Bump the npm_and_yarn group across 1 directory with 25 updates

[dependabot]

Bumps the npm_and_yarn group with 16 updates in the / directory:

Package	From	To
express	4.18.2	4.21.2
next	13.4.7	15.5.2
postcss	8.4.26	8.5.6
@babel/runtime	7.22.5	7.28.3
@solana/web3.js	1.78.0	1.98.4
ws	7.4.6	8.18.0
@rainbow-me/rainbowkit	1.0.7	2.2.8
ethers	5.7.2	5.8.0
viem	1.3.0	2.36.0
wagmi	1.3.9	2.16.9
brace-expansion	1.1.11	1.1.12
braces	3.0.2	3.0.3
cookie	0.4.1	0.7.1
cookie-parser	1.4.6	1.4.7
form-data	4.0.2	4.0.4
micromatch	4.0.5	4.0.8

Updates express from 4.18.2 to 4.21.2

Release notes

Sourced from express's releases.

4.21.2

What's Changed

• Add funding field (v4) by @​bjohansebas in expressjs/express#6065
• deps: [email protected] by @​blakeembrey in expressjs/express#5956
• deps: bump [email protected] by @​jonchurch in expressjs/express#6209
• Release: 4.21.2 by @​UlisesGascon in expressjs/express#6094

Full Changelog: expressjs/express@4.21.1...4.21.2

4.21.1

What's Changed

• Backport a fix for CVE-2024-47764 to the 4.x branch by @​joshbuker in expressjs/express#6029
• Release: 4.21.1 by @​UlisesGascon in expressjs/express#6031

Full Changelog: expressjs/express@4.21.0...4.21.1

4.21.0

What's Changed

• Deprecate "back" magic string in redirects by @​blakeembrey in expressjs/express#5935
• [email protected] by @​wesleytodd in expressjs/express#5954
• fix(deps): [email protected] by @​wesleytodd in expressjs/express#5951
• Upgraded dependency qs to 6.13.0 to match qs in body-parser by @​agadzinski93 in expressjs/express#5946

New Contributors

• @​agadzinski93 made their first contribution in expressjs/express#5946

Full Changelog: expressjs/express@4.20.0...4.21.0

4.20.0

What's Changed

Important

• IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect

Other Changes

• 4.19.2 Staging by @​wesleytodd in expressjs/express#5561
• remove duplicate location test for data uri by @​wesleytodd in expressjs/express#5562
• feat: document beta releases expectations by @​marco-ippolito in expressjs/express#5565
• Cut down on duplicated CI runs by @​jonchurch in expressjs/express#5564
• Add a Threat Model by @​UlisesGascon in expressjs/express#5526
• Assign captain of encodeurl by @​blakeembrey in expressjs/express#5579
• Nominate jonchurch as repo captain for http-errors, expressjs.com, morgan, cors, body-parser by @​jonchurch in expressjs/express#5587
• docs: update Security.md by @​inigomarquinez in expressjs/express#5590
• docs: update triage nomination policy by @​UlisesGascon in expressjs/express#5600
• Add CodeQL (SAST) by @​UlisesGascon in expressjs/express#5433
• docs: add UlisesGascon as triage initiative captain by @​UlisesGascon in expressjs/express#5605

... (truncated)

Changelog

Sourced from express's changelog.

4.21.2 / 2024-11-06

• deps: [email protected]
  • Fix backtracking protection
• deps: [email protected]
  • Throws an error on invalid path values

4.21.1 / 2024-10-08

• Backported a fix for CVE-2024-47764

4.21.0 / 2024-09-11

• Deprecate res.location("back") and res.redirect("back") magic string
• deps: [email protected]
  • includes [email protected]
• deps: [email protected]
• deps: [email protected]

