chore: bump @polkadot/util from 13.4.3 to 14.0.3#3314

Open
dependabot[bot] wants to merge 1 commit into develop from dependabot/npm_and_yarn/polkadot/util-14.0.3
@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Bumps @polkadot/util from 13.4.3 to 14.0.3.

Release notes

Sourced from @polkadot/util's releases.

v14.0.3

Changes:

  • Fix(hw-ledger): reset transport on operation errors and add explicit disconnect API (#2024)

v14.0.2

Changes:

  • Set headers to 2026 (#2021)

Contributed:

v14.0.1

Changes:

  • fix(x-randomvalues): prioritize native RN modules over polyfilled crypto (#2013)
  • sr25519: switch from wasm to micro-sr25519 (#1971)

v13.5.9

Changes:

  • Bump polkadot dependencies (#2011)

v13.5.8

Changes:

v13.5.7

Changes:

  • Revert "Set pbkdf2Encode rounds to default to 210,000" (#2007)

v13.5.6

Changes:

  • Set pbkdf2Encode rounds to default to 210,000 (#1983)
  • Bump @polkadot/wasm deps (#2002)

Contributed:

  • Add DENTNet to generic Polkadot app supported chains (#1942)

v13.5.5

Changes:

  • Add ledger support for Mythos (#1969)

... (truncated)

Changelog

Sourced from @polkadot/util's changelog.

14.0.3 Mar 23, 2026

Changes:

  • Fix(hw-ledger): reset transport on operation errors and add explicit disconnect API (#2024)

14.0.2 Mar 16, 2026

Changes:

  • Set headers to 2026 (#2021)

Contributed:

14.0.1 Dec 9, 2025

Changes:

  • fix(x-randomvalues): prioritize native RN modules over polyfilled crypto (#2013)
  • sr25519: switch from wasm to micro-sr25519 (#1971)

13.5.9 Nov 25, 2025

Changes:

  • Bump polkadot dependencies (#2011)

13.5.8 Nov 11, 2025

Changes:

13.5.7 Oct 13, 2025

Changes:

  • Revert "Set pbkdf2Encode rounds to default to 210,000" (#2007)

13.5.6 Aug 26, 2025

Changes:

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by paritytech-ci, a new releaser for @polkadot/util since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [@polkadot/util](https://github.com/polkadot-js/common/tree/HEAD/packages/util) from 13.4.3 to 14.0.3.
- [Release notes](https://github.com/polkadot-js/common/releases)
- [Changelog](https://github.com/polkadot-js/common/blob/master/CHANGELOG.md)
- [Commits](https://github.com/polkadot-js/common/commits/v14.0.3/packages/util)

---
updated-dependencies:
- dependency-name: "@polkadot/util"
  dependency-version: 14.0.3
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

@tangletools tangletools left a comment

🟠 Value Audit — better-approach-exists

Verdict better-approach-exists
Concerns 2 (2 strong-concern)
Heuristic 0.0s
Duplication 0.0s
Interrogation 120.2s (2 bridge agents)
Total 120.2s

💰 Value — better-approach-exists

Bumps @polkadot/util 13→14 in isolation while every sibling @polkadot package stays on v13, so the lock file now resolves two copies of util and the app's BN stops matching the one @polkadot/api returns — a coordinated full-set bump is the right way to cross a major in this ecosystem.

  • What it does: Single-line dependency bump in package.json:80 from "@polkadot/util": "^13.4.3" to "^14.0.3". No code changes. This is a MAJOR version jump (13→14) in the @polkadot-js/common util package. The v14 changelog ships: sr25519 switched from wasm to micro-sr25519 (v14.0.1), RN crypto prioritized over polyfill, Ledger transport reset + explicit disconnect API (v14.0.3), and a secp256k1Expand x/y getter f
  • Goals it achieves: Stated goal is routine dep freshness. Inferred from the code, the goal is negligible: the app imports only BN, BN_ZERO, bnMax, assert, u8aToHex/u8aToString, formatBalance (30 source files) — all unchanged across v13/v14. No v14-only feature is consumed, so the bump delivers no functional or security delta to this codebase.
  • Assessment: Fights the documented grain of the @polkadot-js ecosystem, which is version-coupled and ships as a coordinated set. The harm is concrete and verified in the lock file: @polkadot/util-crypto@13.4.3 (yarn.lock:9205) pins "@polkadot/util": "npm:13.4.3" exactly, and @polkadot/keyring/api/types all transitively require util@13. So after this bump yarn.lock resolves BOTH @polkadot/util@13.4.3 (line 9369
  • Better / existing approach: Searched package.json + yarn.lock for the sibling set and for how util is consumed. The materially better approach is a coordinated bump of the ENTIRE @polkadot set together — @polkadot/api (13.2.1), @polkadot/keyring (13.4.3), @polkadot/types (13.2.1), @polkadot/util-crypto (13.4.3), and @polkadot/util — to a common v14 line, then regenerate yarn.lock so only one util copy resolves and BN identit
  • Model: opencode/zai-coding-plan/glm-5.2
  • Bridge attempts: 2
  • Bridge warning: opencode/kimi-for-coding/k2p7: bridge stream ended without value-audit content

🎯 Usefulness — better-approach-exists

Solo-bumping @polkadot/util 13→14 while the rest of the @polkadot/* suite stays at v13 creates a peer-dep violation and installs two copies of util (13.4.3 + 14.0.3), splitting the BN class across the v14 direct imports and the v13 api/keyring/types internals.

  • Integration: The bumped util IS reachable — 26 source files import BN/formatBalance/assert/u8aToHex from it (e.g. libs/tangle-shared-ui/src/utils/polkadot/balance.ts:1, libs/ui-components/src/utils/formatBn.ts:1). It wires in at the module-resolution level with no extra glue needed. But yarn.lock proves BOTH @polkadot/util@13.4.3 and @polkadot/util@14.0.3 are installed simultaneously, so 'integration' happens
  • Fit with existing patterns: Fights the codebase's established pattern. Every other @polkadot/* package in package.json:77-81 sits at v13 (api 13.2.1, types 13.2.1, keyring 13.4.3, util-crypto 13.4.3). The polkadot-js suite is explicitly designed to move in lockstep across majors — @polkadot/keyring@13.4.3 even pins @polkadot/util as an exact peer ('13.4.3', yarn.lock:8363). Bumping util alone to v14 breaks that invariant.
  • Real-world viability: Happy-path imports of BN/formatBalance compile and run. The failure mode is the dual-BN hazard: any BN flowing OUT of @polkadot/api (useBalances.ts, useStaking*.ts, useVaultRewards.ts results) is a v13 instance, while the v14 util's isBN()/instanceof checks and bnMax/formatBalance internals operate on v14 BN. Subtle runtime mismatches — not build errors — are the risk, which is exactly the failure
  • Model: opencode/zai-coding-plan/glm-5.2
  • Bridge attempts: 1

🎯 Usefulness Audit

🔴 Bump @polkadot/util in lockstep with the rest of the @polkadot/* suite, not alone [problem-fit]

package.json bumps only @polkadot/util to ^14.0.3 while api/types/keyring/util-crypto remain on ^13.x. yarn.lock:9369 and yarn.lock:9399 show both util@13.4.3 and util@14.0.3 installed; yarn.lock:8362-8363 shows @polkadot/keyring@13.4.3 peer-pins @polkadot/util to exactly 13.4.3. This is a peer-dependency violation and installs two BN constructors — the v14 direct imports vs the v13 internals of api/keyring/types. The established codebase pattern is a unified v13 suite. Either revert util to ^13

💰 Value Audit

🔴 Single-package major bump splits the tightly-coupled @polkadot set and ships a duplicate util copy [against-grain]

package.json:80 bumps @polkadot/util to ^14.0.3 while package.json:73 (@polkadot/api ^13.2.1), package.json:77 (@polkadot/keyring ^13.4.3), package.json:79 (@polkadot/types ^13.2.1), and package.json:81 (@polkadot/util-crypto ^13.4.3) all remain on v13. The yarn.lock confirms the split: util-crypto@13.4.3 (yarn.lock:9205) hard-pins "@polkadot/util": "npm:13.4.3", so both @polkadot/util@13.4.3 (yarn.lock:9369) and @polkadot/util@14.0.3 (yarn.lock:9399) resolve. Result: app code uses v14's BN whil


What this audit checks

It judges the change on its merits — not whether it was tasked out in an issue. Unticketed, fast-moving work is fine; the question is whether the change is good and whether a better or existing approach should be used instead.

| Pass | What it asks |
| --- | --- |
| Heuristic | Vague title? Whitespace-only or cruft-bearing diff? (content signals only) |
| Duplication | Do added function/class names already exist elsewhere in the repo? |
| Value Audit | What does it do? What goal does it achieve? Is it good? Better architecture or already-exists? |
| Usefulness Audit | Does it integrate and fit? Will it hold up in real use and actually get used? |

Findings are concerns, not blocks — the human reviewer decides what to do with them.

value-audit · 20260629T181837Z
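
The lock-file split described in the audit above (two resolved copies of `@polkadot/util`, with sibling packages still requiring 13.4.3) can be checked mechanically before a single-package major bump is merged. This is an added example, not code from this PR or from polkadot-js; the lock text is a constructed, abridged Yarn Berry-style sample, and `parseEntries` and `duplicateReport` are hypothetical helper names.

```javascript
// Added example (not from the PR). SAMPLE_LOCK is constructed, abridged Berry-style text.
const SAMPLE_LOCK = `
"@polkadot/keyring@npm:^13.4.3":
  resolution: "@polkadot/keyring@npm:13.4.3"
  peerDependencies:
    "@polkadot/util": 13.4.3

"@polkadot/util-crypto@npm:^13.4.3":
  resolution: "@polkadot/util-crypto@npm:13.4.3"
  dependencies:
    "@polkadot/util": "npm:13.4.3"

"@polkadot/util@npm:13.4.3":
  resolution: "@polkadot/util@npm:13.4.3"

"@polkadot/util@npm:^14.0.3":
  resolution: "@polkadot/util@npm:14.0.3"
`;

// Hypothetical helper: one record per lock entry, with the dep/peer ranges it requires.
function parseEntries(lockText) {
  const entries = [];
  for (const block of lockText.split(/\n\s*\n/)) {
    const res = block.match(/^ {2}resolution: "(@?[^@"]+)@npm:([^"]+)"$/m);
    if (!res) continue;
    const requires = {};
    const depLine = /^ {4}"?([^":\s]+)"?: "?(?:npm:)?([^"\n]+)"?$/gm;
    for (const [, dep, range] of block.matchAll(depLine)) requires[dep] = range;
    entries.push({ name: res[1], version: res[2], requires });
  }
  return entries;
}

// Hypothetical helper: scoped packages resolving to 2+ versions, and who requires them.
function duplicateReport(lockText, scope) {
  const entries = parseEntries(lockText);
  const report = {};
  for (const { name, version } of entries) {
    if (!name.startsWith(scope + '/')) continue;
    (report[name] = report[name] || { versions: [], requiredBy: {} }).versions.push(version);
  }
  for (const [name, info] of Object.entries(report)) {
    if (info.versions.length < 2) { delete report[name]; continue; }
    for (const e of entries) {
      if (e.requires[name]) info.requiredBy[`${e.name}@${e.version}`] = e.requires[name];
    }
  }
  return report;
}
```

Run against the real `yarn.lock` in CI, a non-empty report for a scope that is meant to move in lockstep can fail the build and names the packages still holding the old version in place.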

@tangletools

❌ Needs Work — cf77d53a

Review health 100/100 · Reviewer score 70/100 · Confidence 70/100 · 1 finding (1 high)

deepseek: Correctness 70 · Security 70 · Testing 70 · Architecture 70

Reviewer score is advisory once the run is complete and the verdict has no blockers.

Full multi-shot audit completed 2/2 planned shots over 2 changed files. Global verifier still owns final merge decision.

Blocking

🔴 HIGH Orphaned @polkadot/util major bump — companion packages not upgraded — package.json

Line 80 bumps @polkadot/util from ^13.4.3 to ^14.0.3, but @polkadot/util-crypto (line 81, ^13.4.3), @polkadot/keyring (line 77, ^13.4.3), @polkadot/api (line 73, ^13.2.1), and @polkadot/types (line 79, ^13.2.1) are all left at v13. npm confirms: `@polka


tangletools · 2026-06-29T18:19:25Z · trace

@tangletools tangletools left a comment

❌ 1 Blocking Finding — cf77d53a

Full multi-shot audit completed 2/2 planned shots over 2 changed files. Global verifier still owns final merge decision.

Full immutable report for this review: trace

Summary comment for this run: full summary


tangletools · 2026-06-29T18:19:25Z · immutable trace
