chore(deps): update dependency @openzeppelin/contracts to v4.9.6 [security] - autoclosed

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@openzeppelin/contracts (source)	4.9.5 -> 4.9.6

GitHub Vulnerability Alerts

CVE-2024-27094

Impact

The Base64.encode function encodes a bytes input by iterating over it in chunks of 3 bytes. When this input is not a multiple of 3, the last iteration may read parts of the memory that are beyond the input buffer.

Although the encode function pads the output for these cases, up to 4 bits of data are kept between the encoding and padding, corrupting the output if these bits were dirty (i.e. memory after the input is not 0). These conditions are more frequent in the following scenarios:

• A bytes memory struct is allocated just after the input and the first bytes of it are non-zero.
• The memory pointer is set to a non-empty memory location before allocating the input.

Developers should evaluate whether the extra bits can be maliciously manipulated by an attacker.

Patches

Upgrade to 5.0.2 or 4.9.6.

References

This issue was reported by the Independent Security Researcher Riley Holterhus through Immunefi (@​rileyholterhus on X)

---

Release Notes

OpenZeppelin/openzeppelin-contracts (@​openzeppelin/contracts)

v4.9.6

Compare Source

• Base64: Fix issue where dirty memory located just after the input buffer is affecting the result. (#​4929)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

---

PR-Codex overview

This PR updates the version of @openzeppelin/contracts from 4.9.5 to 4.9.6 in the yarn.lock file.

Detailed summary

• Updated @openzeppelin/contracts version to 4.9.6
• Consolidated versions 4.8.3 and 4.9.5 into a single entry with version 4.9.6

✨ Ask PR-Codex anything about this PR by commenting with /codex {your question}

[netlify]

✅ Deploy Preview for kleros-v2-university ready!

Name	Link
🔨 Latest commit	40db60a
🔍 Latest deploy log	https://app.netlify.com/sites/kleros-v2-university/deploys/65eb28517d2fef00086c8ca5
😎 Deploy Preview	https://deploy-preview-1531--kleros-v2-university.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[netlify]

✅ Deploy Preview for kleros-v2 ready!

Name	Link
🔨 Latest commit	40db60a
🔍 Latest deploy log	https://app.netlify.com/sites/kleros-v2/deploys/65eb2851b2bc36000811e72d
😎 Deploy Preview	https://deploy-preview-1531--kleros-v2.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[codeclimate]

Code Climate has analyzed commit 40db60a and detected 0 issues on this pull request.

View more on Code Climate.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud