Bump the npm_and_yarn group across 3 directories with 10 updates

[dependabot]

Bumps the npm_and_yarn group with 1 update in the /.github/actions/delete-deployments directory: undici.
Bumps the npm_and_yarn group with 3 updates in the /.github/scripts/jira directory: cross-spawn, rollup and vite.
Bumps the npm_and_yarn group with 6 updates in the /contracts directory:

Package	From	To
braces	3.0.2	3.0.3
micromatch	4.0.5	4.0.8
@openzeppelin/contracts	4.9.3	4.9.6
@openzeppelin/contracts-upgradeable	4.9.3	4.9.6
http-cache-semantics	4.0.3	4.1.1
secp256k1	4.0.3	4.0.4

Updates undici from 6.16.0 to 6.21.0

Release notes

Sourced from undici's releases.

v6.21.0

What's Changed

• [Backport v6.x] web: mark as uncloneable when possible (#3709) by @​jazelly in nodejs/undici#3744
• [Backport v6.x] fetch: fix content-encoding order by @​github-actions in nodejs/undici#3764
• [Backport v6.x] fix: handle undefined deref() of WeakRef(socket) by @​github-actions in nodejs/undici#3822
• [Backport v6.x] fix: range end is zero-indexed by @​github-actions in nodejs/undici#3827

Full Changelog: nodejs/undici@v6.20.1...v6.21.0

v6.20.1

What's Changed

• [Backport v6.x] jsdoc: add jsdoc to lib/web/fetch/constants.js by @​github-actions in nodejs/undici#3710
• [Backport v6.x] feat: implement BodyReadable.bytes by @​github-actions in nodejs/undici#3711
• fix: add more expectsPayload methods by @​ronag in nodejs/undici#3715
• [Backport v6.x] chore(H2): onboard H2 into Undici queueing system (#3707) by @​Uzlopak in nodejs/undici#3724
• [Backport v6.x] fix: PoolBase kClose and kDestroy should await and not return the Promise by @​github-actions in nodejs/undici#3723
• [Backport v6.x] fix: extract noop everywhere by @​Uzlopak in nodejs/undici#3727

Full Changelog: nodejs/undici@v6.20.0...v6.20.1

v6.20.0

What's Changed

• Remove patched dom types (v6.x branch) by @​eXhumer in nodejs/undici#3531
• docs(Backport v6.x): Fix signature of RetryHandler by @​github-actions in nodejs/undici#3594
• deps(dev): update @​types/node by @​metcoder95 in nodejs/undici#3618
• fix: throw on retry when payload is consume by downstream by @​github-actions in nodejs/undici#3596
• feat(Backport v6.x): move throwOnError to interceptor by @​github-actions in nodejs/undici#3595
• [Backport v6.x] fix: reduce memory usage in client-h1 by @​github-actions in nodejs/undici#3672
• [Backport v6.x] fix: refactor fast timers, fix UND_ERR_CONNECT_TIMEOUT on event loop blocking by @​github-actions in nodejs/undici#3673
• [Backport v6.x] fix: run asserts first if possible by @​github-actions in nodejs/undici#3674
• [Backport v6.x] fix: use fasttimers for all connection timeouts by @​github-actions in nodejs/undici#3675
• [Backport v6.x] ci: less flaky test/request-timeout.js test by @​github-actions in nodejs/undici#3678
• [Backport v6.x] test: less flaky timers acceptance test, rework fast timer tests to pass them faster by @​github-actions in nodejs/undici#3679
• [Backport v6.x] ignore leading and trailing crlfs in formdata body by @​github-actions in nodejs/undici#3681
• [Backport v6.x] mock: fix mocking of Uint8Array and ArrayBuffers as provided mock-responses by @​github-actions in nodejs/undici#3689
• [Backport v6.x] handle body errors by @​Uzlopak in nodejs/undici#3700

