Update dependency @nomicfoundation/hardhat-ethers to v4

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@nomicfoundation/hardhat-ethers (source)	^3.0.5 → ^4.0.0

---

Release Notes

NomicFoundation/hardhat (@​nomicfoundation/hardhat-ethers)

v4.0.13

Compare Source

Patch Changes

• #​8339 00720e8 Thanks @​alcuadrado! - The plugin now uses definePlugin from hardhat/plugins in its index.ts, so it participates in Hardhat's new "imported but unused plugin" warning when omitted from a project's plugins array.

• Updated dependencies:

  • hardhat@​3.8.0
  • @​nomicfoundation/hardhat-errors@​3.0.15

v4.0.12

Compare Source

Patch Changes

• #​8264 8452f97 Thanks @​alcuadrado! - Export ./package.json so consumers can import the package's manifest.

• Updated dependencies:

  • @​nomicfoundation/hardhat-errors@​3.0.13
  • @​nomicfoundation/hardhat-utils@​4.1.2

v4.0.11

Compare Source

Patch Changes

• #​8191 2a4ae8e Thanks @​alcuadrado! - Update how type extensions are handled to optimize the bootstrap process of Hardhat.

• #​8228 417bbf9 Thanks @​alcuadrado! - Small performance optimizations

• Updated dependencies:

  • @​nomicfoundation/hardhat-utils@​4.1.1

v4.0.10

Compare Source

Patch Changes

• #​8207 d594209 Thanks @​alcuadrado! - Improved performance by replacing the debug logging library with a lightweight in-tree implementation.

• Updated dependencies:

  • @​nomicfoundation/hardhat-utils@​4.1.0
  • @​nomicfoundation/hardhat-errors@​3.0.12

v4.0.9

Compare Source

Patch Changes

• #​8179 d16d82a Thanks @​alcuadrado! - Await all returned promises for better debuggability

• #​8153 e21950e Thanks @​schaable! - Fix gas config fields (gas, gasMultiplier, gasPrice) not being applied when sending transactions through the HardhatEthersSigner

• Updated dependencies:

  • @​nomicfoundation/hardhat-utils@​4.0.4

v4.0.8

Compare Source

Patch Changes

• #​8104 e27a7ad Thanks @​ChristopherDedominici! - Use code 3 for JSON-RPC revert error codes to align with standard node behavior and preserve error causes in viem/ethers.

• #​8096 7fb721b Thanks @​alcuadrado! - [chore] Move to packages/ folder.

• #​8116 88787e1 Thanks @​kanej! - Deprecate the hre.network.connect() method in favour of hre.network.create(), exactly the same method but more clearly indicating that it will create a new connection.

• Updated dependencies:

  • hardhat@​3.4.0
  • @​nomicfoundation/hardhat-errors@​3.0.11
  • @​nomicfoundation/hardhat-utils@​4.0.3

v4.0.7

Compare Source

Patch Changes

• #​7997 df7f24a Thanks @​ChristopherDedominici! - Added HardhatEthersProvider.waitForTransaction to provide polling support for non-automining networks (#​7952).

• #​8088 23c0d36 Thanks @​alcuadrado! - Optimize imports.

• Updated dependencies:

  • @​nomicfoundation/hardhat-utils@​4.0.2
  • @​nomicfoundation/hardhat-errors@​3.0.10

v4.0.6

Compare Source

Patch Changes

• bc193be: Use concrete value types for contract names in hardhat-viem and hardhat-ethers

v4.0.5

Compare Source

Patch Changes

• 6674b00: Bump hardhat-utils major

v4.0.4

Compare Source

Patch Changes

• 5abcee6: Use Osaka as the default EVM target for solc 0.8.31+ and increase the gas limit per EIP-7935. Thanks @​Amxx! (#​7813)

v4.0.3

Compare Source

Patch Changes

• 558ac5b: Update installation and config instructions

v4.0.2

Compare Source

Patch Changes

• 138d673: Added network.createServer(...) to spawn a Hardhat node programmatically (#​6472)

v4.0.1

Compare Source

Patch Changes

• 27d52b7: Fixed index resolution in clearEventListeners (#​7359)

v4.0.0

Compare Source

Major Changes

• 29cc141: First release of Hardhat 3!

v3.1.3

Compare Source

This release updates the default gas limit to take into account the Osaka transaction limit.

Changes

• c69b99d: Update default gas limit to take into account osaka transaction limit (#​7751)

---

💡 The Nomic Foundation is hiring! Check our open positions.

---

v3.1.2

Compare Source

v3.1.1

Compare Source

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​openzeppelin/​defender-sdk-network-client@​2.1.0
	@​openzeppelin/​defender-sdk-base-client@​2.1.0
	@​types/​minimist@​1.2.5
	fgbg@​0.1.5
	promisified@​0.5.0
	@​types/​sinon@​17.0.4
	@​types/​mocha@​7.0.2
	@​types/​proper-lockfile@​4.1.4
	hardhat@​2.28.6
	@​types/​debug@​4.1.12
	solidity-ast@​0.4.60
	debug@​4.3.6
	@​ava/​typescript@​7.0.0
	cbor@​10.0.3
	@​openzeppelin/​contracts-upgradeable@​5.3.0
	@​openzeppelin/​contracts@​5.3.0
	@​openzeppelin/​defender-sdk-deploy-client@​2.1.0
	esmock@​2.7.3
	bignumber.js@​9.1.2
	sinon@​20.0.0
	@​nomicfoundation/​hardhat-verify@​3.0.11
	@​openzeppelin/​upgrades-core-legacy@​1.31.3
	forge-std@​1.16.1

