Bump the npm_and_yarn group across 1 directory with 8 updates

[dependabot]

Bumps the npm_and_yarn group with 7 updates in the /tests directory:

Package	From	To
elliptic	6.5.4	6.6.1
@ethersproject/signing-key	5.7.0	5.8.0
base-x	3.0.10	3.0.11
minimatch	3.0.4	5.1.6
mocha	8.4.0	11.1.0
tar	4.4.19	removed
web3	1.10.4	4.16.0

Updates elliptic from 6.5.4 to 6.6.1

Commits

• 9b77436 6.6.1
• 04cb6f5 Merge commit from fork
• b8a7edd 6.6.0
• 34c8534 fix: signature verification due to leading zeros
• 3e46a48 6.5.7
• accb61e lib: DER signature decoding correction
• 03e06e1 6.5.6
• 7ac5360 Merge commit from fork
• 7570078 6.5.5
• 206da2e lib: lint
• Additional commits viewable in compare view

Updates @ethersproject/signing-key from 5.7.0 to 5.8.0

Release notes

Sourced from @​ethersproject/signing-key's releases.

ethers/v5.8.0 (2025-02-25 19:15) [legacy version]

This is a security update for the legacy Ethers v5 branch, addressing two security fixes.

• A bug in elliptic, which does not affect ethers but triggers a critical security warning during nom audit [see: missing signature length check, missing check for leading bit, allow BER-encoded signatures, false negative verification, signing malformed input]
• A bug in ws which can be used as DoS vector when communicating with malicious WebSocket service providers, triggering a high security warning during nom audit [see: too many HTTP headers]

For those that wish to audit the specific changes in the the bundled version between v5.7 and v5.8, see this gist.

Changes

• Updated to latest elliptic library to fix audit warnings. (f8deaae)
• Added ENS to Sepolia. (0065547)
• Bump ws package version to address DoS security concern. (#4791; f345816)
• Added modern networks, updated third-party backend URLs and added QuickNode. (#3935, #4010; f7c813d)

---

Embedding UMD with SRI:

<script type="text/javascript"
  integrity="sha384-KpyAXoFibPIUEi79EsnN1EtEWCCrOQ8MtGsa4IrVxeZo514PYarFXujnjyu0DzgC"
  crossorigin="anonymous"
  src="https://cdnjs.cloudflare.com/ajax/libs/ethers/5.8.0/ethers.umd.min.js">
</script>

ethers/v5.7.2 (2022-10-19 04:19)

• Updated tests to use goerli instead of ropsten. (1392803, 706d3ca)
• Added new error strings Pocket returns. (9f990c5)
• Fixed Alchemy goerli URL. (#3320, #3323, #3340, #3358, #3423; 74e3d98)
• Update testnets for third-party providers. (#3320, #3323, #3340, #3358, #3423; 2a3a2e1)

---

Embedding UMD with SRI:

<script type="text/javascript"
        integrity="sha384-Htz1SE4Sl5aitpvFgr2j0sfsGUIuSXI6t8hEyrlQ93zflEF3a29bH2AvkUROUw7J"
        crossorigin="anonymous"
        src="https://cdn-cors.ethers.io/lib/ethers-5.7.2.umd.min.js">
</script>

ethers/v5.7.1 (2022-09-13 21:28)

• Fixed message signing errors that clobbered critical Error properties. (#3356; b14cb0f)
• Add support for all data URL formats. (#3341; 4c86dc9)
• Added Sepolia network. (#3325; d083522)

---

... (truncated)

Changelog

Sourced from @​ethersproject/signing-key's changelog.

ethers/v5.8.0 (2025-02-25 19:15)

• Updated to latest elliptic library to fix audit warnings. (f8deaae)
• Added ENS to Sepolia. (0065547)
• Bump ws package version to address DoS security concern. (#4791; f345816)
• Added modern networks, updated third-party backend URLs and added QuickNode. (#3935, #4010; f7c813d)

ethers/v5.7.2 (2022-10-19 04:19)

• Updated tests to use goerli instead of ropsten. (1392803, 706d3ca)
• Added new error strings Pocket returns. (9f990c5)
• Fixed Alchemy goerli URL. (#3320, #3323, #3340, #3358, #3423; 74e3d98)
• Update testnets for third-party providers. (#3320, #3323, #3340, #3358, #3423; 2a3a2e1)

ethers/v5.7.1 (2022-09-13 21:28)

• Fixed message signing errors that clobbered critical Error properties. (#3356; b14cb0f)
• Add support for all data URL formats. (#3341; 4c86dc9)
• Added Sepolia network. (#3325; d083522)

Commits

• 5ff3dc9 admin: updated dist files with update-versions
• f8deaae Updated to latest elliptic library to fix audit warnings.
• fa5f647 admin: updated dist files
• See full diff in compare view

Updates base-x from 3.0.10 to 3.0.11

Commits

• 043a888 3.0.11
• 2705ddd [backport 3.x] Prohibit char codes that would overflow the BASE_MAP
• See full diff in compare view

Updates minimatch from 3.0.4 to 5.1.6

Changelog

Sourced from minimatch's changelog.

change log

10.0

• Require node 20 or 22 and higher

9.0

• No default export, only named exports.

