Bump serialize-javascript and hardhat

[dependabot]

Removes serialize-javascript. It's no longer used after updating ancestor dependency hardhat. These dependencies need to be updated together.

Removes serialize-javascript

Updates hardhat from 2.17.3 to 3.1.10

Release notes

Sourced from hardhat's releases.

Hardhat v3.1.10

This release contains many improvements and bug fixes, including a cleaner display of test coverage reports (--coverage) and support for inline actions in tasks.

Changes

• 726ff37: Update the --coverage table output to match the style used by --gas-stats. Thanks @​jose-blockchain! (#7733)
• f1e9b05: Added support for inline actions in tasks 7851.
• ca26adb: Update hardhat node to always use the new node network (#7989)
• ec03a01: Allow overriding the type of the network configs default and localhost #7805
• 87623db: Introduce new inter-process mutex implementation (7942).
• 2c2e1f5: Throw better error messages when trying to use a Hardhat 2 plugin with Hardhat 3 #7991.
• 87623db: Make the solc downloader safe when run by multiple processes (7946).
• 73cb725: Expose gasLimit configuration for Solidity tests #7996
• 90b5eec: Suggest installing hardhat-foundry when appropriate
• 88e9cb5: Add a SolidityHooks#readNpmPackageRemappings hook

---

💡 The Nomic Foundation is hiring! Check our open positions.

---

Hardhat v3.1.9

This release improves coverage compatibility with Solidity versions not fully supported by EDR, along with a few quality-of-life improvements to gas analytics and compiler downloads.

Changes

• 621d07e: Make the coverage work with versions of Solidity that aren't fully supported by EDR #7982
• 3e39a06: Round average and median gas usage in the gas analytics output
• 78af2ed: Allow multiple parallel downloads of different compilers (7946).

---

💡 The Nomic Foundation is hiring! Check our open positions.

---

Hardhat v3.1.8

This release switches to official solc Linux ARM64 builds (when available) and fixes a missing EIP-7212 precompile in Solidity tests.

Changes

• a6947fb: Use the official Linux ARM64 builds of solc in the production profile when available (#7917).
• fd42744: Fixed missing EIP-7212 precompile in Solidity Tests (#7872).

---

💡 The Nomic Foundation is hiring! Check our open positions.

---

Hardhat v3.1.7

This release adds support for eth_getProof and suppresses solc license and pragma warnings in Solidity test files.

Changes

... (truncated)

Changelog

Sourced from hardhat's changelog.

3.1.10

Patch Changes

• ca26adb: Update hardhat node to always use the new node network (#7989)[https://redirect.github.com/Node network config NomicFoundation/hardhat#7989]
• 87623db: Introduce new inter-process mutex implementation (7942).
• 88e9cb5: Add a SolidityHooks#readNpmPackageRemappings hook
• ec03a01: Allow overriding the type of the network configs default and localhost #7805
• 2c2e1f5: Throw better error messages when trying to use a Hardhat 2 plugin with Hardhat 3 #7991.
• 90b5eec: Suggest installing hardhat-foundry when appropriate
• 87623db: Make the solc downloader safe when run by multiple processes (7946).
• 726ff37: Update the --coverage table output to match the style used by --gas-stats. Thanks @​jose-blockchain! (#7733)
• f1e9b05: Added support for inline actions in tasks 7851.
• 73cb725: Expose gasLimit configuration for Solidity tests #7996

3.1.9

Patch Changes

• 621d07e: Make the coverage work with versions of Solidity that aren't fully supported by EDR #7982
• 3e39a06: Round average and median gas usage in the gas analytics output
• 78af2ed: Allow multiple parallel downloads of different compilers (7946).

3.1.8

Patch Changes

• a6947fb: Use the official Linux ARM64 builds of solc in the production profile when available (#7917).
• fd42744: Fixed missing EIP-7212 precompile in Solidity Tests (#7872).