4.20.0 / 2024-09-10

• deps: [email protected]
  • Remove link renderization in html while redirecting
• deps: [email protected]
  • Remove link renderization in html while redirecting
• deps: [email protected]
  • add depth option to customize the depth level in the parser
  • IMPORTANT: The default depth level for parsing URL-encoded data is now 32 (previously was Infinity)
• Remove link renderization in html while using res.redirect
• deps: [email protected]
  • Adds support for named matching groups in the routes using a regex
  • Adds backtracking protection to parameters without regexes defined
• deps: encodeurl@~2.0.0
  • Removes encoding of \, |, and ^ to align better with URL spec
• Deprecate passing options.maxAge and options.expires to res.clearCookie
  • Will be ignored in v5, clearCookie will set a cookie with an expires in the past to instruct clients to delete the cookie

4.19.2 / 2024-03-25

• Improved fix for open redirect allow list bypass

4.19.1 / 2024-03-20

• Allow passing non-strings to res.location with new encoding handling checks

... (truncated)

Commits

• 1faf228 4.21.2
• 2e0fb64 deps: bump [email protected] (#6209)
• 59fc270 deps: [email protected] (#5956)
• 51fc39c docs: add funding (#6065)
• 8e229f9 4.21.1
• a024c8a fix(deps): [email protected]
• 7e562c6 4.21.0
• 1bcde96 fix(deps): [email protected] (#5946)
• 7d36477 fix(deps): [email protected] (#5951)
• 40d2d8f fix(deps): [email protected]
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by jonchurch, a new releaser for express since your current version.

Updates next from 13.4.7 to 15.5.2

Release notes

Sourced from next's releases.

v15.5.2

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix: disable unknownatrules lint rule entirely (#83059)
• revert: add ?dpl to fonts in /_next/static/media (#83062)

Credits

Huge thanks to @​bgub and @​ztanner for helping!

v15.5.1

[!NOTE]
This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• fix: aliased navigations should apply scroll handling (#82900)
• Turbopack: fix invalid NFT entry with file behind symlink (#82887)
• fix: typesafe linking to route handlers and pages API routes (#82858)
• fix: change "noUnknownAtRules" to "warn" for Biome (#82974)
• fix: add path normalization to getRelativePath for Windows (#82918)
• feat: add typesafety with config.typedRoutes to redirect() and permanentRedirect() (#82860)
• fix: avoid importing types that will be unused (#82856)
• fix: update the config.api.responseLimit type (#82852)
• fix: update validation return types (#82854)

Credits

Huge thanks to @​bgub, @​mischnic, and @​ztanner for helping!

v15.5.1-canary.20

Misc Changes

• Turbopack: hide blocking spans in trace server: #83167
• Update Rspack production test manifest: #83207
• [create-next-app] Generate route types after setup: #82956
• Update Rspack development test manifest: #83208
• docs: fix snippets in getting started: #83228

Credits

Huge thanks to @​sokra, @​vercel-release-bot, @​bgub, and @​icyJoseph for helping!

v15.5.1-canary.19

Core Changes

• [sourcemaps] Always check for vendor chunks regardless of Node.js version: #83114
• Turbopack: Remove undocumented legacy syntax for built-in conditions (e.g. foreign, browser): #83068
• [metadata] update metadata routes cache headers: #83215

... (truncated)

Commits

• 497ec6a v15.5.2
• bc72f41 [backport] revert: add ?dpl to fonts in /_next/static/media (#83062) (#83066)
• c8faf68 [backport] fix: disable unknownatrules lint rule entirely (#83059) (#83060)
• cc68ced v15.5.1
• 1ce9857 [backport] fix: update validation return types (#82854) (#83027)
• b93c894 [backport] fix: update the config.api.responseLimit type (#82852) (#83028)
• 8a92f28 [backport] fix: avoid importing types that will be unused (#82856) (#83026)
• 19617ab [backport] feat: add typesafety with config.typedRoutes to redirect() and per...
• 822e4c0 [backport] fix: add path normalization to getRelativePath for Windows (#82918...
• bb67ca9 [backport] fix: change "noUnknownAtRules" to "warn" for Biome (#82974) (#83022)
• Additional commits viewable in compare view

Updates postcss from 8.4.26 to 8.5.6

Release notes

Sourced from postcss's releases.

8.5.6

• Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

• Fixed package.json→exports compatibility with some tools (by @​JounQin).

8.5.4

• Fixed Parcel compatibility issue (by @​git-sumitchaudhary).

8.5.3

• Added more details to Unknown word error (by @​hiepxanh).
• Fixed types (by @​romainmenke).
• Fixed docs (by @​catnipan).

8.5.2

• Fixed end position of rules with semicolon (by @​romainmenke).

8.5.1

• Fixed backwards compatibility for complex cases (by @​romainmenke).

8.5 “Duke Alloces”

PostCSS 8.5 brought API to work better with non-CSS sources like HTML, Vue.js/Svelte sources or CSS-in-JS.

@​romainmenke during his work on Stylelint added Input#document in additional to Input#css.

root.source.input.document //=> "<p>Hello</p>
                           //    <style>
                           //    p {
                           //      color: green;
                           //    }
                           //    </style>"
root.source.input.css      //=> "p {
                           //      color: green;
                           //    }"

Thanks to Sponsors

This release was possible thanks to our community.

If your company wants to support the sustainability of front-end infrastructure or wants to give some love to PostCSS, you can join our supporters by:

• Tidelift with a Spotify-like subscription model supporting all projects from your lock file.
• Direct donations at GitHub Sponsors or Open Collective.

... (truncated)

Changelog

Sourced from postcss's changelog.

8.5.6

• Fixed ContainerWithChildren type discriminating (by @​Goodwine).

8.5.5

• Fixed package.json→exports compatibility with some tools (by @​JounQin).

8.5.4

• Fixed Parcel compatibility issue (by @​git-sumitchaudhary).

8.5.3

• Added more details to Unknown word error (by @​hiepxanh).
• Fixed types (by @​romainmenke).
• Fixed docs (by @​catnipan).

8.5.2

• Fixed end position of rules with semicolon (by @​romainmenke).

8.5.1

• Fixed backwards compatibility for complex cases (by @​romainmenke).

8.5 “Duke Alloces”

• Added Input#document for sources like CSS-in-JS or HTML (by @​romainmenke).

8.4.49

• Fixed custom syntax without source.offset (by @​romainmenke).

8.4.48

• Fixed position calculation in error/warnings methods (by @​romainmenke).

8.4.47

• Removed debug code.

8.4.46

• Fixed Cannot read properties of undefined (reading 'before').

8.4.45

• Removed unnecessary fix which could lead to infinite loop.

8.4.44

• Another way to fix markClean is not a function error.

8.4.43

• Fixed markClean is not a function error.

8.4.42

• Fixed CSS syntax error on long minified files (by @​varpstar).

8.4.41

• Fixed types (by @​nex3 and @​querkmachine).
• Cleaned up RegExps (by @​bluwy).

... (truncated)

Commits

• 91d6eb5 Release 8.5.6 version
• 65ffc55 Update dependencies
• ecd20eb Fix ContainerWithChildren to allow discriminating the node type by comparing ...
• c181597 Release 8.5.5 version
• c5523fb Update dependencies
• 2e3450c refactor: import should be listed before require (#2052)
• 4d720bd Update EM text
• 6cb4a66 Release 8.5.4 version
• ec5c1e0 Update dependencies
• e85e938 Fix code format
• Additional commits viewable in compare view

Updates @babel/runtime from 7.22.5 to 7.28.3

Release notes

Sourced from @​babel/runtime's releases.

v7.28.3 (2025-08-14)

👓 Spec Compliance

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env
  • #17443 [static blocks] Do not inject new static fields after static code (@​nicolo-ribaudo)

🐛 Bug Fix

• babel-parser
  • #17465 fix(parser/typescript): parse import("./a", {with:{},}) (@​easrng)
  • #17478 fix(parser): stop subscript parsing on async arrow (@​JLHwung)

