search

celo-org / optics-monorepo

🔮 OPTimistic Interchain Communication
Other
119 stars 37 forks source link

chore(deps): bump flat and hardhat in /typescript/optics-tests #987

Open dependabot[bot] opened 1 year ago

dependabot[bot] commented 1 year ago

Bumps flat to 5.0.2 and updates ancestor dependency hardhat. These dependencies need to be updated together.

Updates flat from 4.1.1 to 5.0.2

Commits
  • e5ffd66 Release 5.0.2
  • fdb79d5 Update dependencies, refresh lockfile, format with standard.
  • e52185d Test against node 14 in CI.
  • 0189cb1 Avoid arrow function syntax.
  • f25d3a1 Release 5.0.1
  • 54cc7ad use standard formatting
  • 779816e drop dependencies
  • 2eea6d3 Bump lodash from 4.17.15 to 4.17.19
  • a61a554 Bump acorn from 7.1.0 to 7.4.0
  • 20ef0ef Fix prototype pollution on unflatten
  • Additional commits viewable in compare view


Updates hardhat from 2.6.3 to 2.12.5

Release notes

Sourced from hardhat's releases.

Hardhat v2.12.5

  • The full return data of unrecognized custom errors is now shown in error messages
  • Fixed a bug that was causing the flatten task to produce non-deterministic results
  • Fixed a bug when gasPrice was set to "auto", which is the default configuration when connecting to a JSON-RPC network. This bug was preventing the results from eth_feeHistory from being used when they should.
  • Added an experimental environment variable flag to disable the local installation check (thanks @​arijoon!)

Hardhat v2.12.4

This release fixes a small issue that was affecting our VSCode extension in some edge cases.

It also includes a non-intrusive message promoting this year's Solidity Developer Survey.

Hardhat v2.12.3

  • Added a new hardhat_metadata RPC method
  • Trim leading and trailing spaces in mnemonics (thanks @​winor30!)
  • Pending blocks now include the bloom field (thanks @​InoMurko!)
  • A better error is shown if a Solidity file makes an import through its own package name (thanks @​KaanKC!)
  • Added a getBuildInfoSync function to the hre.artifacts object (thanks @​emretepedev!)
  • Fixed an edge case where Hardhat would hang if debug_traceTransaction was used with an OOG transaction sent to a precompile

Hardhat v2.12.2

  • Fixed an issue when forking networks like Arbitrum Nitro that use non-standard transaction types (#2995, #3194).
  • Fixed an issue that was causing build-info file names to not be deterministic.

Hardhat v2.12.1

Fixed a problem that was preventing Hardhat from being used in Alpine Linux.

Hardhat v2.12.0

This new minor version sets the merge hardfork as the default hardfork used by the Hardhat Network. Most users shouldn't be affected by this change.

Besides that, this version fixes a couple of issues related to our compilation pipeline.

Hardhat v2.11.2

This new version of Hardhat brings several fixes and improvements:

  • Solidity 0.8.17 is now supported and used by default in the sample projects.
  • When forking a network, the disk cache is always used (thanks @​bernard-wagner!)
  • Stack traces are shown by default in CI servers
  • We fixed a problem related to the validation of the eth_getStorageAt being too restrictive (thanks @​aathan!)
  • Reverted an unintentional breaking change in the type of the resolved config
  • Improved the heuristic for detecting that a contract deployment failed because the code size was too large

Hardhat v2.11.1

This release fixes a couple of bugs in v2.11.0:

  • Some chains, like Polygon, were causing issues when they were forked
  • The WASM version of the solidity compiler, which is used in some machines, was not being correctly downloaded.

Hardhat v2.11.0 — The Merge support and fast compilation

We are excited to release this new version of Hardhat, as it makes Hardhat Network compatible with The Merge and makes our compilation much faster. Read on to learn more about these and other improvements.

... (truncated)

Commits
  • a1a36f8 Version Packages
  • 3152b55 Merge pull request #3494 from NomicFoundation/fix-vyper-timeouts
  • 7e81377 Add changesets
  • 633f20b [vyper] Use the GITHUB_TOKEN and increase timeout
  • b24b994 Accept extra headers in the downloader module
  • 7404d28 Merge pull request #3489 from NomicFoundation/remove-trailing-whitespace
  • 240779d Remove all trailing whitespace
  • e3fc55c Set trim_trailing_whitespace to true
  • 727740f Merge pull request #3470 from NomicFoundation/return-data-custom-error
  • 23a594a Create warm-radios-cross.md
  • Additional commits viewable in compare view


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/celo-org/optics-monorepo/network/alerts).
socket-security[bot] commented 1 year ago

Socket Security Pull Request Report

Dependency issues detected. If you merge this pull request, you will not be alerted to the instances of these issues again.

📜 Install scripts

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Package Script field Source
classic-level@1.2.0 (added) binding.gyp typescript/optics-tests/package.json via hardhat@2.12.5, @nomicfoundation/ethereumjs-blockchain@6.0.0, level@8.0.0
classic-level@1.2.0 (added) install typescript/optics-tests/package.json via hardhat@2.12.5, @nomicfoundation/ethereumjs-blockchain@6.0.0, level@8.0.0
🫣 Native code

Contains native code which could be a vector to obscure malicious code, and generally decrease the likelihood of reproducible or reliable installs.

Ensure that native code bindings are expected. Consumers may consider pure JS and functionally similar alternatives to avoid the challenges and risks associated with native code bindings.

Package Location Source
classic-level@1.2.0 (added) binding.gyp typescript/optics-tests/package.json via hardhat@2.12.5, @nomicfoundation/ethereumjs-blockchain@6.0.0, level@8.0.0
😵‍💫 Bin script confusion

This package has multiple bin scripts with the same name. This can cause non-deterministic behavior when installing or could be a sign of a supply chain attack

Consider removing one of the conflicting packages. Packages should only export bin scripts with their name

Package Bin script Source
@nomicfoundation/ethereumjs-rlp@4.0.0 (added) rlp typescript/optics-tests/package.json via hardhat@2.12.5
rlp@2.2.6 (added) rlp solidity/optics-core/package.json via hardhat@2.6.0, @ethereumjs/blockchain@5.4.0,solidity/optics-xapps/package.json via hardhat@2.6.0, @ethereumjs/blockchain@5.4.0,typescript/optics-tests/package.json via ethereum-waffle@3.4.0, @ethereum-waffle/provider@3.4.0, ganache-core@2.13.2, ethereumjs-account@3.0.0
rlp@2.2.7 (added) rlp typescript/optics-tests/package.json via hardhat@2.12.5, @metamask/eth-sig-util@4.0.1, ethereumjs-util@6.2.1
Pull request report summary
Issue Status
Install scripts ⚠️ 2 issues
Native code ⚠️ 1 issue
Bin script confusion ⚠️ 3 issues
Bin script shell injection ✅ 0 issues
Unresolved require ✅ 0 issues
Invalid package.json ✅ 0 issues
HTTP dependency ✅ 0 issues
Git dependency ✅ 0 issues
Potential typo squat ✅ 0 issues
Known Malware ✅ 0 issues
Telemetry ✅ 0 issues
Protestware/Troll package ✅ 0 issues
Bot Commands

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@2.4.2

  • @SocketSecurity ignore classic-level@1.2.0
  • @SocketSecurity ignore @nomicfoundation/ethereumjs-rlp@4.0.0
  • @SocketSecurity ignore rlp@2.2.6
  • @SocketSecurity ignore rlp@2.2.7

Powered by socket.dev