Skip to content

Commit 3c83675

Browse files
chore: update SDK dependencies and require Node 26
Rebase PR #808 onto current main, resolve conflicts, and squash dependency-update history into one signed commit.
1 parent 19b7c1b commit 3c83675

24 files changed

Lines changed: 616 additions & 319 deletions

File tree

.agents/personas/ci-release-security.md

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -7,8 +7,8 @@ out-of-scope:
77
- Code quality of build/test scripts themselves — see code-quality, style-conventions.
88
- JSDoc on any exported symbols touched by a CI script — see documentation.
99
- Test coverage of the publish flow — see test-coverage.
10-
focus: GitHub Actions workflow injection, action pinning, workflow permissions, secret exposure, publish-flow integrity, Changesets/release-bot wiring, lockfile drift, dependency hygiene, .npmrc and pnpm-workspace settings.
11-
severity-guidance: Workflow injection → critical. Floating action tags or wide default permissions → high. Lockfile drift without justification → high (runtime/peer dep) or medium (devDep only). Provenance opt-out → medium.
10+
focus: GitHub Actions workflow injection, action pinning, workflow permissions, secret exposure, publish-flow integrity, Changesets/release-bot wiring, lockfile drift, dependency hygiene, .npmrc and pnpm-workspace settings, pnpm minimum-release-age bypasses.
11+
severity-guidance: Workflow injection → critical. Floating action tags or wide default permissions → high. Lockfile drift without justification → high (runtime/peer dep) or medium (devDep only). Provenance opt-out → medium. Dependency-age bypass → high unless explicitly approved and temporary.
1212
---
1313

1414
# CI / Release Security
@@ -87,6 +87,7 @@ Per AGENTS.md §10 — release commits and annotated tags MUST have a valid sign
8787
- Registry changes (`registry=` or `@scope:registry=`) — flag any non-`registry.npmjs.org` URL for explicit human review.
8888
- `always-auth=true` or `_authToken=` committed to the repo — **critical** (credential leak).
8989
- New `auto-install-peers` / `strict-peer-dependencies` flips — flag as **medium**, surface impact on consumer install behavior.
90+
- New `minimumReleaseAgeExclude` entries or equivalent pnpm minimum-release-age bypasses — flag as **high** unless the PR includes explicit maintainer approval, a narrowly-scoped emergency reason, and removal before merge. Removing `minimumReleaseAgeStrict` is also **high**. Dependency bump PRs should wait for the configured `minimumReleaseAge` window or pin to the latest eligible version.
9091

9192
## Output expectations
9293

Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,7 @@
1+
---
2+
"@morpho-org/wdk-protocol-lending-morpho-evm": patch
3+
---
4+
5+
Refresh non-deprecated SDK dependencies.
6+
7+
- Update runtime dependencies in `@morpho-org/wdk-protocol-lending-morpho-evm`.

.github/workflows/build.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -12,11 +12,11 @@ jobs:
1212
runs-on: ubuntu-latest
1313

1414
steps:
15-
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
15+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
1616
with:
1717
persist-credentials: false
1818

19-
- uses: pnpm/action-setup@d15e628ca66d93ee5f352c71671a7bc6a97af5c9 # v6.0.8
19+
- uses: pnpm/action-setup@008330803749db0355799c700092d9a85fd074e9 # v6.0.9
2020

2121
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
2222
with:

.github/workflows/lint.yml

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -11,11 +11,11 @@ jobs:
1111
runs-on: ubuntu-latest
1212

1313
steps:
14-
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
14+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
1515
with:
1616
persist-credentials: false
1717

18-
- uses: pnpm/action-setup@d15e628ca66d93ee5f352c71671a7bc6a97af5c9 # v6.0.8
18+
- uses: pnpm/action-setup@008330803749db0355799c700092d9a85fd074e9 # v6.0.9
1919

2020
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
2121
with:

