Update dependency bn.js to v5.2.3 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
bn.js	5.2.1 → 5.2.3

GitHub Vulnerability Alerts

CVE-2026-2739

This affects versions of the package bn.js before 4.12.3 and 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.

---

bn.js affected by an infinite loop

CVE-2026-2739 / GHSA-378v-28hj-76wf

More information

Details

This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.

Severity

• CVSS Score: Unknown
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P

References

• https://nvd.nist.gov/vuln/detail/CVE-2026-2739
• https://github.com/indutny/bn.js/issues/186
• https://github.com/indutny/bn.js/issues/316
• https://github.com/indutny/bn.js/pull/317
• https://github.com/indutny/bn.js/commit/33df26b5771e824f303a79ec6407409376baa64b
• https://gist.github.com/Kr0emer/02370d18328c28b5dd7f9ac880d22a91
• https://github.com/indutny/bn.js
• https://github.com/indutny/bn.js/releases/tag/v5.2.3
• https://security.snyk.io/vuln/SNYK-JS-BNJS-15274301

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

indutny/bn.js (bn.js)

v5.2.3

Compare Source

• fix: imaskn state (#​317)

v5.2.2

Compare Source

• fix: imuln/muln with zero (#​313)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 72df414

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[github-actions]

size-limit report 📦

Path	Size
require('@celo/actions') (cjs)	98.85 KB (0%)
import * from '@celo/actions' (esm)	23.55 KB (0%)
import { resolveAddress } from '@celo/actions' (esm)	23.49 KB (0%)
import { getGasPriceOnCelo } from '@celo/actions' (esm)	73 B (0%)
import { getAccountsContract } from '@celo/actions/contracts/accounts' (esm)	46.11 KB (0%)
import * from '@celo/actions/staking' (esm)	50.66 KB (0%)

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.61%. Comparing base (a695c5c) to head (72df414).

Additional details and impacted files

@@           Coverage Diff           @@
##           master     #762   +/-   ##
=======================================
  Coverage   69.61%   69.61%           
=======================================
  Files         150      150           
  Lines        7075     7075           
  Branches     1144     1147    +3     
=======================================
  Hits         4925     4925           
+ Misses       2085     2037   -48     
- Partials       65      113   +48     

Components	Coverage Δ
celocli	∅ <ø> (∅)
sdk	69.12% <ø> (ø)
wallets	73.14% <ø> (ø)
viem-sdks	94.15% <ø> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.