openzeppelin-contracts
openzeppelin-contracts copied to clipboard
OpenZeppelin
Update dependency p-limit to v6
This PR contains the following updates:
| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| p-limit | ^3.1.0 -> ^6.0.0 |
Release Notes
sindresorhus/p-limit (p-limit)
v6.1.0
v6.0.0
- Improve performance (#83)
80273d7- This is a major version because it slightly changes the timing of
.activeCountand.pendingCount. This is unlikely to affect most users, but I wanted to play it safe. Learn more.
- This is a major version because it slightly changes the timing of
v5.0.0
Breaking
- Require Node.js 18
23d61ba
As a reminder, this package continues to require ESM. For TypeScript users, this includes having "module": "node16", "moduleResolution": "node16" in your tsconfig.
Fixes
v4.0.0
Breaking
Configuration
📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR was generated by Mend Renovate. View the repository job log.
![renovate[bot] avatar](https://avatars.githubusercontent.com/in/2740?v=4 "Published by a pub.dev verified publisher"){kind=small}
⚠️ No Changeset found
Latest commit: f30191fb03870941d12be8afdc403adf5c419a5d
Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.
This PR includes no changesets
When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types
Click here to learn what changesets are, and how to add one.
Click here if you're a maintainer who wants to add a changeset to this PR
![changeset-bot[bot] avatar](https://avatars.githubusercontent.com/in/28616?v=4 "Published by a pub.dev verified publisher"){kind=small}
New and removed dependencies detected. Learn more about Socket for GitHub ↗︎
| Package | New capabilities | Transitives | Size | Publisher |
|---|---|---|---|---|
| npm/[email protected] | None | +1 |
14.5 kB | sindresorhus |
![socket-security[bot] avatar](https://avatars.githubusercontent.com/in/156372?v=4 "Published by a pub.dev verified publisher"){kind=small}
Related to https://github.com/OpenZeppelin/openzeppelin-contracts/pull/4716#issuecomment-1889689364, we should explore how to update this dependency correctly.
Edited/Blocked Notification
Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.
You can manually request rebase by checking the rebase/retry box above.
⚠️ Warning: custom changes will be lost.
🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎
To accept the risk, merge this PR and you will not be notified again.
| Alert | Package | Note | Source | CI |
|---|---|---|---|---|
| AI-detected potential code anomaly | pypi/[email protected] |
| 🚫 | |
| AI-detected potential code anomaly | pypi/[email protected] |
| 🚫 | |
| AI-detected potential code anomaly | pypi/[email protected] |
| 🚫 | |
| AI-detected potential code anomaly | pypi/[email protected] |
| 🚫 |
Next steps
What is an AI-detected potential code anomaly?
AI has identified unusual behaviors that may pose a security risk.
An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.
Take a deeper look at the dependency
Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.
Remove the package
If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.
Mark a package as acceptable risk
To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all
@SocketSecurity ignore pypi/[email protected]@SocketSecurity ignore pypi/[email protected]@SocketSecurity ignore pypi/[email protected]@SocketSecurity ignore pypi/[email protected]
Note: p-limit is used only in certora/run.js which we are going to remove as we stop using certora ?
Pushed commits to use imports in the certora run script so that it can use p-limit v6 -- imo we can merge this for now until it's clear we remove certora.