3.1.7

Patch Changes

• 4995121: Suppressed pragma and license warnings in Solidity test files (7894).
• 22adbcb: Added support for eth_getProof (3345).

3.1.6

Patch Changes

• 98fbf44: Implemented SolidityBuildSystemImplementation#compileBuildInfo (#7891)
• a9445c9: Added ArtifactManager#getAllArtifactPaths (#7902)
• a9445c9: Fixed typechain type generation when compiling a subset of the Solidity files (#7902)
• 127ce88: Suppress Hardhat console.sol memory-safe-assembly warning #7862.
• c40697b: Added a Solidity#build hook (#7890)
• 8e5610f: Fixed a bug where nested folders were not created during the HTML coverage report generation (#7889)
• 13a1e4b: Multiple internal fixes to the solidity build system (#7900)
• 0c47a69: Added compiler downloader retry in case of failure (#7031)

... (truncated)

Commits

• 6ce1e7d Version Packages
• 78aeb59 Add tests to the error-messages module and fix the issues encountered
• e59081b Rename fromHasFoundryToml fields
• 0ea53e0 Improve messaging
• a538ebb Suggest installing hardhat-foundry when appropriate
• 808040c Define a default RemappingsReaderFunction
• bf9b939 Add a comment explaining a mock
• dd874d4 Add #parseAndDeduplicateRemappings
• 6b6b097 Move function to a private method
• 8e4d918 Rename variable
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for hardhat since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	hardhat@​2.17.3 ⏵ 3.1.10	+7		-6	-1	+20

