v24.3.0-beta.7

Pre-release

@github-actions github-actions released this 13 Apr 05:21
e518171

BETA

Since 24.2.0, Taquito has focused on network reliability, testnet turnover, wallet integration hardening, and internal modernization.

Breaking changes

  • Node.js >=22 is now required. Node 20 reaches EOL April 2026; Node 22 ships with native globalThis.fetch, which enabled us to drop node-fetch.
  • TypeScript upgraded from 5.5.4 to 5.9.3. The compilation target moved from es6 to es2020, and useUnknownInCatchVariables is now enabled. Consumers importing Taquito's types should check for compatibility.
  • Estimation gas/fee output may change. See the gas patching section below.
  • @taquito/sapling no longer runs a networked postinstall hook. Proving parameters are vendored into the published package and verified by SHA-256 + byte length. Installs are self-contained and reproducible, at the cost of a larger tarball. Maintainers can refresh the vendored modules via the refresh:sapling-params script (which honors SAPLING_PARAMS_SOURCE_DIR for mirrored regeneration). (#3380)
  • @taquito/sapling now depends on @taquito/sapling-wasm@0.1.1 instead of @airgap/sapling-wasm. New tests pin the shield, unshield, and sapling-transfer bound-data semantics. (#3389)
  • bignumber.js upgraded to v10. v10 is stricter about invalid numeric input. Taquito normalizes this at its own API boundary so encoders return validation errors instead of leaking raw bignumber.js exceptions, but applications that previously relied on bignumber's permissive behavior via Taquito inputs should revalidate. (#3383)
  • Typed consumers should depend directly on bignumber.js@^10 when they name BigNumber in their own type signatures. Taquito now types against v10, and TypeScript can treat different installed majors as incompatible class types because of private fields. If your app annotates Taquito-returned values with BigNumber, add a direct bignumber.js@^10 dependency or infer the type from the Taquito API instead of relying on a transitive copy.
  • @taquito/wallet-connect and WalletProvider have TypeScript surface changes. getAllExistingSessionKeys() and configureWithExistingSessionKey() are now synchronous in the published type surface, and WalletProvider now requires the mapper methods used by Taquito's wallet pipeline. Runtime code that still uses await may continue to work, but typed consumers with custom wallet providers, local declaration shims, or assumptions about the older async signatures should update those definitions.

Estimation gas patching now aligns with protocol semantics

Taquito's estimation gas patching was reworked to match protocol and octez-client behavior. For batch estimation, Taquito now patches only operations missing gas limits, subtracts explicitly provided gas first, reserves reveal gas when a reveal will be prepended, and divides remaining block gas across the rest. This also fixes implicit-reveal estimation on networks where per-operation and per-block gas limits are equal (i.e. mainnet, shadownet).

This bug was historically masked because our long-running integration coverage ran against tallinnnet, which had hard_gas_limit_per_block (1_386_666) greater than hard_gas_limit_per_operation (1_040_000). Mainnet and shadownet use equal limits (1_040_000), so the faulty gas division would exceed limits there. Once CI moved to shadownet, the issue became visible.
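
The following JavaScript sketch is an added example, not Taquito's code: it applies the four patching steps described above and sets them beside a hypothetical naive patch to show how tallinnnet's larger block limit could hide an over-allocation. REVEAL_GAS_RESERVE, the function names, and the per-operation cap are assumptions of the sketch; the limits are the ones quoted above.

```javascript
// Added illustration, not Taquito source code.
// Limits are the values quoted in the release notes.
const MAINNET_LIKE = { perOperation: 1_040_000, perBlock: 1_040_000 };
const TALLINNNET = { perOperation: 1_040_000, perBlock: 1_386_666 };

// Constructed placeholder for the gas set aside for a prepended reveal.
const REVEAL_GAS_RESERVE = 1_000;

// Gas a batch claims in a block, including the reserve for a prepended reveal.
function batchTotal(ops, revealPrepended) {
  const reveal = revealPrepended ? REVEAL_GAS_RESERVE : 0;
  return ops.reduce((sum, op) => sum + op.gasLimit, reveal);
}

// Hypothetical naive patch: every operation without a gas limit gets the
// full per-operation limit, ignoring what the rest of the batch claims.
function naivePatch(ops, limits) {
  return ops.map((op) => ({ ...op, gasLimit: op.gasLimit ?? limits.perOperation }));
}

// The four steps from the release notes, in order.
function patchGasLimits(ops, limits, revealPrepended) {
  // 1. Only operations missing a gas limit are patched.
  const missing = ops.filter((op) => op.gasLimit === undefined);
  if (missing.length === 0) return ops.map((op) => ({ ...op }));

  // 2. Subtract explicitly provided gas from the block budget first.
  let remaining = ops.reduce((left, op) => left - (op.gasLimit ?? 0), limits.perBlock);

  // 3. Reserve reveal gas when a reveal will be prepended.
  if (revealPrepended) remaining -= REVEAL_GAS_RESERVE;
  if (remaining < missing.length) {
    throw new RangeError("explicit gas limits leave no block gas to distribute");
  }

  // 4. Divide the rest evenly. Capping each share at the per-operation
  //    limit is an assumption of this sketch.
  const share = Math.min(limits.perOperation, Math.floor(remaining / missing.length));
  return ops.map((op) => ({ ...op, gasLimit: op.gasLimit ?? share }));
}

// Constructed sample: one transfer from an unrevealed account.
const sample = [{ kind: "transaction" }];
```

With the constructed reserve, the naive patch of `sample` fits inside tallinnnet's block limit but exceeds the mainnet-like one, while `patchGasLimits` stays within the block limit on both.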

User impact: exact estimated gas and fee values may change, especially for mixed batches and unrevealed accounts. Applications that added custom workarounds or brittle assertions around previous estimate values should revalidate those flows after upgrading. Most users should see more reliable estimation on mainnet-like networks.

Public references: #3352, #3353

RPC read consistency semantics finalized

The broader consistency hardening earlier in this series over-pinned ordinary contract handles, making op.contract() and at(..., block) behave like exact historical snapshots. Beta.3 settles the intended semantics:

  • atExactBlock(...) keeps persistent pinning and exact historical reads.
  • at(..., block) and op.contract() use the block only to bootstrap reliably, then return live head-tracking abstractions, preserving existing Taquito contract semantics.

Exact read context is propagated through contract, big map, sapling, and TZIP-16 read paths. Shadownet secret-key integration runs have also been normalized to the same rolling RPC as the ephemeral shadownet config. (#3381)

Network and testnet updates

  • Ghostnet has been retired 👻. Shadownet 🧛 succeeds it, which is mildly funny.
  • Papers-operated Matrix relay defaults have been removed from Taquito's wallet stack.
  • Taquito's default relay configuration now points to nodes operated by Trilitech on the octez.io domain.
  • If dApps still see wallet connection failures at the relay layer, those issues should be directed to octez.connect: https://github.com/trilitech/octez.connect/issues

Reliability and correctness

  • Tezos X/Tezlink fee estimation was updated to use the live fee parameters exposed by mempool/filter, rather than relying on L1-style defaults. Tezos X pricing includes a higher per-byte data-availability cost and a congestion-sensitive gas price, so older L1-style assumptions can underprice operations.
  • Simulation retries and origination reads were hardened around RPC edge cases.
  • Wallet confirmation handling was fixed to avoid hanging indefinitely after a timeout.
  • Subscription polling was fixed to avoid canceling in-flight RPC requests.
  • The TZIP-16 metadata URI parser was rewritten to eliminate a CodeQL-flagged ReDoS pattern. (#3385)
  • @taquito/beacon-wallet package exports conditions were reordered to fix bundler resolution. (#3390)

Transport and dependency modernization

  • HTTP transport was migrated to native fetch, with exponential backoff, injection retries, and structured transport error classification.
  • Parts of the crypto stack were modernized toward @noble/* (blake2b, ed25519, hmac, sha512), and mnemonic handling moved from bip39 to @scure/bip39.
  • Bundler and package compatibility improved, especially around Vite, esbuild, ESM resolution, and dependency declarations. The install-time Angular patch was removed, simplifying package installation.
  • The shipped-package toolchain was refreshed across Rollup, Vitest, Ledger transport, and related build helpers. Several unused transitive dependencies (whatwg-url, request, tmp, lodash paths) were dropped from the root lockfile, and legacy signature.json files were removed from published package manifests. (#3379, #3386, #3387)
  • Beacon fork pinned to @ecadlabs/beacon-* 4.8.1-ecad.4. (#3390)

Wallet integration improvements

  • @taquito/wallet-connect was updated to the current WalletConnect sign stack.
  • Session handling in @taquito/wallet-connect is now stricter and more resilient, especially around restored, updated, expired, and deleted sessions. Restored sessions are validated before being accepted, and local active-account and network state are reconciled more consistently as sessions change.
  • WalletConnect docs were refreshed to match the current runtime behavior and modal plan.

Tooling and docs

  • The repo is moving from Jest to Vitest.
  • TypeDoc upgraded from 0.26 to 0.28, with 807 doc warnings fixed.
  • Release version-sync now only rewrites dependency ranges for actual workspace packages, preserving external scoped packages like @taquito/sapling-wasm. Release and rehearsal workflows install the stamped graph before version-stamp, build, test, and publish. (#3391)
  • Documentation and website content received a broad cleanup pass, including SECURITY.md, root README.md, and website doc drift. Security reporting now routes through GitHub private vulnerability reporting with email fallback. A repository CODEOWNERS file was added for @ecadlabs/taquito-team. (#3386, #3388)
  • Integration and CI coverage have shifted toward Shadownet, with sharded runs, updated keygen flows, and hardening for live-state behavior on current testnets.