Bump the npm_and_yarn group across 1 directory with 13 updates #7

dependabot · 2024-12-10T03:27:51Z

Bumps the npm_and_yarn group with 10 updates in the /lib/openzeppelin-contracts directory:

Package	From	To
undici	`5.22.1`	`5.28.4`
body-parser	`1.20.2`	`1.20.3`
express	`4.18.2`	`4.21.2`
braces	`3.0.2`	`3.0.3`
crypto-js	`3.3.0`	`4.2.0`
merkletreejs	`0.2.32`	`0.4.0`
flat	`4.1.1`	`5.0.2`
eth-gas-reporter	`0.2.25`	`0.2.27`
solidity-coverage	`0.8.2`	`0.8.14`
secp256k1	`4.0.3`	`4.0.4`

Updates undici from 5.22.1 to 5.28.4

Release notes

Sourced from undici's releases.

v5.28.4

⚠️ Security Release ⚠️

Fixes GHSA-m4v8-wqvr-p9f7 CVE-2024-30260

Fixes GHSA-9qxr-qj54-h672 CVE-2024-30261

Full Changelog: nodejs/undici@v5.28.3...v5.28.4

v5.28.3

⚠️ Security Release ⚠️

Fixes:

CVE-2024-24758 Proxy-Authorization header not cleared on cross-origin redirect in fetch

Full Changelog: nodejs/undici@v5.28.2...v5.28.3

v5.28.2

What's Changed

fix: remove optional chainning for compatible with Nodejs12 and below by @bugb in nodejs/undici#2470

fix: remove node: prefix by @tsctx in nodejs/undici#2471

perf: avoid Headers initialization by @tsctx in nodejs/undici#2468

fix: handle SharedArrayBuffer correctly by @tsctx in nodejs/undici#2466

fix: Add null type to signal in RequestInit by @gebsh in nodejs/undici#2455

fix: correctly handle data URL with hashes. by @tsctx in nodejs/undici#2475

fix: check response for timinginfo allow flag by @ToshB in nodejs/undici#2477

Make call to onBodySent conditional in RetryHandler by @MzUgM in nodejs/undici#2478

refactor: better integrity check by @tsctx in nodejs/undici#2462

fix: Added support for inline URL username:password proxy auth by @matt-way in nodejs/undici#2473

build(deps-dev): bump jsdom from 22.1.0 to 23.0.0 by @dependabot in nodejs/undici#2472

build(deps-dev): bump sinon from 16.1.3 to 17.0.1 by @dependabot in nodejs/undici#2405

build(deps): bump ossf/scorecard-action from 2.2.0 to 2.3.1 by @dependabot in nodejs/undici#2396

build(deps): bump actions/setup-node from 3.8.1 to 4.0.0 by @dependabot in nodejs/undici#2395

build(deps): bump step-security/harden-runner from 2.5.0 to 2.6.0 by @dependabot in nodejs/undici#2392

build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 by @dependabot in nodejs/undici#2389

build(deps): bump actions/upload-artifact from 3.1.2 to 3.1.3 by @dependabot in nodejs/undici#2302

New Contributors

@bugb made their first contribution in nodejs/undici#2470

@gebsh made their first contribution in nodejs/undici#2455

@ToshB made their first contribution in nodejs/undici#2477

@MzUgM made their first contribution in nodejs/undici#2478

@matt-way made their first contribution in nodejs/undici#2473

Full Changelog: nodejs/undici@v5.28.1...v5.28.2

v5.28.1

What's Changed

perf: Improve normalizeMethod by @tsctx in nodejs/undici#2456

fix: dispatch error handling by @ronag in nodejs/undici#2459

... (truncated)

Commits

fb98306 Bumped v5.28.4
2b39440 Merge pull request from GHSA-9qxr-qj54-h672
64e3402 Merge pull request from GHSA-m4v8-wqvr-p9f7
723c4e7 Revert "build(deps-dev): bump formdata-node from 4.4.1 to 6.0.3 (#2389)"
0e9d54b skip failing test due to Node.js changes
e71cb4c Bumped v5.28.3
20c65b8 Fix tests for Node.js v20.11.0 (#2618)
8ec52cd Fix tests for Node.js v21 (#2609)
d3aa574 Merge pull request from GHSA-3787-6prv-h9w3
9a14e5f Bumped v5.28.2
Additional commits viewable in compare view

Updates body-parser from 1.20.2 to 1.20.3

Release notes

Sourced from body-parser's releases.

1.20.3

What's Changed

Important

deps: [email protected]

add depth option to customize the depth level in the parser

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity). Documentation

Other changes

chore: add support for OSSF scorecard reporting by @inigomarquinez in expressjs/body-parser#522

ci: fix errors in ci github action for node 8 and 9 by @inigomarquinez in expressjs/body-parser#523

fix: pin to [email protected] by @wesleytodd in expressjs/body-parser#527

deps: [email protected] by @melikhov-dev in expressjs/body-parser#521

Add OSSF Scorecard badge by @bjohansebas in expressjs/body-parser#531

Linter by @UlisesGascon in expressjs/body-parser#534

Release: 1.20.3 by @UlisesGascon in expressjs/body-parser#535

New Contributors

@inigomarquinez made their first contribution in expressjs/body-parser#522

@melikhov-dev made their first contribution in expressjs/body-parser#521

@bjohansebas made their first contribution in expressjs/body-parser#531

@UlisesGascon made their first contribution in expressjs/body-parser#534

Full Changelog: expressjs/body-parser@1.20.2...1.20.3

Changelog

Sourced from body-parser's changelog.

1.20.3 / 2024-09-10

deps: [email protected]

add depth option to customize the depth level in the parser

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

Commits

1752951 1.20.3
39744cf chore: linter (#534)
b2695c4 Merge commit from fork
ade0f3f add scorecard to readme (#531)
99a1bd6 deps: [email protected] (#521)
9478591 fix: pin to [email protected]
83db46a ci: fix errors in ci github action for node 8 and 9 (#523)
9d4e212 chore: add support for OSSF scorecard reporting (#522)
See full diff in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for body-parser since your current version.

Updates express from 4.18.2 to 4.21.2

Release notes

Sourced from express's releases.

4.21.2

What's Changed

Add funding field (v4) by @bjohansebas in expressjs/express#6065

deps: [email protected] by @blakeembrey in expressjs/express#5956

deps: bump [email protected] by @jonchurch in expressjs/express#6209

Release: 4.21.2 by @UlisesGascon in expressjs/express#6094

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

Backport a fix for CVE-2024-47764 to the 4.x branch by @joshbuker in expressjs/express#6029

Release: 4.21.1 by @UlisesGascon in expressjs/express#6031

Full Changelog: expressjs/express@4.21.0...4.21.1

4.21.0

What's Changed

Deprecate "back" magic string in redirects by @blakeembrey in expressjs/express#5935

[email protected] by @wesleytodd in expressjs/express#5954

fix(deps): [email protected] by @wesleytodd in expressjs/express#5951

Upgraded dependency qs to 6.13.0 to match qs in body-parser by @agadzinski93 in expressjs/express#5946

New Contributors

@agadzinski93 made their first contribution in expressjs/express#5946

Full Changelog: expressjs/express@4.20.0...4.21.0

4.20.0

What's Changed

Important

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

Remove link renderization in html while using res.redirect

Other Changes

4.19.2 Staging by @wesleytodd in expressjs/express#5561

remove duplicate location test for data uri by @wesleytodd in expressjs/express#5562

feat: document beta releases expectations by @marco-ippolito in expressjs/express#5565

Cut down on duplicated CI runs by @jonchurch in expressjs/express#5564

Add a Threat Model by @UlisesGascon in expressjs/express#5526

Assign captain of encodeurl by @blakeembrey in expressjs/express#5579

Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @jonchurch in expressjs/express#5587

docs: update Security.md by @inigomarquinez in expressjs/express#5590

docs: update triage nomination policy by @UlisesGascon in expressjs/express#5600

Add CodeQL (SAST) by @UlisesGascon in expressjs/express#5433

docs: add UlisesGascon as triage initiative captain by @UlisesGascon in expressjs/express#5605

... (truncated)

Changelog

Sourced from express's changelog.

4.21.2 / 2024-11-06

deps: [email protected]

Fix backtracking protection

deps: [email protected]

Throws an error on invalid path values

4.21.1 / 2024-10-08

Backported a fix for CVE-2024-47764

4.21.0 / 2024-09-11

Deprecate res.location("back") and res.redirect("back") magic string

deps: [email protected]

includes [email protected]

deps: [email protected]

deps: [email protected]

4.20.0 / 2024-09-10

deps: [email protected]

Remove link renderization in html while redirecting

deps: [email protected]

Remove link renderization in html while redirecting

deps: [email protected]

add depth option to customize the depth level in the parser

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

Remove link renderization in html while using res.redirect

deps: [email protected]

Adds support for named matching groups in the routes using a regex

Adds backtracking protection to parameters without regexes defined

deps: encodeurl@~2.0.0

Removes encoding of \, |, and ^ to align better with URL spec

Deprecate passing options.maxAge and options.expires to res.clearCookie

Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

4.19.2 / 2024-03-25

Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

Allow passing non-strings to res.location with new encoding handling checks

... (truncated)

Commits

1faf228 4.21.2
2e0fb64 deps: bump [email protected] (#6209)
59fc270 deps: [email protected] (#5956)
51fc39c docs: add funding (#6065)
8e229f9 4.21.1
a024c8a fix(deps): [email protected]
7e562c6 4.21.0
1bcde96 fix(deps): [email protected] (#5946)
7d36477 fix(deps): [email protected] (#5951)
40d2d8f fix(deps): [email protected]
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for express since your current version.

Updates braces from 3.0.2 to 3.0.3

Commits

74b2db2 3.0.3
88f1429 update eslint. lint, fix unit tests.
415d660 Snyk js braces 6838727 (#40)
190510f fix tests, skip 1 test in test/braces.expand
716eb9f readme bump
a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
98414f9 remove funding file
665ab5d update keepEscaping doc (#27)
Additional commits viewable in compare view

Updates crypto-js from 3.3.0 to 4.2.0

Commits

808f499 Merge branch 'release/4.2.0'
d5af3ae Update release notes.
9496e07 Bump version.
421dd53 Change default hash algorithm and iteration's for PBKDF2 to prevent weak secu...
d1f4f4d Update grunt.
c755289 Discontinued
1da3dab Discontinued
4dcaa7a Merge pull request #380 from Alanscut/dev
762feb2 chore: rename BF to Blowfish
fb81418 feat: blowfish support
Additional commits viewable in compare view

Updates merkletreejs from 0.2.32 to 0.4.0

Commits

See full diff in compare view

Updates flat from 4.1.1 to 5.0.2

Commits

e5ffd66 Release 5.0.2
fdb79d5 Update dependencies, refresh lockfile, format with standard.
e52185d Test against node 14 in CI.
0189cb1 Avoid arrow function syntax.
f25d3a1 Release 5.0.1
54cc7ad use standard formatting
779816e drop dependencies
2eea6d3 Bump lodash from 4.17.15 to 4.17.19
a61a554 Bump acorn from 7.1.0 to 7.4.0
20ef0ef Fix prototype pollution on unflatten
Additional commits viewable in compare view

Updates eth-gas-reporter from 0.2.25 to 0.2.27

Release notes

Sourced from eth-gas-reporter's releases.

v0.2.27

What's Changed

Remove @ethersproject/abi, use ethers.utils by @cgewecke in cgewecke/eth-gas-reporter#301

Full Changelog: cgewecke/eth-gas-reporter@v0.2.26...v0.2.27

v0.2.26

What's Changed

Update Mocha to v10 by @frangio in cgewecke/eth-gas-reporter#295

Bump ethers version by @ChristopherDedominici in cgewecke/eth-gas-reporter#296

Remove unused request package by @ChristopherDedominici in cgewecke/eth-gas-reporter#297

Replace request-promise-native with axios by @cgewecke in cgewecke/eth-gas-reporter#299

New Contributors

@ChristopherDedominici made their first contribution in cgewecke/eth-gas-reporter#296

Full Changelog: cgewecke/eth-gas-reporter@v0.2.2...v0.2.26

Changelog

Sourced from eth-gas-reporter's changelog.

0.2.27 / 2023-09-30

Remove @ethersproject/abi, use ethers.utils instead (cgewecke/eth-gas-reporter#301)

0.2.26 / 2023-09-29

Replace request-promise-native with axios / avoid default price API calls (cgewecke/eth-gas-reporter#299)

Remove request package (cgewecke/eth-gas-reporter#297)

Bump ethers version (cgewecke/eth-gas-reporter#296)

Update Mocha to v10 (cgewecke/eth-gas-reporter#295)

0.2.23 / 2021-11-26

Add notes to README about missing price data & remote data fetching race condition

Add support for multiple gas price tokens (BNB, MATIC, AVAX, HR, MOVR) (cgewecke/eth-gas-reporter#251)

Make @codechecks/client peer dep optional (cgewecke/eth-gas-reporter#257)

Update @solidity-parser/parser to 0.14.0 (cgewecke/eth-gas-reporter#261)

0.2.22 / 2021-03-04

Update @solidity-parser/parser to ^0.12.0 (support Panic keyword in catch blocks) (cgewecke/eth-gas-reporter#243)

0.2.21 / 2021-02-16

Fix missing truffle migration deployments data (cgewecke/eth-gas-reporter#240)

Upgrade solidity-parser/parser to 0.11.1 (cgewecke/eth-gas-reporter#239)

0.2.20 / 2020-12-01

Add support for remote contracts data pre-loading (hardhat-gas-reporter feature)

0.2.19 / 2020-10-29

Delegate contract loading/parsing to artifactor & make optional (#227)

0.2.18 / 2020-10-13

Support multiple codechecks reports per CI run

Add CI error threshold options: maxMethodDiff, maxDeploymentDiff

Add async collection methods for BuidlerEVM

Update solidity-parser/parser to 0.8.0 (contribution: @vicnaum)

Update dev deps / use Node 12 in CI

0.2.17 / 2020-04-13

Use @solidity-parser/parser for better solc 0.6.x parsing

Upgrade Mocha to ^7.1.1 (to remove minimist vuln warning)

Stop crashing when parser or ABI Encoder fails

Update @ethersproject/abi to ^5.0.0-beta.146 (and unpin)

... (truncated)

Commits

See full diff in compare view

Updates solidity-coverage from 0.8.2 to 0.8.14

Release notes

Sourced from solidity-coverage's releases.

0.8.14

What's Changed

Update solidity-parser/parser dep to 0.19.0 for transient storage support by @cgewecke in sc-forks/solidity-coverage#898

fix: typos in documentation files by @leopardracer in sc-forks/solidity-coverage#896

New Contributors

@leopardracer made their first contribution in sc-forks/solidity-coverage#896

Full Changelog: sc-forks/solidity-coverage@v0.8.13...v0.8.14

v0.8.13

🐛 Bug Fixes

This release fixes a bug that caused the plugin to error when used with hardhat-viem in combination with a forked network.

What's Changed

Error if --solcoverjs passed but file is nonexistent by @area in sc-forks/solidity-coverage#889

Stop overwriting forking config in extendConfig by @cgewecke in sc-forks/solidity-coverage#893

Misc docs fixes

New Contributors

@AndreMiras made their first contribution in sc-forks/solidity-coverage#887

@nnsW3 made their first contribution in sc-forks/solidity-coverage#892

Full Changelog: sc-forks/solidity-coverage@v0.8.12...v0.8.13

v0.8.12

What's Changed
Adds "work-around" support for the hardhat-viem plugin. If you're using viem, run the coverage task with:
SOLIDITY_COVERAGE=true npx hardhat coverage
Adds support for solc v0.4.x

Fixes a bug where plugin crashed if the contract sources directory name contained a period.

Fixes a bug where instrumentation failed if there was whitespace between require statement and the terminating semi-colon
PRs

Add extendConfig logic for hardhat-viem plugin by @cgewecke in sc-forks/solidity-coverage#883

Support solc v0.4.x by @cgewecke in sc-forks/solidity-coverage#877

Use fs.stat to check directory status by @cgewecke in sc-forks/solidity-coverage#880

Update hardhat dev dep to 2.22.2 (EDR) by @cgewecke in sc-forks/solidity-coverage#881

Tolerate whitespace between require and terminating ; by @cgewecke in sc-forks/solidity-coverage#884

Document extendConfig changes in README by @cgewecke in sc-forks/solidity-coverage#885

Full Changelog: sc-forks/solidity-coverage@v0.8.11...v0.8.12

v0.8.11

Summary

0.8.11 fixes a(nother) bug that resulted in some line hits remaining undetected when compiling with viaIR=true

... (truncated)

Changelog

Sourced from solidity-coverage's changelog.

Changelog

0.8.11 / 2024-03-07

Check all SWAP opcodes for inst. hashes when viaIR is true (sc-forks/solidity-coverage#873)

0.8.10 / 2024-02-29

Check all PUSH opcodes for instr. hashes when viaIR is true (sc-forks/solidity-coverage#871)

0.8.9 / 2024-02-27

Fix duplicate hash logic (sc-forks/solidity-coverage#868)

Improve organization of edge case code in collector (sc-forks/solidity-coverage#869)

0.8.8 / 2024-02-21

Coerce sources path to absolute path if necessary (sc-forks/solidity-coverage#866)

Only inject file-level instr. for first pragma in file (sc-forks/solidity-coverage#865)

0.8.7 / 2024-02-09

Documentation Cleanup & Improvements for 0.8.7 release (sc-forks/solidity-coverage#859)

Add tests for file-level function declarations (sc-forks/solidity-coverage#858)

Add try / catch unit tests (sc-forks/solidity-coverage#857)

Fix test project configs for viaIR detection in overrides (sc-forks/solidity-coverage#856)

Enable coverage when viaIR compiler flag is true (sc-forks/solidity-coverage#854)

Add missing onPreCompile hook (sc-forks/solidity-coverage#851)

Remove ganache-cli related code from API & tests (sc-forks/solidity-coverage#849)

Add command option to specify the source files to run the coverage on (sc-forks/solidity-coverage#838)

0.8.6 / 2024-01-28

Add test for multi-contract files with inheritance (sc-forks/solidity-coverage#836)

Add test for modifiers with post-conditions (sc-forks/solidity-coverage#835)

Document Istanbul check-coverage cli command (sc-forks/solidity-coverage#834)

Throw error when mocha parallel is set to true (sc-forks/solidity-coverage#833)

Fix instrumentation error for virtual modifiers (sc-forks/solidity-coverage#832)

Add test for file level using for statements

... (truncated)

Commits

0a9ac96 0.8.14
7c64eb6 Add transient storage support (#898)
de0452a Update matrix.md (#896)
97dadf8 0.8.13
df1df12 Stop overwriting forking config in extendConfig (#893)
fcf858f Docs: fix additional spelling issues (#892)
adaeb54 Error if solcoverjs passed but nonexistent (#889)
04d178e Update OpenZeppelin Codecov example link (#887)
f550eae 0.8.12
a1158f5 Document extendConfig changes in README (#885)
Additional commits viewable in compare view

Updates express from 4.18.2 to 4.21.2

Release notes

Sourced from express's releases.

4.21.2

What's Changed

Add funding field (v4) by @bjohansebas in expressjs/express#6065

deps: [email protected] by @blakeembrey in expressjs/express#5956

deps: bump [email protected] by @jonchurch in expressjs/express#6209

Release: 4.21.2 by @UlisesGascon in expressjs/express#6094

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

Backport a fix for CVE-2024-47764 to the 4.x branch by @joshbuker in expressjs/express#6029

Release: 4.21.1 by @UlisesGascon in expressjs/express#6031

Full Changelog: expressjs/express@4.21.0...4.21.1

4.21.0

What's Changed

Deprecate "back" magic string in redirects by @blakeembrey in expressjs/express#5935

[email protected] by @wesleytodd in expressjs/express#5954

fix(deps): [email protected] by @wesleytodd in expressjs/express#5951

Upgraded dependency qs to 6.13.0 to match qs in body-parser by @agadzinski93 in expressjs/express#5946

New Contributors

@agadzinski93 made their first contribution in expressjs/express#5946

Full Changelog: expressjs/express@4.20.0...4.21.0

4.20.0

What's Changed

Important

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

Remove link renderization in html while using res.redirect

Other Changes

4.19.2 Staging by @wesleytodd in expressjs/express#5561

remove duplicate location test for data uri by @wesleytodd in expressjs/express#5562

feat: document beta releases expectations by @marco-ippolito in expressjs/express#5565

Cut down on duplicated CI runs by @jonchurch in expressjs/express#5564

Add a Threat Model by @UlisesGascon in expressjs/express#5526

Assign captain of encodeurl by @blakeembrey in expressjs/express#5579

Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @jonchurch in expressjs/express#5587

docs: update Security.md by @inigomarquinez in expressjs/express#5590

docs: update triage nomination policy by @UlisesGascon in expressjs/express#5600

Add CodeQL (SAST) by @UlisesGascon in expressjs/express#5433

docs: add UlisesGascon as triage initiative captain by @UlisesGascon in expressjs/express#5605

... (truncated)

Changelog

Sourced from express's changelog.

4.21.2 / 2024-11-06

deps: [email protected]

Fix backtracking protection

deps: [email protected]

Throws an error on invalid path values

4.21.1 / 2024-10-08

Backported a fix for CVE-2024-47764

4.21.0 / 2024-09-11

Deprecate res.location("back") and res.redirect("back") magic string

deps: [email protected]

includes [email protected]

deps: [email protected]

deps: [email protected]

4.20.0 / 2024-09-10

deps: [email protected]

Remove link renderization in html while redirecting

deps: [email protected]

Remove link renderization in html while redirecting

deps: [email protected]

add depth option to customize the depth level in the parser

IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)

Remove link renderization in html while using res.redirect

deps: [email protected]

Adds support for named matching groups in the routes using a regex

Adds backtracking protection to parameters without regexes defined

deps: encodeurl@~2.0.0

Removes encoding of \, |, and ^ to align better with URL spec

Deprecate passing options.maxAge and options.expires to res.clearCookie

Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

4.19.2 / 2024-03-25

Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

Allow passing non-strings to res.location with new encoding handling checks

... (truncated)

Commits

1faf228 4.21.2
2e0fb64 deps: bump [email protected] (#6209)
59fc270 deps: [email protected] (#5956)
51fc39c docs: add funding (#6065)
8e229f9 4.21.1
a024c8a fix(deps): [email protected]
7e562c6 4.21.0
1bcde96 fix(deps): [email protected] (#5946)
7d36477 fix(deps): [email protected] (#5951)
40d2d8f fix(deps): [email protected]
Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for express since your current version.

Updates follow-redirects from 1.15.2 to 1.15.9

Commits

e4e55c7 Release version 1.15.9 of the npm package.
31a1abf Attempt much more gentle detection.
d2aaa97 Fix url field.
62558f0 Release version 1.15.8 of the npm package.
a8d1cee Return subtlety.
458ca8e Fix native URL test for Node 20.
ca49e44 Handle KeepAlive connections in tests.
f3711d7 Test on Node 20 and 22.
fda0faf Fix typo.
760757f Release version 1.15.7 of the npm package.
Additional commits viewable in compare view

Updates secp256k1 from 4.0.3 to 4.0.4

Commits

756fce1 4.0.4
8bd6446 elliptic: fix key verification in loadCompressedPublicKey
840834e Update elliptic to 6.5.7 (CVE-2024-42461) (#206)
See full diff in compare view

Updates send from 0.18.0 to 0.19.0

Release notes

Sourced from send's releases.

0.19.0

What's Changed

Remove link renderization in html while redirecting (pillarjs/send#235)

New Contributors

@UlisesGascon made their first contribution in pillarjs/send#235

Full Changelog: pillarjs/send@0.18.0...0.19.0

Changelog

Sourced from send's changelog.

0.19.0 / 2024-09-10

Remove link renderization in html while redirecting

Commits

9d2db99 0.19.0
ae4f298 Merge commit from fork
See full diff in compare view

Maintainer changes

This version was pushed to npm by ulisesgascon, a new releaser for send since your current version.

Updates serve-static from 1.15.0 to 1.16.2

Release notes

Sourced from serve-static's releases.

1.16.0

What's Changed

Remove link renderization in html while redirecting (expressjs/serve-static#173)...
Description has been truncated

Bumps the npm_and_yarn group with 10 updates in the /lib/openzeppelin-contracts directory: | Package | From | To | | --- | --- | --- | | [undici](https://github.com/nodejs/undici) | `5.22.1` | `5.28.4` | | [body-parser](https://github.com/expressjs/body-parser) | `1.20.2` | `1.20.3` | | [express](https://github.com/expressjs/express) | `4.18.2` | `4.21.2` | | [braces](https://github.com/micromatch/braces) | `3.0.2` | `3.0.3` | | [crypto-js](https://github.com/brix/crypto-js) | `3.3.0` | `4.2.0` | | [merkletreejs](https://github.com/miguelmota/merkletreejs) | `0.2.32` | `0.4.0` | | [flat](https://github.com/hughsk/flat) | `4.1.1` | `5.0.2` | | [eth-gas-reporter](https://github.com/cgewecke/eth-gas-reporter) | `0.2.25` | `0.2.27` | | [solidity-coverage](https://github.com/sc-forks/solidity-coverage) | `0.8.2` | `0.8.14` | | [secp256k1](https://github.com/cryptocoinjs/secp256k1-node) | `4.0.3` | `4.0.4` | Updates `undici` from 5.22.1 to 5.28.4 - [Release notes](https://github.com/nodejs/undici/releases) - [Commits](nodejs/undici@v5.22.1...v5.28.4) Updates `body-parser` from 1.20.2 to 1.20.3 - [Release notes](https://github.com/expressjs/body-parser/releases) - [Changelog](https://github.com/expressjs/body-parser/blob/master/HISTORY.md) - [Commits](expressjs/body-parser@1.20.2...1.20.3) Updates `express` from 4.18.2 to 4.21.2 - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/4.21.2/History.md) - [Commits](expressjs/express@4.18.2...4.21.2) Updates `braces` from 3.0.2 to 3.0.3 - [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md) - [Commits](micromatch/braces@3.0.2...3.0.3) Updates `crypto-js` from 3.3.0 to 4.2.0 - [Commits](brix/crypto-js@3.3.0...4.2.0) Updates `merkletreejs` from 0.2.32 to 0.4.0 - [Commits](https://github.com/miguelmota/merkletreejs/commits) Updates `flat` from 4.1.1 to 5.0.2 - [Release notes](https://github.com/hughsk/flat/releases) - [Commits](hughsk/flat@4.1.1...5.0.2) Updates `eth-gas-reporter` from 0.2.25 to 0.2.27 - [Release notes](https://github.com/cgewecke/eth-gas-reporter/releases) - [Changelog](https://github.com/cgewecke/eth-gas-reporter/blob/master/CHANGELOG.md) - [Commits](https://github.com/cgewecke/eth-gas-reporter/commits/v0.2.27) Updates `solidity-coverage` from 0.8.2 to 0.8.14 - [Release notes](https://github.com/sc-forks/solidity-coverage/releases) - [Changelog](https://github.com/sc-forks/solidity-coverage/blob/master/CHANGELOG.md) - [Commits](sc-forks/solidity-coverage@v0.8.2...v0.8.14) Updates `express` from 4.18.2 to 4.21.2 - [Release notes](https://github.com/expressjs/express/releases) - [Changelog](https://github.com/expressjs/express/blob/4.21.2/History.md) - [Commits](expressjs/express@4.18.2...4.21.2) Updates `follow-redirects` from 1.15.2 to 1.15.9 - [Release notes](https://github.com/follow-redirects/follow-redirects/releases) - [Commits](follow-redirects/follow-redirects@v1.15.2...v1.15.9) Updates `secp256k1` from 4.0.3 to 4.0.4 - [Release notes](https://github.com/cryptocoinjs/secp256k1-node/releases) - [Commits](cryptocoinjs/secp256k1-node@v4.0.3...v4.0.4) Updates `send` from 0.18.0 to 0.19.0 - [Release notes](https://github.com/pillarjs/send/releases) - [Changelog](https://github.com/pillarjs/send/blob/master/HISTORY.md) - [Commits](pillarjs/send@0.18.0...0.19.0) Updates `serve-static` from 1.15.0 to 1.16.2 - [Release notes](https://github.com/expressjs/serve-static/releases) - [Changelog](https://github.com/expressjs/serve-static/blob/v1.16.2/HISTORY.md) - [Commits](expressjs/serve-static@v1.15.0...v1.16.2) --- updated-dependencies: - dependency-name: undici dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: body-parser dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: express dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: braces dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: crypto-js dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: merkletreejs dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: flat dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: eth-gas-reporter dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: solidity-coverage dependency-type: direct:development dependency-group: npm_and_yarn - dependency-name: express dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: follow-redirects dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: secp256k1 dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: send dependency-type: indirect dependency-group: npm_and_yarn - dependency-name: serve-static dependency-type: indirect dependency-group: npm_and_yarn ... Signed-off-by: dependabot[bot] <[email protected]>

socket-security · 2024-12-10T03:28:17Z

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/[email protected]	None	`+2`	850 kB	miguelmota
npm/[email protected]	None	`0`	91.4 kB	npm-cli-ops

