deploy: d3be2db5e56e4e95e6b5372d178199633ed48bc9
Input Output / cardano-js-sdk
113 commits this week (Jun 16, 2026 - Jun 23, 2026)
ci: publish packages [skip actions]
- @cardano-sdk/[email protected] - @cardano-sdk/[email protected] - @cardano-sdk/[email protected] - @cardano-sdk/[email protected] - @cardano-sdk/[email protected] - @cardano-sdk/[email protected] - @cardano-sdk/[email protected] - @cardano-sdk/[email protected] - @cardano-sdk/[email protected] - @cardano-sdk/[email protected] - @cardano-sdk/[email protected] - @cardano-sdk/[email protected] - @cardano-sdk/[email protected] - @cardano-sdk/[email protected] - @cardano-sdk/[email protected] - @cardano-sdk/[email protected] - @cardano-sdk/[email protected] - @cardano-sdk/[email protected] - @cardano-sdk/[email protected] - @cardano-sdk/[email protected] - @cardano-sdk/[email protected]
Merge pull request #1729 from input-output-hk/fix/restore-protobufjs-serialize-resolutions
fix(deps): pin protobufjs to ^7.6.4 (CRITICAL ACE re-introduced by #1723)
fix(deps): pin protobufjs to 7.6.4 (CRITICAL ACE re-introduced by #1723)
#1723 removed the protobufjs resolution as "redundant" — wrong. Without it the tree resolves protobufjs 7.2.6 (via @trezor), vulnerable to GHSA-xq3m-2v4x-88gg (CRITICAL arbitrary code execution, affects < 7.5.5) + 5 high + 4 medium.
This can't be fixed by a parent bump: @trezor/connect 9.7.3 (latest) still pins @trezor/[email protected] + @trezor/[email protected] (both latest), which declare @trezor/[email protected] -> protobufjs 7.4.0 (also < 7.5.5). And even @trezor's patched @trezor/[email protected] only reaches protobufjs 7.5.5, which still carries 10 open advisories — only 7.6.4 is fully clean, and no @trezor release reaches it.
Documented last-resort pin per the remediation policy. Pin -> 7.6.4 (clean). Build green. Tracked in #1701 (remove once @trezor aligns).
Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
deploy: 97da53943c23861d5e210e780418fc2f4d76e03b
Merge pull request #1723 from input-output-hk/chore/dep-bumps
chore(deps): dependency modernization — WebdriverIO 9, express 5, resolutions →5
chore(deps): upgrade express 4 -> 5 (cardano-services)
- express ^5.2.1, body-parser ^2.3.0, express-prom-bundle ^8, prom-client ^15,
@types/express ^5 (cardano-services); express ^5 (cardano-services-client devDep)
- HttpServer.ts: assert express-prom-bundle v8 Opts (summary|histogram union) shape
- HttpServer.test.ts: body-parser v2 leaves bodyless req.body undefined (was {})
- util/http.ts: express 5's app.listen forwards bind errors to the listen callback
(error-first) rather than only the 'error' event; make listenPromise reject on a
failed bind for both express apps and raw http.Server (otherwise EADDRINUSE would
silently resolve with an unbound server)
Collapses the express-4 stack onto the modern 2.x line. All routes static;
32/32 HttpServer + http-util tests pass.
Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
chore(deps): yarn dedupe (excluding @scure/base)
Native Yarn dedupe over the full merged set (wdio v9 + resolutions +
express 5), collapsing ~192 redundant same-major duplicate copies
(411 -> 338 multi-version packages).
@scure/base is left split deliberately: deduping core's `^1.1.1` (1.1.7)
up to the `~1.1.6` line (1.1.9) tightens bech32.decode's parameter type
to `${string}1${string}`, which core's branded-string callers don't
satisfy -> breaks the build. Adopting the stricter types is a separate
change. Validated with a clean (no tsbuildinfo) full build.
Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
chore(deps): upgrade express 4 -> 5 (cardano-services)
- express ^5.2.1, body-parser ^2.3.0, express-prom-bundle ^8, prom-client ^15,
@types/express ^5 (cardano-services); express ^5 (cardano-services-client devDep)
- HttpServer.ts: assert express-prom-bundle v8 Opts (summary|histogram union) shape
- HttpServer.test.ts: body-parser v2 leaves bodyless req.body undefined (was {});
production provider.ts already tolerates undefined
Collapses the express-4 stack (body-parser 1.x, finalhandler 1.x, send 0.19,
serve-static 1.x, path-to-regexp 0.1) onto the modern 2.x line. All routes are
static strings (no path-to-regexp v8 breakage); 29/29 HttpServer tests pass.
Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
Merge pull request #1727 from input-output-hk/chore/wdio-9
chore(deps): WebdriverIO v9 + dependency upgrades to drop resolutions (33 → 5)
build: bump the non-breaking-version-updates group with 42 updates
Bumps the non-breaking-version-updates group with 42 updates:

| Package | From | To |
| --- | --- | --- |
| [eslint-plugin-import](https://github.com/import-js/eslint-plugin-import) | `2.26.0` | `2.32.0` |
| [ts-node](https://github.com/TypeStrong/ts-node) | `10.9.1` | `10.9.2` |
| [tsc-alias](https://github.com/justkey007/tsc-alias) | `1.8.10` | `1.8.17` |
| [tsx](https://github.com/privatenumber/tsx) | `4.15.6` | `4.22.4` |
| [typedoc](https://github.com/TypeStrong/TypeDoc) | `0.23.24` | `0.28.19` |
| [axios](https://github.com/axios/axios) | `1.11.0` | `1.18.0` |
| [cors](https://github.com/expressjs/cors) | `2.8.5` | `2.8.6` |
| [@types/cors](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/cors) | `2.8.13` | `2.8.19` |
| [debug](https://github.com/debug-js/debug) | `4.3.4` | `4.4.3` |
| [fuse.js](https://github.com/krisk/Fuse) | `7.0.0` | `7.4.2` |
| [jsonschema](https://github.com/tdegrunt/jsonschema) | `1.4.1` | `1.5.0` |
| [pg](https://github.com/brianc/node-postgres/tree/HEAD/packages/pg) | `8.10.0` | `8.22.0` |
| [@types/pg](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/pg) | `8.6.5` | `8.20.0` |
| [pg-connection-string](https://github.com/brianc/node-postgres/tree/HEAD/packages/pg-connection-string) | `2.5.0` | `2.14.0` |
| [reflect-metadata](https://github.com/rbuckton/reflect-metadata) | `0.1.13` | `0.2.2` |
| [rxjs](https://github.com/reactivex/rxjs) | `7.8.1` | `7.8.2` |
| [ts-custom-error](https://github.com/adriengibrat/ts-custom-error) | `3.2.2` | `3.3.1` |
| [@types/bunyan](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/bunyan) | `1.8.8` | `1.8.11` |
| [@types/death](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/death) | `1.1.2` | `1.1.5` |
| [@types/express-prometheus-middleware](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/express-prometheus-middleware) | `1.2.1` | `1.2.3` |
| [@types/lodash](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/lodash) | `4.14.186` | `4.17.24` |
| [axios-mock-adapter](https://github.com/ctimmerm/axios-mock-adapter) | `2.0.0` | `2.1.0` |
| [json-bigint-patch](https://github.com/ardatan/json-bigint-patch) | `0.0.8` | `0.0.9` |
| [class-validator](https://github.com/typestack/class-validator) | `0.14.0` | `0.15.1` |
| [@types/validator](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/validator) | `13.7.10` | `13.15.10` |
| [pbkdf2](https://github.com/browserify/pbkdf2) | `3.1.3` | `3.1.6` |
| [@types/blake2b](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/blake2b) | `2.1.0` | `2.1.3` |
| [@types/libsodium-wrappers-sumo](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/libsodium-wrappers-sumo) | `0.7.5` | `0.8.2` |
| [webextension-polyfill](https://github.com/mozilla/webextension-polyfill) | `0.8.0` | `0.12.0` |
| [@types/webextension-polyfill](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/webextension-polyfill) | `0.8.3` | `0.12.5` |
| [@emurgo/cardano-message-signing-nodejs](https://github.com/Emurgo/cardano-serialization-lib) | `1.0.1` | `1.1.0` |
| [optionator](https://github.com/gkz/optionator) | `0.9.1` | `0.9.4` |
| [@emurgo/cardano-message-signing-asmjs](https://github.com/Emurgo/cardano-serialization-lib) | `1.0.1` | `1.1.0` |
| [@types/convict](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/convict) | `6.1.2` | `6.1.6` |
| [crypto-browserify](https://github.com/browserify/crypto-browserify) | `3.12.0` | `3.12.1` |
| [@types/cli-progress](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/cli-progress) | `3.11.0` | `3.11.6` |
| [@ledgerhq/hw-transport](https://github.com/LedgerHQ/ledger-live) | `6.31.4` | `6.35.4` |
| [@ledgerhq/hw-transport-node-hid-noevents](https://github.com/LedgerHQ/ledger-live) | `6.30.5` | `6.35.4` |
| [@ledgerhq/hw-transport-webusb](https://github.com/LedgerHQ/ledger-live) | `6.29.4` | `6.34.4` |
| [@trezor/connect](https://github.com/trezor/trezor-suite) | `9.4.0` | `9.7.3` |
| [@trezor/connect-web](https://github.com/trezor/trezor-suite) | `9.4.0` | `9.7.3` |
| [bip39](https://github.com/bitcoinjs/bip39) | `3.0.4` | `3.1.0` |

Signed-off-by: dependabot[bot] <[email protected]>
chore(deps): remove obsolete qix blocklist + cluster pins (resolutions 28 -> 10)
The Sept-2025 qix-hack lockdown is no longer needed: all 18 malicious releases have been unpublished from npm (404: [email protected], [email protected], [email protected], ...), so they can neither match a constraint nor be resolved.
- .yarn/constraints.pro: dropped the ForbidMaliciousReleases blocklist, kept as a documented placeholder. The constraints plugin and the CI `yarn constraints` check are retained for future supply-chain rules.
- resolutions: removed the 18 color/ansi/debug cluster pins. Yarn now resolves them to clean current versions, verified to exclude every previously-blocked release (ansi-regex 6.2.2 not 6.2.1, debug 4.4.3 not 4.4.2, ansi-styles 6.2.3 not 6.2.2).
Build green; yarn install --immutable clean; yarn constraints passes.
Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
chore(deps): drop redundant ws resolution
ws now resolves naturally to 7.5.11 + 8.21.0, both above the patched floors (7.5.10 / 8.17.1). OSV clean. Resolution no longer needed. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
chore(e2e): upgrade WebdriverIO v7 -> v9 (drops 5 resolutions)
WebdriverIO v9 self-manages browser drivers, so wdio-chromedriver-service
and the chromedriver package are removed; the legacy yarn-install dep is
dropped and mocha moves to 10.8.2 (patched nanoid/serialize-javascript/
diff), with cross-spawn 4.0.2 gone. The over-broad global chalk pin is
removed (v9 needs chalk 5 ESM; our CJS tools keep chalk 4 via their own
^4 ranges).
Includes the test migration v9 requires (caught by the strict tsc build):
- wdio.conf.js: autoCompileOpts (removed in v8) -> tsConfigPath; drop the
'chromedriver' service entry
- tsconfig types: webdriverio/async -> @wdio/globals/types
- specs: toHaveTextContaining -> toHaveText(x, { containing: true }) /
toContain; await $$(sel).length (now a Promise in v9)
Resolutions removed: chalk, nanoid, serialize-javascript, diff, cross-spawn.
Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
chore(deps): drop redundant minimatch resolutions
The two scoped minimatch pins (~3.0.2->3.1.5, 5.0.1->5.1.9) are no longer needed: natural resolution yields 3.1.5 / 5.1.9 / 7.4.9 / 8.0.7 / 9.0.9 / 10.2.5, all OSV-clean (3.x ReDoS fixed in 3.0.5). Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
chore(deps): bump dockerode 3->4 to clear tar-fs resolution
dockerode@4 declares tar-fs ^2.1.4 (patched), the last sub-2.1.4 parent (puppeteer-core's 2.1.1 was already dropped by the wdio v9 upgrade). tar-fs now resolves to 2.1.4 / 3.1.2 everywhere. Resolution removed. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
chore(deps): drop redundant protobufjs resolution
No open Dependabot alert for protobufjs; natural resolution is 7.2.6 + 7.6.4, both above the CVE-2023-36665 fix (7.2.4). The forced 7.6.4 pin is no longer needed. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
chore(deps): drop redundant protobufjs resolution
No open Dependabot alert for protobufjs; natural resolution is 7.2.6 + 7.6.4, both above the CVE-2023-36665 fix (7.2.4). The forced 7.6.4 pin is no longer needed. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
chore(deps): bump dockerode 3->4 to clear tar-fs resolution
dockerode@4 declares tar-fs ^2.1.4 (patched), the last sub-2.1.4 parent (puppeteer-core's 2.1.1 was already dropped by the wdio v9 upgrade). tar-fs now resolves to 2.1.4 / 3.1.2 everywhere. Resolution removed. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
chore(deps): drop redundant minimatch resolutions
The two scoped minimatch pins (~3.0.2->3.1.5, 5.0.1->5.1.9) are no longer needed: natural resolution yields 3.1.5 / 5.1.9 / 7.4.9 / 8.0.7 / 9.0.9 / 10.2.5, all OSV-clean (3.x ReDoS fixed in 3.0.5). Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
chore(deps): drop redundant ws resolution
ws now resolves naturally to 7.5.11 + 8.21.0, both above the patched floors (7.5.10 / 8.17.1). OSV clean. Resolution no longer needed. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
chore(deps): remove obsolete qix blocklist + cluster pins (resolutions 28 -> 10)
The Sept-2025 qix-hack lockdown is no longer needed: all 18 malicious releases have been unpublished from npm (404: [email protected], [email protected], [email protected], ...), so they can neither match a constraint nor be resolved.
- .yarn/constraints.pro: dropped the ForbidMaliciousReleases blocklist, kept as a documented placeholder. The constraints plugin and the CI `yarn constraints` check are retained for future supply-chain rules.
- resolutions: removed the 18 color/ansi/debug cluster pins. Yarn now resolves them to clean current versions, verified to exclude every previously-blocked release (ansi-regex 6.2.2 not 6.2.1, debug 4.4.3 not 4.4.2, ansi-styles 6.2.3 not 6.2.2).
Build green; yarn install --immutable clean; yarn constraints passes.
Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
chore(e2e): upgrade WebdriverIO v7 -> v9; drop 5 resolutions
WebdriverIO v9 self-manages browser drivers, so the deprecated wdio-chromedriver-service and the chromedriver package are removed. Config migrated: autoCompileOpts (removed in v8) -> tsConfigPath; the 'chromedriver' service entry dropped.
The v9 stack drops the legacy yarn-install dep and pulls mocha 10.8.2 (patched nanoid/serialize-javascript/diff). Combined with removing the over-broad global chalk pin (v9 needs chalk 5 ESM; our CJS tools keep chalk 4 via their own ^4 ranges; the qix blocklist lives in .yarn/constraints.pro, not the pin), five resolutions can go:
- chalk (over-broad; constraints.pro still blocks 5.6.1)
- nanoid (mocha 10.8.2 dropped it; natural 3.3.13)
- serialize-javascript (mocha -> ^6.0.2)
- diff (mocha -> ^5.2.0; ts-node's 4.0.4 is clean)
- cross-spawn (yarn-install gone; natural 6.0.6 / 7.0.6)
Resolutions 33 -> 28.
Web-extension wdio suite boots, compiles TS specs, launches Chrome with the extension, and runs mocha under v9 locally; backend-dependent assertions validate in CI E2E.
Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
chore(deps): drop on-headers & ip-address resolutions via in-range relock
Both forced resolutions were removable without any manifest change — the patched versions are reachable inside existing parent ranges:
- morgan 1.10.0 -> 1.11.0 (within @wdio/static-server-service's ^1.7.0), which declares on-headers ~1.1.0 -> resolves on-headers 1.1.0 naturally.
- socks deduped 2.8.3 -> 2.8.9 (within socks-proxy-agent's ^2.8.3), which declares ip-address ^10.1.1 -> drops the lingering ip-address 9.0.5.
Resolutions 15 -> 13. Dev/transitive-only; build + unit + e2e green.
Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>