Bump undici, @nomicfoundation/hardhat-foundry, @nomicfoundation/hardhat-toolbox, @openzeppelin/hardhat-upgrades and hardhat in /contracts

[dependabot]

Bumps undici to 7.28.0 and updates ancestor dependencies undici, @nomicfoundation/hardhat-foundry, @nomicfoundation/hardhat-toolbox, @openzeppelin/hardhat-upgrades and hardhat. These dependencies need to be updated together.

Updates undici from 7.10.0 to 7.28.0

Release notes

Sourced from undici's releases.

v7.28.0

⚠️ Security Release

This release line addresses 7 security advisories, all shipped in v7.28.0.

Action required: Upgrade to undici 7.28.0 or later.

npm install undici@^7.28.0

The v7 line is not affected by GHSA-38rv-x7px-6hhq (CVE-2026-9675), which is an 8.x-only regression.

Note on GHSA-hm92-r4w5-c3mj: this fix shipped in v7.28.0, not the earlier 7.2x line — the vulnerable single-pool code was still present through v7.27.2. The per-origin pool fix is 3805b8f8 (#5041).

Summary

Advisory	CVE	Severity (CVSS)	Fixed in	Fix commit
GHSA-vxpw-j846-p89q	CVE-2026-12151	High (7.5)	7.28.0	8cb10f98
GHSA-vmh5-mc38-953g	CVE-2026-9697	High (7.4)	7.28.0	04201f89
GHSA-hm92-r4w5-c3mj	CVE-2026-6734	High (7.5)	7.28.0	3805b8f8
GHSA-pr7r-676h-xcf6	CVE-2026-9678	Moderate (5.9)	7.28.0	85a24055
GHSA-p88m-4jfj-68fv	CVE-2026-9679	Moderate (5.9)	7.28.0	d0574cc4
GHSA-g8m3-5g58-fq7m	CVE-2026-11525	Low (3.7)	7.28.0	d0574cc4
GHSA-35p6-xmwp-9g52	CVE-2026-6733	Low (3.7)	7.28.0	ea8930cf

---

High severity

WebSocket DoS via fragment count bypass — CVE-2026-12151

GHSA-vxpw-j846-p89q · CWE-400, CWE-770 Fix: 8cb10f98 websocket: limit the number of fragments in a message (part of backport a027a4a0 Backport WebSocket maxPayloadSize fixes to v7.x, #5423)

A malicious WebSocket server can stream a large number of small or empty continuation frames. Undici enforced a limit on cumulative payload size but did not limit the number of fragments per message, leading to unbounded memory growth and denial of service.

• Affected: applications using new WebSocket(...) or WebSocketStream against untrusted endpoints.
• Workaround: none — upgrade is required.

TLS certificate validation bypass in SOCKS5 ProxyAgent — CVE-2026-9697

GHSA-vmh5-mc38-953g · CWE-295

... (truncated)

Commits

• f9eba0a Bumped v7.28.0 (#5430)
• a027a4a Backport WebSocket maxPayloadSize fixes to v7.x (#5423)
• 8cb10f9 websocket: limit the number of fragments in a message
• 04201f8 fix: honor requestTls when proxy is SOCKS5
• fcd642f fix(socks5): preserve dispatch backpressure return value (#5166)
• bc98c97 fix(socks5): use configured connector in Socks5ProxyAgent (#5168)
• 9e1c743 fix(socks5): encode embedded IPv4 tails in IPv6 literals correctly (#5099)
• 376c8be fix(socks5): enforce authenticated state before CONNECT (#5097)
• 3805b8f fix(socks5-proxy-agent): use per-origin pools to prevent cross-origin routing...
• 85a2405 fix(cache): trim qualified field names
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for undici since your current version.

Updates @nomicfoundation/hardhat-foundry from 1.1.4 to 3.0.4

Release notes

Sourced from @​nomicfoundation/hardhat-foundry's releases.

@​nomicfoundation/hardhat-foundry@​3.0.4

Changes

• #8339 00720e8 Thanks @​alcuadrado! - The plugin now uses definePlugin from hardhat/plugins in its index.ts, so it participates in Hardhat's new "imported but unused plugin" warning when omitted from a project's plugins array.

• Updated dependencies:

  • hardhat@3.8.0
  • @​nomicfoundation/hardhat-errors@​3.0.15

---

💡 The Nomic Foundation is hiring! Check our open positions.

---

@​nomicfoundation/hardhat-foundry@​3.0.3

Changes

• #8264 8452f97 Thanks @​alcuadrado! - Export ./package.json so consumers can import the package's manifest.

• Updated dependencies:

  • @​nomicfoundation/hardhat-errors@​3.0.13
  • @​nomicfoundation/hardhat-utils@​4.1.2

---

💡 The Nomic Foundation is hiring! Check our open positions.

