V1 #65

Merged: 0age merged 600 commits into main from v1 on Sep 16, 2025
Conversation

0age (Contributor) commented Apr 8, 2025

This PR is meant to serve as a forum for review and comments for V1 development. Work is still underway on implementing the final V1 feature set.

codecov-commenter commented Apr 16, 2025

Codecov Report

❌ Patch coverage is 97.81977% with 15 lines in your changes missing coverage. Please review.
✅ Project coverage is 98.39%. Comparing base (e2874e3) to head (3d000f9).

Files with missing lines                   Patch %   Lines
src/lib/ClaimHashFunctionCastLib.sol        0.00%    6 Missing ⚠️
src/lib/ClaimProcessorFunctionCastLib.sol   0.00%    4 Missing ⚠️
src/lib/TransferBenchmarker.sol            96.73%    3 Missing ⚠️
src/lib/Tstorish.sol                       95.12%    2 Missing ⚠️
Additional details and impacted files


@@            Coverage Diff             @@
##             main      #65      +/-   ##
==========================================
+ Coverage   90.62%   98.39%   +7.77%     
==========================================
  Files          36       41       +5     
  Lines        1706     1809     +103     
  Branches       98       99       +1     
==========================================
+ Hits         1546     1780     +234     
+ Misses        150       29     -121     
+ Partials       10        0      -10     
Files with missing lines          Coverage Δ
src/TheCompact.sol                100.00% <100.00%> (ø)
src/lib/AllocatorLib.sol          100.00% <100.00%> (ø)
src/lib/AllocatorLogic.sol        100.00% <100.00%> (ø)
src/lib/BenchmarkERC20.sol        100.00% <ø> (+36.36%) ⬆️
src/lib/ClaimHashLib.sol          100.00% <100.00%> (ø)
src/lib/ClaimProcessor.sol        100.00% <ø> (ø)
src/lib/ClaimProcessorLib.sol     100.00% <100.00%> (ø)
src/lib/ClaimProcessorLogic.sol   100.00% <100.00%> (ø)
src/lib/ComponentLib.sol          100.00% <100.00%> (ø)
src/lib/ConstructorLogic.sol      100.00% <100.00%> (+15.62%) ⬆️
... and 31 more

Continue to review full report in Codecov by Sentry.

Legend:
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update e2874e3...3d000f9. Read the comment docs.


socket-security bot commented May 14, 2025

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff    Package                                     Supply Chain Security   Vulnerability   Quality   Maintenance   License
Added   @nomicfoundation/hardhat-foundry@1.2.0       88                     100             73        90            100
Added   @nomicfoundation/hardhat-toolbox-viem@4.1.0  79                     100             74        99            100
Added   @types/chai@4.3.20                          100                     100             77        82            100
Added   hardhat-gas-reporter@2.3.0                   98                     100            100        80            100
Added   hardhat@2.26.3                               94                     100             91       100             80
Added   chai@4.5.0                                  100                     100            100        92            100
Added   viem@2.29.2                                 100                     100            100        97            100

View full report

socket-security bot commented May 14, 2025

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action | Severity | Alert
Warn High
Socket optimized override available for aggregate-error@3.1.0.

cleanup available: Run npx socket optimize

From: package-lock.json > npm/hardhat@2.26.3 > npm/aggregate-error@3.1.0

ℹ Read more on: This package | This alert | Using Socket CLI to optimize dependencies

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Run `npx socket optimize` in your repository to optimize your dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/aggregate-error@3.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Socket optimized override available for available-typed-arrays@1.0.7.

cleanup available: Run npx socket optimize

From: package-lock.json > npm/@nomicfoundation/hardhat-toolbox-viem@4.1.0 > npm/available-typed-arrays@1.0.7

ℹ Read more on: This package | This alert | Using Socket CLI to optimize dependencies

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Run `npx socket optimize` in your repository to optimize your dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/available-typed-arrays@1.0.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
axios@1.11.0 has a High CVE.

CVE: GHSA-4hjh-wcwx-xvwj Axios is vulnerable to DoS attack through lack of data size check (HIGH)

Affected versions: < 1.12.0

Patched version: 1.12.0

From: package-lock.json > npm/hardhat-gas-reporter@2.3.0 > npm/axios@1.11.0

ℹ Read more on: This package | This alert | What is a CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.11.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Socket optimized override available for es-define-property@1.0.1.

cleanup available: Run npx socket optimize

From: package-lock.json > npm/hardhat-gas-reporter@2.3.0 > npm/@nomicfoundation/hardhat-toolbox-viem@4.1.0 > npm/es-define-property@1.0.1

ℹ Read more on: This package | This alert | Using Socket CLI to optimize dependencies

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Run `npx socket optimize` in your repository to optimize your dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/es-define-property@1.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Socket optimized override available for es-set-tostringtag@2.1.0.

