Upgrade openzeppelin dependency to 5.6.1 #314

Merged
arr00 merged 4 commits into master from chore/update-oz-5.6.1
Mar 3, 2026

@arr00 arr00 commented Mar 2, 2026

Summary by CodeRabbit

Chores

  • Upgraded OpenZeppelin contracts and contracts-upgradeable packages to version 5.6.1.

@arr00 arr00 requested a review from a team as a code owner March 2, 2026 19:38

netlify bot commented Mar 2, 2026

Deploy Preview for confidential-tokens ready!

Name Link
🔨 Latest commit 6e47bc9
🔍 Latest deploy log https://app.netlify.com/projects/confidential-tokens/deploys/69a6013fd2c30700085656de
😎 Deploy Preview https://deploy-preview-314--confidential-tokens.netlify.app


coderabbitai bot commented Mar 2, 2026

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Walkthrough

These changes update OpenZeppelin library dependencies to version 5.6.1 by bumping git submodule commit pointers for contracts and contracts-upgradeable, along with a corresponding changeset entry for release documentation.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Dependency Updates: lib/openzeppelin-contracts, lib/openzeppelin-contracts-upgradeable | Submodule pointers updated to latest commits; no functional code or API changes. |
| Changeset: .changeset/happy-hands-find.md | New changeset file documenting minor version bump for openzeppelin-confidential-contracts package and OpenZeppelin dependency upgrades to 5.6.1. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested reviewers

  • james-toussaint

Poem

🐰 The OpenZeppelin gardens grew,
With contracts-five-point-six so new,
Through submodules we softly hop,
Dependencies won't let us stop,
Version bumps—our work is done! 📚✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The pull request title 'Upgrade openzeppelin dependency to 5.6.1' directly and clearly summarizes the main change: upgrading OpenZeppelin packages to version 5.6.1. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.changeset/happy-hands-find.md:
- Line 2: Update the changeset entry so the package update is a patch rather
than a minor bump: in .changeset/happy-hands-find.md change the version type for
'openzeppelin-confidential-contracts' from minor to patch (i.e., replace "minor"
with "patch") to reflect that the upstream OpenZeppelin changes are a
bugfix-only release.

ℹ️ Review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 77aaf92 and 2c49656.

📒 Files selected for processing (3)
  • .changeset/happy-hands-find.md
  • lib/openzeppelin-contracts
  • lib/openzeppelin-contracts-upgradeable

@@ -0,0 +1,5 @@
---
'openzeppelin-confidential-contracts': minor
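
Review bot: the bump level `minor` on the `'openzeppelin-confidential-contracts'` line needs a stated reason, and only two of the five added lines of this changeset are visible here, so the summary text cannot be checked against it. If the submodules moved only from 5.6.0 to 5.6.1, `patch` matches a bug-fix-only upstream release; if they moved from an earlier version, keep `minor` and have the changeset summary name the starting version, because consumers then also inherit the behavior changes introduced in 5.6.0.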

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# First, explore the repository structure to understand the project
find . -type f -name "*.json" -o -name "*.md" | grep -E "(package\.json|README|CHANGELOG)" | head -20

Repository: OpenZeppelin/openzeppelin-confidential-contracts

Length of output: 175


🏁 Script executed:

# Check git diff to see what actually changed in this PR
git diff --stat HEAD~1 HEAD 2>/dev/null || echo "Git history not available"

Repository: OpenZeppelin/openzeppelin-confidential-contracts

Length of output: 117


🏁 Script executed:

# Look at the changeset file itself
cat -n .changeset/happy-hands-find.md

Repository: OpenZeppelin/openzeppelin-confidential-contracts

Length of output: 260


🏁 Script executed:

# Check if there's a package.json for openzeppelin-confidential-contracts
fd "package.json" | xargs grep -l "openzeppelin-confidential-contracts" 2>/dev/null || echo "Searching for package.json files..."
fd -t f "package.json" | head -10

Repository: OpenZeppelin/openzeppelin-confidential-contracts

Length of output: 163


🌐 Web query:

OpenZeppelin Contracts v5.6.1 release notes changelog breaking changes

💡 Result:

OpenZeppelin Contracts v5.6.1 — release notes / changelog / breaking changes

Release date

Changelog (what changed in v5.6.1)

  • InteroperableAddress: Fixed an overflow in parsing functions that could cause a silent mis-parse of large interoperable addresses. (github.com)

Breaking changes in v5.6.1

Note (if you’re upgrading to v5.6.1 from < v5.6.0)

  • The breaking changes are in v5.6.0, not v5.6.1 (e.g., Strings.escapeJSON behavior, ERC1155 single-element batch receiver hook behavior, proxy initialization requirement, etc.). (raw.githubusercontent.com)

Citations:


🌐 Web query:

OpenZeppelin Contracts Upgradeable v5.6.1 new features behavior changes

💡 Result:

OpenZeppelin Contracts Upgradeable v5.6.1 — new features / behavior changes

Release date: 2026-02-27. [1]

What changed (patch release; no new features)

  • InteroperableAddress bug fix: fixed an overflow in parsing functions that could cause silent misparsing of large “interoperable address” inputs. [1]

Behavior change (what you might observe)

  • Previously, in tryParseV1 / tryParseV1Calldata, intermediate length variables were uint8, so chainReferenceLength + addrLength could wrap at 256, letting bounds checks pass and returning success = true with an incorrect/empty address slice for certain large inputs. [2]
  • With v5.6.1, those large inputs should no longer silently parse incorrectly (they’ll parse correctly or be rejected depending on the input and parser constraints). [1][2]

Sources: OpenZeppelin contracts-upgradeable changelog (v5.6.1), and the upstream PR that implemented the fix. [1][2]


Change bump type from minor to patch.

OpenZeppelin Contracts v5.6.1 and Contracts Upgradeable v5.6.1 are patch releases containing only a bug fix for an overflow in InteroperableAddress parsing. No new features or public API changes are included. The changeset should be patch to accurately reflect that this is a dependency patch upgrade.

'openzeppelin-confidential-contracts': patch
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.changeset/happy-hands-find.md at line 2, Update the changeset entry so the
package update is a patch rather than a minor bump: in
.changeset/happy-hands-find.md change the version type for
'openzeppelin-confidential-contracts' from minor to patch (i.e., replace "minor"
with "patch") to reflect that the upstream OpenZeppelin changes are a
bugfix-only release.
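
The 8-bit length wrap described in the review comment above, as an added example (not code from this PR, from CodeRabbit, or from OpenZeppelin): a simplified Python model of a length-prefixed parser whose bounds check sums two one-byte lengths, once with 8-bit arithmetic and once with wide arithmetic. The byte layout and the names `parse` and `build` are assumptions made for illustration; the sample inputs are constructed.

```python
# Simplified model of the bounds check discussed above; NOT OpenZeppelin's code.
# Assumed toy layout: 4-byte header | 1-byte chain_ref_len | chain_ref
#                     | 1-byte addr_len | addr
HEADER = 4


def parse(buf: bytes, narrow: bool):
    """Return (success, chain_ref, addr).

    narrow=True models summing the two lengths in an 8-bit variable;
    narrow=False models the same check done in a wide integer.
    """
    if len(buf) < HEADER + 2:
        return False, b"", b""
    chain_ref_len = buf[HEADER]
    addr_len_at = HEADER + 1 + chain_ref_len
    if len(buf) <= addr_len_at:           # the addr_len byte must exist
        return False, b"", b""
    addr_len = buf[addr_len_at]
    total = chain_ref_len + addr_len
    if narrow:
        total &= 0xFF                     # 8-bit sum wraps at 256
    if len(buf) < HEADER + 2 + total:     # bounds check on the summed lengths
        return False, b"", b""
    chain_ref = buf[HEADER + 1:addr_len_at]
    # Slicing past the end silently yields fewer bytes than addr_len claims.
    addr = buf[addr_len_at + 1:addr_len_at + 1 + addr_len]
    return True, chain_ref, addr


def build(chain_ref: bytes, addr_len_field: int, addr: bytes) -> bytes:
    """Constructed sample input; addr_len_field may disagree with len(addr)."""
    return (bytes(HEADER) + bytes([len(chain_ref)]) + chain_ref
            + bytes([addr_len_field]) + addr)


if __name__ == "__main__":
    # Declares 200 + 56 = 256 payload bytes but carries only 210 of them.
    truncated = build(b"\x11" * 200, 56, b"\xaa" * 10)
    for narrow in (True, False):
        ok, _, addr = parse(truncated, narrow)
        print(f"narrow={narrow}: success={ok}, address bytes returned={len(addr)}")
```

A regression test for a parser of this shape should include inputs whose two length fields sum to 256 or more, since smaller truncated inputs are rejected by both variants.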

@arr00 arr00 marked this pull request as draft March 2, 2026 20:43
@arr00 arr00 force-pushed the chore/update-oz-5.6.1 branch from fa2b198 to 6e47bc9 Compare March 2, 2026 21:29
@arr00 arr00 marked this pull request as ready for review March 3, 2026 17:10
@arr00 arr00 requested a review from james-toussaint March 3, 2026 17:28
@arr00 arr00 merged commit 7a09bc3 into master Mar 3, 2026
16 checks passed
@arr00 arr00 deleted the chore/update-oz-5.6.1 branch March 3, 2026 17:53
@github-actions github-actions bot mentioned this pull request Mar 5, 2026
@github-actions github-actions bot mentioned this pull request Mar 20, 2026