[Snyk] Upgrade eslint from 8.57.1 to 9.27.0

[Dargon789]

Snyk has created this PR to upgrade eslint from 8.57.1 to 9.27.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

• The recommended version is 40 versions ahead of your current version.

• The recommended version was released a month ago.

Release notes

Package name: eslint

• 9.27.0 - 2025-05-16
  

  Features

  • d71e37f feat: Allow flags to be set in ESLINT_FLAGS env variable (#19717) (Nicholas C. Zakas)
  • ba456e0 feat: Externalize MCP server (#19699) (Nicholas C. Zakas)
  • 07c1a7e feat: add allowRegexCharacters to no-useless-escape (#19705) (sethamus)
  • 7bc6c71 feat: add no-unassigned-vars rule (#19618) (Jacob Bandes-Storch)
  • ee40364 feat: convert no-array-constructor suggestions to autofixes (#19621) (sethamus)
  • 32957cd feat: support TS syntax in max-params (#19557) (Nitin Kumar)

  Bug Fixes

  • 5687ce7 fix: correct mismatched removed rules (#19734) (루밀LuMir)
  • dc5ed33 fix: correct types and tighten type definitions in SourceCode class (#19731) (루밀LuMir)
  • de1b5de fix: correct service property name in Linter.ESLintParseResult type (#19713) (Francesco Trotta)
  • 60c3e2c fix: sort keys in eslint-suppressions.json to avoid git churn (#19711) (Ron Waldon-Howe)
  • 9da90ca fix: add allowReserved to Linter.ParserOptions type (#19710) (Francesco Trotta)
  • fbb8be9 fix: add info to ESLint.DeprecatedRuleUse type (#19701) (Francesco Trotta)

  Documentation

  • 25de550 docs: Update description of frozen rules to mention TypeScript (#19736) (Nicholas C. Zakas)
  • bd5def6 docs: Clean up configuration files docs (#19735) (Nicholas C. Zakas)
  • 4d0c60d docs: Add Neovim to editor integrations (#19729) (Maria José Solano)
  • 71317eb docs: Update README (GitHub Actions Bot)
  • 4c289e6 docs: Update README (GitHub Actions Bot)
  • f0f0d46 docs: clarify that unused suppressions cause non-zero exit code (#19698) (Milos Djermanovic)
  • 8ed3273 docs: fix internal usages of ConfigData type (#19688) (Francesco Trotta)
  • eb316a8 docs: add fmt and check sections to Package.json Conventions (#19686) (루밀LuMir)
  • a3a2559 docs: fix wording in Combine Configs (#19685) (Milos Djermanovic)
  • c8d17e1 docs: Update README (GitHub Actions Bot)

  Chores

  • f8f1560 chore: upgrade @ eslint/js@9.27.0 (#19739) (Milos Djermanovic)
  • ecaef73 chore: package.json update for @ eslint/js release (Jenkins)
  • 596fdc6 chore: update dependency @ arethetypeswrong/cli to ^0.18.0 (#19732) (renovate[bot])
  • f791da0 chore: remove unbalanced curly brace from .editorconfig (#19730) (Maria José Solano)
  • e86edee refactor: Consolidate Config helpers (#19675) (Nicholas C. Zakas)
  • cf36352 chore: remove shared types (#19718) (Francesco Trotta)
  • f60f276 refactor: Easier RuleContext creation (#19709) (Nicholas C. Zakas)
  • 58a171e chore: update dependency @ eslint/plugin-kit to ^0.3.1 (#19712) (renovate[bot])
  • 3a075a2 chore: update dependency @ eslint/core to ^0.14.0 (#19715) (renovate[bot])
  • 44bac9d ci: run tests in Node.js 24 (#19702) (Francesco Trotta)
  • 35304dd chore: add missing funding field to packages (#19684) (루밀LuMir)
  • f305beb test: mock process.emitWarning to prevent output disruption (#19687) (Francesco Trotta)
• 9.26.0 - 2025-05-02
  

  Features

  • e9754e7 feat: add reportGlobalThis to no-shadow-restricted-names (#19670) (sethamus)
  • 0fa2b7a feat: add suggestions for eqeqeq rule (#19640) (Nitin Kumar)
  • dcbdcc9 feat: Add MCP server (#19592) (Nicholas C. Zakas)
  • 2dfd83e feat: add ignoreDirectives option in no-unused-expressions (#19645) (sethamus)

  Bug Fixes

  • 96e84de fix: check cache file existence before deletion (#19648) (sethamus)
  • d683aeb fix: don't crash on tests with circular references in RuleTester (#19664) (Milos Djermanovic)
  • 9736d5d fix: add namespace to Plugin.meta type (#19661) (Milos Djermanovic)
  • 17bae69 fix: update RuleTester.run() type (#19634) (Nitin Kumar)

  Documentation

  • dd98d63 docs: Update README (GitHub Actions Bot)
  • c25e858 docs: Update README (GitHub Actions Bot)
  • b2397e9 docs: Update README (GitHub Actions Bot)
  • addd0a6 docs: fix formatting of unordered lists in Markdown (#19660) (Milos Djermanovic)
  • a21b38d docs: Update README (GitHub Actions Bot)
  • c0721a7 docs: fix double space in command (#19657) (CamWass)

  Chores

  • 5b247c8 chore: upgrade to @ eslint/js@9.26.0 (#19681) (Francesco Trotta)
  • d6fa4ac chore: package.json update for @ eslint/js release (Jenkins)
  • 0958690 chore: disambiguate internal types LanguageOptions and Rule (#19669) (Francesco Trotta)
  • f1c858e chore: fix internal type references to Plugin and Rule (#19665) (Francesco Trotta)
  • 40dd299 refactor: One-shot ESQuery selector analysis (#19652) (Nicholas C. Zakas)
  • 1cfd702 chore: update dependency @ eslint/json to ^0.12.0 (#19656) (renovate[bot])
• 9.25.1 - 2025-04-21
  

  Bug Fixes

  • cdc8e8c fix: revert directive detection in no-unused-expressions (#19639) (sethamus)

  Chores

  • 1f2b057 chore: upgrade @ eslint/js@9.25.1 (#19642) (Milos Djermanovic)
  • 771317f chore: package.json update for @ eslint/js release (Jenkins)
• 9.25.0 - 2025-04-18
  

  Features

  • dcd95aa feat: support TypeScript syntax in no-empty-function rule (#19551) (sethamus)
  • 77d6d5b feat: support TS syntax in no-unused-expressions (#19564) (Sweta Tanwar)
  • 90228e5 feat: support JSRuleDefinition type (#19604) (루밀LuMir)
  • 59ba6b7 feat: add allowObjects option to no-restricted-properties (#19607) (sethamus)
  • db650a0 feat: support TypeScript syntax in no-invalid-this rule (#19532) (Tanuj Kanti)
  • 9535cff feat: support TS syntax in no-loop-func (#19559) (Nitin Kumar)

  Bug Fixes

  • 910bd13 fix: nodeTypeKey not being used in NodeEventGenerator (#19631) (StyleShit)

  Documentation

  • ca7a735 docs: update no-undef-init when not to use section (#19624) (Tanuj Kanti)
  • 1b870c9 docs: use eslint-config-xo in the getting started guide (#19629) (Nitin Kumar)
  • 5d4af16 docs: add types for multiple rule options (#19616) (Tanuj Kanti)
  • e8f8d57 docs: Update README (GitHub Actions Bot)
  • a40348f docs: no-use-before-define tweaks (#19622) (Kirk Waiblinger)
  • 0ba3ae3 docs: Update README (GitHub Actions Bot)
  • 865dbfe docs: ensure "learn more" deprecation links point to useful resource (#19590) (Kirk Waiblinger)
  • f80b746 docs: add known limitations for no-self-compare (#19612) (Nitin Kumar)
  • 865aed6 docs: Update README (GitHub Actions Bot)

