fix: dependabot alerts (backport #21531 to v4) #21592
Merged
PhilWindle merged 2 commits into backport-to-v4-staging from Mar 16, 2026
Cherry-pick of d11638d with conflicts (backport to v4).
Resolved lock file conflicts for backport to v4:
- Kept v4 specifiers while updating to new versions where applicable
- barretenberg/acir_tests, boxes, docs, playground: updated tar 7.4.3/7.5.1 -> 7.5.11
- barretenberg/ts: updated glob 10.4.5 -> 10.5.0
- barretenberg/docs: kept tar@6, updated tar@7 -> 7.5.11
- yarn-project: kept tar@6.2.1 (v4 uses tar@6, not tar@7)
- nodejs_module: kept v4 version (different lock format)
PhilWindle approved these changes Mar 16, 2026
spalladino added a commit that referenced this pull request Mar 16, 2026
Temporarily skips the `acir_tests/browser-test-app` browser prove tests (`verify_honk_proof` and `a_1_mul`) which are failing with "Failed to fetch" errors in CI, blocking the v4 merge train. This unblocks #21595 and transitively #21592 and #21443.
ClaudeBox log: https://claudebox.work/s/8663550bd346778b?run=1
---------
Co-authored-by: Santiago Palladino <santiago@aztec-labs.com>
alexghr pushed a commit that referenced this pull request Mar 17, 2026
BEGIN_COMMIT_OVERRIDE
fix(aztec-nr): return Option from decode functions and fix event commitment capacity (backport #21264) (#21360)
fix: backport #21271 — handle bad note lengths on compute_note_hash_and_nullifier (#21364)
fix: not reusing tags of partially reverted txs (#20817)
chore: revert accidental backport of #20817 (#21583)
feat: Implement commit all and revert all for world state checkpoints (#21532)
cherry-pick: fix: dependabot alerts (#21531)
fix: dependabot alerts (backport #21531 to v4) (#21592)
fix: backport #21443 — Don't update state if we failed to execute sufficient transactions (v4) (#21610)
chore: Fix msgpack serialisation (#21612)
END_COMMIT_OVERRIDE
---------
Co-authored-by: Jan Beneš <janbenes1234@gmail.com>
Co-authored-by: PhilWindle <60546371+PhilWindle@users.noreply.github.com>
Co-authored-by: Phil Windle <philip.windle@gmail.com>
Co-authored-by: Santiago Palladino <santiago@aztecprotocol.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: ludamad <adam.domurad@gmail.com>
This was referenced Mar 14, 2026
alexghr added a commit that referenced this pull request Mar 17, 2026
BEGIN_COMMIT_OVERRIDE
fix(aztec-nr): return Option from decode functions and fix event commitment capacity (backport #21264) (#21360)
fix: backport #21271 — handle bad note lengths on compute_note_hash_and_nullifier (#21364)
fix: not reusing tags of partially reverted txs (#20817)
chore: revert accidental backport of #20817 (#21583)
feat: Implement commit all and revert all for world state checkpoints (#21532)
cherry-pick: fix: dependabot alerts (#21531)
fix: dependabot alerts (backport #21531 to v4) (#21592)
fix: backport #21443 — Don't update state if we failed to execute sufficient transactions (v4) (#21610)
chore: Fix msgpack serialisation (#21612)
fix(p2p): fall back to maxTxsPerCheckpoint for per-block tx validation (#21605)
chore: merge v4 into backport-to-v4-staging (#21618)
fix(revert): avm sim uses event loop again (#21138) (#21630)
fix(e2e): remove historic/finalized block checks from epochs_multiple test (#21642)
fix: clamp finalized block to oldest available in world-state (#21643)
fix: skip handleChainFinalized when block is behind oldest available (#21656)
chore: demote finalized block skip log to trace (#21661)
fix: off-by-1 in getBlockHashMembershipWitness archive snapshot (backport #21648) (#21663)
fix: capture txs not available error reason in proposal handler (#21670)
chore: add L1 inclusion time to stg public (#21665)
END_COMMIT_OVERRIDE
---------
Co-authored-by: Jan Beneš <janbenes1234@gmail.com>
Co-authored-by: PhilWindle <60546371+PhilWindle@users.noreply.github.com>
Co-authored-by: Phil Windle <philip.windle@gmail.com>
Co-authored-by: Santiago Palladino <santiago@aztecprotocol.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: ludamad <adam.domurad@gmail.com>
Co-authored-by: Alex Gherghisan <alexghr@users.noreply.github.com>
Summary
Backport of #21531 to v4.
Updates vulnerable dependencies in lock files:
Some files from the original PR were skipped because they don't apply to v4:
- yarn-project/yarn.lock: v4 uses tar@6, not tar@7
- nodejs_module/yarn.lock: v4 uses different lock file format (yarn v1 vs berry)
Cherry-pick conflicts
Lock file conflicts due to different base versions on v4. Resolved by keeping v4 specifiers while updating to the patched versions.
ClaudeBox log: https://claudebox.work/s/c3fa261b77bf8f67?run=1
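
One way to confirm after a conflicted lock-file backport like this that no entry still resolves below the updated versions, as an added example that is not part of the PR or the project's tooling. It assumes the versions named above (tar 7.5.11, glob 10.5.0) are the minimum acceptable for their major lines; `FLOORS`, `parseLock`, `findStale` and the sample lock text are constructed for illustration.

```javascript
// Floors per major line, taken from the versions named in this PR (assumed to be
// the minimum acceptable). tar@6 has no entry because v4 deliberately keeps tar@6.
const FLOORS = { tar: { 7: '7.5.11' }, glob: { 10: '10.5.0' } };

// Compare dotted numeric versions; negative when a < b.
function cmp(a, b) {
  const pa = a.split('.'), pb = b.split('.');
  for (let i = 0; i < 3; i++) {
    const d = (parseInt(pa[i], 10) || 0) - (parseInt(pb[i], 10) || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Collect {name, version} from yarn v1 (`version "x"`) or berry (`version: x`) text.
function parseLock(text) {
  const entries = [];
  let name = null;
  for (const line of text.split('\n')) {
    // Entry headers are unindented, contain name@specifier and end with ':'.
    const head = line.match(/^"?(@?[^@\s"]+)@.*:$/);
    if (head) { name = head[1]; continue; }
    const ver = line.match(/^\s+version:?\s+"?(\d[^"\s]*)"?$/);
    // Only the first version line after a header belongs to that entry.
    if (ver && name) { entries.push({ name, version: ver[1] }); name = null; }
  }
  return entries;
}

// Return "name@version" for every entry below the floor of its major line.
function findStale(text) {
  return parseLock(text)
    .filter(({ name, version }) => {
      const floor = (FLOORS[name] || {})[parseInt(version, 10)];
      return floor !== undefined && cmp(version, floor) < 0;
    })
    .map(({ name, version }) => `${name}@${version}`);
}

// Constructed sample: three berry entries and one yarn v1 entry.
const SAMPLE = [
  '"tar@npm:^7.4.3":', '  version: 7.4.3', '',
  '"tar@npm:^7.5.1":', '  version: 7.5.11', '',
  '"glob@npm:^10.4.5":', '  version: 10.4.5', '',
  'tar@^6.1.11:', '  version "6.2.1"', '',
].join('\n');

console.log(findStale(SAMPLE));
```

Running it over each lock file touched by the backport shows at a glance whether a conflict resolution silently kept an old resolution.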