@renovate renovate bot commented Sep 30, 2024

This PR contains the following updates:

Package: solidity-coverage
Change: 0.8.5 -> 0.8.16

Release Notes

sc-forks/solidity-coverage (solidity-coverage)

v0.8.16


Support for custom storage layout syntax

This version updates the plugin's parser dependency to support the "layout" and "at" keywords introduced in Solidity v0.8.29.


Full Changelog: sc-forks/solidity-coverage@v0.8.15...v0.8.16

v0.8.15


Speed up test runs when using viaIR

This release adds an irMinimum option which should improve execution speeds if you're generating coverage with solc's viaIR mode enabled. The plugin has handled viaIR for about a year, but it runs more slowly in that setting because it has to search for execution traces across a wider range of opcodes. The performance hit is especially notable in Solidity code that iterates hundreds of times in loops.

NOTE: Not all code will compile with irMinimum (you may get stack-too-deep errors, unfortunately). But if yours does, this option should make things faster for you.

Usage

// .solcover.js
module.exports = {
  irMinimum: true,
}


Full Changelog: sc-forks/solidity-coverage@v0.8.14...v0.8.15

v0.8.14


Full Changelog: sc-forks/solidity-coverage@v0.8.13...v0.8.14

v0.8.13


🐛 Bug Fixes

This release fixes a bug that caused the plugin to error when used with hardhat-viem in combination with a forked network.


Full Changelog: sc-forks/solidity-coverage@v0.8.12...v0.8.13

v0.8.12


What's Changed

  • Adds "work-around" support for the hardhat-viem plugin. If you're using viem, run the coverage task with:
    SOLIDITY_COVERAGE=true npx hardhat coverage
    
  • Adds support for solc v0.4.x
  • Fixes a bug where plugin crashed if the contract sources directory name contained a period.
  • Fixes a bug where instrumentation failed if there was whitespace between a require statement and the terminating semicolon

Full Changelog: sc-forks/solidity-coverage@v0.8.11...v0.8.12

v0.8.11



  • Check all SWAP opcodes for inst. hashes when viaIR is true (#873)

v0.8.10



  • Check all PUSH opcodes for instr. hashes when viaIR is true (#871)

v0.8.9



  • Fix duplicate hash logic (#868)
  • Improve organization of edge case code in collector (#869)

v0.8.8



  • Coerce sources path to absolute path if necessary (#866)
  • Only inject file-level instr. for first pragma in file (#865)

v0.8.7



  • Documentation Cleanup & Improvements for 0.8.7 release (#859)
  • Add tests for file-level function declarations (#858)
  • Add try / catch unit tests (#857)
  • Fix test project configs for viaIR detection in overrides (#856)
  • Enable coverage when viaIR compiler flag is true (#854)
  • Add missing onPreCompile hook (#851)
  • Remove ganache-cli related code from API & tests (#849)
  • Add command option to specify the source files to run the coverage on (#838)

v0.8.6



  • Add test for multi-contract files with inheritance (#836)
  • Add test for modifiers with post-conditions (#835)
  • Document Istanbul check-coverage cli command (#834)
  • Throw error when mocha parallel is set to true (#833)
  • Fix instrumentation error for virtual modifiers (#832)
  • Add test for file level using for statements (#831)
  • Fix chained ternary conditionals instrumentation (#830)
  • Update faq.md with an optimizer config workaround (#822)
  • Upgrade solidity-parser to 0.18.0 (#829)
  • Perform ternary conditional injections before branch injections (#828)
  • Add drips funding config (#827)

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.

socket-security bot commented Sep 30, 2024

renovate bot force-pushed the renovate/solidity-coverage-0.x-lockfile branch from f5e7c85 to 3a9e77a on November 29, 2024 02:38
renovate bot changed the title from "chore(deps): update dependency solidity-coverage to v0.8.13" to "chore(deps): update dependency solidity-coverage to v0.8.14" on Nov 29, 2024
renovate bot force-pushed the renovate/solidity-coverage-0.x-lockfile branch from 3a9e77a to 3f20eba on April 19, 2025 16:08
renovate bot changed the title from "chore(deps): update dependency solidity-coverage to v0.8.14" to "chore(deps): update dependency solidity-coverage to v0.8.15" on Apr 19, 2025
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
renovate bot force-pushed the renovate/solidity-coverage-0.x-lockfile branch from 3f20eba to 993a700 on May 11, 2025 07:35
renovate bot changed the title from "chore(deps): update dependency solidity-coverage to v0.8.15" to "chore(deps): update dependency solidity-coverage to v0.8.16" on May 11, 2025
@socket-security

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Block (High): @matterlabs/[email protected] has a Git dependency.

