chore(deps): bump actions/setup-node from 4 to 6#2
Closed
dependabot[bot] wants to merge 35 commits into
Closed
Conversation
ChainId union (5 EVM chains), NetworkConfig, PaymentProof, PaymentRequiredResponse, FrameContext, FrameState. Zero runtime deps. pnpm build produces dist/ with .js + .d.ts. npm pack --dry-run clean.
… (T-3) Pins rust-toolchain to 1.85.0 (minimum for edition 2024; 1.84.1 from previous dispatch was incompatible). cargo build --release + cargo test (1/1) both green. npm pack --dry-run succeeds.
dependabot
Bot
added
dependencies
dependabot
Bot
added
dependencies
…confirmed Corpus: 20 synthetic invoices via TS reference codec (140–564 B uncompressed, median 193 B). Brotli-wasm q=11 median compressed: 185 B — Plan-C NOT triggered. WASM blob measurements (wasm-pack 0.13.1 + wasm-opt -Oz, Rust 1.85.0): A (brotli-decompressor decoder-only): ~196 KB blob / ~201 KB pkg total B (brotli v7 full encoder+decoder): ~953 KB blob / ~959 KB pkg total C (brotli v7 no-stdlib): ≈ B — no decoder-only feature gate in v7 Verdict: B-i RULED OUT. B-iv CONFIRMED — Rust ships brotli-decompressor only; encode-wire is native JS-side. Matches Ignat pre-decision. Cargo.toml unchanged (T-P2-1 owns deps).
…th (T-P2-0b follow-up)
…eplan T-P2-7 deleted. B-iv (decode in Rust) measured at ~196 KB WASM blob vs the 80 KB hard cap. brotli-decompressor mandates a ~120 KB static dictionary with no decoder-only feature gate. B-v LOCKED: WASM ships TLV+keccak core only. Both compress and decompress live in the JS shim layer over brotli-wasm peerDep. Wire bytes unchanged (brotli-wasm q11 = same compressor as TS codec). Removes: brotli-decompressor v4.0.3, alloc-stdlib v0.2.2, alloc-no-stdlib v2.0.4 Cargo.lock staged with Cargo.toml per Phase 1 rule F-3.
Replace `map(|b| format!("{b:02x}")).collect::<String>()` with
`fold + write!` pattern in arb_wallet_address and arb_invoice.
cargo clippy --all-targets --all-features -- -D warnings now exits 0.
Implements the canonical-only Rust surface per B-v replan: - encode_invoice_canonical → TLV bytes, COMPRESSED_FLAG never set - decode_invoice_canonical → Invoice from canonical bytes, rejects 0x80 - lib.rs: exports 2 canonical fns + compute_content_hash; no wire variants - wasm.rs: exactly 2 #[wasm_bindgen] exports (encodeInvoiceCanonical / decodeInvoiceCanonical); BigInt-safe via serde_large_number_types_as_bigints - invoice.rs: Invoice/InvoiceFrom/InvoiceClient/InvoiceItem with Tsify + serde - encode.rs: TLV type registry, phf dict, mantissa/LEB128 encoding, domain sep - decode.rs: full TLV decode, domain separator verify, BigInt-safe mantissa No brotli dep in Rust. Wire compression lives in JS shim (src/index.ts).
Removed tsify (gloo-utils, web-sys, serde_json) and serde_json from [dependencies] — not needed since wasm.rs uses JsValue + serde_wasm_bindgen directly. Invoice structs keep Serialize+Deserialize for serde_wasm_bindgen. WASM blob after wasm-pack release build: 163 KB (hard cap 80 KB exceeded). Size checkpoint FAILED — see T-P2-7-alt final report for Kai escalation.
…7-alt) - src/index.ts: 4-name public API — encodeInvoiceCanonical/decodeInvoiceCanonical re-exported from WASM, encodeInvoiceWire/decodeInvoiceWire over brotli-wasm peerDep (COMPRESSED_FLAG + expand-fallback mirror reference compressPayload) - vitest.config.ts: vite-plugin-wasm + top-level-await; brotli-wasm aliased to the CJS node build for the Node test env - package.json: dist/ shim is the main entry (was raw WASM pkg); build runs wasm-pack then tsc, strips wasm-pack's pkg/.gitignore so pkg/ ships - 6 shim tests green (canonical + wire roundtrip, COMPRESSED_FLAG set/clear)
Iris Gate A2 flagged cargo fmt --check failures across 5 files (purely stylistic — line wrapping, import ordering, no logic change). fmt now clean; 81 Rust tests still green.
- wasm.rs: #[wasm_bindgen(js_name = receiptHash)] export - wasm_boundary.rs: boundary test (32-byte digest, deterministic) - index.ts: re-export receiptHash - Decision: receipt_hash ships in Phase 2 (plan-2c C6, Ignat 2026-05-20)
… (T-P2-9c) - proptest -> [target.'cfg(not(target_arch = "wasm32"))'.dev-dependencies] - getrandom 0.3 / wait-timeout don't build for wasm32; proptest must leave the wasm32 test graph - cfg-gate proptest-using test files to cfg(not(wasm32)) - wasm-pack test --node now compiles -> AC-9 boundary tests executable - see spec 056 plan-2c C8
…2-9b-fix) - drop #[wasm_bindgen(module = "/pkg/...")] extern block — a wasm_bindgen_test must not re-import the built JS bundle - call void_layer_codec::compute_content_hash directly, like bigint_boundary.rs - add receiptHash JS-export coverage to index.test.ts - fix pre-existing TS18046 errors on decoded: unknown (add DecodedInvoice cast) - fixes ERR_MODULE_NOT_FOUND under wasm-pack test --node
- codec build script invokes `wasm-pack build` since B-v (a1e6753); lint-and-build ran `pnpm -r build` without wasm-pack on the runner - pin wasm-pack 0.14.1 per Phase 1 D-A5 - add explicit `rustup target add wasm32-unknown-unknown` before install - fixes CI run 26179858633 'wasm-pack: not found'
- mantissa_bytes parses amounts as U256 (ruint) — matches the TS BigInt reference; covers the on-chain uint256 domain - decode reconstructs U256; removes the silent u128::MAX saturation bug - InvalidAmount error variant replaces miscategorised CompressionFailed - byte-identical output for amounts <= u128::MAX (parity preserved) - decision: codec amount domain = U256 (Ignat 2026-05-20)
- 1 minimal + 5 chain-selectors + 4 bigint-edges + 3 extensions + 4 malformed - bigint edges: 0, 1, uint256-max (encodes), over-u256 (InvalidAmount) - TS generator over the U256 codec; Kai-reviewed (2 rounds) - two malformed subtypes: decode-input (hex) + encode-input (payload) - generator excluded from `pnpm test` (vitest scripts/** exclude) - append-only forever; schema_version locked at 1 per D-R6.1 Co-Authored-By: kai-cto <kai@void-layer.local>
…12 follow-up) - malformed-varint-overflow relabelled: the old hex triggers ChecksumMismatch (no valid domain-separator TLV), not VarintOverflow -> kept as new vector `malformed-checksum-mismatch` - new `malformed-varint-overflow`: overflow moved into the TLV length-varint, hit during structural decode before the checksum check -> genuinely yields VarintOverflow (Kai-reviewed) - 18 golden vectors total - pnpm-lock.yaml: @types/node lockfile entry missed by e7b0340
- parity.test.ts: TS/JS surface, canonical + wire, both directions - parity.rs: Rust surface, canonical only (no wire encoder per B-v C3) - ci.yml: vector-parity job - 18/18 golden vectors pass parity on both surfaces - malformed vectors assert expected CodecError variant
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4 to 6. - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](actions/setup-node@v4...v6) --- updated-dependencies: - dependency-name: actions/setup-node dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
force-pushed
the
dependabot/github_actions/actions/setup-node-6
branch
from
c9c573b to
bf48717
Compare
Contributor
|
Закрыт: base main перемотан на commit #0 для полного project-review PR. Dependabot пересоздаст после мерджа #7. |
Contributor
Author
|
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it. |
ignromanov
added a commit
that referenced
this pull request
May 22, 2026
…s overflow, drop URL cap - write_quantity: reject negative finite quantity (was saturating to 0 via as u64) - encode: reject due_at < issued_at (was collapsing to zero delta) - mantissa_bytes: widen trailing-zeros accumulator to usize, error if > 77 (U256 domain max) - encode: drop MAX_PAYLOAD_SIZE check — URL budget is post-compression (JS shim), wrong layer; const removed Tests: write_quantity_negative_errors, mantissa_bytes_max_trailing_zeros, encode_rejects_due_at_before_issued_at, encode_accepts_due_at_equal_issued_at, encode_accepts_canonical_over_url_budget. Addresses PR #7 review #2/#3/#7/#10.
ignromanov
added a commit
that referenced
this pull request
May 22, 2026
Add varint::read_bounded_len — a shared length-style varint reader that rejects values exceeding a caller-supplied max BEFORE narrowing to usize, guarding wasm32 32-bit usize truncation. Returns (len, bytes_consumed). - #12 unpack_items: route count + desc_len through read_bounded_len and use checked_add for offset + desc_len, preventing usize overflow and the resulting slice panic on hostile input. - #8 decode_chain_id: 0x01 raw-varint branch now uses u32::try_from instead of `as u32`, rejecting chain IDs > u32::MAX. - #2 decode_mantissa / unpack_items rate: raise trailing-zero cap from 30 to 77 (MAX_TRAILING_ZEROS) — decode must accept any zero count a valid U256 can produce; the lower cap rejected valid encodings. 18 hostile-input #[test]s added (varint bounds, desc_len/count overflow, chain-id u32 overflow, mantissa zero range) asserting Err, not panic.
ignromanov
added a commit
that referenced
this pull request
May 25, 2026
Eliminates parallel encode/decode hardcoded slices; adds keccak lock-hash test mirroring chain_dict_locked pattern. Per Audit A #2 + Audit B extract intra-codec.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps actions/setup-node from 4 to 6.
Release notes
Sourced from actions/setup-node's releases.
... (truncated)
Commits
48b55a0Update Node.js versions in versions.yml and bump package to v6.4.0 (#1533)ab72c7eUpgrade@actionsdependencies (#1525)53b8394Bump minimatch from 3.1.2 to 3.1.5 (#1498)54045abScope test lockfiles by package manager and update cache tests (#1495)c882bffReplace uuid with crypto.randomUUID() (#1378)774c1d6feat(node-version-file): support parsingdevEnginesfield (#1283)efcb663fix: remove hardcoded bearer (#1467)d02c89dFix npm audit issues (#1491)6044e13Docs: bump actions/checkout from v5 to v6 (#1468)8e49463Fix README typo (#1226)