chore(dapi): cleanup — drop unused deps, inline winston/fetch/promisify shims

[PastaPastaPasta]

Summary

Non-breaking cleanup pass on @dashevo/dapi-client and the browser path of @dashevo/dapi-grpc. Package stays CJS, public API unchanged, no consumer changes required.

This is PR 1 of 5 in a stacked series that incrementally makes dapi-client browser-native and ESM. Each PR is independently shippable and leaves the monorepo green.

What changes

@dashevo/dapi-client

• Replace winston with a ~30-line console-backed logger that preserves the same API (.error/.warn/.info/.verbose/.debug/.silly/.getForId).
• Drop node-fetch and the fetch-polyfill (Node 18+ has global fetch).
• Drop setimmediate (require in karma bootstrap + devDep). Test helper in BlockHeadersReader.spec.js already has a setTimeout fallback that handles browsers without setImmediate.
• Switch the self-signed-HTTPS path in requestJsonRpc from node-fetch's https.Agent to undici's Agent as the dispatcher option on Node 18+ built-in fetch. Behavior preserved for regtest/local; flag is still a no-op in browsers (TLS bypass is not programmatically possible there). undici is added as a dependency (Node 18+ ships it internally; declaring it explicitly is required under Yarn PnP). The import is hidden from bundler static analysis via eval('require') so undici is not pulled into browser bundles.
• Inline lodash/sample in ListDAPIAddressProvider (one call site).
• Add engines.node >= 18.18.
• Remove unused deps: winston, node-fetch, lodash, bs58, node-inspect-extracted, setimmediate.

@dashevo/dapi-grpc

• Inline a 5-line promisify shim in clients/core/v0/web/CorePromiseClient.js and clients/platform/v0/web/PlatformPromiseClient.js, removing the require('util') from the browser bundle path. Both files document the shim so a future codegen regen does not silently reintroduce require('util').

Test plan

• yarn workspace @dashevo/dapi-client run test:unit — 316 passing (adds a test that asserts the undici dispatcher is set when selfSigned=true, and another that asserts it is NOT set when selfSigned=false)
• yarn workspace @dashevo/dapi-client run lint — 0 errors, 73 pre-existing warnings
• yarn workspace @dashevo/wallet-lib run test:unit — no regression
• yarn workspace dash run test:unit — no regression

Breaking changes

• engines.node >= 18.18 (was unspecified; older Node lacks global fetch and undici).

Stack

• ➡️ PR 1 — Cleanup (this PR)
• PR 2 — Buffer → Uint8Array in dapi-client public surface (refactor(dapi)!: expose Uint8Array instead of Buffer in public API of dapi-client #3680)
• PR 3 — @dashevo/dapi-client → ESM (refactor(dapi)!: convert dapi-client to ESM, drop webpack/karma #3681)
• PR 4 — @dashevo/wallet-lib → ESM (refactor(wallet-lib)!: convert to ESM, consume ESM dapi-client #3682)
• PR 5 — @dashevo/js-dash-sdk + @dashevo/platform-test-suite → ESM (refactor(sdk,test-suite)!: convert to ESM, consume ESM dapi-client and wallet-lib #3683)

Summary by CodeRabbit

• Breaking Changes

  • Minimum Node.js version raised to 18.18
  • Fetch polyfill removed; module no longer injects a global fetch
  • Logger replaced with threshold-based console logger; getForId now accepts an optional override level

• Bug Fixes

  • Improved Node TLS handling for self-signed HTTPS using a shared agent/dispatcher reused across requests

• New Features

  • Local lightweight shims replace some external helpers to reduce runtime polyfills

• Chores

  • Removed several unused dependencies and trimmed package footprint

• Tests

  • Updated/added Node-only tests validating TLS/dispatcher behavior

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 36818c11-a9f8-469f-824f-5766c1f325b3

📥 Commits

Reviewing files that changed from the base of the PR and between d579034 and b219e27.

