Support PolkaVM for Hardhat Upgrades Plugin

[KitHat]

Support precompiled contracts for PolkaVM deployments.

What should be done to move this PR to ready state:

• Fix automatic import resolution paritytech/revive#98 merged and released in resolc
• version of Hardhat Polkadot plugin with this compiler released
• ignored tests moved back in

NB: NodeJS version was pushed to 22.x, because Hardhat Polkadot plugin requires built-in WebSocket, that is present only in v22 and higher

Closes #1188

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		High CVE: npm tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball CVE: GHSA-vj76-c3g6-qr5v tar-fs has a symlink validation bypass if destination directory is predictable with a specific tarball (HIGH) Affected versions: >= 3.0.0 < 3.1.1; >= 2.0.0 < 2.1.4; < 1.16.6 Patched version: 2.1.4 From: ? → npm/tar-fs@2.1.3 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tar-fs@2.1.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @babel/helper-module-imports is 100.0% likely to have a medium risk anomaly Notes: The analyzed code is a Babel AST helper (ImportBuilder) used to construct import statements and interop-wrapped imports. It contains no indicators of malicious behavior, data exfiltration, backdoors, or runtime abuses. It operates within a compiler/transpiler context to produce code, not to execute arbitrary user data. Therefore, the code itself does not present security risks or malware indicators under normal usage. This is benign library behavior intended for code transformation. Confidence: 1.00 Severity: 0.60 From: ? → npm/@babel/helper-module-imports@7.27.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helper-module-imports@7.27.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @babel/helper-module-transforms is 100.0% likely to have a medium risk anomaly Notes: The code is a legitimate, static-code transformation utility used in Babel to ensure proper behavior of ES module bindings after transforms. There is no evidence of malicious behavior, data leakage, or external communications within this fragment. It operates purely on AST-level transformations consistent with module import/export handling. Confidence: 1.00 Severity: 0.60 From: ? → npm/@babel/helper-module-transforms@7.28.3 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helper-module-transforms@7.28.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @babel/helper-string-parser is 100.0% likely to have a medium risk anomaly Notes: The analyzed code is a standard, well-structured parsing utility for JavaScript string literals and escapes (consistent with Babel’s helper-string-parser). It includes thorough validation, proper Unicode handling, and defensive error reporting. There is no evidence of malicious behavior, data leakage, or network activity within this fragment. The security risk is low when used as part of a trusted toolchain; the code otherwise poses no evident supply-chain threat based on the provided snippet. Confidence: 1.00 Severity: 0.60 From: ? → npm/nyc@17.0.0 → npm/@babel/helper-string-parser@7.24.8 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helper-string-parser@7.24.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @babel/helper-string-parser is 100.0% likely to have a medium risk anomaly Notes: The analyzed code is a standard, well-structured parsing utility for JavaScript string literals and escapes (consistent with Babel’s helper-string-parser). It includes thorough validation, proper Unicode handling, and defensive error reporting. There is no evidence of malicious behavior, data leakage, or network activity within this fragment. The security risk is low when used as part of a trusted toolchain; the code otherwise poses no evident supply-chain threat based on the provided snippet. Confidence: 1.00 Severity: 0.60 From: ? → npm/@babel/helper-string-parser@7.27.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helper-string-parser@7.27.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm @parity/hardhat-polkadot is 75.0% likely to have a medium risk anomaly Notes: This module monkey-patches Node's module loader to locate and neutralize util.checkMaxInitCodeSize inside @nomicfoundation/ethereumjs-tx when specific CLI arguments are present, and it ensures a global WebSocket via the ws package when absent. There is no evidence of data exfiltration, credential harvesting, networking to malicious domains, or obfuscated payloads. However, modifying Module._load and disabling a library validation function at runtime is a significant supply-chain and runtime risk: it can silently bypass intended safety checks and enable behavior (e.g., deploying oversized init code) that the original library prevented. If this behavior is undocumented, unexpected, or occurs in production flows, treat it as dangerous and require removal, explicit opt-in, or code review. If it is intended for local testing or tooling, restrict its scope and document it clearly. Confidence: 0.75 Severity: 0.60 From: ? → npm/@parity/hardhat-polkadot@0.2.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@parity/hardhat-polkadot@0.2.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm acorn is 100.0% likely to have a medium risk anomaly Notes: Overall, the analyzed code is a legitimate, well-structured Acorn 8.x parser fragment with robust handling for ES2020+ features. There is no direct malicious payload, backdoor, or exfiltration mechanism within this fragment. The primary security considerations relate to safe handling of untrusted input to avoid DoS via complex/ pathological RegExp usage or verbose error reporting. In a typical extension usage, isolate parsing to a sandbox and limit resource usage to mitigate potential abuse. Confidence: 1.00 Severity: 0.60 From: ? → npm/acorn@8.15.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/acorn@8.15.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm fs-extra is 100.0% likely to have a medium risk anomaly Notes: The analyzed code is a standard, legitimate implementation of a recursive copy utility (copySync) from the fs-extra library. It includes typical safeguards (type checks, destination directory creation, overwrite logic, symlink handling, and optional timestamp preservation) and does not exhibit any malicious behavior such as data exfiltration, remote communication, backdoors, or code injection. The warning about preserveTimestamps on ia32 is a benign, user-facing message. Overall security risk is low, with normal filesystem side effects expected. If any concern exists, it would be about untrusted path manipulation via the src/dest, but this is inherent to any filesystem copy utility and mitigated by the provided option hooks (filter, dereference, etc.). Confidence: 1.00 Severity: 0.60 From: ? → npm/fs-extra@11.3.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fs-extra@11.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm get-stream is 100.0% likely to have a medium risk anomaly Notes: The code implements a conventional stream-to-buffer utility with a MaxBuffer guard and convenient helpers. The main risk is the default Infinity maxBuffer which can enable memory exhaustion with untrusted streams; ensure downstream usage sets a sane maxBuffer or prefer streaming aggregations. No evidence of malicious behavior detected. Confidence: 1.00 Severity: 0.60 From: ? → npm/get-stream@6.0.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/get-stream@6.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm run-container is 100.0% likely to have a medium risk anomaly Notes: This file is a helper library that wraps dockerode and execa to pull images, create and start Docker containers via the host socket (/var/run/docker.sock). It accepts unvalidated options for Image names, host bind mounts, environment variables, ports, commands, and container names. A malicious or careless caller could supply a crafted image name to pull and execute arbitrary code, mount sensitive host paths (e.g. /etc, /), inject secrets via environment variables, expose host ports, or otherwise gain remote code execution and privilege escalation on the host. Use only in fully trusted contexts, enforce strict access controls on who can call these functions, and sanitize or whitelist inputs before invoking any Docker actions. Confidence: 1.00 Severity: 0.60 From: ? → npm/run-container@2.0.12 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/run-container@2.0.12. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential code anomaly (AI signal): npm tar-fs is 100.0% likely to have a medium risk anomaly Notes: The analyzed code implements a tar packing/extraction utility with standard safeguards such as path normalization and root-bound validation to mitigate path traversal. The main security concern centers on symlink handling during extraction, where link targets are processed but may benefit from stricter canonicalization/validation to ensure targets remain within the extraction root. Hardlinks are validated to some extent. Overall risk remains low when used with trusted tar headers and proper options; however, tightening symlink handling would further reduce risk potential. Confidence: 1.00 Severity: 0.60 From: ? → npm/tar-fs@2.1.3 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tar-fs@2.1.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[ericglau]