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		High CVE: Regular Expression Denial of Service (ReDoS) in npm cross-spawn CVE: GHSA-3xgq-45jj-v275 Regular Expression Denial of Service (ReDoS) in cross-spawn (HIGH) Affected versions: >= 7.0.0 < 7.0.5; < 6.0.6 Patched version: 7.0.5 From: ? → npm/eslint@8.57.0 → npm/nyc@17.0.0 → npm/cross-spawn@7.0.3 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/cross-spawn@7.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: npm minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions CVE: GHSA-23c5-xmqv-rm74 minimatch ReDoS: nested *() extglobs generate catastrophically backtracking regular expressions (HIGH) Affected versions: >= 10.0.0 < 10.2.3; >= 9.0.0 < 9.0.7; >= 8.0.0 < 8.0.6; >= 7.0.0 < 7.4.8; >= 6.0.0 < 6.2.2; >= 5.0.0 < 5.1.8; >= 4.0.0 < 4.2.5; < 3.1.4 Patched version: 3.1.4 From: ? → npm/eslint@8.57.0 → npm/nyc@17.0.0 → npm/wsrun@5.2.4 → npm/eslint-plugin-unicorn@51.0.1 → npm/minimatch@3.1.2 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/minimatch@3.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: npm minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern CVE: GHSA-3ppc-4f35-3m26 minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern (HIGH) Affected versions: >= 10.0.0 < 10.2.1; >= 9.0.0 < 9.0.6; >= 8.0.0 < 8.0.5; >= 7.0.0 < 7.4.7; >= 6.0.0 < 6.2.1; >= 5.0.0 < 5.1.7; >= 4.0.0 < 4.2.4; < 3.1.3 Patched version: 3.1.3 From: ? → npm/eslint@8.57.0 → npm/nyc@17.0.0 → npm/wsrun@5.2.4 → npm/eslint-plugin-unicorn@51.0.1 → npm/minimatch@3.1.2 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/minimatch@3.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: npm minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments CVE: GHSA-7r86-cg39-jmmj minimatch has ReDoS: matchOne() combinatorial backtracking via multiple non-adjacent GLOBSTAR segments (HIGH) Affected versions: >= 10.0.0 < 10.2.3; >= 9.0.0 < 9.0.7; >= 8.0.0 < 8.0.6; >= 7.0.0 < 7.4.8; >= 6.0.0 < 6.2.2; >= 5.0.0 < 5.1.8; >= 4.0.0 < 4.2.5; < 3.1.3 Patched version: 3.1.3 From: ? → npm/eslint@8.57.0 → npm/nyc@17.0.0 → npm/wsrun@5.2.4 → npm/eslint-plugin-unicorn@51.0.1 → npm/minimatch@3.1.2 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/minimatch@3.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation CVE: GHSA-v9p9-hfj2-hcw8 Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation (HIGH) Affected versions: < 6.24.0; >= 7.0.0 < 7.24.0 Patched version: 6.24.0 From: ? → npm/hardhat@2.28.6 → npm/undici@5.29.0 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@5.29.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression CVE: GHSA-vrm6-8vpv-qv8q Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression (HIGH) Affected versions: < 6.24.0; >= 7.0.0 < 7.24.0 Patched version: 6.24.0 From: ? → npm/hardhat@2.28.6 → npm/undici@5.29.0 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@5.29.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @eslint/eslintrc is 100.0% likely to have a medium risk anomaly Notes: The code is a legitimate, well-structured ESLint configuration loader/factory. It reads configuration data from various sources, resolves and loads plugins and parsers, and normalizes configurations for ESLint. While the code is not malicious by itself, it inherently executes user-provided plugin and parser code through require/imports, which is a normal but security-sensitive behavior. In the OpenVSX context, trusted inputs (config files and plugins) should be enforced; untrusted or tampered configs could introduce risk by executing arbitrary code during loading. No explicit malware indicators (exfiltration, backdoors, cryptomining) are present in this fragment. Confidence: 1.00 Severity: 0.60 From: ? → npm/eslint@8.57.0 → npm/eslint-plugin-unicorn@51.0.1 → npm/@eslint/eslintrc@2.1.4 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@eslint/eslintrc@2.1.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly Notes: The code represents a conventional, non-obfuscated part of AJV’s custom keyword support. No direct malicious actions are evident within this module. Security concerns mainly arise from the broader supply chain: the external rule implementation (dotjs/custom), the definition schema, and any user-supplied keyword definitions. The dynamic compilation path (compile(metaSchema, true)) should be exercised with trusted inputs. Recommended follow-up: review the contents of the external modules and monitor the inputs supplied to addKeyword/definitionSchema to ensure no unsafe behavior is introduced during validation or data handling. Confidence: 1.00 Severity: 0.60 From: ? → npm/eslint@8.57.0 → npm/eslint-plugin-unicorn@51.0.1 → npm/ajv@6.15.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@6.15.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly Notes: The code augments a meta-schema to permit remote dereferencing of keyword schemas via a hardcoded data.json resource. This introduces network dependency and potential changes to validation semantics at runtime. While not inherently malicious, the remote reference constitutes a notable security and reliability risk that should be mitigated with local fallbacks, input validation, and explicit remote-resource governance. Confidence: 1.00 Severity: 0.60 From: ? → npm/eslint@8.57.0 → npm/eslint-plugin-unicorn@51.0.1 → npm/ajv@6.15.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@6.15.