventTarget-like mixin for wrapping event listeners and dispatching events to user callbacks. There are no suspicious patterns such as dynamic code execution, hardcoded secrets, or network activity. The risk is contingent on what the consumer does inside their handlers; the snippet itself does not introduce malware or data leakage mechanisms beyond normal event dispatch. Overall security risk is low in isolation.

Confidence: 1.00

Severity: 0.60

From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@openzeppelin/[email protected] → npm/@nomicfoundation/[email protected] → npm/@nomicfoundation/[email protected] → npm/[email protected]

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
[email protected] is an AI-detected potential code anomaly.

Notes: The code implements a standard EventTarget-like mixin for wrapping event listeners and dispatching events to user callbacks. There are no suspicious patterns such as dynamic code execution, hardcoded secrets, or network activity. The risk is contingent on what the consumer does inside their handlers; the snippet itself does not introduce malware or data leakage mechanisms beyond normal event dispatch. Overall security risk is low in isolation.

Confidence: 1.00

Severity: 0.60

From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/[email protected] → npm/@nomicfoundation/[email protected] → npm/[email protected]

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
[email protected] has Obfuscated code.

Confidence: 0.96

Location: Package overview

From: packages/core/solidity/src/environments/hardhat/upgradeable/package-lock.json → npm/@openzeppelin/[email protected] → npm/[email protected]

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@github-actions github-actions bot closed this Sep 26, 2025
@github-actions github-actions bot force-pushed the changeset-release/master branch from bc645e7 to 450ab48 Compare September 26, 2025 19:02
@github-actions github-actions bot reopened this Sep 26, 2025
@github-actions github-actions bot closed this Oct 6, 2025
@github-actions github-actions bot force-pushed the changeset-release/master branch from 1904368 to fd5d3ac Compare October 6, 2025 07:38
@github-actions github-actions bot reopened this Oct 6, 2025
@github-actions github-actions bot closed this Oct 7, 2025
@github-actions github-actions bot force-pushed the changeset-release/master branch from 10b2952 to 72765d2 Compare October 7, 2025 15:26
@github-actions github-actions bot reopened this Oct 7, 2025
@github-actions github-actions bot closed this Oct 7, 2025
@github-actions github-actions bot force-pushed the changeset-release/master branch from c22395c to abe67f8 Compare October 7, 2025 15:38
@github-actions github-actions bot reopened this Oct 7, 2025
@github-actions github-actions bot closed this Oct 7, 2025
@github-actions github-actions bot force-pushed the changeset-release/master branch from f3d89d9 to dea25c8 Compare October 7, 2025 15:52
@github-actions github-actions bot reopened this Oct 7, 2025
@github-actions github-actions bot closed this Oct 8, 2025
@github-actions github-actions bot force-pushed the changeset-release/master branch from 40b477a to f1c7c6d Compare October 8, 2025 20:24
@github-actions github-actions bot reopened this Oct 8, 2025
socket-security bot commented Oct 8, 2025

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff   Package                                     Supply Chain Security  Vulnerability  Quality  Maintenance  License
Added  @nomicfoundation/hardhat-toolbox@6.1.0      98                     100            76       79           100
Added  @openzeppelin/hardhat-upgrades@3.9.1        99                     100            100      87           100
Added  hardhat@2.26.3                              94                     100            91       97           80
Added  @openzeppelin/contracts-upgradeable@5.4.0   100                    100            100      92           100
Added  @openzeppelin/contracts@5.4.0               100                    100            100      92           100

View full report
