[Snyk] Upgrade web3 from 1.10.4 to 4.16.0 #820

Dargon789 · 2025-07-03T01:48:21Z

Snyk has created this PR to upgrade web3 from 1.10.4 to 4.16.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

The recommended version is 386 versions ahead of your current version.
The recommended version was released 7 months ago.

Issues fixed by the recommended upgrade:

Issue	Score	Exploit Maturity
Improper Verification of Cryptographic Signature SNYK-JS-ELLIPTIC-8187303	243	Proof of Concept
Prototype Pollution SNYK-JS-WEB3UTILS-6229337	243	Proof of Concept
Denial of Service (DoS) SNYK-JS-WS-7266574	243	Proof of Concept
Server-side Request Forgery (SSRF) SNYK-JS-REQUEST-3361831	243	Proof of Concept
Uncontrolled Resource Consumption ('Resource Exhaustion') SNYK-JS-TAR-6476909	243	Proof of Concept
Prototype Pollution SNYK-JS-TOUGHCOOKIE-5672873	243	Proof of Concept
Regular Expression Denial of Service (ReDoS) SNYK-JS-WS-1296835	243	Proof of Concept

Release notes

Package name: web3

4.16.0 - 2024-12-03
What's Changed
- fix: correctly close ws connection in web3-eth-contract integration tests by @ krzysu in #7338
- fix: export Web3Account, Wallet and signature related types by @ krzysu in #7374
- fix: CI workflow cache issues by @ krzysu in #7384
- fix: return type of sendTransaction in docs by @ krzysu in #7386
- chore: update CI actions by @ krzysu in #7385
- Bump express from 4.19.2 to 4.21.1 in /docs by @ dependabot in #7388
- Bump ws from 7.4.6 to 8.18.0 by @ dependabot in #7171
- Bump micromatch from 4.0.7 to 4.0.8 in /docs by @ dependabot in #7225
- [Snyk] Upgrade prism-react-renderer from 2.3.1 to 2.4.0 by @ Muhammad-Altabba in #7367
- Bump express from 4.18.1 to 4.20.0 by @ dependabot in #7258
- chore: update deps to fix vulnerabilities by @ krzysu in #7389
- chore: fix 0 kwei bug by @ whitemoshui in #7387
- [Snyk] Upgrade docusaurus-lunr-search from 3.4.0 to 3.5.0 by @ Muhammad-Altabba in #7396
- Bump cross-spawn from 7.0.3 to 7.0.6 in /docs by @ dependabot in #7399
- [Snyk] Upgrade @ mdx-js/react from 3.0.1 to 3.1.0 by @ Muhammad-Altabba in #7395
- fix: remove force exit from blackbox tests by @ krzysu in #7397
- Replaces #7390, #7391, & #7400 by @ danforbes in #7401
- [Snyk] Upgrade @ cookbookdev/docsbot from 4.24.0 to 4.24.4 by @ avkos in #7403
- chore(deps): bump cross-spawn from 7.0.3 to 7.0.6 by @ dependabot in #7404
- update typescript version to 5 by @ Muhammad-Altabba in #7272
- chore(deps-dev): bump http-proxy-middleware from 2.0.6 to 2.0.7 by @ dependabot in #7407
4.15.1-dev.e79ace2.0 - 2024-11-19
4.15.1-dev.bde1316.0 - 2024-11-14
4.15.1-dev.b3ee417.0 - 2024-12-03
4.15.1-dev.acdb0c7.0 - 2024-12-03
4.15.1-dev.9aab5cd.0 - 2024-11-14
4.15.1-dev.984cb7c.0 - 2024-11-22
4.15.1-dev.926044b.0 - 2024-11-26
4.15.1-dev.8c55cb0.0 - 2024-11-14
4.15.1-dev.7a8df69.0 - 2024-11-25
4.15.1-dev.7109fb2.0 - 2024-11-21
4.15.1-dev.6af068f.0 - 2024-11-13
4.15.1-dev.6ad1ca9.0 - 2024-11-14
4.15.1-dev.6379aa8.0 - 2024-11-19
4.15.1-dev.6229f4d.0 - 2024-11-19
4.15.1-dev.5eeb2d6.0 - 2024-11-19
4.15.1-dev.56d4aec.0 - 2024-11-19
4.15.1-dev.5437fbc.0 - 2024-11-19
4.15.1-dev.4c55d98.0 - 2024-11-21
4.15.1-dev.471c12b.0 - 2024-11-14
4.15.1-dev.3b122a2.0 - 2024-11-21
4.15.1-dev.1b367e6.0 - 2024-11-14
4.15.1-dev.1724f35.0 - 2024-11-11
4.15.1-dev.0cbc23d.0 - 2024-11-21
4.15.1-dev.098ee6d.0 - 2024-11-06
4.15.1-dev.0915cf4.0 - 2024-11-13
4.15.1-dev.079c558.0 - 2024-11-19
4.15.1-dev.2011192.0 - 2024-11-13
4.15.0 - 2024-11-06
What's Changed
- Intermediate dApp Guide by @ danforbes in #7334
- fix: ensure contractInstance.subscriptionManager.subscribe is not throwing by @ Muhammad-Altabba in #7327
- 7202 account abstraction by @ jdevcs in #7311
- make decodeFunctionCall and decodeFunctionReturn available at web3-eth-abi by @ Muhammad-Altabba in #7345
- Add rpc provider public node by @ avkos in #7322
- Update Intermediate dApp Guide by @ danforbes in #7349
- CODEOWNERS update by @ jdevcs in #7350
- Fix Contract methods input param type any[] by @ avkos in #7340
- [Snyk] Upgrade @ cookbookdev/docsbot from 4.21.1 to 4.21.23 by @ Muhammad-Altabba in #7357
- allowing to specify percentage-based factors (like 1.125 for 112.5%) by @ TemirlanBasitov in #7332
- Fix Link to SocketConstructorOpts Type by @ danforbes in #7363
- [Snyk] Upgrade @ docusaurus/core from 3.4.0 to 3.5.2 by @ Muhammad-Altabba in #7365
- Add accout.signRaw function to sign a message without prefix by @ blackmoshui in #7346
- Lightweight dApp Development Guide by @ danforbes in #7364
- newPendingTransactionFilter by @ jdevcs in #7353
- Bump http-proxy-middleware from 2.0.6 to 2.0.7 in /docs by @ dependabot in #7356
New Contributors
- @ TemirlanBasitov made their first contribution in #7332
- @ blackmoshui made their first contribution in #7346
Full Changelog: v4.5.0...v4.15.0
4.14.1-dev.fab66e9.0 - 2024-10-21
4.14.1-dev.efac906.0 - 2024-10-28
4.14.1-dev.ed85cce.0 - 2024-10-21
4.14.1-dev.d446838.0 - 2024-11-04
4.14.1-dev.d3baae6.0 - 2024-10-24
4.14.1-dev.9fa32c9.0 - 2024-11-05
4.14.1-dev.95b4bab.0 - 2024-10-30
4.14.1-dev.70352cd.0 - 2024-10-23
4.14.1-dev.69d83e7.0 - 2024-10-30
4.14.1-dev.4ca66af.0 - 2024-10-23
4.14.1-dev.4aaf915.0 - 2024-11-04
4.14.1-dev.376f192.0 - 2024-10-21
4.14.1-dev.331aa9c.0 - 2024-10-22
4.14.1-dev.07993c2.0 - 2024-11-05
4.14.1-dev.0681f97.0 - 2024-10-24
4.14.1-dev.3687070.0 - 2024-10-22
4.14.1-dev.3283431.0 - 2024-10-31
4.14.0 - 2024-10-21
What's Changed
- Fix CHANGELOG for PR 7239 by @ danforbes in #7271
- Fix Typos in Docs by @ danforbes in #7283
- Revert CHANGELOG Changes from #7271 by @ danforbes in #7274
- Add Note About create-hardhat-web3 to Hardhat Guide by @ danforbes in #7281
- fix padRight validation failure on large uint by @ Muhammad-Altabba in #7265
- Ok/6984 update e2e network tests by @ avkos in #7276
- feat: make getEthereumjsTxDataFromTransaction not trim extra fields by @ nicolasbrugneaux in #7282
- 7136 decodeparams update by @ jdevcs in #7288
- Update FUNDING.json by @ Redoudou in #7304
- Fix e2e test error "project ID request rate exceeded" by @ avkos in #7290
- fix: correct type and documentation for baseFeePerGas at web3.eth.getFeeHistory by @ Muhammad-Altabba in #7291
- Restructure Docs by @ danforbes in #7298
- Add Support for Nethermind and Besu 'syncing' Subscription Payload Format by @ chebykin in #7306
- Fix Typos by @ danforbes in #7310
- Export EIP-6963 Types by @ danforbes in #7270
- Add Gas Estimation Guide by @ danforbes in #7319
- add migration websocket doc changes by @ luu-alex in #7318
- add ignoregaspricing config by @ luu-alex in #7320
New Contributors
- @ Redoudou made their first contribution in #7304
- @ chebykin made their first contribution in #7306
Full Changelog: v4.13.0...v4.14.0
4.13.1-dev.facc2e6.0 - 2024-10-08
4.13.1-dev.f701406.0 - 2024-10-09
4.13.1-dev.dcd9d6a.0 - 2024-10-02
4.13.1-dev.d6baee6.0 - 2024-09-23
4.13.1-dev.d45b712.0 - 2024-09-24
4.13.1-dev.cc99825.0 - 2024-09-26
4.13.1-dev.c602fc6.0 - 2024-09-24
4.13.1-dev.bbde6ea.0 - 2024-10-11
4.13.1-dev.adf483f.0 - 2024-10-04
4.13.1-dev.aa471e7.0 - 2024-09-24
4.13.1-dev.9edb183.0 - 2024-10-07
4.13.1-dev.822f8c1.0 - 2024-10-16
4.13.1-dev.7c207b8.0 - 2024-10-05
4.13.1-dev.76c468a.0 - 2024-10-04
4.13.1-dev.7008e5c.0 - 2024-10-15
4.13.1-dev.6f9a485.0 - 2024-09-19
4.13.1-dev.69187c5.0 - 2024-10-16
4.13.1-dev.61babcc.0 - 2024-09-24
4.13.1-dev.5a7e302.0 - 2024-09-18
4.13.1-dev.496ed93.0 - 2024-10-07
4.13.1-dev.32c8cc8.0 - 2024-09-26
4.13.1-dev.04da324.0 - 2024-09-26
4.13.0 - 2024-09-18
What's Changed
- unit tests update by @ jdevcs in #7221
- Handle common cases for smart contract errors according to EIP 838 by @ Muhammad-Altabba in #7155
- feat(docs): upgrade-bn by @ danforbes in #7232
- feat(requestEIP6963Providers): return-type by @ danforbes in #7239
- feat(docs): extend by @ danforbes in #7233
- fix(onNewProviderDiscovered): callback-parameter by @ danforbes in #7242
- Format repo, add new rules by @ luu-alex in #7226
- Document Formatting by @ danforbes in #7222
- feat: add custom transaction schema to formatTransaction by @ nicolasbrugneaux in #7227
New Contributors
- @ nicolasbrugneaux made their first contribution in #7227
4.12.2-dev.f351e00.0 - 2024-08-23
4.12.2-dev.b86d8ca.0 - 2024-09-09
4.12.2-dev.b3cb1b7.0 - 2024-09-13
4.12.2-dev.a21078b.0 - 2024-09-17
4.12.2-dev.9b32205.0 - 2024-08-28
4.12.2-dev.973ee80.0 - 2024-09-09
4.12.2-dev.7a6e492.0 - 2024-09-05
4.12.2-dev.75df267.0 - 2024-09-09
4.12.2-dev.2f24244.0 - 2024-09-09
4.12.2-dev.27155ea.0 - 2024-09-09
4.12.1 - 2024-08-23
Hot fix

[4.12.1]

Fixed

web3-eth-accounts
- Revert TransactionFactory.registerTransactionType if there is a version mistatch between web3-eth and web3-eth-accounts and fix nextjs problem. (#7216)
What's Changed
- fix yml by @ avkos in #6803
4.12.1-dev.e746566.0 - 2024-08-22
4.12.1-dev.0b75589.0 - 2024-08-23
4.12.0 - 2024-08-22
[4.12.0]

Fixed

web3-core
- setConfig() fix for setMaxListenerWarningThreshold fix (#5079)
web3-eth-accounts
- Fix TransactionFactory.registerTransactionType not working, if there is a version mistatch between web3-eth and web3-eth-accounts by saving extraTxTypes at globals. (#7197)
Added

web3-eth-accounts
- Added public function signMessageWithPrivateKey (#7174)
web3-eth-contract
- Added populateTransaction to the contract.deploy(...) properties. (#7197)
web3-providers-http
- Added statusCode of response in ResponseError, statusCode is optional property in ResponseError.
web3-rpc-providers
- Updated rate limit error of QuickNode provider for HTTP transport
- Added optional HttpProviderOptions | SocketOptions in Web3ExternalProvider and QuickNodeProvider for provider configs
web3-errors
- Added optional statusCode property of response in ResponseError.
Changed

web3-eth-contract
- The returnred properties of contract.deploy(...) are structured with a newly created class named DeployerMethodClass. (#7197)
- Add a missed accepted type for the abi parameter, at dataInputEncodeMethodHelper and getSendTxParams. (#7197)
What's Changed
- Cookbook integration branch by @ SantiagoDevRel in #7178
- feat(glossary): updated glossary by @ EmmanuelOluwafemi in #7168
- fix infura tests and secrets by @ luu-alex in #7163
- Zk sync plugin related changes by @ avkos in #7174
- 4x tests updates by @ jdevcs in #7162
- feat(docs): Expand web3 config guide by @ mmyyrroonn in

Snyk has created this PR to upgrade web3 from 1.10.4 to 4.16.0. See this package in npm: web3 See this project in Snyk: https://app.snyk.io/org/dargon789/project/2c0bb5c3-7507-432e-a6b5-2de9762d778b?utm_source=github&utm_medium=referral&page=upgrade-pr

vercel · 2025-07-03T01:48:24Z

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
hardhat-project-uz7z	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Jul 3, 2025 1:48am

codesandbox · 2025-07-03T01:48:24Z

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders

Open Preview

sourcery-ai · 2025-07-03T01:48:26Z

Reviewer's Guide

This PR upgrades the Web3 dependency in the Hardhat‐Web3 plugin from a 1.x beta to the stable 4.16.0 release by adjusting its version specifier in package.json.

File-Level Changes

Change	Details	Files
Bump Web3 dependency version	Changed Web3 version specifier from ^1.0.0-beta.36 to ^4.16.0 in package.json	`packages/hardhat-web3/package.json`

Tips and commands

Interacting with Sourcery

Trigger a new review: Comment @sourcery-ai review on the pull request.
Continue discussions: Reply directly to Sourcery's review comments.
Generate a GitHub issue from a review comment: Ask Sourcery to create an
issue from a review comment by replying to it. You can also reply to a
review comment with @sourcery-ai issue to create an issue from it.
Generate a pull request title: Write @sourcery-ai anywhere in the pull
request title to generate a title at any time. You can also comment
@sourcery-ai title on the pull request to (re-)generate the title at any time.
Generate a pull request summary: Write @sourcery-ai summary anywhere in
the pull request body to generate a PR summary at any time exactly where you
want it. You can also comment @sourcery-ai summary on the pull request to
(re-)generate the summary at any time.
Generate reviewer's guide: Comment @sourcery-ai guide on the pull
request to (re-)generate the reviewer's guide at any time.
Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
pull request to resolve all Sourcery comments. Useful if you've already
addressed all the comments and don't want to see them anymore.
Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
request to dismiss all existing Sourcery reviews. Especially useful if you
want to start fresh with a new review - don't forget to comment
@sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

Enable or disable review features such as the Sourcery-generated pull request
summary, the reviewer's guide, and others.
Change the review language.
Add, remove or edit custom review instructions.
Adjust other review settings.

Getting Help

Contact our support team for questions or feedback.
Visit our documentation for detailed guides and information.
Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

github-actions · 2025-07-03T01:48:35Z

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

Package	Version	Score	Details
npm/web3	^4.16.0	Unknown	Unknown

Scanned Files

packages/hardhat-web3/package.json

socket-security · 2025-07-03T01:49:18Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	jest-diff@29.7.0

View full report

github-actions bot added the status:ready label Jul 3, 2025

vercel bot temporarily deployed to Preview July 3, 2025 01:48 Inactive

Dargon789 merged commit 244a7ff into main Jul 3, 2025
19 of 28 checks passed

Dargon789 deleted the snyk-upgrade-eaa5af08b637a94cdac0349563102a49 branch July 3, 2025 04:46

github-actions bot locked as resolved and limited conversation to collaborators Oct 2, 2025

[Snyk] Upgrade web3 from 1.10.4 to 4.16.0 #820

[Snyk] Upgrade web3 from 1.10.4 to 4.16.0 #820

Uh oh!

Conversation

Dargon789 commented Jul 3, 2025 • edited by sourcery-ai bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Snyk has created this PR to upgrade web3 from 1.10.4 to 4.16.0.

Issues fixed by the recommended upgrade:

What's Changed

What's Changed

New Contributors

What's Changed

New Contributors

What's Changed

New Contributors

[4.12.1]

Fixed

web3-eth-accounts

What's Changed

[4.12.0]

Fixed

web3-core

web3-eth-accounts

Added

web3-eth-accounts

web3-eth-contract

web3-providers-http

web3-rpc-providers

web3-errors

Changed

web3-eth-contract

What's Changed

Uh oh!

vercel bot commented Jul 3, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

codesandbox bot commented Jul 3, 2025

Review or Edit in CodeSandbox

Uh oh!

sourcery-ai bot commented Jul 3, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Reviewer's Guide

File-Level Changes

Interacting with Sourcery

Customizing Your Experience

Getting Help

Uh oh!

github-actions bot commented Jul 3, 2025

Dependency Review

OpenSSF Scorecard

Scanned Files

Uh oh!

socket-security bot commented Jul 3, 2025

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Dargon789 commented Jul 3, 2025 •

edited by sourcery-ai bot

Loading

vercel bot commented Jul 3, 2025 •

edited

Loading

sourcery-ai bot commented Jul 3, 2025 •

edited

Loading