From bdecedb3b0c8c859d4b727150344c1f0bf4a528c Mon Sep 17 00:00:00 2001 From: "L3-37@Decentraliser" Date: Wed, 13 May 2026 04:06:46 +0000 Subject: [PATCH 1/2] =?UTF-8?q?chore(security):=20npm=20supply-chain=20coo?= =?UTF-8?q?ldown=20=E2=80=94=20pin=20deps=20+=20.npmrc=20release-age?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Hardening against the Shai-Hulud / TanStack npm+PyPI supply-chain wave. - add .npmrc: minimum-release-age=10080 (7d cooldown) + save-exact - pin all 13 third-party direct deps to exact resolved versions; kept @emblemvault/* deps as ranges - regenerate package-lock.json (synced) - npm audit: 5 pre-existing transitive advisories (2 high) — left for a separate pass L3-37 Claude --- .npmrc | 3 +++ package-lock.json | 26 +++++++++++++------------- package.json | 26 +++++++++++++------------- 3 files changed, 29 insertions(+), 26 deletions(-) create mode 100644 .npmrc diff --git a/.npmrc b/.npmrc new file mode 100644 index 0000000..4db4d7c --- /dev/null +++ b/.npmrc @@ -0,0 +1,3 @@ +; npm supply-chain cooldown — added 2026-05-13 (Shai-Hulud / TanStack incident) +minimum-release-age=10080 +save-exact=true diff --git a/package-lock.json b/package-lock.json index 2e14ccb..12abd4d 100644 --- a/package-lock.json +++ b/package-lock.json @@ -9,25 +9,25 @@ "version": "3.3.0", "license": "MIT", "dependencies": { - "@dotenvx/dotenvx": "^1.52.0", + "@dotenvx/dotenvx": "1.52.0", "@emblemvault/auth-sdk": "^2.3.18", - "@x402/core": "^2.8.0", - "@x402/evm": "^2.8.0", - "@x402/svm": "^2.8.0", - "blessed": "^0.1.81", - "chalk": "^5.3.0", - "dotenv": "^16.3.1", - "hustle-incognito": "^1.1.2", - "mppx": "^0.5.0", - "viem": "^2.47.6" + "@x402/core": "2.9.0", + "@x402/evm": "2.9.0", + "@x402/svm": "2.9.0", + "blessed": "0.1.81", + "chalk": "5.6.2", + "dotenv": "16.6.1", + "hustle-incognito": "1.1.2", + "mppx": "0.5.0", + "viem": "2.47.6" }, "bin": { "emblemai": "emblemai.js" }, "devDependencies": { - "@types/node": "^24.0.0", - "c8": "^11.0.0", - "typescript": "^5.7.0" + "@types/node": "24.12.0", + "c8": "11.0.0", + "typescript": "5.9.3" }, "engines": { "node": ">=20.18.0" diff --git a/package.json b/package.json index 3245686..0568bef 100644 --- a/package.json +++ b/package.json @@ -17,22 +17,22 @@ "typecheck": "tsc --project tsconfig.json" }, "devDependencies": { - "@types/node": "^24.0.0", - "c8": "^11.0.0", - "typescript": "^5.7.0" + "@types/node": "24.12.0", + "c8": "11.0.0", + "typescript": "5.9.3" }, "dependencies": { - "@dotenvx/dotenvx": "^1.52.0", + "@dotenvx/dotenvx": "1.52.0", "@emblemvault/auth-sdk": "^2.3.18", - "@x402/core": "^2.8.0", - "@x402/evm": "^2.8.0", - "@x402/svm": "^2.8.0", - "blessed": "^0.1.81", - "chalk": "^5.3.0", - "dotenv": "^16.3.1", - "hustle-incognito": "^1.1.2", - "mppx": "^0.5.0", - "viem": "^2.47.6" + "@x402/core": "2.9.0", + "@x402/evm": "2.9.0", + "@x402/svm": "2.9.0", + "blessed": "0.1.81", + "chalk": "5.6.2", + "dotenv": "16.6.1", + "hustle-incognito": "1.1.2", + "mppx": "0.5.0", + "viem": "2.47.6" }, "keywords": [ "ai", From b0c02bd95062a634c13feb5171bde856e41e2c2b Mon Sep 17 00:00:00 2001 From: "L3-37@Decentraliser" Date: Wed, 13 May 2026 10:43:20 +0000 Subject: [PATCH 2/2] =?UTF-8?q?chore(release):=203.3.1=20=E2=80=94=20suppl?= =?UTF-8?q?y-chain=20cooldown?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit L3-37 Claude --- package-lock.json | 4 ++-- package.json | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/package-lock.json b/package-lock.json index 12abd4d..9abf332 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "@emblemvault/agentwallet", - "version": "3.3.0", + "version": "3.3.1", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@emblemvault/agentwallet", - "version": "3.3.0", + "version": "3.3.1", "license": "MIT", "dependencies": { "@dotenvx/dotenvx": "1.52.0", diff --git a/package.json b/package.json index 0568bef..daec19e 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@emblemvault/agentwallet", - "version": "3.3.0", + "version": "3.3.1", "description": "CLI for EmblemAI - autonomous crypto wallet management with browser auth, streaming, and plugins", "main": "emblemai.js", "type": "module",