search

rsksmart / rif-marketplace-storage

Pinning contracts
4 stars 5 forks source link

build(deps): bump @openzeppelin/contracts from 3.4.1 to 4.5.0 #352

Closed dependabot[bot] closed 2 years ago

dependabot[bot] commented 2 years ago

Bumps @openzeppelin/contracts from 3.4.1 to 4.5.0.

Release notes

Sourced from @​openzeppelin/contracts's releases.

v4.5.0

  • ERC2981: add implementation of the royalty standard, and the respective extensions for ERC721 and ERC1155. (#3012)
  • GovernorTimelockControl: improve the state() function to have it reflect cases where a proposal has been canceled directly on the timelock. (#2977)
  • Preset contracts are now deprecated in favor of Contracts Wizard. (#2986)
  • Governor: add a relay function to help recover assets sent to a governor that is not its own executor (e.g. when using a timelock). (#2926)
  • GovernorPreventLateQuorum: add new module to ensure a minimum voting duration is available after the quorum is reached. (#2973)
  • ERC721: improved revert reason when transferring from wrong owner. (#2975)
  • Votes: Added a base contract for vote tracking with delegation. (#2944)
  • ERC721Votes: Added an extension of ERC721 enabled with vote tracking and delegation. (#2944)
  • ERC2771Context: use immutable storage to store the forwarder address, no longer an issue since Solidity >=0.8.8 allows reading immutable variables in the constructor. (#2917)
  • Base64: add a library to parse bytes into base64 strings using encode(bytes memory) function, and provide examples to show how to use to build URL-safe tokenURIs. (#2884)
  • ERC20: reduce allowance before triggering transfer. (#3056)
  • ERC20: do not update allowance on transferFrom when allowance is type(uint256).max. (#3085)
  • ERC20: add a _spendAllowance internal function. (#3170)
  • ERC20Burnable: do not update allowance on burnFrom when allowance is type(uint256).max. (#3170)
  • ERC777: do not update allowance on transferFrom when allowance is type(uint256).max. (#3085)
  • ERC777: add a _spendAllowance internal function. (#3170)
  • SignedMath: a new signed version of the Math library with max, min, and average. (#2686)
  • SignedMath: add a abs(int256) method that returns the unsigned absolute value of a signed value. (#2984)
  • ERC1967Upgrade: Refactor the secure upgrade to use ERC1822 instead of the previous rollback mechanism. This reduces code complexity and attack surface with similar security guarantees. (#3021)
  • UUPSUpgradeable: Add ERC1822 compliance to support the updated secure upgrade mechanism. (#3021)
  • Some more functions have been made virtual to customize them via overrides. In many cases this will not imply that other functions in the contract will automatically adapt to the overridden definitions. People who wish to override should consult the source code to understand the impact and if they need to override any additional functions to achieve the desired behavior.

Breaking changes

  • ERC1967Upgrade: The function _upgradeToAndCallSecure was renamed to _upgradeToAndCallUUPS, along with the change in security mechanism described above.
  • Address: The Solidity pragma is increased from ^0.8.0 to ^0.8.1. This is required by the account.code.length syntax that replaces inline assembly. This may require users to bump their compiler version from 0.8.0 to 0.8.1 or later. Note that other parts of the code already include stricter requirements.

v4.5.0-rc.0

This prerelease is now available for review! Let us know your feedback and if you find any security issues.

We have a bug bounty with rewards of up to USD $25,000 and a special POAP for submitting a valid issue.

See the announcement for some more details.

v4.4.2

:warning: This is a patch for a medium severity issue. For more information visit the security advisory.

  • GovernorCompatibilityBravo: Fix error in the encoding of calldata for proposals submitted through the compatibility interface with explicit signatures. (#3100)

v4.4.1

:warning: This is a patch for a low severity vulnerability. For more information visit the security advisory.

  • Initializable: change the existing initializer modifier and add a new onlyInitializing modifier to prevent reentrancy risk. (#3006)

Breaking change

It is no longer possible to call an initializer-protected function from within another initializer function outside the context of a constructor. Projects using OpenZeppelin upgradeable proxies should continue to work as is, since in the common case the initializer is invoked in the constructor directly. If this is not the case for you, the suggested change is to use the new onlyInitializing modifier in the following way:

</tr></table>

... (truncated)

Changelog

Sourced from @​openzeppelin/contracts's changelog.