Dependency: @matterlabs/zksync-telemetry-js@git+https://github.com/matter-labs/zksync-telemetry-js.git#2fd9edbe6b9a5e0c2caeda4b04dd5631d7546a11

Location: Package overview

From: npm/@chainlink/[email protected] -> npm/@matterlabs/[email protected]


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Publish the git dependency to npm or a private package repository and consume it from there.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@matterlabs/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block (Medium): @arbitrum/[email protected] has Install scripts.

Install script: postinstall

Source: patch-package

From: npm/@chainlink/[email protected] -> npm/@arbitrum/[email protected]



Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@arbitrum/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block (Medium): @arbitrum/[email protected] has Install scripts.

Install script: postinstall

Source: patch-package

From: npm/@chainlink/[email protected] -> npm/@arbitrum/[email protected]



Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@arbitrum/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block (Medium): @arbitrum/[email protected] has Install scripts.

Install script: postinstall

Source: patch-package

From: npm/@chainlink/[email protected] -> npm/@arbitrum/[email protected]



Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@arbitrum/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block (Medium): [email protected] has Native code.

Location: Package overview

From: packages/hardhat/yarn.lock -> npm/[email protected]



Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block (Medium): [email protected] has Native code.

Location: Package overview

From: npm/@chainlink/[email protected] -> npm/[email protected]



Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block (Medium): [email protected] has Install scripts.

Install script: postinstall

Source: node scripts/postinstall

From: npm/@chainlink/[email protected] -> npm/[email protected]



Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block (Medium): [email protected] has Install scripts.

Install script: install

Source: node install.js

From: npm/@chainlink/[email protected] -> npm/[email protected]



Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block (Low): @protobufjs/[email protected] is an AI-detected potential code anomaly.

Notes: The code uses eval to dynamically require a module, which is highly unusual and considered unsafe. The usage of eval can lead to code injection vulnerabilities if the moduleName is not properly validated. Additionally, the use of string manipulation to form 'require' is a form of obfuscation and makes the code harder to read and understand.

Confidence: 1.00

Severity: 0.60

From: npm/@chainlink/[email protected] -> npm/@protobufjs/[email protected]



Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@protobufjs/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block (Low): [email protected] is an AI-detected potential code anomaly.

Notes: The code poses security risks due to potential unauthorized code execution and obfuscated PowerShell command construction.

Confidence: 1.00

Severity: 0.60

From: npm/@chainlink/[email protected] -> npm/@chainlink/[email protected] -> npm/[email protected]



Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block (Low): [email protected] is an AI-detected potential code anomaly.

Notes: The code appears to be a WebAssembly (WASM) module implementing HTTP parsing functionality. The code contains suspicious elements such as the ability to handle HTTP headers, message bodies, and chunk extensions. While it may be legitimate parser code, the obfuscated nature and presence of low-level binary operations warrant careful review due to the potential for misuse in HTTP request/response manipulation or header injection attacks.

Confidence: 1.00

Severity: 0.60

From: packages/hardhat/yarn.lock -> npm/[email protected]



Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block (Low): [email protected] is an AI-detected potential code anomaly.

Notes: The code appears to be a WebAssembly (WASM) module implementing HTTP parsing functionality. The code contains suspicious elements such as the ability to handle HTTP headers, message bodies, and chunk extensions. While it may be legitimate parser code, the obfuscated nature and presence of low-level binary operations warrant careful review due to the potential for misuse in HTTP request/response manipulation or header injection attacks.

Confidence: 1.00

Severity: 0.60

From: npm/@chainlink/[email protected] -> npm/[email protected]



Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn (High): @chainlink/[email protected] has a GitHub dependency.

Dependency: @zksync/contracts@github:matter-labs/era-contracts@#446d39

Location: Package overview

From: packages/hardhat/package.json -> npm/@chainlink/[email protected]



Suggestion: Publish the GitHub dependency to npm or a private package repository and consume it from there.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@chainlink/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