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		System shell access: npm @nomicfoundation/edr in module child_process Module: child_process Location: Package overview From: package-lock.json → npm/hardhat@3.1.10 → npm/@nomicfoundation/edr@0.12.0-next.24 ℹ Read more on: This package | This alert | What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@nomicfoundation/edr@0.12.0-next.24. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm @sentry/core in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: package-lock.json → npm/hardhat@3.1.10 → npm/@sentry/core@9.47.1 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/core@9.47.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm esbuild in module https Module: https Location: Package overview From: package-lock.json → npm/hardhat@3.1.10 → npm/esbuild@0.27.3 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/esbuild@0.27.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		System shell access: npm esbuild in module child_process Module: child_process Location: Package overview From: package-lock.json → npm/hardhat@3.1.10 → npm/esbuild@0.27.3 ℹ Read more on: This package | This alert | What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/esbuild@0.27.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm esbuild in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: package-lock.json → npm/hardhat@3.1.10 → npm/esbuild@0.27.3 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/esbuild@0.27.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Install-time scripts: npm esbuild during postinstall Install script: postinstall Source: node install.js From: package-lock.json → npm/hardhat@3.1.10 → npm/esbuild@0.27.3 ℹ Read more on: This package | This alert | What is an install script? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/esbuild@0.27.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm @noble/curves URLs: https://eprint.iacr.org/2012/685.pdf, https://en.wikipedia.org/wiki/Tonelli%E2%80%93Shanks_algorithm, https://hal.science/hal-01534101/file/main.pdf, https://tools.ietf.org/html/draft-irtf-cfrg-pairing-friendly-curves-11, https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-bls-signature-05, https://www.rfc-editor.org/rfc/rfc9380, https://github.com/zkcrypto/bls12_381/blob/080eaa74ec0e394377caa1ba302c8c121df08b07/src/fp2.rs#L250, https://github.com/supranational/blst/blob/aae0c7d70b799ac269ff5edf29d8191dbd357876/src/exp2.c#L1, https://github.com/dalek-cryptography/curve25519-dalek/blob/17698df9d4c834204f83a3574143abacb4fc81a5/src/field.rs#L99, https://eprint.iacr.org/2009/565.pdf, https://eprint.iacr.org/2010/354.pdf, https://eprint.iacr.org/2021/1130.pdf, https://eprint.iacr.org/2019/814.pdf, https://eprint.iacr.org/2019/403, https://eprint.iacr.org/2017/419.pdf, https://bitcoin.stackexchange.com/questions/57644/what-are-the-parts-of-a-bitcoin-transaction-input-script, https://www.rfc-editor.org/rfc/rfc9380#section-6.6.2, https://ethresear.ch/t/fast-verification-of-multiple-bls-signatures/5407, https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448-07#name-element-derivation-2, https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448, https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448-07#name-decode-2, https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448-07#name-encode-2, https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-ristretto255-decaf448-07#name-equals-2, https://github.com/dalek-cryptography/curve25519-dalek/blob/59837c6ecff02b77b9d5ff84dbc239d0cf33ef90/vendor/ristretto.sage#L699, https://www.rfc-editor.org/rfc/rfc9380#appendix-C, https://www.rfc-editor.org/rfc/rfc9380#section-4.1, https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#doubling-dbl-2008-hwcd, https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#addition-add-2008-hwcd, https://ristretto.group/formulas/elligator.html, https://ristretto.group/formulas/decoding.html, https://ristretto.group/formulas/encoding.html, https://www.secg.org/sec2-v2.pdf,, https://neuromancer.sk/std/nist/P-521, https://gist.github.com/paulmillr/eb670806793e84df628a7c434a873066, https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki, https://www.rfc-editor.org/rfc/rfc9380#section-3 Location: Package overview From: package-lock.json → npm/hardhat@3.1.10 → npm/@noble/curves@1.4.2 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@noble/curves@1.4.