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly Notes: The code is a straightforward build script to bundle and minify a specified package using Browserify and UglifyJS. The primary security concern is potential path manipulation: json.main is used to form a require path without validating that it stays within the target package directory. If a malicious or misconfigured package.json includes an absolute path or traversal outside the package, the script could bundle unintended files. Otherwise, the script does not perform network access, data exfiltration, or backdoor actions, and there is no hard-coded secrets or dynamic code execution beyond standard bundling/minification. Confidence: 1.00 Severity: 0.60 From: ? → npm/eslint@8.57.0 → npm/eslint-plugin-unicorn@51.0.1 → npm/ajv@6.15.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@6.15.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Low CVE: npm brace-expansion Regular Expression Denial of Service vulnerability CVE: GHSA-v6h2-p8h4-qcjw brace-expansion Regular Expression Denial of Service vulnerability (LOW) Affected versions: = 3.0.0, 4.0.0; >= 2.0.0 < 2.0.2; >= 1.0.0 < 1.1.12; >= 3.0.0 < 3.0.1; >= 4.0.0 < 4.0.1 Patched version: 1.1.12 From: ? → npm/eslint@8.57.0 → npm/nyc@17.0.0 → npm/wsrun@5.2.4 → npm/eslint-plugin-unicorn@51.0.1 → npm/brace-expansion@1.1.11 ℹ Read more on: This package | This alert | What is a mild CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known low severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/brace-expansion@1.1.11. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm brace-expansion is 100.0% likely to have a medium risk anomaly Notes: The analyzed code provides a self-contained brace expansion utility with support for sequences and nested options. There is no evidence of data exfiltration, remote communication, or destructive actions. The random escape tokens are benign and scoped to processing. Overall risk is low, with moderate trust in correctness and performance considerations for complex expansions. Confidence: 1.00 Severity: 0.60 From: ? → npm/eslint@8.57.0 → npm/nyc@17.0.0 → npm/wsrun@5.2.4 → npm/eslint-plugin-unicorn@51.0.1 → npm/brace-expansion@1.1.11 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/brace-expansion@1.1.11. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm convert-source-map is 100.0% likely to have a medium risk anomaly Notes: The codebase largely behaves as a conventional, safe utility for source-map handling with low inherent malicious risk. The primary concerns are: (a) a definite bug due to an undefined variable in decodeBase64WithNewBuffer, (b) inconsistent and deprecated Buffer usage that should be modernized (prefer Buffer.from and avoid new Buffer), and (c) potential filesystem path exposure in error messages when map files cannot be read. If used responsibly with validated inputs and updated API usage, the risk remains low; otherwise, address the bug and update encoding paths to align with current Node.js best practices to mitigate runtime errors and potential misbehavior. Confidence: 1.00 Severity: 0.60 From: ? → npm/nyc@17.0.0 → npm/convert-source-map@1.9.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/convert-source-map@1.9.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm cross-spawn is 100.0% likely to have a medium risk anomaly Notes: This file is a minimal, legitimate wrapper around Node.js child_process.spawn and spawnSync to provide improved ENOENT (command not found) error handling. It does not perform any network requests, dynamic code evaluation, secret disclosure, or telemetry. The only “sink” is the intended execution of local processes as directed by the calling application. No malicious behavior detected. Confidence: 1.00 Severity: 0.60 From: ? → npm/eslint@8.57.0 → npm/nyc@17.0.0 → npm/cross-spawn@7.0.3 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/cross-spawn@7.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Low CVE: jsnpm diff has a Denial of Service vulnerability in parsePatch and applyPatch CVE: GHSA-73rr-hh4g-fpgx jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch (LOW) Affected versions: >= 6.0.0 < 8.0.3; >= 5.0.0 < 5.2.2; >= 4.0.0 < 4.0.4; < 3.5.1 Patched version: 8.0.3 From: ? → npm/sinon@20.0.0 → npm/diff@7.0.0 ℹ Read more on: This package | This alert | What is a mild CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known low severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/diff@7.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm esquery is 100.0% likely to have a medium risk anomaly Notes: The analyzed file is a legitimate PEG.js-generated parser module. It does not exhibit malicious exfiltration, backdoors, or external I/O mechanisms. The main security consideration is the potential risk around RegExp construction from user input, which should be mitigated by downstream code validating or constraining the resulting patterns. Overall, the security posture of this module is low risk when considered in isolation, with attention recommended for how parsed regexes are subsequently used by the host application. Confidence: 1.00 Severity: 0.60 From: ? → npm/eslint@8.57.0 → npm/eslint-plugin-unicorn@51.0.1 → npm/esquery@1.6.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/esquery@1.6.