8.0

• Recursive descent parser for extglob, allowing correct support for arbitrarily nested extglob expressions
• Bump required Node.js version

7.4

• Add escape() method
• Add unescape() method
• Add Minimatch.hasMagic() method

7.3

• Add support for posix character classes in a unicode-aware way.

7.2

• Add windowsNoMagicRoot option

7.1

• Add optimizationLevel configuration option, and revert the default back to the 6.2 style minimal optimizations, making the advanced transforms introduced in 7.0 opt-in. Also, process provided file paths in the same way in optimizationLevel:2 mode, so most things that matched with optimizationLevel 1 or 0 should match with level 2 as well. However, level 1 is the default, out of an abundance of caution.

7.0

• Preprocess patterns to simplify complicated patterns and reduce out .. pattern portions where possible. Note that this means a pattern like a/b/../* will be equivalent to a/*, and will not match the string a/b/../c. If this causes problems, it can be addressed in a patch release by resolving .. portions in the test string.

6.2

... (truncated)

Commits

• 3e216b9 5.1.6
• 4d0b7f5 Detect leading dots in extglob subpatterns
• 9556826 5.1.5
• 919c856 Count closing parens when closing excess open parens
• 8d5cd74 publish legacy v5 version
• 857a631 5.1.4
• d2c654d Do not apply magic unnecessarily for nocase
• 5878cf2 chore: add copyright year to license
• 9b42a9c 5.1.3
• 49ae7a2 Fix end-anchoring of negative extglobs
• Additional commits viewable in compare view

Updates mocha from 8.4.0 to 11.1.0

Release notes

Sourced from mocha's releases.

v11.1.0

11.1.0 (2025-01-02)

🌟 Features

• bump yargs to 17 (#5165) (8f1c8d8)

v11.0.2

11.0.2 (2024-12-09)

🩹 Fixes

• catch exceptions setting Error.stackTraceLimit (#5254) (259f8f8)
• error handling for unexpected numeric arguments passed to cli (#5263) (210d658)

📚 Documentation

• correct outdated status: accepting prs link (#5268) (f729cd0)
• replace "New in" with "Since" in version annotations (#5262) (6f10d12)

v11.0.1

11.0.1 (2024-12-02)

🌟 Features

• bumped glob dependency from 8 to 10 (#5250) (43c3157)

📚 Documentation

• fix examples for linkPartialObjects methods (#5255) (34e0e52)

v11.0.0 Prerelease

11.0.0 (2024-11-11)

⚠ BREAKING CHANGES

• adapt new engine range for Mocha 11 (#5216)

🌟 Features

• allow calling hook methods (#5231) (e3da641)

🩹 Fixes

... (truncated)

Changelog

Sourced from mocha's changelog.

11.1.0 (2025-01-02)

🌟 Features

• bump yargs to 17 (#5165) (8f1c8d8)
• replace strip-ansi with util.stripVTControlCharacters (#5267) (3c191c0), closes #5265

11.0.2 (2024-12-09)

🩹 Fixes

• catch exceptions setting Error.stackTraceLimit (#5254) (259f8f8)
• error handling for unexpected numeric arguments passed to cli (#5263) (210d658)

📚 Documentation

• correct outdated status: accepting prs link (#5268) (f729cd0)
• replace "New in" with "Since" in version annotations (#5262) (6f10d12)

11.0.1 (2024-12-02)

🌟 Features

• bumped glob dependency from 8 to 10 (#5250) (43c3157)

📚 Documentation

• fix examples for linkPartialObjects methods (#5255) (34e0e52)

11.0.0 (2024-11-11)

⚠ BREAKING CHANGES

• adapt new engine range for Mocha 11 (#5216)

🌟 Features

• allow calling hook methods (#5231) (e3da641)

🩹 Fixes

• adapt new engine range for Mocha 11 (#5216) (80da25a)

📚 Documentation

... (truncated)

Commits

• a87fb11 chore(main): release 11.1.0 (#5277)
• 3c191c0 feat: replace strip-ansi with util.stripVTControlCharacters (#5267)
• 8f1c8d8 feat: bump yargs to 17 (#5165)
• 6caa902 chore(main): release 11.0.2 (#5269)
• 259f8f8 fix: catch exceptions setting Error.stackTraceLimit (#5254)
• 210d658 fix: error handling for unexpected numeric arguments passed to cli (#5263)
• 6f10d12 docs: replace "New in" with "Since" in version annotations (#5262)
• f729cd0 docs: correct outdated status: accepting prs link (#5268)
• 4c558fb chore(main): release 11.0.1 (#5257)
• a5bd707 Release v11.0.1
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by voxpelli, a new releaser for mocha since your current version.

Removes tar

Updates web3 from 1.10.4 to 4.16.0

Release notes

Sourced from web3's releases.

[email protected]

Initial alpha release

Install with yarn add [email protected]

[email protected]

Initial alpha release

Install with yarn add [email protected]

[email protected]

Initial alpha release

Install with yarn add [email protected]

[email protected]

Changed

• Update version to 1.0.0-alpha.1 for web3-providers-base
• Update version to 4.0.0-alpha.0 for web3-utils in web3-providers-base

[email protected]

Initial alpha release

Install with yarn add [email protected]

[email protected]

Initial alpha release

Install with yarn add [email protected]

Changelog

Sourced from web3's changelog.

[4.16.0]

Fixed

web3

• Export Web3Account, Wallet and signature related types. (#7374)

web3-utils

• Make fromWei return "0" when input is 0 (#7387)

Removed

web3-eth-accounts

• Move signature related types to web3-types. Re-export them for backwards compatibility. (#7374)

Added

web3-types

• Add signature related types. (#7374)
• Updated Typescript version 4 -> 5 (#7272)

web3-eth-accounts

• Updated Typescript version 4 -> 5 (#7272)

web3

• Updated Typescript version 4 -> 5 (#7272)

web3-core

• Updated Typescript version 4 -> 5 (#7272)

web3-account-abstraction

• RC release

web3-errors

• Updated Typescript version 4 -> 5 (#7272)

web3-eth

• Updated Typescript version 4 -> 5 (#7272)

web3-eth-contract

... (truncated)

Commits

• aa197b8 add typescript and version bump to changelogs
• 82ceab7 update web3-types
• 2b7cf1c v4.16.0 release
• 926044b chore(deps-dev): bump http-proxy-middleware from 2.0.6 to 2.0.7 (#7407)
• 7a8df69 update typescript version to 5 (#7272)
• 984cb7c chore(deps): bump cross-spawn from 7.0.3 to 7.0.6 (#7404)
• 3b122a2 fix: upgrade @​cookbookdev/docsbot from 4.24.0 to 4.24.4 (#7403)
• 56d4aec Replaces #7390, #7391, & #7400 (#7401)
• 6379aa8 fix: remove force exit from blackbox tests (#7397)
• 5437fbc fix: upgrade @​mdx-js/react from 3.0.1 to 3.1.0 (#7395)
• Additional commits viewable in compare view

Updates ws from 3.3.3 to 8.18.1

Release notes

Sourced from ws's releases.

8.18.1

Bug fixes

• The length of the UNIX domain socket paths in the tests has been shortened to make them work when run via CITGM (021f7b8b).

8.18.0

Features

• Added support for Blob (#2229).

8.17.1

Bug fixes

• Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the[server.maxHeadersCount][] threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;
for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;
for (let j = 0; j &lt; chars.length; j++) {
  const key = chars[i] + chars[j];
  headers[key] = 'x';
if (++count === 2000) break;
}

}
headers.Connection = 'Upgrade';
headers.Upgrade = 'websocket';
headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
headers['Sec-WebSocket-Version'] = '13';
const request = http.request({
headers: headers,
host: '127.0.0.1',
port: wss.address().port
</tr></table>

... (truncated)

Commits

• b92745a [dist] 8.18.1
• b3d9747 [doc] Fix nit
• 021f7b8 [test] Shorten the path lengths
• b9ca55b [pkg] Update eslint-config-prettier to version 10.0.1
• c798dd4 [doc] Fix typo (#2271)
• 6861472 [ci] Test on node 23
• 019f28f [minor] Improve JSDoc-inferred types (#2242)
• bfe1b2a [doc] Remove unnecessary period (#2240)
• f7dc469 [doc] Fix the type of the data argument
• 976c53c [dist] 8.18.0
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.