💅 Polish

• babel-plugin-transform-regenerator, babel-plugin-transform-runtime
  • #17363 Do not save last yield in call in temp var (@​nicolo-ribaudo)

📝 Documentation

• #17448 move eslint-{parser,plugin} docs to the website (@​JLHwung)

🏠 Internal

• #17454 Enable type checking for scripts and babel-worker.cjs (@​JLHwung)

🔬 Output optimization

• babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions
  • #17444 Optimize do expression output (@​JLHwung)

Committers: 5

• Babel Bot (@​babel-bot)
• Huáng Jùnliàng (@​JLHwung)
• Jam Balaya (@​JamBalaya56562)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• easrng (@​easrng)

v7.28.2 (2025-07-24)

Thanks @​souhailaS for your first PR!

🐛 Bug Fix

• babel-types
  • #17445 [babel 7] Make operator param in t.tsTypeOperator optional (@​nicolo-ribaudo)
• babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3
  • #17441 fix: regeneratorDefine compatibility with es5 strict mode (@​liuxingbaoyu)

Committers: 4

• Babel Bot (@​babel-bot)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• SOUHAILA SERBOUT (@​souhailaS)
• @​liuxingbaoyu

v7.28.1 (2025-07-12)

... (truncated)

Changelog

Sourced from @​babel/runtime's changelog.

v7.28.3 (2025-08-14)

👓 Spec Compliance

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env
  • #17443 [static blocks] Do not inject new static fields after static code (@​nicolo-ribaudo)

🐛 Bug Fix

• babel-parser
  • #17465 fix(parser/typescript): parse import("./a", {with:{},}) (@​easrng)
  • #17478 fix(parser): stop subscript parsing on async arrow (@​JLHwung)

💅 Polish

• babel-plugin-transform-regenerator, babel-plugin-transform-runtime
  • #17363 Do not save last yield in call in temp var (@​nicolo-ribaudo)

📝 Documentation

• #17448 move eslint-{parser,plugin} docs to the website (@​JLHwung)

🏠 Internal

• #17454 Enable type checking for scripts and babel-worker.cjs (@​JLHwung)

🔬 Output optimization

• babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions
  • #17444 Optimize do expression output (@​JLHwung)

v7.28.2 (2025-07-24)

🐛 Bug Fix

• babel-types
  • #17445 [babel 7] Make operator param in t.tsTypeOperator optional (@​nicolo-ribaudo)
• babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3
  • #17441 fix: regeneratorDefine compatibility with es5 strict mode (@​liuxingbaoyu)

v7.28.1 (2025-07-12)

🐛 Bug Fix

• babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator
  • #17426 fix: regenerator correctly handles throw outside of try (@​liuxingbaoyu)

📝 Documentation

• babel-types
  • #17422 Add missing FunctionParameter docs (@​JLHwung)

↩️ Revert

• babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions, babel-types
  • #17432 Do not mark OptionalMemberExpresion as LVal (@​JLHwung)

v7.28.0 (2025-07-02)

🚀 New Feature

• babel-node
  • #17147 Support top level await in node repl (@​liuxingbaoyu)
• babel-types

... (truncated)

Commits

• ef155f5 v7.28.3
• cac0ff4 v7.28.2
• f68ac51 chore: Avoid CITGM errors (#17382)
• baa4cb8 v7.27.6
• 7d06930 v7.27.4
• 5b9468d Reduce regenerator size more (#17287)
• cb78b5b [babel 8] Do not replace global regeneratorRuntime references in regenerato...
• a0690e3 Split regeneratorRuntime into multiple helpers (#17238)
• da5e371 v7.27.3
• eebd3a0 v7.27.1
• Additional commits viewable in compare view

Updates @solana/web3.js from 1.78.0 to 1.98.4

Release notes

Sourced from @​solana/web3.js's releases.

v1.98.4

1.98.4 (2025-07-31)

