3,157 commits this week - Cardano Updates

Jun 12, 10-11 PM (30)

Jun 12, 11-12 AM (6)

Jun 13, 12-1 AM (6)

Jun 13, 1-2 AM (2)

Jun 13, 2-3 AM (0)

Jun 13, 3-4 AM (3)

Jun 13, 4-5 AM (0)

Jun 13, 5-6 AM (3)

Jun 13, 6-7 AM (7)

Jun 13, 7-8 AM (5)

Jun 13, 8-9 AM (6)

Jun 13, 9-10 AM (14)

Jun 13, 10-11 AM (12)

Jun 13, 11-12 PM (2)

Jun 13, 12-1 PM (23)

Jun 13, 1-2 PM (21)

Jun 13, 2-3 PM (8)

Jun 13, 3-4 PM (1)

Jun 13, 4-5 PM (4)

Jun 13, 5-6 PM (4)

Jun 13, 6-7 PM (3)

Jun 13, 7-8 PM (3)

Jun 13, 8-9 PM (7)

Jun 13, 9-10 PM (16)

Jun 13, 10-11 PM (19)

Jun 13, 11-12 AM (24)

Jun 14, 12-1 AM (18)

Jun 14, 1-2 AM (0)

Jun 14, 2-3 AM (0)

Jun 14, 3-4 AM (0)

Jun 14, 4-5 AM (2)

Jun 14, 5-6 AM (0)

Jun 14, 6-7 AM (2)

Jun 14, 7-8 AM (3)

Jun 14, 8-9 AM (0)

Jun 14, 9-10 AM (1)

Jun 14, 10-11 AM (2)

Jun 14, 11-12 PM (10)

Jun 14, 12-1 PM (8)

Jun 14, 1-2 PM (4)

Jun 14, 2-3 PM (8)

Jun 14, 3-4 PM (2)

Jun 14, 4-5 PM (1)

Jun 14, 5-6 PM (1)

Jun 14, 6-7 PM (0)

Jun 14, 7-8 PM (11)

Jun 14, 8-9 PM (1)

Jun 14, 9-10 PM (13)

Jun 14, 10-11 PM (29)

Jun 14, 11-12 AM (23)

Jun 15, 12-1 AM (8)

Jun 15, 1-2 AM (10)

Jun 15, 2-3 AM (4)

Jun 15, 3-4 AM (4)

Jun 15, 4-5 AM (1)

Jun 15, 5-6 AM (4)

Jun 15, 6-7 AM (6)

Jun 15, 7-8 AM (41)

Jun 15, 8-9 AM (26)

Jun 15, 9-10 AM (11)

Jun 15, 10-11 AM (35)

Jun 15, 11-12 PM (25)

Jun 15, 12-1 PM (40)

Jun 15, 1-2 PM (26)

Jun 15, 2-3 PM (21)

Jun 15, 3-4 PM (24)

Jun 15, 4-5 PM (21)

Jun 15, 5-6 PM (13)

Jun 15, 6-7 PM (13)

Jun 15, 7-8 PM (7)

Jun 15, 8-9 PM (26)

Jun 15, 9-10 PM (20)

Jun 15, 10-11 PM (22)

Jun 15, 11-12 AM (39)

Jun 16, 12-1 AM (11)

Jun 16, 1-2 AM (5)

Jun 16, 2-3 AM (1)

Jun 16, 3-4 AM (9)

Jun 16, 4-5 AM (6)

Jun 16, 5-6 AM (1)

Jun 16, 6-7 AM (16)

Jun 16, 7-8 AM (81)

Jun 16, 8-9 AM (18)

Jun 16, 9-10 AM (28)

Jun 16, 10-11 AM (22)

Jun 16, 11-12 PM (31)

Jun 16, 12-1 PM (37)

Jun 16, 1-2 PM (49)

Jun 16, 2-3 PM (34)

Jun 16, 3-4 PM (28)

Jun 16, 4-5 PM (37)

Jun 16, 5-6 PM (17)

Jun 16, 6-7 PM (26)

Jun 16, 7-8 PM (9)

Jun 16, 8-9 PM (11)

Jun 16, 9-10 PM (4)

Jun 16, 10-11 PM (31)

Jun 16, 11-12 AM (9)

