feat!: demote auth registry to non-protocol contract

[dbanks12]

Demotes auth_registry from protocol contract. Introduces canonical_addresses Noir crate and @aztec/canonical-contracts TS package.

Stacked on #23216.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​vite@​7.3.1
	npm/​bn.js@​4.12.0
	npm/​@​aztec/​standard-contracts@​0.0.0-use.local

View full report

[dbanks12]

Warning

This pull request is not mergeable via GitHub because a downstack PR is open. Once all requirements are satisfied, merge this PR as a stack on Graphite.
Learn more

• feat!: demote multi_call_entrypoint to non-protocol contract #23197 : 2 dependent PRs (#23199 , #23218 )
• feat!: demote public_checks to non-protocol contract #23217
• feat!: demote auth registry to non-protocol contract #23106 👈 (View in Graphite)
• refactor: move public_checks caller helpers into aztec-nr #23215
• merge-train/fairies

This stack of pull requests is managed by Graphite. Learn more about stacking.

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Medium CVE: npm bn.js affected by an infinite loop CVE: GHSA-378v-28hj-76wf bn.js affected by an infinite loop (MODERATE) Affected versions: < 4.12.3; >= 5.0.0 < 5.2.3 Patched version: 4.12.3 From: yarn-project/foundation/package.json → npm/bn.js@4.12.0 ℹ Read more on: This package | This alert | What is a medium CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known medium severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/bn.js@4.12.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Medium CVE: npm bn.js affected by an infinite loop CVE: GHSA-378v-28hj-76wf bn.js affected by an infinite loop (MODERATE) Affected versions: < 4.12.3; >= 5.0.0 < 5.2.3 Patched version: 5.2.3 From: ? → npm/@aztec/foundation@0.0.0-use.local → npm/crypto-browserify@3.12.1 → npm/@ethersproject/wallet@5.8.0 → npm/bn.js@5.2.1 ℹ Read more on: This package | This alert | What is a medium CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known medium severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/bn.js@5.2.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Medium CVE: npm bn.js affected by an infinite loop CVE: GHSA-378v-28hj-76wf bn.js affected by an infinite loop (MODERATE) Affected versions: < 4.12.3; >= 5.0.0 < 5.2.3 Patched version: 5.2.3 From: ? → npm/@nethermindeth/discv5@9.0.0-backport-306-v4 → npm/@nethermindeth/enr@3.0.0-backport-306-v4 → npm/bn.js@5.2.2 ℹ Read more on: This package | This alert | What is a medium CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known medium severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/bn.js@5.2.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Medium CVE: Hono has CSS Declaration Injection via Style Object Values in JSX SSR CVE: GHSA-qp7p-654g-cw7p Hono has CSS Declaration Injection via Style Object Values in JSX SSR (MODERATE) Affected versions: < 4.12.18 Patched version: 4.12.18 From: ? → npm/eslint@9.26.0 → npm/hono@4.12.5 ℹ Read more on: This package | This alert | What is a medium CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known medium severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/hono@4.12.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Medium CVE: Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage CVE: GHSA-p77w-8qqv-26rm Hono's Cache Middleware ignores Vary: Authorization / Vary: Cookie leading to cross-user cache leakage (MODERATE) Affected versions: < 4.12.18 Patched version: 4.12.18 From: ? → npm/eslint@9.26.0 → npm/hono@4.12.5 ℹ Read more on: This package | This alert | What is a medium CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known medium severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/hono@4.12.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Medium CVE: npm hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection CVE: GHSA-69xw-7hcm-h432 hono/jsx has Unvalidated JSX Tag Names that May Allow HTML Injection (MODERATE) Affected versions: < 4.12.16 Patched version: 4.12.16 From: ? → npm/eslint@9.26.0 → npm/hono@4.12.5 ℹ Read more on: This package | This alert | What is a medium CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known medium severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/hono@4.12.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Medium CVE: Hono: bodyLimit() can be bypassed for chunked / unknown-length requests CVE: GHSA-9vqf-7f2p-gf9v Hono: bodyLimit() can be bypassed for chunked / unknown-length requests (MODERATE) Affected versions: < 4.12.16 Patched version: 4.12.16 From: ? → npm/eslint@9.26.0 → npm/hono@4.12.5 ℹ Read more on: This package | This alert | What is a medium CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known medium severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/hono@4.12.