Full Changelog: nodejs/undici@v6.19.8...v6.20.0

v6.19.8

Full Changelog: nodejs/undici@v6.19.7...v6.19.8

v6.19.7

Full Changelog: nodejs/undici@v6.19.6...v6.19.7

v6.19.6

Full Changelog: nodejs/undici@v6.19.5...v6.19.6

... (truncated)

Commits

• 61ec353 Bumped v6.21.0
• 11e31a4 fix: range end is zero-indexed (#3826) (#3827)
• 98d1b1b fix: handle undefined deref() of WeakRef(socket) (#3751) (#3822)
• f21da44 fetch: fix content-encoding order (#3343) (#3764)
• e2e3fd2 web: mark as uncloneable when possible (#3709) (#3744)
• 5344aa5 6.20.1
• 5415911 fix: extract noop everywhere (#3559) (#3727)
• fd32a55 fix: PoolBase kClose and kDestroy should await and not return the Promise (#3...
• a699105 chore(H2): onboard H2 into Undici queueing system (#3707) (#3724)
• 39c5974 fix: add more expectsPayload methods (#3715)
• Additional commits viewable in compare view

Updates cross-spawn from 7.0.3 to 7.0.6

Changelog

Sourced from cross-spawn's changelog.

7.0.6 (2024-11-18)

Bug Fixes

• update cross-spawn version to 7.0.5 in package-lock.json (f700743)

7.0.5 (2024-11-07)

Bug Fixes

• fix escaping bug introduced by backtracking (640d391)

7.0.4 (2024-11-07)

Bug Fixes

• disable regexp backtracking (#160) (5ff3a07)

Commits

• 77cd97f chore(release): 7.0.6
• 6717de4 chore: upgrade standard-version
• f700743 fix: update cross-spawn version to 7.0.5 in package-lock.json
• 9a7e3b2 chore: fix build status badge
• 0852683 chore(release): 7.0.5
• 640d391 fix: fix escaping bug introduced by backtracking
• bff0c87 chore: remove codecov
• a7c6abc chore: replace travis with github workflows
• 9b9246e chore(release): 7.0.4
• 5ff3a07 fix: disable regexp backtracking (#160)
• Additional commits viewable in compare view

Updates rollup from 4.18.1 to 4.27.3

Release notes

Sourced from rollup's releases.

v4.27.3

4.27.3

2024-11-18

Bug Fixes

• Revert object property tree-shaking for now (#5736)

Pull Requests

• #5736: Revert object tree-shaking until some issues have been resolved (@​lukastaegert)

v4.27.2

4.27.2

2024-11-15

Bug Fixes

• Ensure unused variables in patterns are always deconflicted if rendered (#5728)

Pull Requests

• #5728: Fix more variable deconflicting issues (@​lukastaegert)

v4.27.1

4.27.1

2024-11-15

Bug Fixes

• Fix some situations where parameter declarations could put Rollup into an infinite loop (#5727)

Pull Requests

• #5727: Debug out-of-memory issues with Rollup v4.27.0 (@​lukastaegert)

v4.27.0

4.27.0

2024-11-15

Features

• Tree-shake unused properties in object literals (#5420)

Bug Fixes

... (truncated)

Changelog

Sourced from rollup's changelog.

4.27.3

2024-11-18

Bug Fixes

• Revert object property tree-shaking for now (#5736)

Pull Requests

• #5736: Revert object tree-shaking until some issues have been resolved (@​lukastaegert)

4.27.2

2024-11-15

Bug Fixes

• Ensure unused variables in patterns are always deconflicted if rendered (#5728)

Pull Requests

• #5728: Fix more variable deconflicting issues (@​lukastaegert)

4.27.1

2024-11-15

Bug Fixes

• Fix some situations where parameter declarations could put Rollup into an infinite loop (#5727)

Pull Requests

• #5727: Debug out-of-memory issues with Rollup v4.27.0 (@​lukastaegert)