  Chores

  • 88dc196 chore: upgrade @ eslint/js@9.25.0 (#19636) (Milos Djermanovic)
  • 345288d chore: package.json update for @ eslint/js release (Jenkins)
  • affe6be chore: upgrade trunk (#19628) (sethamus)
  • dd20cf2 test: fix no-loop-func test with duplicate variable reports (#19610) (Milos Djermanovic)
  • bd05397 chore: upgrade @ eslint/* dependencies (#19606) (Milos Djermanovic)
  • 22ea18b chore: replace invalid int type with number inside JSDocs. (#19597) (Arya Emami)
• 9.24.0 - 2025-04-04
  

  Features

  • 556c25b feat: support loading TS config files using --experimental-strip-types (#19401) (Arya Emami)
  • 72650ac feat: support TS syntax in init-declarations (#19540) (Nitin Kumar)
  • 03fb0bc feat: normalize patterns to handle "./" prefix in files and ignores (#19568) (Pixel998)
  • 071dcd3 feat: support TS syntax in no-dupe-class-members (#19558) (Nitin Kumar)
  • cd72bcc feat: Introduce a way to suppress violations (#19159) (Iacovos Constantinou)
  • 2a81578 feat: support TS syntax in no-loss-of-precision (#19560) (Nitin Kumar)
  • 30ae4ed feat: add new options to class-methods-use-this (#19527) (sethamus)
  • b79ade6 feat: support TypeScript syntax in no-array-constructor (#19493) (Tanuj Kanti)

  Bug Fixes

  • b23d1c5 fix: deduplicate variable names in no-loop-func error messages (#19595) (Nitin Kumar)
  • fb8cdb8 fix: use any[] type for context.options (#19584) (Francesco Trotta)

  Documentation

  • f857820 docs: update documentation for --experimental-strip-types (#19594) (Nikolas Schröter)
  • 803e4af docs: simplify gitignore path handling in includeIgnoreFile section (#19596) (Thomas Broyer)
  • 6d979cc docs: Update README (GitHub Actions Bot)
  • 82177e4 docs: Update README (GitHub Actions Bot)
  • e849dc0 docs: replace existing var with const (#19578) (Sweta Tanwar)
  • 0c65c62 docs: don't pass filename when linting rule examples (#19571) (Milos Djermanovic)
  • 6be36c9 docs: Update custom-rules.md code example of fixer (#19555) (Yifan Pan)

  Build Related

  • 366e369 build: re-enable Prettier formatting for package.json files (#19569) (Francesco Trotta)

  Chores

  • ef67420 chore: upgrade @ eslint/js@9.24.0 (#19602) (Milos Djermanovic)
  • 4946847 chore: package.json update for @ eslint/js release (Jenkins)
  • a995acb chore: correct 'flter'/'filter' typo in package script (#19587) (Josh Goldberg ✨)
  • b9a5efa test: skip symlink test on Windows (#19503) (fisker Cheung)
  • 46eea6d chore: remove Rule & FormatterFunction from shared/types.js (#19556) (Nitin Kumar)
  • bdcc91d chore: modify .editorconfig to keep parity with prettier config (#19577) (Sweta Tanwar)
  • 7790d83 chore: fix some typos in comment (#19576) (todaymoon)
  • 76064a6 test: ignore package-lock.json for eslint-webpack-plugin (#19572) (Francesco Trotta)
• 9.23.0 - 2025-03-21
  

  Features

  • 557a0d2 feat: support TypeScript syntax in no-useless-constructor (#19535) (Josh Goldberg ✨)
  • 8320241 feat: support TypeScript syntax in default-param-last (#19431) (Josh Goldberg ✨)
  • 833c4a3 feat: defineConfig() supports "flat/" config prefix (#19533) (Nicholas C. Zakas)
  • 4a0df16 feat: circular autofix/conflicting rules detection (#19514) (Milos Djermanovic)
  • be56a68 feat: support TypeScript syntax in class-methods-use-this (#19498) (Josh Goldberg ✨)

  Bug Fixes

  • 0e20aa7 fix: move deprecated RuleContext methods to subtype (#19531) (Francesco Trotta)
  • cc3bd00 fix: reporting variable used in catch block in no-useless-assignment (#19423) (Tanuj Kanti)
  • d46ff83 fix: no-dupe-keys false positive with proto setter (#19508) (Milos Djermanovic)
  • e732773 fix: navigation of search results on pressing Enter (#19502) (Tanuj Kanti)
  • f4e9c5f fix: allow RuleTester to test files inside node_modules/ (#19499) (fisker Cheung)

