
@MastaTrill
Owner

Snyk has created this PR to upgrade @openzeppelin/contracts from 5.4.0 to 5.5.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.


  • The recommended version is 3 versions ahead of your current version.

  • The recommended version was released 2 months ago.

Release notes
Package name: @openzeppelin/contracts
  • 5.5.0 - 2025-10-31

    Bug fixes

    • AccountERC7579: Prevent revert in isModuleInstalled for fallback modules when additionalContext has fewer than 4 bytes. The function now returns false instead of reverting, ensuring ERC-7579 compliance. (#5961)
    • ERC165Checker: Ensure the supportsERC165 function returns false if the target reverts during the supportsInterface(0xffffffff) call. (#5810)

    Breaking changes

    • Account: Add signature argument to the internal _validateUserOp function for custom signature handling logic. Developers overriding it must now provide the signature from the user operation (i.e. userOp.signature) to keep compatibility. (#5976)
    • AccountERC7579: Installing and uninstalling fallback modules now require the corresponding initData and deInitData arguments to be at least 4 bytes long (matching the selector to which the fallback module is registered). It now reverts with ERC7579CannotDecodeFallbackData instead of treating the missing bytes as 0x00. (#5974)
    • ERC6909 and its extensions (ERC6909ContentURI, ERC6909Metadata and ERC6909TokenSupply) are no longer marked as draft since EIP-6909 is now final. Developers must update the import paths. Contracts behavior is not modified. (#5929)
    • SignerERC7702 is renamed as SignerEIP7702. Imports and inheritance must be updated to that new name and path. Behavior is unmodified. (#5932)
    • ERC721Holder, ERC1155Holder, ReentrancyGuard and ReentrancyGuardTransient are flagged as stateless and are no longer transpiled. Developers using their upgradeable variants from @openzeppelin/contracts-upgradeable must update their imports to use the equivalent version available in @openzeppelin/contracts. (#5944, #5942)
    • Update minimum pragma to 0.8.24 in AccessControlEnumerable, Arrays, CircularBuffer, EIP712, EnumerableMap, EnumerableSet, ERC1155, ERC1155Burnable, ERC1155Pausable, ERC1155Supply, ERC1155URIStorage, ERC20Votes, ERC4626, ERC721Burnable, ERC721Consecutive, ERC721Enumerable, ERC721Pausable, ERC721Royalty, ERC721URIStorage, ERC721Votes, ERC721Wrapper, ERC7739, Heap, MerkleTree, MessageHashUtils, Strings, Votes and VotesExtended. (#5723, #5726, #5965)

    Deprecation

    • Initializable and UUPSUpgradeable are no longer transpiled. An alias is present in the @openzeppelin/contracts-upgradeable package that redirects to the corresponding file in @openzeppelin/contracts. These aliases will be removed in the next major release. Developers are advised to update their imports to get these files directly from the @openzeppelin/contracts package. #5941
    • ECDSA signature malleability protection is partly deprecated. See documentation for more details. #5814

    Changes by category

    Tokens

    • ERC4626: compute maxWithdraw using maxRedeem and previewRedeem so that changes to the preview functions affect the max functions. (#5130)

    Cross-chain

    • InteroperableAddress: Add a library for formatting and parsing ERC-7930 interoperable addresses. (#5736)
    • ERC7786Recipient: Generic ERC-7786 cross-chain message recipient contract. (#5904)
    • IERC7786: Add the (draft) interface for ERC-7786 "Cross-Chain Messaging Gateway" (#5737)

    Cryptography

    Signers
    • SignerWebAuthn: Add an abstract signer that verifies WebAuthn signatures, with a P256 fallback. (#5809)
    • Add constructors to the different signers. (#5757)
    Verifiers
    • ERC7913WebAuthnVerifier: Add an ERC-7913 verifier that verifies WebAuthn Authentication Assertions for P256 identities. (#5809)
    Other
    • WebAuthn: Add a library for verifying WebAuthn Authentication Assertions. (#5809)
    • ECDSA: Add parse and parseCalldata to parse bytes signatures of length 65 or 64 (erc-2098) into its v,r,s components. (#5814)
    • ECDSA: Add recoverCalldata and tryRecoverCalldata, variants of recover and tryRecover that are more efficient when signatures are in calldata. (#5788)
    • SignatureChecker: Add isValidSignatureNowCalldata(address,bytes32,bytes calldata) for efficient processing of calldata signatures. (#5788)

    Structures

    • Checkpoints: Add a new checkpoint variant Checkpoint256 using uint256 type for the value and key. (#5748)
    • Accumulators: A library for merging an arbitrary dynamic number of bytes buffers. (#5680)

    Utils

    • Arrays: Add slice and splice functions for value types (uint256[], bytes32[], address[]). (#5983)
    • Base58: Add a library for encoding and decoding bytes buffers into base58 strings. (#5762)
    • Base64: Add a new decode function that parses base64 encoded strings. (#5765)
    • Bytes: Add concat that merges a bytes[] array of buffers into a single bytes buffer. (#5882)
    • Bytes: Add reverseBytes32, reverseBytes16, reverseBytes8, reverseBytes4, and reverseBytes2 functions to reverse byte order for converting between little-endian and big-endian representations. (#5724)
    • Bytes: Add splice(bytes,uint256) and splice(bytes,uint256,uint256) functions that move a specified range of bytes to the start of the buffer and truncate it in place, as an alternative to slice. (#5733)
    • Bytes: Add a clz function to count the leading zero bits in a bytes buffer. (#5725)
    • Bytes: Add an equal function to compare byte buffers. (#5726)
    • Bytes: Fix lastIndexOf(bytes,byte,uint256) with empty buffers and finite position to correctly return type(uint256).max instead of accessing uninitialized memory sections. (#5797)
    • IERC7751: Add the interface for custom error wrapping of bubbled up reverts. (#5816)
    • LowLevelCall: Add a library to perform low-level calls and deal with the returndata more granularly. (#5094)
    • Math: Add a clz function to count the leading zero bits in a uint256 value. (#5725)
    • Memory: Add library with utilities to manipulate memory (#5189)
    • Memory: Add a UDVT for handling slices on memory space similarly to calldata slices. (#5680)
    • ReentrancyGuard and ReentrancyGuardTransient: Add nonReentrantView, a read-only version of the nonReentrant modifier. (#5800)
    • ReentrancyGuard, ReentrancyGuardTransient: Add an internal _reentrancyGuardStorageSlot function allowing slot customization via override. (#5892)
    • RelayedCall: Add a library to perform indirect calls through minimal and predictable relayers. (#5630)
    • RLP: Add a library for encoding and decoding data in Ethereum's Recursive Length Prefix format. (#5680)
    • Strings: Add toHexString(bytes). (#5761)
  • 5.5.0-rc.1 - 2025-10-10

    Bug fixes

    • AccountERC7579: Prevent revert in isModuleInstalled for fallback modules when additionalContext has fewer than 4 bytes. The function now returns false instead of reverting, ensuring ERC-7579 compliance. (#5961)

    Breaking changes

    • Account: Add signature argument to the internal _validateUserOp function for custom signature handling logic. Developers overriding it must now provide the signature from the user operation (i.e. userOp.signature) to keep compatibility. (#5976)
    • AccountERC7579: Installing and uninstalling fallback modules now require the corresponding initData and deInitData arguments to be at least 4 bytes long (matching the selector to which the fallback module is registered). It now reverts with ERC7579CannotDecodeFallbackData instead of treating the missing bytes as 0x00. (#5974)

    Changes by category

    Utils

    • Arrays: Add slice and splice functions for value types (uint256[], bytes32[], address[]). (#5983)
  • 5.5.0-rc.0 - 2025-09-26

    Bug fixes

    • ERC165Checker: Ensure the supportsERC165 function returns false if the target reverts during the supportsInterface(0xffffffff) call. (#5810)

    Breaking changes

    • ERC6909 and its extensions (ERC6909ContentURI, ERC6909Metadata and ERC6909TokenSupply) are no longer marked as draft since EIP-6909 is now final. Developers must update the import paths. Contracts behavior is not modified. (#5929)
    • SignerERC7702 is renamed as SignerEIP7702. Imports and inheritance must be updated to that new name and path. Behavior is unmodified. (#5932)
    • ERC721Holder, ERC1155Holder, ReentrancyGuard and ReentrancyGuardTransient are flagged as stateless and are no longer transpiled. Developers using their upgradeable variants from @openzeppelin/contracts-upgradeable must update their imports to use the equivalent version available in @openzeppelin/contracts. (#5944, #5942)
    • Update minimum pragma to 0.8.24 in Votes, VotesExtended, ERC20Votes, Strings, ERC1155URIStorage, MessageHashUtils, ERC721URIStorage, ERC721Votes, ERC721Wrapper, ERC721Burnable, ERC721Consecutive, ERC721Enumerable, ERC721Pausable, ERC721Royalty, ERC721Wrapper, EIP712, ERC4626 and ERC7739. (#5726)

    Deprecation

    • Initializable and UUPSUpgradeable are no longer transpiled. An alias is present in the @openzeppelin/contracts-upgradeable package that redirects to the corresponding file in @openzeppelin/contracts. These aliases will be removed in the next major release. Developers are advised to update their imports to get these files directly from the @openzeppelin/contracts package. #5941
    • ECDSA signature malleability protection is partly deprecated. See documentation for more details. #5814

    Changes by category

    Tokens

    • ERC4626: compute maxWithdraw using maxRedeem and previewRedeem so that changes to the preview functions affect the max functions. (#5130)

    Cross-chain

    • InteroperableAddress: Add a library for formatting and parsing ERC-7930 interoperable addresses. (#5736)
    • ERC7786Recipient: Generic ERC-7786 cross-chain message recipient contract. (#5904)
    • IERC7786: Add the (draft) interface for ERC-7786 "Cross-Chain Messaging Gateway" (#5737)

    Cryptography

    Signers
    • SignerWebAuthn: Add an abstract signer that verifies WebAuthn signatures, with a P256 fallback. (#5809)
    • Add constructors to the different signers. (#5757)
    Verifiers
    • ERC7913WebAuthnVerifier: Add an ERC-7913 verifier that verifies WebAuthn Authentication Assertions for P256 identities. (#5809)
    Other
    • WebAuthn: Add a library for verifying WebAuthn Authentication Assertions. (#5809)
    • ECDSA: Add parse and parseCalldata to parse bytes signatures of length 65 or 64 (erc-2098) into its v,r,s components. (#5814)
    • ECDSA: Add recoverCalldata and tryRecoverCalldata, variants of recover and tryRecover that are more efficient when signatures are in calldata. (#5788)
    • SignatureChecker: Add isValidSignatureNowCalldata(address,bytes32,bytes calldata) for efficient processing of calldata signatures. (#5788)

    Structures

    • Checkpoints: Add a new checkpoint variant Checkpoint256 using uint256 type for the value and key. (#5748)
    • Accumulators: A library for merging an arbitrary dynamic number of bytes buffers. (#5680)

    Utils

    • Base58: Add a library for encoding and decoding bytes buffers into base58 strings. (#5762)
    • Base64: Add a new decode function that parses base64 encoded strings. (#5765)
    • Bytes: Add concat that merges a bytes[] array of buffers into a single bytes buffer. (#5882)
    • Bytes: Add reverseBytes32, reverseBytes16, reverseBytes8, reverseBytes4, and reverseBytes2 functions to reverse byte order for converting between little-endian and big-endian representations. (#5724)
    • Bytes: Add splice(bytes,uint256) and splice(bytes,uint256,uint256) functions that move a specified range of bytes to the start of the buffer and truncate it in place, as an alternative to slice. (#5733)
    • Bytes: Add a clz function to count the leading zero bits in a bytes buffer. (#5725)
    • Bytes: Add an equal function to compare byte buffers. (#5726)
    • Bytes: Fix lastIndexOf(bytes,byte,uint256) with empty buffers and finite position to correctly return type(uint256).max instead of accessing uninitialized memory sections. (#5797)
    • IERC7751: Add the interface for custom error wrapping of bubbled up reverts. (#5816)
    • LowLevelCall: Add a library to perform low-level calls and deal with the returndata more granularly. (#5094)
    • Math: Add a clz function to count the leading zero bits in a uint256 value. (#5725)
    • Memory: Add library with utilities to manipulate memory (#5189)
    • Memory: Add a UDVT for handling slices on memory space similarly to calldata slices. (#5680)
    • ReentrancyGuard and ReentrancyGuardTransient: Add nonReentrantView, a read-only version of the nonReentrant modifier. (#5800)
    • ReentrancyGuard, ReentrancyGuardTransient: Add an internal _reentrancyGuardStorageSlot function allowing slot customization via override. (#5892)
    • RelayedCall: Add a library to perform indirect calls through minimal and predictable relayers. (#5630)
    • RLP: Add a library for encoding and decoding data in Ethereum's Recursive Length Prefix format. (#5680)
    • Strings: Add toHexString(bytes). (#5761)
  • 5.4.0 - 2025-07-17

    Breaking changes

    • Update minimum pragma to 0.8.24 in SignatureChecker, Governor and Governor's extensions. (#5716).

    Pragma changes

    • Reduced pragma requirement of interface files

    Changes by category

    Account

    • Account: Added a simple ERC-4337 account implementation with minimal logic to process user operations. (#5657)
    • AccountERC7579: Extension of Account that implements support for ERC-7579 modules of type executor, validator, and fallback handler. (#5657)
    • AccountERC7579Hooked: Extension of AccountERC7579 that implements support for ERC-7579 hook modules. (#5657)
    • EIP7702Utils: Add a library for checking if an address has an EIP-7702 delegation in place. (#5587)
    • IERC7821, ERC7821: Interface and logic for minimal batch execution. No support for additional opData is included. (#5657)

    Governance

    • GovernorNoncesKeyed: Extension of Governor that adds support for keyed nonces when voting by sig. (#5574)

    Tokens

    • ERC20Bridgeable: Implementation of ERC-7802 that makes an ERC-20 compatible with crosschain bridges. (#5739)

    Cryptography

    Signers
    • AbstractSigner, SignerECDSA, SignerP256, and SignerRSA: Add an abstract contract and various implementations for contracts that deal with signature verification. (#5657)
    • SignerERC7702: Implementation of AbstractSigner for Externally Owned Accounts (EOAs). Useful with ERC-7702. (#5657)
    • SignerERC7913: Abstract signer that verifies signatures using the ERC-7913 workflow. (#5659)
    • MultiSignerERC7913: Implementation of AbstractSigner that supports multiple ERC-7913 signers with a threshold-based signature verification system. (#5659)
    • MultiSignerERC7913Weighted: Extension of MultiSignerERC7913 that supports assigning different weights to each signer, enabling more flexible governance schemes. (#5741)
    Verifiers
    • ERC7913P256Verifier and ERC7913RSAVerifier: Ready to use ERC-7913 verifiers that implement key verification for P256 (secp256r1) and RSA keys. (#5659)
    Other
    • SignatureChecker: Add support for ERC-7913 signatures alongside existing ECDSA and ERC-1271 signature verification. (#5659)
    • ERC7739: An abstract contract to validate signatures following the rehashing scheme from ERC7739Utils. (#5664)
    • ERC7739Utils: Add a library that implements a defensive rehashing mechanism to prevent replayability of smart contract signatures based on the ERC-7739. (#5664)

    Structures

    • EnumerableMap: Add support for BytesToBytesMap type. (#5658)
    • EnumerableMap: Add keys(uint256,uint256) that returns a subset (slice) of the keys in the map. (#5713)
    • EnumerableSet: Add support for StringSet and BytesSet types. (#5658)
    • EnumerableSet: Add values(uint256,uint256) that returns a subset (slice) of the values in the set. (#5713)

    Utils

    • Arrays: Add unsafeAccess, unsafeMemoryAccess and unsafeSetLength for bytes[] and string[]. (#5568)
    • Blockhash: Add a library that provides access to historical block hashes using EIP-2935's history storage, extending the standard 256-block limit to 8191 blocks. (#5642)
    • Bytes: Fix lastIndexOf(bytes,byte,uint256) with empty buffers and finite position to correctly return type(uint256).max instead of accessing uninitialized memory sections. (#5797)
from @openzeppelin/contracts GitHub release notes

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

See this package in npm:
@openzeppelin/contracts

See this project in Snyk:
https://app.snyk.io/org/mastatrill/project/7b4999b0-305f-4b36-b26f-d55578b1ec0e?utm_source=github&utm_medium=referral&page=upgrade-pr
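
A pre-merge check for the import changes listed in the release notes above, as an added example (not part of this PR, Snyk's output, or OpenZeppelin's code): it scans Solidity source for imports affected by the 5.5.0 breaking changes and the deprecation. The function name `scanSource`, the constructed sample contract and its import paths, and the assumption that draft files carry "draft" in their file name are illustrative.

```javascript
// Added example: flag Solidity imports touched by the 5.5.0 release notes.
const CORE = '@openzeppelin/contracts/';
const UPGRADEABLE = '@openzeppelin/contracts-upgradeable/';

// One rule per import-related entry in the 5.5.0 notes quoted in this PR.
const RULES = [
  // Assumption: draft files carry "draft" in the file name.
  { level: 'breaking', pkg: CORE, match: /draft[^/]*ERC6909/,
    note: 'ERC6909 is no longer draft: update the import path (#5929)' },
  { level: 'breaking', pkg: CORE, match: /SignerERC7702/,
    note: 'renamed to SignerEIP7702: update import and inheritance (#5932)' },
  { level: 'breaking', pkg: UPGRADEABLE,
    match: /(ERC721Holder|ERC1155Holder|ReentrancyGuard)/,
    note: 'no longer transpiled: import from @openzeppelin/contracts (#5944, #5942)' },
  { level: 'deprecated', pkg: UPGRADEABLE,
    match: /\/(Initializable|UUPSUpgradeable)\.sol$/,
    note: 'alias only, removed in next major: import from @openzeppelin/contracts (#5941)' },
];

// Captures the quoted path of single-line and multi-line import statements.
const IMPORT_RE = /\bimport\b[^;"']*["']([^"']+)["'][^;]*;/g;

function scanSource(file, source) {
  const findings = [];
  for (const m of source.matchAll(IMPORT_RE)) {
    const importPath = m[1];
    // 1-based line on which the import statement starts.
    const line = source.slice(0, m.index).split('\n').length;
    for (const rule of RULES) {
      // The trailing slash in pkg keeps the two packages apart.
      if (importPath.startsWith(rule.pkg) && rule.match.test(importPath)) {
        findings.push({ file, line, level: rule.level, path: importPath, note: rule.note });
      }
    }
  }
  return findings;
}

// Constructed sample contract header, not taken from the repository.
const SAMPLE = `// constructed sample
pragma solidity ^0.8.24;
import {ERC6909} from "@openzeppelin/contracts/token/ERC6909/draft-ERC6909.sol";
import {
    ReentrancyGuardUpgradeable
} from "@openzeppelin/contracts-upgradeable/utils/ReentrancyGuardUpgradeable.sol";
import {Initializable} from "@openzeppelin/contracts-upgradeable/proxy/utils/Initializable.sol";
import {ERC20} from "@openzeppelin/contracts/token/ERC20/ERC20.sol";
`;

for (const f of scanSource('Sample.sol', SAMPLE)) {
  console.log(`${f.file}:${f.line} [${f.level}] ${f.path}\n    ${f.note}`);
}
```

Findings at level `breaking` stop compilation after the upgrade; `deprecated` ones keep working through the alias until the next major release.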
Copilot AI review requested due to automatic review settings January 4, 2026 03:48
cloudflare-workers-and-pages bot commented Jan 4, 2026

Deploying aetheron-platform with Cloudflare Pages

Latest commit: a9980fc
Status: 🚫 Build failed.

View logs

vercel bot commented Jan 4, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
aetheron Error Error Jan 4, 2026 3:50am
vercel-node-app-1 Error Error Jan 4, 2026 3:50am

Copilot AI left a comment

Pull request overview

This PR proposes upgrading the @openzeppelin/contracts dependency from version 5.4.0 to 5.5.0, as suggested by Snyk. However, there is a critical issue with the release date information that needs verification before proceeding with this upgrade.

Key Changes:

  • Update @openzeppelin/contracts from ^5.4.0 to ^5.5.0 in package.json
  • The upgrade spans 3 versions according to Snyk

cloudflare-workers-and-pages bot commented Jan 4, 2026

Deploying with Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Updated (UTC)
❌ Deployment failed
View logs
aetheron a9980fc Jan 04 2026, 03:52 AM