Jun 17, 12-1 AM (8)

Jun 17, 1-2 AM (8)

Jun 17, 2-3 AM (11)

Jun 17, 3-4 AM (4)

Jun 17, 4-5 AM (1)

Jun 17, 5-6 AM (6)

Jun 17, 6-7 AM (99)

Jun 17, 7-8 AM (33)

Jun 17, 8-9 AM (22)

Jun 17, 9-10 AM (56)

Jun 17, 10-11 AM (18)

Jun 17, 11-12 PM (19)

Jun 17, 12-1 PM (57)

Jun 17, 1-2 PM (28)

Jun 17, 2-3 PM (37)

Jun 17, 3-4 PM (26)

Jun 17, 4-5 PM (19)

Jun 17, 5-6 PM (16)

Jun 17, 6-7 PM (10)

Jun 17, 7-8 PM (14)

Jun 17, 8-9 PM (12)

Jun 17, 9-10 PM (37)

Jun 17, 10-11 PM (29)

Jun 17, 11-12 AM (14)

Jun 18, 12-1 AM (12)

Jun 18, 1-2 AM (8)

Jun 18, 2-3 AM (5)

Jun 18, 3-4 AM (11)

Jun 18, 4-5 AM (11)

Jun 18, 5-6 AM (11)

Jun 18, 6-7 AM (9)

Jun 18, 7-8 AM (19)

Jun 18, 8-9 AM (83)

Jun 18, 9-10 AM (45)

Jun 18, 10-11 AM (51)

Jun 18, 11-12 PM (23)

Jun 18, 12-1 PM (67)

Jun 18, 1-2 PM (14)

Jun 18, 2-3 PM (53)

Jun 18, 3-4 PM (44)

Jun 18, 4-5 PM (64)

Jun 18, 5-6 PM (24)

Jun 18, 6-7 PM (21)

Jun 18, 7-8 PM (13)

Jun 18, 8-9 PM (17)

Jun 18, 9-10 PM (23)

Jun 18, 10-11 PM (30)

Jun 18, 11-12 AM (26)

Jun 19, 12-1 AM (13)

Jun 19, 1-2 AM (9)

Jun 19, 2-3 AM (5)

Jun 19, 3-4 AM (2)

Jun 19, 4-5 AM (11)

Jun 19, 5-6 AM (4)

Jun 19, 6-7 AM (92)

Jun 19, 7-8 AM (18)

Jun 19, 8-9 AM (37)

Jun 19, 9-10 AM (39)

Jun 19, 10-11 AM (27)

Jun 19, 11-12 PM (30)

Jun 19, 12-1 PM (53)

Jun 19, 1-2 PM (66)

Jun 19, 2-3 PM (32)

Jun 19, 3-4 PM (61)

Jun 19, 4-5 PM (9)

Jun 19, 5-6 PM (4)

Jun 19, 6-7 PM (17)

Jun 19, 7-8 PM (16)

Jun 19, 8-9 PM (1)

Jun 19, 9-10 PM (8)

Jun 19, 10-11 PM (2)

3,157 commits this week Jun 12, 2026 - Jun 19, 2026

rhyslbw · Fri, 19 Jun 26 23:24:43 +0000 · cardano-js-sdk

docs(security): audit the post-Node-22 direct dependency bumps

Records the follow-up wave (uuid, ip-address, axios, express-openapi-validator/
multer) against the dependency-vulnerability audit: OSV.dev clean for every
resolved version, 0 residual advisories in CISA KEV, production closure clean,
no lockfile downgrades, and the lone publisher transition (multer linusu ->
ulisesgascon) annotated as a known maintenance handoff. Resolves the interim
uuid PARTIAL recorded in section A.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

f9648958 · chore/dep-bumps · 1/16 ++ 0 --

rhyslbw · Fri, 19 Jun 26 23:17:48 +0000 · cardano-js-sdk

chore(deps): bump uuid, ip-address, axios & express-openapi-validator

Consolidates the pure dependency version bumps that stack on top of the
Node 22 upgrade. Each is a behaviour-preserving bump that closes (or
hardens against) Dependabot alerts on consumer-facing and build-context
deps; no public API changes.