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm @noble/curves URLs: https://github.com/paulmillr/micro-starknet, https://caniuse.com/mdn-javascript_builtins_uint8array_fromhex, https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#doubling-dbl-2008-hwcd, https://hyperelliptic.org/EFD/g1p/auto-twisted-extended.html#addition-add-2008-hwcd, https://hal.science/hal-01534101/file/main.pdf, https://tools.ietf.org/html/draft-irtf-cfrg-pairing-friendly-curves-11, https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-bls-signature-05, https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-pairing-friendly-curves-11, https://eprint.iacr.org/2009/565.pdf, https://eprint.iacr.org/2010/354.pdf, https://eprint.iacr.org/2021/1130.pdf, https://eprint.iacr.org/2019/814.pdf, https://eprint.iacr.org/2019/403, https://eprint.iacr.org/2017/419.pdf, https://ethresear.ch/t/fast-verification-of-multiple-bls-signatures/5407, https://github.com/paulmillr/noble-secp256k1/blob/47cb1669b6e506ad66b35fe7d76132ae97465da2/index.ts#L502-L541, https://www.rfc-editor.org/rfc/rfc7748, https://cr.yp.to/ecdh.html#validate, https://www.typescriptlang.org/docs/handbook/release-notes/typescript-2-7.html#unique-symbol, https://letsencrypt.org/docs/a-warm-welcome-to-asn1-and-der/,, https://luca.ntop.org/Teaching/Appunti/asn1.html, https://crypto.stackexchange.com/a/57734, https://eprint.iacr.org/2015/1060,, https://bitcoin.stackexchange.com/questions/57644/what-are-the-parts-of-a-bitcoin-transaction-input-script, https://www.rfc-editor.org/rfc/rfc9380#section-6.6.2, https://eprint.iacr.org/2012/685.pdf, https://en.wikipedia.org/wiki/Tonelli%E2%80%93Shanks_algorithm, https://hal.science/hal-01534101/file/main.pdf., https://www.rfc-editor.org/rfc/rfc9380#appendix-B, https://www.rfc-editor.org/rfc/rfc9380#section-4.1, https://www.secg.org/sec2-v2.pdf,, https://neuromancer.sk/std/nist/P-521, https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki, https://www.rfc-editor.org/rfc/rfc9380#section-3, https://tches.iacr.org/index.php/TCHES/article/view/7337/6509., https://www.secg.org/sec1-v2.pdf: Location: Package overview From: package-lock.json → npm/hardhat@3.1.10 → npm/@noble/curves@1.8.2 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@noble/curves@1.8.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm @noble/hashes URLs: https://github.com/RustCrypto/KDFs/issues/15, https://datatracker.ietf.org/doc/draft-irtf-cfrg-kangarootwelve/ Location: Package overview From: package-lock.json → npm/hardhat@3.1.10 → npm/@noble/hashes@1.4.0 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@noble/hashes@1.4.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm @noble/hashes URLs: https://github.com/RustCrypto/KDFs/issues/15, https://datatracker.ietf.org/doc/html/rfc6151, https://datatracker.ietf.org/doc/draft-irtf-cfrg-kangarootwelve/ Location: Package overview From: package-lock.json → npm/hardhat@3.1.10 → npm/@noble/hashes@1.7.2 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@noble/hashes@1.7.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm @nomicfoundation/edr URLs: https://github.com/NomicFoundation/edr/issues/911, https://eips.ethereum.org/EIPS/eip-7825, https://optimism.alchemyapi.io/v2/... Location: Package overview From: package-lock.json → npm/hardhat@3.1.10 → npm/@nomicfoundation/edr@0.12.0-next.24 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@nomicfoundation/edr@0.12.0-next.24. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Filesystem access: npm @nomicfoundation/edr with module fs Module: fs Location: Package overview From: package-lock.json → npm/hardhat@3.1.10 → npm/@nomicfoundation/edr@0.12.0-next.24 ℹ Read more on: This package | This alert | What is filesystem access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@nomicfoundation/edr@0.12.0-next.24. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm @nomicfoundation/hardhat-errors URLs: https://github.com/nomiclabs/hardhat/issues/new, https://hardhat.org/hd-wallet-config, https://hardhat.org/ethers-library-linking, https://github.com/mochajs/mocha/issues/2706, https://github.com/wevm/viem/blob/main/src/chains/index.ts, https://hardhat.org/hardhat-network-helpers-fixtures, https://hardhat.org/chaining-async-matchers, https://hardhat.org/verify-custom-networks, https://etherscan.io/solcversions, https://getfoundry.sh Location: Package overview From: package-lock.json → npm/hardhat@3.1.10 → npm/@nomicfoundation/hardhat-errors@3.0.7 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@nomicfoundation/hardhat-errors@3.0.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm @nomicfoundation/hardhat-utils URLs: 127.0.0.1, https://nodejs.org/docs/latest-v20.x/api/fs.html#file-system-flags, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Number/isSafeInteger, https://github.com/juanjoDiaz/streamparser-json/issues/47 Location: Package overview From: package-lock.json → npm/hardhat@3.1.10 → npm/@nomicfoundation/hardhat-utils@4.0.0 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@nomicfoundation/hardhat-utils@4.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm @nomicfoundation/hardhat-vendored with https://istanbul.js.org/ URLs: https://istanbul.js.org/ Location: Package overview From: package-lock.json → npm/hardhat@3.1.10 → npm/@nomicfoundation/hardhat-vendored@3.0.1 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@nomicfoundation/hardhat-vendored@3.