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Medium CVE: npm hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR CVE: GHSA-458j-xx4x-4375 hono Improperly Handles JSX Attribute Names Allows HTML Injection in hono/jsx SSR (MODERATE) Affected versions: < 4.12.14 Patched version: 4.12.14 From: ? → npm/eslint@9.26.0 → npm/hono@4.12.5 ℹ Read more on: This package | This alert | What is a medium CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known medium severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/hono@4.12.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Medium CVE: Hono vulnerable to Prototype Pollution possible through __proto__ key allowed in parseBody({ dot: true }) CVE: GHSA-v8w9-8mx6-g223 Hono vulnerable to Prototype Pollution possible through proto key allowed in parseBody({ dot: true }) (MODERATE) Affected versions: < 4.12.7 Patched version: 4.12.7 From: ? → npm/eslint@9.26.0 → npm/hono@4.12.5 ℹ Read more on: This package | This alert | What is a medium CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known medium severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/hono@4.12.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Medium CVE: Hono missing validation of cookie name on write path in setCookie() CVE: GHSA-26pp-8wgv-hjvm Hono missing validation of cookie name on write path in setCookie() (MODERATE) Affected versions: < 4.12.12 Patched version: 4.12.12 From: ? → npm/eslint@9.26.0 → npm/hono@4.12.5 ℹ Read more on: This package | This alert | What is a medium CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known medium severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/hono@4.12.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Medium CVE: Hono: Non-breaking space prefix bypass in cookie name handling in getCookie() CVE: GHSA-r5rp-j6wh-rvv4 Hono: Non-breaking space prefix bypass in cookie name handling in getCookie() (MODERATE) Affected versions: < 4.12.12 Patched version: 4.12.12 From: ? → npm/eslint@9.26.0 → npm/hono@4.12.5 ℹ Read more on: This package | This alert | What is a medium CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known medium severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/hono@4.12.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Medium CVE: Hono: Middleware bypass via repeated slashes in serveStatic CVE: GHSA-wmmm-f939-6g9c Hono: Middleware bypass via repeated slashes in serveStatic (MODERATE) Affected versions: < 4.12.12 Patched version: 4.12.12 From: ? → npm/eslint@9.26.0 → npm/hono@4.12.5 ℹ Read more on: This package | This alert | What is a medium CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known medium severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/hono@4.12.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Medium CVE: Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses CVE: GHSA-xpcf-pg52-r92g Hono has incorrect IP matching in ipRestriction() for IPv4-mapped IPv6 addresses (MODERATE) Affected versions: < 4.12.12 Patched version: 4.12.12 From: ? → npm/eslint@9.26.0 → npm/hono@4.12.5 ℹ Read more on: This package | This alert | What is a medium CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known medium severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/hono@4.12.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Medium CVE: Hono: Path traversal in toSSG() allows writing files outside the output directory CVE: GHSA-xf4j-xp2r-rqqx Hono: Path traversal in toSSG() allows writing files outside the output directory (MODERATE) Affected versions: >= 4.0.0 < 4.12.12 Patched version: 4.12.12 From: ? → npm/eslint@9.26.0 → npm/hono@4.12.5 ℹ Read more on: This package | This alert | What is a medium CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known medium severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/hono@4.12.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Medium CVE: Vite Vulnerable to Path Traversal in Optimized Deps .map Handling CVE: GHSA-4w7w-66w2-5vf9 Vite Vulnerable to Path Traversal in Optimized Deps .map Handling (MODERATE) Affected versions: >= 8.0.0 < 8.0.5; >= 7.0.0 < 7.3.2; < 6.4.2 Patched version: 7.3.2 From: yarn-project/docs/package.json → npm/vite@7.3.1 ℹ Read more on: This package | This alert | What is a medium CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known medium severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/vite@7.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report