- uuid 8/9 -> ^11.1.1 across cardano-services, e2e, projection-typeorm,
  web-extension, wallet; drop now-redundant @types/uuid (uuid 11 ships
  its own types).
- core: ip-address ^9.0.5 -> ^10.2.0.
- axios relocked within ^1.7.4 to 1.18.0.
- cardano-services: express-openapi-validator ^4.13.8 -> ^5.6.2
  (pulls multer 2.x, removing the vulnerable multer 1.x). v5 renames
  the OpenAPIV3.Document type to DocumentV3 — updated in openApi.ts and
  its test.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

83f701c5 · chore/dep-bumps · 10/133 ++ 138 --

yHSJ · Fri, 19 Jun 26 22:46:23 +0000 · amaru

Merge pull request #959 from pragma-org/null-length-eras

allow null-length era params (for custom testnets)

c3f5e2f4 · main · 4/62 ++ 0 --

yHSJ · Fri, 19 Jun 26 22:21:53 +0000 · amaru

chore: add changelog

Signed-off-by: yHSJ <[email protected]>

c81b0d3e · main · 2/3 ++ 1 --

noonio · Fri, 19 Jun 26 22:17:38 +0000 · hydra-poc

More agda tidying

eb73165e · typst-agda-spec · 13/553 ++ 181 --

rhyslbw · Fri, 19 Jun 26 22:15:39 +0000 · cardano-js-sdk

chore(deps): bump express-openapi-validator to ^5.6.2 (pulls multer 2.x)

Bumps express-openapi-validator in cardano-services from ^4.13.8 to ^5.6.2,
which depends on multer ^2.0.2 — clearing the multer high-severity advisory
(< 2.x). The validation middleware options we pass (apiSpec, ignoreUndocumented,
validateRequests, validateResponses) are unchanged in v5.

v5 type rename fix: OpenAPIV3.Document -> OpenAPIV3.DocumentV3 (src + test).

Validated: cardano-services builds clean; openApi unit test passes; no new test
failures (the StakePoolBuilder DB test and TxSubmit are the pre-existing Node 22
baseline, unrelated). HTTP request/response validation behaviour is exercised by
CI's cardano-services HTTP suite.

Resolves #1705.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

4f844fa8 · chore/bump-multer · 4/98 ++ 102 --

rhyslbw · Fri, 19 Jun 26 22:15:37 +0000 · cardano-js-sdk

chore(deps): relock axios to 1.18.0

Refreshes the lockfile so the `^1.7.4` axios consumers (cardano-services,
cardano-services-client, util-dev) resolve to 1.18.0 — clears the axios 1.x
advisories (SSRF/credential-leak/DoS family, < 1.16.x). In-range relock, no
manifest change. Now viable on the Node 22 base (#1719).

A legacy axios `0.25.0` copy remains via an old transitive (axios 0.x -> 1.x is
a major for that parent) — tracked in #1704.

Validated: full clean build green on axios 1.18 (type-level). HTTP runtime
behaviour (HttpProvider) is exercised by CI; the local sandbox can't run the
in-process socket tests.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

60297a50 · chore/bump-axios · 1/16 ++ 8 --

rhyslbw · Fri, 19 Jun 26 22:15:26 +0000 · cardano-js-sdk

chore(deps): bump ip-address to ^10.2.0 in core

Bumps the direct `ip-address` dependency in @cardano-sdk/core from ^9.0.5 to
^10.2.0 (advisory GHSA for ip-address < 10.1.1; ip-address@10 requires only
node >= 12). core's usage (Address4/Address6 isValid, toUnsignedByteArray,
fromUnsignedByteArray, canonicalForm in ipUtils) is unchanged across the major.

Closes the core direct-manifest alert. A transitive `[email protected]` remains
via `socks` (build/dev tooling: chromedriver/webdriverio proxy chain) and would
need that parent bumped — build-context only, tracked in #1707.

Validated: core builds; core suite 992/992 (covers ipUtils).

