Upgrade stellar-sdk and make signing key required #233

Merged
CassioMG merged 3 commits into release/2.0.0 from cg-upgrade-stellar-sdk
Feb 26, 2026
@CassioMG
Contributor

Summary

Upgrades @stellar/stellar-sdk from 13.0.0-beta.1 to 14.5.0 across all three packages, bumps the minimum Node version from 18 to 20, and makes the server's signingKey required for SEP-10 authentication.

Changes

Stellar SDK upgrade (13.0.0-beta.1 → 14.5.0)

  • Updated @stellar/stellar-sdk dependency in all 3 package.json files
  • Fixed Hash/Buffer type mismatch in typescript-wallet-sdk-soroban by replacing StrKey.encodeContract(contractId()) with Address.fromScAddress(contractAddress()).toString() (3 files)
  • Updated error message assertions in keyManager.test.ts — SDK v14 throws plain Error instead of InvalidChallengeError (4 tests)

Node 18 → 20

  • Updated engines.node from >=18 to >=20 in all 3 package.json files
  • Updated node-version from 18 to 20 in all 10 GitHub Actions workflows
  • Updated prerequisite in README.md
  • Set targets: { node: "20" } in babel.config.js so @babel/preset-env no longer transpiles BigInt ** to Math.pow() (which crashes at runtime)
  • Added output.environment.bigIntLiteral: true to webpack.config.js so webpack knows the target environment supports BigInt literals

SEP-10 signing key

  • Auth/index.ts: Made serverSigningKey required in Sep10Params and the class. Removed the if/else branching — now always delegates to WebAuth.readChallengeTx(). Deleted local readChallengeTx fallback function.
  • Exceptions/index.ts: Added MissingSigningKeyError for when an anchor's TOML doesn't publish SIGNING_KEY.
  • Anchor/index.ts: sep10() now throws MissingSigningKeyError if the TOML lacks SIGNING_KEY.
  • Types/recovery.ts: Made RecoveryServer.signingKey required.
  • Recovery/index.ts: Simplified sep10Auth() — passes server.signingKey directly instead of conditional spread.

Breaking Changes

  • Minimum Node version is now 20 (was 18).
  • @stellar/stellar-sdk upgraded from 13.0.0-beta.1 to 14.5.0 — a major version bump that may affect consumers depending on SDK types directly.
  • Sep10 constructor now requires serverSigningKey — callers that previously omitted it will get a compile-time error.
  • Anchor.sep10() now throws MissingSigningKeyError if the anchor's stellar.toml does not publish a SIGNING_KEY.
  • RecoveryServer.signingKey is now required — all recovery server configurations must include a signingKey.
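
The fail-closed behaviour listed above, as an added illustration that is not code from this PR or from the wallet SDK: a TOML without SIGNING_KEY raises an error rather than proceeding without a key, and a challenge is accepted only if it verifies under the published key. The MissingSigningKeyError class here is a stand-in, and requireSigningKey, acceptChallenge, the base64 key encoding and all sample data are assumptions constructed for the example.

```typescript
import { createPublicKey, generateKeyPairSync, sign, verify } from "node:crypto";

// Hypothetical stand-in for the error this PR adds; not the SDK's class.
class MissingSigningKeyError extends Error {
  constructor(domain: string) {
    super(`stellar.toml for ${domain} does not publish SIGNING_KEY`);
    this.name = "MissingSigningKeyError";
  }
}

// Assumption: SIGNING_KEY is a flat top-level string line; a real client
// would use a full TOML parser.
function requireSigningKey(domain: string, toml: string): string {
  const m = /^\s*SIGNING_KEY\s*=\s*"([^"]+)"\s*$/m.exec(toml);
  if (!m) throw new MissingSigningKeyError(domain); // fail closed, no fallback
  return m[1];
}

// Simplifications: the key is base64 SPKI DER rather than a Stellar "G..."
// address, and the challenge is opaque bytes, not a transaction envelope.
function acceptChallenge(domain: string, toml: string, challenge: Buffer, sig: Buffer): boolean {
  const der = Buffer.from(requireSigningKey(domain, toml), "base64");
  const publicKey = createPublicKey({ key: der, format: "der", type: "spki" });
  return verify(null, challenge, publicKey, sig); // Ed25519: algorithm is null
}

// Constructed sample data: the anchor's key pair and an unrelated key pair.
const anchor = generateKeyPairSync("ed25519");
const other = generateKeyPairSync("ed25519");
const anchorB64 = anchor.publicKey.export({ format: "der", type: "spki" }).toString("base64");
const tomlWithoutKey = 'WEB_AUTH_ENDPOINT = "https://anchor.example/auth"\n';
const tomlWithKey = tomlWithoutKey + `SIGNING_KEY = "${anchorB64}"\n`;
const challenge = Buffer.from("constructed-challenge-bytes");

function demo(): { genuine: boolean; wrongSigner: boolean; missingKey: string } {
  const good = sign(null, challenge, anchor.privateKey);
  const forged = sign(null, challenge, other.privateKey);
  const genuine = acceptChallenge("anchor.example", tomlWithKey, challenge, good);
  const wrongSigner = acceptChallenge("anchor.example", tomlWithKey, challenge, forged);
  let missingKey = "accepted";
  try {
    acceptChallenge("anchor.example", tomlWithoutKey, challenge, forged);
  } catch (e) {
    missingKey = (e as Error).name;
  }
  return { genuine, wrongSigner, missingKey };
}

console.log(demo());
```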

@socket-security

socket-security bot commented Feb 26, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Updated @stellar/stellar-sdk@13.0.0-beta.1 ⏵ 14.5.0

  • Supply Chain Security: 99 +1
  • Vulnerability: 100
  • Quality: 100 +1
  • Maintenance: 96
  • License: 100


@socket-security

socket-security bot commented Feb 26, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action: Warn, Severity: High
License policy violation: npm @stellar/stellar-sdk

Location: Package overview

From: @stellar/typescript-wallet-sdk-km/package.json → npm/@stellar/stellar-sdk@14.5.0


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@stellar/stellar-sdk@14.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Action: Warn, Severity: High
License policy violation: npm sha.js under BSD-3-Clause AND MIT

Location: Package overview

From: ? → npm/@stellar/stellar-sdk@14.5.0 → npm/sha.js@2.4.12


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/sha.js@2.4.12. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


Copilot AI left a comment


Pull request overview

This PR upgrades the Stellar SDK from version 13.0.0-beta.1 to 14.5.0, bumps the minimum Node.js requirement from 18 to 20, and enforces that the server signing key is required for SEP-10 authentication. The changes address API compatibility issues introduced by the major version upgrade and improve the security posture by requiring explicit signing key validation.

Changes:

  • Upgraded @stellar/stellar-sdk dependency from 13.0.0-beta.1 to 14.5.0 across all three packages
  • Updated minimum Node.js version from 18 to 20 in all package.json files and CI workflows
  • Made serverSigningKey required for SEP-10 authentication and removed fallback validation logic
  • Fixed Soroban contract address encoding to use Address.fromScAddress() instead of deprecated StrKey.encodeContract()
  • Updated build configuration (Babel and webpack) to target Node 20 and support BigInt literals
  • Added MissingSigningKeyError exception for when an anchor's TOML lacks the required SIGNING_KEY

Reviewed changes

Copilot reviewed 27 out of 28 changed files in this pull request and generated no comments.

Summary per file (File: Description)

  • yarn.lock: Updated stellar-sdk dependencies and transitive dependencies; added @noble/curves and @noble/hashes
  • babel.config.js: Configured @babel/preset-env to target Node 20
  • README.md: Updated prerequisite from Node >=18 to Node >=20
  • @stellar/typescript-wallet-sdk/webpack.config.js: Added bigIntLiteral: true to output environment config
  • @stellar/typescript-wallet-sdk/test/integration/recovery.test.ts: Added required signingKey fields to recovery server test configurations
  • @stellar/typescript-wallet-sdk/test/auth.test.ts: Removed local readChallengeTx tests and made serverSigningKey required in test setup
  • @stellar/typescript-wallet-sdk/src/walletSdk/Types/recovery.ts: Changed signingKey from optional to required in RecoveryServer type
  • @stellar/typescript-wallet-sdk/src/walletSdk/Recovery/index.ts: Simplified sep10Auth to pass signingKey directly without conditional spread
  • @stellar/typescript-wallet-sdk/src/walletSdk/Exceptions/index.ts: Added MissingSigningKeyError class
  • @stellar/typescript-wallet-sdk/src/walletSdk/Auth/index.ts: Made serverSigningKey required; removed local readChallengeTx fallback and conditional logic
  • @stellar/typescript-wallet-sdk/src/walletSdk/Anchor/index.ts: Added validation to throw MissingSigningKeyError when TOML lacks SIGNING_KEY
  • @stellar/typescript-wallet-sdk/package.json: Updated stellar-sdk to 14.5.0 and node engine to >=20
  • @stellar/typescript-wallet-sdk-soroban/src/Helpers/scValByType.ts: Replaced StrKey.encodeContract with Address.fromScAddress for contract addresses
  • @stellar/typescript-wallet-sdk-soroban/src/Helpers/getTokenInvocationArgs.ts: Replaced StrKey.encodeContract with Address.fromScAddress for contract addresses
  • @stellar/typescript-wallet-sdk-soroban/src/Helpers/getInvocationDetails.ts: Replaced StrKey.encodeContract with Address.fromScAddress; removed unused StrKey import
  • @stellar/typescript-wallet-sdk-soroban/package.json: Updated stellar-sdk to 14.5.0 and node engine to >=20
  • @stellar/typescript-wallet-sdk-km/test/keyManager.test.ts: Updated error message assertions to remove InvalidChallengeError prefix (SDK v14 throws plain Error)
  • @stellar/typescript-wallet-sdk-km/package.json: Updated stellar-sdk to 14.5.0 and node engine to >=20
  • .github/workflows/*.yml: Updated all 10 workflows from node-version 18 to 20


CassioMG self-assigned this Feb 26, 2026
CassioMG merged commit 1a6ef58 into release/2.0.0 Feb 26, 2026
6 checks passed
CassioMG deleted the cg-upgrade-stellar-sdk branch February 26, 2026 21:40
CassioMG mentioned this pull request Feb 26, 2026
CassioMG added a commit that referenced this pull request Feb 27, 2026
* Upgrade stellar-sdk and make signing key required (#233)

* Upgrade stellar-sdk and node

* Make Sep-10 Signing Key required

* Fix anchor platform tests

* Major bump version to v2.0.0 + Changelogs (#234)