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm flat-cache is 100.0% likely to have a medium risk anomaly Notes: The code implements a straightforward, non-malicious, file-backed cache with in-memory tracking and optional pruning. The primary security concern is proper input validation for docId and cacheDir to prevent path traversal outside the intended cache directory. No signs of malware or covert data leakage were observed in the provided fragment. Confidence: 1.00 Severity: 0.60 From: ? → npm/eslint@8.57.0 → npm/flat-cache@3.2.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/flat-cache@3.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm glob is 100.0% likely to have a medium risk anomaly Notes: The code is a conventional, non-malicious implementation of a globbing helper with ignore pattern support. It reads inputs from configuration and filesystem state, and writes results to an internal cache/result set. There are no indicators of malware or exfiltration within this fragment. Confidence: 1.00 Severity: 0.60 From: ? → npm/eslint@8.57.0 → npm/nyc@17.0.0 → npm/wsrun@5.2.4 → npm/glob@7.2.3 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/glob@7.2.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm hardhat is 100.0% likely to have a medium risk anomaly Notes: The code implements a subprocess-based transport to offload event sending. While this can reduce main-process dependencies, it creates a cross-process data path that exposes the serialized event via environment variables to an external subprocess. The subprocess script (not present here) becomes a critical trust boundary. Without inspecting the subprocess implementation and package contents, there is a non-trivial risk of data leakage or tampering via the external process. No explicit malware detected in this fragment, but the design warrants careful review of the subprocess code and supply chain integrity. Confidence: 1.00 Severity: 0.60 From: packages/core/package.json → npm/hardhat@2.28.6 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/hardhat@2.28.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm import-fresh is 100.0% likely to have a medium risk anomaly Notes: This fragment is a focused utility to reload a specified module by name by bypassing the require cache and re-binding it to its parent when possible. It is not inherently malicious, but it can introduce security risks if moduleId can be influenced to load attacker-controlled modules or if used in contexts where modules are loaded from untrusted sources. In a secure supply chain context, it should be treated as a potential risk vector for dynamic code loading and should be restricted to trusted modules only. Confidence: 1.00 Severity: 0.60 From: ? → npm/eslint@8.57.0 → npm/eslint-plugin-unicorn@51.0.1 → npm/import-fresh@3.3.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/import-fresh@3.3.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm istanbul-lib-processinfo is 100.0% likely to have a medium risk anomaly Notes: No explicit malicious activity detected. The module appears to be a dedicated utility for process information management and optional external process spawning for coverage collection. However, silent JSON parse errors, potentially unsafe file deletions in expunge, and unvalidated environment injection for spawned processes warrant careful input validation, robust error handling, and strict access controls in deployment. Overall security risk remains moderate, driven by destructive capabilities and external process control rather than overt malware. Confidence: 1.00 Severity: 0.60 From: ? → npm/nyc@17.0.0 → npm/istanbul-lib-processinfo@2.0.3 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/istanbul-lib-processinfo@2.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm locate-path is 100.0% likely to have a medium risk anomaly Notes: The code implements a safe and conventional filesystem path locator for a list of candidate paths, with options to follow symlinks and to restrict to files or directories. No malicious behavior detected; no obvious security vulnerabilities beyond standard filesystem access patterns. Some minor robustness improvements could include explicit error reporting for non-matching cases, and handling of undefined results in a clearer manner. Confidence: 1.00 Severity: 0.60 From: ? → npm/nyc@17.0.0 → npm/@openzeppelin/docs-utils@0.1.5 → npm/eslint-plugin-unicorn@51.0.1 → npm/locate-path@5.0.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/locate-path@5.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm node-preload is 100.0% likely to have a medium risk anomaly Notes: The file itself is a small bootstrap that installs a spawn hook and requires a list of modules to execute. By design it executes arbitrary modules and can modify child process behavior, which is a high-impact capability. There is no direct evidence of exfiltration or malicious payloads in this fragment, but the code should be treated as potentially dangerous because it enables execution of other modules (the real risk depends on those modules). Recommend auditing ../preload-list.js, ../internal-preload-module.js, ../hook-spawn.js and every module referenced in the preload list before trusting this package. Confidence: 1.00 Severity: 0.60 From: ? → npm/nyc@17.0.0 → npm/node-preload@0.2.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/node-preload@0.2.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
See 12 more rows in the dashboard

View full report