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

268647bd · chore/bump-ip-address · 2/9 ++ 2 --

rhyslbw · Fri, 19 Jun 26 22:14:09 +0000 · cardano-js-sdk

chore: target Node 22 LTS (drop EOL Node 18) + required compat fixes

The project was pinned to the now-EOL Node 18.12.0 (.nvmrc + all CI workflows)
with a stale `engines: >=16.20.2`. Move to the Node 22 LTS line, tracked by
major so it doesn't go stale again:

- .nvmrc: 22 · all 9 CI workflows: node-version 22 · engines.node: >=22 (all manifests)
- @types/node: ^18 -> ^22

Node 22 / @types/node 22 compatibility fixes (folded in so every commit builds):
- cardano-services WsServer + projection/e2e tests: type interval handles as
  NodeJS.Timeout (setInterval no longer returns the legacy NodeJS.Timer)
- e2e measurement-util (src + test): PerformanceEntry no longer carries `detail`
- shared jest base config: fakeTimers `doNotFake: ['performance']` (Node 22's
  read-only global `performance` can't be replaced by the fake-timers impl), and
  a setupFile disabling http(s).globalAgent keepAlive — Node 19+ defaults it to
  true, so HTTP tests that restart servers between cases reused stale sockets
  ("socket hang up" / AxiosError in HttpProvider + TxSubmit suites)
- cardano-services-client test: --runInBand (avoids a jest-worker circular-JSON
  IPC crash on a follow-redirects object)
- TypeormStakePoolProvider util test: assert toThrow(SyntaxError) (V8 JSON
  message wording differs across Node versions)

Docker: NODEJS_MAJOR_VERSION=22, plus a multi-stage `deps-builder` that installs
the build toolchain (build-essential/python3/libudev-dev/libusb/pkg-config) to
compile native modules — Node 22 has no prebuilds for some older native deps
(cpu-features, chacha-native, node-hid/usb). Toolchain stays in the builder;
runtime images copy the compiled node_modules and stay lean.

Unblocks the Node-20+ dependency majors that couldn't pass CI on Node 18.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

77ca3a72 · chore/bump-axios · 42/105 ++ 54 --

yHSJ · Fri, 19 Jun 26 22:10:18 +0000 · amaru

feat: introduce proposal state and wire it up

Signed-off-by: yHSJ <[email protected]>

07ca9ce9 · josh/read-volatile-state · 18/339 ++ 45 --

yHSJ · Fri, 19 Jun 26 21:13:23 +0000 · amaru

feat: introduce committee state and wire it up

Signed-off-by: yHSJ <[email protected]>

42a41210 · josh/read-volatile-state · 18/429 ++ 33 --

tripura-repalle · Fri, 19 Jun 26 20:59:14 +0000 · tx-submit-api

chore: trigger CI

Signed-off-by: Tripura Repalle <[email protected]>

502f2f09 · feat/add-reuseable-workflows · 1/1 ++ 0 --

rhyslbw · Fri, 19 Jun 26 20:55:12 +0000 · cardano-js-sdk

chore: target Node 22 LTS (drop EOL Node 18) + required compat fixes

The project was pinned to the now-EOL Node 18.12.0 (.nvmrc + all CI workflows)
with a stale `engines: >=16.20.2`. Move to the Node 22 LTS line, tracked by
major so it doesn't go stale again:

- .nvmrc: 22 · all 9 CI workflows: node-version 22 · engines.node: >=22 (all manifests)
- @types/node: ^18 -> ^22

Node 22 / @types/node 22 compatibility fixes (folded in so every commit builds):
- cardano-services WsServer + projection/e2e tests: type interval handles as
  NodeJS.Timeout (setInterval no longer returns the legacy NodeJS.Timer)
- e2e measurement-util (src + test): PerformanceEntry no longer carries `detail`
- shared jest base config: fakeTimers `doNotFake: ['performance']` — Node 22's
  read-only global `performance` cannot be replaced by the fake-timers impl
- TypeormStakePoolProvider util test: assert toThrow(SyntaxError) (V8 JSON
  message wording differs across Node versions)

Docker: NODEJS_MAJOR_VERSION=22, and a multi-stage `deps-builder` that installs
the build toolchain (build-essential/python3/libudev-dev/libusb/pkg-config) to
compile native modules from source — Node 22 has no prebuilds for some older
native deps (cpu-features, chacha-native, node-hid/usb). The toolchain stays in
the builder; the runtime images copy the compiled node_modules and remain lean.

