Update @openzeppelin/community-contracts digest to 7322fa7

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
@openzeppelin/community-contracts	devDependencies	digest	b0ddd27 -> 7322fa7

🔡 If you wish to disable git hash updates, add ":disableDigestUpdates" to the extends array in your config.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

Updated the @openzeppelin/community-contracts devDependency in the Solidity package to reference a different commit SHA (from b0ddd27 to 3b358b3) of the same git repository.

Changes

Cohort / File(s)	Summary
Dependency Update packages/core/solidity/package.json	Updated @openzeppelin/community-contracts devDependency git commit reference from b0ddd27 to 3b358b3

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The PR title claims digest update to 7322fa7, but the actual change is from b0ddd27 to 3b358b3, causing a mismatch.	Update the PR title to reflect the correct commit SHA: 'Update @openzeppelin/community-contracts digest to 3b358b3'.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.
Description check	✅ Passed	The pull request description is related to the changeset - it documents a dependency digest update for @openzeppelin/community-contracts.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		High CVE: Axios is vulnerable to DoS attack through lack of data size check CVE: GHSA-4hjh-wcwx-xvwj Axios is vulnerable to DoS attack through lack of data size check (HIGH) Affected versions: >= 1.0.0 < 1.12.0; < 0.30.2 Patched version: 1.12.0 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/axios@1.11.0 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.11.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm amdefine is 100.0% likely to have a medium risk anomaly Notes: The code implements a global module loader hook that prepends a require('amdefine')(module) shim to nearly all .js modules before they are compiled. This is not directly overtly malicious, but it is a high-impact supply-chain/style modification: it alters every module load, can obscure behavior from static analysis, and increases attack surface if an attacker can modify this package or the amdefine module. Use of this module should be considered a risk in environments that require strict control of execution semantics or provenance; review and pin amdefine and this loader carefully. No clear evidence of direct data exfiltration or backdoor in this fragment. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/amdefine@1.0.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/amdefine@1.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm asynckit is 100.0% likely to have a medium risk anomaly Notes: The analyzed code is a standard wrapper/adapter for long-signature iterators in a streaming context. It includes proper handling to avoid duplicate callbacks, emits errors correctly, and finalizes the stream appropriately. There is no indication of malicious behavior, data exfiltration, or backdoor-like mechanisms. The risk is minimal and primarily relates to correct usage by downstream code (e.g., ensuring stream object has the expected properties). Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/asynckit@0.4.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/asynckit@0.4.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm axios is 100.0% likely to have a medium risk anomaly Notes: The code appears to be a standard, well-scoped progress-event utility used to report progress (upload/download) to a consumer listener. It reads input from the event object and computes metrics, then forwards a structured payload to a listener. A minor data exposure risk exists due to passing the raw event object to the listener; mitigations include sanitizing the payload or removing the event object before emission. Overall security risk remains modest, with malware likelihood negligible in this isolated module. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/axios@1.11.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.11.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm axios is 100.0% likely to have a medium risk anomaly Notes: The code is a legitimate, self-contained throttling transformer designed for Axios-like streaming workflows. It throttles data output based on maxRate and timeWindow, preserves data integrity by splitting chunks when necessary, and emits optional progress telemetry. No malicious activity or data leakage is detected in this fragment. Security risk remains moderate due to throttling complexity and potential misconfiguration in real deployments, but the module itself does not introduce obvious security flaws. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/axios@1.11.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.11.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm chalk is 100.0% likely to have a medium risk anomaly Notes: This is a conventional Chalk-like color-styling module. It exhibits expected behavior for terminal styling, uses environment checks for compatibility, and does not demonstrate malicious activity, data leakage, or external communications. Security risk is low in isolation; the primary considerations are safe usage in environments where ANSI sequences could affect log readability or concealment, and ensuring trusted template renderingCode integrity. Overall, the component appears benign within its described scope. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/chalk@2.4.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/chalk@2.4.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm fs-extra is 100.0% likely to have a medium risk anomaly Notes: The copy.js module appears to be a legitimate and secure filesystem copy utility with appropriate safeguards and options. No malicious activity detected, and typical supply-chain risk is limited to the general risk of filesystem operations. The code is suitable for inclusion in a package like fs-extra with normal risk expectations. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/fs-extra@9.1.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fs-extra@9.