refactor: migrate test infrastructure from ethers v5 to v6 by gtg7784 · Pull Request #473 · Uniswap/universal-router

gtg7784 · 2026-03-24T07:49:09Z

Summary

Migrate the entire TypeScript test infrastructure from ethers v5 to ethers v6, updating all 29 TypeScript files across shared helpers, integration tests, and gas benchmark tests.

Upgrade ethers ^5.7.2 → ^6.13.0 and all associated Hardhat/TypeChain plugins
Replace BigNumber with native bigint throughout (265+ occurrences)
Replace contract.address with await contract.getAddress() / pre-cached addresses
Replace ethers.utils.* namespace with ethers v6 top-level exports
Replace receipt.events?.find() with interface.parseLog() pattern
No changes to Solidity contracts or external interfaces

Motivation

ethers v6 brings native bigint support, smaller bundle size, and improved TypeScript types. This migration modernizes the test infrastructure while keeping all contract interfaces and test logic unchanged.

Changes

Infrastructure (3 files)

File	Changes
`package.json`	ethers v6, hardhat-ethers v3, typechain-ethers-v6, typescript v5
`hardhat.config.ts`	Updated plugin imports, typechain outDir config
`tsconfig.json`	`target: es2020` for bigint support

Shared Helpers (14 files)

Types: BigNumber → bigint, BigNumberish retained (valid in v6)
Constants: ethers.constants.AddressZero → ethers.ZeroAddress
ABI Encoding: defaultAbiCoder from ethers/lib/utils → AbiCoder from ethers
Signatures: splitSignature → Signature.from(), _signTypedData → signTypedData
Addresses: contract.address → await contract.getAddress()

Test Files (7 files)

UniversalRouter.test.ts, CheckOwnership.test.ts, UniswapV2.test.ts
UniswapV3.test.ts, UniswapV4.test.ts, UniswapMixed.test.ts
V3ToV4Migration.test.ts

Gas Tests (6 files)

All gas benchmark test files migrated
Obsolete gas snapshots removed (to be regenerated with yarn test:gas)

Key Migration Patterns

// BigNumber → bigint
BigNumber.from(1)          → 1n
a.sub(b)                   → a - b
a.mul(b).div(c)            → a * b / c
wethTraded.mul(-1)         → -wethTraded

// Contract addresses
contract.address           → await contract.getAddress()  // async
                           → contract.target               // sync alternative

// Signatures
splitSignature(sig)        → Signature.from(sig)
signer._signTypedData(...) → signer.signTypedData(...)

// Event parsing
receipt.events?.find(...)  → receipt.logs.map(l => iface.parseLog(l)).find(...)

// TypeChain casts
as IPermit2               → as unknown as IPermit2

Verification

✅ npm run compile passes — 158 Solidity files compiled, 374 ethers-v6 typings generated
✅ Zero remaining v5 patterns (@ethersproject/*, ethers.utils.*, .sub()/.add()/.mul()/.div())
✅ No Solidity contract changes
⚠️ Tests require valid INFURA_API_KEY in .env for mainnet fork execution

- ethers ^5.7.2 → ^6.13.0 - @nomicfoundation/hardhat-ethers ^3.0.0 (replaces @nomiclabs/hardhat-ethers) - @nomicfoundation/hardhat-chai-matchers ^2.0.0 (replaces @nomicfoundation/hardhat-chai-matchers v1) - @typechain/ethers-v6 ^0.5.0 (replaces @typechain/ethers-v5) - @typechain/hardhat ^9.0.0 - typescript ^5.0.0, ts-node ^10.9.0, typechain ^8.3.0 - Remove hardhat-typechain, ts-generator - Configure typechain outDir to 'typechain' for backward compatibility - Update tsconfig target to es2020 for bigint support

- Replace ethers.constants.AddressZero with ethers.ZeroAddress - Replace BigNumber return types with native bigint - Update expandTo18DecimalsBN/expandTo6DecimalsBN to return bigint - Convert BigNumber.from() to BigInt() throughout

- Replace defaultAbiCoder import from ethers/lib/utils with AbiCoder from ethers - Use AbiCoder.defaultAbiCoder() for encoding

- Update imports from @ethersproject/* to ethers - Use ReadonlyArray<string> for log topics compatibility - Replace ethers.utils.id with id, AbiCoder imports from ethers - Update bigint types for interface parameter encoding

- Replace splitSignature with Signature.from() - Replace _signTypedData with signTypedData - Replace contract.address with await contract.getAddress() - Replace wallet.getChainId() with provider.getNetwork() pattern - Import BigNumberish, MaxUint256, Signature from ethers

- Replace MaxUint256 import from ethers constants to ethers top-level - Replace BigNumber types with bigint throughout - Replace contract.address with await contract.getAddress() - Replace gasUsed.mul(effectiveGasPrice) with bigint multiplication - Use 'as unknown as' cast for ethers v6 Contract type compatibility - Import TransactionResponse from ethers instead of @ethersproject

- Replace BigNumber arithmetic with native bigint operators - Convert BigInt('...') for large price constants - Use .toString() for JSBI compatibility with v6 bigint returns - Update sqrtPrice parameter types to bigint

- Replace _signTypedData with signTypedData - Replace contract.address with await contract.getAddress() - Update BigNumber types to bigint

- Replace @ethersproject/* imports with ethers - Replace @nomiclabs/hardhat-ethers with @nomicfoundation/hardhat-ethers - Replace BigNumber types with bigint, .sub()/.add() with native operators - Pre-cache contract addresses via getAddress() - Use 'as unknown as' for TypeChain contract casts

- Replace @nomiclabs/hardhat-ethers with @nomicfoundation/hardhat-ethers - Use 'as unknown as' for TypeChain contract casts - Pre-cache contract addresses via getAddress()

- Replace @ethersproject/* imports with ethers - Replace BigNumber types with bigint, arithmetic with native operators - Pre-cache contract addresses via getAddress() - Use 'as unknown as' for TypeChain contract casts

- Replace @ethersproject/* imports with ethers - Replace BigNumber/BigNumberish types with bigint/number - Replace .sub()/.add()/.mul() with native bigint operators - Pre-cache permit2Address, routerAddress via getAddress() - Use 'as unknown as' for TypeChain contract casts

- Replace @ethersproject/* imports with ethers - Replace BigNumber types with bigint throughout - Replace .sub()/.add()/.mul()/.div() with native bigint operators - Pre-cache all contract addresses (permit2, router, v4PositionManager, tokens) - Use BigInt(ONE_PERCENT_BIPS) for percentage calculations - Use 'as unknown as' for TypeChain contract casts

- Replace @ethersproject/* imports with ethers - Replace BigNumber types with bigint, BigNumber.from() with BigInt() - Replace .sub()/.add()/.mul() with native bigint operators - Pre-cache all contract addresses via getAddress() - Use 'as unknown as' for TypeChain contract casts

- Replace @ethersproject/* imports with ethers - Replace ethers.utils.Interface/AbiCoder/id with ethers v6 equivalents - Replace BigNumber types with bigint, BigNumber.from() with BigInt/0n - Replace .sub()/.add() with native bigint operators - Replace receipt.events?.find() with interface.parseLog() pattern - Pre-cache contract addresses via getAddress() - Use 'as unknown as' for TypeChain contract casts

- Migrate all 6 gas test files to ethers v6 patterns - Replace @ethersproject/* and @nomiclabs/* imports - Replace BigNumber/BigNumberish types with bigint - Replace .sub()/.add() with native bigint operators - Replace receipt.events?.find() with interface.parseLog() - Pre-cache contract addresses via getAddress() - Use 'as unknown as' for TypeChain contract casts - Remove obsolete gas snapshots (to be regenerated)

socket-security · 2026-03-24T07:49:33Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Package	Supply Chain Security	Quality	Maintenance	License
@uniswap/sdk-core@3.0.1 ⏵ 3.2.3	⁺¹	⁺¹	⁺⁵
@uniswap/v2-sdk@3.0.1 ⏵ 3.3.0		⁺¹
ethers@5.7.2 ⏵ 6.16.0	^-24	⁺¹
@uniswap/router-sdk@1.3.0 ⏵ 1.23.0	⁺¹	⁺¹
@types/chai@4.3.3 ⏵ 4.3.20
@uniswap/v3-sdk@3.9.0 ⏵ 3.30.0	⁺⁵		⁺¹
mocha-chai-jest-snapshot@1.1.4 ⏵ 1.1.7	⁺²	⁺¹
@typechain/ethers-v6@0.5.1
@typechain/hardhat@9.1.0
typechain@4.0.3 ⏵ 8.3.2		⁺¹
ts-node@8.10.2 ⏵ 10.9.2	^-2
chai@4.3.6 ⏵ 4.5.0
@nomicfoundation/hardhat-chai-matchers@1.0.4 ⏵ 2.1.2	⁺¹	⁺¹⁰	⁺²
typescript@3.9.10 ⏵ 5.9.3	⁺¹	^-10		⁺¹⁰
bignumber.js@9.1.1 ⏵ 9.3.1	⁺¹	⁺¹
prettier@2.7.1 ⏵ 2.8.8	⁺¹
@nomicfoundation/hardhat-ethers@3.1.3
prettier-plugin-solidity@1.0.0-beta.24 ⏵ 1.4.3	⁺¹	⁺¹	⁺⁶

