
Update dependency @openzeppelin/contracts to v5.4.0 [SECURITY] #600


Open
wants to merge 1 commit into base: master

Conversation

renovate[bot]
Contributor

@renovate renovate bot commented Jul 17, 2025

This PR contains the following updates:

Package: @openzeppelin/contracts (source)
Change: 5.3.0 -> 5.4.0

GitHub Vulnerability Alerts

CVE-2025-54070

Impact

The lastIndexOf(bytes,byte,uint256) function of the Bytes.sol library may access uninitialized memory when the following two conditions hold: 1) the provided buffer length is empty (i.e. buffer.length == 0) and 2) position is not 2**256 - 1 (i.e. pos != type(uint256).max).

The pos argument could be used to access arbitrary data outside of the buffer bounds. This could lead to the operation running out of gas, or returning an invalid index (outside of the empty buffer). Processing this invalid result for accessing the buffer would cause a revert under normal conditions.

When triggered, the function reads memory at offset buffer + 0x20 + pos. If memory at that location (outside the buffer) matches the search pattern, the function would return an out of bound index instead of the expected type(uint256).max. This creates unexpected behavior where callers receive a valid-looking index pointing outside buffer bounds.

Subsequent memory accesses that don't check bounds and use the returned index must carefully review the potential impact depending on their setup. Code relying on this function returning type(uint256).max for empty buffers or using the returned index without bounds checking could exhibit undefined behavior.

Patches

Upgrade to 5.4.0


Release Notes

OpenZeppelin/openzeppelin-contracts (@openzeppelin/contracts)

v5.4.0

Breaking changes
  • Update minimum pragma to 0.8.24 in SignatureChecker, Governor and Governor's extensions. (#5716).
Pragma changes
  • Reduced pragma requirement of interface files
Changes by category
Account
  • Account: Added a simple ERC-4337 account implementation with minimal logic to process user operations. (#5657)
  • AccountERC7579: Extension of Account that implements support for ERC-7579 modules of type executor, validator, and fallback handler. (#5657)
  • AccountERC7579Hooked: Extension of AccountERC7579 that implements support for ERC-7579 hook modules. (#5657)
  • EIP7702Utils: Add a library for checking if an address has an EIP-7702 delegation in place. (#5587)
  • IERC7821, ERC7821: Interface and logic for minimal batch execution. No support for additional opData is included. (#5657)
Governance
  • GovernorNoncesKeyed: Extension of Governor that adds support for keyed nonces when voting by sig. (#5574)
Tokens
  • ERC20Bridgeable: Implementation of ERC-7802 that makes an ERC-20 compatible with crosschain bridges. (#5739)
Cryptography
Signers
  • AbstractSigner, SignerECDSA, SignerP256, and SignerRSA: Add an abstract contract and various implementations for contracts that deal with signature verification. (#5657)
  • SignerERC7702: Implementation of AbstractSigner for Externally Owned Accounts (EOAs). Useful with ERC-7702. (#5657)
  • SignerERC7913: Abstract signer that verifies signatures using the ERC-7913 workflow. (#5659)
  • MultiSignerERC7913: Implementation of AbstractSigner that supports multiple ERC-7913 signers with a threshold-based signature verification system. (#5659)
  • MultiSignerERC7913Weighted: Extension of MultiSignerERC7913 that supports assigning different weights to each signer, enabling more flexible governance schemes. (#5741)
Verifiers
  • ERC7913P256Verifier and ERC7913RSAVerifier: Ready to use ERC-7913 verifiers that implement key verification for P256 (secp256r1) and RSA keys. (#5659)
Other
  • SignatureChecker: Add support for ERC-7913 signatures alongside existing ECDSA and ERC-1271 signature verification. (#5659)
  • ERC7739: An abstract contract to validate signatures following the rehashing scheme from ERC7739Utils. (#5664)
  • ERC7739Utils: Add a library that implements a defensive rehashing mechanism to prevent replayability of smart contract signatures based on the ERC-7739. (#5664)
Structures
  • EnumerableMap: Add support for BytesToBytesMap type. (#5658)
  • EnumerableMap: Add keys(uint256,uint256) that returns a subset (slice) of the keys in the map. (#5713)
  • EnumerableSet: Add support for StringSet and BytesSet types. (#5658)
  • EnumerableSet: Add values(uint256,uint256) that returns a subset (slice) of the values in the set. (#5713)
Utils
  • Arrays: Add unsafeAccess, unsafeMemoryAccess and unsafeSetLength for bytes[] and string[]. (#5568)
  • Blockhash: Add a library that provides access to historical block hashes using EIP-2935's history storage, extending the standard 256-block limit to 8191 blocks. (#5642)
  • Bytes: Fix lastIndexOf(bytes,byte,uint256) with empty buffers and finite position to correctly return type(uint256).max instead of accessing uninitialized memory sections. (#5797)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
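The empty-buffer case from the advisory above, as an added toy model that is not code from this PR or from OpenZeppelin: EVM memory is simulated as a flat byte array, `last_index_of_unchecked` reproduces the described pre-5.4.0 loop (wrapping `length - 1`, reads at `buffer + 0x20 + pos`) and `last_index_of_fixed` the 5.4.0 contract; the memory layout, the neighbouring `"xyzA"` allocation and the resulting index 35 are constructed for the demonstration.

```python
"""Toy EVM-memory model of the CVE-2025-54070 failure mode in Bytes.lastIndexOf.
Added illustration, not OpenZeppelin's code: `bytes memory` is modelled as a 32-byte
length word followed by the payload, so a buffer at `ptr` has its data at ptr + 0x20."""
MAX_UINT256 = 2**256 - 1

class Memory:
    """Flat EVM-style memory: reads past the allocated end return zero."""
    def __init__(self, size: int = 0x200):
        self.data = bytearray(size)
    def store_bytes(self, ptr: int, value: bytes) -> None:
        self.data[ptr:ptr + 32] = len(value).to_bytes(32, "big")
        self.data[ptr + 32:ptr + 32 + len(value)] = value
    def length_at(self, ptr: int) -> int:
        return int.from_bytes(self.data[ptr:ptr + 32], "big")
    def byte_at(self, offset: int) -> int:
        if offset >= 2**24:  # stand-in for the advisory's "running out of gas"
            raise MemoryError("memory expansion too large")
        return self.data[offset] if offset < len(self.data) else 0

def last_index_of_unchecked(mem: Memory, ptr: int, s: int, pos: int) -> int:
    """Pre-5.4.0 behaviour as the advisory describes it: the loop bound uses wrapping
    arithmetic, so for an empty buffer length-1 wraps to 2**256-1 and no longer clamps pos."""
    length = mem.length_at(ptr)
    i = (min(pos, (length - 1) & MAX_UINT256) + 1) & MAX_UINT256
    while i > 0:  # with pos == 2**256-1, i wraps to 0 and nothing is read
        i -= 1
        if mem.byte_at(ptr + 0x20 + i) == s:  # may read outside the buffer
            return i
    return MAX_UINT256

def last_index_of_fixed(mem: Memory, ptr: int, s: int, pos: int) -> int:
    """5.4.0 contract: an empty buffer returns type(uint256).max and pos is clamped."""
    length = mem.length_at(ptr)
    if length == 0:
        return MAX_UINT256
    for i in range(min(pos, length - 1), -1, -1):
        if mem.byte_at(ptr + 0x20 + i) == s:
            return i
    return MAX_UINT256

def demo() -> tuple:
    """Constructed layout: empty buffer at 0x80, so its (absent) data would start at
    0xa0, exactly where the next allocation ("xyzA") is placed."""
    mem = Memory()
    mem.store_bytes(0x80, b"")
    mem.store_bytes(0xa0, b"xyzA")  # 'A' (0x41) lands at 0xc3, offset 35 from 0xa0
    return (last_index_of_unchecked(mem, 0x80, 0x41, 40),  # 35: out-of-bounds "hit"
            last_index_of_fixed(mem, 0x80, 0x41, 40),      # 2**256-1: not found
            last_index_of_unchecked(mem, 0x80, 0x41, MAX_UINT256))  # 2**256-1
```

A call-site guard of the same shape (reject an empty buffer, or require the returned index to be below `buffer.length` before using it) is the review the advisory asks of downstream code that uses the index without bounds checking.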

Contributor Author

renovate bot commented Jul 17, 2025

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: packages/core/solidity/src/environments/hardhat/upgradeable/package-lock.json
npm warn Unknown env config "store". This will stop working in the next major version of npm.
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: @openzeppelin/[email protected]
npm error Found: @openzeppelin/[email protected]
npm error node_modules/@openzeppelin/contracts
npm error   dev @openzeppelin/contracts@"5.4.0" from the root project
npm error
npm error Could not resolve dependency:
npm error peer @openzeppelin/contracts@"5.3.0" from @openzeppelin/[email protected]
npm error node_modules/@openzeppelin/contracts-upgradeable
npm error   dev @openzeppelin/contracts-upgradeable@"^5.0.0" from the root project
npm error
npm error Conflicting peer dependency: @openzeppelin/[email protected]
npm error node_modules/@openzeppelin/contracts
npm error   peer @openzeppelin/contracts@"5.3.0" from @openzeppelin/[email protected]
npm error   node_modules/@openzeppelin/contracts-upgradeable
npm error     dev @openzeppelin/contracts-upgradeable@"^5.0.0" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2025-07-22T20_41_25_398Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2025-07-22T20_41_25_398Z-debug-0.log


socket-security bot commented Jul 17, 2025

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Updated | @pkgr/core@0.2.2 ⏵ 0.2.9 | 100 | 100 | 62 | 94 | 100

@renovate renovate bot force-pushed the renovate/npm-openzeppelin-contracts-vulnerability branch 3 times, most recently from b2ee1a7 to 06fcad6 Compare July 21, 2025 21:15

socket-security bot commented Jul 21, 2025

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

@renovate renovate bot force-pushed the renovate/npm-openzeppelin-contracts-vulnerability branch from 06fcad6 to 82f1d21 Compare July 22, 2025 14:33
@renovate renovate bot force-pushed the renovate/npm-openzeppelin-contracts-vulnerability branch from 82f1d21 to 3bb4dda Compare July 22, 2025 20:41