Home / Input Output / cardano-js-sdk
103 commits this week Jun 13, 2026 - Jun 20, 2026
chore(deps): remove obsolete qix blocklist + cluster pins (resolutions 28 -> 10)
The Sept-2025 qix-hack lockdown is no longer needed: all 18 malicious
releases have been unpublished from npm (404: [email protected], [email protected],
[email protected], ...), so they can neither match a constraint nor be
resolved.

- .yarn/constraints.pro: dropped the ForbidMaliciousReleases blocklist,
  kept as a documented placeholder. The constraints plugin and the CI
  `yarn constraints` check are retained for future supply-chain rules.
- resolutions: removed the 18 color/ansi/debug cluster pins. Yarn now
  resolves them to clean current versions, verified to exclude every
  previously-blocked release (ansi-regex 6.2.2 not 6.2.1, debug 4.4.3
  not 4.4.2, ansi-styles 6.2.3 not 6.2.2).

Build green; yarn install --immutable clean; yarn constraints passes.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
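
The verification described in the commit above (resolved versions exclude every previously-blocked release) can be re-run against a lockfile at any time. The following is an added example, not code from the repository: it assumes a Yarn Berry `yarn.lock` layout, the function names are hypothetical, and the blocklist holds only the four versions the commit messages on this page name, not the full set of 18.

```javascript
// Added example. Blocked versions are the ones named in the commit messages on
// this page (ansi-regex 6.2.1, ansi-styles 6.2.2, debug 4.4.2, chalk 5.6.1).
const BLOCKED = new Map([
  ['ansi-regex', new Set(['6.2.1'])],
  ['ansi-styles', new Set(['6.2.2'])],
  ['chalk', new Set(['5.6.1'])],
  ['debug', new Set(['4.4.2'])]
]);

// Extract every resolved npm package from Yarn Berry lockfile text.
// Matches lines such as:   resolution: "@scope/name@npm:1.2.3"
function resolvedPackages(lockText) {
  const re = /^\s+resolution:\s+"((?:@[^@\/"]+\/)?[^@\/"]+)@npm:([^"]+)"\s*$/gm;
  const found = [];
  let m;
  while ((m = re.exec(lockText)) !== null) found.push({ name: m[1], version: m[2] });
  return found;
}

// Return sorted "name@version" strings for every resolved blocked release.
function findBlocked(lockText, blocked = BLOCKED) {
  return resolvedPackages(lockText)
    .filter(({ name, version }) => blocked.has(name) && blocked.get(name).has(version))
    .map(({ name, version }) => `${name}@${version}`)
    .sort();
}

// Constructed sample lockfiles (not taken from the repository).
const CLEAN_LOCK = `
"ansi-regex@npm:^6.0.1":
  version: 6.2.2
  resolution: "ansi-regex@npm:6.2.2"

"debug@npm:^4.3.4":
  version: 4.4.3
  resolution: "debug@npm:4.4.3"
`;
const DIRTY_LOCK = `
"chalk@npm:^4.1.0":
  version: 4.1.2
  resolution: "chalk@npm:4.1.2"

"debug@npm:^4.3.4":
  version: 4.4.2
  resolution: "debug@npm:4.4.2"
`;

console.log(findBlocked(CLEAN_LOCK), findBlocked(DIRTY_LOCK));
```
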
chore(e2e): upgrade WebdriverIO v7 -> v9 (drops 5 resolutions)
WebdriverIO v9 self-manages browser drivers, so wdio-chromedriver-service
and the chromedriver package are removed; the legacy yarn-install dep is
dropped and mocha moves to 10.8.2 (patched nanoid/serialize-javascript/
diff), with cross-spawn 4.0.2 gone. The over-broad global chalk pin is
removed (v9 needs chalk 5 ESM; our CJS tools keep chalk 4 via their own
^4 ranges).

Includes the test migration v9 requires (caught by the strict tsc build):
- wdio.conf.js: autoCompileOpts (removed in v8) -> tsConfigPath; drop the
  'chromedriver' service entry
- tsconfig types: webdriverio/async -> @wdio/globals/types
- specs: toHaveTextContaining -> toHaveText(x, { containing: true }) /
  toContain; await $$(sel).length (now a Promise in v9)

Resolutions removed: chalk, nanoid, serialize-javascript, diff, cross-spawn.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
chore(e2e): upgrade WebdriverIO v7 -> v9; drop 5 resolutions
WebdriverIO v9 self-manages browser drivers, so the deprecated
wdio-chromedriver-service and the chromedriver package are removed.
Config migrated: autoCompileOpts (removed in v8) -> tsConfigPath;
the 'chromedriver' service entry dropped.

The v9 stack drops the legacy yarn-install dep and pulls mocha 10.8.2
(patched nanoid/serialize-javascript/diff). Combined with removing the
over-broad global chalk pin (v9 needs chalk 5 ESM; our CJS tools keep
chalk 4 via their own ^4 ranges; the qix blocklist lives in
.yarn/constraints.pro, not the pin), five resolutions can go:

  - chalk                (over-broad; constraints.pro still blocks 5.6.1)
  - nanoid               (mocha 10.8.2 dropped it; natural 3.3.13)
  - serialize-javascript (mocha -> ^6.0.2)
  - diff                 (mocha -> ^5.2.0; ts-node's 4.0.4 is clean)
  - cross-spawn          (yarn-install gone; natural 6.0.6 / 7.0.6)

Resolutions 33 -> 28. Web-extension wdio suite boots, compiles TS specs,
launches Chrome with the extension, and runs mocha under v9 locally;
backend-dependent assertions validate in CI E2E.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
chore(deps): drop on-headers & ip-address resolutions via in-range relock
Both forced resolutions were removable without any manifest change — the
patched versions are reachable inside existing parent ranges:

- morgan 1.10.0 -> 1.11.0 (within @wdio/static-server-service's ^1.7.0),
  which declares on-headers ~1.1.0 -> resolves on-headers 1.1.0 naturally.
- socks deduped 2.8.3 -> 2.8.9 (within socks-proxy-agent's ^2.8.3),
  which declares ip-address ^10.1.1 -> drops the lingering ip-address 9.0.5.

Resolutions 15 -> 13. Dev/transitive-only; build + unit + e2e green.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
chore(deps): resolve remaining transitive Dependabot alerts
Closes every code-resolvable open alert the direct bumps left as PARTIAL —
vulnerable transitive copies pinned by dev/build tooling. Prefer real parent
bumps; fall back to resolutions only where a transitive has multiple/deep
parents (node-gyp, mocha, eslint, npm internals) that no single direct-dep
bump can dislodge.

Parent bumps (clear the copy outright):
- tsx ^4.15 -> ^4.22  => esbuild 0.21 -> 0.27/0.28
- wait-on ^6 -> ^9 (cardano-services, wallet) => drops transitive [email protected]
  (whole axios tree now 1.18.0)
- pkg (archived/EOL, no fix) -> maintained fork @yao-pkg/pkg ^6.20 in
  golden-test-generator; build targets node14 -> node22

Resolutions (transitive copies with no single bumpable parent):
nanoid, on-headers, tar-fs, @opentelemetry/core, cross-spawn,
serialize-javascript, diff, ip-address, js-yaml, tar, tmp, uuid, ws — each
forced to its patched version. base-x clears naturally. minimatch is fixed
with descriptor-scoped resolutions (globule ~3.0.2 -> 3.1.5, mocha 5.0.1 ->
5.1.9) so eslint's own minimatch (3.1.5) is untouched.

Validated: full `yarn build` green; tsx runs under esbuild 0.28; unit tests
green across core/util/crypto/ogmios/hardware-trezor/cardano-services-client/
governance/key-management/tx-construction/input-selection (~2200 tests).

No upstream fix (deep transitives) — dismissed on GitHub with documented
rationale: elliptic (#203), bigint-buffer (#152).

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
chore(deps): bump uuid, ip-address, axios & express-openapi-validator
Consolidates the pure dependency version bumps that stack on top of the
Node 22 upgrade. Each is a behaviour-preserving bump that closes (or
hardens against) Dependabot alerts on consumer-facing and build-context
deps; no public API changes.

- uuid 8/9/10 -> ^11.1.1 across cardano-services, e2e, projection-typeorm,
  web-extension, wallet; drop now-redundant @types/uuid (uuid 11 ships
  its own types).
- core: ip-address ^9.0.5 -> ^10.2.0.
- axios relocked within ^1.7.4 to 1.18.0.
- cardano-services: express-openapi-validator ^4.13.8 -> ^5.6.2
  (pulls multer 2.x, removing the vulnerable multer 1.x). v5 renames
  the OpenAPIV3.Document type to DocumentV3 — updated in openApi.ts and
  its test.

Audits the wave in docs/security/dependency-vulnerability-audit-2026-06-19.md
(follow-up section): OSV.dev clean for every resolved version, 0 residual
advisories in CISA KEV, production closure clean, no lockfile downgrades,
per-tier blast-radius diagrams, and the lone publisher transition (multer
linusu -> ulisesgascon) annotated as a known maintenance handoff.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
chore: stop tracking gitignored tsconfig.tsbuildinfo
This TypeScript incremental-build cache has been committed since
1dcb0993c84 (2021-10-04) but was only added to .gitignore later in
f0a8724593b (2022-06-14). Git keeps already-tracked files even once
ignored, so it lingered in the tree — churning on every build and
showing up as spurious diffs. Remove it from version control (the file
stays locally; tsc regenerates it).

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
refactor(core): replace ip-address with a local IPv4/IPv6 parser
ip-address was used in exactly one place — pool-relay address (de)serialization
in ipUtils.ts (Address4/Address6 validation, IPv6 expansion to bytes, and
canonical formatting). Vendor a ~50-line functional parser (RFC 4291: `::`
zero-compression and trailing IPv4-mapped suffixes) and drop the dependency.

Because this feeds consensus-affecting serialization, the local implementation
was proven byte-for-byte identical to ip-address across a 26-case corpus
(validation, expansion, canonical formatting; valid/edge/invalid) before removal,
then locked in with vector-based unit tests.

Removes ip-address from core's production closure (no consumer pulls it via core
any longer). Full core suite (1018 tests) green.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
refactor(core): replace @foxglove/crc with a local crc32
@foxglove/crc was used in exactly one place — the Byron-era address
checksum. CRC-32 (IEEE 802.3 / zlib variant) is ~15 lines, so vendor a
local implementation and drop the dependency from core's closure.

Adds a dedicated crc32 unit test pinning the implementation bit-for-bit to
the canonical CRC-32 vectors (123456789 -> 0xCBF43926, empty -> 0, the
"quick brown fox" -> 0x414FA339, 0..255 -> 0x29058C73), so it provably
matches the variant @foxglove/crc provided. Byron address round-trips
(Address/PaymentAddress suites) cover the integration path.

Part of the core dependency-minimisation effort.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
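
The kind of vector-pinned CRC-32 the commit above describes, as an added example rather than the repository's implementation: a table-driven CRC-32 (IEEE 802.3 / zlib variant) checked against the four vectors the commit message lists. The function names are hypothetical, and the "quick brown fox" input is assumed to be the usual pangram "The quick brown fox jumps over the lazy dog".

```javascript
// Added example. Lookup table for the reflected polynomial 0xedb88320,
// which is the IEEE 802.3 / zlib CRC-32 variant.
const CRC_TABLE = (() => {
  const table = new Uint32Array(256);
  for (let n = 0; n < 256; n++) {
    let c = n;
    for (let k = 0; k < 8; k++) c = c & 1 ? 0xedb88320 ^ (c >>> 1) : c >>> 1;
    table[n] = c >>> 0;
  }
  return table;
})();

// CRC-32 over an iterable of byte values; returns an unsigned 32-bit number.
function crc32(bytes) {
  let crc = 0xffffffff; // initial value: all ones
  for (const b of bytes) crc = CRC_TABLE[(crc ^ b) & 0xff] ^ (crc >>> 8);
  return (crc ^ 0xffffffff) >>> 0; // final XOR, forced back to unsigned
}

const utf8 = (s) => new TextEncoder().encode(s);

// Vectors as listed in the commit message; the pangram text is an assumption.
const VECTORS = [
  { label: '123456789', input: utf8('123456789'), expected: 0xcbf43926 },
  { label: 'empty', input: new Uint8Array(0), expected: 0 },
  {
    label: 'quick brown fox',
    input: utf8('The quick brown fox jumps over the lazy dog'),
    expected: 0x414fa339
  },
  { label: '0..255', input: Uint8Array.from({ length: 256 }, (_, i) => i), expected: 0x29058c73 }
];

// Return the labels of any vectors the implementation gets wrong.
function failingVectors() {
  return VECTORS.filter((v) => crc32(v.input) !== v.expected).map((v) => v.label);
}

console.log(failingVectors().length === 0 ? 'all vectors match' : failingVectors());
```
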
chore(eslint): disable unicorn/number-literal-case globally
The rule wants uppercase hex digits, which conflicts head-on with the repo's
enforced Prettier config (lowercase) — making it unsatisfiable for any hex
literal containing a-f. It had accumulated `/* eslint-disable */` directives in
16 files as a workaround. Disable it once in the shared config (as no-bitwise
already is) and drop the redundant per-file directives.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
refactor(core): drop redundant web-encoding polyfill for global TextDecoder
web-encoding polyfilled TextDecoder for environments lacking it. TextDecoder
has been a Node.js global since v11 — so it was already available under the
previous >=16.20.2 engine, independent of the Node 22 bump — and is native in
all bundler-targeted modern browsers, making the polyfill (and its ~8MB
@zxing/text-encoding dependency) dead weight. Both decode sites only use
`new TextDecoder('utf8', { fatal: true })` + `.decode()`, fully covered by the
global.

Removes ~9.5MB from core's node_modules closure. Behaviour unchanged; full core
suite (992 tests) green. Part of the core dependency-minimisation effort.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>