
Conversation


@renovate renovate bot commented Jul 17, 2025

This PR contains the following updates:

Package: @openzeppelin/contracts (source)
Change: 5.2.0 → 5.4.0

GitHub Vulnerability Alerts

CVE-2025-54070

Impact

The lastIndexOf(bytes,byte,uint256) function of the Bytes.sol library may access uninitialized memory when the following two conditions hold: 1) the provided buffer is empty (i.e. buffer.length == 0) and 2) position is not 2**256 - 1 (i.e. pos != type(uint256).max).

The pos argument could be used to access arbitrary data outside of the buffer bounds. This could lead to the operation running out of gas, or returning an invalid index (outside of the empty buffer). Processing this invalid result for accessing the buffer would cause a revert under normal conditions.

When triggered, the function reads memory at offset buffer + 0x20 + pos. If memory at that location (outside the buffer) matches the search pattern, the function would return an out of bound index instead of the expected type(uint256).max. This creates unexpected behavior where callers receive a valid-looking index pointing outside buffer bounds.

Subsequent memory accesses that don't check bounds and use the returned index must carefully review the potential impact depending on their setup. Code relying on this function returning type(uint256).max for empty buffers or using the returned index without bounds checking could exhibit undefined behavior.

Patches

Upgrade to 5.4.0


Release Notes

OpenZeppelin/openzeppelin-contracts (@​openzeppelin/contracts)

v5.4.0

Compare Source

Breaking changes
  • Update minimum pragma to 0.8.24 in SignatureChecker, Governor and Governor's extensions. (#​5716).
Pragma changes
  • Reduced pragma requirement of interface files.
Changes by category
Account
  • Account: Added a simple ERC-4337 account implementation with minimal logic to process user operations. (#​5657)
  • AccountERC7579: Extension of Account that implements support for ERC-7579 modules of type executor, validator, and fallback handler. (#​5657)
  • AccountERC7579Hooked: Extension of AccountERC7579 that implements support for ERC-7579 hook modules. (#​5657)
  • EIP7702Utils: Add a library for checking if an address has an EIP-7702 delegation in place. (#​5587)
  • IERC7821, ERC7821: Interface and logic for minimal batch execution. No support for additional opData is included. (#​5657)
Governance
  • GovernorNoncesKeyed: Extension of Governor that adds support for keyed nonces when voting by sig. (#​5574)
Tokens
  • ERC20Bridgeable: Implementation of ERC-7802 that makes an ERC-20 compatible with crosschain bridges. (#​5735)
Cryptography
Signers
  • AbstractSigner, SignerECDSA, SignerP256, and SignerRSA: Add an abstract contract and various implementations for contracts that deal with signature verification. (#​5657)
  • SignerERC7702: Implementation of AbstractSigner for Externally Owned Accounts (EOAs). Useful with ERC-7702. (#​5657)
  • SignerERC7913: Abstract signer that verifies signatures using the ERC-7913 workflow. (#​5659)
  • MultiSignerERC7913: Implementation of AbstractSigner that supports multiple ERC-7913 signers with a threshold-based signature verification system. (#​5659)
  • MultiSignerERC7913Weighted: Extension of MultiSignerERC7913 that supports assigning different weights to each signer, enabling more flexible governance schemes. (#​5718)
Verifiers
  • ERC7913P256Verifier and ERC7913RSAVerifier: Ready to use ERC-7913 verifiers that implement key verification for P256 (secp256r1) and RSA keys. (#​5659)
Other
  • SignatureChecker: Add support for ERC-7913 signatures alongside existing ECDSA and ERC-1271 signature verification. (#​5659)
  • ERC7739: An abstract contract to validate signatures following the rehashing scheme from ERC7739Utils. (#​5664)
  • ERC7739Utils: Add a library that implements a defensive rehashing mechanism to prevent replayability of smart contract signatures based on the ERC-7739. (#​5664)
Structures
  • EnumerableMap: Add support for BytesToBytesMap type. (#​5658)
  • EnumerableMap: Add keys(uint256,uint256) that returns a subset (slice) of the keys in the map. (#​5713)
  • EnumerableSet: Add support for StringSet and BytesSet types. (#​5658)
  • EnumerableSet: Add values(uint256,uint256) that returns a subset (slice) of the values in the set. (#​5713)
Utils
  • Arrays: Add unsafeAccess, unsafeMemoryAccess and unsafeSetLength for bytes[] and string[]. (#​5568)
  • Blockhash: Add a library that provides access to historical block hashes using EIP-2935's history storage, extending the standard 256-block limit to 8191 blocks. (#​5642)
  • Bytes: Fix lastIndexOf(bytes,byte,uint256) with empty buffers and finite position to correctly return type(uint256).max instead of accessing uninitialized memory sections. (#​5797)

v5.3.0

Compare Source

Breaking Changes
  • Replace GovernorCountingOverridable.VoteReceipt struct parameter member names hasOverriden and overridenWeight for hasOverridden and overriddenWeight respectively.
Custom error changes
  • Replace GovernorAlreadyOverridenVote with GovernorAlreadyOverriddenVote.
  • Replace GovernorOnlyProposer with GovernorUnableToCancel.
Changes by category
Account
  • ERC4337Utils: Update the hash function to call getUserOpHash on the specified entrypoint and add an ENTRYPOINT_V08 constant. (#​5614)
  • ERC7579Utils: Add ABI decoding checks on calldata bounds within decodeBatch. (#​5371)
  • ERC7579Utils: Replace address(0) with address(this) during execution for calldata compression efficiency. (#​5614)
Governance
  • IGovernor: Add the getProposalId function to the governor interface. (#​5290)
  • GovernorProposalGuardian: Add a governance extension that defines a proposal guardian who can cancel proposals at any stage in their lifecycle. (#​5303)
  • GovernorSequentialProposalId: Adds a Governor extension that sequentially numbers proposal ids instead of using the hash. (#​5290)
  • GovernorSuperQuorum: Add a governance extension to support a super quorum. Proposals that meet the super quorum (and have a majority of for votes) advance to the Succeeded state before the proposal deadline. (#​5526)
  • GovernorVotesSuperQuorumFraction: Add a variant of the GovernorSuperQuorum extensions where the super quorum is expressed as a fraction of the total supply. (#​5526)
  • TimelockController: Receive function is now virtual. (#​5509)
Structures
  • EnumerableSet: Add clear function to EnumerableSets which deletes all values in the set. (#​5486)
  • EnumerableMap: Add clear function to EnumerableMaps which deletes all entries in the map. (#​5486)
  • MerkleTree: Add an update function that replaces a previously inserted leaf with a new value, updating the tree root along the way. (#​5526)
Tokens
  • ERC4626: Use the asset getter in totalAssets, _deposit and _withdraw. (#​5322)
  • IERC6909: Add the interface for ERC-6909. (#​5343)
  • ERC6909: Add a standard implementation of ERC6909. (#​5394)
  • ERC6909TokenSupply: Add an extension of ERC6909 which tracks total supply for each token id. (#​5394)
  • ERC6909Metadata: Add an extension of ERC6909 which adds metadata functionality. (#​5394)
  • ERC6909ContentURI: Add an extension of ERC6909 which adds content URI functionality. (#​5394)
  • SafeERC20: Add trySafeTransfer and trySafeTransferFrom that do not revert and return false if the transfer is not successful. (#​5483)
Other
  • Address: bubble up revert data on sendValue failed call. (#​5379)
  • Calldata: Library with emptyBytes and emptyString functions to generate empty bytes and string calldata types. (#​5422)
  • ERC2771Forwarder: Expose the _isTrustedByTarget internal function to check whether a target trusts the forwarder. (#​5416)
  • Hashes: Expose efficientKeccak256 for hashing non-commutative pairs of bytes32 without allocating extra memory. (#​5442)
  • Initializable: Add _initializableStorageSlot function that returns a pointer to the storage struct. The function allows customizing with a custom storage slot with an override. (#​5526)
  • Math: Add add512, mul512 and mulShr. (#​5526)
  • Math: Add saturating arithmetic operations saturatingAdd, saturatingSub and saturatingMul. (#​5526)
  • MessageHashUtils: Add toDataWithIntendedValidatorHash(address, bytes32). (#​5526)
  • P256: Adjust precompile detection in verifyNative to consider empty returndata on invalid verification. Previously, invalid signatures would've reverted with a MissingPrecompile error in chains with RIP-7212 support. (#​5620)
  • Pausable: Stop explicitly setting paused to false during construction. (#​5448)
  • Strings: Add escapeJSON that escapes special characters in JSON strings. (#​5526)

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
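To make the advisory's memory read concrete, here is an added illustration of the defect pattern beside a hardened form. This is not OpenZeppelin's source: the library name, function names and loop structure are assumptions modelled on the behaviour the advisory describes (a loop bound derived from `buffer.length - 1` under unchecked arithmetic), and the fix shown is one way to restore the `type(uint256).max` result for empty buffers.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Added illustration for CVE-2025-54070 (hypothetical names, not OpenZeppelin's code):
// a backwards byte search whose loop bound wraps when the buffer is empty,
// beside a version that handles the empty buffer before computing any bound.
library LastIndexOfExample {
    uint256 internal constant NOT_FOUND = type(uint256).max;

    // Reads the 32-byte word at `offset` past the start of the buffer's data.
    // There is no bounds check here; callers own the bounds.
    function _unsafeWordAt(bytes memory buffer, uint256 offset) private pure returns (bytes32 w) {
        assembly {
            w := mload(add(add(buffer, 0x20), offset))
        }
    }

    // Vulnerable shape: with buffer.length == 0, `length - 1` wraps to
    // type(uint256).max inside `unchecked`, so any finite `pos` survives the
    // clamp and the loop reads memory at buffer + 0x20 + pos down to
    // buffer + 0x20 + 0, all outside the (empty) buffer. If one of those bytes
    // equals `s`, a finite index is returned instead of NOT_FOUND.
    // Only pos == type(uint256).max makes `start` wrap to 0 and skip the loop.
    function lastIndexOfUnchecked(bytes memory buffer, bytes1 s, uint256 pos) internal pure returns (uint256) {
        unchecked {
            uint256 length = buffer.length;
            uint256 start = (pos < length - 1 ? pos : length - 1) + 1;
            for (uint256 i = start; i > 0; --i) {
                if (bytes1(_unsafeWordAt(buffer, i - 1)) == s) return i - 1;
            }
            return NOT_FOUND;
        }
    }

    // Hardened shape: return NOT_FOUND for an empty buffer before any bound is
    // derived, and use bounds-checked indexing so an out-of-range read reverts.
    function lastIndexOfChecked(bytes memory buffer, bytes1 s, uint256 pos) internal pure returns (uint256) {
        uint256 length = buffer.length;
        if (length == 0) return NOT_FOUND;
        // Clamp pos into [0, length - 1]; checked arithmetic cannot overflow here.
        for (uint256 i = (pos < length - 1 ? pos : length - 1) + 1; i > 0; --i) {
            if (buffer[i - 1] == s) return i - 1;
        }
        return NOT_FOUND;
    }
}
```

Calling `lastIndexOfChecked("", 0x00, 5)` returns `type(uint256).max`, whereas the unchecked variant with the same arguments inspects six bytes of memory that do not belong to the buffer.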

@renovate renovate bot requested a review from a team as a code owner July 17, 2025 22:43

github-actions bot commented Jul 17, 2025

Visit the preview URL for this PR (updated for commit c34feb1):

https://community-cookbook-staging--pr142-renovate-npm-openzep-qv441hw4.web.app

(expires Mon, 09 Feb 2026 19:12:27 GMT)

🔥 via Firebase Hosting GitHub Action 🌎

Sign: 1b876338aafcf55b4a02f1877984e116731756b1

@renovate renovate bot force-pushed the renovate/npm-openzeppelin-contracts-vulnerability branch 2 times, most recently from 36f1623 to 091d007 Compare July 28, 2025 13:28
@renovate renovate bot force-pushed the renovate/npm-openzeppelin-contracts-vulnerability branch 2 times, most recently from 87283b2 to 19cbcef Compare August 13, 2025 11:32
@renovate renovate bot force-pushed the renovate/npm-openzeppelin-contracts-vulnerability branch 2 times, most recently from 4d44fba to 0a8d578 Compare August 20, 2025 15:20
@renovate renovate bot force-pushed the renovate/npm-openzeppelin-contracts-vulnerability branch 3 times, most recently from 62e9622 to f9bca59 Compare September 3, 2025 14:28
@renovate renovate bot force-pushed the renovate/npm-openzeppelin-contracts-vulnerability branch from f9bca59 to 7afd988 Compare September 10, 2025 21:49
@renovate renovate bot force-pushed the renovate/npm-openzeppelin-contracts-vulnerability branch from 7afd988 to dfc520a Compare September 25, 2025 19:34
@renovate renovate bot force-pushed the renovate/npm-openzeppelin-contracts-vulnerability branch 2 times, most recently from 718f6a1 to afc9f99 Compare October 27, 2025 16:28
@renovate renovate bot force-pushed the renovate/npm-openzeppelin-contracts-vulnerability branch 2 times, most recently from 9236752 to 90d8af0 Compare November 3, 2025 15:39
@renovate renovate bot force-pushed the renovate/npm-openzeppelin-contracts-vulnerability branch from 90d8af0 to a956892 Compare November 10, 2025 14:00
@renovate renovate bot force-pushed the renovate/npm-openzeppelin-contracts-vulnerability branch from a956892 to 88b83a8 Compare November 18, 2025 22:46
@renovate renovate bot force-pushed the renovate/npm-openzeppelin-contracts-vulnerability branch 2 times, most recently from b280c12 to 81b6981 Compare December 3, 2025 19:56
@renovate renovate bot force-pushed the renovate/npm-openzeppelin-contracts-vulnerability branch from 81b6981 to 795f581 Compare December 23, 2025 15:10
@renovate renovate bot force-pushed the renovate/npm-openzeppelin-contracts-vulnerability branch from 795f581 to 8720ab5 Compare December 31, 2025 15:52
@renovate renovate bot force-pushed the renovate/npm-openzeppelin-contracts-vulnerability branch from 8720ab5 to 579dbd9 Compare January 8, 2026 20:16
@renovate renovate bot force-pushed the renovate/npm-openzeppelin-contracts-vulnerability branch 2 times, most recently from c825803 to 4c62163 Compare January 23, 2026 19:38
@renovate renovate bot force-pushed the renovate/npm-openzeppelin-contracts-vulnerability branch from 4c62163 to c34feb1 Compare February 2, 2026 19:07