Skip to content

chore(deps): update hardhat packages (major)#191

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/major-hardhat-packages
Open

chore(deps): update hardhat packages (major)#191
renovate[bot] wants to merge 1 commit intomainfrom
renovate/major-hardhat-packages

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate bot commented Nov 4, 2025
edited
Loading

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Type Update Change OpenSSF
@nomicfoundation/hardhat-foundry (source) dependencies major 1.2.03.0.1 OpenSSF Scorecard
@nomicfoundation/hardhat-ignition-viem (source) dependencies major 0.15.163.1.2 OpenSSF Scorecard
@nomicfoundation/hardhat-toolbox-viem (source) dependencies major 4.1.15.0.4 OpenSSF Scorecard
@nomiclabs/hardhat-solhint (source) dependencies major 4.1.05.0.0 OpenSSF Scorecard
hardhat (source) dependencies major 2.27.13.4.0 OpenSSF Scorecard

Release Notes

NomicFoundation/hardhat (@​nomicfoundation/hardhat-foundry)

v3.0.1

Compare Source

Patch Changes

v3.0.0

Compare Source

Major Changes
  • 4cd63e9: Introduce the @nomicfoundation/hardhat-foundry plugin for Hardhat 3

v1.2.1

Compare Source

NomicFoundation/hardhat (@​nomicfoundation/hardhat-ignition-viem)

v3.1.2

Compare Source

Patch Changes

v3.1.1

Compare Source

Patch Changes

v3.1.0

Compare Source

Minor Changes
Patch Changes

v3.0.9

Compare Source

Patch Changes

v3.0.8

Compare Source

Patch Changes
  • 6674b00: Bump hardhat-utils major

v3.0.7

Compare Source

Patch Changes
  • 2bc18b2: Bumped viem version across all packages 7861.

v3.0.6

Compare Source

Patch Changes
  • dac916b: Expose ignition retry loop variables in user config (Hardhat v3) (#​7303)

v3.0.5

Compare Source

Patch Changes
  • d1c1803: Make @nomicfoundation/hardhat-ignition's UI work well with other plugins, like Ledger's.

v3.0.4

Compare Source

Patch Changes
  • 843c1ae: Fixed a bug preventing Ignition from using the hre.config.ignition settings when deploying via script (#​7641)
  • 558ac5b: Update installation and config instructions

v3.0.3

Compare Source

Patch Changes

v3.0.2

Compare Source

Patch Changes
  • ddefbff: Added guard to stop multiple simultaneous calls to ignition.deploy(...) at once (#​6440)

v3.0.1

Compare Source

Patch Changes

v3.0.0

Compare Source

Major Changes
  • 29cc141: First release of Hardhat 3!
NomicFoundation/hardhat (@​nomicfoundation/hardhat-toolbox-viem)

v5.0.4

Compare Source

Patch Changes

  • #​8104 e27a7ad Thanks @​ChristopherDedominici! - Use code 3 for JSON-RPC revert error codes to align with standard node behavior and preserve error causes in viem/ethers.

  • #​8096 7fb721b Thanks @​alcuadrado! - [chore] Move to packages/ folder.

  • #​8116 88787e1 Thanks @​kanej! - Deprecate the hre.network.connect() method in favour of hre.network.create(), exactly the same method but more clearly indicating that it will create a new connection.

  • Updated dependencies:

    • hardhat@​3.4.0

v5.0.3

Compare Source

Patch Changes

v5.0.2

Compare Source

Patch Changes
  • 2bc18b2: Bumped viem version across all packages 7861.

v5.0.1

Compare Source

Patch Changes
  • 558ac5b: Update installation and config instructions

v5.0.0

Compare Source

Major Changes
  • 29cc141: First release of Hardhat 3!

v4.1.2

Compare Source

This release is a small bump to the version of solidity-coverage to include changes for the Osaka transaction gas limit.

Changes
  • a7e4215: Update solidity-coverage minimum version to include Osaka changes

💡 The Nomic Foundation is hiring! Check our open positions.

NomicFoundation/hardhat (@​nomiclabs/hardhat-solhint)

v5.0.0

Compare Source

v4.1.2

Compare Source

v4.1.1

Compare Source

NomicFoundation/hardhat (hardhat)

v3.4.0

Compare Source

Minor Changes
Patch Changes

v3.3.0

Compare Source

Minor Changes
Patch Changes

v3.2.0

Compare Source

Minor Changes
Patch Changes

v3.1.12

Compare Source

Patch Changes
  • 01b41ee: Added support for function gas snapshots and snapshot cheatcodes in Solidity tests with --snapshot and --snapshot-check flags (#​7769)
  • e37f96c: Add TestRunResult type that wraps TestSummary, allowing plugins to extend test results with additional data
  • bda5a0a: Bumped EDR version to 0.12.0-next.28

v3.1.11

Compare Source

Patch Changes

  • 2cbf218: Bumped EDR version to 0.12.0-next.27

    BREAKING CHANGE: Memory capture used to be enabled by default on geth, but has since been flipped ethereum/go-ethereum#23558 and is now disabled by default. We have followed suit and disabled it by default as well. If you were relying on memory capture, you will need to explicitly enable it by setting the enableMemory option to true in your tracer configuration.

  • bc193be: Use concrete value types for contract names in hardhat-viem and hardhat-ethers

  • 2cbf218: Make SolidityBuildSystem easier to work with (#​7988)

  • 19b691d: Fix typo in assertion message #​8028

  • 2cbf218: Expose Result type for task action success/failure signaling.

  • 2cbf218: Fixed the acceptance of relative paths to node_modules in npm remappings (#​8007)

  • 2cbf218: Implement a global banner logic in Hardhat 3 #​8021

  • 4ff11c1: Return typed Result from test runners and telemetry tasks (#​8015).

  • 2cbf218: Show fs paths and better error messages when a Solidity file can't be compiled with any configured compiler (#​7988)

  • 2cbf218: Add onTestRunStart, onTestWorkerDone, and onTestRunDone test hooks (#​8001)

v3.1.10

Compare Source

Patch Changes
  • ca26adb: Update hardhat node to always use the new node network (#​7989)[#​7989]
  • 87623db: Introduce new inter-process mutex implementation (7942).
  • 88e9cb5: Add a SolidityHooks#readNpmPackageRemappings hook
  • ec03a01: Allow overriding the type of the network configs default and localhost #​7805
  • 2c2e1f5: Throw better error messages when trying to use a Hardhat 2 plugin with Hardhat 3 #​7991.
  • 90b5eec: Suggest installing hardhat-foundry when appropriate
  • 87623db: Make the solc downloader safe when run by multiple processes (7946).
  • 726ff37: Update the --coverage table output to match the style used by --gas-stats. Thanks @​jose-blockchain! (#​7733)
  • f1e9b05: Added support for inline actions in tasks 7851.
  • 73cb725: Expose gasLimit configuration for Solidity tests #​7996

v3.1.9

Compare Source

Patch Changes
  • 621d07e: Make the coverage work with versions of Solidity that aren't fully supported by EDR #​7982
  • 3e39a06: Round average and median gas usage in the gas analytics output
  • 78af2ed: Allow multiple parallel downloads of different compilers (7946).

v3.1.8

Compare Source

Patch Changes
  • a6947fb: Use the official Linux ARM64 builds of solc in the production profile when available (#​7917).
  • fd42744: Fixed missing EIP-7212 precompile in Solidity Tests (#​7872).

v3.1.7

Compare Source

Patch Changes
  • 4995121: Suppressed pragma and license warnings in Solidity test files (7894).
  • 22adbcb: Added support for eth_getProof (3345).