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm node-addon-api is 100.0% likely to have a medium risk anomaly Notes: The script is a legitimate formatting helper within a Node.js project. It orchestrates clang-format via git-clang-format, supports fix and diff modes, and provides actionable feedback to the developer. While operational dependencies exist, no malicious activity or data leakage is evident based on the provided code and typical usage. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@openzeppelin/hardhat-upgrades@3.9.1 → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/node-addon-api@5.1.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/node-addon-api@5.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm pbkdf2 is 72.0% likely to have a medium risk anomaly Notes: The code is a straightforward and correct PBKDF2 implementation using HMAC with support for multiple digests and standard input handling. No malicious behavior detected. Security risk mainly derives from correct usage (encodings, salt handling, and proper key length) and from the absence of explicit side-channel hardening within the function. Recommendations focus on careful integration and memory hygiene, and optional refinements for side-channel resilience in high-assurance contexts. Confidence: 0.72 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@openzeppelin/hardhat-upgrades@3.9.1 → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/pbkdf2@3.1.3 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/pbkdf2@3.1.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm sc-istanbul is 100.0% likely to have a medium risk anomaly Notes: No direct malicious actions (network exfiltration, reverse shells, or hard-coded credentials) are present in this fragment. However, the module intentionally monkeypatches Node's module loader and VM APIs to transform and execute code at load time. Those capabilities are high-risk: if a malicious transformer/matcher is supplied (or if the package itself is replaced with a malicious version), it can inject arbitrary code into any loaded module, enabling supply-chain attacks, data theft, or backdoors. Reviewers should treat usage of this module as a high-privilege operation, ensure transformers are trusted, and limit hook usage to controlled environments. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/sc-istanbul@0.4.6 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/sc-istanbul@0.4.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm undici is 100.0% likely to have a medium risk anomaly Notes: The analyzed code appears to implement a standard in-memory cache batch operation flow (put/delete) with careful handling of response bodies by buffering and storing bytes for caching. No signs of malware, data exfiltration, backdoors, or obfuscated behavior were found. The primary security considerations relate to memory usage from buffering potentially large response bodies and ensuring robust validation within batch operations to prevent cache state corruption. Overall risk is moderate, driven by in-memory data handling rather than external communication. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/upgradeable/package-lock.json → npm/@openzeppelin/hardhat-upgrades@3.9.1 → npm/undici@6.21.3 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@6.21.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm viem is 100.0% likely to have a medium risk anomaly Notes: The code implements a cross-chain deposit flow with proper validations, artifact reads, and on-chain interactions. There is no evidence of hidden backdoors, data exfiltration, or malware. The main security considerations relate to token approval logic and correct configuration of flags to avoid granting excessive allowances. Overall, the module appears legitimate for a bridge deposit flow, with moderate risk primarily around configuration of approvals and correct handling of gas/fees. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/viem@2.33.3 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/viem@2.33.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm ws is 100.0% likely to have a medium risk anomaly Notes: The code implements a standard EventTarget-like mixin for wrapping event listeners and dispatching events to user callbacks. There are no suspicious patterns such as dynamic code execution, hardcoded secrets, or network activity. The risk is contingent on what the consumer does inside their handlers; the snippet itself does not introduce malware or data leakage mechanisms beyond normal event dispatch. Overall security risk is low in isolation. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@openzeppelin/hardhat-upgrades@3.9.1 → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/ws@8.17.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ws@8.17.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm ws is 100.0% likely to have a medium risk anomaly Notes: The code implements a standard EventTarget-like mixin for wrapping event listeners and dispatching events to user callbacks. There are no suspicious patterns such as dynamic code execution, hardcoded secrets, or network activity. The risk is contingent on what the consumer does inside their handlers; the snippet itself does not introduce malware or data leakage mechanisms beyond normal event dispatch. Overall security risk is low in isolation. Confidence: 1.00 Severity: 0.60 From: packages/core/solidity/src/environments/hardhat/package-lock.json → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/@nomicfoundation/hardhat-toolbox@6.1.0 → npm/ws@8.18.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ws@8.18.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm buffer is 96.0% likely obfuscated Confidence: 0.96 Location: Package overview From: packages/core/solidity/src/environments/hardhat/upgradeable/package-lock.json → npm/@openzeppelin/hardhat-upgrades@3.9.1 → npm/buffer@4.9.2 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/buffer@4.9.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​nomicfoundation/​hardhat-toolbox@​6.1.0
	@​openzeppelin/​hardhat-upgrades@​3.9.1
	hardhat@​2.26.3 ⏵ 2.26.5	+1		+2	+1

View full report