build(deps): bump undici and hardhat

[dependabot]

Bumps undici to 6.25.0 and updates ancestor dependency hardhat. These dependencies need to be updated together.

Updates undici from 5.14.0 to 6.25.0

Release notes

Sourced from undici's releases.

v6.25.0

What's Changed

Full Changelog: nodejs/undici@v6.24.1...v6.25.0

v6.24.1

Full Changelog: nodejs/undici@v6.24.0...v6.24.1

v6.24.0

Undici v6.24.0 Security Release Notes (LTS)

This release backports fixes for security vulnerabilities affecting the v6 line.

Upgrade guidance

All users on v6 should upgrade to v6.24.0 or later.

Fixed advisories

• GHSA-2mjp-6q6p-2qxm / CVE-2026-1525 (Medium)
  Inconsistent interpretation of HTTP requests (request/response smuggling class issue).

• GHSA-f269-vfmq-vjvj / CVE-2026-1528 (High)
  Malicious WebSocket 64-bit frame length handling could crash the client.

• GHSA-4992-7rv2-5pvq / CVE-2026-1527 (Medium)
  CRLF injection via the upgrade option.

• GHSA-v9p9-hfj2-hcw8 / CVE-2026-2229 (High)
  Unhandled exception from invalid server_max_window_bits in WebSocket permessage-deflate negotiation.

• GHSA-vrm6-8vpv-qv8q / CVE-2026-1526 (High)
  Unbounded memory consumption in WebSocket permessage-deflate decompression.

Not applicable to v6

• GHSA-phc3-fgpg-7m6h / CVE-2026-2581 affects >= 7.17.0 < 7.24.0 only.

Affected and patched ranges (v6)

• CVE-2026-1525: affected < 6.24.0, patched 6.24.0
• CVE-2026-1528: affected >= 6.0.0 < 6.24.0, patched 6.24.0
• CVE-2026-1527: affected < 6.24.0, patched 6.24.0
• CVE-2026-2229: affected < 6.24.0, patched 6.24.0
• CVE-2026-1526: affected < 6.24.0, patched 6.24.0

References

• GitHub Security Advisories: https://github.com/nodejs/undici/security/advisories

... (truncated)

Commits

• 3420499 Bumped v6.25.0 (#5029)
• d7a1e55 feat: add configurable maxPayloadSize for WebSocket (#4955)
• a9d1848 Do not mark v6.x releases as latest
• 0126586 Ignore local agent configuration files
• c0cf656 Bumped v6.24.1
• f5a9f0c Fix v6 release workflow branch targeting
• af2cb8f wqremove maxDecompressedMessageSize (#4891)
• 8873c94 Bumped v6.24.0
• 411bd01 test(websocket): use node:assert for Node 18 compatibility
• 844bf59 test: fix http2 lint regressions in backport
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for undici since your current version.

Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.

Updates hardhat from 2.12.5 to 3.4.4

Release notes

Sourced from hardhat's releases.

Hardhat v3.4.4

This release is a small bug fix release to improve memory usage while running tests with coverage.

Changes

• #8213 448da88 Thanks @​kanej! - Reduced internal memory usage during coverage test runs (#8213)

• #8197 d3cb008 Thanks @​alcuadrado! - Update the error reporting logic to reduce noise

---

💡 The Nomic Foundation is hiring! Check our open positions.

---

Hardhat v3.4.3

This is a small release focusing on performance improvements.

Changes

• #8196 b669814 Thanks @​alcuadrado! - Improve error messages in common failures

• #8196 73436aa Thanks @​alcuadrado! - Export missing error types

• #8195 79205cc Thanks @​ChristopherDedominici! - Replace chalk with util.styleText.

• #8224 3614c02 Thanks @​schaable! - Add a fuzz.showLogs option to the Solidity test config to display console.log output from fuzz tests.

• #8218 32f2b59 Thanks @​alcuadrado! - Fix hardhat test solidity --no-compile failing with SELECTED_TEST_FILES_NOT_COMPILED when no test files are specified.

