Update dependency bignumber.js to v11#1270

Open
renovate[bot] wants to merge 1 commit into master from renovate/bignumber.js-11.x

Conversation

renovate Bot (Contributor) commented Jun 2, 2026

This PR contains the following updates:

Package       Change             Age   Adoption   Passing   Confidence
bignumber.js  ^9.1.2 → ^11.0.0   age   adoption   passing   confidence

Release Notes

MikeMcl/bignumber.js (bignumber.js)

v11.1.3

Compare Source

  • 05/06/26
  • #406 Fix EXPONENTIAL_AT default value documentation.

v11.1.2

Compare Source

  • 30/05/26
  • [BUGFIX] #405 Fix invalid toFormat output for -0.

v11.1.1

Compare Source

  • 02/05/26
  • Docs: fix version number and decimalPlaces API description.

v11.1.0

Compare Source

  • 30/04/26
  • #401 BigNumber.sum: return zero if there are no arguments.
  • #352 Add toBigInt method.
  • #286 Add fromFormat method.
  • #262 decimalPlaces, toFixed and toFormat: support negative decimal places.
  • #260 toFormat: support minimum/maximum decimal places.
  • toFormat: fallback to FORMAT for each property not in options.
  • [BUGFIX] #342 Large DECIMAL_PLACES causing slow hex integer base conversion.
  • Typescript: add test_api.ts to improve typed API test coverage.

v11.0.0

Compare Source

  • 14/04/26
  • Add STRICT configuration option:
    if true (default), throw an exception on invalid input.
    if false, return NaN on invalid input.
  • toFraction: return [1, 0] for Infinity and [0, 0] for NaN.
  • Support underscores as separators.
  • If a base is supplied, reject non-finite values and base prefixes.

v10.0.2

Compare Source

  • 24/02/26
  • Reinstate README.md links.

v10.0.1

Compare Source

  • 24/02/26
  • Commit dist folder.

v10.0.0

Compare Source

  • 23/02/26
  • Implement targeted builds for ES modules, CommonJS, and browser (global assignment).
  • Add CI workflow.
  • Add type declaration import tests.
  • Remove BigNumber.DEBUG, so the behaviour is now always as if it was true:
    • throw on invalid input instead of returning NaN.
    • always validate the c, e, and s properties of objects passed to isBigNumber
  • Don't call toString on any arbitrary object passed to the constructor.
  • Require a BigNumber value to be a string if a base is also passed.
  • Add toObject prototype method which returns a plain object with c, e, and s properties.
  • Remove .npmignore, as files in package.json is used. Add .gitignore.
  • Normalise line endings and add .gitattributes.
  • Add typescript to devDependencies.

v9.3.1

Compare Source

  • 11/07/25
  • [BUGFIX] #388 toPrecision fix.

v9.3.0

Compare Source

  • 19/04/25
  • Refactor type declarations:
    • Rename bignumber.d.ts to types.d.ts.
    • Rename bignumber.d.cts to bignumber.d.ts.
    • Add export as namespace to bignumber.d.ts.
    • Remove subpath exports from package.json.
    • Refactor named export from bignumber.d.mts.
  • #383 Remove ? from static BigNumber and default properties.
  • Add blank lines after titles in CHANGELOG.md.

v9.2.1

Compare Source

v9.2.0

Compare Source

  • 03/04/25
  • #355 Support BigInt argument.
  • #371 Provide separate type definitions for CommonJS and ES modules.
  • #374 Correct comparedTo return type.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.

socket-security Bot commented Jun 2, 2026

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action | Severity | Alert
Block | Low | CVE (npm/diff): jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch

CVE: GHSA-73rr-hh4g-fpgx jsdiff has a Denial of Service vulnerability in parsePatch and applyPatch (LOW)

Affected versions: >= 6.0.0 < 8.0.3; >= 5.0.0 < 5.2.2; >= 4.0.0 < 4.0.4; < 3.5.1

Patched version: 8.0.3

From: ? → npm/sinon@20.0.0 → npm/diff@7.0.0

ℹ Read more on: This package | This alert | What is a mild CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known low severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/diff@7.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block | Low | Potential code anomaly (AI signal): npm flat-cache is 100.0% likely to have a medium risk anomaly

Notes: The code implements a straightforward, non-malicious, file-backed cache with in-memory tracking and optional pruning. The primary security concern is proper input validation for docId and cacheDir to prevent path traversal outside the intended cache directory. No signs of malware or covert data leakage were observed in the provided fragment.

Confidence: 1.00

Severity: 0.60

From: ? → npm/eslint@8.57.0 → npm/flat-cache@3.2.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/flat-cache@3.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block | Low | Potential code anomaly (AI signal): npm hardhat is 100.0% likely to have a medium risk anomaly

Notes: The code implements a subprocess-based transport to offload event sending. While this can reduce main-process dependencies, it creates a cross-process data path that exposes the serialized event via environment variables to an external subprocess. The subprocess script (not present here) becomes a critical trust boundary. Without inspecting the subprocess implementation and package contents, there is a non-trivial risk of data leakage or tampering via the external process. No explicit malware detected in this fragment, but the design warrants careful review of the subprocess code and supply chain integrity.

Confidence: 1.00

Severity: 0.60

From: packages/core/package.json → npm/hardhat@2.28.6

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/hardhat@2.28.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block | Low | Potential code anomaly (AI signal): npm import-fresh is 100.0% likely to have a medium risk anomaly

Notes: This fragment is a focused utility to reload a specified module by name by bypassing the require cache and re-binding it to its parent when possible. It is not inherently malicious, but it can introduce security risks if moduleId can be influenced to load attacker-controlled modules or if used in contexts where modules are loaded from untrusted sources. In a secure supply chain context, it should be treated as a potential risk vector for dynamic code loading and should be restricted to trusted modules only.

Confidence: 1.00

Severity: 0.60

From: ? → npm/eslint@8.57.0 → npm/eslint-plugin-unicorn@51.0.1 → npm/import-fresh@3.3.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/import-fresh@3.3.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block | Low | Potential code anomaly (AI signal): npm locate-path is 100.0% likely to have a medium risk anomaly

Notes: The code implements a safe and conventional filesystem path locator for a list of candidate paths, with options to follow symlinks and to restrict to files or directories. No malicious behavior detected; no obvious security vulnerabilities beyond standard filesystem access patterns. Some minor robustness improvements could include explicit error reporting for non-matching cases, and handling of undefined results in a clearer manner.

Confidence: 1.00

Severity: 0.60

From: ? → npm/nyc@17.0.0 → npm/@openzeppelin/docs-utils@0.1.5 → npm/eslint-plugin-unicorn@51.0.1 → npm/locate-path@5.0.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/locate-path@5.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block | Low | Potential code anomaly (AI signal): npm tsx is 100.0% likely to have a medium risk anomaly

Notes: This fragment appears to be a bundler-generated bootstrap/initialization piece that imports many modules and executes an initialization function (r). No explicit malicious activity is evident within this fragment itself, but the risk stems from side effects of the imported modules on load. A careful review of the implementations of the imported modules (especially those exporting r and those performing initialization, build-time, or network/file operations) is recommended to rule out hidden telemetry, backdoors, or undesired side effects.

Confidence: 1.00

Severity: 0.60

From: ? → npm/hardhat@3.6.0 → npm/tsx@4.20.6

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tsx@4.20.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

renovate Bot force-pushed the renovate/bignumber.js-11.x branch from 5360ee5 to 881738e on June 5, 2026 17:32