Commit 5ebf83c

chore(deps): update dependency @openzeppelin/contracts to v5.4.0 [security] (#155)
This PR contains the following updates:

| Package | Type | Update | Change | OpenSSF |
|---|---|---|---|---|
| [@openzeppelin/contracts](https://openzeppelin.com/contracts/) ([source](https://redirect.github.com/OpenZeppelin/openzeppelin-contracts)) | dependencies | minor | [`5.3.0` -> `5.4.0`](https://renovatebot.com/diffs/npm/@openzeppelin%2fcontracts/5.3.0/5.4.0) | [![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/OpenZeppelin/openzeppelin-contracts/badge)](https://securityscorecards.dev/viewer/?uri=github.com/OpenZeppelin/openzeppelin-contracts) |

### GitHub Vulnerability Alerts

#### [CVE-2025-54070](https://redirect.github.com/OpenZeppelin/openzeppelin-contracts/security/advisories/GHSA-9rcw-c2f9-2j55)

### Impact

The `lastIndexOf(bytes,byte,uint256)` function of the `Bytes.sol` library may access uninitialized memory when the following two conditions hold: 1) the provided buffer length is empty (i.e. `buffer.length == 0`) and position is not `2**256 - 1` (i.e. `pos != type(uint256).max`).

The `pos` argument could be used to access arbitrary data outside of the buffer bounds. This could lead to the operation running out of gas, or returning an invalid index (outside of the empty buffer). Processing this invalid result for accessing the `buffer` would cause a revert under normal conditions.

When triggered, the function reads memory at offset `buffer + 0x20 + pos`. If memory at that location (outside the `buffer`) matches the search pattern, the function would return an out of bound index instead of the expected `type(uint256).max`. This creates unexpected behavior where callers receive a valid-looking index pointing outside buffer bounds. Subsequent memory accesses that don't check bounds and use the returned index must carefully review the potential impact depending on their setup.

Code relying on this function returning `type(uint256).max` for empty buffers or using the returned index without bounds checking could exhibit undefined behavior.

### Patches

Upgrade to 5.4.0

---

### Release Notes

<details>
<summary>OpenZeppelin/openzeppelin-contracts (@openzeppelin/contracts)</summary>

### [`v5.4.0`](https://redirect.github.com/OpenZeppelin/openzeppelin-contracts/blob/HEAD/CHANGELOG.md#540-2025-07-17)

[Compare Source](https://redirect.github.com/OpenZeppelin/openzeppelin-contracts/compare/v5.3.0...v5.4.0)

##### Breaking changes

- Update minimum pragma to 0.8.24 in `SignatureChecker`, `Governor` and Governor's extensions. ([#5716](https://redirect.github.com/OpenZeppelin/openzeppelin-contracts/pull/5716)).

##### Pragma changes

- Reduced pragma requirement of interface files

##### Changes by category

##### Account

- `Account`: Added a simple ERC-4337 account implementation with minimal logic to process user operations. ([#5657](https://redirect.github.com/OpenZeppelin/openzeppelin-contracts/pull/5657))
- `AccountERC7579`: Extension of `Account` that implements support for ERC-7579 modules of type executor, validator, and fallback handler. ([#5657](https://redirect.github.com/OpenZeppelin/openzeppelin-contracts/pull/5657))
- `AccountERC7579Hooked`: Extension of `AccountERC7579` that implements support for ERC-7579 hook modules. ([#5657](https://redirect.github.com/OpenZeppelin/openzeppelin-contracts/pull/5657))
- `EIP7702Utils`: Add a library for checking if an address has an EIP-7702 delegation in place. ([#5587](https://redirect.github.com/OpenZeppelin/openzeppelin-contracts/pull/5587))
- `IERC7821`, `ERC7821`: Interface and logic for minimal batch execution. No support for additional `opData` is included. ([#5657](https://redirect.github.com/OpenZeppelin/openzeppelin-contracts/pull/5657))

##### Governance

- `GovernorNoncesKeyed`: Extension of `Governor` that adds support for keyed nonces when voting by sig. ([#5574](https://redirect.github.com/OpenZeppelin/openzeppelin-contracts/pull/5574))

##### Tokens

- `ERC20Bridgeable`: Implementation of ERC-7802 that makes an ERC-20 compatible with crosschain bridges. ([#5739](https://redirect.github.com/OpenZeppelin/openzeppelin-contracts/pull/5739))

##### Cryptography

##### Signers

- `AbstractSigner`, `SignerECDSA`, `SignerP256`, and `SignerRSA`: Add an abstract contract and various implementations for contracts that deal with signature verification. ([#5657](https://redirect.github.com/OpenZeppelin/openzeppelin-contracts/pull/5657))
- `SignerERC7702`: Implementation of `AbstractSigner` for Externally Owned Accounts (EOAs). Useful with ERC-7702. ([#5657](https://redirect.github.com/OpenZeppelin/openzeppelin-contracts/pull/5657))
- `SignerERC7913`: Abstract signer that verifies signatures using the ERC-7913 workflow. ([#5659](https://redirect.github.com/OpenZeppelin/openzeppelin-contracts/pull/5659))
- `MultiSignerERC7913`: Implementation of `AbstractSigner` that supports multiple ERC-7913 signers with a threshold-based signature verification system. ([#5659](https://redirect.github.com/OpenZeppelin/openzeppelin-contracts/pull/5659))
- `MultiSignerERC7913Weighted`: Extension of `MultiSignerERC7913` that supports assigning different weights to each signer, enabling more flexible governance schemes. ([#5741](https://redirect.github.com/OpenZeppelin/openzeppelin-contracts/pull/5741))

##### Verifiers

- `ERC7913P256Verifier` and `ERC7913RSAVerifier`: Ready to use ERC-7913 verifiers that implement key verification for P256 (secp256r1) and RSA keys. ([#5659](https://redirect.github.com/OpenZeppelin/openzeppelin-contracts/pull/5659))

##### Other

- `SignatureChecker`: Add support for ERC-7913 signatures alongside existing ECDSA and ERC-1271 signature verification. ([#5659](https://redirect.github.com/OpenZeppelin/openzeppelin-contracts/pull/5659))
- `ERC7739`: An abstract contract to validate signatures following the rehashing scheme from `ERC7739Utils`. ([#5664](https://redirect.github.com/OpenZeppelin/openzeppelin-contracts/pull/5664))
- `ERC7739Utils`: Add a library that implements a defensive rehashing mechanism to prevent replayability of smart contract signatures based on the ERC-7739. ([#5664](https://redirect.github.com/OpenZeppelin/openzeppelin-contracts/pull/5664))

##### Structures

- `EnumerableMap`: Add support for `BytesToBytesMap` type. ([#5658](https://redirect.github.com/OpenZeppelin/openzeppelin-contracts/pull/5658))
- `EnumerableMap`: Add `keys(uint256,uint256)` that returns a subset (slice) of the keys in the map. ([#5713](https://redirect.github.com/OpenZeppelin/openzeppelin-contracts/pull/5713))
- `EnumerableSet`: Add support for `StringSet` and `BytesSet` types. ([#5658](https://redirect.github.com/OpenZeppelin/openzeppelin-contracts/pull/5658))
- `EnumerableSet`: Add `values(uint256,uint256)` that returns a subset (slice) of the values in the set. ([#5713](https://redirect.github.com/OpenZeppelin/openzeppelin-contracts/pull/5713))

##### Utils

- `Arrays`: Add `unsafeAccess`, `unsafeMemoryAccess` and `unsafeSetLength` for `bytes[]` and `string[]`. ([#5568](https://redirect.github.com/OpenZeppelin/openzeppelin-contracts/pull/5568))
- `Blockhash`: Add a library that provides access to historical block hashes using EIP-2935's history storage, extending the standard 256-block limit to 8191 blocks. ([#5642](https://redirect.github.com/OpenZeppelin/openzeppelin-contracts/pull/5642))
- `Bytes`: Fix `lastIndexOf(bytes,byte,uint256)` with empty buffers and finite position to correctly return `type(uint256).max` instead of accessing uninitialized memory sections. ([#5797](https://redirect.github.com/OpenZeppelin/openzeppelin-contracts/pull/5797))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/settlemint/solidity-token-erc721a).

## Summary by Sourcery

Upgrade @openzeppelin/contracts to v5.4.0 to address a security vulnerability and apply library improvements

Bug Fixes:
- Patch CVE-2025-54070 by fixing out-of-bounds memory access in Bytes.lastIndexOf for empty buffers

Enhancements:
- Bump OpenZeppelin Contracts from v5.3.0 to v5.4.0
- Update lock file to reflect the upgraded dependency

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
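As an added example (not code from the settlemint repository, from Renovate or from OpenZeppelin), the following Python audit does the check a reviewer of a security bump like this one would want automated: it scans a bun.lock for every resolved `@openzeppelin/contracts@X.Y.Z` entry, including nested copies that a transitive range such as the `"^4.6.0"` declared by `@openzeppelin/subgraphs` in this diff can pull in, flags copies below 5.4.0, verifies the integrity string recorded for a version, and confirms package.json pins an exact version. It assumes, as a conservative reading of the advisory's "Upgrade to 5.4.0", that every version below 5.4.0 is unpatched; the sample lockfile is constructed, with the two `@openzeppelin` lines mirroring this commit's hunk and the nested 4.x entry assumed for illustration.

```python
"""Audit a bun.lock and package.json for unpatched @openzeppelin/contracts copies.

Added example; not code from the settlemint repository, Renovate or OpenZeppelin.
ASSUMPTION: every @openzeppelin/contracts version below 5.4.0 is treated as
unpatched for CVE-2025-54070 (the advisory says "Upgrade to 5.4.0").
"""
import json
import re
from typing import List, NamedTuple, Tuple

FIXED_VERSION: Tuple[int, int, int] = (5, 4, 0)

# bun.lock keeps one resolved package per line:
#   "<key>": ["<name>@<version>", "<registry>", { ...deps }, "<integrity>"]
# Matching on "<name>@<version>" rather than on the key catches nested copies
# (keys such as "@openzeppelin/subgraphs/@openzeppelin/contracts") as well.
_CONTRACTS_ENTRY = re.compile(
    r'"(?P<key>[^"]+)":\s*\["@openzeppelin/contracts@(?P<ver>\d+\.\d+\.\d+)",'
    r'\s*"[^"]*",\s*\{.*?\},\s*"(?P<integrity>sha512-[^"]+)"\]'
)

# Constructed sample: the two @openzeppelin lines mirror the resolved entries in
# this commit's bun.lock hunk; the nested 4.x entry is ASSUMED, to show how the
# "^4.6.0" range declared by @openzeppelin/subgraphs could resolve.
SAMPLE_BUN_LOCK = """{
  "packages": {
    "@openzeppelin/contracts": ["@openzeppelin/contracts@5.4.0", "", {}, "sha512-eCYgWnLg6WO+X52I16TZt8uEjbtdkgLC0SUX/xnAksjjrQI4Xfn4iBRoI5j55dmlOhDv1Y7BoR3cU7e3WWhC6A=="],
    "@openzeppelin/subgraphs": ["@openzeppelin/subgraphs@0.1.8-5", "", { "dependencies": { "@amxx/graphprotocol-utils": "^1.1.0", "@openzeppelin/contracts": "^4.6.0" } }, "sha512-7k8x6A/lI33Dggah0S6Q+n348KaTBOUD7pK49K0lBSvCHZw5PqpMNZopfD/Kk+0nyFRzhAoPUU97RhmKz+YFJw=="],
    "@openzeppelin/subgraphs/@openzeppelin/contracts": ["@openzeppelin/contracts@4.9.6", "", {}, "sha512-CONSTRUCTED-PLACEHOLDER"],
  }
}"""

SAMPLE_PACKAGE_JSON = '{"dependencies": {"@openzeppelin/contracts": "5.4.0"}}'


class Finding(NamedTuple):
    key: str        # lockfile key; a "/" inside it marks a nested (transitive) copy
    version: str
    integrity: str
    patched: bool


def _version_tuple(v: str) -> Tuple[int, int, int]:
    major, minor, patch = (int(x) for x in v.split("."))
    return (major, minor, patch)


def audit_lockfile(lock_text: str) -> List[Finding]:
    """Every resolved @openzeppelin/contracts copy, in file order, with its patch status."""
    findings: List[Finding] = []
    for m in _CONTRACTS_ENTRY.finditer(lock_text):
        ver = m.group("ver")
        findings.append(Finding(m.group("key"), ver, m.group("integrity"),
                                _version_tuple(ver) >= FIXED_VERSION))
    return findings


def unpatched_keys(lock_text: str) -> List[str]:
    """Lockfile keys whose resolved copy is below FIXED_VERSION."""
    return [f.key for f in audit_lockfile(lock_text) if not f.patched]


def integrity_matches(lock_text: str, version: str, expected: str) -> bool:
    """True if every entry resolving `version` carries `expected` as its integrity string."""
    entries = [f for f in audit_lockfile(lock_text) if f.version == version]
    return bool(entries) and all(f.integrity == expected for f in entries)


def declared_is_exact_pin(package_json_text: str) -> bool:
    """True if package.json pins @openzeppelin/contracts to one exact version (no ^ or ~ range)."""
    spec = json.loads(package_json_text).get("dependencies", {}).get("@openzeppelin/contracts", "")
    return re.fullmatch(r"\d+\.\d+\.\d+", spec) is not None


if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_BUN_LOCK):
        print(f"{f.key}: {f.version} {'patched' if f.patched else 'UNPATCHED'}")
    print("exact pin in package.json:", declared_is_exact_pin(SAMPLE_PACKAGE_JSON))
```

Run against the real `bun.lock` and `package.json` instead of the samples, this reports the top-level copy as patched while still surfacing any nested 4.x copy the top-level bump does not touch; the integrity check is what binds the version string in the lockfile to specific tarball bytes, so the expected value should come from the registry rather than from the lockfile itself.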
1 parent fab234f commit 5ebf83c

2 files changed, +3 -3 lines changed

bun.lock

Lines changed: 2 additions & 2 deletions
@@ -11,7 +11,7 @@
1111
"@nomicfoundation/hardhat-ignition-viem": "0.15.13",
1212
"@nomicfoundation/hardhat-toolbox-viem": "3.0.0",
1313
"@nomiclabs/hardhat-solhint": "4.1.0",
14-
"@openzeppelin/contracts": "5.3.0",
14+
"@openzeppelin/contracts": "5.4.0",
1515
"@openzeppelin/subgraphs": "0.1.8-5",
1616
"erc721a": "4.3.0",
1717
"hardhat": "2.26.0",
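Review bot: the workspace manifest mirrored in the lockfile now pins `"@openzeppelin/contracts": "5.4.0"` exactly, matching the package.json hunk below; the exact pin (no `^`) is what makes the advisory fix stick, since a caret range would let a later install resolve a different release. Keep it that way, and make sure CI installs with `bun install --frozen-lockfile` so this mirror and the resolved entry further down cannot drift apart unnoticed.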
@@ -253,7 +253,7 @@
253253

254254
"@oclif/plugin-warn-if-update-available": ["@oclif/[email protected]", "", { "dependencies": { "@oclif/core": "^4", "ansis": "^3.5.2", "debug": "^4.4.0", "http-call": "^5.2.2", "lodash": "^4.17.21", "registry-auth-token": "^5.0.3" } }, "sha512-0ZN7o+Tv00gYrwlKsfMQ8VvJGb9Vhr3UYStFJh1AbEdGTPlURv51aatTW27AIV2atfluCh0MMntVZSzoDcuxSQ=="],
255255

256-
"@openzeppelin/contracts": ["@openzeppelin/contracts@5.3.0", "", {}, "sha512-zj/KGoW7zxWUE8qOI++rUM18v+VeLTTzKs/DJFkSzHpQFPD/jKKF0TrMxBfGLl3kpdELCNccvB3zmofSzm4nlA=="],
256+
"@openzeppelin/contracts": ["@openzeppelin/contracts@5.4.0", "", {}, "sha512-eCYgWnLg6WO+X52I16TZt8uEjbtdkgLC0SUX/xnAksjjrQI4Xfn4iBRoI5j55dmlOhDv1Y7BoR3cU7e3WWhC6A=="],
257257

258258
"@openzeppelin/subgraphs": ["@openzeppelin/[email protected]", "", { "dependencies": { "@amxx/graphprotocol-utils": "^1.1.0", "@openzeppelin/contracts": "^4.6.0" } }, "sha512-7k8x6A/lI33Dggah0S6Q+n348KaTBOUD7pK49K0lBSvCHZw5PqpMNZopfD/Kk+0nyFRzhAoPUU97RhmKz+YFJw=="],
259259

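Review bot: the resolved entry's integrity string changes along with the version, so before relying on an automerged security bump, confirm that `sha512-eCYgWnLg6WO+X52I16TZt8uEjbtdkgLC0SUX/xnAksjjrQI4Xfn4iBRoI5j55dmlOhDv1Y7BoR3cU7e3WWhC6A==` is the value the npm registry publishes for `@openzeppelin/contracts@5.4.0`; the lockfile is the only place that binds the version string to specific tarball bytes. Separately, the unchanged `@openzeppelin/subgraphs` context line still declares `"@openzeppelin/contracts": "^4.6.0"`, a range 5.4.0 does not satisfy, so a second, nested 4.x copy may be resolved elsewhere in this lockfile that this hunk does not touch; check whether that copy falls inside the advisory's affected range rather than assuming the top-level bump covers every copy.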
package.json

Lines changed: 1 addition & 1 deletion
@@ -41,7 +41,7 @@
4141
"@nomicfoundation/hardhat-ignition-viem": "0.15.13",
4242
"@nomicfoundation/hardhat-toolbox-viem": "3.0.0",
4343
"@nomiclabs/hardhat-solhint": "4.1.0",
44-
"@openzeppelin/contracts": "5.3.0",
44+
"@openzeppelin/contracts": "5.4.0",
4545
"@openzeppelin/subgraphs": "0.1.8-5",
4646
"hardhat": "2.26.0",
4747
"solhint": "5.2.0",
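Review bot: the exact version bump is fine, but the release notes quoted in the commit message list a breaking change (minimum pragma 0.8.24 in `SignatureChecker`, `Governor` and the Governor extensions); if any contract in this repo imports those, confirm the solc version configured for Hardhat is at least 0.8.24, otherwise compilation fails after this merge. It is also worth recording in the PR whether this ERC721A codebase calls `Bytes.lastIndexOf` at all: the upgrade is warranted either way, but that determines whether CVE-2025-54070 was reachable here and whether any caller needs a bounds check on the returned index.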