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm @nomicfoundation/hardhat-zod-utils URLs: https://github.com/colinhacks/zod/issues/2940#issuecomment-2380836931 Location: Package overview From: package-lock.json → npm/hardhat@3.1.10 → npm/@nomicfoundation/hardhat-zod-utils@3.0.2 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@nomicfoundation/hardhat-zod-utils@3.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm @scure/base URLs: https://www.crockford.com/base32.html, https://caniuse.com/mdn-javascript_builtins_uint8array_frombase64, https://github.com/paulmillr/scure-btc-signer., https://caniuse.com/mdn-javascript_builtins_uint8array_fromhex Location: Package overview From: package-lock.json → npm/hardhat@3.1.10 → npm/@scure/base@1.2.6 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@scure/base@1.2.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm @sentry/core URLs: console.info, https://develop.sentry.dev/sdk/telemetry/traces/#propagated-random-value, mcp.progress.total, https://developers.facebook.com/community/threads/320013549791141/, https://github.com/getsentry/sentry-javascript/issues/15065, mcp.client.name, mcp.method.name, mcp.request.id, mcp.session.id, mcp.server.name, mcp.tool.name, mcp.prompt.name, https://github.com/supabase-community/sentry-integration-js, gen_ai.response.id, gen_ai.operation.name, openai.response.id, Span.id, user.id, user.email, user.name, sentry.sdk.name, https://github.com/jshttp/cookie/blob/a0c84147aab6266bdb3996cf4062e93907c0b0fc/index.js, https://stackoverflow.com/a/3641782, https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string, http://s.io, https://github.com/getsentry/sentry-javascript/pull/8981, http://www.example.com, https://github.com/getsentry/sentry-javascript/issues/1233, https://github.com/getsentry/sentry-javascript/pull/7404, https://github.com/getsentry/sentry-javascript/pull/4196, breadcrumbs.data, ai.model.id, ai.toolCall.name, ai.toolCall.id, https://ai-sdk.dev/docs/ai-sdk-core/telemetry#tool-call-spans, https://opentelemetry.io/docs/specs/semconv/registry/attributes/gen-ai/#gen-ai-tool-type, gen_ai.tool.name, gen_ai.tool.call.id, ai.pipeline.name, ai.stream, ai.run, gen_ai.conversation.id, https://github.com/getsentry/sentry-javascript/issues/2590, https://github.com/mdn/content/issues/4713, https://dev.to/noamr/when-a-millisecond-is-not-a-millisecond-3h6, https://github.com/getsentry/sentry-javascript/issues/2590., https://develop.sentry.dev/sdk/data-handling/#structuring-data, https://opentelemetry.io/docs/specs/semconv/http/., https://opentelemetry.io/docs/specs/semconv/http/http-spans/#name, https://tools.ietf.org/html/rfc3986#appendix-B, http://example.com/my/path/static/asset.js, http://example.com/my/path, cloud.account.id, host.id, ui.click, https://developer.mozilla.org/en-US/docs/Web/API/WorkerLocation., https://en.wikipedia.org/wiki/List_of_tz_database_time_zones, https://docs.sentry.io/product/releases/, https://example.com/, https://external-api.com, gen_ai.request.stream, operation.name, ai.schema.name, resource.name, ai.response.id, span.data Location: Package overview From: package-lock.json → npm/hardhat@3.1.10 → npm/@sentry/core@9.47.1 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/core@9.47.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Environment variable access: npm @sentry/core reads FUNCTIONS_WORKER_RUNTIME Env Vars: FUNCTIONS_WORKER_RUNTIME Location: Package overview From: package-lock.json → npm/hardhat@3.1.10 → npm/@sentry/core@9.47.1 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/core@9.47.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Environment variable access: npm @sentry/core reads LAMBDA_TASK_ROOT Env Vars: LAMBDA_TASK_ROOT Location: Package overview From: package-lock.json → npm/hardhat@3.1.10 → npm/@sentry/core@9.47.1 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/core@9.47.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Environment variable access: npm @sentry/core reads K_SERVICE Env Vars: K_SERVICE Location: Package overview From: package-lock.json → npm/hardhat@3.1.10 → npm/@sentry/core@9.47.1 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/core@9.47.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Environment variable access: npm @sentry/core reads CF_PAGES Env Vars: CF_PAGES Location: Package overview From: package-lock.json → npm/hardhat@3.1.10 → npm/@sentry/core@9.47.1 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/core@9.47.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Environment variable access: npm @sentry/core reads VERCEL Env Vars: VERCEL Location: Package overview From: package-lock.json → npm/hardhat@3.1.10 → npm/@sentry/core@9.47.1 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/core@9.47.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
See 35 more rows in the dashboard

View full report