  Documentation

  • 5405939 docs: show red underlines in TypeScript examples in rules docs (#19547) (Milos Djermanovic)
  • 48b53d6 docs: replace var with const in examples (#19539) (Nitin Kumar)
  • c39d7db docs: Update README (GitHub Actions Bot)
  • a4f8760 docs: revert accidental changes (#19542) (Francesco Trotta)
  • 280128f docs: add copy button (#19512) (xbinaryx)
  • cd83eaa docs: replace var with const in examples (#19530) (Nitin Kumar)
  • 7ff0cde docs: Update README (GitHub Actions Bot)
  • 996cfb9 docs: migrate sass to module system (#19518) (xbinaryx)
  • 17cb958 docs: replace var with let and const in rule examples (#19515) (Tanuj Kanti)
  • 83e24f5 docs: Replace var with let or const (

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
hardhat-project-uz7z	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jun 13, 2025 4:11pm

[codesandbox]

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders

Open Preview

[sourcery-ai]

Reviewer's Guide

This PR performs a single dependency bump, updating the ESLint version in the hardhat-network-helpers package from 8.x to the latest 9.27.0 release.

File-Level Changes

Change	Details	Files
Upgrade ESLint dependency to v9.27.0	Change the "eslint" version spec in package.json from "^8.44.0" to "^9.27.0"	packages/hardhat-network-helpers/package.json

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​types/​bignumber.js@​5.0.4
	@​types/​lodash.isequal@​4.5.8
	@​types/​lodash.clonedeep@​4.5.9
	@​types/​lodash.memoize@​4.1.9
	@​types/​find-up@​2.1.1
	@​types/​ci-info@​2.0.0
	eslint-module-utils@​2.7.3 ⏵ 2.12.0			+2
	@​types/​uuid@​8.3.4
	@​types/​async-eventemitter@​0.2.4
	@​types/​sinon-chai@​3.2.12
	eslint-config-prettier@​8.5.0 ⏵ 8.3.0	+1		+1
	@​types/​lru-cache@​5.1.1
	@​types/​resolve@​1.20.6
	@​nomicfoundation/​hardhat-toolbox@​2.0.2
	@​types/​fs-extra@​5.1.0
	@​types/​semver@​7.5.0 ⏵ 6.2.7			-1
	@​types/​ws@​7.4.7
	@​types/​chai-as-promised@​7.1.8
	@​types/​bn.js@​5.1.6
	@​types/​sinon@​9.0.11
	@​types/​chai@​4.3.20
	@​typescript-eslint/​utils@​5.13.0 ⏵ 8.26.1	+1		-3
	@​types/​mocha@​10.0.10
	@​fvictorio/​tabtab@​0.0.3
	env-paths@​2.2.1
	get-port@​5.1.1
	deep-eql@​4.1.4
	ansi-escapes@​4.3.2
	flag@​5.0.1
	eslint-plugin-node@​11.1.0
See 65 more rows in the dashboard