cleanup available: Run npx socket optimize

From: package-lock.json > npm/hardhat-gas-reporter@2.3.0 > npm/es-set-tostringtag@2.1.0

ℹ Read more on: This package | This alert | Using Socket CLI to optimize dependencies

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Run `npx socket optimize` in your repository to optimize your dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/es-set-tostringtag@2.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Socket optimized override available for for-each@0.3.5.

cleanup available: Run npx socket optimize

From: package-lock.json > npm/@nomicfoundation/hardhat-toolbox-viem@4.1.0 > npm/for-each@0.3.5

ℹ Read more on: This package | This alert | Using Socket CLI to optimize dependencies

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Run `npx socket optimize` in your repository to optimize your dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/for-each@0.3.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Socket optimized override available for function-bind@1.1.2.

cleanup available: Run npx socket optimize

From: package-lock.json > npm/hardhat-gas-reporter@2.3.0 > npm/@nomicfoundation/hardhat-toolbox-viem@4.1.0 > npm/function-bind@1.1.2

ℹ Read more on: This package | This alert | Using Socket CLI to optimize dependencies

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Run `npx socket optimize` in your repository to optimize your dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/function-bind@1.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Socket optimized override available for gopd@1.2.0.

cleanup available: Run npx socket optimize

From: package-lock.json > npm/hardhat-gas-reporter@2.3.0 > npm/@nomicfoundation/hardhat-toolbox-viem@4.1.0 > npm/gopd@1.2.0

ℹ Read more on: This package | This alert | Using Socket CLI to optimize dependencies

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Run `npx socket optimize` in your repository to optimize your dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/gopd@1.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Socket optimized override available for has-property-descriptors@1.0.2.

cleanup available: Run npx socket optimize

From: package-lock.json > npm/@nomicfoundation/hardhat-toolbox-viem@4.1.0 > npm/has-property-descriptors@1.0.2

ℹ Read more on: This package | This alert | Using Socket CLI to optimize dependencies

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Run `npx socket optimize` in your repository to optimize your dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/has-property-descriptors@1.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Socket optimized override available for has-symbols@1.1.0.

cleanup available: Run npx socket optimize

From: package-lock.json > npm/hardhat-gas-reporter@2.3.0 > npm/@nomicfoundation/hardhat-toolbox-viem@4.1.0 > npm/has-symbols@1.1.0

ℹ Read more on: This package | This alert | Using Socket CLI to optimize dependencies

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Run `npx socket optimize` in your repository to optimize your dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/has-symbols@1.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Socket optimized override available for has-tostringtag@1.0.2.

cleanup available: Run npx socket optimize

From: package-lock.json > npm/hardhat-gas-reporter@2.3.0 > npm/@nomicfoundation/hardhat-toolbox-viem@4.1.0 > npm/has-tostringtag@1.0.2

ℹ Read more on: This package | This alert | Using Socket CLI to optimize dependencies

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Run `npx socket optimize` in your repository to optimize your dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/has-tostringtag@1.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Socket optimized override available for hasown@2.0.2.

cleanup available: Run npx socket optimize

From: package-lock.json > npm/hardhat-gas-reporter@2.3.0 > npm/@nomicfoundation/hardhat-toolbox-viem@4.1.0 > npm/hasown@2.0.2

ℹ Read more on: This package | This alert | Using Socket CLI to optimize dependencies

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Run `npx socket optimize` in your repository to optimize your dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/hasown@2.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Socket optimized override available for indent-string@4.0.0.

cleanup available: Run npx socket optimize

From: package-lock.json > npm/hardhat@2.26.3 > npm/indent-string@4.0.0

ℹ Read more on: This package | This alert | Using Socket CLI to optimize dependencies

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Run `npx socket optimize` in your repository to optimize your dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/indent-string@4.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Socket optimized override available for is-typed-array@1.1.15.

cleanup available: Run npx socket optimize

From: package-lock.json > npm/@nomicfoundation/hardhat-toolbox-viem@4.1.0 > npm/is-typed-array@1.1.15

ℹ Read more on: This package | This alert | Using Socket CLI to optimize dependencies

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Run `npx socket optimize` in your repository to optimize your dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/is-typed-array@1.1.15. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Socket optimized override available for is-unicode-supported@0.1.0.

cleanup available: Run npx socket optimize

From: package-lock.json > npm/@nomicfoundation/hardhat-toolbox-viem@4.1.0 > npm/hardhat@2.26.3 > npm/is-unicode-supported@0.1.0

ℹ Read more on: This package | This alert | Using Socket CLI to optimize dependencies

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Run `npx socket optimize` in your repository to optimize your dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/is-unicode-supported@0.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Socket optimized override available for isarray@2.0.5.

cleanup available: Run npx socket optimize

From: package-lock.json > npm/@nomicfoundation/hardhat-toolbox-viem@4.1.0 > npm/isarray@2.0.5