4.5.0 (2022-02-09)

  • ERC2981: add implementation of the royalty standard, and the respective extensions for ERC721 and ERC1155. (#3012)
  • GovernorTimelockControl: improve the state() function to have it reflect cases where a proposal has been canceled directly on the timelock. (#2977)
  • Preset contracts are now deprecated in favor of Contracts Wizard. (#2986)
  • Governor: add a relay function to help recover assets sent to a governor that is not its own executor (e.g. when using a timelock). (#2926)
  • GovernorPreventLateQuorum: add new module to ensure a minimum voting duration is available after the quorum is reached. (#2973)
  • ERC721: improved revert reason when transferring from wrong owner. (#2975)
  • Votes: Added a base contract for vote tracking with delegation. (#2944)
  • ERC721Votes: Added an extension of ERC721 enabled with vote tracking and delegation. (#2944)
  • ERC2771Context: use immutable storage to store the forwarder address, no longer an issue since Solidity >=0.8.8 allows reading immutable variables in the constructor. (#2917)
  • Base64: add a library to parse bytes into base64 strings using encode(bytes memory) function, and provide examples to show how to use to build URL-safe tokenURIs. (#2884)
  • ERC20: reduce allowance before triggering transfer. (#3056)
  • ERC20: do not update allowance on transferFrom when allowance is type(uint256).max. (#3085)
  • ERC20: add a _spendAllowance internal function. (#3170)
  • ERC20Burnable: do not update allowance on burnFrom when allowance is type(uint256).max. (#3170)
  • ERC777: do not update allowance on transferFrom when allowance is type(uint256).max. (#3085)
  • ERC777: add a _spendAllowance internal function. (#3170)
  • SignedMath: a new signed version of the Math library with max, min, and average. (#2686)
  • SignedMath: add a abs(int256) method that returns the unsigned absolute value of a signed value. (#2984)
  • ERC1967Upgrade: Refactor the secure upgrade to use ERC1822 instead of the previous rollback mechanism. This reduces code complexity and attack surface with similar security guarantees. (#3021)
  • UUPSUpgradeable: Add ERC1822 compliance to support the updated secure upgrade mechanism. (#3021)
  • Some more functions have been made virtual to customize them via overrides. In many cases this will not imply that other functions in the contract will automatically adapt to the overridden definitions. People who wish to override should consult the source code to understand the impact and if they need to override any additional functions to achieve the desired behavior.

Breaking changes

  • ERC1967Upgrade: The function _upgradeToAndCallSecure was renamed to _upgradeToAndCallUUPS, along with the change in security mechanism described above.
  • Address: The Solidity pragma is increased from ^0.8.0 to ^0.8.1. This is required by the account.code.length syntax that replaces inline assembly. This may require users to bump their compiler version from 0.8.0 to 0.8.1 or later. Note that other parts of the code already include stricter requirements.

4.4.2 (2022-01-11)

Bugfixes

  • GovernorCompatibilityBravo: Fix error in the encoding of calldata for proposals submitted through the compatibility interface with explicit signatures. (#3100)

4.4.1 (2021-12-14)

  • Initializable: change the existing initializer modifier and add a new onlyInitializing modifier to prevent reentrancy risk. (#3006)

Breaking change

It is no longer possible to call an initializer-protected function from within another initializer function outside the context of a constructor. Projects using OpenZeppelin upgradeable proxies should continue to work as is, since in the common case the initializer is invoked in the constructor directly. If this is not the case for you, the suggested change is to use the new onlyInitializing modifier in the following way:

 contract A {
-    function initialize() public   initializer { ... }
+    function initialize() internal onlyInitializing { ... }
 }
 contract B is A {
     function initialize() public initializer {
         A.initialize();
</tr></table>

... (truncated)

Commits
  • a5445b0 4.5.0
  • 494b1b9 Add a _spendAllowance function to ERC20 & ERC777 (#3170)
  • 234a971 Rename some ERC20 parameters to match the standard document. (#3167)
  • 2248e37 Fix typo in CHANGELOG (#3138)
  • c1a5c27 Make royaltyInfo(uint256 _tokenId, uint256 _salePrice) virtual (#3133)
  • a976023 Fix broken pull request links in change log (#3114)
  • fdfd972 Move abs(int256) from Math to SafeMath (#3110)
  • a8a08be Improve documentation of various governance aspects (#3161)
  • ac8c536 Add "available since" on Base64.sol
  • a9e5759 Simplify inheritance to avoid overrides
  • Additional commits viewable in compare view


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
dependabot[bot] commented 2 years ago

Dependabot tried to add @artem-brazhnikov as a reviewer to this PR, but received the following error from GitHub:

POST https://api.github.com/repos/rsksmart/rif-marketplace-storage/pulls/352/requested_reviewers: 422 - Reviews may only be requested from collaborators. One or more of the users or teams you specified is not a collaborator of the rsksmart/rif-marketplace-storage repository. // See: https://docs.github.com/rest/reference/pulls#request-reviewers-for-a-pull-request
dependabot[bot] commented 2 years ago

Superseded by #380.