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action	Severity	Alert (click for details)
Block		crypto-js@3.3.0 has a Critical CVE. CVE: GHSA-xwcq-pm8m-c4vf crypto-js PBKDF2 1,000 times weaker than specified in 1993 and 1.3M times weaker than current standard (CRITICAL) Affected versions: < 4.2.0 Patched version: 4.2.0 From: pnpm-lock.yaml → npm/crypto-js@3.3.0 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/crypto-js@3.3.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		elliptic@6.5.4 has a Critical CVE. CVE: GHSA-vjh7-7g9h-fjfh Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string) (CRITICAL) Affected versions: < 6.6.1 Patched version: 6.6.1 From: pnpm-lock.yaml → npm/@nomiclabs/truffle-contract@4.5.10 → npm/elliptic@6.5.4 ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/elliptic@6.5.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		antlr4ts@0.5.0-alpha.4 has a License Policy Violation. License: BSD-3-Clause-HP (package/LICENSE) From: pnpm-lock.yaml → npm/hardhat-gas-reporter@1.0.10 → npm/antlr4ts@0.5.0-alpha.4 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/antlr4ts@0.5.0-alpha.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		axios@0.21.4 has a High CVE. CVE: GHSA-jr5f-v2jv-69x6 axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL (HIGH) Affected versions: >= 1.0.0 < 1.8.2; < 0.30.0 Patched version: 0.30.0 From: pnpm-lock.yaml → npm/axios@0.21.4 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@0.21.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		axios@1.7.7 has a High CVE. CVE: GHSA-jr5f-v2jv-69x6 axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL (HIGH) Affected versions: >= 1.0.0 < 1.8.2; < 0.30.0 Patched version: 0.30.0 From: pnpm-lock.yaml → npm/@ledgerhq/hw-app-eth@6.42.5 → npm/axios@1.7.7 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.7.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		bcrypt-pbkdf@1.0.2 has a License Policy Violation. License: BSD-3-Clause-HP (package/LICENSE) From: pnpm-lock.yaml → npm/bcrypt-pbkdf@1.0.2 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/bcrypt-pbkdf@1.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		caniuse-lite@1.0.30001703 has a License Policy Violation. License: CC-BY-4.0 (npm metadata) License: CC-BY-4.0 (package/LICENSE) License: CC-BY-4.0 (package/package.json) From: pnpm-lock.yaml → npm/caniuse-lite@1.0.30001703 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/caniuse-lite@1.0.30001703. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		chai-as-promised@7.1.2 has a License Policy Violation. License: WTFPL (npm metadata) License: WTFPL (package/LICENSE.txt) License: WTFPL (package/package.json) From: packages/hardhat-chai-matchers/package.json → npm/chai-as-promised@7.1.2 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/chai-as-promised@7.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		cids@0.7.5 has a License Policy Violation. License: OFL-1.1 (package/docs/assets/fonts/LICENSE.txt) From: pnpm-lock.yaml → npm/@nomiclabs/truffle-contract@4.5.10 → npm/cids@0.7.5 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/cids@0.7.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		es5-ext@0.10.64 is Protestware or potentially unwanted behavior. Note: The script attempts to run a local post-install script, which could potentially contain malicious code. The error handling suggests that it is designed to fail silently, which is a common tactic in malicious scripts. From: pnpm-lock.yaml → npm/es5-ext@0.10.64 ℹ Read more on: This package | This alert | What is protestware? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Consider that consuming this package may come along with functionality unrelated to its primary purpose. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/es5-ext@0.10.64. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		es5-ext@0.10.64 is Protestware or potentially unwanted behavior. Note: This package prints a protestware console message on install regarding Ukraine for users with Russian language locale From: pnpm-lock.yaml → npm/es5-ext@0.10.64 ℹ Read more on: This package | This alert | What is protestware? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Consider that consuming this package may come along with functionality unrelated to its primary purpose. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/es5-ext@0.10.64. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		eth-gas-reporter@0.2.27 has a License Policy Violation. License: GPL-3.0-only (package/mock/contracts/EtherRouter/EtherRouter.sol) License: GPL-3.0-only (package/mock/contracts/EtherRouter/Resolver.sol) From: pnpm-lock.yaml → npm/hardhat-gas-reporter@1.0.10 → npm/eth-gas-reporter@0.2.27 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/eth-gas-reporter@0.2.27. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		glob@7.2.0 has a License Policy Violation. License: CC-BY-SA-4.0 (package/LICENSE) From: pnpm-lock.yaml → npm/glob@7.2.0 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/glob@7.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		highlightjs-solidity@2.0.6 has a License Policy Violation. License: WTFPL (package/LICENSE) From: pnpm-lock.yaml → npm/@nomiclabs/truffle-contract@4.5.10 → npm/highlightjs-solidity@2.0.6 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/highlightjs-solidity@2.0.