Looking good!

This compiles the core package for both EVM and PVM, but I don't see a way for it to actually run any test cases with the PVM code path.

We should try to find a way to run all of the tests (in both core and plugin-hardhat) using the PVM code path, if feasible, perhaps using a custom GitHub workflow to modify the way it runs. Even if that is not feasible, we should aim to add at least one mainline test scenario (e.g. deploy and upgrade a proxy) using PVM.

(If that has been tested manually already, I think this would be ok as-is, and the automated tests can be added later)

[ericglau]

Can we also add some simple negative tests?

These could be based on

• packages/plugin-hardhat/test/uups-upgrade-validation.js for basic contract validations which do not use storage layout. The current test case checks for selfdestruct, but since that opcode isn't in PolkaVM, it can be adjusted to test for some other unsafe pattern, such as a contract with a constructor.
• packages/plugin-hardhat/test/uups-upgrade-storage.js for basic storage layout validation (when storage layouts are available in resolc)

[ericglau]

This test case was originally intended to check for unsafe patterns in the implementation contract itself, unrelated to storage layout. Since there is no selfdestruct, we should test for another pattern such as with a constructor in InvalidPVMProxiable.

Specifically, I would suggest:

1. Add a storage variable string greeting; in InvalidPVMProxiable so that its storage layout matches that of GreeterProxiable
2. Add a constructor in InvalidPVMProxiable
3. Change this expect to look for an error about the constructor.