
chore(release): v4.0.8 #175

Merged
igorls merged 1 commit into dev from release/4.0.8
Jun 2, 2026
igorls (Member) commented Jun 2, 2026

v4.0.8 — release prep into dev

Quick release bundling the changes merged to dev since 4.0.7, plus the open ws security advisory and a few safe dependency bumps. This PR targets dev — the publish step (merge dev → main + tag v4.0.8) is intentionally separate.

Version

4.0.7 → 4.0.8 (package.json — the only place the version is hardcoded).

CHANGELOG

Renamed Unreleased (dev) → ## 4.0.8 (2026-06-02) and documented the changes that were merged but not yet in the changelog:

| Change | Type | Source |
| --- | --- | --- |
| get_actions sort=asc mixed date/block bounds | Fix | #174 |
| get_tokens missing balances / token-contract detection | Fix | #170 |
| ds_pool dropped traces for unassigned contracts | Fix | #169 |
| hyp-control indexer stop control_port=7002 fallback | Fix | |
| Accurate sync accounts live progress | Improvement | #171 |
| ws transitive advisory override | Security | this PR |
| Dependency bumps + CI-on-dev | Maintenance | #168 |

Security

  • ws: Uninitialized memory disclosure (medium / Dependabot #214). Direct ws was already 8.20.1, but transitive deps still resolved ws@8.17.1 / 8.18.x. Added "overrides": { "ws": "8.20.1" } so the whole tree resolves to the patched version. Verified: a single runtime ws@8.20.1 in both bun.lock and package-lock.json, no nested old copy. (Clears #214 once this reaches main.)

Dependency bumps (safe)

nodemailer 8.0.7 → 8.0.10 (patch) · ioredis 5.10.1 → 5.11.0 (minor) · @types/node 25.5.0 → 25.9.1 (dev). Both lockfiles regenerated.

Deliberately deferred (not "quick release" material): @elastic/elasticsearch 8→9 and commander 14→15 (majors), @eosrio/node-abieos 4.1→4.2 (native). Also still open: 2 low-severity elliptic advisories with no upstream fix available — left as-is.

Verification

  • tsc --noEmit — clean (confirms the @types/node bump doesn't break the build).
  • bun test tests/unit → 106/106 pass.
  • Lockfiles regenerated with bun install + npm install --package-lock-only; ws resolution confirmed.

After merge (publish checklist, separate)

  1. Merge dev → main.
  2. Tag v4.0.8 on main.
  3. Confirm Dependabot #214 closes.

Finalize the 4.0.8 release on dev.

- Bump version 4.0.7 -> 4.0.8.
- CHANGELOG: rename "Unreleased (dev)" -> "4.0.8 (2026-06-02)" and document
  the merged-but-undocumented changes: ds_pool unassigned-contract routing
  (#169), control_port=7002 CLI fallback, accurate sync-accounts live
  progress (#171), and CI-on-dev (#168) — alongside the already-listed
  get_actions mixed-bounds fix (#174) and get_tokens/sync-accounts token
  detection (#170).

Security + safe dependency bumps:
- overrides: pin ws to 8.20.1 across the tree. Direct ws was already 8.20.1
  but transitive deps still resolved ws@8.17.1 / 8.18.x (< 8.20.1), leaving
  the medium "Uninitialized memory disclosure" advisory open. Now unified.
- nodemailer 8.0.7 -> 8.0.10, ioredis 5.10.1 -> 5.11.0, @types/node
  25.5.0 -> 25.9.1.
- Regenerated bun.lock and package-lock.json.

Verified: tsc --noEmit clean, 106/106 unit tests pass, single runtime ws
(8.20.1) in both lockfiles. (2 low-sev elliptic advisories remain with no
fix available upstream — out of scope.)
Copilot AI review requested due to automatic review settings June 2, 2026 01:09
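
The lockfile check described in the Security and Verification sections above, as an added example (not code from this PR or the project): it walks the `packages` map of a parsed npm lockfile and reports every installed `ws` copy below 8.20.1, including nested ones. The lockfile fragments and the `dep-a` / `dep-b` / `@scope/ws` names are constructed for illustration.

```javascript
// Added example (not project code): audit a parsed package-lock.json
// (lockfileVersion 2/3) for every installed copy of one package.

// Compare plain x.y.z versions numerically; prerelease/build suffixes
// are ignored (assumption). Returns <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split(/[-+]/)[0].split('.').map(Number);
  const pb = b.split(/[-+]/)[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every entry whose last node_modules segment is exactly `name`, so nested
// copies such as node_modules/dep-a/node_modules/ws are included.
// Entries without a version string (e.g. workspace links) are skipped.
function findCopies(lock, name) {
  const tail = 'node_modules/' + name;
  return Object.entries(lock.packages || {})
    .filter(([p, meta]) => (p === tail || p.endsWith('/' + tail)) &&
                           typeof meta.version === 'string')
    .map(([p, meta]) => ({ path: p, version: meta.version }));
}

// unified is true only when exactly one version is installed and it is >= minVersion.
function auditPackage(lock, name, minVersion) {
  const copies = findCopies(lock, name);
  const stale = copies.filter((c) => compareVersions(c.version, minVersion) < 0);
  const versions = new Set(copies.map((c) => c.version));
  return { copies, stale, unified: versions.size === 1 && stale.length === 0 };
}

// Constructed lockfile fragments; dep-a and dep-b are hypothetical names.
const LOCK_BEFORE = { lockfileVersion: 3, packages: {
  'node_modules/ws': { version: '8.20.1' },
  'node_modules/dep-a/node_modules/ws': { version: '8.17.1' },
  'node_modules/dep-b/node_modules/ws': { version: '8.18.0' },
  'node_modules/@scope/ws': { version: '1.0.0' }, // different package, must not match
} };
const LOCK_AFTER = { lockfileVersion: 3, packages: {
  'node_modules/ws': { version: '8.20.1' },
  'node_modules/dep-a': { version: '2.0.0' },
} };

console.log(auditPackage(LOCK_BEFORE, 'ws', '8.20.1').stale);   // the two nested copies
console.log(auditPackage(LOCK_AFTER, 'ws', '8.20.1').unified);  // true
```

To run it against a real tree, pass the parsed contents of package-lock.json as `lock`; a non-empty `stale` list means the override has not taken effect for that path.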

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request bumps the project version to 4.0.8, updates several dependencies including ioredis, nodemailer, and @types/node, and adds a dependency override to pin ws to version 8.20.1 to address a security advisory. The CHANGELOG.md is also updated to document these changes alongside recent fixes and improvements. There are no review comments, and I have no feedback to provide.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.


Copilot AI left a comment


Pull request overview

Release-prep PR for v4.0.8 on the dev branch, updating the project version, changelog, and lockfiles while ensuring the ws advisory is closed via a dependency-tree-wide override.

Changes:

  • Bump version from 4.0.7 → 4.0.8 in package.json and package-lock.json.
  • Add package.json.overrides to pin ws to 8.20.1 across transitive dependencies, and regenerate both bun.lock and package-lock.json.
  • Finalize CHANGELOG.md entry for 4.0.8 (2026-06-02) documenting the fixes/improvements/security/maintenance items included in this release.

Reviewed changes

Copilot reviewed 2 out of 4 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| package.json | Version bump to 4.0.8, dependency bumps, and ws override to 8.20.1. |
| package-lock.json | Lockfile regen reflecting bumped deps and a single resolved ws@8.20.1. |
| bun.lock | Lockfile regen reflecting bumped deps and overrides.ws = 8.20.1. |
| CHANGELOG.md | Rename “Unreleased (dev)” to 4.0.8 (2026-06-02) and document included changes. |


@igorls igorls merged commit 3aeb3ce into dev Jun 2, 2026
3 checks passed
@igorls igorls deleted the release/4.0.8 branch June 2, 2026 05:28