v3.1.6

Compare Source

Patch Changes
  • 98fbf44: Implemented SolidityBuildSystemImplementation#compileBuildInfo (#​7891)
  • a9445c9: Added ArtifactManager#getAllArtifactPaths (#​7902)
  • a9445c9: Fixed typechain type generation when compiling a subset of the Solidity files (#​7902)
  • 127ce88: Suppress Hardhat console.sol memory-safe-assembly warning #​7862.
  • c40697b: Added a Solidity#build hook (#​7890)
  • 8e5610f: Fixed a bug where nested folders were not created during the HTML coverage report generation (#​7889)
  • 13a1e4b: Multiple internal fixes to the solidity build system (#​7900)
  • 0c47a69: Added compiler downloader retry in case of failure (#​7031)

v3.1.5

Compare Source

Patch Changes
  • 346f92a: Improve how solidity tests are displayed, making it more consistent with the js reporters.
  • 2bc18b2: Bumped viem version across all packages 7861.
  • 865e346: Updated the incorrect JSDOC against the preprocessProjectFileBeforeBuilding Solidity Hook (#​7870)
  • c9bdbd0: Added invokeSolc in SolidityHooks to allow plugins to respond to the input/output from solc (#​7646)

v3.1.4

Compare Source

Patch Changes
  • d7c13fa: Fixes a bug in how code coverage for Solidity tests is calculated (7767).
  • b6a9d5a: Hardhat tries to use the latest Solidity version supported by Slang in case the a newer, unsupported version is selected (7846).
  • 268acbf: Added HTML coverage report for solidity tests (7787).

v3.1.3

Compare Source

Patch Changes

v3.1.2

Compare Source

Patch Changes
Minor Changes
Patch Changes

v3.1.1

Compare Source

Patch Changes
  • 01b41ee: Added support for function gas snapshots and snapshot cheatcodes in Solidity tests with --snapshot and --snapshot-check flags (#​7769)
  • e37f96c: Add TestRunResult type that wraps TestSummary, allowing plugins to extend test results with additional data
  • bda5a0a: Bumped EDR version to 0.12.0-next.28

v3.1.0

Compare Source

Minor Changes
  • 7b851f3: Bumped EDR version to 0.12.0-next.17
    • Changed default L1 hardfork to Osaka
    • Changed default OP stack hardfork to Isthmus
    • Fixed default transaction gas limit for post-Osaka hardforks in OP stack and generic chains
Patch Changes
  • 7697451: Test summaries are now merged when running multiple test tasks (#​7053)
  • a3bf244: Fixed the download of solc, which broke for v0.8.31

v3.0.17

Compare Source

Patch Changes

v3.0.16

Compare Source

Patch Changes
  • 478ee07: Bumped EDR version to 0.12.0-next.16
    • Added support for Osaka hardfork
    • Added full support for OP stack Isthmus hardfork
  • 806ee5a: Fixed an issue caused by networks that don't implement eth_feeHistory correctly (#​7678)
  • f4b7f7e: Fix: use user config provided value for defaultChainType (#​7700)
  • 6b2ed9a: Add ability for task options to be hidden from the CLI (#​7426)
  • 6d10d05: Update hardfork validation and resolution to use defaultChainType when chainType is undefined (#​7700)

v3.0.15

Compare Source

Patch Changes
  • 9fb054a: Fix the initialization of the Mocha and Ethers sample project when using pnpm

v3.0.14

Compare Source

Patch Changes

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies label Nov 4, 2025
sentry[bot]
sentry bot reviewed Nov 4, 2025
View reviewed changes
Comment thread package.json Outdated
"@nomicfoundation/hardhat-toolbox-viem": "5.0.1",
"@nomiclabs/hardhat-solhint": "4.1.0",
"hardhat": "2.26.5",
"hardhat": "3.0.11",

This comment was marked as outdated.

Sign in to view

cubic-dev-ai[bot]
cubic-dev-ai bot reviewed Nov 4, 2025
View reviewed changes
Copy link
Copy Markdown

@cubic-dev-ai cubic-dev-ai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 2 files

@renovate renovate bot force-pushed the renovate/major-hardhat-packages branch 5 times, most recently from 1434eee to 47e4ec1 Compare November 13, 2025 01:49
@renovate renovate bot force-pushed the renovate/major-hardhat-packages branch from 47e4ec1 to 36cfcc5 Compare November 16, 2025 02:57
@renovate renovate bot force-pushed the renovate/major-hardhat-packages branch 3 times, most recently from 4e7734f to 373851f Compare December 4, 2025 05:03
@renovate renovate bot force-pushed the renovate/major-hardhat-packages branch from 373851f to 657200c Compare December 11, 2025 03:08
sentry[bot]
sentry bot reviewed Dec 11, 2025
View reviewed changes
Comment thread package.json Outdated
"@nomicfoundation/hardhat-ignition-viem": "0.15.16",
"@nomicfoundation/hardhat-toolbox-viem": "4.1.1",
"@nomicfoundation/hardhat-ignition-viem": "3.0.6",
"@nomicfoundation/hardhat-toolbox-viem": "5.0.1",
Copy link
Copy Markdown

