chore(deps): update dependency solidity-coverage to v0.8.17

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
solidity-coverage	0.8.7 → 0.8.17

---

Release Notes

sc-forks/solidity-coverage (solidity-coverage)

v0.8.17: 0.8.17 (Osaka Support)

Compare Source

This release contains changes to support the Osaka hardfork (thanks to @​fvictorio 💯 ).

What's Changed

• Fix default tx gas limit after osaka by @​fvictorio in #​916

Full Changelog: sc-forks/solidity-coverage@v0.8.16...v0.8.17

v0.8.16: 0.8.16

Compare Source

Support for custom storage layout syntax

This version updates the plugin's parser dependency to support the layout and at keywords introduced in Solidity v0.8.29

What's Changed

• Update solidity-parser/parser to 0.20.1 by @​cgewecke in #​905

Full Changelog: sc-forks/solidity-coverage@v0.8.15...v0.8.16

v0.8.15: 0.8.15

Compare Source

Speed up test runs when using viaIR

This release adds an irMinimum option which should improve execution speeds if you're generating coverage with solc's viaIR mode enabled. The plugin has handled viaIR for about a year but it runs more slowly in that setting because it has to search for execution traces across a wider range of opcodes. The performance hit is especially notable in solidity code that iterates hundreds of times in loops.

NOTE: Not all code will compile withirMinimum (you may get stack-too-deep errors unfortunately). But if yours does, this option should make things faster for you.

Usage

// .solcover.js
module.exports = {
  irMinimum: true,
}

What's Changed

• docs: fixed dead link by @​iamslown in #​904
• Add irMinimum option by @​cgewecke in #​907

New Contributors

• @​iamslown made their first contribution in #​904

Full Changelog: sc-forks/solidity-coverage@v0.8.14...v0.8.15

v0.8.14: 0.8.14

Compare Source

What's Changed

• Update solidity-parser/parser dep to 0.19.0 for transient storage support by @​cgewecke in #​898
• fix: typos in documentation files by @​leopardracer in #​896

New Contributors

• @​leopardracer made their first contribution in #​896

Full Changelog: sc-forks/solidity-coverage@v0.8.13...v0.8.14

v0.8.13

Compare Source

🐛 Bug Fixes

This release fixes a bug that caused the plugin to error when used with hardhat-viem in combination with a forked network.

What's Changed

• Error if --solcoverjs passed but file is nonexistent by @​area in #​889
• Stop overwriting forking config in extendConfig by @​cgewecke in #​893
• Misc docs fixes

New Contributors

• @​AndreMiras made their first contribution in #​887
• @​nnsW3 made their first contribution in #​892

Full Changelog: sc-forks/solidity-coverage@v0.8.12...v0.8.13

v0.8.12

Compare Source

What's Changed

• Adds "work-around" support for the hardhat-viem plugin. If you're using viem, run the coverage task with:

  SOLIDITY_COVERAGE=true npx hardhat coverage
  

• Adds support for solc v0.4.x
• Fixes a bug where plugin crashed if the contract sources directory name contained a period.
• Fixes a bug where instrumentation failed if there was whitespace between require statement and the terminating semi-colon

PRs

• Add extendConfig logic for hardhat-viem plugin by @​cgewecke in #​883
• Support solc v0.4.x by @​cgewecke in #​877
• Use fs.stat to check directory status by @​cgewecke in #​880
• Update hardhat dev dep to 2.22.2 (EDR) by @​cgewecke in #​881
• Tolerate whitespace between require and terminating ; by @​cgewecke in #​884
• Document extendConfig changes in README by @​cgewecke in #​885

Full Changelog: sc-forks/solidity-coverage@v0.8.11...v0.8.12

v0.8.11

Compare Source

===================

• Check all SWAP opcodes for inst. hashes when viaIR is true (#​873)

v0.8.10

Compare Source

===================

• Check all PUSH opcodes for instr. hashes when viaIR is true (#​871)

v0.8.9

Compare Source

==================

• Fix duplicate hash logic (#​868)
• Improve organization of edge case code in collector (#​869)

v0.8.8

Compare Source

==================

• Coerce sources path to absolute path if necessary (#​866)
• Only inject file-level instr. for first pragma in file (#​865)

---

Configuration

📅 Schedule: Branch creation - Between 12:00 AM and 03:59 AM, only on Monday ( * 0-3 * * 1 ) (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		viem@1.21.4 has Telemetry. Note: The code seems to be related to URI manipulation and validation, but the use of dynamic image loading could be an attempt to obfuscate network communication, raising potential security concerns. From: ? → npm/@celo/rainbowkit-celo@1.1.1 → npm/@wagmi/connectors@3.1.11 → npm/viem@1.21.4 ℹ Read more on: This package | This alert | What is telemetry? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Most telemetry comes with settings to disable it. Consider disabling telemetry if you do not want to be tracked. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/viem@1.21.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		viem@2.0.0 has Telemetry. Note: The code seems to be related to URI manipulation and validation, but the use of dynamic image loading could be an attempt to obfuscate network communication, raising potential security concerns. From: ? → npm/@celo/rainbowkit-celo@1.1.1 → npm/viem@2.0.0 ℹ Read more on: This package | This alert | What is telemetry? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Most telemetry comes with settings to disable it. Consider disabling telemetry if you do not want to be tracked. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/viem@2.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		bufferutil@4.0.9 has Native code. Location: Package overview From: ? → npm/@celo/rainbowkit-celo@1.1.1 → npm/@wagmi/connectors@3.1.11 → npm/viem@2.33.3 → npm/wagmi@2.16.3 → npm/bufferutil@4.0.9 ℹ Read more on: This package | This alert | Why is native code a concern? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/bufferutil@4.0.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		utf-8-validate@5.0.10 has Native code. Location: Package overview From: ? → npm/@celo/rainbowkit-celo@1.1.1 → npm/@wagmi/connectors@3.1.11 → npm/viem@2.33.3 → npm/wagmi@2.16.3 → npm/utf-8-validate@5.0.10 ℹ Read more on: This package | This alert | Why is native code a concern? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/utf-8-validate@5.0.10. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		viem@2.31.0 is a AI-detected potential code anomaly. Notes: The code implements a cross-chain deposit flow with proper validations, artifact reads, and on-chain interactions. There is no evidence of hidden backdoors, data exfiltration, or malware. The main security considerations relate to token approval logic and correct configuration of flags to avoid granting excessive allowances. Overall, the module appears legitimate for a bridge deposit flow, with moderate risk primarily around configuration of approvals and correct handling of gas/fees. Confidence: 1.00 Severity: 0.60 From: ? → npm/@celo/rainbowkit-celo@1.1.1 → npm/viem@2.31.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/viem@2.31.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		viem@2.33.3 is a AI-detected potential code anomaly. Notes: The code implements a cross-chain deposit flow with proper validations, artifact reads, and on-chain interactions. There is no evidence of hidden backdoors, data exfiltration, or malware. The main security considerations relate to token approval logic and correct configuration of flags to avoid granting excessive allowances. Overall, the module appears legitimate for a bridge deposit flow, with moderate risk primarily around configuration of approvals and correct handling of gas/fees. Confidence: 1.00 Severity: 0.60 From: packages/react-app/package.json → npm/viem@2.33.3 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/viem@2.33.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​celo/​rainbowkit-celo@​1.1.1
	wagmi@​2.16.3
	yallist@​4.0.0
	y18n@​5.0.8 ⏵ 4.0.3	+1
	yargs-parser@​20.2.9 ⏵ 18.1.3	+2
	@​celo/​abis@​10.0.0
	@​wagmi/​connectors@​3.1.11
	yargs@​16.2.0 ⏵ 15.4.1
	yaml@​2.2.2
	zod@​3.21.4
	viem@​2.33.3

View full report