
chore: update deps

Open dbeal-eth opened this issue 1 month ago • 4 comments

dbeal-eth avatar Oct 23 '25 03:10 dbeal-eth

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Added@​types/​diff@​8.0.0991003981100
Added@​synthetixio/​core-contracts@​3.13.0681005489100
Added@​types/​deep-freeze@​0.1.51001006478100
Updated@​radix-ui/​react-label@​2.1.2 ⏵ 2.1.710010066 -3100100
Updated@​radix-ui/​react-separator@​1.1.2 ⏵ 1.1.710010067 -3100100
Updated@​radix-ui/​react-aspect-ratio@​1.1.2 ⏵ 1.1.710010067 -3100100
Updated@​radix-ui/​react-toggle@​1.1.9 ⏵ 1.1.109910067100100
Added@​taplo/​lsp@​0.8.0741006979100
Updated@​radix-ui/​react-switch@​1.1.3 ⏵ 1.2.69910070 -3100100
Updated@​radix-ui/​react-collapsible@​1.1.3 ⏵ 1.1.129910070 -3100100
Updated@​radix-ui/​react-toggle-group@​1.1.10 ⏵ 1.1.119910070100100
Updated@​radix-ui/​react-tabs@​1.1.3 ⏵ 1.1.139910070 -3100100
Added@​tsconfig/​node22@​22.0.21001007081100
Added@​types/​express@​5.0.41001007192100
Added@​types/​express@​4.17.241001007192100
Updated@​radix-ui/​react-checkbox@​1.1.4 ⏵ 1.3.399 +110071 -2100100
Updated@​radix-ui/​react-dropdown-menu@​2.1.6 ⏵ 2.1.169910071 -3100100
Updated@​radix-ui/​react-popover@​1.1.6 ⏵ 1.1.159910071 -3100100
Updated@​radix-ui/​react-accordion@​1.2.3 ⏵ 1.2.129910071 -3100100
Updated@​radix-ui/​react-dialog@​1.1.6 ⏵ 1.1.159910071 -3100100
Added@​types/​connect-busboy@​1.0.3821007276100
Added@​types/​busboy@​1.5.41001007278100
Updated@​radix-ui/​react-tooltip@​1.2.4 ⏵ 1.2.89910072100 +5100
Updated@​babel/​plugin-transform-private-property-in-object@​7.25.9 ⏵ 7.27.11001007292100
Added@​tanstack/​react-table@​8.21.31001007382100
Updated@​radix-ui/​react-scroll-area@​1.2.3 ⏵ 1.2.109910073 -2100100
Updated@​babel/​preset-typescript@​7.24.7 ⏵ 7.28.51001007394100
Added@​types/​big.js@​6.2.21001007378100
Updated@​radix-ui/​react-select@​2.1.6 ⏵ 2.2.69910074 -2100100
Added@​types/​adm-zip@​0.5.71001007479100
Updated@​babel/​plugin-transform-runtime@​7.25.4 ⏵ 7.28.5991007495 -1100
Added@​types/​fs-extra@​11.0.41001007578100
See 32 more rows in the dashboard

View full report

socket-security[bot] avatar Oct 23 '25 03:10 socket-security[bot]

Code Review: PR #1844 - Dependency Updates

Overview

This PR updates project dependencies with a version bump from 2.24.0 to 2.25.0. The changes include major version updates to dev tooling and security-related package overrides.


✅ Positive Aspects

  1. Security Improvements: The PR adds extensive security overrides in pnpm-workspace.yaml addressing multiple CVEs including:

    • elliptic@<6.6.0 → >=6.6.1 (CVE fixes for elliptic curve cryptography)
    • ws vulnerabilities across multiple version ranges
    • vite security patches
    • form-data@<2.5.4 → >=2.5.4
    • Several other critical vulnerability patches
  2. Code Quality Improvements:

    • Type Safety Enhancement (packages/hardhat-cannon/src/utils/index.ts:18): Added explicit return type to getContract() function:
      export function getContract(contractName: string): Pick<ContractData, 'address' | 'abi'>
      
      This improves type safety and makes the API contract clearer.
  3. Browser Compatibility Fix (packages/builder/src/ipfs.ts:78): Better handling of Buffer → Blob conversion:

    const content = typeof window !== 'undefined' && typeof Blob !== 'undefined' 
      ? new Blob([new Uint8Array(data)]) 
      : data;
    

    The addition of new Uint8Array(data) wrapper ensures proper data conversion in browser environments.

  4. Modern Tooling: Updates to latest stable versions:

    • ESLint v8 → v9
    • TypeScript v5.8.3 → v5.9.3
    • Prettier v2 → v3
    • React v18 → v19
    • Lerna v8 → v9

⚠️ Issues & Concerns

Critical: Lint Failures

The CI shows lint job is FAILING. This must be addressed before merge:

  • The ESLint major version update (v8 → v9) likely introduced breaking changes
  • ESLint v9 has a new flat config system and different plugin API
  • Migration may require .eslintrc.* → eslint.config.js conversion

Recommendation: Check lint errors and update ESLint configuration for v9 compatibility.

Vercel Deployment Failure

The Vercel build check is showing FAILURE status. This needs investigation:

  • Could be related to React 19 upgrade
  • May need Next.js version compatibility check
  • Possible build configuration adjustments needed

🔍 Potential Breaking Changes

  1. ESLint v9 Migration

    • Breaking: New flat config system
    • Plugin system changes may break existing custom rules
    • TypeScript ESLint parser upgraded from v5 → v8 (major changes)
  2. Prettier v3

    • May have different default formatting rules
    • Plugin API changes could affect prettier-plugin-solidity
  3. React v19

    • Major version with potential breaking changes
    • May affect website and any React-dependent packages
    • Should verify all React components still work correctly
  4. Babel Plugin Rename

    • @babel/plugin-proposal-private-property-in-object → @babel/plugin-transform-private-property-in-object
    • Proposal → Transform indicates the feature is now stable
    • Should verify Babel config references the new package name

📋 Security Review

Good: Extensive security overrides added. Key patches include:

  • ✅ Elliptic curve crypto vulnerabilities
  • ✅ WebSocket DOS vulnerabilities
  • ✅ XML parser vulnerabilities
  • ✅ Path traversal fixes (tar, tmp)
  • ✅ ReDoS vulnerabilities (brace-expansion, path-to-regexp)
  • ✅ Cookie security issues

Socket Security Report: Shows neutral/success status - no major security concerns from dependency scanner.


🧪 Testing Considerations

  1. Unit Tests: Currently running - should verify all pass with updated dependencies
  2. E2E Tests: Currently running - critical for catching integration issues
  3. Manual Testing Recommended:
    • Test CLI commands with updated dependencies
    • Verify hardhat-cannon plugin functionality
    • Test website build and runtime
    • Verify IPFS operations (changed code in ipfs.ts)

📝 Recommendations

Before Merge:

  1. Fix lint failures - Update ESLint config for v9 compatibility
  2. Fix Vercel deployment - Investigate build failures
  3. Wait for CI - Ensure all tests pass (unit, e2e, cypress)
  4. Add changelog entry - Document breaking changes for consumers
  5. Test locally:
    pnpm clean
    pnpm i
    pnpm build
    pnpm test
    pnpm lint
    

Post-Merge Considerations:

  1. Monitor for runtime issues with React 19 in production
  2. Watch for ESLint v9 edge cases in development
  3. Document any migration steps needed for contributors

🎯 Code Quality Score

Aspect Score Notes
Security ⭐⭐⭐⭐⭐ Excellent - addresses multiple CVEs
Type Safety ⭐⭐⭐⭐⭐ Improved with explicit types
Browser Compat ⭐⭐⭐⭐⭐ Better Buffer handling
CI Status ⭐⭐ Failing - needs fixes
Breaking Changes ⭐⭐⭐ Major updates need careful testing

✏️ Minor Suggestions

  1. Consider adding a migration guide for the ESLint v9 changes
  2. Document any new linting rules that developers should be aware of
  3. Test the form-data update thoroughly for IPFS uploads
  4. Verify all transitive dependency security overrides are actually being applied

Overall Assessment: This is a valuable security and modernization update, but should not be merged until lint and build failures are resolved. The code changes themselves are good, but the tooling migration needs completion.

The changes align with Cannon's development standards and improve overall code quality once CI issues are addressed.

claude[bot] avatar Oct 23 '25 03:10 claude[bot]
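As a concrete check for the "verify all transitive dependency security overrides are actually being applied" item in the review above, here is an added example that is not code from the Cannon repository or the PR: a Node script that scans a pnpm-lock.yaml for package versions that a pnpm-workspace.yaml override selector (such as `elliptic@<6.6.0`) should have replaced. The override map, the lockfile excerpt and the function names are constructed for illustration.

```javascript
// Added example (not code from the Cannon PR): after `pnpm install`, check that overrides like
// `elliptic@<6.6.0: >=6.6.1` in pnpm-workspace.yaml actually took effect, i.e. the lockfile no
// longer resolves any version the override selector was meant to replace. Sample data is constructed.
const SAMPLE_OVERRIDES = { 'elliptic@<6.6.0': '>=6.6.1', 'form-data@<2.5.4': '>=2.5.4' };

// Constructed excerpt shaped like the `packages:` keys of a pnpm-lock.yaml (v9 format).
const SAMPLE_LOCK = `
packages:
  '@types/diff@8.0.0':
  elliptic@6.6.1:
  elliptic@6.5.4:
  form-data@2.5.4:
`;

// Numeric x.y.z comparison: <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// True when `version` satisfies one `>=x.y.z` or `<x.y.z` constraint (the forms the overrides
// above use); any other range syntax is rejected rather than guessed at.
function satisfies(version, range) {
  const m = /^(>=|<)\s*(\d+\.\d+\.\d+)$/.exec(range);
  if (!m) throw new Error(`unsupported range: ${range}`);
  const c = compareVersions(version, m[2]);
  return m[1] === '>=' ? c >= 0 : c < 0;
}

// Unique {name, version} pairs from `packages:` keys. Quoted scoped names and peer suffixes
// such as `(react@19.2.0)` are tolerated; prerelease tags are dropped.
function lockedPackages(lockText) {
  const seen = new Set(), out = [];
  for (const m of lockText.matchAll(/^  '?(@?[^\s@']+)@(\d+\.\d+\.\d+)[^\n]*?'?:[ \t]*$/gm)) {
    const key = `${m[1]}@${m[2]}`;
    if (!seen.has(key)) { seen.add(key); out.push({ name: m[1], version: m[2] }); }
  }
  return out;
}

// An override `name@<selector>: <target>` must leave no `name` entry whose version still
// matches <selector>; each such entry is reported as an override that was not applied.
function findUnappliedOverrides(lockText, overrides) {
  const packages = lockedPackages(lockText), violations = [];
  for (const [selector, target] of Object.entries(overrides)) {
    const at = selector.lastIndexOf('@'), name = selector.slice(0, at), range = selector.slice(at + 1);
    for (const p of packages) {
      if (p.name === name && satisfies(p.version, range))
        violations.push(`${p.name}@${p.version} (override ${selector} -> ${target})`);
    }
  }
  return violations;
}
```

With the constructed lockfile, the lingering `elliptic@6.5.4` entry is reported because it still matches the `<6.6.0` selector, which is exactly what a workspace-level override that failed to apply looks like.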

Pull Request Review: Dependency Updates

Summary

This PR updates numerous dependencies across the monorepo, with 176 files changed (+8,939/-13,984 lines). The changes primarily consist of:

  • Major version bumps for build tools (Babel, ESLint, TypeScript)
  • Type definition updates throughout the codebase
  • Solidity compiler file removal
  • Configuration adjustments

Key Changes Reviewed

1. Root Package Dependencies

  • Babel ecosystem: Upgraded from v7.16-7.22 to v7.27-7.28
  • ESLint: Upgraded from v8.10 to v9.38 (major version bump)
  • TypeScript ESLint: Upgraded from v5.13 to v8.46 (major version bump)
  • Added: "type": "module" to root package.json
  • Memory fix: Added NODE_OPTIONS for 8GB heap to lint scripts (good for large monorepos)

2. Code Quality Observations

POSITIVES:

  • Systematic update approach across all packages
  • Removed deprecated Babel plugin in favor of current one
  • Cleaned up unused soljson-latest.js file (3,354 lines removed)
  • Removed obsolete .eslintignore file
  • Added compiler version to Prettier Solidity config

CONCERNS:

  1. ESLint Major Version Jump (v8 to v9)

    • This is a major breaking change with new flat config system
    • Need to verify ESLint config has been properly migrated
    • Recommend testing lint commands extensively
  2. TypeScript-ESLint Major Version Jump (v5 to v8)

    • Skipped v6 and v7 entirely
    • May have rule changes or new strictness
    • Could introduce new linting errors in CI
  3. Type Import Changes Throughout Codebase

    • Many files show changes from direct imports to type imports
    • While correct, this is a large-scale refactor that should be tested
  4. Test File Changes

    • Test assertion changes observed
    • Need to verify all tests still pass

3. Security and Performance

GOOD:

  • Dependency updates generally improve security
  • Memory limit increase helps with large codebases

REVIEW NEEDED:

  • With 176 files changed, thorough testing is critical
  • Type changes could hide runtime issues if tests do not have full coverage

4. Breaking Change Potential

HIGH RISK AREAS:

  • ESLint v9 uses flat config (incompatible with v8)
  • "type": "module" in package.json changes module resolution
  • Major version jumps in core build tools

Recommendations

  1. Before Merge:

    • Run full test suite: pnpm test
    • Run lint checks: pnpm lint
    • Test build process: pnpm build
    • Verify CLI works
    • Test website build: pnpm build:website
  2. Documentation:

    • Consider adding a migration note in CHANGELOG if ESLint config changed
    • Document the "type": "module" change if it affects usage
  3. CI/CD:

    • Ensure CI passes all checks before merge
    • Watch for any new lint errors from stricter rules
  4. Post-Merge:

    • Monitor for any runtime issues related to type changes
    • Be ready to fix any issues discovered by users

Test Coverage Verification

Given the scope of changes, please confirm:

  • All existing tests pass
  • No new type errors introduced
  • Build succeeds for all packages
  • E2E tests pass (especially for CLI)

Overall Assessment

Scope: Large-scale dependency update
Risk Level: Medium-High (due to major version jumps)
Code Quality: Changes appear systematic and well-structured
Recommendation: APPROVE WITH CONDITIONS - merge after confirming all tests pass

The dependency updates are necessary for security and keeping the project modern. The systematic approach is good, but the major version jumps (especially ESLint v9 and TypeScript-ESLint v8) require careful verification.

claude[bot] avatar Oct 23 '25 04:10 claude[bot]

Pull Request Review: chore: update deps

Summary

This PR updates project dependencies and applies automated code formatting across 176 files with 8,939 additions and 13,984 deletions. The changes are primarily:

  • Dependency updates (major version bumps for tooling)
  • Automated code formatting (trailing commas, spacing)
  • Version bump from 2.24.0 to 2.25.0

Code Quality & Best Practices

Positive Observations:

  1. Consistent Formatting: The PR applies consistent code style across the entire codebase with prettier/eslint
  2. Following Project Standards: Changes align with the project's commitment to code quality mentioned in CLAUDE.md
  3. Test Updates: 31 test files were updated to maintain consistency
  4. Memory Management: Added NODE_OPTIONS memory limit to lint scripts to handle large codebases

Configuration Changes:

  • Deleted .eslintignore (ESLint 9 uses different ignore system)
  • Added "type": "module" to root package.json
  • Updated Prettier Solidity compiler version to 0.8.30
  • Version bump in lerna.json (2.24.0 to 2.25.0)

Potential Issues & Concerns

Breaking Changes:

  1. ESLint 9.x Migration (v8.10.0 to v9.38.0)

    • ESLint 9 has breaking changes in configuration format (flat config)
    • Need to verify all eslint configs are compatible
    • The removal of .eslintignore suggests migration to new ignore system
  2. TypeScript-ESLint (v5.x to v8.x)

    • Major version jump with breaking changes
    • Some rules may behave differently or be deprecated
  3. Prettier 3.x (v2.5.1 to v3.6.2)

    • Prettier 3 dropped Node 12/14 support (project requires Node 18+, so OK)
    • May have subtle formatting changes
  4. React 19 (v18.2.0 to v19.2.0)

    • Major version upgrade
    • While this is a devDep, ensure website/examples are tested
  5. Lerna 9 (v8.0.2 to v9.0.0)

    • Major version change for monorepo tooling
    • Verify publish workflows still function correctly

Missing Items:

  1. No ESLint Configuration Update: I don't see updates to eslint config files to support ESLint 9's flat config format. This could cause linting to fail.
  2. No Migration Guide Reference: PR description is empty - should document the breaking changes
  3. Package Lock Files: Ensure pnpm-lock.yaml is updated (not visible in diff)

Security Concerns

Good:

  • All dependency updates follow semantic versioning with ^ ranges
  • Using pnpm which has better security than npm
  • engineStrict: true enforces Node/pnpm versions

To Verify:

  • Run pnpm audit to check for vulnerabilities in updated dependencies
  • Verify the large soljson-latest.js file changes (appears to be auto-generated, but worth checking)

Performance Considerations

Positive:

  • Added memory limit flag for lint commands handles large monorepo
  • Updated to latest tooling versions should have performance improvements

Concerns:

  • ESLint 9 and TypeScript-ESLint 8 may have different performance characteristics
  • Recommend running benchmarks on lint times

Test Coverage

Good:

  • 31 test files updated with formatting changes
  • Test logic appears unchanged (only formatting)
  • No test files were deleted

Recommendations:

  1. Run Full Test Suite: Ensure all tests pass with updated dependencies
  2. E2E Testing: Run end-to-end tests, especially for CLI and website
  3. Integration Tests: Test the Hardhat plugin with updated dependencies
  4. Verify Build: Run pnpm build to ensure TypeScript compilation works

Recommendations

Critical (Should Address Before Merge):

  1. Add ESLint 9 Configuration: Create/update eslint.config.js with flat config format
  2. Test Build Pipeline: Verify all builds, tests, and linting pass in CI
  3. Document Breaking Changes: Add migration notes to PR description

Recommended:

  1. Test Publish Workflow: Verify Lerna 9 publish commands work correctly
  2. Update CI Configuration: Ensure CI uses compatible Node version (18+)
  3. Test Website Build: Verify React 19 doesn't break the website
  4. Add Changeset: Run pnpm changeset to document the dependency updates per project conventions

Nice to Have:

  1. Split PR: Consider separating dependency updates from code formatting
  2. Gradual Updates: Stage major version updates separately for easier troubleshooting
  3. Add Tests: Add a test to verify the formatting rules are maintained

Verdict

Recommendation: REQUEST CHANGES

While the code formatting is excellent and dependency updates are generally good, the missing ESLint 9 configuration and lack of verification testing make this PR risky to merge as-is.

Action Items:

  1. Add/update ESLint configuration for v9 compatibility
  2. Verify all CI checks pass
  3. Run manual testing for critical workflows (build, test, publish)
  4. Document breaking changes in PR description
  5. Consider running on a test branch first

Once these items are addressed, this will be a great modernization update for the codebase!

claude[bot] avatar Oct 23 '25 04:10 claude[bot]