@sentry sentry bot Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: The update to @nomicfoundation/hardhat-toolbox-viem introduces peer dependency conflicts. Several related @nomicfoundation packages are not updated to the required major version.
Severity: CRITICAL | Confidence: High

🔍 Detailed Analysis

Updating @nomicfoundation/hardhat-toolbox-viem to 5.0.1 requires several peer dependencies like @nomicfoundation/hardhat-network-helpers and @nomicfoundation/hardhat-viem to be at version ^3.0.0. However, the lockfile indicates that older, incompatible versions (e.g., 1.1.2, 2.1.3) are still in use. This mismatch will likely lead to installation warnings or failures with npm/bun, and could cause runtime errors due to API incompatibilities between major versions if the installation succeeds.

💡 Suggested Fix

Update all related @nomicfoundation packages in package.json to their required major versions (^3.0.0) to satisfy the peer dependencies of @nomicfoundation/hardhat-toolbox-viem@5.0.1. After updating package.json, run the package manager's install command to regenerate the lockfile.

🤖 Prompt for AI Agent 
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: package.json#L41

Potential issue: Updating `@nomicfoundation/hardhat-toolbox-viem` to `5.0.1` requires
several peer dependencies like `@nomicfoundation/hardhat-network-helpers` and
`@nomicfoundation/hardhat-viem` to be at version `^3.0.0`. However, the lockfile
indicates that older, incompatible versions (e.g., `1.1.2`, `2.1.3`) are still in use.
This mismatch will likely lead to installation warnings or failures with `npm`/`bun`,
and could cause runtime errors due to API incompatibilities between major versions if
the installation succeeds.

Did we get this right? 👍 / 👎 to inform future reviews.
Reference ID: 6983511

Comment thread package.json Outdated
Comment on lines +40 to +43
"@nomicfoundation/hardhat-ignition-viem": "3.0.6",
"@nomicfoundation/hardhat-toolbox-viem": "5.0.1",
"@nomiclabs/hardhat-solhint": "4.1.0",
"hardhat": "2.27.1",
"hardhat": "3.1.0",
Copy link
Copy Markdown

@sentry sentry bot Dec 11, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug: The hardhat.config.ts file has not been updated for Hardhat 3's new plugin system, which will cause plugins to fail to load and tests to crash.
Severity: CRITICAL | Confidence: High

🔍 Detailed Analysis

The upgrade to Hardhat 3.1.0 introduces a breaking change in how plugins are loaded. The hardhat.config.ts file still uses the old Hardhat 2 method of importing plugins for their side effects. The new required method is to explicitly list plugins in a plugins array within a defineConfig call. Because the plugins are not loaded correctly, extensions to the Hardhat Runtime Environment, such as hre.viem, will be undefined. This will cause tests calling hre.viem.deployContract() to fail with a TypeError.

💡 Suggested Fix

Refactor hardhat.config.ts to use the defineConfig function from hardhat/config. Import the plugins directly and list them in the plugins array within the configuration object. This will ensure they are loaded correctly by Hardhat 3.

🤖 Prompt for AI Agent 
Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: package.json#L40-L43

Potential issue: The upgrade to Hardhat 3.1.0 introduces a breaking change in how
plugins are loaded. The `hardhat.config.ts` file still uses the old Hardhat 2 method of
importing plugins for their side effects. The new required method is to explicitly list
plugins in a `plugins` array within a `defineConfig` call. Because the plugins are not
loaded correctly, extensions to the Hardhat Runtime Environment, such as `hre.viem`,
will be `undefined`. This will cause tests calling `hre.viem.deployContract()` to fail
with a `TypeError`.