.github/workflows/publish.yml

Lines changed: 5 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -20,13 +20,13 @@ jobs:
2020
TARGET_BRANCH: ${{ github.ref_name }}
2121

2222
steps:
23-
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
23+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
2424
with:
2525
ref: ${{ github.sha }}
2626
fetch-depth: 0
2727
persist-credentials: false
2828

29-
- uses: pnpm/action-setup@d15e628ca66d93ee5f352c71671a7bc6a97af5c9 # v6.0.8
29+
- uses: pnpm/action-setup@008330803749db0355799c700092d9a85fd074e9 # v6.0.9
3030

3131
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
3232
with:
@@ -35,9 +35,8 @@ jobs:
3535
registry-url: https://registry.npmjs.org
3636
scope: '@morpho-org'
3737

38-
# Trusted publishing requires npm >= 11.5.1, but Node 22.22.2's bundled npm 10.9.7
39-
# currently fails to self-upgrade directly to npm@latest with MODULE_NOT_FOUND
40-
# (missing promise-retry). Pin a known-good npm 11 release instead.
38+
# Trusted publishing requires npm >= 11.5.1. Pin a known-good npm 11 release
39+
# so hosted-runner npm bundle changes do not affect release provenance.
4140
- run: npm install -g npm@11.11.0
4241

4342
- name: Record privileged-step baseline
@@ -383,7 +382,7 @@ jobs:
383382
TARGET_BRANCH: ${{ github.ref_name }}
384383

385384
steps:
386-
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
385+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
387386
with:
388387
ref: ${{ github.sha }}
389388
persist-credentials: false

.github/workflows/test.yml

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -18,19 +18,19 @@ jobs:
1818
runs-on: ubuntu-latest
1919

2020
steps:
21-
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
21+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
2222
with:
2323
persist-credentials: false
2424

25-
- uses: pnpm/action-setup@d15e628ca66d93ee5f352c71671a7bc6a97af5c9 # v6.0.8
25+
- uses: pnpm/action-setup@008330803749db0355799c700092d9a85fd074e9 # v6.0.9
2626

2727
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
2828
with:
2929
node-version-file: .nvmrc
3030
cache: pnpm
3131

3232
- name: Restore Foundry cache
33-
uses: actions/cache/restore@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
33+
uses: actions/cache/restore@2c8a9bd7457de244a408f35966fab2fb45fda9c8 # v6
3434
with:
3535
path: ~/.foundry/cache/rpc
3636
key: foundry-${{ github.job }}-${{ github.sha }}
@@ -51,7 +51,7 @@ jobs:
5151

5252
- name: Save Foundry cache
5353
if: always()
54-
uses: actions/cache/save@27d5ce7f107fe9357f9df03efb73ab90386fccae # v5
54+
uses: actions/cache/save@2c8a9bd7457de244a408f35966fab2fb45fda9c8 # v6
5555
with:
5656
path: ~/.foundry/cache/rpc
5757
key: foundry-${{ github.job }}-${{ github.sha }}

.github/workflows/version-pr.yml

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -24,13 +24,13 @@ jobs:
2424
TARGET_BRANCH: ${{ github.ref_name }}
2525

2626
steps:
27-
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
27+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
2828
with:
2929
ref: ${{ github.sha }}
3030
fetch-depth: 0
3131
persist-credentials: false
3232

33-
- uses: pnpm/action-setup@d15e628ca66d93ee5f352c71671a7bc6a97af5c9 # v6.0.8
33+
- uses: pnpm/action-setup@008330803749db0355799c700092d9a85fd074e9 # v6.0.9
3434

3535
- uses: actions/setup-node@48b55a011bda9f5d6aeb4c2d9c7362e8dae4041e # v6
3636
with:
@@ -103,7 +103,7 @@ jobs:
103103
RELEASE_BRANCH: changeset-release/${{ github.ref_name }}
104104

105105
steps:
106-
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
106+
- uses: actions/checkout@9c091bb21b7c1c1d1991bb908d89e4e9dddfe3e0 # v7
107107
with:
108108
ref: ${{ github.sha }}
109109
fetch-depth: 0

.nvmrc

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1 +1 @@
1-
22
1+
26

AGENTS.md

Lines changed: 3 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -164,14 +164,15 @@ A scannable list of patterns reviewers reject. Most are review-only today (per t
164164
- **Migration guides on every major**, with codemods where mechanical.
165165
- **Cantina audit on every major release**, with the public report linked from the CHANGELOG entry. Critical CVEs trigger out-of-band patches.
166166
- **Pre-release dogfood on every minor:** at least one internal app and one external partner before the `latest` tag flips.
167+
- **Respect pnpm minimum release age when bumping releases.** Keep `minimumReleaseAgeStrict` enabled and do not add `minimumReleaseAgeExclude` (or equivalent bypasses) to force freshly-published dependencies through dependency bump PRs. If a dependency is too new, wait for the configured `minimumReleaseAge` window or pin to the latest eligible version; emergency bypasses require explicit maintainer approval and must be removed before merge.
167168

168169
> Applied by personas: [`style-conventions`](./.agents/personas/style-conventions.md) (changeset relevance), [`morpho-protocol`](./.agents/personas/morpho-protocol.md) (pinned ABI/address release contract), [`ci-release-security`](./.agents/personas/ci-release-security.md) (publish-flow integrity, conditional).
169170
170171
---
171172

172173
## 8. Code style & tooling
173174

174-
- pnpm + Node ≥22. Root checks: `pnpm lint` and `pnpm test`.
175+
- pnpm + Node ≥26. Root checks: `pnpm lint` and `pnpm test`.
175176
- Biome owns style: 2-space indent, organized imports, no unused imports or variables.
176177
- NodeNext module resolution; relative imports include `.js` (`export * from "./market/index.js"`).
177178
- Type-only imports where possible (`import type { Address } from "viem"`).
@@ -243,5 +244,6 @@ These are the rules `ci-release-security` enforces. They live here as source of
243244
- **Dependency hygiene.** New deps in `dependencies` or `peerDependencies` of a published package default to **high** for review. Flag unpinned semver ranges (`^`/`~`) on runtime deps, names that resemble typosquats of known packages, and deps whose registry metadata declares `postinstall` / `preinstall` / `install` scripts.
244245
- **`.npmrc` hardening.** `always-auth=true` or `_authToken=` committed to the repo is **critical** — credential leak. Non-`registry.npmjs.org` `registry=` or `@scope:registry=` lines require explicit human review (could redirect to a malicious registry).
245246
- **Workspace install behavior.** Flips of `auto-install-peers` or `strict-peer-dependencies` in `.npmrc` or `pnpm-workspace.yaml` are **medium** — surface the impact on consumer install behavior in the review comment.
247+
- **pnpm minimum-release-age bypasses.** `minimumReleaseAgeExclude` (or equivalent age-check bypasses) in `.npmrc` or `pnpm-workspace.yaml` are **high** unless the PR includes explicit maintainer approval, a narrowly-scoped emergency reason, and removal before merge. Removing `minimumReleaseAgeStrict` is also **high**. Dependency bump PRs should wait for the configured `minimumReleaseAge` window or pin to the latest eligible version.
246248

247249
> Applied by persona: [`ci-release-security`](./.agents/personas/ci-release-security.md).

CONTRIBUTING.md

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -6,8 +6,8 @@ This monorepo contains the TypeScript SDK packages used to interact with the Mor
66

77
### Prerequisites
88

9-
- Node.js `>=22`
10-
- pnpm `10`, declared by the root `packageManager` field
9+
- Node.js `>=26 <27`
10+
- pnpm `11`, declared by the root `packageManager` field
1111
- Git
1212
- An Ethereum mainnet RPC URL for fork-backed tests
1313

0 commit comments

Comments
 (0)