View full report

socket-security · 2026-03-24T07:49:35Z

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Block		Potential vulnerability: npm `node-gyp` with risk level "medium" Location: Package overview From: `?` → `npm/@uniswap/v3-sdk@3.30.0` → `npm/hardhat@2.22.14` → `npm/@uniswap/router-sdk@1.23.0` → `npm/mocha-chai-jest-snapshot@1.1.7` → `npm/node-gyp@12.2.0` ℹ Read more on: This package \| This alert \| Navigating potential vulnerabilities Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: It is advisable to proceed with caution. Engage in a review of the package's security aspects and consider reaching out to the package maintainer for the latest information or patches. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/node-gyp@12.2.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential vulnerability: npm `node-gyp` with risk level "medium" Location: Package overview From: `?` → `npm/@uniswap/v3-sdk@3.30.0` → `npm/hardhat@2.22.14` → `npm/@uniswap/router-sdk@1.23.0` → `npm/mocha-chai-jest-snapshot@1.1.7` → `npm/node-gyp@12.2.0` ℹ Read more on: This package \| This alert \| Navigating potential vulnerabilities Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: It is advisable to proceed with caution. Engage in a review of the package's security aspects and consider reaching out to the package maintainer for the latest information or patches. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/node-gyp@12.2.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		System shell access: npm `@nomicfoundation/solidity-analyzer` in module child_process Module: child_process Location: Package overview From: `?` → `npm/hardhat@2.22.14` → `npm/@nomicfoundation/solidity-analyzer@0.1.2` ℹ Read more on: This package \| This alert \| What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@nomicfoundation/solidity-analyzer@0.1.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		System shell access: npm `node-gyp` in module child_process Module: child_process Location: Package overview From: `?` → `npm/@uniswap/v3-sdk@3.30.0` → `npm/hardhat@2.22.14` → `npm/@uniswap/router-sdk@1.23.0` → `npm/mocha-chai-jest-snapshot@1.1.7` → `npm/node-gyp@12.2.0` ℹ Read more on: This package \| This alert \| What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/node-gyp@12.2.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Dynamic module loading: npm `@cspotcode/source-map-support` Location: Package overview From: `?` → `npm/ts-node@10.9.2` → `npm/@cspotcode/source-map-support@0.8.1` ℹ Read more on: This package \| This alert \| What is dynamic require? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should avoid dynamic imports when possible. Audit the use of dynamic require to ensure it is not executing malicious or vulnerable code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@cspotcode/source-map-support@0.8.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm `@cspotcode/source-map-support` with module fs Module: fs Location: Package overview From: `?` → `npm/ts-node@10.9.2` → `npm/@cspotcode/source-map-support@0.8.1` ℹ Read more on: This package \| This alert \| What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@cspotcode/source-map-support@0.8.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm `@isaacs/fs-minipass` with module fs Module: fs Location: Package overview From: `?` → `npm/@uniswap/v3-sdk@3.30.0` → `npm/hardhat@2.22.14` → `npm/@uniswap/router-sdk@1.23.0` → `npm/mocha-chai-jest-snapshot@1.1.7` → `npm/@isaacs/fs-minipass@4.0.1` ℹ Read more on: This package \| This alert \| What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@isaacs/fs-minipass@4.0.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm `@npmcli/fs` with module fs/promises Module: fs/promises Location: Package overview From: `?` → `npm/@uniswap/v3-sdk@3.30.0` → `npm/hardhat@2.22.14` → `npm/@uniswap/router-sdk@1.23.0` → `npm/mocha-chai-jest-snapshot@1.1.7` → `npm/@npmcli/fs@5.0.0` ℹ Read more on: This package \| This alert \| What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@npmcli/fs@5.0.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm `@typechain/ethers-v6` with module fs Module: fs Location: Package overview From: package.json → `npm/@typechain/ethers-v6@0.5.1` ℹ Read more on: This package \| This alert \| What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@typechain/ethers-v6@0.5.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm `@typechain/hardhat` with module fs-extra Module: fs-extra Location: Package overview From: package.json → `npm/@typechain/hardhat@9.1.0` ℹ Read more on: This package \| This alert \| What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@typechain/hardhat@9.1.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm `create-require` with module fs Module: fs Location: Package overview From: `?` → `npm/ts-node@10.9.2` → `npm/create-require@1.1.1` ℹ Read more on: This package \| This alert \| What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/create-require@1.1.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Dynamic module loading: npm `ethers` Location: Package overview From: package.json → `npm/ethers@6.16.0` ℹ Read more on: This package \| This alert \| What is dynamic require? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should avoid dynamic imports when possible. Audit the use of dynamic require to ensure it is not executing malicious or vulnerable code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/ethers@6.16.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm `fdir` with module fs Module: fs Location: Package overview From: `?` → `npm/@uniswap/v3-sdk@3.30.0` → `npm/hardhat@2.22.14` → `npm/@uniswap/router-sdk@1.23.0` → `npm/mocha-chai-jest-snapshot@1.1.7` → `npm/fdir@6.5.0` ℹ Read more on: This package \| This alert \| What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/fdir@6.5.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm `fs-minipass` with module fs Module: fs Location: Package overview From: `?` → `npm/@uniswap/v3-sdk@3.30.0` → `npm/hardhat@2.22.14` → `npm/@uniswap/router-sdk@1.23.0` → `npm/mocha-chai-jest-snapshot@1.1.7` → `npm/fs-minipass@3.0.3` ℹ Read more on: This package \| This alert \| What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/fs-minipass@3.0.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm `path-scurry` with module fs Module: fs Location: Package overview From: `?` → `npm/@uniswap/v3-sdk@3.30.0` → `npm/hardhat@2.22.14` → `npm/@uniswap/router-sdk@1.23.0` → `npm/mocha-chai-jest-snapshot@1.1.7` → `npm/path-scurry@2.0.2` ℹ Read more on: This package \| This alert \| What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/path-scurry@2.0.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm `tar` with module fs Module: fs Location: Package overview From: `?` → `npm/@uniswap/v3-sdk@3.30.0` → `npm/hardhat@2.22.14` → `npm/@uniswap/router-sdk@1.23.0` → `npm/mocha-chai-jest-snapshot@1.1.7` → `npm/tar@7.5.13` ℹ Read more on: This package \| This alert \| What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/tar@7.5.13`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm `tinyglobby` with module fs Module: fs Location: Package overview From: `?` → `npm/@uniswap/v3-sdk@3.30.0` → `npm/hardhat@2.22.14` → `npm/@uniswap/router-sdk@1.23.0` → `npm/mocha-chai-jest-snapshot@1.1.7` → `npm/tinyglobby@0.2.15` ℹ Read more on: This package \| This alert \| What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/tinyglobby@0.2.15`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm `ts-command-line-args` with module fs Module: fs Location: Package overview From: `?` → `npm/typechain@8.3.2` → `npm/ts-command-line-args@2.5.1` ℹ Read more on: This package \| This alert \| What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/ts-command-line-args@2.5.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Dynamic module loading: npm `ts-command-line-args` Location: Package overview From: `?` → `npm/typechain@8.3.2` → `npm/ts-command-line-args@2.5.1` ℹ Read more on: This package \| This alert \| What is dynamic require? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should avoid dynamic imports when possible. Audit the use of dynamic require to ensure it is not executing malicious or vulnerable code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/ts-command-line-args@2.5.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm `ts-node` with module fs Module: fs Location: Package overview From: package.json → `npm/ts-node@10.9.2` ℹ Read more on: This package \| This alert \| What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/ts-node@10.9.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm `typechain` with module fs Module: fs Location: Package overview From: package.json → `npm/typechain@8.3.2` ℹ Read more on: This package \| This alert \| What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/typechain@8.3.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Dynamic module loading: npm `typechain` Location: Package overview From: package.json → `npm/typechain@8.3.2` ℹ Read more on: This package \| This alert \| What is dynamic require? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should avoid dynamic imports when possible. Audit the use of dynamic require to ensure it is not executing malicious or vulnerable code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/typechain@8.3.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Dynamic module loading: npm `v8-compile-cache-lib` Location: Package overview From: `?` → `npm/ts-node@10.9.2` → `npm/v8-compile-cache-lib@3.0.1` ℹ Read more on: This package \| This alert \| What is dynamic require? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should avoid dynamic imports when possible. Audit the use of dynamic require to ensure it is not executing malicious or vulnerable code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/v8-compile-cache-lib@3.0.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm `v8-compile-cache-lib` with module fs Module: fs Location: Package overview From: `?` → `npm/ts-node@10.9.2` → `npm/v8-compile-cache-lib@3.0.1` ℹ Read more on: This package \| This alert \| What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/v8-compile-cache-lib@3.0.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