Did we get this right? 👍 / 👎 to inform future reviews.
Reference ID: 6983511

@renovate renovate bot force-pushed the renovate/major-hardhat-packages branch 2 times, most recently from 1a875a2 to 3c6bdd2 Compare December 30, 2025 16:02
@renovate renovate bot force-pushed the renovate/major-hardhat-packages branch 2 times, most recently from cb5bc81 to fbd52d8 Compare January 14, 2026 19:14
@renovate renovate bot force-pushed the renovate/major-hardhat-packages branch from fbd52d8 to 270028d Compare January 19, 2026 22:42
@renovate renovate bot force-pushed the renovate/major-hardhat-packages branch 2 times, most recently from 68f12fb to 6715241 Compare February 5, 2026 19:51
@renovate renovate bot force-pushed the renovate/major-hardhat-packages branch from 6715241 to 7c2691e Compare February 12, 2026 12:59
@renovate renovate bot force-pushed the renovate/major-hardhat-packages branch 2 times, most recently from 8587603 to 58d5967 Compare February 25, 2026 17:47
@renovate renovate bot force-pushed the renovate/major-hardhat-packages branch from 58d5967 to d06e249 Compare February 26, 2026 19:32
@renovate renovate bot force-pushed the renovate/major-hardhat-packages branch 2 times, most recently from b11d714 to 82389f6 Compare March 11, 2026 15:46
@renovate renovate bot force-pushed the renovate/major-hardhat-packages branch 2 times, most recently from 13dd2d8 to 449d686 Compare March 19, 2026 22:40
@renovate renovate bot force-pushed the renovate/major-hardhat-packages branch from 449d686 to ec185a6 Compare March 26, 2026 19:27
@renovate renovate bot force-pushed the renovate/major-hardhat-packages branch from ec185a6 to 1a11c14 Compare March 31, 2026 16:02
@socket-security
Copy link
Copy Markdown

socket-security bot commented Mar 31, 2026
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updated@​nomiclabs/​hardhat-solhint@​4.1.0 ⏵ 5.0.09310069 -1388 +6100
Updated@​nomicfoundation/​hardhat-foundry@​1.2.0 ⏵ 3.0.188 +110079 +589 +8100
Updatedhardhat@​2.27.1 ⏵ 3.4.099 +610082 -996 -1100 +20
Updated@​nomicfoundation/​hardhat-ignition-viem@​0.15.16 ⏵ 3.1.288 +210083 -296 +2100
Updated@​nomicfoundation/​hardhat-toolbox-viem@​4.1.1 ⏵ 5.0.483 -610089 +1494 +1100

View full report

@socket-security
Copy link
Copy Markdown

socket-security bot commented Mar 31, 2026
edited
Loading

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
High CVE: lodash vulnerable to Code Injection via _.template imports key names in npm `lodash-es`

CVE: GHSA-r5fr-rjxr-66jc lodash vulnerable to Code Injection via _.template imports key names (HIGH)

Affected versions: >= 4.0.0 < 4.18.0

Patched version: 4.18.0

From: ?npm/@nomicfoundation/hardhat-ignition-viem@3.1.2npm/@nomicfoundation/hardhat-toolbox-viem@5.0.4npm/lodash-es@4.17.21

ℹ Read more on: This package | This alert | What is a CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lodash-es@4.17.21. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm typescript

License: LicenseRef-W3C-Community-Final-Specification-Agreement - The applicable license policy does not permit this license (5) (package/ThirdPartyNoticeText.txt)

From: ?npm/@nomicfoundation/hardhat-ignition-viem@3.1.2npm/@nomicfoundation/hardhat-toolbox-viem@5.0.4npm/@graphprotocol/graph-cli@0.96.0npm/solhint@6.0.1npm/typescript@6.0.2

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/typescript@6.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@renovate
chore(deps): update hardhat packages
a5554a1 
Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot force-pushed the renovate/major-hardhat-packages branch from 1a11c14 to a5554a1 Compare April 16, 2026 21:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

2 more reviewers

@sentry sentry[bot] sentry[bot] left review comments

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants