Skip to content

chore: update reported packages#17

Merged
maxim-inj merged 1 commit into
mainfrom
chore/update-pkgs
Jul 11, 2026
Merged

chore: update reported packages#17
maxim-inj merged 1 commit into
mainfrom
chore/update-pkgs

Conversation

@maxim-inj

@maxim-inj maxim-inj commented Jul 11, 2026

Copy link
Copy Markdown
Contributor

Updated dependencies and lockfile, keeping Vite on 8.1.4 and setting node >=24.0.0. Added overrides for vulnerable transitive packages, including CosmJS, ws, axios, hono, vite, etc. Also adjusted the EIP-712 test mocks in so they work with Vitest 4 constructor mocking.

Verification:

  • socket npm i: passed, “found no new risks”
  • npm audit --json: 0 vulnerabilities

Updated dependencies and lockfile, keeping Vite on 8.1.4 and setting node >=24.0.0 in package.json:61. Added overrides for vulnerable transitive packages, including CosmJS, ws, axios, hono, vite, etc. Also adjusted the EIP-712 test mocks in src/evm/eip712.test.ts:78 so
  they work with Vitest 4 constructor mocking.

  Verification:

  - socket npm i: passed, “found no new risks”
  - npm audit --json: 0 vulnerabilities
@maxim-inj
maxim-inj requested review from ckhbtc and Copilot July 11, 2026 03:30
@maxim-inj maxim-inj self-assigned this Jul 11, 2026
@coderabbitai

coderabbitai Bot commented Jul 11, 2026

Copy link
Copy Markdown

Review Change Stack

📝 Walkthrough

Walkthrough

Changes

Toolchain and EVM test updates

Layer / File(s) Summary
Dependency and runtime requirements
package.json
Runtime, development, and override package versions were refreshed, and the minimum Node.js version was raised to 24.
EVM test mock declarations
src/evm/eip712.test.ts
SDK and ethers mocks now use function declarations while preserving their mocked payloads and return values.

Estimated code review effort: 2 (Simple) | ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title is concise and accurately reflects the dependency and package override updates in the pull request.
✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch chore/update-pkgs

Comment @coderabbitai help to get the list of available commands.

@maxim-inj maxim-inj added the enhancement New feature or request label Jul 11, 2026
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedvitest@​2.1.9 ⏵ 4.1.1098 +1100 +7579 +199100
Updated@​types/​node@​22.7.9 ⏵ 24.13.310010081 +196 +1100
Updated@​injectivelabs/​networks@​1.17.8 ⏵ 1.20.239910085100 +1100
Updated@​injectivelabs/​utils@​1.17.8 ⏵ 1.20.2399 +110087 +1100 +1100
Updated@​modelcontextprotocol/​sdk@​1.26.0 ⏵ 1.29.09910010092100
Updated@​injectivelabs/​sdk-ts@​1.17.8 ⏵ 1.20.2398 +110095 +1100 +1100

View full report

@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm @emnapi/runtime is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.jsonnpm/vitest@4.1.10npm/@emnapi/runtime@1.11.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/runtime@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm @injectivelabs/core-proto-ts-v2 is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.jsonnpm/@injectivelabs/sdk-ts@1.20.23npm/@injectivelabs/core-proto-ts-v2@1.20.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@injectivelabs/core-proto-ts-v2@1.20.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@maxim-inj
maxim-inj merged commit f5af393 into main Jul 11, 2026
4 checks passed
@maxim-inj
maxim-inj deleted the chore/update-pkgs branch July 11, 2026 03:32

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR refreshes the project’s dependency set (and lockfile) to newer versions, adds npm overrides to pin vulnerable transitive packages, and updates EIP-712 unit test mocks to remain compatible with Vitest 4’s constructor-mocking behavior.

Changes:

  • Bumped runtime and dev dependencies (notably @injectivelabs/*, @modelcontextprotocol/sdk, typescript, vitest).
  • Added overrides to pin specific transitive package versions (e.g., CosmJS, axios, ws, hono, vite).
  • Updated src/evm/eip712.test.ts mocks to use function constructors (instead of arrow/mockImplementation) for classes instantiated via new.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated no comments.

File Description
src/evm/eip712.test.ts Adjusts mocked constructors (Wallet, ChainRest*Api) to work with Vitest 4 when code calls them with new.
package.json Updates dependency versions, adds overrides, and bumps Node engine requirement to >=24.0.0.
package-lock.json Reflects the updated dependency graph and the new pinned transitive versions from overrides.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

enhancement New feature or request

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants