Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

build(deps): bump the npm_and_yarn group across 2 directories with 23 updates #23

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Apr 26, 2024

Bumps the npm_and_yarn group with 6 updates in the /tests/integration_tests/hardhat directory:

Package From To
@openzeppelin/contracts 4.8.2 4.9.6
@openzeppelin/contracts-upgradeable 4.8.2 4.9.6
semver 6.3.0 6.3.1
semver 5.7.1 6.3.1
ethereum-waffle 3.4.4 4.0.10
follow-redirects 1.15.1 1.15.6
undici 5.19.1 5.28.4

Bumps the npm_and_yarn group with 8 updates in the /tests/solidity directory:

Package From To
follow-redirects 1.14.8 1.15.6
browserify-sign 4.2.1 4.2.3
es5-ext 0.10.53 0.10.64
express 4.18.2 4.19.2
apollo-server-core 2.26.0 2.26.2
get-func-name 2.0.0 2.0.2
protobufjs 6.11.3 6.11.4
word-wrap 1.2.3 1.2.5

Updates @openzeppelin/contracts from 4.8.2 to 4.9.6

Release notes

Sourced from @​openzeppelin/contracts's releases.

v4.9.6

  • Base64: Fix issue where dirty memory located just after the input buffer is affecting the result. (#4929)

v4.9.5

  • Multicall: Make aware of non-canonical context (i.e. msg.sender is not _msgSender()), allowing compatibility with ERC2771Context. Patch duplicated Address.functionDelegateCall in v4.9.4 (removed).

v4.9.4

  • ERC2771Context and Context: Introduce a _contextPrefixLength() getter, used to trim extra information appended to msg.data.
  • Multicall: Make aware of non-canonical context (i.e. msg.sender is not _msgSender()), allowing compatibility with ERC2771Context.

v4.9.3

Note This release contains a fix for GHSA-g4vp-m682-qqmp.

  • ERC2771Context: Return the forwarder address whenever the msg.data of a call originating from a trusted forwarder is not long enough to contain the request signer address (i.e. msg.data.length is less than 20 bytes), as specified by ERC-2771. (#4481)
  • ERC2771Context: Prevent revert in _msgData() when a call originating from a trusted forwarder is not long enough to contain the request signer address (i.e. msg.data.length is less than 20 bytes). Return the full calldata in that case. (#4484)

v4.9.2

Note This release contains a fix for GHSA-wprv-93r4-jj2p.

  • MerkleProof: Fix a bug in processMultiProof and processMultiProofCalldata that allows proving arbitrary leaves if the tree contains a node with value 0 at depth 1.

v4.9.1

Note This release contains a fix for GHSA-5h3x-9wvq-w4m2.

  • Governor: Add a mechanism to restrict the address of the proposer using a suffix in the description.

v4.9.0

  • ReentrancyGuard: Add a _reentrancyGuardEntered function to expose the guard status. (#3714)
  • ERC721Wrapper: add a new extension of the ERC721 token which wraps an underlying token. Deposit and withdraw guarantee that the ownership of each token is backed by a corresponding underlying token with the same identifier. (#3863)
  • EnumerableMap: add a keys() function that returns an array containing all the keys. (#3920)
  • Governor: add a public cancel(uint256) function. (#3983)
  • Governor: Enable timestamp operation for blockchains without a stable block time. This is achieved by connecting a Governor's internal clock to match a voting token's EIP-6372 interface. (#3934)
  • Strings: add equal method. (#3774)
  • IERC5313: Add an interface for EIP-5313 that is now final. (#4013)
  • IERC4906: Add an interface for ERC-4906 that is now Final. (#4012)
  • StorageSlot: Add support for string and bytes. (#4008)
  • Votes, ERC20Votes, ERC721Votes: support timestamp checkpointing using EIP-6372. (#3934)
  • ERC4626: Add mitigation to the inflation attack through virtual shares and assets. (#3979)
  • Strings: add toString method for signed integers. (#3773)
  • ERC20Wrapper: Make the underlying variable private and add a public accessor. (#4029)
  • EIP712: add EIP-5267 support for better domain discovery. (#3969)
  • AccessControlDefaultAdminRules: Add an extension of AccessControl with additional security rules for the DEFAULT_ADMIN_ROLE. (#4009)
  • SignatureChecker: Add isValidERC1271SignatureNow for checking a signature directly against a smart contract using ERC-1271. (#3932)
  • SafeERC20: Add a forceApprove function to improve compatibility with tokens behaving like USDT. (#4067)

... (truncated)

Changelog

Sourced from @​openzeppelin/contracts's changelog.

4.9.6 (2024-02-29)

  • Base64: Fix issue where dirty memory located just after the input buffer is affecting the result. (#4929)

4.9.5 (2023-12-08)

  • Multicall: Make aware of non-canonical context (i.e. msg.sender is not _msgSender()), allowing compatibility with ERC2771Context. Patch duplicated Address.functionDelegateCall in v4.9.4 (removed).

4.9.3 (2023-07-28)

  • ERC2771Context: Return the forwarder address whenever the msg.data of a call originating from a trusted forwarder is not long enough to contain the request signer address (i.e. msg.data.length is less than 20 bytes), as specified by ERC-2771. (#4481)
  • ERC2771Context: Prevent revert in _msgData() when a call originating from a trusted forwarder is not long enough to contain the request signer address (i.e. msg.data.length is less than 20 bytes). Return the full calldata in that case. (#4484)

4.9.2 (2023-06-16)

  • MerkleProof: Fix a bug in processMultiProof and processMultiProofCalldata that allows proving arbitrary leaves if the tree contains a node with value 0 at depth 1.

4.9.1 (2023-06-07)

  • Governor: Add a mechanism to restrict the address of the proposer using a suffix in the description.

4.9.0 (2023-05-23)

  • ReentrancyGuard: Add a _reentrancyGuardEntered function to expose the guard status. (#3714)
  • ERC721Wrapper: add a new extension of the ERC721 token which wraps an underlying token. Deposit and withdraw guarantee that the ownership of each token is backed by a corresponding underlying token with the same identifier. (#3863)
  • EnumerableMap: add a keys() function that returns an array containing all the keys. (#3920)
  • Governor: add a public cancel(uint256) function. (#3983)
  • Governor: Enable timestamp operation for blockchains without a stable block time. This is achieved by connecting a Governor's internal clock to match a voting token's EIP-6372 interface. (#3934)
  • Strings: add equal method. (#3774)
  • IERC5313: Add an interface for EIP-5313 that is now final. (#4013)
  • IERC4906: Add an interface for ERC-4906 that is now Final. (#4012)
  • StorageSlot: Add support for string and bytes. (#4008)
  • Votes, ERC20Votes, ERC721Votes: support timestamp checkpointing using EIP-6372. (#3934)
  • ERC4626: Add mitigation to the inflation attack through virtual shares and assets. (#3979)
  • Strings: add toString method for signed integers. (#3773)
  • ERC20Wrapper: Make the underlying variable private and add a public accessor. (#4029)
  • EIP712: add EIP-5267 support for better domain discovery. (#3969)
  • AccessControlDefaultAdminRules: Add an extension of AccessControl with additional security rules for the DEFAULT_ADMIN_ROLE. (#4009)
  • SignatureChecker: Add isValidERC1271SignatureNow for checking a signature directly against a smart contract using ERC-1271. (#3932)
  • SafeERC20: Add a forceApprove function to improve compatibility with tokens behaving like USDT. (#4067)
  • ERC1967Upgrade: removed contract-wide oz-upgrades-unsafe-allow delegatecall annotation, replaced by granular annotation in UUPSUpgradeable. (#3971)
  • ERC20Wrapper: self wrapping and deposit by the wrapper itself are now explicitly forbidden. (#4100)
  • ECDSA: optimize bytes32 computation by using assembly instead of abi.encodePacked. (#3853)
  • ERC721URIStorage: Emit ERC-4906 MetadataUpdate in _setTokenURI. (#4012)
  • ShortStrings: Added a library for handling short strings in a gas efficient way, with fallback to storage for longer strings. (#4023)
  • SignatureChecker: Allow return data length greater than 32 from EIP-1271 signers. (#4038)
  • UUPSUpgradeable: added granular oz-upgrades-unsafe-allow-reachable annotation to improve upgrade safety checks on latest version of the Upgrades Plugins (starting with @openzeppelin/[email protected]). (#3971)
  • Initializable: optimize _disableInitializers by using != instead of <. (#3787)
  • Ownable2Step: make acceptOwnership public virtual to enable usecases that require overriding it. (#3960)
  • UUPSUpgradeable.sol: Change visibility to the functions upgradeTo and upgradeToAndCall from external to public. (#3959)

... (truncated)

Commits

Updates @openzeppelin/contracts-upgradeable from 4.8.2 to 4.9.6

Release notes

Sourced from @​openzeppelin/contracts-upgradeable's releases.

v4.9.6

  • Base64: Fix issue where dirty memory located just after the input buffer is affecting the result. (#4926)

v4.9.5

  • Multicall: Patch duplicated Address.functionDelegateCall.

v4.9.4

  • ERC2771Context and Context: Introduce a _contextPrefixLength() getter, used to trim extra information appended to msg.data.
  • Multicall: Make aware of non-canonical context (i.e. msg.sender is not _msgSender()), allowing compatibility with ERC2771Context.

v4.9.3

Note This release contains a fix for GHSA-g4vp-m682-qqmp.

  • ERC2771Context: Return the forwarder address whenever the msg.data of a call originating from a trusted forwarder is not long enough to contain the request signer address (i.e. msg.data.length is less than 20 bytes), as specified by ERC-2771. (#4481)
  • ERC2771Context: Prevent revert in _msgData() when a call originating from a trusted forwarder is not long enough to contain the request signer address (i.e. msg.data.length is less than 20 bytes). Return the full calldata in that case. (#4484)

v4.9.2

Note This release contains a fix for GHSA-wprv-93r4-jj2p.

  • MerkleProof: Fix a bug in processMultiProof and processMultiProofCalldata that allows proving arbitrary leaves if the tree contains a node with value 0 at depth 1.

v4.9.1

Note This release contains a fix for GHSA-5h3x-9wvq-w4m2.

  • Governor: Add a mechanism to restrict the address of the proposer using a suffix in the description.

v4.9.0

  • ReentrancyGuard: Add a _reentrancyGuardEntered function to expose the guard status. (#3714)
  • ERC721Wrapper: add a new extension of the ERC721 token which wraps an underlying token. Deposit and withdraw guarantee that the ownership of each token is backed by a corresponding underlying token with the same identifier. (#3863)
  • EnumerableMap: add a keys() function that returns an array containing all the keys. (#3920)
  • Governor: add a public cancel(uint256) function. (#3983)
  • Governor: Enable timestamp operation for blockchains without a stable block time. This is achieved by connecting a Governor's internal clock to match a voting token's EIP-6372 interface. (#3934)
  • Strings: add equal method. (#3774)
  • IERC5313: Add an interface for EIP-5313 that is now final. (#4013)
  • IERC4906: Add an interface for ERC-4906 that is now Final. (#4012)
  • StorageSlot: Add support for string and bytes. (#4008)
  • Votes, ERC20Votes, ERC721Votes: support timestamp checkpointing using EIP-6372. (#3934)
  • ERC4626: Add mitigation to the inflation attack through virtual shares and assets. (#3979)
  • Strings: add toString method for signed integers. (#3773)
  • ERC20Wrapper: Make the underlying variable private and add a public accessor. (#4029)
  • EIP712: add EIP-5267 support for better domain discovery. (#3969)
  • AccessControlDefaultAdminRules: Add an extension of AccessControl with additional security rules for the DEFAULT_ADMIN_ROLE. (#4009)
  • SignatureChecker: Add isValidERC1271SignatureNow for checking a signature directly against a smart contract using ERC-1271. (#3932)

... (truncated)

Changelog

Sourced from @​openzeppelin/contracts-upgradeable's changelog.

4.9.6 (2024-02-29)

  • Base64: Fix issue where dirty memory located just after the input buffer is affecting the result. (#4929)

4.9.5 (2023-12-08)

  • Multicall: Make aware of non-canonical context (i.e. msg.sender is not _msgSender()), allowing compatibility with ERC2771Context. Patch duplicated Address.functionDelegateCall in v4.9.4 (removed).

4.9.3 (2023-07-28)

  • ERC2771Context: Return the forwarder address whenever the msg.data of a call originating from a trusted forwarder is not long enough to contain the request signer address (i.e. msg.data.length is less than 20 bytes), as specified by ERC-2771. (#4481)
  • ERC2771Context: Prevent revert in _msgData() when a call originating from a trusted forwarder is not long enough to contain the request signer address (i.e. msg.data.length is less than 20 bytes). Return the full calldata in that case. (#4484)

4.9.2 (2023-06-16)

  • MerkleProof: Fix a bug in processMultiProof and processMultiProofCalldata that allows proving arbitrary leaves if the tree contains a node with value 0 at depth 1.

4.9.1 (2023-06-07)

  • Governor: Add a mechanism to restrict the address of the proposer using a suffix in the description.

4.9.0 (2023-05-23)

  • ReentrancyGuard: Add a _reentrancyGuardEntered function to expose the guard status. (#3714)
  • ERC721Wrapper: add a new extension of the ERC721 token which wraps an underlying token. Deposit and withdraw guarantee that the ownership of each token is backed by a corresponding underlying token with the same identifier. (#3863)
  • EnumerableMap: add a keys() function that returns an array containing all the keys. (#3920)
  • Governor: add a public cancel(uint256) function. (#3983)
  • Governor: Enable timestamp operation for blockchains without a stable block time. This is achieved by connecting a Governor's internal clock to match a voting token's EIP-6372 interface. (#3934)
  • Strings: add equal method. (#3774)
  • IERC5313: Add an interface for EIP-5313 that is now final. (#4013)
  • IERC4906: Add an interface for ERC-4906 that is now Final. (#4012)
  • StorageSlot: Add support for string and bytes. (#4008)
  • Votes, ERC20Votes, ERC721Votes: support timestamp checkpointing using EIP-6372. (#3934)
  • ERC4626: Add mitigation to the inflation attack through virtual shares and assets. (#3979)
  • Strings: add toString method for signed integers. (#3773)
  • ERC20Wrapper: Make the underlying variable private and add a public accessor. (#4029)
  • EIP712: add EIP-5267 support for better domain discovery. (#3969)
  • AccessControlDefaultAdminRules: Add an extension of AccessControl with additional security rules for the DEFAULT_ADMIN_ROLE. (#4009)
  • SignatureChecker: Add isValidERC1271SignatureNow for checking a signature directly against a smart contract using ERC-1271. (#3932)
  • SafeERC20: Add a forceApprove function to improve compatibility with tokens behaving like USDT. (#4067)
  • ERC1967Upgrade: removed contract-wide oz-upgrades-unsafe-allow delegatecall annotation, replaced by granular annotation in UUPSUpgradeable. (#3971)
  • ERC20Wrapper: self wrapping and deposit by the wrapper itself are now explicitly forbidden. (#4100)
  • ECDSA: optimize bytes32 computation by using assembly instead of abi.encodePacked. (#3853)
  • ERC721URIStorage: Emit ERC-4906 MetadataUpdate in _setTokenURI. (#4012)
  • ShortStrings: Added a library for handling short strings in a gas efficient way, with fallback to storage for longer strings. (#4023)
  • SignatureChecker: Allow return data length greater than 32 from EIP-1271 signers. (#4038)
  • UUPSUpgradeable: added granular oz-upgrades-unsafe-allow-reachable annotation to improve upgrade safety checks on latest version of the Upgrades Plugins (starting with @openzeppelin/[email protected]). (#3971)
  • Initializable: optimize _disableInitializers by using != instead of <. (#3787)
  • Ownable2Step: make acceptOwnership public virtual to enable usecases that require overriding it. (#3960)
  • UUPSUpgradeable.sol: Change visibility to the functions upgradeTo and upgradeToAndCall from external to public. (#3959)

... (truncated)

Commits

Updates semver from 6.3.0 to 6.3.1

Release notes

Sourced from semver's releases.

v6.3.1

6.3.1 (2023-07-10)

Bug Fixes

Changelog

Sourced from semver's changelog.

6.3.1 (2023-07-10)

Bug Fixes

6.2.0

  • Coerce numbers to strings when passed to semver.coerce()
  • Add rtl option to coerce from right to left

6.1.3

  • Handle X-ranges properly in includePrerelease mode

6.1.2

  • Do not throw when testing invalid version strings

6.1.1

  • Add options support for semver.coerce()
  • Handle undefined version passed to Range.test

6.1.0

  • Add semver.compareBuild function
  • Support * in semver.intersects

6.0

  • Fix intersects logic.

    This is technically a bug fix, but since it is also a change to behavior that may require users updating their code, it is marked as a major version increment.

5.7

  • Add minVersion method

5.6

  • Move boolean loose param to an options object, with backwards-compatibility protection.
  • Add ability to opt out of special prerelease version handling with the includePrerelease option flag.

5.5

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by lukekarrys, a new releaser for semver since your current version.


Updates semver from 5.7.1 to 6.3.1

Release notes

Sourced from semver's releases.

v6.3.1

6.3.1 (2023-07-10)

Bug Fixes

Changelog

Sourced from semver's changelog.

6.3.1 (2023-07-10)

Bug Fixes

6.2.0

  • Coerce numbers to strings when passed to semver.coerce()
  • Add rtl option to coerce from right to left

6.1.3

  • Handle X-ranges properly in includePrerelease mode

6.1.2

  • Do not throw when testing invalid version strings

6.1.1

  • Add options support for semver.coerce()
  • Handle undefined version passed to Range.test

6.1.0

  • Add semver.compareBuild function
  • Support * in semver.intersects

6.0

  • Fix intersects logic.

    This is technically a bug fix, but since it is also a change to behavior that may require users updating their code, it is marked as a major version increment.

5.7

  • Add minVersion method

5.6

  • Move boolean loose param to an options object, with backwards-compatibility protection.
  • Add ability to opt out of special prerelease version handling with the includePrerelease option flag.

5.5

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by lukekarrys, a new releaser for semver since your current version.


Updates ethereum-waffle from 3.4.4 to 4.0.10

Release notes

Sourced from ethereum-waffle's releases.

@​ethereum-waffle/chai@​4.0.10

Patch Changes

  • 4d83cde: Emit matcher improvement

[email protected]

Patch Changes

  • Updated dependencies [4d83cde]
    • @​ethereum-waffle/mock-contract@​4.0.4
    • @​ethereum-waffle/chai@​4.0.10
    • @​ethereum-waffle/compiler@​4.0.3

@​ethereum-waffle/chai@​4.0.9

Patch Changes

  • 216f1d8: Switch hardhat error priority

[email protected]

Patch Changes

  • Updated dependencies [216f1d8]
    • @​ethereum-waffle/chai@​4.0.9
    • @​ethereum-waffle/compiler@​4.0.3
    • @​ethereum-waffle/mock-contract@​4.0.3

@​ethereum-waffle/chai@​4.0.8

Patch Changes

  • f93abe9: Move call history injection logic to hardhat plugin
  • 9602243: 👔 revertedWith().withArgs no longer fails for uint values exceeding JavaScript's max int limit
  • b54c6b9: Add delta to balance changing matchers
  • 64707ae: Allow special characters in revertedWith regex
  • 702c6ab: 🗾 Extend matching of Hardhat revert reasons
  • a0f721a: Move ethers to peer deps
  • f6d240e: 🛶 Updates for hardhat v2.11
  • Updated dependencies [ee1d1b8]
  • Updated dependencies [a0f721a]
    • @​ethereum-waffle/provider@​4.0.5

[email protected]

Patch Changes

  • f93abe9: Move call history injection logic to hardhat plugin
  • a0f721a: Move ethers to peer deps
  • Updated dependencies [da92375]
  • Updated dependencies [f93abe9]
  • Updated dependencies [46b954e]
  • Updated dependencies [9602243]
  • Updated dependencies [fb6863d]

... (truncated)

Commits

Updates ws from 3.3.3 to 7.4.6

Release notes

Sourced from ws's releases.

7.4.6

Bug fixes

  • Fixed a ReDoS vulnerability (00c425ec).

A specially crafted value of the Sec-Websocket-Protocol header could be used to significantly slow down a ws server.

for (const length of [1000, 2000, 4000, 8000, 16000, 32000]) {
  const value = 'b' + ' '.repeat(length) + 'x';
  const start = process.hrtime.bigint();
value.trim().split(/ *, */);
const end = process.hrtime.bigint();
console.log('length = %d, time = %f ns', length, end - start);
}

The vulnerability was responsibly disclosed along with a fix in private by Robert McLaughlin from University of California, Santa Barbara.

In vulnerable versions of ws, the issue can be mitigated by reducing the maximum allowed length of the request headers using the --max-http-header-size=size and/or the maxHeaderSize options.

7.4.5

Bug fixes

  • UTF-8 validation is now done even if utf-8-validate is not installed (23ba6b29).
  • Fixed an edge case where websocket.close() and websocket.terminate() did not close the connection (67e25ff5).

7.4.4

Bug fixes

  • Fixed a bug that could cause the process to crash when using the permessage-deflate extension (92774377).

7.4.3

Bug fixes

  • The deflate/inflate stream is now reset instead of reinitialized when context takeover is disabled (#1840).

7.4.2

Bug fixes

... (truncated)

Commits
  • f5297f7 [dist] 7.4.6
  • 00c425e [security] Fix ReDoS vulnerability
  • 990306d [lint] Fix prettier error
  • 32e3a84 [security] Remove reference to Node Security Project
  • 8c914d1 [minor] Fix nits
  • fc7e27d [ci] Test on node 16
  • 587c201 [ci] Do not test on node 15
  • f672710 [dist] 7.4.5
  • 67e25ff [fix] Fix case where abortHandshake() does not close the connection
  • 23ba6b2 [fix] Make UTF-8 validation work even if utf-8-validate is not installed
  • Additional commits viewable in compare view

Updates async from 1.5.2 to 2.6.4

Release notes

Sourced from async's releases.

v2.3.0

  • Added support for ES2017 async functions. Wherever you can pass a Node-style/CPS function that uses a callback, you can also pass an async function. Previously, you had to wrap async functions with asyncify. The caveat is that it will only work if async functions are supported natively in your environment, transpiled implementations can't be detected. (#1386, #1390)

v2.2.0

  • Added groupBy, and the Series/Limit equivalents, analogous to _.groupBy (#1364)
  • Fixed transform bug when callback was not passed (#1381)

v2.1.5

  • Fix auto bug when function names collided with Array.prototype (#1358)
  • Improve some error messages (#1349)
  • Avoid stack overflow case in queue
  • Fixed an issue in some, every and find where processing would continue after the result was determined.
  • Cleanup implementations of some, every and find

v2.1.3

  • Make bundle size smaller
  • Create optimized hotpath for filter in array case.

v2.1.2

  • Fixed a stackoverflow bug with detect, some, every on large inputs (#1293).

v2.1.0

  • retry and retryable now support an optional errorFilter function that determines if the task should retry on the error (#1256, #1261)
  • Optimized array iteration in race, cargo, queue, and priorityQueue (#1253)

v2.0.0

Lots of changes here!

First and foremost, we have a slick new site for docs. Special thanks to @​hargasinski for his work converting our old docs to jsdoc format and implementing the new website. Also huge ups to @​ivanseidel for designing our new logo. It was a long process for both of these tasks, but I think these changes turned out extraordinary well.

The biggest feature is modularization. You can now require("async/series") to only require the series function. Every Async library function is available this way. You still can require("async") to require the entire library, like you could do before.

We also provide Async as a collection of ES2015 modules. You can now import {each} from 'async-es' or import waterfall from 'async-es/waterfall'. If you are using only a few Async functions, and are using a ES bundler such as Rollup, this can significantly lower your build size.

Major thanks to @​Kikobeats, @​aearly and @​megawac for doing the majority of the modularization work, as well as @​jdalton and @​Rich-Harris for advisory work on the general modularization strategy.

Another one of the general themes of the 2.0 release is standardization of what an "async" function is. We are now more strictly following the node-style continuation passing style. That is, an async function is a function that:

  1. Takes a variable number of arguments
  2. The last argument is always a callback
  3. The callback can accept any number of arguments
  4. The first argument passed to the callback will be treated as an error result, if the argument is truthy
  5. Any number of result arguments can be passed after the "error" argument
  6. The callback is called once and exactly once, either on the same tick or later tick of the JavaScript event loop.

There were several cases where Async accepted some functions that did not strictly have these properties, most notably auto, every, some, and filter.

Another theme is performance. We have eliminated internal deferrals in all cases where they make sense. For example, in waterfall and auto, there was a setImmediate between each task -- these deferrals have been removed. A setImmediate call can add up to 1ms of delay. This might not seem like a lot, but it can add up if you are using many Async functions in the course of processing a HTTP request, for example. Nearly all asynchronous functions that do I/O already have some sort of deferral built in, so the extra deferral is unnecessary. The trade-off of this change is removing our built-in stack-overflow defense. Many synchronous callback calls in series can quickly overflow the JS call stack. If you do have a function that is sometimes synchronous (calling its callback on the same tick), and are running into stack overflows, wrap it with async.ensureAsync().

Another big performance win has been re-implementing queue, cargo, and priorityQueue with doubly linked lists instead of arrays. This has lead to queues being an order of magnitude faster on large sets of tasks.

... (truncated)

Changelog

Sourced from async's changelog.

v2.6.4

  • Fix potential prototype pollution exploit (#1828)

v2.6.3

  • Updated lodash to squelch a security warning (#1675)

v2.6.2

  • Updated lodash to squelch a security warning (#1620)

v2.6.1

  • Updated lodash to prevent npm audit warnings. (#1532, #1533)
  • Made async-es more optimized for webpack users (#1517)
  • Fixed a stack overflow with large collections and a synchronous iterator (#1514)
  • Various small fixes/chores (#1505, #1511, #1527, #1530)

v2.6.0

  • Added missing aliases for many methods. Previously, you could not (e.g.) require('async/find') or use async.anyLimit. (#1483)
  • Improved queue performance. (#1448, #1454)
  • Add missing sourcemap (#1452, #1453)
  • Various doc updates (#1448, #1471, #1483)

v2.5.0

  • Added concatLimit, the Limit equivalent of concat (#1426, #1430)
  • concat improvements: it now preserves order, handles falsy values and the iteratee callback takes a variable number of arguments (#1437, #1436)
  • Fixed an issue in queue where there was a size discrepancy between workersList().length and running() (#1428, #1429)
  • Various doc fixes (#1422, #1424)

v2.4.1

  • Fixed a bug preventing functions wrapped with timeout() from being re-used. (#1418, #1419)

v2.4.0

  • Added tryEach, for running async functions in parallel, where you only expect one to succeed. (#1365, #687)
  • Improved performance, most notably in parallel and waterfall (#1395)
  • Added queue.remove(), for removing items in a queue (#1397, #1391)
  • Fixed using eval, preventing Async from running in pages with Content Security Policy (#1404, #1403)
  • Fixed errors thrown in an asyncifyed function's callback being caught by the underlying Promise (#1408)
  • Fixed timing of queue.empty() (#1367)
  • Various doc fixes (

… updates

Bumps the npm_and_yarn group with 6 updates in the /tests/integration_tests/hardhat directory:

| Package | From | To |
| --- | --- | --- |
| [@openzeppelin/contracts](https://github.com/OpenZeppelin/openzeppelin-contracts) | `4.8.2` | `4.9.6` |
| [@openzeppelin/contracts-upgradeable](https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable) | `4.8.2` | `4.9.6` |
| [semver](https://github.com/npm/node-semver) | `6.3.0` | `6.3.1` |
| [semver](https://github.com/npm/node-semver) | `5.7.1` | `6.3.1` |
| [ethereum-waffle](https://github.com/EthWorks/Waffle) | `3.4.4` | `4.0.10` |
| [follow-redirects](https://github.com/follow-redirects/follow-redirects) | `1.15.1` | `1.15.6` |
| [undici](https://github.com/nodejs/undici) | `5.19.1` | `5.28.4` |