---

Changelog

Sourced from @​nomicfoundation/hardhat-foundry's changelog.

3.0.4

Patch Changes

• #8339 00720e8 Thanks @​alcuadrado! - The plugin now uses definePlugin from hardhat/plugins in its index.ts, so it participates in Hardhat's new "imported but unused plugin" warning when omitted from a project's plugins array.

• Updated dependencies:

  • hardhat@3.8.0
  • @​nomicfoundation/hardhat-errors@​3.0.15

3.0.3

Patch Changes

• #8264 8452f97 Thanks @​alcuadrado! - Export ./package.json so consumers can import the package's manifest.

• Updated dependencies:

  • @​nomicfoundation/hardhat-errors@​3.0.13
  • @​nomicfoundation/hardhat-utils@​4.1.2

3.0.2

Patch Changes

• #8179 d16d82a Thanks @​alcuadrado! - Await all returned promises for better debuggability

• Updated dependencies:

  • @​nomicfoundation/hardhat-utils@​4.0.4

3.0.1

Patch Changes

• #8096 7fb721b Thanks @​alcuadrado! - [chore] Move to packages/ folder.

• Updated dependencies:

  • @​nomicfoundation/hardhat-errors@​3.0.11
  • @​nomicfoundation/hardhat-utils@​4.0.3

3.0.0

Major Changes

• 4cd63e9: Introduce the @nomicfoundation/hardhat-foundry plugin for Hardhat 3

Commits

• 9be35f7 Version Packages
• 76d0a2c Update external plugins
• ccb55d9 Version Packages
• 54343f7 Upgrade TS everywhere
• 31f33cf Merge pull request #8264 from NomicFoundation/export-package-jsons
• 0033686 scripts: run eslint before prettier in lint-file wrapper and pnpm lint/lint:fix
• 8452f97 Export package.json files
• aee1508 Version Packages
• 4b790b7 Autoapply new rule
• 5f08586 Version Packages
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​nomicfoundation/hardhat-foundry since your current version.

Updates @nomicfoundation/hardhat-toolbox from 4.0.0 to 7.0.0

Release notes

Sourced from @​nomicfoundation/hardhat-toolbox's releases.

@​nomicfoundation/hardhat-toolbox-viem@​5.0.7

Changes

• #8339 00720e8 Thanks @​alcuadrado! - The plugin now uses definePlugin from hardhat/plugins in its index.ts, so it participates in Hardhat's new "imported but unused plugin" warning when omitted from a project's plugins array.

• Updated dependencies:

  • hardhat@3.8.0

---

💡 The Nomic Foundation is hiring! Check our open positions.

---

@​nomicfoundation/hardhat-toolbox-viem@​5.0.6

Changes

• #8264 8452f97 Thanks @​alcuadrado! - Export ./package.json so consumers can import the package's manifest.

---

💡 The Nomic Foundation is hiring! Check our open positions.

---

@​nomicfoundation/hardhat-toolbox-viem@​5.0.5

Changes

• #8191 2a4ae8e Thanks @​alcuadrado! - Update how type extensions are handled to optimize the bootstrap process of Hardhat.

---

💡 The Nomic Foundation is hiring! Check our open positions.

---

Changelog

Sourced from @​nomicfoundation/hardhat-toolbox's changelog.

7.0.0

Major Changes

• 09ae6db: Deprecate the latest npm tag and redirect users to migrate to Hardhat 3 or to the hh2 tag.

Commits

• 6372d08 Version Packages
• a26e822 Remove the npm tags from the README.md files
• 18bef56 Quote the package in the installation instructions of the readmes
• e5025ae Update the formatting and quote the package in the installation instructions ...
• ee34347 Update hardhat-toolbox
• 7ade974 Version Packages
• a7e4215 feat: bump minimum version of solidity-coverage to Osaka
• e4ad0ad chore: update package metadata for provenance
• f65ee74 Version Packages
• a4f1e27 Hardhat 2 documentation links updated to reflect the domain change to v2.hard...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​nomicfoundation/hardhat-toolbox since your current version.

Updates @openzeppelin/hardhat-upgrades from 3.9.0 to 4.0.2

Release notes

Sourced from @​openzeppelin/hardhat-upgrades's releases.