📒 Files selected for processing (1)

• packages/js-dapi-client/package.json

---

📝 Walkthrough

Walkthrough

Removes Node-only dependencies and polyfills, inlines small helper shims, updates package metadata and Yarn PnP mappings (adds undici, adjusts node-fetch virtual ID), replaces Winston with a console-threshold logger, and adapts gRPC and transport code to avoid Node-only modules (util, https).

Changes

Reduce Node dependencies and enable browser compatibility

Layer / File(s)	Summary
Dependency cleanup and Yarn PnP updates .pnp.cjs, packages/js-dapi-client/package.json	Remove runtime/dev dependencies (bs58, lodash, node-fetch, node-inspect-extracted, winston, setimmediate), add undici, set engines.node: ">=18.18", remove polyfills from published files, and update Yarn PnP virtual mappings (node-fetch virtual ID change and undici entry).
Remove fetch polyfill imports and initialization packages/js-dapi-client/lib/index.js, packages/js-dapi-client/lib/test/karma/bootstrap.js	Delete top-level requires that loaded the fetch polyfill and setimmediate from library and Karma test bootstrap.
Replace Winston logger with console threshold logger packages/js-dapi-client/lib/logger/index.js	Replace Winston with a lightweight threshold-based console logger factory (build(level, prefix)), add numeric LEVELS map, cached getForId(id, overrideLevel), and export the default built logger.
Remove Node util dependency from gRPC clients packages/dapi-grpc/clients/core/v0/web/CorePromiseClient.js, packages/dapi-grpc/clients/platform/v0/web/PlatformPromiseClient.js	Remove util.promisify import and add a local promisify(fn) shim used to convert callback-style gRPC unary methods into Promise-returning functions.
Transport changes, sampling, and tests packages/js-dapi-client/lib/transport/JsonRpcTransport/requestJsonRpc.js, packages/js-dapi-client/lib/dapiAddressProvider/ListDAPIAddressProvider.js, packages/js-dapi-client/test/unit/transport/JsonRpcTransport/requestJsonRpc.spec.js	Remove top-level https import; when protocol === 'https' and selfSigned is true in Node, dynamically require undici and set requestOptions.dispatcher to an Agent with rejectUnauthorized: false; replace lodash/sample with local sample(arr); update tests to assert dispatcher presence when selfSigned is true and absence when false.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested reviewers

• QuantumExplorer

Poem

🐇 I swapped out heavy shims today,
Inline helpers hop and play,
Winston sleeps while console sings,
Undici spins with lighter strings,
Builds now bounce in brighter ways.

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 75.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately summarizes the main changes: dropping unused dependencies and inlining helper functions (winston, fetch, promisify shims) to reduce external dependencies.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch claude/esm-1-cleanup

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

✅ DashSDKFFI.xcframework built for this PR.

• Workflow run: https://github.com/dashpay/platform/actions/runs/26277915063
• Artifacts: DashSDKFFI.xcframework (folder), DashSDKFFI.xcframework.zip, xc_checksum.txt

SwiftPM (host the zip at a stable URL, then use):

.binaryTarget(
  name: "DashSDKFFI",
  url: "https://your.cdn.example/DashSDKFFI.xcframework.zip",
  checksum: "1a89265fcbf7dca1f2addd0833e6cf1fb73467cbd5fa7ad050bb94e5f1606a98"
)

Xcode manual integration:

• Download 'DashSDKFFI.xcframework' artifact from the run link above.
• Drag it into your app target (Frameworks, Libraries & Embedded Content) and set Embed & Sign.
• If using the Swift wrapper package, point its binaryTarget to the xcframework location or add the package and place the xcframework at the expected path.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/js-dapi-client/lib/logger/index.js`:
- Around line 12-26: The prefixed logger currently passes the prefix as a
separate console argument (fmt), which breaks printf-style interpolation for
methods returned by getForId/build; change fmt so that when a prefix exists it
merges the prefix into the first argument if that first arg is a string (e.g.
transform (first, ...rest) => [prefix + ' ' + first, ...rest]) and otherwise
inserts the prefix before the first value (e.g. [prefix, first, ...rest]);
update the fmt helper used by logger.error/warn/info/verbose/debug/silly and the
getForId/build usage to use this new behavior so %s/%d formatting is preserved.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 56b6e1b7-0224-44e7-9c04-294c54bd62cf