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		@ensdomains/ens@0.4.5 is Deprecated. Reason: Please use @ensdomains/ens-contracts From: pnpm-lock.yaml → npm/@nomiclabs/truffle-contract@4.5.10 → npm/@ensdomains/ens@0.4.5 ℹ Read more on: This package | This alert | What is a deprecated package? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ensdomains/ens@0.4.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		@ensdomains/resolver@0.2.4 is Deprecated. Reason: Please use @ensdomains/ens-contracts From: pnpm-lock.yaml → npm/@nomiclabs/truffle-contract@4.5.10 → npm/@ensdomains/resolver@0.2.4 ℹ Read more on: This package | This alert | What is a deprecated package? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ensdomains/resolver@0.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		@nomiclabs/hardhat-solpp@2.0.1 is an Unpopular package. Location: Package overview From: package-lock.json → npm/@nomiclabs/hardhat-solpp@2.0.1 ℹ Read more on: This package | This alert | What are unpopular packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Unpopular packages may have less maintenance and contain other problems. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@nomiclabs/hardhat-solpp@2.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		@truffle/abi-utils@1.0.3 is Deprecated. Reason: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info. From: pnpm-lock.yaml → npm/@nomiclabs/truffle-contract@4.5.10 → npm/@truffle/abi-utils@1.0.3 ℹ Read more on: This package | This alert | What is a deprecated package? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@truffle/abi-utils@1.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		@truffle/blockchain-utils@0.1.9 is Deprecated. Reason: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info. From: pnpm-lock.yaml → npm/@nomiclabs/truffle-contract@4.5.10 → npm/@truffle/blockchain-utils@0.1.9 ℹ Read more on: This package | This alert | What is a deprecated package? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@truffle/blockchain-utils@0.1.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		@truffle/codec@0.17.3 is Deprecated. Reason: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info. From: pnpm-lock.yaml → npm/@nomiclabs/truffle-contract@4.5.10 → npm/@truffle/codec@0.17.3 ℹ Read more on: This package | This alert | What is a deprecated package? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@truffle/codec@0.17.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		@truffle/compile-common@0.9.8 is Deprecated. Reason: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info. From: pnpm-lock.yaml → npm/@nomiclabs/truffle-contract@4.5.10 → npm/@truffle/compile-common@0.9.8 ℹ Read more on: This package | This alert | What is a deprecated package? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@truffle/compile-common@0.9.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		@truffle/contract-schema@3.4.16 is Deprecated. Reason: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info. From: pnpm-lock.yaml → npm/@nomiclabs/truffle-contract@4.5.10 → npm/@truffle/contract-schema@3.4.16 ℹ Read more on: This package | This alert | What is a deprecated package? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@truffle/contract-schema@3.4.16. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		@truffle/debug-utils@6.0.57 is Deprecated. Reason: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info. From: pnpm-lock.yaml → npm/@nomiclabs/truffle-contract@4.5.10 → npm/@truffle/debug-utils@6.0.57 ℹ Read more on: This package | This alert | What is a deprecated package? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@truffle/debug-utils@6.0.57. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		@truffle/error@0.1.1 is Deprecated. Reason: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info. From: pnpm-lock.yaml → npm/@nomiclabs/truffle-contract@4.5.10 → npm/@truffle/error@0.1.1 ℹ Read more on: This package | This alert | What is a deprecated package? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@truffle/error@0.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		@truffle/error@0.2.2 is Deprecated. Reason: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info. From: pnpm-lock.yaml → npm/@nomiclabs/truffle-contract@4.5.10 → npm/@truffle/error@0.2.2 ℹ Read more on: This package | This alert | What is a deprecated package? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@truffle/error@0.2.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
See 9 more rows in the dashboard

View full report

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
npm/eslint	^9.27.0	🟢 7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 25 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 8 Found 25/30 approved changesets -- score normalized to 8 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected License 🟢 10 license file detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Vulnerabilities 🟢 10 0 existing vulnerabilities detected Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration Security-Policy 🟢 10 security policy file detected Signed-Releases ⚠️ -1 no releases found Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed SAST 🟢 10 SAST tool is run on all commits

Scanned Files

• packages/hardhat-network-helpers/package.json