@​openzeppelin/hardhat-upgrades@​4.0.2

• Re-export @nomicfoundation/hardhat-ethers types so that TypeScript recognizes connection.ethers when only this plugin is registered. (#1275)

@​openzeppelin/hardhat-upgrades@​4.0.1

• Update dependencies. (#1255)

@​openzeppelin/hardhat-upgrades@​4.0.0

• Migrate to Hardhat 3 with ESM module structure and plugin hooks architecture. (#1241)

  Breaking Changes

  • Requires Hardhat 3: minimum hardhat@^3.6.0 required.
  • ESM-only: package converted to ESM; CommonJS is no longer supported.
  • API Changes:
    • No automatic hre.upgrades — call the upgrades(hre, connection) factory explicitly.
    • Factory functions (upgrades, defender) are async and require a network connection.
    • Network connection must be explicitly created: const connection = await hre.network.create(). Share one connection across operations.
    • ethers now comes from the connection (const { ethers } = connection), not hre.ethers.
  • Import Changes: import factory functions instead of a side-effect import.
    • Before: import '@openzeppelin/hardhat-upgrades'
    • After: import { upgrades, defender } from '@openzeppelin/hardhat-upgrades'

  Usage and Migration

  See the README for Hardhat 3 usage, the examples directory for sample projects, and the Migration Guide for Hardhat 2 to 3 migration steps.

  Changes

  • Migrated from extendEnvironment to Hardhat 3's HardhatPlugin with hookHandlers.
  • Converted package to ESM.
  • Etherscan verification requires @nomicfoundation/hardhat-verify@^3.0.10 (optional peer dependency).
  • Support Solidity tests in Hardhat 3 with @openzeppelin/foundry-upgrades.
  • Added example projects for Hardhat 3 (Transparent, UUPS, and Solidity-test scaffolds under packages/plugin-hardhat/examples/).

• Updated dependencies [7f3e4c6, 668f70c]:

  • @​openzeppelin/upgrades-core@​1.45.0

@​openzeppelin/hardhat-upgrades@​4.0.0-alpha.0

Note ⚠️ This version is still in testing. Do not use it to deploy or upgrade production deployments.

• Migrate to Hardhat 3 with ESM module structure and plugin hooks architecture. (#1194)

  Breaking Changes

  • Requires Hardhat 3: Minimum hardhat@^3.0.0 required
  • ESM-only: Package converted to ESM, CommonJS no longer supported
  • API Changes:
    • No automatic hre.upgrades - must call factory function explicitly
    • Factory functions are async: await upgrades(hre, connection)
    • Network connection must be explicitly created: await hre.network.connect()

... (truncated)

Commits

• e8d0f6f Prepare Release (#1276)
• 43af631 Re-export hardhat-ethers from hardhat-upgrades (#1275)
• 70813e8 Rename to hre.network.create() in markdown docs (#1273)
• 7c63a5f Update dependencies in Hardhat 3 example projects (#1271)
• 5257231 Add error message assertions in Solidity tests (#1272)
• a4562e9 Fix concurrent-publish race in package build scripts (#1268)
• 490cd7b Update codecov/codecov-action action to v6 (#1265)
• efe0e08 Update dependency @​ava/typescript to v7 (#1266)
• c5b129f Update actions/setup-node action to v6 (#1262)
• 90ca593 Prepare Release (#1264)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​openzeppelin/hardhat-upgrades since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates hardhat from 2.25.0 to 3.9.0

Release notes

Sourced from hardhat's releases.

Hardhat v3.9.0

This release adds support for excluding files from test coverage instrumentation and reporting (i.e. npx hardhat test --coverage).

Changes

• #8380 0fd498d Thanks @​kanej! - Added support for coverage.skipFiles, a list of globs of Solidity files to exclude from coverage instrumentation and reporting during a --coverage run.

• #8383 1660f1e Thanks @​schaable! - Fixed an intermittent "Provider for provided chain type does not exist" error that could occur when multiple network connections were created concurrently.

• #8371 287620e Thanks @​gultekinmakif! - Account overrides that share an address with the network's built-in genesis accounts are now correctly merged into a single genesis entry.

• #8375 931a5f0 Thanks @​schaable! - Suppressed the solc initcode size warning for Solidity test contracts and when running under --coverage.

• #8372 5f6aff2 Thanks @​gultekinmakif! - Improved validation for initialDate network configuration. Invalid Date objects and unparseable date strings are now rejected during config loading rather than causing a runtime error later.

---

💡 The Nomic Foundation is hiring! Check our open positions.

---

Hardhat v3.8.0

This release includes two improvements: a warning is now printed if a plugin is imported in hardhat.config.ts but not included in the plugins array and node:test now more cleanly displays Solidity errors.

Changes

• #8339 f21390f Thanks @​alcuadrado! - Added definePlugin, a new helper exported from hardhat/plugins. Plugin authors should wrap their plugin literal with it so the default export of their index module becomes:

  import type { HardhatPlugin } from "hardhat/types/plugins";
  import { definePlugin } from "hardhat/plugins";
  const hardhatPlugin: HardhatPlugin = definePlugin({
  id: "my-plugin",
  // ...
  });
  export default hardhatPlugin;

  definePlugin returns its argument unchanged and, as a side effect, registers the plugin's id in a process-wide registry of loaded plugins. Hardhat's CLI uses that registry to warn when a plugin is imported but missing from the user's plugins array.

• #8339 19c6927 Thanks @​alcuadrado! - Hardhat now warns when a plugin is imported in your Hardhat config file but missing from the plugins array. The warning is printed to stderr after the runtime environment is created, listing the offending plugins and pointing the user at the fix.

  If your Hardhat config file is written in TypeScript, for the warning to be reliable your project's tsconfig.json must enable verbatimModuleSyntax: true. Without it, TypeScript deletes unused default-value imports, so an unused plugin can't be detected.

• #8336 86bfe66 Thanks @​Wodann! - - Fixed default gas limit of Solidity test runner when a custom transaction gas cap (EIP-7825) or block gas limit is specified

  • Fixed process deadlock/hang when dropping a provider with interval mining and logging enabled
  • Print more detailed error descriptions for EVM, invariant fuzz, and cheatcode errors

• #8345 9d5b96c Thanks @​alcuadrado! - Add .solidityStack property to the SolidityError exceptions generated by EDR

... (truncated)

Changelog

Sourced from hardhat's changelog.

3.9.0

Minor Changes

• #8380 0fd498d Thanks @​kanej! - Added support for coverage.skipFiles, a list of globs of Solidity files to exclude from coverage instrumentation and reporting during a --coverage run.

Patch Changes

• #8383 1660f1e Thanks @​schaable! - Fixed an intermittent "Provider for provided chain type does not exist" error that could occur when multiple network connections were created concurrently.

• #8371 287620e Thanks @​gultekinmakif! - Account overrides that share an address with the network's built-in genesis accounts are now correctly merged into a single genesis entry.

• #8375 931a5f0 Thanks @​schaable! - Suppressed the solc initcode size warning for Solidity test contracts and when running under --coverage.

• #8372 5f6aff2 Thanks @​gultekinmakif! - Improved validation for initialDate network configuration. Invalid Date objects and unparseable date strings are now rejected during config loading rather than causing a runtime error later.

3.8.0

Minor Changes

• #8339 f21390f Thanks @​alcuadrado! - Added definePlugin, a new helper exported from hardhat/plugins. Plugin authors should wrap their plugin literal with it so the default export of their index module becomes:

  import type { HardhatPlugin } from "hardhat/types/plugins";
  import { definePlugin } from "hardhat/plugins";
  const hardhatPlugin: HardhatPlugin = definePlugin({
  id: "my-plugin",
  // ...
  });
  export default hardhatPlugin;

  definePlugin returns its argument unchanged and, as a side effect, registers the plugin's id in a process-wide registry of loaded plugins. Hardhat's CLI uses that registry to warn when a plugin is imported but missing from the user's plugins array.

• #8339 19c6927 Thanks @​alcuadrado! - Hardhat now warns when a plugin is imported in your Hardhat config file but missing from the plugins array. The warning is printed to stderr after the runtime environment is created, listing the offending plugins and pointing the user at the fix.

  If your Hardhat config file is written in TypeScript, for the warning to be reliable your project's tsconfig.json must enable verbatimModuleSyntax: true. Without it, TypeScript deletes unused default-value imports, so an unused plugin can't be detected.

Patch Changes

• #8336 86bfe66 Thanks @​Wodann! - - Fixed default gas limit of Solidity test runner when a custom transaction gas cap (EIP-7825) or block gas limit is specified

  • Fixed process deadlock/hang when dropping a provider with interval mining and logging enabled
  • Print more detailed error descriptions for EVM, invariant fuzz, and cheatcode errors

• #8345 9d5b96c Thanks @​alcuadrado! - Add .solidityStack property to the SolidityError exceptions generated by EDR

... (truncated)

Commits

• 59c0787 Version Packages
• 904a944 Merge pull request #8380 from NomicFoundation/feat/coverage-skip-files
• 9602831 feat: skip instrumentation for coverage.skipFiles matches
• ac16d41 Merge pull request #8371 from gultekinmakif/fix/genesis-state-merge
• 84a0b5d test(network-manager): cover empty-list and new-entry paths for mergeGenesisS...
• b96bf45 test(network-manager): cover mergeGenesisState with crafted address collisions
• b089f07 fix(network-manager): favor user override over chain default in mergeGenesisS...
• aea8440 refactor(network-manager): extract genesis-state merge loop to mergeGenesisState
• f69ec6a fix(network-manager): call genesisState.set when merging an existing override
• 75de11d test(network-manager): refactor test desc
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for hardhat since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.