🚮 Removed packages: npm/[email protected]

View full report↗︎

socket-security · 2024-12-10T03:28:19Z

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source	CI
License Policy Violation	npm/[email protected]	License: CC-BY-SA-4.0 - Not allowed by license policy (package/LICENSE, package/LICENSE)	`lib/openzeppelin-contracts/package-lock.json` `lib/openzeppelin-contracts/package.json`	⚠︎
License Policy Violation	npm/[email protected]	License: GPL-3.0-only - Not allowed by license policy (package/mock/contracts/EtherRouter/Resolver.sol, package/mock/contracts/EtherRouter/EtherRouter.sol)	`lib/openzeppelin-contracts/package-lock.json` `lib/openzeppelin-contracts/package.json`	⚠︎

View full report↗︎

Next steps

What is a license policy violation?

This package is not allowed per your license policy. Review the package's license to ensure compliance.

Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

@SocketSecurity ignore npm/[email protected]
@SocketSecurity ignore npm/[email protected]

Setland34

LG

dependabot bot added the dependencies Pull requests that update a dependency file label Dec 10, 2024

This was referenced Dec 10, 2024

Bump secp256k1 from 4.0.3 to 4.0.4 in /lib/openzeppelin-contracts #2

Closed

Bump body-parser and express in /lib/openzeppelin-contracts #4

Closed

Bump serve-static and express in /lib/openzeppelin-contracts #5

Closed

dependabot bot assigned Setland34 Dec 10, 2024

dependabot bot mentioned this pull request Dec 10, 2024

Bump send and express in /lib/openzeppelin-contracts #6

Closed

Setland34 merged commit 8278b8f into main Dec 25, 2024
3 of 6 checks passed

dependabot bot deleted the dependabot/npm_and_yarn/lib/openzeppelin-contracts/npm_and_yarn-e8f91a0896 branch December 25, 2024 07:29

Setland34 self-requested a review December 25, 2024 08:26

Setland34 reviewed Dec 25, 2024

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Bump the npm_and_yarn group across 1 directory with 13 updates #7

Bump the npm_and_yarn group across 1 directory with 13 updates #7

dependabot bot commented on behalf of github Dec 10, 2024

socket-security bot commented Dec 10, 2024

socket-security bot commented Dec 10, 2024

Setland34 left a comment

Bump the npm_and_yarn group across 1 directory with 13 updates #7

Bump the npm_and_yarn group across 1 directory with 13 updates #7

Conversation

dependabot bot commented on behalf of github Dec 10, 2024

v5.28.4

⚠️ Security Release ⚠️

v5.28.3

⚠️ Security Release ⚠️

v5.28.2

What's Changed

New Contributors

v5.28.1

What's Changed

1.20.3

What's Changed

Important

Other changes

New Contributors

1.20.3 / 2024-09-10

4.21.2

What's Changed

4.21.1

What's Changed

4.21.0

What's Changed

New Contributors

4.20.0

What's Changed

Important

Other Changes

4.21.2 / 2024-11-06

4.21.1 / 2024-10-08

4.21.0 / 2024-09-11

4.20.0 / 2024-09-10

4.19.2 / 2024-03-25

4.19.1 / 2024-03-20

v0.2.27

What's Changed

v0.2.26

What's Changed

New Contributors

0.2.27 / 2023-09-30

0.2.26 / 2023-09-29

0.2.23 / 2021-11-26

0.2.22 / 2021-03-04

0.2.21 / 2021-02-16

0.2.20 / 2020-12-01

0.2.19 / 2020-10-29

0.2.18 / 2020-10-13

0.2.17 / 2020-04-13

0.8.14

What's Changed

New Contributors

v0.8.13

🐛 Bug Fixes

What's Changed

New Contributors

v0.8.12

What's Changed

PRs

v0.8.11

Summary

Changelog

0.8.11 / 2024-03-07

0.8.10 / 2024-02-29

0.8.9 / 2024-02-27

0.8.8 / 2024-02-21

0.8.7 / 2024-02-09

0.8.6 / 2024-01-28

4.21.2

What's Changed

4.21.1

What's Changed

4.21.0

What's Changed

New Contributors

4.20.0

What's Changed

Important

Other Changes