chore: bump @polkadot/util from 13.4.3 to 14.0.3 #3314
Bumps [@polkadot/util](https://github.com/polkadot-js/common/tree/HEAD/packages/util) from 13.4.3 to 14.0.3.
- [Release notes](https://github.com/polkadot-js/common/releases)
- [Changelog](https://github.com/polkadot-js/common/blob/master/CHANGELOG.md)
- [Commits](https://github.com/polkadot-js/common/commits/v14.0.3/packages/util)

---
updated-dependencies:
- dependency-name: "@polkadot/util"
  dependency-version: 14.0.3
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
tangletools
left a comment
🟠 Value Audit — better-approach-exists

| Field | Value |
|---|---|
| Verdict | better-approach-exists |
| Concerns | 2 (2 strong-concern) |
| Heuristic | 0.0s |
| Duplication | 0.0s |
| Interrogation | 120.2s (2 bridge agents) |
| Total | 120.2s |
💰 Value — better-approach-exists
Bumps @polkadot/util 13→14 in isolation while every sibling @polkadot package stays on v13, so the lock file now resolves two copies of util and the app's BN stops matching the one @polkadot/api returns — a coordinated full-set bump is the right way to cross a major in this ecosystem.
- What it does: Single-line dependency bump in package.json:80 from "@polkadot/util": "^13.4.3" to "^14.0.3". No code changes. This is a MAJOR version jump (13→14) in the @polkadot-js/common util package. The v14 changelog ships: sr25519 switched from wasm to micro-sr25519 (v14.0.1), RN crypto prioritized over polyfill, Ledger transport reset + explicit disconnect API (v14.0.3), and a secp256k1Expand x/y getter f
- Goals it achieves: Stated goal is routine dep freshness. Inferred from the code, the goal is negligible: the app imports only BN, BN_ZERO, bnMax, assert, u8aToHex/u8aToString, formatBalance (30 source files) — all unchanged across v13/v14. No v14-only feature is consumed, so the bump delivers no functional or security delta to this codebase.
- Assessment: Fights the documented grain of the @polkadot-js ecosystem, which is version-coupled and ships as a coordinated set. The harm is concrete and verified in the lock file: @polkadot/util-crypto@13.4.3 (yarn.lock:9205) pins "@polkadot/util": "npm:13.4.3" exactly, and @polkadot/keyring/api/types all transitively require util@13. So after this bump yarn.lock resolves BOTH @polkadot/util@13.4.3 (line 9369
- Better / existing approach: Searched package.json + yarn.lock for the sibling set and for how util is consumed. The materially better approach is a coordinated bump of the ENTIRE @polkadot set together — @polkadot/api (13.2.1), @polkadot/keyring (13.4.3), @polkadot/types (13.2.1), @polkadot/util-crypto (13.4.3), and @polkadot/util — to a common v14 line, then regenerate yarn.lock so only one util copy resolves and BN identit
- Model: opencode/zai-coding-plan/glm-5.2
- Bridge attempts: 2
- Bridge warning: opencode/kimi-for-coding/k2p7: bridge stream ended without value-audit content
🎯 Usefulness — better-approach-exists
Solo-bumping @polkadot/util 13→14 while the rest of the @polkadot/* suite stays at v13 creates a peer-dep violation and installs two copies of util (13.4.3 + 14.0.3), splitting the BN class across the v14 direct imports and the v13 api/keyring/types internals.
- Integration: The bumped util IS reachable — 26 source files import BN/formatBalance/assert/u8aToHex from it (e.g. libs/tangle-shared-ui/src/utils/polkadot/balance.ts:1, libs/ui-components/src/utils/formatBn.ts:1). It wires in at the module-resolution level with no extra glue needed. But yarn.lock proves BOTH @polkadot/util@13.4.3 and @polkadot/util@14.0.3 are installed simultaneously, so 'integration' happens
- Fit with existing patterns: Fights the codebase's established pattern. Every other @polkadot/* package in package.json:77-81 sits at v13 (api 13.2.1, types 13.2.1, keyring 13.4.3, util-crypto 13.4.3). The polkadot-js suite is explicitly designed to move in lockstep across majors — @polkadot/keyring@13.4.3 even pins @polkadot/util as an exact peer ('13.4.3', yarn.lock:8363). Bumping util alone to v14 breaks that invariant.
- Real-world viability: Happy-path imports of BN/formatBalance compile and run. The failure mode is the dual-BN hazard: any BN flowing OUT of @polkadot/api (useBalances.ts, useStaking*.ts, useVaultRewards.ts results) is a v13 instance, while the v14 util's isBN()/instanceof checks and bnMax/formatBalance internals operate on v14 BN. Subtle runtime mismatches — not build errors — are the risk, which is exactly the failure
- Model: opencode/zai-coding-plan/glm-5.2
- Bridge attempts: 1
🎯 Usefulness Audit
🔴 Bump @polkadot/util in lockstep with the rest of the @polkadot/* suite, not alone [problem-fit]
package.json bumps only @polkadot/util to ^14.0.3 while api/types/keyring/util-crypto remain on ^13.x. yarn.lock:9369 and yarn.lock:9399 show both util@13.4.3 and util@14.0.3 installed; yarn.lock:8362-8363 shows @polkadot/keyring@13.4.3 peer-pins @polkadot/util to exactly 13.4.3. This is a peer-dependency violation and installs two BN constructors — the v14 direct imports vs the v13 internals of api/keyring/types. The established codebase pattern is a unified v13 suite. Either revert util to ^13
💰 Value Audit
🔴 Single-package major bump splits the tightly-coupled @polkadot set and ships a duplicate util copy [against-grain]
package.json:80 bumps @polkadot/util to ^14.0.3 while package.json:73 (@polkadot/api ^13.2.1), package.json:77 (@polkadot/keyring ^13.4.3), package.json:79 (@polkadot/types ^13.2.1), and package.json:81 (@polkadot/util-crypto ^13.4.3) all remain on v13. The yarn.lock confirms the split: util-crypto@13.4.3 (yarn.lock:9205) hard-pins "@polkadot/util": "npm:13.4.3", so both @polkadot/util@13.4.3 (yarn.lock:9369) and @polkadot/util@14.0.3 (yarn.lock:9399) resolve. Result: app code uses v14's BN whil
What this audit checks
It judges the change on its merits — not whether it was tasked out in an issue. Unticketed, fast-moving work is fine; the question is whether the change is good and whether a better or existing approach should be used instead.
| Pass | What it asks |
|---|---|
| Heuristic | Vague title? Whitespace-only or cruft-bearing diff? (content signals only) |
| Duplication | Do added function/class names already exist elsewhere in the repo? |
| Value Audit | What does it do? What goal does it achieve? Is it good? Better architecture or already-exists? |
| Usefulness Audit | Does it integrate and fit? Will it hold up in real use and actually get used? |
Findings are concerns, not blocks — the human reviewer decides what to do with them.
❌ Needs Work
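The dual-copy resolution the audit above points at can be checked mechanically rather than by reading yarn.lock by hand. The following is an added example, not code from this PR, the tangletools bot or the polkadot-js project; it assumes the Yarn Berry lockfile layout and runs over a constructed lockfile snippet that mirrors the split the audit describes.

```javascript
// Added example, not code from the PR or from polkadot-js: detects one package resolving to
// two copies in yarn.lock. Assumes the Yarn Berry layout (unindented `"name@npm:range, ...":`
// headers followed by an indented `version: x.y.z` line); Yarn 1's `version "x.y.z"` also parses.
const SAMPLE_LOCK = `
"@polkadot/util-crypto@npm:13.4.3":
  version: 13.4.3
  dependencies:
    "@polkadot/util": "npm:13.4.3"

"@polkadot/util@npm:13.4.3":
  version: 13.4.3
"@polkadot/util@npm:^14.0.3":
  version: 14.0.3
`; // constructed sample, not the repository's real lockfile

// Map each package name to the set of versions the lockfile resolves for it.
function resolvedVersions(lockText) {
  const versions = new Map();
  let names = null; // package names listed by the current header line
  for (const raw of lockText.split("\n")) {
    if (raw.trim() === "" || raw.startsWith("#")) continue;
    if (!/^\s/.test(raw) && raw.endsWith(":")) {
      // Header: comma-separated descriptors such as @scope/name@npm:^1.2.3
      names = raw.slice(0, -1).replace(/"/g, "").split(",").map((d) => {
        const desc = d.trim();
        const at = desc.lastIndexOf("@"); // scoped names start with '@', so use the last one
        return at > 0 ? desc.slice(0, at) : null;
      }).filter(Boolean);
      continue;
    }
    const m = raw.match(/^\s+version:?\s+"?([^"\s]+)"?\s*$/);
    if (m && names) {
      for (const n of new Set(names)) {
        if (!versions.has(n)) versions.set(n, new Set());
        versions.get(n).add(m[1]);
      }
      names = null; // only the block's own version line counts, not nested dependency lines
    }
  }
  return versions;
}

// Packages under `scope` that resolve to more than one copy; for a version-coupled suite
// such as @polkadot/* this is the split that makes `instanceof BN` disagree across copies.
function duplicateResolutions(lockText, scope) {
  const out = {};
  for (const [name, vs] of resolvedVersions(lockText)) {
    if (name.startsWith(scope) && vs.size > 1) out[name] = [...vs].sort();
  }
  return out;
}
```

Run against the real yarn.lock after a bump, a non-empty result for the `@polkadot/` scope is the signal that the set was not moved together.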
tangletools
left a comment
❌ 1 Blocking Finding — cf77d53a
Full multi-shot audit completed 2/2 planned shots over 2 changed files. Global verifier still owns final merge decision.
Full immutable report for this review: trace
Summary comment for this run: full summary
tangletools · 2026-06-29T18:19:25Z · immutable trace
Bumps @polkadot/util from 13.4.3 to 14.0.3.
Release notes
Sourced from @polkadot/util's releases.
... (truncated)
Changelog
Sourced from @polkadot/util's changelog.
... (truncated)
Commits
- 9281daa [CI Skip] release/stable 14.0.3
- c7ed69f 14.0.3 (#2025)
- 22a1246 [CI Skip] bump/beta 14.0.3-0-x
- 152d460 [CI Skip] release/stable 14.0.2
- 4ab957e 14.0.2 (#2023)
- 610c8bb [CI Skip] bump/beta 14.0.2-1-x
- a8732a9 [CI Skip] bump/beta 14.0.2-0-x
- 8d3cb0e Set headers to 2026 (#2021)
- fe0886b [CI Skip] release/stable 14.0.1
- bac357a 14.0.1 (#2014)

Maintainer changes
This version was pushed to npm by paritytech-ci, a new releaser for @polkadot/util since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)