• #8139 536b745 Thanks @​anaPerezGhiglia! - Bumped EDR version to 0.12.0-next.31

• #8199 2cb91f1 Thanks @​alcuadrado! - Add LPT scheduling to the Solidity build system

• #8219 2cad309 Thanks @​schaable! - Improved performance by replacing the semver dependency with a lightweight in-tree implementation.

• #8207 d594209 Thanks @​alcuadrado! - Improved performance by replacing the debug logging library with a lightweight in-tree implementation.

• #8189 b5ca1ae Thanks @​alcuadrado! - Introduce a TrueCasePathResolver class to optimize repeated filesystem casing resolution

• Updated dependencies:

  • @​nomicfoundation/hardhat-utils@​4.1.0
  • @​nomicfoundation/hardhat-errors@​3.0.12
  • @​nomicfoundation/hardhat-vendored@​3.0.3

---

💡 The Nomic Foundation is hiring! Check our open positions.

---

Hardhat v3.4.2

This release includes a set of small performance improvements targeted at Hardhat's bootstrap time.

... (truncated)

Changelog

Sourced from hardhat's changelog.

3.4.4

Patch Changes

• #8213 448da88 Thanks @​kanej! - Reduced internal memory usage during coverage test runs (#8213)

• #8197 d3cb008 Thanks @​alcuadrado! - Update the error reporting logic to reduce noise

3.4.3

Patch Changes

• #8196 b669814 Thanks @​alcuadrado! - Improve error messages in common failures

• #8196 73436aa Thanks @​alcuadrado! - Export missing error types

• #8195 79205cc Thanks @​ChristopherDedominici! - Replace chalk with util.styleText.

• #8224 3614c02 Thanks @​schaable! - Add a fuzz.showLogs option to the Solidity test config to display console.log output from fuzz tests.

• #8218 32f2b59 Thanks @​alcuadrado! - Fix hardhat test solidity --no-compile failing with SELECTED_TEST_FILES_NOT_COMPILED when no test files are specified.

• #8139 536b745 Thanks @​anaPerezGhiglia! - Bumped EDR version to 0.12.0-next.31

• #8199 2cb91f1 Thanks @​alcuadrado! - Add LPT scheduling to the Solidity build system

• #8219 2cad309 Thanks @​schaable! - Improved performance by replacing the semver dependency with a lightweight in-tree implementation.

• #8207 d594209 Thanks @​alcuadrado! - Improved performance by replacing the debug logging library with a lightweight in-tree implementation.

• #8189 b5ca1ae Thanks @​alcuadrado! - Introduce a TrueCasePathResolver class to optimize repeated filesystem casing resolution

• Updated dependencies:

  • @​nomicfoundation/hardhat-utils@​4.1.0
  • @​nomicfoundation/hardhat-errors@​3.0.12
  • @​nomicfoundation/hardhat-vendored@​3.0.3

3.4.2

Patch Changes

• #8177 7cab964 Thanks @​alcuadrado! - Optimize the HookManager and the coverage plugin

• #8187 8f6a418 Thanks @​ChristopherDedominici! - Improved the logic for handling Node.js versions that fall below the minimum requirement.

• #8183 88f8d59 Thanks @​schaable! - Speed up startup by loading the coverage manager only when --coverage is set.

• #8183 82208ba Thanks @​schaable! - Speed up HRE creation by loading user-interruption support only when it's first used.

• #8175 eeea0aa Thanks @​ChristopherDedominici! - Restructure the imports of the network-manager.

... (truncated)

Commits

• 82bf1ee Version Packages
• f435b04 Merge pull request #8213 from NomicFoundation/fix/reduce-retained-coverage-me...
• 0ca507e Merge pull request #8217 from Zhen-in-progress/test/implement-solidity-config...
• 448da88 fix: update memory usage when passing coverage
• a6310ad Merge pull request #8197 from NomicFoundation/error-classifier-and-filter
• 505c3b6 Fix linter errors
• a3931e1 Use lowercaseMessageByError map for case-insensitive matching
• 21d6e31 Break cycles and bound depth in getNodeErrorCode
• 50329e9 Assert isUnknownEdrError input is in the error chain
• 04d70b3 Document that the migration matcher is temporary
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for hardhat since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.