chore(deps): update dependency solhint to v6.2.1 #220

Open

renovate[bot] wants to merge 1 commit into main from renovate/solhint-6.x


@renovate renovate bot commented Dec 18, 2025

This PR contains the following updates:

| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
| solhint (source) | dependencies | minor | 6.0.1 → 6.2.1 | OpenSSF Scorecard |

Release Notes

protofire/solhint (solhint)

v6.2.1

🧹 Chore: added poster

v6.2.0

🛠️ Fix: code-complexity rule no longer crashes when configured with a numeric option (e.g. ["error", 8]) (#758)

🧹 Chore: bump glob to 13.0.6 — removes deprecated inflight transitive dependency

🧹 Chore: bump rimraf to 6.1.3 (devDep)

🧹 Chore: bump brace-expansion, picomatch and flatted to patched versions via overrides

🧰 Infra: drop Node.js 16 and 18 support (both EOL). Minimum supported version is now Node.js 20. CI matrix updated to [20, 22]

v6.1.0

🛠️ Fix: natspec rule no longer flags unnamed parameters, which Solidity prohibits documenting with @param (#749)

🛠️ Fix: natspec rule and import-path-check rules related issues (#750)

🛠️ Fix: scoped package names now supported for shareable configs (#741)

🛠️ Fix: misc minor issues and general polish (#739)

🧱 Enhancement: added pluginPaths config option for resolving plugins from custom locations.
Supports editor integrations and external project setups. Failed plugins emit warnings instead of crashing (#751)

🧹 Chore: bump ajv to 8.18.0

🧹 Chore: bump minimatch to 10.2.4

🧹 Chore: bump lodash to 4.17.23

🧹 Chore: update LICENSE copyright year to 2026 (thanks xiaobei0715!!) (#745)

✨🛡️ Kudos to our contributors! 🛡️✨

v6.0.3

🛠️ Fix: removed unused files, normalized schema for validation, load-rules, base-checker and validator improvements

🛠️ Fix: removing console log from use-natspec rule (thanks brossetti1!!)

🛠️ Fix: misc minor issues and typos. General polish and stability

✨🛡️ Kudos to our contributors! 🛡️✨

v6.0.2

🛠️ Fix: corrected use-natspec enforcement behavior on internal functions

🛠️ Fix: misc minor issues and typos. General polish and stability

🆕 Rule: added foundry-no-block to detect usage of block.timestamp and block.number in Solidity tests

🆕 Rule: added no-unused-private-functions to prevent unused private function declarations

🆕 Rule: added no-immutable-before-declaration to enforce correct immutable declaration order

🧱 Enhancement: improvements to foundry-test-function rule, including naming and configuration updates

🧰 Infra: update GitHub Actions in CI workflows to v5 and v6. Keeps CI aligned with latest ecosystem changes

🧰 Infra: bump js-yaml dependency following security recommendations

🧹 Chore: stop publishing the test directory to npm packages. Reduces package size and noise

🧹 Chore: foundry-test-functions is deprecated and will be removed in v7.0.0. Please rename to foundry-test-function-naming.
WILL BE REPLACED IN v7

✨🛡️ Kudos to our contributors! 🛡️✨


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@cubic-dev-ai cubic-dev-ai bot left a comment

No issues found across 2 files

@renovate renovate bot changed the title "chore(deps): update dependency solhint to v6.0.2" → "chore(deps): update dependency solhint to v6.0.3" Jan 20, 2026
@renovate renovate bot force-pushed the renovate/solhint-6.x branch from ccf4d0a to 7c821e3 January 20, 2026 15:12
@renovate renovate bot force-pushed the renovate/solhint-6.x branch from 7c821e3 to 005b7a0 March 17, 2026 22:36
@renovate renovate bot changed the title "chore(deps): update dependency solhint to v6.0.3" → "chore(deps): update dependency solhint to v6.1.0" Mar 17, 2026
@renovate renovate bot changed the title "chore(deps): update dependency solhint to v6.1.0" → "chore(deps): update dependency solhint to v6.2.0" Mar 31, 2026
@renovate renovate bot force-pushed the renovate/solhint-6.x branch from 005b7a0 to 06ce4fc March 31, 2026 22:50

socket-security bot commented Mar 31, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Updated | solhint@6.0.1 ⏵ 6.2.1 | 97 | 100 | 100 | 92 +3 | 100 +31 |


socket-security bot commented Mar 31, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

| Action | Severity | Alert |
|---|---|---|
| Warn | High | High CVE: Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() in npm serialize-javascript |

CVE: GHSA-5c6j-r48x-rmvq Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() (HIGH)

Affected versions: < 7.0.3

Patched version: 7.0.3

From: ? npm/@nomicfoundation/hardhat-toolbox@6.1.0 npm/@nomicfoundation/hardhat-toolbox-viem@4.1.1 npm/hardhat@2.27.1 npm/serialize-javascript@6.0.2

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/serialize-javascript@6.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@renovate renovate bot changed the title "chore(deps): update dependency solhint to v6.2.0" → "chore(deps): update dependency solhint to v6.2.1" Apr 1, 2026
@renovate renovate bot force-pushed the renovate/solhint-6.x branch from 06ce4fc to 3db839c April 1, 2026 21:42