
chore: Synchronize Endo versions 2026-04 #12618

Draft
kriskowal wants to merge 9 commits into master from kriskowal-endo-sync-2026-04

Conversation

@kriskowal
Member

@kriskowal kriskowal commented Apr 16, 2026

Refs: #12527

Pull request #12527 was proposed by a bot that could not make itself recognized by the merge bot.

Copilot AI and others added 9 commits April 15, 2026 20:44

Co-authored-by: kriskowal <60294+kriskowal@users.noreply.github.com>

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The new @endo/bundle-source types declare `load()` as returning
`Promise<unknown>` instead of a specific bundle type. Add casts
where needed to satisfy downstream type expectations.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Endo bump increased consumedByStartVat from ~7.5M to ~8.2M
computrons, causing metering tests to fail. Increase the
allocation from 7.5M to 8.5M to provide sufficient headroom.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

…undles

The new @endo/compartment-mapper@2.0.0 adds __createdBy metadata to
module configurations in digested compartment maps. This causes bundle
validation failures when bundles built with the new version are loaded
by older runtimes (e.g. a3p pre-upgrade proposals) that reject unknown
properties. Strip __createdBy from digest output for compatibility.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@kriskowal kriskowal force-pushed the kriskowal-endo-sync-2026-04 branch from 9012801 to 834acbd on April 16, 2026 03:44
@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action: Warn
Severity: Critical
Alert: Critical CVE: npm form-data uses unsafe random function in form-data for choosing boundary

CVE: GHSA-fjxv-7rqg-78g4 form-data uses unsafe random function in form-data for choosing boundary (CRITICAL)

Affected versions: < 2.5.4; >= 3.0.0 < 3.0.4; >= 4.0.0 < 4.0.4

Patched version: 4.0.4

From: npm/agoric@0.21.2-dev-ee18609.0 → npm/form-data@4.0.2


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/form-data@4.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

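As an added example (not code from this PR, the Agoric repository, or Socket's tooling): a small checker that evaluates resolved npm versions against the advisory's affected ranges exactly as Socket prints them above. It assumes the simple `<` / `>=` comparator syntax shown and, as a stated limitation, treats prerelease tags as their base version.

```javascript
// Added example: audit resolved versions against the advisory ranges
// quoted above ("< 2.5.4; >= 3.0.0 < 3.0.4; >= 4.0.0 < 4.0.4").
const FORM_DATA_AFFECTED = '< 2.5.4; >= 3.0.0 < 3.0.4; >= 4.0.0 < 4.0.4';
const FORM_DATA_PATCHED = '4.0.4';

// Parse "major.minor.patch"; a prerelease suffix such as "-dev" is ignored,
// so "4.0.4-beta" is treated as 4.0.4 (a simplification, not full semver).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i += 1) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Each ';'-separated clause is a set of comparators that must all hold;
// a version is affected if any clause matches.
function parseAffected(spec) {
  return spec.split(';').map(clause =>
    [...clause.matchAll(/(<=|>=|<|>)\s*([\d.]+)/g)].map(m => ({ op: m[1], v: m[2] })),
  );
}

const ops = {
  '<': c => c < 0,
  '<=': c => c <= 0,
  '>': c => c > 0,
  '>=': c => c >= 0,
};

function isAffected(version, spec = FORM_DATA_AFFECTED) {
  return parseAffected(spec).some(set =>
    set.every(({ op, v }) => ops[op](compareVersions(version, v))),
  );
}

// Returns the subset of resolved versions that fall in an affected range.
function auditVersions(versions, spec = FORM_DATA_AFFECTED) {
  return versions.filter(v => isAffected(v, spec));
}

// Constructed sample of resolved form-data versions, as a lockfile audit
// might list them; 4.0.2 is the version flagged in this PR.
const sample = ['2.3.3', '2.5.4', '3.0.1', '4.0.2', FORM_DATA_PATCHED];
console.log(auditVersions(sample)); // → [ '2.3.3', '3.0.1', '4.0.2' ]
```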


4 participants