4.27.0

2024-11-15

Features

• Tree-shake unused properties in object literals (#5420)

Bug Fixes

• Change hash length limit to 21 to avoid inconsistent hash length (#5423)

Pull Requests

... (truncated)

Commits

• 7c0b1f8 4.27.3
• 10bc150 Revert object tree-shaking (#5420) until some issues have been resolved (#5736)
• a503a4d 4.27.2
• 6c68455 Fix more variable deconflicting issues (#5728)
• aaf38b7 4.27.1
• faeb905 Debug out-of-memory issues with Rollup v4.27.0 (#5727)
• c035068 4.27.0
• b58e48b fix(deps): update swc monorepo (major) (#5724)
• 50697b8 Reduce max hash size to 21 (#5723)
• a9acb57 feat: implement object tree-shaking (#5420)
• Additional commits viewable in compare view

Updates vite from 5.3.3 to 5.4.11

Release notes

Sourced from vite's releases.

v5.4.11

Please refer to CHANGELOG.md for details.

v5.4.10

Please refer to CHANGELOG.md for details.

v5.4.9

Please refer to CHANGELOG.md for details.

v5.4.8

Please refer to CHANGELOG.md for details.

v5.4.7

Please refer to CHANGELOG.md for details.

v5.4.6

Please refer to CHANGELOG.md for details.

v5.4.5

Please refer to CHANGELOG.md for details.

v5.4.4

Please refer to CHANGELOG.md for details.

v5.4.3

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

v5.4.2

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

v5.4.1

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

[email protected]

Please refer to CHANGELOG.md for details.

v5.4.0

Please refer to CHANGELOG.md for details.

... (truncated)

Changelog

Sourced from vite's changelog.

5.4.11 (2024-11-11)

5.4.10 (2024-10-23)

• fix: backport #18367,augment hash for CSS files to prevent chromium erroring by loading previous fil (7d1a3bc), closes #18367 #18412

5.4.9 (2024-10-14)

• fix: bump launch-editor-middleware to v2.9.1 (#18348) (508d9ab), closes #18348
• fix(css): fix lightningcss dep url resolution with custom root (#18125) (eae00b5), closes #18125
• fix(data-uri): only match ids starting with data: (#18241) (96084d6), closes #18241
• fix(deps): bump tsconfck (#18322) (dc5434c), closes #18322
• fix(hmr): don't try to rewrite imports for direct CSS soft invalidation (#18252) (851b258), closes #18252
• fix(ssr): (backport #18150) fix source map remapping with multiple sources (#18204) (262a879), closes #18204
• chore: update all url references of vitejs.dev to vite.dev (#18276) (c23558a), closes #18276
• chore: update license copyright (#18278) (1864eb1), closes #18278
• docs: update homepage (#18274) (ae44163), closes #18274

5.4.8 (2024-09-25)

• fix(css): backport #18113, fix missing source file warning with sass modern api custom importer (#18 (7d47fc1), closes #18183
• fix(css): backport #18128, ensure sass compiler initialized only once (#18184) (8464d97), closes #18128 #18184

5.4.7 (2024-09-20)

• fix: treat config file as ESM in Deno (#18158) (b5908a2), closes #18158

5.4.6 (2024-09-16)

• fix: avoid DOM Clobbering gadget in getRelativeUrlFromDocument (#18115) (179b177), closes #18115
• fix: fs raw query (#18112) (6820bb3), closes #18112

5.4.5 (2024-09-13)

• fix(preload): backport #18098, throw error preloading module as well (#18099) (faa2405), closes #18098 #18099

... (truncated)