gtg7784 added 16 commits March 24, 2026 16:11

refactor: migrate route planner helpers to ethers v6

107474f

- Replace defaultAbiCoder import from ethers/lib/utils with AbiCoder from ethers - Use AbiCoder.defaultAbiCoder() for encoding

refactor: migrate swap and v4 helpers to ethers v6

029138c

- Replace BigNumber arithmetic with native bigint operators - Convert BigInt('...') for large price constants - Use .toString() for JSBI compatibility with v6 bigint returns - Update sqrtPrice parameter types to bigint

refactor: migrate permit2 protocol helper to ethers v6

74ff84d

- Replace _signTypedData with signTypedData - Replace contract.address with await contract.getAddress() - Update BigNumber types to bigint

refactor: migrate CheckOwnership tests to ethers v6

b6b71b1

- Replace @nomiclabs/hardhat-ethers with @nomicfoundation/hardhat-ethers - Use 'as unknown as' for TypeChain contract casts - Pre-cache contract addresses via getAddress()

refactor: migrate UniswapV2 tests to ethers v6

92c825b

- Replace @ethersproject/* imports with ethers - Replace BigNumber types with bigint, arithmetic with native operators - Pre-cache contract addresses via getAddress() - Use 'as unknown as' for TypeChain contract casts

gtg7784 requested a review from a team as a code owner March 24, 2026 07:49

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

refactor: migrate test infrastructure from ethers v5 to v6#473

refactor: migrate test infrastructure from ethers v5 to v6#473
gtg7784 wants to merge 16 commits intoUniswap:mainfrom
gtg7784:refactor/migrate-ethers-v6

gtg7784 commented Mar 24, 2026

Uh oh!

socket-security bot commented Mar 24, 2026

Uh oh!

socket-security bot commented Mar 24, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

gtg7784 commented Mar 24, 2026

Summary

Motivation

Changes

Infrastructure (3 files)

Shared Helpers (14 files)

Test Files (7 files)

Gas Tests (6 files)

Key Migration Patterns

Verification

Uh oh!

socket-security bot commented Mar 24, 2026

Uh oh!

socket-security bot commented Mar 24, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant