Enhance IndexerStatus component to display network icon#178
Merged
Conversation
boundless-forest
approved these changes
May 24, 2025
fewensa
added a commit
that referenced
this pull request
Apr 14, 2026
Upgrade direct dependencies in packages/web:
- next: 16.1.7 -> 16.2.3 (CVE: DoS with Server Components, high)
- next-intl: 4.8.3 -> 4.9.1 (open redirect vulnerability, medium)

Add pnpm.overrides in root package.json to force patched versions of transitive dependencies across all workspaces:
- axios: >=1.15.0 (critical: SSRF via NO_PROXY bypass + cloud metadata exfiltration)
- follow-redirects: >=1.16.0 (medium: auth header leak on cross-domain redirect)
- hono: >=4.12.12 (high/medium: serveStatic arbitrary file access, cookie injection, XSS, cache deception, IP spoofing, prototype pollution, SSE injection, path traversal)
- @hono/node-server: >=1.19.13 (high/medium: static path auth bypass via encoded slashes)
- effect: >=3.20.0 (high: AsyncLocalStorage context contamination under concurrent RPC load)
- lodash: >=4.18.0 (high/medium: code injection via template, prototype pollution via unset/omit)
- xml2js: >=0.5.0 (medium: prototype pollution)

Closes #160 #161 #162 #163 #164 #165 #166 #167 #168 #169 #170 #171
Closes #172 #173 #174 #175 #176 #177 #178 #179 #180 #181 #182 #183
Closes #184 #185
fewensa
added a commit
that referenced
this pull request
Apr 14, 2026
* fix(deps): remediate 26 open Dependabot security alerts

  Upgrade direct dependencies in packages/web:
  - next: 16.1.7 -> 16.2.3 (CVE: DoS with Server Components, high)
  - next-intl: 4.8.3 -> 4.9.1 (open redirect vulnerability, medium)

  Add pnpm.overrides in root package.json to force patched versions of transitive dependencies across all workspaces:
  - axios: >=1.15.0 (critical: SSRF via NO_PROXY bypass + cloud metadata exfiltration)
  - follow-redirects: >=1.16.0 (medium: auth header leak on cross-domain redirect)
  - hono: >=4.12.12 (high/medium: serveStatic arbitrary file access, cookie injection, XSS, cache deception, IP spoofing, prototype pollution, SSE injection, path traversal)
  - @hono/node-server: >=1.19.13 (high/medium: static path auth bypass via encoded slashes)
  - effect: >=3.20.0 (high: AsyncLocalStorage context contamination under concurrent RPC load)
  - lodash: >=4.18.0 (high/medium: code injection via template, prototype pollution via unset/omit)
  - xml2js: >=0.5.0 (medium: prototype pollution)

  Closes #160 #161 #162 #163 #164 #165 #166 #167 #168 #169 #170 #171
  Closes #172 #173 #174 #175 #176 #177 #178 #179 #180 #181 #182 #183
  Closes #184 #185

* fix(deps): upgrade prisma 7.3.0 -> 7.7.0

  No breaking changes affect this project in the 7.3.0-7.7.0 range:
  - No @prisma/adapter-pg usage (pg CVE-2025-21494 in 7.5.0 does not apply)
  - No DbNull/JsonNull/queryRawTyped usage (type fixes in 7.7.0 are safe)
  - No upsert calls omitting create/update (additive change in 7.5.0)
  - No relationLoadStrategy usage (join fixes in 7.4.0-7.7.0 are safe)

  Notable improvements included:
  - 7.4.0: bug fixes for orderBy relations, PostgreSQL generated columns, TS type guards
  - 7.5.0: @prisma/adapter-pg security fix (CVE-2025-21494), aggregate functions in join strategy
  - 7.6.0: nullable relation filtering fix, $extends in edge environments, TS omit+include fix
  - 7.7.0: Prisma.DbNull/JsonNull null return type fix, $queryRawTyped on pg adapter fix, ESM import path fix

  Also resolves the transitive effect dependency: prisma 7.7.0 pulls @prisma/config@7.7.0 which requires effect@3.20.0, covered by the existing pnpm.overrides (>=3.20.0 -> resolves to 3.21.0).

* fix(deps): constrain pnpm.overrides to current major with caret ranges

  Replace open-ended >= lower bounds with ^ (caret) ranges to prevent future lockfile refreshes from pulling in next-major versions (e.g. axios 2.x, hono 5.x) that could introduce unreviewed breaking changes unrelated to this security remediation.

  Resolved versions remain identical: axios 1.15.0, follow-redirects 1.16.0, hono 4.12.12, @hono/node-server 1.19.14, effect 3.21.0, lodash 4.18.1, xml2js 0.5.0

  Addresses review feedback from Copilot and Codex.

* test(indexer): add missing voteClockMode mock in two token-vote-power tests

  Two tests in token-vote-power.test.ts called storeDelegateVotesChanged without mocking voteClockMode, causing real RPC calls to https://rpc.example.invalid which trigger retry loops and a 5000ms timeout, or leave the handler in an unexpected state that causes a subsequent TypeError when decode() returns undefined.

  Fixed by adding:

    jest.spyOn(handler as any, 'voteClockMode')
      .mockResolvedValue(ClockMode.BlockNumber)

  to both affected it() blocks:
  - 'zeros the historical relation when a delegate change closes an old edge even if the stored row is stale'
  - 'does not let a zero-to-delegate transaction-local vote delta override the exact transfer-backed relation'

  All 95 tests pass locally after the fix.
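The caret-range commit above argues that an open-ended `>=` override silently admits a future major while `^` does not. The following is an added example, not code from the PR or the project: a minimal checker for exactly those two override styles, run over the override values and resolved versions quoted in the commit message, plus a constructed "after refresh" resolution (axios 2.0.0, hono 5.0.0, xml2js 0.6.0) that is an assumption for illustration.

```javascript
// Added example, not code from the PR or the project: a minimal checker for the
// two override styles the commit message contrasts, ">=X.Y.Z" and "^X.Y.Z".
// Only those two operators are implemented; it is not a full semver library.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// ">=X.Y.Z" accepts anything at or above the floor, including later majors.
// "^X.Y.Z" accepts the floor up to (not including) the next major; for 0.x
// releases npm treats the minor (or, for 0.0.x, the patch) as that boundary.
function satisfies(version, range) {
  const m = /^(>=|\^)(.+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported range: ${range}`);
  const floor = parseVersion(m[2]);
  const v = parseVersion(version);
  if (compare(v, floor) < 0) return false;
  if (m[1] === '>=') return true;
  if (floor[0] > 0) return v[0] === floor[0];
  if (floor[1] > 0) return v[0] === 0 && v[1] === floor[1];
  return v[0] === 0 && v[1] === 0 && v[2] === floor[2];
}

// Names every overridden package whose resolved version (e.g. read from the
// lockfile after a refresh) falls outside the range its override allows.
function violations(overrides, resolved) {
  return Object.keys(overrides).filter((pkg) => !satisfies(resolved[pkg], overrides[pkg]));
}

// Open-ended floors from the first commit, and the caret ranges that replaced them.
const openEnded = { axios: '>=1.15.0', hono: '>=4.12.12', xml2js: '>=0.5.0' };
const caret = { axios: '^1.15.0', hono: '^4.12.12', xml2js: '^0.5.0' };

// Resolved versions the commit message reports today.
const today = { axios: '1.15.0', hono: '4.12.12', xml2js: '0.5.0' };
// Constructed (assumption): what a later lockfile refresh might pull in.
const afterRefresh = { axios: '2.0.0', hono: '5.0.0', xml2js: '0.6.0' };

console.log(violations(openEnded, afterRefresh)); // [] -- next majors slip through unnoticed
console.log(violations(caret, afterRefresh));     // ['axios', 'hono', 'xml2js']
```

Run against the real lockfile, the same `violations` check turns the review feedback into a CI gate: any resolution outside the caret range fails the build instead of shipping an unreviewed major.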
No description provided.