Bump undici, @nomicfoundation/hardhat-chai-matchers, @nomicfoundation/hardhat-ethers and @nomicfoundation/hardhat-toolbox

[dependabot]

Bumps undici to 6.24.1 and updates ancestor dependencies undici, @nomicfoundation/hardhat-chai-matchers, @nomicfoundation/hardhat-ethers and @nomicfoundation/hardhat-toolbox. These dependencies need to be updated together.

Updates undici from 5.29.0 to 6.24.1

Release notes

Sourced from undici's releases.

v6.24.1

Full Changelog: nodejs/undici@v6.24.0...v6.24.1

v6.24.0

Undici v6.24.0 Security Release Notes (LTS)

This release backports fixes for security vulnerabilities affecting the v6 line.

Upgrade guidance

All users on v6 should upgrade to v6.24.0 or later.

Fixed advisories

• GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
  Inconsistent interpretation of HTTP requests (request/response smuggling class issue).

• GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
  Malicious WebSocket 64-bit frame length handling could crash the client.

• GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)
  CRLF injection via the upgrade option.

• GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 (High)
  Unhandled exception from invalid server_max_window_bits in WebSocket permessage-deflate negotiation.

• GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 (High)
  Unbounded memory consumption in WebSocket permessage-deflate decompression.

Not applicable to v6

• GHSA-phc3-fgpg-7m6h / CVE-2026-2581 affects >= 7.17.0 < 7.24.0 only.

Affected and patched ranges (v6)

• CVE-2026-1525: affected < 6.24.0, patched 6.24.0
• CVE-2026-1528: affected >= 6.0.0 < 6.24.0, patched 6.24.0
• CVE-2026-1527: affected < 6.24.0, patched 6.24.0
• CVE-2026-2229: affected < 6.24.0, patched 6.24.0
• CVE-2026-1526: affected < 6.24.0, patched 6.24.0

References

• GitHub Security Advisories: https://github.com/nodejs/undici/security/advisories
• NVD CVE-2026-1525: https://nvd.nist.gov/vuln/detail/CVE-2026-1525
• NVD CVE-2026-1528: https://nvd.nist.gov/vuln/detail/CVE-2026-1528
• NVD CVE-2026-1527: https://nvd.nist.gov/vuln/detail/CVE-2026-1527
• NVD CVE-2026-2229: https://nvd.nist.gov/vuln/detail/CVE-2026-2229
• NVD CVE-2026-1526: https://nvd.nist.gov/vuln/detail/CVE-2026-1526

... (truncated)

Commits

• c0cf656 Bumped v6.24.1
• f5a9f0c Fix v6 release workflow branch targeting
• af2cb8f wqremove maxDecompressedMessageSize (#4891)
• 8873c94 Bumped v6.24.0
• 411bd01 test(websocket): use node:assert for Node 18 compatibility
• 844bf59 test: fix http2 lint regressions in backport
• a444e4f test: stabilize h2 and tls-cert-leak under current test runner
• dc032a1 fix: h2 CI (#4395)
• 4cd3f4b test: increase bitness in test/fixtures/*.pem (#3659)
• 7df6442 fix: adapt websocket frame-limit handling for v6 parser
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for undici since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates @nomicfoundation/hardhat-chai-matchers from 2.1.0 to 3.0.0

Release notes

Sourced from @​nomicfoundation/hardhat-chai-matchers's releases.

@​nomicfoundation/hardhat-ledger@​3.0.0

This is a major update that makes hardhat-ledger compatible and usable from Hardhat 3.

See the README for more details of how to use @nomicfoundation/hardhat-ledger from your project.

Changes

• a7686bd: Update hardhat-ledger to support Hardhat 3 (#7272)

---

💡 The Nomic Foundation is hiring! Check our open positions.

---

@​nomicfoundation/hardhat-vendored@​3.0.0

This is the initial release.

---

💡 The Nomic Foundation is hiring! Check our open positions.

---

@​nomicfoundation/hardhat-foundry@​3.0.0

Changes

• 4cd63e9: Introduce the @nomicfoundation/hardhat-foundry plugin for Hardhat 3

---

💡 The Nomic Foundation is hiring! Check our open positions.

---

Hardhat v2.28.6

This release is a small bug fix for an issue affecting hardhat-tracer after a hardhat_reset.

Changes

• f6d5437: Fixed an issue affecting the hardhat-tracer community plugin causing traces to stop being reported after calling hardhat_reset (#7918)

---

💡 The Nomic Foundation is hiring! Check our open positions.

---

Hardhat v2.28.5

This release is a small enhancement adding eth_getProof as a JSON-RPC method.

Changes

• 6e1f27c: Added support for eth_getProof as a JSON-RPC method (#7933)

---

💡 The Nomic Foundation is hiring! Check our open positions.

... (truncated)

Changelog

Sourced from @​nomicfoundation/hardhat-chai-matchers's changelog.

3.0.0

Major Changes

• 09ae6db: Deprecate the latest npm tag and redirect users to migrate to Hardhat 3 or to the hh2 tag.

Commits

• 6372d08 Version Packages
• a26e822 Remove the npm tags from the README.md files
• 18bef56 Quote the package in the installation instructions of the readmes
• e5025ae Update the formatting and quote the package in the installation instructions ...
• 40525f5 Update hardhat-chai-matchers
• 81dd4ec Version Packages
• 8da8c38 chore: update readme instructions instructions to use hh2 tag
• e4ad0ad chore: update package metadata for provenance
• f65ee74 Version Packages
• a4f1e27 Hardhat 2 documentation links updated to reflect the domain change to v2.hard...
• See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​nomicfoundation/hardhat-chai-matchers since your current version.

Updates @nomicfoundation/hardhat-ethers from 3.1.0 to 4.0.6

Release notes

Sourced from @​nomicfoundation/hardhat-ethers's releases.

@​nomicfoundation/hardhat-ethers@​4.0.6

Changes

• bc193be: Use concrete value types for contract names in hardhat-viem and hardhat-ethers

---

💡 The Nomic Foundation is hiring! Check our open positions.

---

@​nomicfoundation/hardhat-ethers@​4.0.5

Changes

• 6674b00: Bump hardhat-utils major

---

💡 The Nomic Foundation is hiring! Check our open positions.

---

@​nomicfoundation/hardhat-ethers@​4.0.4

This release increases the gas limit to 60,000,000.

Patch Changes

• 5abcee6: Use Osaka as the default EVM target for solc 0.8.31+ and increase the gas limit per EIP-7935. Thanks @​Amxx! (#7813)

---

💡 The Nomic Foundation is hiring! Check our open positions.

---

@​nomicfoundation/hardhat-ethers@​3.1.3

This release updates the default gas limit to take into account the Osaka transaction limit.

Changes

• NomicFoundation/hardhat@c69b99d: Update default gas limit to take into account osaka transaction limit (NomicFoundation/hardhat#7751)

---

💡 The Nomic Foundation is hiring! Check our open positions.

---

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​nomicfoundation/hardhat-ethers since your current version.

Updates @nomicfoundation/hardhat-toolbox from 6.1.0 to 7.0.0

Release notes

Sourced from @​nomicfoundation/hardhat-toolbox's releases.

@​nomicfoundation/hardhat-toolbox@​6.1.2

This release is a small bump to the version of solidity-coverage to include changes for the Osaka transaction gas limit.

Changes

• NomicFoundation/hardhat@a7e4215: Update solidity-coverage minimum version to include Osaka changes

---

💡 The Nomic Foundation is hiring! Check our open positions.

---

Changelog

Sourced from @​nomicfoundation/hardhat-toolbox's changelog.

7.0.0

Major Changes

• 09ae6db: Deprecate the latest npm tag and redirect users to migrate to Hardhat 3 or to the hh2 tag.

Commits

• 6372d08 Version Packages
• a26e822 Remove the npm tags from the README.md files
• 18bef56 Quote the package in the installation instructions of the readmes
• e5025ae Update the formatting and quote the package in the installation instructions ...
• ee34347 Update hardhat-toolbox
• 7ade974 Version Packages
• a7e4215 feat: bump minimum version of solidity-coverage to Osaka
• e4ad0ad chore: update package metadata for provenance
• f65ee74 Version Packages
• a4f1e27 Hardhat 2 documentation links updated to reflect the domain change to v2.hard...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​nomicfoundation/hardhat-toolbox since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​nomicfoundation/​hardhat-toolbox@​6.1.0 ⏵ 7.0.0	+3		-7	+4
	@​nomicfoundation/​hardhat-chai-matchers@​2.1.0 ⏵ 3.0.0	+2		-27	+6
	@​nomicfoundation/​hardhat-ethers@​3.1.0 ⏵ 4.0.6	+1		+1	+2

View full report