Bumps the npm_and_yarn group with 8 updates in the /tests/solidity directory:

| Package | From | To |
| --- | --- | --- |
| [follow-redirects](https://github.com/follow-redirects/follow-redirects) | `1.14.8` | `1.15.6` |
| [browserify-sign](https://github.com/crypto-browserify/browserify-sign) | `4.2.1` | `4.2.3` |
| [es5-ext](https://github.com/medikoo/es5-ext) | `0.10.53` | `0.10.64` |
| [express](https://github.com/expressjs/express) | `4.18.2` | `4.19.2` |
| [apollo-server-core](https://github.com/apollographql/apollo-server/tree/HEAD/packages/apollo-server-core) | `2.26.0` | `2.26.2` |
| [get-func-name](https://github.com/chaijs/get-func-name) | `2.0.0` | `2.0.2` |
| [protobufjs](https://github.com/protobufjs/protobuf.js) | `6.11.3` | `6.11.4` |
| [word-wrap](https://github.com/jonschlinkert/word-wrap) | `1.2.3` | `1.2.5` |



Updates `@openzeppelin/contracts` from 4.8.2 to 4.9.6
- [Release notes](https://github.com/OpenZeppelin/openzeppelin-contracts/releases)
- [Changelog](https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/CHANGELOG.md)
- [Commits](OpenZeppelin/openzeppelin-contracts@v4.8.2...v4.9.6)

Updates `@openzeppelin/contracts-upgradeable` from 4.8.2 to 4.9.6
- [Release notes](https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/releases)
- [Changelog](https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/blob/master/CHANGELOG.md)
- [Commits](OpenZeppelin/openzeppelin-contracts-upgradeable@v4.8.2...v4.9.6)

Updates `semver` from 6.3.0 to 6.3.1
- [Release notes](https://github.com/npm/node-semver/releases)
- [Changelog](https://github.com/npm/node-semver/blob/v6.3.1/CHANGELOG.md)
- [Commits](npm/node-semver@v6.3.0...v6.3.1)

Updates `semver` from 5.7.1 to 6.3.1
- [Release notes](https://github.com/npm/node-semver/releases)
- [Changelog](https://github.com/npm/node-semver/blob/v6.3.1/CHANGELOG.md)
- [Commits](npm/node-semver@v6.3.0...v6.3.1)

Updates `ethereum-waffle` from 3.4.4 to 4.0.10
- [Release notes](https://github.com/EthWorks/Waffle/releases)
- [Commits](https://github.com/EthWorks/Waffle/compare/[email protected]@4.0.10)

Updates `ws` from 3.3.3 to 7.4.6
- [Release notes](https://github.com/websockets/ws/releases)
- [Commits](websockets/ws@3.3.3...7.4.6)

Updates `async` from 1.5.2 to 2.6.4
- [Release notes](https://github.com/caolan/async/releases)
- [Changelog](https://github.com/caolan/async/blob/v2.6.4/CHANGELOG.md)
- [Commits](caolan/async@v1.5.2...v2.6.4)

Updates `braces` from 2.3.2 to 3.0.2
- [Changelog](https://github.com/micromatch/braces/blob/master/CHANGELOG.md)
- [Commits](https://github.com/micromatch/braces/commits/3.0.2)

Updates `elliptic` from 6.5.3 to 6.5.4
- [Commits](indutny/elliptic@v6.5.3...v6.5.4)

Updates `follow-redirects` from 1.15.1 to 1.15.6
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](follow-redirects/follow-redirects@v1.15.1...v1.15.6)

Updates `qs` from 6.5.2 to 6.5.3
- [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md)
- [Commits](ljharb/qs@v6.5.2...v6.5.3)

Updates `node-fetch` from 1.7.3 to 2.7.0
- [Release notes](https://github.com/node-fetch/node-fetch/releases)
- [Commits](node-fetch/node-fetch@1.7.3...v2.7.0)

Updates `json-schema` from 0.2.3 to 0.4.0
- [Commits](kriszyp/json-schema@v0.2.3...v0.4.0)

Updates `lodash` from 4.17.20 to 4.17.21
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.20...4.17.21)

Updates `minimatch` from 3.0.4 to 3.1.2
- [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md)
- [Commits](isaacs/minimatch@v3.0.4...v3.1.2)

Updates `minimist` from 1.2.5 to 1.2.8
- [Changelog](https://github.com/minimistjs/minimist/blob/main/CHANGELOG.md)
- [Commits](minimistjs/minimist@v1.2.5...v1.2.8)

Updates `undici` from 5.19.1 to 5.28.4
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](nodejs/undici@v5.19.1...v5.28.4)

Updates `follow-redirects` from 1.14.8 to 1.15.6
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](follow-redirects/follow-redirects@v1.15.1...v1.15.6)

Updates `browserify-sign` from 4.2.1 to 4.2.3
- [Changelog](https://github.com/browserify/browserify-sign/blob/main/CHANGELOG.md)
- [Commits](browserify/browserify-sign@v4.2.1...v4.2.3)

Updates `es5-ext` from 0.10.53 to 0.10.64
- [Release notes](https://github.com/medikoo/es5-ext/releases)
- [Changelog](https://github.com/medikoo/es5-ext/blob/main/CHANGELOG.md)
- [Commits](medikoo/es5-ext@v0.10.53...v0.10.64)

Updates `express` from 4.18.2 to 4.19.2
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/master/History.md)
- [Commits](expressjs/express@4.18.2...4.19.2)

Updates `apollo-server-core` from 2.26.0 to 2.26.2
- [Release notes](https://github.com/apollographql/apollo-server/releases)
- [Commits](https://github.com/apollographql/apollo-server/commits/[email protected]/packages/apollo-server-core)

Updates `get-func-name` from 2.0.0 to 2.0.2
- [Release notes](https://github.com/chaijs/get-func-name/releases)
- [Commits](https://github.com/chaijs/get-func-name/commits/v2.0.2)

Updates `protobufjs` from 6.11.3 to 6.11.4
- [Release notes](https://github.com/protobufjs/protobuf.js/releases)
- [Changelog](https://github.com/protobufjs/protobuf.js/blob/master/CHANGELOG.md)
- [Commits](https://github.com/protobufjs/protobuf.js/commits)

Updates `word-wrap` from 1.2.3 to 1.2.5
- [Release notes](https://github.com/jonschlinkert/word-wrap/releases)
- [Commits](jonschlinkert/word-wrap@1.2.3...1.2.5)

---
updated-dependencies:
- dependency-name: "@openzeppelin/contracts"
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: "@openzeppelin/contracts-upgradeable"
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: semver
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: semver
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ethereum-waffle
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: ws
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: async
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: braces
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: elliptic
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: follow-redirects
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: qs
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: node-fetch
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: json-schema
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: lodash
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: minimatch
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: minimist
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: undici
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: follow-redirects
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: browserify-sign
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: es5-ext
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: express
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: apollo-server-core
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: get-func-name
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: protobufjs
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: word-wrap
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Apr 26, 2024
Copy link

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package New capabilities Transitives Size Publisher
npm/@nomiclabs/[email protected] Transitive: network +44 18.1 MB fvictorio
npm/@nomiclabs/[email protected] Transitive: environment, eval, filesystem, network, shell, unsafe +364 200 MB alcuadrado
npm/@openzeppelin/[email protected] None 0 2.11 MB amxx
npm/@openzeppelin/[email protected] None 0 2.02 MB frangio
npm/@openzeppelin/[email protected] filesystem Transitive: environment, eval, network, unsafe +125 31.8 MB ericglau
npm/@typechain/[email protected] Transitive: network +44 18.1 MB ethereum-ts-bot
npm/[email protected] filesystem 0 17.7 kB rhlsthrm
npm/[email protected] environment, filesystem, network, shell Transitive: eval, unsafe +290 78.7 MB fvictorio
npm/[email protected] filesystem Transitive: environment, unsafe +28 18 MB krzkaczor
npm/[email protected] environment, filesystem, unsafe +17 3.68 MB cspotcode
npm/[email protected] Transitive: environment, filesystem +14 1.98 MB ethereum-ts-bot
npm/[email protected] None 0 67.2 MB typescript-bot

🚮 Removed packages: npm/@apollographql/[email protected], npm/@apollographql/[email protected], npm/@babel/[email protected], npm/@consento/[email protected], npm/@graphql-tools/[email protected], npm/@graphql-tools/[email protected], npm/@graphql-tools/[email protected], npm/@graphql-tools/[email protected], npm/@graphql-tools/[email protected], npm/@graphql-tools/[email protected], npm/@protobufjs/[email protected], npm/@truffle/[email protected], npm/@truffle/[email protected], npm/@truffle/[email protected], npm/@truffle/[email protected], npm/@truffle/[email protected], npm/@truffle/[email protected], npm/@truffle/[email protected], npm/@truffle/[email protected], npm/@truffle/[email protected], npm/@truffle/[email protected], npm/@truffle/[email protected], npm/@truffle/[email protected], npm/@truffle/[email protected], npm/@truffle/[email protected], npm/@truffle/[email protected], npm/@truffle/[email protected], npm/@truffle/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/@types/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected]

View full report↗︎

Copy link

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert Package NoteSource
Install scripts npm/[email protected]
  • Install script: postinstall
  • Source: node -e "try{require('./postinstall')}catch(e){}"

View full report↗︎

Next steps

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

Copy link

This pull request has been automatically marked as stale because it has not had recent activity. It will be closed in 7 days-before-close if no further activity occurs.

Copy link
Contributor Author

dependabot bot commented on behalf of github Jun 18, 2024

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot bot deleted the dependabot/npm_and_yarn/tests/integration_tests/hardhat/npm_and_yarn-2f1057003c branch June 18, 2024 00:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code Status: Stale
Projects
None yet
Development

Successfully merging this pull request may close these issues.

0 participants