ℹ Read more on: This package | This alert | Using Socket CLI to optimize dependencies

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Run `npx socket optimize` in your repository to optimize your dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/isarray@2.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Socket optimized override available for path-parse@1.0.7.

cleanup available: Run npx socket optimize

From: package-lock.json > npm/@nomicfoundation/hardhat-toolbox-viem@4.1.0 > npm/hardhat@2.26.3 > npm/path-parse@1.0.7

ℹ Read more on: This package | This alert | Using Socket CLI to optimize dependencies

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Run `npx socket optimize` in your repository to optimize your dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/path-parse@1.0.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Socket optimized override available for safe-buffer@5.2.1.

cleanup available: Run npx socket optimize

From: package-lock.json > npm/@nomicfoundation/hardhat-toolbox-viem@4.1.0 > npm/hardhat@2.26.3 > npm/safe-buffer@5.2.1

ℹ Read more on: This package | This alert | Using Socket CLI to optimize dependencies

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Run `npx socket optimize` in your repository to optimize your dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/safe-buffer@5.2.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Socket optimized override available for safer-buffer@2.1.2.

cleanup available: Run npx socket optimize

From: package-lock.json > npm/hardhat@2.26.3 > npm/safer-buffer@2.1.2

ℹ Read more on: This package | This alert | Using Socket CLI to optimize dependencies

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Run `npx socket optimize` in your repository to optimize your dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/safer-buffer@2.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
safer-buffer@2.1.2 has Obfuscated code.

Confidence: 0.94

Location: Package overview

From: package-lock.json > npm/hardhat@2.26.3 > npm/safer-buffer@2.1.2

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/safer-buffer@2.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Socket optimized override available for set-function-length@1.2.2.

cleanup available: Run npx socket optimize

From: package-lock.json > npm/@nomicfoundation/hardhat-toolbox-viem@4.1.0 > npm/set-function-length@1.2.2

ℹ Read more on: This package | This alert | Using Socket CLI to optimize dependencies

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Run `npx socket optimize` in your repository to optimize your dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/set-function-length@1.2.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Socket optimized override available for typed-array-buffer@1.0.3.

cleanup available: Run npx socket optimize

From: package-lock.json > npm/@nomicfoundation/hardhat-toolbox-viem@4.1.0 > npm/typed-array-buffer@1.0.3

ℹ Read more on: This package | This alert | Using Socket CLI to optimize dependencies

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Run `npx socket optimize` in your repository to optimize your dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/typed-array-buffer@1.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Socket optimized override available for which-typed-array@1.1.19.

cleanup available: Run npx socket optimize

From: package-lock.json > npm/@nomicfoundation/hardhat-toolbox-viem@4.1.0 > npm/which-typed-array@1.1.19

ℹ Read more on: This package | This alert | Using Socket CLI to optimize dependencies

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Run `npx socket optimize` in your repository to optimize your dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/which-typed-array@1.1.19. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
@nomicfoundation/edr@0.11.3 has Shell access.

Module: child_process

Location: Package overview

From: package-lock.json > npm/hardhat@2.26.3 > npm/@nomicfoundation/edr@0.11.3

ℹ Read more on: This package | This alert | What is shell access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@nomicfoundation/edr@0.11.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
@nomicfoundation/hardhat-foundry@1.2.0 has Shell access.

Module: child_process

Location: Package overview

From: package-lock.json > npm/@nomicfoundation/hardhat-foundry@1.2.0

ℹ Read more on: This package | This alert | What is shell access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@nomicfoundation/hardhat-foundry@1.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
@nomicfoundation/hardhat-ignition@0.15.13 has Shell access.

Module: child_process

Location: Package overview

From: package-lock.json > npm/@nomicfoundation/hardhat-toolbox-viem@4.1.0 > npm/@nomicfoundation/hardhat-ignition@0.15.13

ℹ Read more on: This package | This alert | What is shell access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@nomicfoundation/hardhat-ignition@0.15.13. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
@nomicfoundation/solidity-analyzer@0.1.2 has Shell access.

Module: child_process

Location: Package overview

From: package-lock.json > npm/@nomicfoundation/hardhat-toolbox-viem@4.1.0 > npm/hardhat@2.26.3 > npm/@nomicfoundation/solidity-analyzer@0.1.2

ℹ Read more on: This package | This alert | What is shell access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@nomicfoundation/solidity-analyzer@0.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

See 95 more rows in the dashboard

View full report

0age and others added 29 commits June 28, 2025 10:48
use isolate for forge tests
improve benchmarking accuracy via raw opcode contracts
added IOnChainAllocation interface
add reentrancy lock to transfer and include some contributors
…-not-set

revert before emissary call if no emissary is set
@0age 0age merged commit c84929a into main Sep 16, 2025
4 checks passed