Unblocks the Node-20+ dependency majors that couldn't pass CI on Node 18.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

b68f66f7 · chore/bump-node-22 · 40/92 ++ 52 --

blinklabs-governance[bot] · Fri, 19 Jun 26 20:50:40 +0000 · tx-submit-api

chore: central update of update-issue-on-close.yml

7b4f3707 · main · 1/13 ++ 34 --

blinklabs-governance[bot] · Fri, 19 Jun 26 20:50:39 +0000 · tx-submit-api

chore: central update of test-issue-on-close.yml

770bc19c · main · 1/10 ++ 19 --

blinklabs-governance[bot] · Fri, 19 Jun 26 20:50:37 +0000 · tx-submit-api

chore: central update of publish.yml

a0b3cfae · main · 1/21 ++ 173 --

blinklabs-governance[bot] · Fri, 19 Jun 26 20:50:36 +0000 · tx-submit-api

chore: central update of ci-docker.yml

91257ca3 · main · 1/15 ++ 32 --

blinklabs-governance[bot] · Fri, 19 Jun 26 20:50:35 +0000 · tx-submit-api

chore: central update of nilaway.yml

c8b33b1a · main · 1/10 ++ 21 --

blinklabs-governance[bot] · Fri, 19 Jun 26 20:50:34 +0000 · tx-submit-api

chore: central update of golangci-lint.yml

6a22bf9d · main · 1/8 ++ 17 --

blinklabs-governance[bot] · Fri, 19 Jun 26 20:50:33 +0000 · tx-submit-api

chore: central update of go-test.yml

6cd80f3c · main · 1/7 ++ 21 --

blinklabs-governance[bot] · Fri, 19 Jun 26 20:50:32 +0000 · tx-submit-api

chore: central update of conventional-commits.yml

97657490 · main · 1/4 ++ 12 --

fmaste · Fri, 19 Jun 26 20:47:41 +0000 · cardano-node

WIP SQUASH

c25aeaf2 · bench/genesis · 1/35 ++ 7 --

noonio · Fri, 19 Jun 26 20:27:31 +0000 · hydra-poc

significant agda work

00c934ec · typst-agda-spec · 24/2,250 ++ 265 --

scarmuega · Fri, 19 Jun 26 20:20:57 +0000 · dolos

fix(cli): download snapshots via ranged ring buffer (#1025)

0452ec2c · main · 3/468 ++ 1 --

rhyslbw · Fri, 19 Jun 26 20:18:45 +0000 · cardano-js-sdk

chore: target Node 22 LTS (drop EOL Node 18) + required compat fixes

The project was pinned to the now-EOL Node 18.12.0 (.nvmrc + all CI workflows)
with a stale `engines: >=16.20.2`. Move to the Node 22 LTS line, tracked by
major so it doesn't go stale again:

- .nvmrc: 22 · all 9 CI workflows: node-version 22 · Dockerfile: NODEJS_MAJOR_VERSION=22
- engines.node: >=22 across root + every workspace manifest
- @types/node: ^18 -> ^22

Node 22 / @types/node 22 compatibility fixes (folded in so every commit builds):
- cardano-services WsServer: type heartbeat/stake intervals as NodeJS.Timeout
  (setInterval no longer returns the legacy NodeJS.Timer; clearInterval rejects it)
- e2e measurement-util: PerformanceEntry no longer carries `detail` (now on
  PerformanceMark/Measure) — cast the entry and narrow the mark filter
- shared jest base config: fakeTimers `doNotFake: ['performance']` — Node 22's
  read-only global `performance` cannot be replaced by the fake-timers impl
  (was crashing many suites across cardano-services/ogmios/web-extension/etc.)
- TypeormStakePoolProvider util test: assert `toThrow(SyntaxError)` instead of a
  V8 JSON.parse message string that differs across Node versions

Unblocks the Node-20+ dependency majors that couldn't pass CI on Node 18.

Validated: clean full build green on @types/node 22 (all 21 workspaces);
core/crypto/key-management + cardano-services unit suites green except
DB-backed tests (no local DB) and the in-process HTTP TxSubmit tests (local
sockets) — both validated by CI.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

9920c086 · chore/bump-node-22 · 38/65 ++ 42 --

Show more commits

Showing 25 of 3157 recent commits.

Yesterday's Report

New Repo Discovered

New Releases