Bump serialize-javascript, @nomicfoundation/hardhat-chai-matchers, @nomicfoundation/hardhat-ethers and @nomicfoundation/hardhat-toolbox

[dependabot]

Removes serialize-javascript. It's no longer used after updating ancestor dependencies serialize-javascript, @nomicfoundation/hardhat-chai-matchers, @nomicfoundation/hardhat-ethers and @nomicfoundation/hardhat-toolbox. These dependencies need to be updated together.

Removes serialize-javascript

Updates @nomicfoundation/hardhat-chai-matchers from 2.1.0 to 3.0.0

Release notes

Sourced from @​nomicfoundation/hardhat-chai-matchers's releases.

@​nomicfoundation/hardhat-ledger@​3.0.0

This is a major update that makes hardhat-ledger compatible and usable from Hardhat 3.

See the README for more details of how to use @nomicfoundation/hardhat-ledger from your project.

Changes

• a7686bd: Update hardhat-ledger to support Hardhat 3 (#7272)

---

💡 The Nomic Foundation is hiring! Check our open positions.

---

@​nomicfoundation/hardhat-vendored@​3.0.0

This is the initial release.

---

💡 The Nomic Foundation is hiring! Check our open positions.

---

@​nomicfoundation/hardhat-foundry@​3.0.0

Changes

• 4cd63e9: Introduce the @nomicfoundation/hardhat-foundry plugin for Hardhat 3

---

💡 The Nomic Foundation is hiring! Check our open positions.

---

Hardhat v2.28.6

This release is a small bug fix for an issue affecting hardhat-tracer after a hardhat_reset.

Changes

• f6d5437: Fixed an issue affecting the hardhat-tracer community plugin causing traces to stop being reported after calling hardhat_reset (#7918)

---

💡 The Nomic Foundation is hiring! Check our open positions.

---

Hardhat v2.28.5

This release is a small enhancement adding eth_getProof as a JSON-RPC method.

Changes

• 6e1f27c: Added support for eth_getProof as a JSON-RPC method (#7933)

---

💡 The Nomic Foundation is hiring! Check our open positions.

... (truncated)

Changelog

Sourced from @​nomicfoundation/hardhat-chai-matchers's changelog.

3.0.0

Major Changes

• 09ae6db: Deprecate the latest npm tag and redirect users to migrate to Hardhat 3 or to the hh2 tag.

Commits

• 6372d08 Version Packages
• a26e822 Remove the npm tags from the README.md files
• 18bef56 Quote the package in the installation instructions of the readmes
• e5025ae Update the formatting and quote the package in the installation instructions ...
• 40525f5 Update hardhat-chai-matchers
• 81dd4ec Version Packages
• 8da8c38 chore: update readme instructions instructions to use hh2 tag
• e4ad0ad chore: update package metadata for provenance
• f65ee74 Version Packages
• a4f1e27 Hardhat 2 documentation links updated to reflect the domain change to v2.hard...
• See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​nomicfoundation/hardhat-chai-matchers since your current version.

Updates @nomicfoundation/hardhat-ethers from 3.1.0 to 4.0.5

Release notes

Sourced from @​nomicfoundation/hardhat-ethers's releases.

@​nomicfoundation/hardhat-ethers@​4.0.5

Changes

• 6674b00: Bump hardhat-utils major

---

💡 The Nomic Foundation is hiring! Check our open positions.

---

@​nomicfoundation/hardhat-ethers@​4.0.4

This release increases the gas limit to 60,000,000.

Patch Changes

• 5abcee6: Use Osaka as the default EVM target for solc 0.8.31+ and increase the gas limit per EIP-7935. Thanks @​Amxx! (#7813)

---

💡 The Nomic Foundation is hiring! Check our open positions.

---

@​nomicfoundation/hardhat-ethers@​4.0.3

What's Changed

• Updated installation instructions to use defineConfig

@​nomicfoundation/hardhat-ethers@​3.1.3

This release updates the default gas limit to take into account the Osaka transaction limit.

Changes

• NomicFoundation/hardhat@c69b99d: Update default gas limit to take into account osaka transaction limit (NomicFoundation/hardhat#7751)

---

💡 The Nomic Foundation is hiring! Check our open positions.

---

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​nomicfoundation/hardhat-ethers since your current version.

Updates @nomicfoundation/hardhat-toolbox from 6.1.0 to 7.0.0

Release notes

Sourced from @​nomicfoundation/hardhat-toolbox's releases.

@​nomicfoundation/hardhat-toolbox@​6.1.2

This release is a small bump to the version of solidity-coverage to include changes for the Osaka transaction gas limit.

Changes

• NomicFoundation/hardhat@a7e4215: Update solidity-coverage minimum version to include Osaka changes

---

💡 The Nomic Foundation is hiring! Check our open positions.

---

@​nomicfoundation/hardhat-toolbox@​6.1.1

This release is a small bug fix to re-enable the REPORT_GAS envvar when used with the Hardhat toolboxes.

Changes

• dc7ff8c: Fix REPORT_GAS envvar in toolboxes (NomicFoundation/hardhat#7367)
• 9d10226: Links in the code and READMEs updated to point to the Hardhat 2 documentation and resources

---

💡 The Nomic Foundation is hiring! Check our open positions.

---

Changelog

Sourced from @​nomicfoundation/hardhat-toolbox's changelog.

7.0.0

Major Changes

• 09ae6db: Deprecate the latest npm tag and redirect users to migrate to Hardhat 3 or to the hh2 tag.

Commits

• 6372d08 Version Packages
• a26e822 Remove the npm tags from the README.md files
• 18bef56 Quote the package in the installation instructions of the readmes
• e5025ae Update the formatting and quote the package in the installation instructions ...
• ee34347 Update hardhat-toolbox
• 7ade974 Version Packages
• a7e4215 feat: bump minimum version of solidity-coverage to Osaka
• e4ad0ad chore: update package metadata for provenance
• f65ee74 Version Packages
• a4f1e27 Hardhat 2 documentation links updated to reflect the domain change to v2.hard...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​nomicfoundation/hardhat-toolbox since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​nomicfoundation/​hardhat-toolbox@​6.1.0 ⏵ 7.0.0	+3		-7	+4
	@​nomicfoundation/​hardhat-chai-matchers@​2.1.0 ⏵ 3.0.0	+2		-27	+6
	@​nomicfoundation/​hardhat-ethers@​3.1.0 ⏵ 4.0.5	+1		+1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Network access: npm @sentry/core in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: package-lock.json → npm/@nomicfoundation/hardhat-ethers@4.0.5 → npm/@sentry/core@9.47.1 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/core@9.47.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm esbuild in module https Module: https Location: Package overview From: package-lock.json → npm/@nomicfoundation/hardhat-ethers@4.0.5 → npm/esbuild@0.27.3 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/esbuild@0.27.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		System shell access: npm esbuild in module child_process Module: child_process Location: Package overview From: package-lock.json → npm/@nomicfoundation/hardhat-ethers@4.0.5 → npm/esbuild@0.27.3 ℹ Read more on: This package | This alert | What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/esbuild@0.27.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Network access: npm esbuild in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: package-lock.json → npm/@nomicfoundation/hardhat-ethers@4.0.5 → npm/esbuild@0.27.3 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/esbuild@0.27.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Install-time scripts: npm esbuild during postinstall Install script: postinstall Source: node install.js From: package-lock.json → npm/@nomicfoundation/hardhat-ethers@4.0.5 → npm/esbuild@0.27.3 ℹ Read more on: This package | This alert | What is an install script? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/esbuild@0.27.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm @nomicfoundation/edr URLs: https://github.com/NomicFoundation/edr/issues/911, https://eips.ethereum.org/EIPS/eip-7825, https://optimism.alchemyapi.io/v2/... Location: Package overview From: package-lock.json → npm/@nomicfoundation/hardhat-ethers@4.0.5 → npm/@nomicfoundation/edr@0.12.0-next.24 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@nomicfoundation/edr@0.12.0-next.24. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm @nomicfoundation/hardhat-chai-matchers URLs: https://hardhat.org/migrate-from-hardhat2 Location: Package overview From: package-lock.json → npm/@nomicfoundation/hardhat-chai-matchers@3.0.0 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@nomicfoundation/hardhat-chai-matchers@3.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm @nomicfoundation/hardhat-errors URLs: https://github.com/nomiclabs/hardhat/issues/new, https://hardhat.org/hd-wallet-config, https://hardhat.org/ethers-library-linking, https://github.com/mochajs/mocha/issues/2706, https://github.com/wevm/viem/blob/main/src/chains/index.ts, https://hardhat.org/hardhat-network-helpers-fixtures, https://hardhat.org/chaining-async-matchers, https://hardhat.org/verify-custom-networks, https://etherscan.io/solcversions, https://getfoundry.sh Location: Package overview From: package-lock.json → npm/@nomicfoundation/hardhat-ethers@4.0.5 → npm/@nomicfoundation/hardhat-errors@3.0.7 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@nomicfoundation/hardhat-errors@3.0.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm @nomicfoundation/hardhat-toolbox URLs: https://hardhat.org/migrate-from-hardhat2 Location: Package overview From: package-lock.json → npm/@nomicfoundation/hardhat-toolbox@7.0.0 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@nomicfoundation/hardhat-toolbox@7.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm @nomicfoundation/hardhat-utils URLs: 127.0.0.1, https://nodejs.org/docs/latest-v20.x/api/fs.html#file-system-flags, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Number/isSafeInteger, https://github.com/juanjoDiaz/streamparser-json/issues/47 Location: Package overview From: package-lock.json → npm/@nomicfoundation/hardhat-ethers@4.0.5 → npm/@nomicfoundation/hardhat-utils@4.0.0 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@nomicfoundation/hardhat-utils@4.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm @nomicfoundation/hardhat-vendored with https://istanbul.js.org/ URLs: https://istanbul.js.org/ Location: Package overview From: package-lock.json → npm/@nomicfoundation/hardhat-ethers@4.0.5 → npm/@nomicfoundation/hardhat-vendored@3.0.1 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@nomicfoundation/hardhat-vendored@3.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm @nomicfoundation/hardhat-zod-utils URLs: https://github.com/colinhacks/zod/issues/2940#issuecomment-2380836931 Location: Package overview From: package-lock.json → npm/@nomicfoundation/hardhat-ethers@4.0.5 → npm/@nomicfoundation/hardhat-zod-utils@3.0.2 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@nomicfoundation/hardhat-zod-utils@3.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm @sentry/core URLs: console.info, https://develop.sentry.dev/sdk/telemetry/traces/#propagated-random-value, mcp.progress.total, https://developers.facebook.com/community/threads/320013549791141/, https://github.com/getsentry/sentry-javascript/issues/15065, mcp.client.name, mcp.method.name, mcp.request.id, mcp.session.id, mcp.server.name, mcp.tool.name, mcp.prompt.name, https://github.com/supabase-community/sentry-integration-js, gen_ai.response.id, gen_ai.operation.name, openai.response.id, Span.id, user.id, user.email, user.name, sentry.sdk.name, https://github.com/jshttp/cookie/blob/a0c84147aab6266bdb3996cf4062e93907c0b0fc/index.js, https://stackoverflow.com/a/3641782, https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string, http://s.io, https://github.com/getsentry/sentry-javascript/pull/8981, http://www.example.com, https://github.com/getsentry/sentry-javascript/issues/1233, https://github.com/getsentry/sentry-javascript/pull/7404, https://github.com/getsentry/sentry-javascript/pull/4196, breadcrumbs.data, ai.model.id, ai.toolCall.name, ai.toolCall.id, https://ai-sdk.dev/docs/ai-sdk-core/telemetry#tool-call-spans, https://opentelemetry.io/docs/specs/semconv/registry/attributes/gen-ai/#gen-ai-tool-type, gen_ai.tool.name, gen_ai.tool.call.id, ai.pipeline.name, ai.stream, ai.run, gen_ai.conversation.id, https://github.com/getsentry/sentry-javascript/issues/2590, https://github.com/mdn/content/issues/4713, https://dev.to/noamr/when-a-millisecond-is-not-a-millisecond-3h6, https://github.com/getsentry/sentry-javascript/issues/2590., https://develop.sentry.dev/sdk/data-handling/#structuring-data, https://opentelemetry.io/docs/specs/semconv/http/., https://opentelemetry.io/docs/specs/semconv/http/http-spans/#name, https://tools.ietf.org/html/rfc3986#appendix-B, http://example.com/my/path/static/asset.js, http://example.com/my/path, cloud.account.id, host.id, ui.click, https://developer.mozilla.org/en-US/docs/Web/API/WorkerLocation., https://en.wikipedia.org/wiki/List_of_tz_database_time_zones, https://docs.sentry.io/product/releases/, https://example.com/, https://external-api.com, gen_ai.request.stream, operation.name, ai.schema.name, resource.name, ai.response.id, span.data Location: Package overview From: package-lock.json → npm/@nomicfoundation/hardhat-ethers@4.0.5 → npm/@sentry/core@9.47.1 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/core@9.47.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Environment variable access: npm @sentry/core reads FUNCTIONS_WORKER_RUNTIME Env Vars: FUNCTIONS_WORKER_RUNTIME Location: Package overview From: package-lock.json → npm/@nomicfoundation/hardhat-ethers@4.0.5 → npm/@sentry/core@9.47.1 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/core@9.47.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Environment variable access: npm @sentry/core reads LAMBDA_TASK_ROOT Env Vars: LAMBDA_TASK_ROOT Location: Package overview From: package-lock.json → npm/@nomicfoundation/hardhat-ethers@4.0.5 → npm/@sentry/core@9.47.1 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/core@9.47.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Environment variable access: npm @sentry/core reads K_SERVICE Env Vars: K_SERVICE Location: Package overview From: package-lock.json → npm/@nomicfoundation/hardhat-ethers@4.0.5 → npm/@sentry/core@9.47.1 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/core@9.47.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Environment variable access: npm @sentry/core reads CF_PAGES Env Vars: CF_PAGES Location: Package overview From: package-lock.json → npm/@nomicfoundation/hardhat-ethers@4.0.5 → npm/@sentry/core@9.47.1 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/core@9.47.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Environment variable access: npm @sentry/core reads VERCEL Env Vars: VERCEL Location: Package overview From: package-lock.json → npm/@nomicfoundation/hardhat-ethers@4.0.5 → npm/@sentry/core@9.47.1 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/core@9.47.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Environment variable access: npm @sentry/core reads NETLIFY Env Vars: NETLIFY Location: Package overview From: package-lock.json → npm/@nomicfoundation/hardhat-ethers@4.0.5 → npm/@sentry/core@9.47.1 ℹ Read more on: This package | This alert | What is environment variable access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should be clear about which environment variables they access, and care should be taken to ensure they only access environment variables they claim to. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/core@9.47.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Dynamic module loading: npm @sentry/core Location: Package overview From: package-lock.json → npm/@nomicfoundation/hardhat-ethers@4.0.5 → npm/@sentry/core@9.47.1 ℹ Read more on: This package | This alert | What is dynamic require? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid dynamic imports when possible. Audit the use of dynamic require to ensure it is not executing malicious or vulnerable code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/core@9.47.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm @streamparser/json-node URLs: https://deno.land/x/streamparser_json@v0.0.22/index.ts, https://deno.land/x/streamparser_json@v0.0.22/tokenizer.ts, https://deno.land/x/streamparser_json@v0.0.17/utils/types/parsedElementInfo.ts Location: Package overview From: package-lock.json → npm/@nomicfoundation/hardhat-ethers@4.0.5 → npm/@streamparser/json-node@0.0.22 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@streamparser/json-node@0.0.22. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm chalk URLs: chalk.red.yellow.green, chalk.green, https://github.com/chalk/chalk/pull/92, https://github.com/Qix-/color-convert/blob/3f0e0d4e92e235796ccb17f6e85c72094a651f49/conversions.js Location: Package overview From: package-lock.json → npm/@nomicfoundation/hardhat-ethers@4.0.5 → npm/chalk@5.6.2 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/chalk@5.6.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm esbuild URLs: https://snapcraft.io/, https://nodejs.org/dist/, https://github.com/evanw/esbuild/issues/1711#issuecomment-1027554035, https://registry.npmjs.org/, https://yarnpkg.com/configuration/yarnrc/#supportedArchitectures, https://nodejs.org/en/download/., https://stackoverflow.com/questions/49580725, https://esbuild.github.io/api/#build, https://esbuild.github.io/api/#transform, https://esbuild.github.io/api/#analyze, https://esbuild.github.io/api/#browser Location: Package overview From: package-lock.json → npm/@nomicfoundation/hardhat-ethers@4.0.5 → npm/esbuild@0.27.3 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/esbuild@0.27.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm esbuild is 100.0% likely to have a medium risk anomaly Notes: The code represents a thorough and sophisticated installer for esbuild with multiple fallback mechanisms to acquire platform-appropriate binaries. While largely legitimate, its use of direct tarball downloads, manual extraction without explicit integrity validation, and the override/wrapper mechanism create nontrivial supply-chain and abuse risks. Recommend enabling strict binary integrity checks (checksums/signatures), minimizing or auditing the override/wrapper feature, and implementing tighter error visibility and logging to reduce operational risk and potential misuse. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@nomicfoundation/hardhat-ethers@4.0.5 → npm/esbuild@0.27.3 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/esbuild@0.27.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
See 23 more rows in the dashboard

View full report