📥 Commits

Reviewing files that changed from the base of the PR and between 6a3b904 and 2d952ac.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (11)

• .pnp.cjs
• packages/dapi-grpc/clients/core/v0/web/CorePromiseClient.js
• packages/dapi-grpc/clients/platform/v0/web/PlatformPromiseClient.js
• packages/js-dapi-client/lib/dapiAddressProvider/ListDAPIAddressProvider.js
• packages/js-dapi-client/lib/index.js
• packages/js-dapi-client/lib/logger/index.js
• packages/js-dapi-client/lib/test/bootstrap.js
• packages/js-dapi-client/lib/test/karma/bootstrap.js
• packages/js-dapi-client/lib/transport/JsonRpcTransport/requestJsonRpc.js
• packages/js-dapi-client/package.json
• packages/js-dapi-client/polyfills/fetch-polyfill.js

💤 Files with no reviewable changes (5)

• packages/js-dapi-client/lib/index.js
• packages/js-dapi-client/lib/test/bootstrap.js
• packages/js-dapi-client/lib/test/karma/bootstrap.js
• packages/js-dapi-client/lib/transport/JsonRpcTransport/requestJsonRpc.js
• packages/js-dapi-client/polyfills/fetch-polyfill.js

[thepastaclaw]

Code Review

PR is a JS cleanup pass on @dashevo/dapi-client and dapi-grpc browser build. Three carried-over findings are still valid at 2d952ac: one blocking behavioral regression where the selfSigned parameter is accepted/propagated end-to-end but no longer has any effect (breaking regtest/local 127.0.0.1 self-signed flows that DAPIAddressProvider explicitly opts into), plus a stale test that no longer guards distinct behavior and a stale setimmediate devDependency that contradicts the PR description.

🔴 1 blocking | 🟡 1 suggestion(s) | 💬 1 nitpick(s)

3 additional finding(s)

blocking: `selfSigned` parameter is dead but still propagated, silently breaking regtest TLS

packages/js-dapi-client/lib/transport/JsonRpcTransport/requestJsonRpc.js (line 14)

requestJsonRpc still accepts selfSigned (line 14), copies it into requestInfo (line 28), and is called with address.isSelfSignedCertificateAllowed() by JsonRpcTransport.request(). The previous Node-only https.Agent({rejectUnauthorized: false}) branch is gone, so fetch(url, requestOptions) at line 49 ignores the flag entirely. This is not a theoretical issue: ListDAPIAddressProvider.getLiveAddress() rewrites local/regtest addresses to https://127.0.0.1 with allowSelfSignedCertificate = true. Under Node, JSON-RPC calls against the built-in local network config will now fail certificate validation where they previously succeeded. Because the API surface still advertises and emits selfSigned, this is a silent behavioral regression rather than an explicit breaking change. Either restore Node-side self-signed handling for the regtest path, or drop the parameter from the function signature, requestInfo, all callers (JsonRpcTransport, DAPIAddress, both address providers, and corresponding tests), and document the removed regtest support.

suggestion: Self-signed HTTPS test no longer exercises any distinct behavior

packages/js-dapi-client/test/unit/transport/JsonRpcTransport/requestJsonRpc.spec.js (line 76)

This test sets selfSigned = true, but with the https.Agent branch removed, its call path is identical to the plain HTTPS test on lines 52-74. Since globalThis.fetch is fully stubbed, the assertion only confirms the stub resolves to 'passed' — it can stay green while the production self-signed path is broken (which is exactly what is happening at this SHA). Either delete the test along with the selfSigned parameter, or rework it to assert on whatever mechanism actually controls TLS verification once that path is restored.

nitpick: `setimmediate` devDependency contradicts the cleanup description

packages/js-dapi-client/package.json (line 64)

The PR description/commit message states setimmediate was removed, but it is still listed as a devDependency here and is still required by lib/test/karma/bootstrap.js:1. The code and metadata are internally consistent (the require resolves), but the dependency-removal claim in the PR description is incorrect. Either fully drop the polyfill (require + devDependency) or update the description to reflect that it was retained for the karma browser bootstrap.

🤖 Prompt for all review comments with AI agents

These findings are from an automated code review. Verify each finding against the current code and only fix it if needed.

- [BLOCKING] In `packages/js-dapi-client/lib/transport/JsonRpcTransport/requestJsonRpc.js`:14-49: `selfSigned` parameter is dead but still propagated, silently breaking regtest TLS
  `requestJsonRpc` still accepts `selfSigned` (line 14), copies it into `requestInfo` (line 28), and is called with `address.isSelfSignedCertificateAllowed()` by `JsonRpcTransport.request()`. The previous Node-only `https.Agent({rejectUnauthorized: false})` branch is gone, so `fetch(url, requestOptions)` at line 49 ignores the flag entirely. This is not a theoretical issue: `ListDAPIAddressProvider.getLiveAddress()` rewrites `local`/regtest addresses to `https://127.0.0.1` with `allowSelfSignedCertificate = true`. Under Node, JSON-RPC calls against the built-in local network config will now fail certificate validation where they previously succeeded. Because the API surface still advertises and emits `selfSigned`, this is a silent behavioral regression rather than an explicit breaking change. Either restore Node-side self-signed handling for the regtest path, or drop the parameter from the function signature, `requestInfo`, all callers (`JsonRpcTransport`, `DAPIAddress`, both address providers, and corresponding tests), and document the removed regtest support.
- [SUGGESTION] In `packages/js-dapi-client/test/unit/transport/JsonRpcTransport/requestJsonRpc.spec.js`:76-99: Self-signed HTTPS test no longer exercises any distinct behavior
  This test sets `selfSigned = true`, but with the `https.Agent` branch removed, its call path is identical to the plain HTTPS test on lines 52-74. Since `globalThis.fetch` is fully stubbed, the assertion only confirms the stub resolves to `'passed'` — it can stay green while the production self-signed path is broken (which is exactly what is happening at this SHA). Either delete the test along with the `selfSigned` parameter, or rework it to assert on whatever mechanism actually controls TLS verification once that path is restored.
- [NITPICK] In `packages/js-dapi-client/package.json`:64-64: `setimmediate` devDependency contradicts the cleanup description
  The PR description/commit message states `setimmediate` was removed, but it is still listed as a devDependency here and is still required by `lib/test/karma/bootstrap.js:1`. The code and metadata are internally consistent (the require resolves), but the dependency-removal claim in the PR description is incorrect. Either fully drop the polyfill (require + devDependency) or update the description to reflect that it was retained for the karma browser bootstrap.

Inline posting hit GitHub HTTP 422, so I posted the same verified findings as a top-level review body.

[thepastaclaw]

Code Review

Cleanup PR drops unused deps and inlines small shims for @dashevo/dapi-client and the browser path of @dashevo/dapi-grpc. The three prior findings (self-signed HTTPS path, missing dispatcher test, stale setimmediate) are all resolved at f8432f9: an undici Agent dispatcher restores TLS-bypass behavior in Node, the spec asserts on it, and setimmediate is gone from karma bootstrap and package.json. No new correctness, security, or architectural issues verified.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/js-dapi-client/lib/transport/JsonRpcTransport/requestJsonRpc.js`:
- Around line 54-61: The code creates a new undici Agent per self-signed HTTPS
request (see the Agent allocation and requestOptions.dispatcher) but never
closes it, leaking sockets; fix by replacing per-request Agent creation with a
single shared module-level Agent (e.g., sharedUndiciAgent) that is instantiated
once when needed and assigned to requestOptions.dispatcher, or if you must
create per-request dispatchers ensure you call dispatcher.destroy() /
dispatcher.close() after the request completes; update the code paths that set
requestOptions.dispatcher and add cleanup (destroy/close) or the shared Agent
instantiation so sockets are not leaked.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 81b75deb-a89b-4428-be81-60dfa6c8d3a8

📥 Commits

Reviewing files that changed from the base of the PR and between f8432f9 and d0185fb.

⛔ Files ignored due to path filters (2)

• .yarn/cache/undici-npm-6.25.0-6002e70879-a475e45da3.zip is excluded by !**/.yarn/**, !**/*.zip
• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (12)

• .pnp.cjs
• packages/dapi-grpc/clients/core/v0/web/CorePromiseClient.js
• packages/dapi-grpc/clients/platform/v0/web/PlatformPromiseClient.js
• packages/js-dapi-client/lib/dapiAddressProvider/ListDAPIAddressProvider.js
• packages/js-dapi-client/lib/index.js
• packages/js-dapi-client/lib/logger/index.js
• packages/js-dapi-client/lib/test/bootstrap.js
• packages/js-dapi-client/lib/test/karma/bootstrap.js
• packages/js-dapi-client/lib/transport/JsonRpcTransport/requestJsonRpc.js
• packages/js-dapi-client/package.json
• packages/js-dapi-client/polyfills/fetch-polyfill.js
• packages/js-dapi-client/test/unit/transport/JsonRpcTransport/requestJsonRpc.spec.js

💤 Files with no reviewable changes (4)

• packages/js-dapi-client/lib/index.js
• packages/js-dapi-client/lib/test/karma/bootstrap.js
• packages/js-dapi-client/polyfills/fetch-polyfill.js
• packages/js-dapi-client/lib/test/bootstrap.js

✅ Files skipped from review due to trivial changes (2)

• packages/js-dapi-client/lib/dapiAddressProvider/ListDAPIAddressProvider.js
• .pnp.cjs

🚧 Files skipped from review as they are similar to previous changes (5)

• packages/dapi-grpc/clients/core/v0/web/CorePromiseClient.js
• packages/dapi-grpc/clients/platform/v0/web/PlatformPromiseClient.js
• packages/js-dapi-client/package.json
• packages/js-dapi-client/test/unit/transport/JsonRpcTransport/requestJsonRpc.spec.js
• packages/js-dapi-client/lib/logger/index.js

[thepastaclaw]

Code Review

Verified at d0185fb: undici Agent dispatcher for self-signed HTTPS is in place at requestJsonRpc.js:54-62 with corresponding spec assertions (positive and negative cases), and setimmediate plus other dropped deps are absent from js-dapi-client / dapi-grpc. Both reviewers converged on zero findings and I confirmed nothing new in the cumulative diff.

[thepastaclaw]

Code Review

Both Claude and Codex independently verified the cumulative changes at c2b4925 and found no outstanding issues. The two follow-up fixes since d0185fb (module-level cached undici Agent for self-signed TLS, and merging the logger prefix into the printf format string to preserve %s/%d/%o interpolation) are correct and address prior findings. No blocking, suggestion, or nitpick findings were verified in the current changeset.

[thepastaclaw]

Code Review

PR head d579034 adds a single test-only change: two undici dispatcher specs in requestJsonRpc.spec.js are wrapped in nodeOnlyIt so they skip under Karma/browsers, mirroring the Node-only guard around the dispatcher branch in requestJsonRpc.js:59-70. Node coverage of the self-signed HTTPS path is preserved, and the browser-side negative assertions remain unchanged. Prior carried-forward findings (dispatcher attachment, reuse assertion, removed setimmediate) remain resolved at this SHA, and no new issues were verified.

[PastaPastaPasta]

CI failure is unrelated to this PR

[thepastaclaw]

Code Review

PR head b219e27 merges the updated v3.1-dev base and leaves this PR's effective diff as the DAPI JS/browser cleanup plus package-version bumps. Carried-forward prior findings from the immediately previous d579034 review: none; I reconciled the earlier self-signed HTTPS / dispatcher-test / setimmediate findings and they remain resolved at this head. The latest delta was inspected with git diff d579034b37db160a30d7424614809d352b0a596c..b219e2748ff75ee709d3f25ca4cd63719560447a, and no new actionable issues were verified.