@dependabot dependabot bot commented on behalf of github Aug 18, 2022

Bumps @openzeppelin/contracts-upgradeable from 4.7.1 to 4.7.3.

Release notes

Sourced from @openzeppelin/contracts-upgradeable's releases.

v4.7.3

⚠️ This is a patch for a medium severity issue. For more information visit the security advisory.

Breaking changes

  • ECDSA: recover(bytes32,bytes) and tryRecover(bytes32,bytes) no longer accept compact signatures to prevent malleability. Compact signature support remains available using recover(bytes32,bytes32,bytes32) and tryRecover(bytes32,bytes32,bytes32).

v4.7.2

⚠️ This is a patch for three issues, including a high severity issue in GovernorVotesQuorumFraction. For more information visit the security advisories (1, 2, 3).

  1. GovernorVotesQuorumFraction: Fixed quorum updates so they do not affect past proposals that failed due to lack of quorum. (#3561)
  2. ERC165Checker: Added protection against large returndata. (#3587)
  3. LibArbitrumL2, CrossChainEnabledArbitrumL2: Fixed detection of cross-chain calls for EOAs. Previously, calls from EOAs would be classified as cross-chain calls. (#3578)

Changelog

Sourced from @openzeppelin/contracts-upgradeable's changelog.

4.7.3

Breaking changes

  • ECDSA: recover(bytes32,bytes) and tryRecover(bytes32,bytes) no longer accept compact signatures to prevent malleability. Compact signature support remains available using recover(bytes32,bytes32,bytes32) and tryRecover(bytes32,bytes32,bytes32).

4.7.2

  • LibArbitrumL2, CrossChainEnabledArbitrumL2: Fixed detection of cross-chain calls for EOAs. Previously, calls from EOAs would be classified as cross-chain calls. (#3578)
  • GovernorVotesQuorumFraction: Fixed quorum updates so they do not affect past proposals that failed due to lack of quorum. (#3561)
  • ERC165Checker: Added protection against large returndata. (#3587)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [@openzeppelin/contracts-upgradeable](https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable) from 4.7.1 to 4.7.3.
- [Release notes](https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/releases)
- [Changelog](https://github.com/OpenZeppelin/openzeppelin-contracts-upgradeable/blob/master/CHANGELOG.md)
- [Commits](OpenZeppelin/openzeppelin-contracts-upgradeable@v4.7.1...v4.7.3)

---
updated-dependencies:
- dependency-name: "@openzeppelin/contracts-upgradeable"
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
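The 4.7.3 breaking change in the release notes above (recover(bytes32,bytes) no longer accepting compact signatures), illustrated with a Python model added here. This is not OpenZeppelin code: it does no curve arithmetic, only the two byte encodings and the parsing checks, and the r, s, v values used with it are constructed.

```python
# Added example (not OpenZeppelin code): why accepting both the 65-byte and the
# 64-byte EIP-2098 compact encoding in recover(bytes32,bytes) is malleable, and
# the strict length check that 4.7.3 introduces. All values are constructed.

SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HALF_N = SECP256K1_N // 2
LOW_255_BITS = (1 << 255) - 1


def to_standard(r: int, s: int, v: int) -> bytes:
    """65-byte form: r || s || v, with v in {27, 28}."""
    return r.to_bytes(32, "big") + s.to_bytes(32, "big") + bytes([v])


def to_compact(r: int, s: int, v: int) -> bytes:
    """64-byte EIP-2098 form: r || vs, where vs = ((v - 27) << 255) | s."""
    return r.to_bytes(32, "big") + (((v - 27) << 255) | s).to_bytes(32, "big")


def split_lenient(sig: bytes) -> tuple:
    """Pre-4.7.3 behaviour: both encodings are accepted and yield (r, s, v)."""
    r = int.from_bytes(sig[:32], "big")
    if len(sig) == 65:
        return r, int.from_bytes(sig[32:64], "big"), sig[64]
    if len(sig) == 64:
        vs = int.from_bytes(sig[32:], "big")
        return r, vs & LOW_255_BITS, 27 + (vs >> 255)
    raise ValueError("invalid signature length")


def split_strict(sig: bytes) -> tuple:
    """4.7.3 bytes overload: 65-byte form only, plus the low-s and v checks."""
    if len(sig) != 65:
        raise ValueError("invalid signature length")
    r, s, v = split_lenient(sig)
    if s > HALF_N:
        raise ValueError("invalid signature 's' value")
    if v not in (27, 28):
        raise ValueError("invalid signature 'v' value")
    return r, s, v


def encodings_accepted(r: int, s: int, v: int, splitter) -> int:
    """Count distinct byte strings `splitter` accepts for one (r, s, v).
    More than one means a contract that deduplicates on raw signature bytes
    instead of on (signer, nonce) can be replayed with the other encoding."""
    accepted = 0
    for enc in (to_standard(r, s, v), to_compact(r, s, v)):
        try:
            accepted += splitter(enc) == (r, s, v)
        except ValueError:
            pass
    return accepted
```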
@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Aug 18, 2022
@lukemelia

@alex-cardstack Please review and see if/when we should schedule this.

@alex-cardstack

This doesn't affect anything we are using, merging update but will not need deployment scheduled

Diff:

       "name": "quorumNumerator",
       "outputs": [
diff --recursive --unified --new-file --exclude test --exclude Makefile 4.7.1/build/contracts/LibArbitrumL2Upgradeable.json 4.7.2/build/contracts/LibArbitrumL2Upgradeable.json
--- 4.7.1/build/contracts/LibArbitrumL2Upgradeable.json 1985-10-26 08:15:00.000000000 +0000
+++ 4.7.2/build/contracts/LibArbitrumL2Upgradeable.json 1985-10-26 08:15:00.000000000 +0000
@@ -17,8 +17,8 @@
       "type": "function"
     }
   ],
-  "bytecode": "0x6091610038600b82828239805160001a607314602b57634e487b7160e01b600052600060045260246000fd5b30600052607381538281f3fe730000000000000000000000000000000000000000301460806040526004361060335760003560e01c8063bf0a12cf146038575b600080fd5b603f606481565b6040516001600160a01b03909116815260200160405180910390f3fea264697066735822122070eb6e8b2caef3b552c9c54a4320fbc8152ad5e1b946cec8041c29de9b73ae2564736f6c63430008090033",
-  "deployedBytecode": "0x730000000000000000000000000000000000000000301460806040526004361060335760003560e01c8063bf0a12cf146038575b600080fd5b603f606481565b6040516001600160a01b03909116815260200160405180910390f3fea264697066735822122070eb6e8b2caef3b552c9c54a4320fbc8152ad5e1b946cec8041c29de9b73ae2564736f6c63430008090033",
+  "bytecode": "0x6091610038600b82828239805160001a607314602b57634e487b7160e01b600052600060045260246000fd5b30600052607381538281f3fe730000000000000000000000000000000000000000301460806040526004361060335760003560e01c8063bf0a12cf146038575b600080fd5b603f606481565b6040516001600160a01b03909116815260200160405180910390f3fea2646970667358221220f100003732253acff0afe22ae1fd87f62bfd41627989b620bf52660e06e1282b64736f6c63430008090033",
+  "deployedBytecode": "0x730000000000000000000000000000000000000000301460806040526004361060335760003560e01c8063bf0a12cf146038575b600080fd5b603f606481565b6040516001600160a01b03909116815260200160405180910390f3fea2646970667358221220f100003732253acff0afe22ae1fd87f62bfd41627989b620bf52660e06e1282b64736f6c63430008090033",
   "linkReferences": {},
   "deployedLinkReferences": {}
 }
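Review bot: both bytecode strings differ only in the trailing CBOR metadata section (the IPFS hash following `a2646970667358221220`); the runtime prefix is byte-for-byte identical. That is what you would expect from the source change below, which touches only internal library functions that are inlined into callers rather than compiled into the library's own deployed bytecode, so this artifact bump is consistent with a clean rebuild and needs no action.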
diff --recursive --unified --new-file --exclude test --exclude Makefile 4.7.1/crosschain/arbitrum/LibArbitrumL2Upgradeable.sol 4.7.2/crosschain/arbitrum/LibArbitrumL2Upgradeable.sol
--- 4.7.1/crosschain/arbitrum/LibArbitrumL2Upgradeable.sol  1985-10-26 08:15:00.000000000 +0000
+++ 4.7.2/crosschain/arbitrum/LibArbitrumL2Upgradeable.sol  1985-10-26 08:15:00.000000000 +0000
@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// OpenZeppelin Contracts (last updated v4.7.0) (crosschain/arbitrum/LibArbitrumL2.sol)
+// OpenZeppelin Contracts (last updated v4.7.2) (crosschain/arbitrum/LibArbitrumL2.sol)
 
 pragma solidity ^0.8.4;
 
@@ -21,7 +21,7 @@
     address public constant ARBSYS = 0x0000000000000000000000000000000000000064;
 
     function isCrossChain(address arbsys) internal view returns (bool) {
-        return ArbitrumL2_Bridge(arbsys).isTopLevelCall();
+        return ArbitrumL2_Bridge(arbsys).wasMyCallersAddressAliased();
     }
 
     /**
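Review bot: replacing `isTopLevelCall()` with `wasMyCallersAddressAliased()` in `isCrossChain` is the substance of the #3578 fix from the changelog. A direct transaction from an EOA is also a top-level call, so the old check classified plain EOA calls as cross-chain; checking for an aliased caller identifies only calls relayed from L1 by the bridge. A test asserting `isCrossChain` is false for a plain EOA transaction would guard against regressing this.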
@@ -35,9 +35,6 @@
     function crossChainSender(address arbsys) internal view returns (address) {
         if (!isCrossChain(arbsys)) revert NotCrossChainCall();
 
-        return
-            ArbitrumL2_Bridge(arbsys).wasMyCallersAddressAliased()
-                ? ArbitrumL2_Bridge(arbsys).myCallersAddressWithoutAliasing()
-                : msg.sender;
+        return ArbitrumL2_Bridge(arbsys).myCallersAddressWithoutAliasing();
     }
 }
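Review bot: the removed ternary was dead code once `isCrossChain` requires an aliased caller: its `msg.sender` branch could only run when `wasMyCallersAddressAliased()` returned false, which the revert on the preceding line now excludes. The simplification is correct, but note the behavioural change it implies: `crossChainSender` can no longer return `msg.sender` for a non-aliased caller, it reverts with `NotCrossChainCall` instead, so any caller that relied on the old fallback needs to be checked.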
diff --recursive --unified --new-file --exclude test --exclude Makefile 4.7.1/governance/GovernorUpgradeable.sol 4.7.2/governance/GovernorUpgradeable.sol
--- 4.7.1/governance/GovernorUpgradeable.sol  1985-10-26 08:15:00.000000000 +0000
+++ 4.7.2/governance/GovernorUpgradeable.sol  1985-10-26 08:15:00.000000000 +0000
@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// OpenZeppelin Contracts (last updated v4.7.0) (governance/Governor.sol)
+// OpenZeppelin Contracts (last updated v4.7.2) (governance/Governor.sol)
 
 pragma solidity ^0.8.0;
 
@@ -126,7 +126,7 @@
     /**
      * @dev See {IGovernor-hashProposal}.
      *
-     * The proposal id is produced by hashing the RLC encoded `targets` array, the `values` array, the `calldatas` array
+     * The proposal id is produced by hashing the ABI encoded `targets` array, the `values` array, the `calldatas` array
      * and the descriptionHash (bytes32 which itself is the keccak256 hash of the description string). This proposal id
      * can be produced from the proposal data which is part of the {ProposalCreated} event. It can even be computed in
      * advance, before the proposal is submitted.
diff --recursive --unified --new-file --exclude test --exclude Makefile 4.7.1/governance/IGovernorUpgradeable.sol 4.7.2/governance/IGovernorUpgradeable.sol
--- 4.7.1/governance/IGovernorUpgradeable.sol 1985-10-26 08:15:00.000000000 +0000
+++ 4.7.2/governance/IGovernorUpgradeable.sol 1985-10-26 08:15:00.000000000 +0000
@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// OpenZeppelin Contracts (last updated v4.7.0) (governance/IGovernor.sol)
+// OpenZeppelin Contracts (last updated v4.7.2) (governance/IGovernor.sol)
 
 pragma solidity ^0.8.0;
 
@@ -147,7 +147,7 @@
     /**
      * @notice module:user-config
      * @dev Delay, in number of block, between the proposal is created and the vote starts. This can be increassed to
-     * leave time for users to buy voting power, of delegate it, before the voting of a proposal starts.
+     * leave time for users to buy voting power, or delegate it, before the voting of a proposal starts.
      */
     function votingDelay() public view virtual returns (uint256);
 
diff --recursive --unified --new-file --exclude test --exclude Makefile 4.7.1/governance/extensions/GovernorVotesQuorumFractionUpgradeable.sol 4.7.2/governance/extensions/GovernorVotesQuorumFractionUpgradeable.sol
--- 4.7.1/governance/extensions/GovernorVotesQuorumFractionUpgradeable.sol  1985-10-26 08:15:00.000000000 +0000
+++ 4.7.2/governance/extensions/GovernorVotesQuorumFractionUpgradeable.sol  1985-10-26 08:15:00.000000000 +0000
@@ -1,9 +1,11 @@
 // SPDX-License-Identifier: MIT
-// OpenZeppelin Contracts (last updated v4.5.0) (governance/extensions/GovernorVotesQuorumFraction.sol)
+// OpenZeppelin Contracts (last updated v4.7.2) (governance/extensions/GovernorVotesQuorumFraction.sol)
 
 pragma solidity ^0.8.0;
 
 import "./GovernorVotesUpgradeable.sol";
+import "../../utils/CheckpointsUpgradeable.sol";
+import "../../utils/math/SafeCastUpgradeable.sol";
 import "../../proxy/utils/Initializable.sol";
 
 /**
@@ -13,7 +15,10 @@
  * _Available since v4.3._
  */
 abstract contract GovernorVotesQuorumFractionUpgradeable is Initializable, GovernorVotesUpgradeable {
-    uint256 private _quorumNumerator;
+    using CheckpointsUpgradeable for CheckpointsUpgradeable.History;
+
+    uint256 private _quorumNumerator; // DEPRECATED
+    CheckpointsUpgradeable.History private _quorumNumeratorHistory;
 
     event QuorumNumeratorUpdated(uint256 oldQuorumNumerator, uint256 newQuorumNumerator);
 
@@ -36,7 +41,27 @@
      * @dev Returns the current quorum numerator. See {quorumDenominator}.
      */
     function quorumNumerator() public view virtual returns (uint256) {
-        return _quorumNumerator;
+        return _quorumNumeratorHistory._checkpoints.length == 0 ? _quorumNumerator : _quorumNumeratorHistory.latest();
+    }
+
+    /**
+     * @dev Returns the quorum numerator at a specific block number. See {quorumDenominator}.
+     */
+    function quorumNumerator(uint256 blockNumber) public view virtual returns (uint256) {
+        // If history is empty, fallback to old storage
+        uint256 length = _quorumNumeratorHistory._checkpoints.length;
+        if (length == 0) {
+            return _quorumNumerator;
+        }
+
+        // Optimistic search, check the latest checkpoint
+        CheckpointsUpgradeable.Checkpoint memory latest = _quorumNumeratorHistory._checkpoints[length - 1];
+        if (latest._blockNumber <= blockNumber) {
+            return latest._value;
+        }
+
+        // Otherwize, do the binary search
+        return _quorumNumeratorHistory.getAtBlock(blockNumber);
     }
 
     /**
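Review bot: the comment above the binary-search fallback misspells `Otherwise` as `Otherwize`. On substance, `quorumNumerator(uint256)` reaches into `_quorumNumeratorHistory._checkpoints` directly rather than going through the library API, so this function now depends on the internal layout of `CheckpointsUpgradeable.History`; the optimistic check against the last checkpoint is sound because checkpoints are pushed in non-decreasing block order, and the empty-history fallback to `_quorumNumerator` keeps an upgraded proxy returning its pre-upgrade value until the first numerator update.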
@@ -50,7 +75,7 @@
      * @dev Returns the quorum for a block number, in terms of number of votes: `supply * numerator / denominator`.
      */
     function quorum(uint256 blockNumber) public view virtual override returns (uint256) {
-        return (token.getPastTotalSupply(blockNumber) * quorumNumerator()) / quorumDenominator();
+        return (token.getPastTotalSupply(blockNumber) * quorumNumerator(blockNumber)) / quorumDenominator();
     }
 
     /**
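Review bot: this one-line change is the core of the #3561 fix. `quorum(blockNumber)` previously multiplied a block-specific past total supply by the current numerator, so lowering the numerator after a proposal's snapshot retroactively changed that proposal's quorum and could turn one that had failed for lack of quorum into a successful one. Using `quorumNumerator(blockNumber)` pins both factors to the snapshot block. A regression test that creates a proposal, updates the numerator, and asserts the proposal state is unchanged would lock this in.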
@@ -82,8 +107,17 @@
             "GovernorVotesQuorumFraction: quorumNumerator over quorumDenominator"
         );
 
-        uint256 oldQuorumNumerator = _quorumNumerator;
-        _quorumNumerator = newQuorumNumerator;
+        uint256 oldQuorumNumerator = quorumNumerator();
+
+        // Make sure we keep track of the original numerator in contracts upgraded from a version without checkpoints.
+        if (oldQuorumNumerator != 0 && _quorumNumeratorHistory._checkpoints.length == 0) {
+            _quorumNumeratorHistory._checkpoints.push(
+                CheckpointsUpgradeable.Checkpoint({_blockNumber: 0, _value: SafeCastUpgradeable.toUint224(oldQuorumNumerator)})
+            );
+        }
+
+        // Set new quorum for future proposals
+        _quorumNumeratorHistory.push(newQuorumNumerator);
 
         emit QuorumNumeratorUpdated(oldQuorumNumerator, newQuorumNumerator);
     }
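Review bot: the migration guard `oldQuorumNumerator != 0 && _quorumNumeratorHistory._checkpoints.length == 0` writes the legacy numerator as a block-0 checkpoint on the first update after an upgrade, so lookups for blocks before that update keep returning the old value. A legacy numerator of 0 is deliberately skipped, which is harmless because a lookup before the first checkpoint also yields 0. Reading `oldQuorumNumerator` through `quorumNumerator()` rather than the raw slot keeps the emitted `QuorumNumeratorUpdated` event correct both before and after migration; the `toUint224` cast is only reachable for a stored value above 2^224 - 1, which the denominator bound on the numerator rules out in practice.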
@@ -93,5 +127,5 @@
      * variables without shifting down storage in the inheritance chain.
      * See https://docs.openzeppelin.com/contracts/4.x/upgradeable#storage_gaps
      */
-    uint256[49] private __gap;
+    uint256[48] private __gap;
 }
diff --recursive --unified --new-file --exclude test --exclude Makefile 4.7.1/package.json 4.7.2/package.json
--- 4.7.1/package.json  1985-10-26 08:15:00.000000000 +0000
+++ 4.7.2/package.json  1985-10-26 08:15:00.000000000 +0000
@@ -1,7 +1,7 @@
 {
   "name": "@openzeppelin/contracts-upgradeable",
   "description": "Secure Smart Contract library for Solidity",
-  "version": "4.7.1",
+  "version": "4.7.2",
   "files": [
     "**/*.sol",
     "/build/contracts/*.json",
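Review bot: this diff compares 4.7.1 with 4.7.2 only, while the PR bumps to 4.7.3, so the 4.7.3 change from the release notes (the bytes overloads of `ECDSA.recover` and `tryRecover` rejecting 64-byte compact signatures, listed as a breaking change) is not visible here. Before concluding that nothing in use is affected, also check for callers of `recover(bytes32,bytes)` or `tryRecover(bytes32,bytes)` that might be handed EIP-2098 compact signatures; those would start reverting after the bump.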
diff --recursive --unified --new-file --exclude test --exclude Makefile 4.7.1/utils/introspection/ERC165CheckerUpgradeable.sol 4.7.2/utils/introspection/ERC165CheckerUpgradeable.sol
--- 4.7.1/utils/introspection/ERC165CheckerUpgradeable.sol  1985-10-26 08:15:00.000000000 +0000
+++ 4.7.2/utils/introspection/ERC165CheckerUpgradeable.sol  1985-10-26 08:15:00.000000000 +0000
@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: MIT
-// OpenZeppelin Contracts (last updated v4.7.1) (utils/introspection/ERC165Checker.sol)
+// OpenZeppelin Contracts (last updated v4.7.2) (utils/introspection/ERC165Checker.sol)
 
 pragma solidity ^0.8.0;
 
@@ -105,9 +105,19 @@
      * Interface identification is specified in ERC-165.
      */
     function _supportsERC165Interface(address account, bytes4 interfaceId) private view returns (bool) {
+        // prepare call
         bytes memory encodedParams = abi.encodeWithSelector(IERC165Upgradeable.supportsInterface.selector, interfaceId);
-        (bool success, bytes memory result) = account.staticcall{gas: 30000}(encodedParams);
-        if (result.length < 32) return false;
-        return success && abi.decode(result, (uint256)) > 0;
+
+        // perform static call
+        bool success;
+        uint256 returnSize;
+        uint256 returnValue;
+        assembly {
+            success := staticcall(30000, account, add(encodedParams, 0x20), mload(encodedParams), 0x00, 0x20)
+            returnSize := returndatasize()
+            returnValue := mload(0x00)
+        }
+
+        return success && returnSize >= 0x20 && returnValue > 0;
     }
 }
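Review bot: the assembly `staticcall` copies at most 32 bytes of return data into scratch space (`0x00, 0x20`), so a target that returns a very large payload can no longer force this function to copy the whole thing into memory, which is the large-returndata issue (#3587); the old `bytes memory result` path did exactly that before it ever checked the length. The `returnSize >= 0x20` check is also what makes `mload(0x00)` trustworthy, since a shorter return would leave stale scratch bytes in that word. Two things are intentionally preserved from the old code and worth noting in the PR description: `returnValue > 0` rather than `== 1` still treats any non-zero word as support, and the 30000 gas stipend is unchanged.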

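The GovernorVotesQuorumFraction fix (#3561) from the release notes and the hunk above, modelled in Python as an added example that is not OpenZeppelin code: `Checkpoint`, `QuorumFraction` and the block-based lookup are a constructed stand-in for `CheckpointsUpgradeable.History`, reproducing the legacy fallback, the optimistic latest-checkpoint check, the binary search, and the one-time migration checkpoint, with the pre-fix `quorum` kept alongside for comparison.

```python
from bisect import bisect_right
from dataclasses import dataclass, field

# Added example (not OpenZeppelin code): model of the checkpointed quorum
# numerator from GovernorVotesQuorumFraction 4.7.2. Values are constructed.


@dataclass
class Checkpoint:
    block_number: int
    value: int


@dataclass
class QuorumFraction:
    denominator: int = 100
    legacy_numerator: int = 0          # the pre-4.7.2 slot, kept as DEPRECATED
    history: list = field(default_factory=list)

    def numerator(self) -> int:
        """quorumNumerator(): latest checkpoint, else the legacy slot."""
        return self.history[-1].value if self.history else self.legacy_numerator

    def numerator_at(self, block_number: int) -> int:
        """quorumNumerator(blockNumber): legacy fallback, optimistic check of
        the latest checkpoint, then binary search, as in the 4.7.2 code."""
        if not self.history:
            return self.legacy_numerator
        latest = self.history[-1]
        if latest.block_number <= block_number:
            return latest.value
        idx = bisect_right([c.block_number for c in self.history], block_number)
        return self.history[idx - 1].value if idx else 0

    def update_numerator(self, new_numerator: int, current_block: int) -> None:
        """_updateQuorumNumerator(): migrate the legacy value once, then push."""
        if new_numerator > self.denominator:
            raise ValueError("quorumNumerator over quorumDenominator")
        old = self.numerator()
        if old != 0 and not self.history:
            self.history.append(Checkpoint(0, old))   # migration checkpoint
        if self.history and self.history[-1].block_number == current_block:
            self.history[-1].value = new_numerator    # same-block push overwrites
        else:
            self.history.append(Checkpoint(current_block, new_numerator))

    def quorum(self, block_number: int, past_total_supply: int) -> int:
        """Fixed quorum(): both factors are pinned to the snapshot block."""
        return past_total_supply * self.numerator_at(block_number) // self.denominator

    def quorum_pre_fix(self, block_number: int, past_total_supply: int) -> int:
        """4.7.1 behaviour: past supply times the *current* numerator."""
        return past_total_supply * self.numerator() // self.denominator
```

With a 10% numerator at a proposal's snapshot block and a later reduction to 4%, `quorum_pre_fix` reports the lowered quorum for the old snapshot while `quorum` keeps the original one.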