Bug Fixes

• Add Cost Units (Transaction Cost) (#3750) (c26c13b)

v1.98.3

1.98.3 (2025-07-31)

Reverts

• Revert "chore: Add costUnits to transaction classes (#3748)" (#3749) (3d0e82a)

v1.98.2

1.98.2 (2025-04-24)

Bug Fixes

• update base-x to 3.0.11 in lockfile (#3731) (6f265af)

v1.98.1

1.98.1 (2025-04-22)

Bug Fixes

• patch bigint-buffer (#3727) (d3dc5d5)

v1.98.0

1.98.0 (2024-12-16)

Features

• Agave v2 RPC: replace getRecentBlockhash with getLatestBlockhash (#3419) (8ea27fc)

v1.97.0

1.97.0 (2024-12-16)

Features

• agave v2 rpc: replace getConfirmedTransaction with getTransaction (#3418) (a805cb9)

v1.96.0

1.96.0 (2024-12-16)

Features

• Agave v2 RPC: replace getConfirmedBlock with getBlock (#3417) (60e39a6)

v1.95.8

... (truncated)

Commits

• c26c13b fix: Add Cost Units (Transaction Cost) (#3750)
• 3d0e82a Revert "chore: Add costUnits to transaction classes (#3748)" (#3749)
• 720a428 chore: Add costUnits to transaction classes (#3748)
• 6f265af fix: update base-x to 3.0.11 in lockfile (#3731)
• d3dc5d5 fix: patch bigint-buffer (#3727)
• d0e77cf updated for migrated repo (#3728)
• 4e9988c chore: readme (#3725)
• 8ea27fc feat: Agave v2 RPC: replace getRecentBlockhash with getLatestBlockhash (#...
• a805cb9 feat: agave v2 rpc: replace getConfirmedTransaction with getTransaction (...
• 60e39a6 feat: Agave v2 RPC: replace getConfirmedBlock with getBlock (#3417)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by solana-devs, a new releaser for @​solana/web3.js since your current version.

Updates ws from 7.4.6 to 8.18.0

Release notes

Sourced from ws's releases.

8.18.0

Features

• Added support for Blob (#2229).

8.17.1

Bug fixes

• Fixed a DoS vulnerability (#2231).

A request with a number of headers exceeding the[server.maxHeadersCount][] threshold could be used to crash a ws server.

const http = require('http');
const WebSocket = require('ws');
const wss = new WebSocket.Server({ port: 0 }, function () {
const chars = "!#$%&'*+-.0123456789abcdefghijklmnopqrstuvwxyz^_`|~".split('');
const headers = {};
let count = 0;
for (let i = 0; i < chars.length; i++) {
if (count === 2000) break;
for (let j = 0; j &lt; chars.length; j++) {
  const key = chars[i] + chars[j];
  headers[key] = 'x';
if (++count === 2000) break;
}

}
headers.Connection = 'Upgrade';
headers.Upgrade = 'websocket';
headers['Sec-WebSocket-Key'] = 'dGhlIHNhbXBsZSBub25jZQ==';
headers['Sec-WebSocket-Version'] = '13';
const request = http.request({
headers: headers,
host: '127.0.0.1',
port: wss.address().port
});
request.end();
});

The vulnerability was reported by Ryan LaPointe in websockets/ws#2230.

... (truncated)

Commits

• 976c53c [dist] 8.18.0
• 59b9629 [feature] Add support for Blob (#2229)
• 0d1b5e6 [security] Use more descriptive text for 2017 vulnerability link
• 15f11a0 [security] Add new DoS vulnerability to SECURITY.md
• 3c56601 [dist] 8.17.1
• e55e510 [security] Fix crash when the Upgrade header cannot be read (#2231)
• 6a00029 [test] Increase code coverage
• ddfe4a8 [perf] Reduce the amount of crypto.randomFillSync() calls
• b73b118 [dist] 8.17.0
• 29694a5 [test] Use the highWaterMark variable
• Additional commits viewable in compare view

Updates @rainbow-me/rainbowkit from 1.0.7 to 2.2.8

Release notes

Sourced from @​rainbow-me/rainbowkit's releases.

@​rainbow-me/rainbowkit@​2.2.8

Patch Changes

• f542876: The metaMaskWallet wallet connector now utilizes the MetaMask SDK for more reliable, faster connections on mobile

@​rainbow-me/rainbowkit@​2.2.7

Patch Changes

• a147620: Fixed error handling when connect requests are rejected on mobile.
• 10090d2: Mitigated WalletConnect Core is already initialized warnings that began appearing with recent distributions of Wagmi and WalletConnect.
• 50c7f13: Added missing rdns metadata for wallet connectors that now support EIP-6963.
• 15ddd4a: Improved QR Code error correction and rendering with cuer

@​rainbow-me/rainbowkit@​2.2.6

Patch Changes

• 624a38a: The coinbaseWallet connector now supports additional SDK configuration options to enable Paymasters and Sub Accounts for your dapp.

  import { coinbaseWallet } from "@rainbow-me/rainbowkit/wallets";
  // Configure Paymaster for gas sponsorship
  coinbaseWallet.paymasterUrls = {
  [base.id]: "...",
  };
  // Enable Sub Accounts
  coinbaseWallet.subAccounts = {
  enableAutoSubAccounts: true,
  defaultSpendLimits: {
  // ...
  },
  };

• f6ad6aa: Added support for Superposition chain

@​rainbow-me/rainbowkit@​2.2.5

Patch Changes

• 03ae0d0: Added xPortal Wallet support with xPortalWallet wallet connector
• 3d73508: Added ZilPay Wallet support with zilPayWallet wallet connector
• 5b54649: MEW Wallet now supports WalletConnect on mobile
• c5a9cc1: Fixed SVG encoding in wallet connector icons for Cool Mode
• 8515fd3: Resolved a warning for mismatched dApp url metadata on recent versions of WalletConnect

@​rainbow-me/rainbowkit@​2.2.4

Patch Changes

• f5a7cec: Added support for Unichain

... (truncated)

Changelog

Sourced from @​rainbow-me/rainbowkit's changelog.

2.2.8

Patch Changes

• f542876: The metaMaskWallet wallet connector now utilizes the MetaMask SDK for more reliable, faster connections on mobile

2.2.7

Patch Changes

• a147620: Fixed error handling when connect requests are rejected on mobile.
• 10090d2: Mitigated WalletConnect Core is already initialized warnings that began appearing with recent distributions of Wagmi and WalletConnect.
• 50c7f13: Added missing rdns metadata for wallet connectors that now support EIP-6963.
• 15ddd4a: Improved QR Code error correction and rendering with cuer

2.2.6

Patch Changes

• 624a38a: The coinbaseWallet connector now supports additional SDK configuration options to enable Paymasters and Sub Accounts for your dapp.

  import { coinbaseWallet } from "@rainbow-me/rainbowkit/wallets";
  // Configure Paymaster for gas sponsorship
  coinbaseWallet.paymasterUrls = {
  [base.id]: "...",
  };
  // Enable Sub Accounts
  coinbaseWallet.subAccounts = {
  enableAutoSubAccounts: true,
  defaultSpendLimits: {
  // ...
  },
  };

• f6ad6aa: Added support for Superposition chain

2.2.5

Patch Changes

• 3d73508: Added ZilPay Wallet support with zilPayWallet wallet connector
• c5a9cc1: Fixed SVG encoding in wallet connector icons for Cool Mode
• 8515fd3: Resolved a warning for mismatched dApp url metadata on recent versions of WalletConnect
• 5b54649: MEW Wallet now supports WalletConnect on mobile
• 03ae0d0: Added xPortal Wallet support with xPortalWallet wallet connector

... (truncated)