Commits

• c54c860 release: v5.4.11
• 5f52bc8 release: v5.4.10
• 7d1a3bc fix: backport #18367,augment hash for CSS files to prevent chromium erroring ...
• 898d61f release: v5.4.9
• 508d9ab fix: bump launch-editor-middleware to v2.9.1 (#18348)
• dc5434c fix(deps): bump tsconfck (#18322)
• 851b258 fix(hmr): don't try to rewrite imports for direct CSS soft invalidation (#18252)
• 96084d6 fix(data-uri): only match ids starting with data: (#18241)
• eae00b5 fix(css): fix lightningcss dep url resolution with custom root (#18125)
• c23558a chore: update all url references of vitejs.dev to vite.dev (#18276)
• Additional commits viewable in compare view

Updates braces from 3.0.2 to 3.0.3

Commits

• 74b2db2 3.0.3
• 88f1429 update eslint. lint, fix unit tests.
• 415d660 Snyk js braces 6838727 (#40)
• 190510f fix tests, skip 1 test in test/braces.expand
• 716eb9f readme bump
• a5851e5 Merge pull request #37 from coderaiser/fix/vulnerability
• 2092bd1 feature: braces: add maxSymbols (https://github.com/micromatch/braces/issues/...
• 9f5b4cf fix: vulnerability (https://security.snyk.io/vuln/SNYK-JS-BRACES-6838727)
• 98414f9 remove funding file
• 665ab5d update keepEscaping doc (#27)
• Additional commits viewable in compare view

Updates micromatch from 4.0.5 to 4.0.8

Release notes

Sourced from micromatch's releases.

4.0.8

Ultimate release that fixes both CVE-2024-4067 and CVE-2024-4068. We consider the issues low-priority, so even if you see automated scanners saying otherwise, don't be scared.

Changelog

Sourced from micromatch's changelog.

[4.0.8] - 2024-08-22

• backported CVE-2024-4067 fix (from v4.0.6) over to 4.x branch

[4.0.7] - 2024-05-22

• this is basically v4.0.5, with some README updates
• it is vulnerable to CVE-2024-4067
• Updated braces to v3.0.3 to avoid CVE-2024-4068
• does NOT break API compatibility

[4.0.6] - 2024-05-21

• Added hasBraces to check if a pattern contains braces.
• Fixes CVE-2024-4067
• BREAKS API COMPATIBILITY
• Should be labeled as a major release, but it's not.

Commits

• 8bd704e 4.0.8
• a0e6841 run verb to generate README documentation
• 4ec2884 Merge branch 'v4' into hauserkristof-feature/v4.0.8
• 03aa805 Merge pull request #266 from hauserkristof/feature/v4.0.8
• 814f5f7 lint
• 67fcce6 fix: CHANGELOG about braces & CVE-2024-4068, v4.0.5
• 113f2e3 fix: CVE numbers in CHANGELOG
• d9dbd9a feat: updated CHANGELOG
• 2ab1315 fix: use actions/setup-node@v4
• 1406ea3 feat: rework test to work on macos with node 10,12 and 14
• Additional commits viewable in compare view

Updates @openzeppelin/contracts from 4.9.3 to 4.9.6

Release notes

Sourced from @​openzeppelin/contracts's releases.

v4.9.6

• Base64: Fix issue where dirty memory located just after the input buffer is affecting the result. (#4929)

v4.9.5

• Multicall: Make aware of non-canonical context (i.e. msg.sender is not _msgSender()), allowing compatibility with ERC2771Context. Patch duplicated Address.functionDelegateCall in v4.9.4 (removed).

v4.9.4

• ERC2771Context and Context: Introduce a _contextPrefixLength() getter, used to trim extra information appended to msg.data.
• Multicall: Make aware of non-canonical context (i.e. msg.sender is not _msgSender()), allowing compatibility with ERC2771Context.

Changelog

Sourced from @​openzeppelin/contracts's changelog.

4.9.6 (2024-02-29)

• Base64: Fix issue where dirty memory located just after the input buffer is affecting the result. (#4929)

4.9.5 (2023-12-08)

• Multicall: Make aware of non-canonical context (i.e. msg.sender is not _msgSender()), allowing compatibility with ERC2771Context. Patch duplicated Address.functionDelegateCall in v4.9.4 (removed).

Commits

• dc44c9f Release v4.9.6 (#4931)
• a6286d0 Port Base64 tests to truffle (#4926) (#4929)
• bd325d5 Release v4.9.5 (#4790)
• ad6a5b6 Add changeset
• 88ac712 Replace double functionDelegateCall
• a83918d Bump node CI version to 16.x
• 0d5f54e Release v4.9.4 (#4784)
• ccfffe1 Make Multicall context-aware
• 9329cfa Remove Wizard page from 4.x
• e1b3d8c Remove Wizard from 4.x navigation
• Additional commits viewable in compare view

Updates @openzeppelin/contracts-upgradeable from 4.9.3 to 4.9.6

Release notes

Sourced from @​openzeppelin/contracts-upgradeable's releases.

v4.9.6

• Base64: Fix issue where dirty memory located just after the input buffer is affecting the result. (#4926)

v4.9.5

• Multicall: Patch duplicated Address.functionDelegateCall.

v4.9.4

• ERC2771Context and Context: Introduce a _contextPrefixLength() getter, used to trim extra information appended to msg.data.
• Multicall: Make aware of non-canonical context (i.e. msg.sender is not _msgSender()), allowing compatibility with ERC2771Context.

Changelog

Sourced from @​openzeppelin/contracts-upgradeable's changelog.

4.9.6 (2024-02-29)

• Base64: Fix issue where dirty memory located just after the input buffer is affecting the result. (#4929)

4.9.5 (2023-12-08)

• Multicall: Make aware of non-canonical context (i.e. msg.sender is not _msgSender()), allowing compatibility with ERC2771Context. Patch duplicated Address.functionDelegateCall in v4.9.4 (removed).

Commits

• 2d081f2 Transpile dc44c9f1
• 2492017 Transpile a6286d0f
• a40cb0b Transpile bd325d56
• 4c73bfa Transpile ad6a5b68
• 31f9fb9 Transpile 88ac712e
• f55babc Transpile a83918df
• 5bc5999 Transpile 98c7a4cf
• 152b820 Transpile 0ed435b7
• f34a3a7 Transpile 17c1a3a4
• See full diff in compare view

Updates http-cache-semantics from 4.0.3 to 4.1.1

Commits

• 2449650 Update mocha
• 560b2d8 Don't use regex to trim whitespace
• b1bdb92 Remove linting package zoo
• c20dc7e Cache 308
• ed83aec Explain trust server date
• 1b35980 rfc 5861 (stale-if-error, stale-while-revalidate)
• 2c2fac2 Drop trustServerDate
• eb7028f Test names
• 84cc9a8 Bump
• ae5ecd5 Add status to tests
• Additional commits viewable in compare view

Updates secp256k1 from 4.0.3 to 4.0.4

Commits

• 756fce1 4.0.4
• 8bd6446 elliptic: fix key verification in loadCompressedPublicKey
• 840834e Update elliptic to 6.5.7 (CVE-2024-42461) (#206)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@octokit/[email protected]	environment Transitive: network	+16	8.03 MB	octokitbot
npm/@octokit/[email protected]	Transitive: eval, network	+13	5.73 MB	octokitbot
npm/@octokit/[email protected]	Transitive: eval, network	+11	1.01 MB	octokitbot
npm/@octokit/[email protected]	None	+1	4.45 MB	octokitbot
npm/@openzeppelin/[email protected]	None	0	2.11 MB	amxx
npm/@openzeppelin/[email protected]	None	0	2.02 MB	frangio
npm/@types/[email protected]	None	0	2.06 MB	types
npm/[email protected]	None	0	32.4 MB	typescript-bot

🚮 Removed packages: npm/@openzeppelin/[email protected], npm/@openzeppelin/[email protected], npm/@types/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected]

View full report↗︎