Update dependency @nomicfoundation/slang to v1 #1139

Open
renovate[bot] wants to merge 1 commit into master from renovate/nomicfoundation-slang-1.x

renovate bot commented Mar 17, 2025

This PR contains the following updates:

Package | Change
@nomicfoundation/slang (source) | ^0.18.3 → ^1.0.0

Release Notes

NomicFoundation/slang (@​nomicfoundation/slang)

v1.3.4

Patch Changes
  • #​1533 afc9f87 Thanks @​OmarTawfik! - Fixed a panic during constructing binding graphs, when the input has incomplete IdentifierPath expressions.

v1.3.3

Patch Changes
  • #​1523 27f07a8 Thanks @​teofr! - Remove constant, view, and pure attributes from UnnamedFunctionDefinition, to disambiguate from StateVariableDefinition that have a function type.

  • #​1526 a52001d Thanks @​teofr! - Fixed associativity of AssignmentExpression from left to right.

  • #​1525 7f3ea6f Thanks @​teofr! - Add support for Solidity 0.8.34.

  • #​1502 6963419 Thanks @​teofr! - Fixed the old style revert calls (revert("oops!")) to be parsed as a FunctionCallExpression rather than a RevertStatement.

v1.3.2

Patch Changes

v1.3.1

Patch Changes

v1.3.0

Minor Changes
  • #​1396 d568dec Thanks @​beta-ziliani! - Add a rewriter API, allowing the transformation of CSTs by extending the BaseRewriter type, overriding the appropriate methods (User Guide).

  • #​1440 4438fc8 Thanks @​OmarTawfik! - add TextIndexExtensions.zero() utility to create an index at offset zero, which is useful for creating cursors from child nodes where parent offset is not needed.

  • #​1390 6a0f598 Thanks @​OmarTawfik! - Add new TypeScript APIs for creating nodes and edges:

    • NonterminalNode.create(kind: NonterminalKind, children: Edge[]): NonterminalNode
    • TerminalNode.create(kind: TerminalKind, text: string): TerminalNode
    • createEdge(label: EdgeLabel, node: Node): Edge
    • Edge.createWithNonterminal(label: EdgeLabel, node: NonterminalNode): Edge
    • Edge.createWithTerminal(label: EdgeLabel, node: TerminalNode): Edge

Patch Changes
  • #​1424 d54a35c Thanks @​ggiraldez! - Resolve identifiers in assembly blocks to locally imported symbols

  • #​1388 4607e6a Thanks @​beta-ziliani! - Fixed the pragma grammar and CST nodes:

    • pragma abicoder <version>:
      • Only enabled starting Solidity 0.7.5.
      • <version> is restricted to new keywords (v1 and v2).
    • pragma experimental <flag>:
      • Only enabled starting Solidity 0.4.16.
      • <flag> is restricted to be a string, or new keywords representing ABIEncoderV2 and SMTChecker.
  • #​1431 a62c857 Thanks @​OmarTawfik! - fix CST query matches to return an empty array for unmatched named captures, instead of undefined.

v1.2.1

Patch Changes
  • #​1377 f3b51be Thanks @​ggiraldez! - Bind untyped tuple deconstruction elements as references, not declarations

  • #​1335 6c3ad5d Thanks @​ggiraldez! - Top-level ConstantDefinitions now bind to their type and resolve extension functions called on them

  • #​1338 18be0bc Thanks @​ggiraldez! - Make try/catch parameters and vars in for loop initialization available in Yul

  • #​1339 f16e4b5 Thanks @​ggiraldez! - Fixes to the binding rules in Solidity:

    • Make the .length member available in all static-size byte arrays
    • Allow assembly blocks (and nested Yul functions) to access inherited state variables
    • Allow assembly blocks access to constructor/modifier/fallback parameters
    • msg.sender is of address type (not payable) until 0.5.0
    • Top-level constants need to be visible from assembly blocks in files that import them
    • Resolve named arguments when calling an extension function
    • Imported symbols using deconstruction syntax can be bound in assembly blocks
  • #​1353 8e718dd Thanks @​ggiraldez! - Fixes to the binding rules in Solidity:

    • Values of the deprecated byte type have a length member until 0.8.0
    • Bind a qualified identifier in the same contract, i.e. Foo.x in a method body of Foo
    • Correctly bind external constants and built-ins in nested functions in assembly blocks
    • Literal boolean values should bind to the bool type to chain extension functions
    • Public state variables that generate getters should have members of external functions (such as .selector)
    • Event types have a selector member
  • #​1326 045179b Thanks @​ggiraldez! - Fixes to binding rules:

    • Update TupleDeconstructionStatement so that their definiens is the TypedTupleMember/UntypedTupleMember for each variable declared.
    • Update YulVariableDeclarationStatement so that their definiens is the YulIdentifier for each variable declared.
  • #​1350 0594fe8 Thanks @​ggiraldez! - Fixes to bindings rules in Solidity:

    • Allow binding of using directives inside interfaces in Solidity < 0.7.1
    • Bind literal fixed arrays types
    • Fix generating binding graph for built-ins: remove the memory location specifier from types so they bind properly
    • Fix return type of value() and gas() legacy call options to allow chaining them
    • Bind legacy call options in the result of new expressions
    • Bind output type of public getters when the state variable is a nested mapping or array
    • A using directive with the global modifier should impact the source unit's lexical scope
    • Relax the Solidity version where the transfer() method works for non-payable addresses; this is a workaround for a Solidity quirk that makes it possible to do address(uint160(to)).transfer(amount) even after 0.5.0
    • Fix bound return types of wrap() and unwrap() methods of a user value defined type
    • Resolve the type of min() and max() of type() expressions for integer types to the integer type given in the expression operand
    • Fix binding of fully qualified modifier invocations
    • Fix #​1321: min() and max() for type() expressions on enum types should bind only after Solidity 0.8.8
    • Bound type for literal number expressions is uint256 by default; this allows correctly binding extension methods operating on literal values
    • The type bytes is an array type and should bind the push() and pop() methods
    • Contract or interface reference values implicitly inherit from the address type on Solidity < 0.5.0
    • Modifiers are allowed inside interfaces until Solidity 0.8.8 and thus should properly bind and be accessible from inheriting contracts
    • Libraries before Solidity 0.5.0 allowed this in function methods and work as an address type

v1.2.0

Minor Changes
Patch Changes

v1.1.0

Minor Changes
  • #​1288 2090ab8 Thanks @​OmarTawfik! - support Solidity 0.8.29 and Custom Storage Layouts:

    • ContractDefinition nodes will no longer have an optional InheritanceSpecifier child directly, but will hold a list of ContractSpecifier children
    • ContractSpecifier nodes have either InheritanceSpecifier or StorageLayoutSpecifier children
  • #​1265 2312260 Thanks @​mjoerussell! - Add LanguageUtils::infer_language_versions(source_code) -> Version[] API, which will analyze version pragmas inside a source file, and return a list of supported language versions that they allow. This can be used to select a valid language version to use with the rest of Slang APIs. Please see the Choosing a Solidity Version guide for more information.

Patch Changes
  • #​1291 da1f863 Thanks @​ggiraldez! - Resolve arguments to inheritance specifiers and expressions in storage layout specifiers using the contract's parent scope.

v1.0.0

Major Changes

v0.20.1

Patch Changes

v0.20.0

Minor Changes
Patch Changes

v0.19.0

Minor Changes
  • #​1156 3a82f06 Thanks @​OmarTawfik! - add node.descendants() and cursor.descendants() APIs to allow iterating over all descendants of the current node in pre-order traversal.

  • #​1156 3a82f06 Thanks @​OmarTawfik! - fix node.children() and parseOutput.errors() return types

  • #​1194 7a25d63 Thanks @​OmarTawfik! - split parser/Parser.supportedVersions() into a new utils/LanguageFacts API, with allVersions(), earliestVersion(), and latestVersion() methods.

  • #1194 7a25d63 Thanks @OmarTawfik! - expose the BindingGraph API to allow querying definitions/references between source files.

  • #​1156 3a82f06 Thanks @​OmarTawfik! - add cursor.ancestors() API to allow iterating over all ancestors of the current node, starting with the immediate parent, and moving upwards, ending with the root node.

  • #​1156 3a82f06 Thanks @​OmarTawfik! - add cursor.remainingNodes() API to allow iterating over all the remaining nodes in the current tree, moving in pre-order traversal, until the tree is completed.

  • #​1223 3e85a14 Thanks @​OmarTawfik! - split Parser.parse() API into parse_file_contents() and parse_nonterminal().

  • #​1194 7a25d63 Thanks @​OmarTawfik! - add a CompilationBuilder API to incrementally load and resolve source files and their imports.

  • #​1223 3e85a14 Thanks @​OmarTawfik! - rename Query.parse() to Query.create(), and provide exact TextRange for any errors it returns.

  • #​1172 6102886 Thanks @​beta-ziliani! - Improved error recovery, where leading trivia are always parsed and included before an erroneous terminal.

  • #​1223 3e85a14 Thanks @​OmarTawfik! - add TerminalKindExtensions.is_identifier() API to distinguish terminals like Solidity's Identifier and Yul's YulIdentifier.

  • #​1187 6389361 Thanks @​beta-ziliani! - Change ParseOutput and File.tree to return a NonTerminal instead of a Node.

Patch Changes

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot force-pushed the renovate/nomicfoundation-slang-1.x branch from 519a10e to bb4db02 on July 23, 2025 22:39
renovate bot force-pushed the renovate/nomicfoundation-slang-1.x branch from bb4db02 to e7cda8b on October 16, 2025 13:48
renovate bot force-pushed the renovate/nomicfoundation-slang-1.x branch from e7cda8b to 9c3c5bb on November 11, 2025 01:56
renovate bot force-pushed the renovate/nomicfoundation-slang-1.x branch from 9c3c5bb to 420a501 on December 11, 2025 22:04

socket-security bot commented Dec 11, 2025

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Updated | @nomicfoundation/slang@0.18.3 ⏵ 1.3.4 | 100 +1 | 100 | 100 +20 | 92 +2 | 100

renovate bot force-pushed the renovate/nomicfoundation-slang-1.x branch from 420a501 to 5229f03 on December 22, 2025 14:47
renovate bot force-pushed the renovate/nomicfoundation-slang-1.x branch from 5229f03 to 3aa3cdb on December 31, 2025 13:52
renovate bot force-pushed the renovate/nomicfoundation-slang-1.x branch from 3aa3cdb to af8460a on February 2, 2026 17:51

coderabbitai bot commented Feb 2, 2026

Walkthrough

The @nomicfoundation/slang dependency version in packages/core/package.json is updated from ^0.18.3 to ^1.0.0, representing a major version constraint change with no other modifications.

Changes

Cohort / File(s) | Summary
Dependency Version Update (packages/core/package.json) | Bump @nomicfoundation/slang from ^0.18.3 to ^1.0.0 major version.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A carrot for the slang so fine,
From point-one-eight to one, it's mine!
Dependencies hop along the way,
Major versions grow each day! 🌱

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The title 'Update dependency @nomicfoundation/slang to v1' directly and accurately describes the main change in the pull request: bumping the @nomicfoundation/slang dependency from ^0.18.3 to ^1.0.0.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.

socket-security bot commented Feb 2, 2026

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action | Severity | Alert
Block | Low | Potential code anomaly (AI signal): npm chownr is 100.0% likely to have a medium risk anomaly

Notes: The code represents a standard, well-scoped recursive ownership utility with deliberate cross-version compatibility. No evidence of malicious activity, data leakage, or external communications. The main risk is the potential for broad permission changes if invoked with untrusted uid/gid values; usage should be restricted to trusted contexts.

Confidence: 1.00

Severity: 0.60

From: ? → npm/ava@6.1.3 → npm/chownr@2.0.0

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/chownr@2.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block | Low | Potential code anomaly (AI signal): npm delayed-stream is 100.0% likely to have a medium risk anomaly

Notes: The DelayedStream module intercepts and buffers events from a source stream. While the core functionality appears to be for stream delay and management, two aspects raise concern: the overriding of the source's emit method and the attachment of a silent error handler (source.on('error', function() {})). The silent error handler is particularly suspicious as it can mask underlying problems or potential malicious activity originating from the source stream. Without further context on why errors are being suppressed, this behavior warrants caution. The code itself does not exhibit direct malware patterns like network exfiltration or reverse shells, but the error suppression could be a component of a larger, more covert operation.

Confidence: 1.00

Severity: 0.60

From: ? → npm/@openzeppelin/defender-sdk-deploy-client@2.1.0 → npm/@openzeppelin/defender-sdk-network-client@2.1.0 → npm/delayed-stream@1.0.0

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/delayed-stream@1.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

renovate bot force-pushed the renovate/nomicfoundation-slang-1.x branch from af8460a to 80c6bba on February 12, 2026 10:34
renovate bot force-pushed the renovate/nomicfoundation-slang-1.x branch from 80c6bba to c8eac19 on February 19, 2026 17:30
renovate bot force-pushed the renovate/nomicfoundation-slang-1.x branch from c8eac19 to d5a0c15 on February 26, 2026 23:57