Commits

• 32c6720 chore: version packages (#2471)
• f542876 feat: metamask sdk connector (#2425)
• cbdf578 chore: version packages (#2423)
• 10090d2 fix: isolate walletconnect storages (#2452)
• 50c7f13 fix: add missing rdns metadata (#2451)
• 56b5ce7 fix: inherited qr code colors in dark mode (#2443)
• 205de36 chore: upgrade vanilla-extract dependencies (#2439)
• d5535c3 revert: package node engine minimum bump (#2436)
• 15ddd4a Migrate QRCode to cuer (#2429)
• 479ebf0 feat: wallet registry fetch script (#2428)
• Additional commits viewable in compare view

Updates ethers from 5.7.2 to 5.8.0

Release notes

Sourced from ethers's releases.

ethers/v5.8.0 (2025-02-25 19:15) [legacy version]

This is a security update for the legacy Ethers v5 branch, addressing two security fixes.

• A bug in elliptic, which does not affect ethers but triggers a critical security warning during nom audit [see: missing signature length check, missing check for leading bit, allow BER-encoded signatures, false negative verification, signing malformed input]
• A bug in ws which can be used as DoS vector when communicating with malicious WebSocket service providers, triggering a high security warning during nom audit [see: too many HTTP headers]

For those that wish to audit the specific changes in the the bundled version between v5.7 and v5.8, see this gist.

Changes

• Updated to latest elliptic library to fix audit warnings. (f8deaae)
• Added ENS to Sepolia. (0065547)
• Bump ws package version to address DoS security concern. (#4791; f345816)
• Added modern networks, updated third-party backend URLs and added QuickNode. (#3935, #4010; f7c813d)

---

Embedding UMD with SRI:

<script type="text/javascript"
  integrity="sha384-KpyAXoFibPIUEi79EsnN1EtEWCCrOQ8MtGsa4IrVxeZo514PYarFXujnjyu0DzgC"
  crossorigin="anonymous"
  src="https://cdnjs.cloudflare.com/ajax/libs/ethers/5.8.0/ethers.umd.min.js">
</script>

Changelog

Sourced from ethers's changelog.

ethers/v5.8.0 (2025-02-25 19:15)

• Updated to latest elliptic library to fix audit warnings. (f8deaae)
• Added ENS to Sepolia. (0065547)
• Bump ws package version to address DoS security concern. (#4791; f345816)
• Added modern networks, updated third-party backend URLs and added QuickNode. (#3935, #4010; f7c813d)

Commits

• 5ff3dc9 admin: updated dist files with update-versions
• 808153e admin: updated sort issue in package.json
• f8deaae Updated to latest elliptic library to fix audit warnings.
• c6a1b15 Updated browser tests; but karma is still defunct
• c7c07f5 admin: update dist files
• 01dccc7 tests: swapped goerli for sepolia; contracts re-deployed
• 0065547 Added ENS to Sepolia.
• d7e8ad1 admin: updated dist files
• f345816 Bump ws package version to address DoS security concern (#4791).
• 9f42637 tests: updates test details
• Additional commits viewable in compare view

Updates viem from 1.3.0 to 2.36.0

Release notes

Sourced from viem's releases.

[email protected]

Minor Changes

• #3883 4758e2ca5ba8a91bec4da9fa952d9e9b920c045d Thanks @​jxom! - Added deployless option to batch.multicall on createClient.

• #3883 4758e2ca5ba8a91bec4da9fa952d9e9b920c045d Thanks @​jxom! - Added deployless parameter to multicall Action.

Patch Changes

• 427ff4c156b8ef6b2bd4b6f833f6b9008f0ac4b8 Thanks @​jxom! - Updated Ox.

[email protected]

Patch Changes

• 768cf82c32dc7f5d9601eb5f601efcef857184c2 Thanks @​jxom! - Added authorizationList to readContract and multicall.

[email protected]

Minor Changes

• #3848 390fff8db23f388f520356c9d3847a22acf56a72 Thanks @​TateB! - Added support for chain-specific ENS resolution and ENS UniversalResolver v3.
Description has been truncated