
Conversation

stalniy commented Oct 23, 2025

Why

cosmjs < 0.34 has a security vulnerability introduced by the elliptic package (cosmos/cosmjs#1272). Fixes #576

pyramation (Collaborator) commented

thanks for the PR! Looks like one dependency is missing?

$ jest
FAIL __tests__/bases/chain-wallet.test.ts
  ● Test suite failed to run

    Cannot find module '@noble/hashes/legacy' from '../../node_modules/@cosmjs/crypto/build/ripemd.js'

webmaster128 commented

Heyhey. You found a bug in CosmJS there. The min version of @noble/hashes we need is 1.8.0. See cosmos/cosmjs#1884

You can fix this by manually deleting the block

"@noble/[email protected]", "@noble/hashes@^1", "@noble/hashes@^1.2.0", "@noble/hashes@^1.4.0", "@noble/hashes@^1.5.0":
  version "1.7.0"
  resolved "https://registry.yarnpkg.com/@noble/hashes/-/hashes-1.7.0.tgz#5d9e33af2c7d04fee35de1519b80c958b2e35e39"
  integrity sha512-HXydb0DgzTpDPwbVeDGCG1gIu7X6+AuU6Zl6av/E/KG8LMsvPntvq+w17CHRpKBmN6Ybdrt1eP3k4cj8DJa78w==

and then run yarn install again. This then uses only 1.8.0 for all the listed dependencies.

stalniy (Author) commented Oct 24, 2025

@webmaster128 Thank you for commenting here!

I think the fix you suggest won't work when users install cosmos-kit in their apps, right? I've been looking at your recent changes and I see that v0.37-rc0 contains the fix for the .js extension in the @noble/hashes/legacy.js import. Do you have an ETA for the stable v0.37 version? Or does it make sense to backport that fix into v0.36.x?

stalniy (Author) commented Oct 24, 2025

@pyramation I've been trying to fix it locally, but it seems that this is not fixable without a new cosmjs release. There are also dependencies like @leapwallet/cosmos-snap-provider which depend on an old version of cosmjs/amino or cosmjs/proto-signing, which ideally should also be updated.

For example:

% yarn list @cosmjs/amino 
yarn list v1.22.22

├─ @cosmjs/[email protected]
├─ @cosmjs/[email protected]
│  └─ @cosmjs/[email protected]
├─ @cosmjs/[email protected]
│  └─ @cosmjs/[email protected]
├─ @cosmjs/[email protected]
│  └─ @cosmjs/[email protected]
├─ @cosmos-kit/[email protected]
│  └─ @cosmjs/[email protected]
└─ @leapwallet/[email protected] // <----------
   └─ @cosmjs/[email protected]
✨  Done in 0.27s.

and

├─ @cosmjs/[email protected]
│  └─ @cosmjs/[email protected]
├─ @cosmjs/[email protected]
├─ @leapwallet/[email protected]
│  └─ @cosmjs/[email protected]
└─ @leapwallet/[email protected] // <------
   └─ @cosmjs/[email protected]

and @cosmsnap/snapper depends on "@cosmjs/amino": "^0.31.3"
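Both points above, webmaster128's "delete the stale @noble/hashes block and re-run yarn install" and the `yarn list` hunt for which third-party package still drags in an old @cosmjs/amino (and with it elliptic), can be checked mechanically against the lockfile. The script below is an added example, not code from cosmos-kit or CosmJS: it parses yarn.lock v1 syntax, reports blocks of a package resolved below a required minimum split into keys yarn would re-resolve on its own and keys that are pinned by some dependent, and prints every dependency chain ending at a given package. The embedded lockfile is constructed for the example; the package names follow the thread, but all ranges and versions are made up and "@example/old-wallet-provider" is a placeholder for any package still requiring an old @cosmjs/amino.

```javascript
// Constructed sample yarn.lock (v1 syntax), for illustration only: package names follow the thread
// (@cosmjs/*, @noble/hashes, elliptic) but every range and version is made up, and
// "@example/old-wallet-provider" stands in for any third-party package still requiring an old
// @cosmjs/amino. resolved/integrity lines and the blank lines between blocks are left out.
const SAMPLE_LOCK = `# yarn lockfile v1
"@example/old-wallet-provider@^1.0.0":
  version "1.0.0"
  dependencies:
    "@cosmjs/amino" "^0.31.3"
"@cosmjs/amino@^0.31.3":
  version "0.31.3"
  dependencies:
    "@cosmjs/crypto" "^0.31.3"
"@cosmjs/crypto@^0.31.3":
  version "0.31.3"
  dependencies:
    "@noble/hashes" "^1.2.0"
    elliptic "^6.5.4"
"@noble/hashes@1.7.0", "@noble/hashes@^1.2.0", "@noble/hashes@^1.5.0":
  version "1.7.0"
"@noble/hashes@^1", "@noble/hashes@^1.8.0":
  version "1.8.0"
elliptic@^6.5.4:
  version "6.5.4"
`;

// Parse v1 blocks into { keys: ["name@range", ...], version, dependencies: { name: range } }.
function parseYarnLockV1(text) {
  const entries = []; let cur = null, inDeps = false;
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue;
    if (!raw.startsWith(' ')) {                    // block header:  "a@^1", "a@^1.2":
      cur = { keys: line.replace(/:$/, '').split(',').map((k) => k.trim().replace(/^"|"$/g, '')),
              version: null, dependencies: {} };
      entries.push(cur); inDeps = false;
    } else if (inDeps && raw.startsWith('    ')) { // dependency line:  "name" "range"
      const m = line.match(/^"?([^"\s]+)"?\s+"?([^"]+)"?$/);
      if (m) cur.dependencies[m[1]] = m[2];
    } else {                                       // version / resolved / integrity / dependencies:
      inDeps = line === 'dependencies:' || line === 'optionalDependencies:';
      if (line.startsWith('version ')) cur.version = line.slice(8).replace(/^"|"$/g, '');
    }
  }
  return entries;
}
const nameOf = (key) => key.slice(0, key.lastIndexOf('@'));
const rangeOf = (key) => key.slice(key.lastIndexOf('@') + 1);

// Minimal semver: "1", "1.8" and "1.8.0-rc.1" all parse; a pre-release sorts below its release
// (pre-release identifiers are not ordered against each other here).
function parseSemver(v) {
  const m = v.match(/^(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:-([0-9A-Za-z.-]+))?$/);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return { nums: [+m[1], +(m[2] || 0), +(m[3] || 0)], pre: m[4] || null };
}
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) if (x.nums[i] !== y.nums[i]) return x.nums[i] < y.nums[i] ? -1 : 1;
  return !!x.pre === !!y.pre ? 0 : x.pre ? -1 : 1;
}

// Does `range` admit `version`? Exact versions and caret ranges with a non-zero major are handled;
// anything else (including ^0.x, whose caret rules differ) returns null rather than a guess.
function rangeAllows(range, version) {
  if (range.startsWith('^')) {
    const base = range.slice(1), major = parseSemver(base).nums[0];
    return major === 0 ? null : compareSemver(version, base) >= 0 && parseSemver(version).nums[0] === major;
  }
  return /^\d/.test(range) ? compareSemver(version, range) === 0 : null;
}

// Blocks for `name` resolved below `minVersion`. `reresolvable` keys carry a range that already admits
// `minVersion` (delete the block, re-run `yarn install`, yarn picks it up); `blocking` keys are an exact
// pin or a range this checker cannot evaluate, and need a release from whoever declares them.
function staleEntries(entries, name, minVersion) {
  return entries
    .filter((e) => e.version && nameOf(e.keys[0]) === name && compareSemver(e.version, minVersion) < 0)
    .map((e) => {
      const ok = (k) => rangeAllows(rangeOf(k), minVersion) === true;
      return { version: e.version, reresolvable: e.keys.filter(ok), blocking: e.keys.filter((k) => !ok(k)) };
    });
}

// Every dependency chain ending at `target`, as ["root@ver", ..., "target@ver"]: the `yarn list` /
// `yarn why` view of which package is the reason an old version is still installed.
function pathsTo(entries, target) {
  const byKey = new Map(entries.flatMap((e) => e.keys.map((k) => [k, e])));  // "name@range" -> block
  const parents = new Map();                                                   // block -> dependents
  for (const e of entries) {
    for (const [dep, range] of Object.entries(e.dependencies)) {
      const d = byKey.get(`${dep}@${range}`);
      if (d) parents.set(d, [...(parents.get(d) || []), e]);
    }
  }
  const label = (e) => `${nameOf(e.keys[0])}@${e.version}`;
  const chains = [];
  const climb = (e, chain) => {
    const ups = (parents.get(e) || []).filter((p) => !chain.includes(label(p)));  // cycle guard
    if (ups.length === 0) chains.push([...chain].reverse());
    for (const p of ups) climb(p, [...chain, label(p)]);
  };
  for (const e of entries) if (e.version && nameOf(e.keys[0]) === target) climb(e, [label(e)]);
  return chains;
}

const ENTRIES = parseYarnLockV1(SAMPLE_LOCK);
console.log(JSON.stringify(staleEntries(ENTRIES, '@noble/hashes', '1.8.0'), null, 2));
for (const chain of pathsTo(ENTRIES, 'elliptic')) console.log(chain.join(' -> '));
```

Against the sample this reports the 1.7.0 block as stale with `^1.2.0`/`^1.5.0` re-resolvable and the exact `1.7.0` pin blocking, and one chain @example/old-wallet-provider -> @cosmjs/amino -> @cosmjs/crypto -> elliptic, which is the shape of the @leapwallet case above. To run it on a real project, replace SAMPLE_LOCK with the contents of yarn.lock (for example via fs.readFileSync); `yarn why <pkg>` gives the same chain view for a single package, but the lockfile check is what you can run in CI before a lockfile change is merged.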

webmaster128 commented

> I think the fix you suggest won't work when users install cosmos-kit in their apps, right?

When a user newly installs cosmos-kit they always install the latest version 1.8.0. In that case they have no problem. The only issue is old existing lockfiles where earlier versions are locked.

That being said, I just released 0.36.2 which contains the fix from the PR I linked above.

webmaster128 commented

> contains the fix for .js extension in @noble/hashes/legacy.js import

@noble/hashes ^1.8.0 supports imports with and without extension. So that's not an issue anymore once you have ^1.8.0 as the required version range.

stalniy (Author) commented Oct 24, 2025

Thank you @webmaster128 for assistance and responsiveness!

stalniy force-pushed the fix/update-cosmjs-deps branch from 3e7534f to 873e8c8 (October 24, 2025 09:22)
stalniy force-pushed the fix/update-cosmjs-deps branch from 873e8c8 to d02fd83 (October 24, 2025 09:27)
stalniy (Author) commented Oct 24, 2025

@pyramation I updated GHA to run all available tests in the repo and also fixed some issues in other packages. Could you please take a look and run GHA again?

 % npx --yes lerna@7 run test -- --passWithNoTests
lerna notice cli v7.1.1
lerna info versioning independent
 
    ✔  @cosmos-kit/core:test (5s)
    ✔  @cosmos-kit/walletconnect:test (861ms)
    ✔  @cosmos-kit/ins:test (6s)
    ✔  @cosmos-kit/gatewallet-extension:test (984ms)
    ✔  @cosmos-kit/bitgetwallet-extension:test (1s)
    ✔  @cosmos-kit/keplr-extension:test (1s)
    ✔  @cosmos-kit/okxwallet-extension:test (1s)
    ✔  @cosmos-kit/leap-metamask-cosmos-snap:test (1s)
    ✔  @cosmos-kit/leap-extension:test (2s)
    ✔  @cosmos-kit/fin-extension:test (2s)
    ✔  @cosmos-kit/cdcwallet-extension:test (2s)
    ✔  @cosmos-kit/coin98-extension:test (2s)
    ✔  @cosmos-kit/ctrl-extension:test (2s)
    ✔  @cosmos-kit/cosmostation-extension:test (2s)
    ✔  @cosmos-kit/tailwind-extension:test (2s)
    ✔  @cosmos-kit/leap-mobile:test (2s)
    ✔  @cosmos-kit/shell-extension:test (2s)
    ✔  @cosmos-kit/owallet-extension:test (2s)
    ✔  @cosmos-kit/cosmostation-mobile:test (2s)
    ✔  @cosmos-kit/keplr-mobile:test (2s)
    ✔  @cosmos-kit/owallet-mobile:test (2s)
    ✔  @cosmos-kit/compass-extension:test (2s)
    ✔  @cosmos-kit/galaxy-station-extension:test (2s)
    ✔  @cosmos-kit/exodus-extension:test (2s)
    ✔  @cosmos-kit/ledger:test (2s)
    ✔  @cosmos-kit/galaxy-station-mobile:test (2s)
    ✔  @cosmos-kit/trust-extension:test (2s)
    ✔  @cosmos-kit/omni-mobile:test (2s)
    ✔  @cosmos-kit/keplr:test (2s)
    ✔  @cosmos-kit/coin98:test (2s)
    ✔  @cosmos-kit/trust-mobile:test (2s)
    ✔  @cosmos-kit/cdcwallet:test (2s)
    ✔  @cosmos-kit/leap:test (2s)
    ✔  @cosmos-kit/fin:test (3s)
    ✔  @cosmos-kit/react-lite:test (6s)
    ✔  @cosmos-kit/ctrl:test (2s)
    ✔  @cosmos-kit/foxwallet-extension:test (2s)
    ✔  @cosmos-kit/cosmostation:test (2s)
    ✔  @cosmos-kit/tailwind:test (2s)
    ✔  @cosmos-kit/owallet:test (2s)
    ✔  @cosmos-kit/station-extension:test (2s)
    ✔  @cosmos-kit/shell:test (2s)
    ✔  @cosmos-kit/vectis-extension:test (2s)
    ✔  @cosmos-kit/compass:test (2s)
    ✔  @cosmos-kit/exodus:test (2s)
    ✔  @cosmos-kit/galaxy-station:test (2s)
    ✔  @cosmos-kit/omni:test (2s)
    ✔  @cosmos-kit/trust:test (2s)
    ✔  @cosmos-kit/aria-extension:test (2s)
    ✔  @cosmos-kit/frontier-extension:test (2s)
    ✔  @cosmos-kit/imtoken-extension:test (2s)
    ✔  @cosmos-kit/initia-extension:test (2s)
    ✔  @cosmos-kit/ninji-extension:test (2s)
    ✔  @cosmos-kit/arculus-mobile:test (2s)
    ✔  @cosmos-kit/figure-markets-mobile:test (2s)
    ✔  @cosmos-kit/aria-mobile:test (2s)
    ✔  @cosmos-kit/leap-capsule-social-login:test (2s)
    ✔  @cosmos-kit/web3auth:test (1s)
    ✔  @cosmos-kit/react:test (2s)
    ✔  @cosmos-kit/station:test (1s)
    ✔  @cosmos-kit/foxwallet:test (2s)
    ✔  @cosmos-kit/vectis:test (2s)
    ✔  @cosmos-kit/bitgetwallet:test (1s)
    ✔  @cosmos-kit/cosmos-extension-metamask:test (2s)
    ✔  @cosmos-kit/okto-extension:test (2s)
    ✔  @cosmos-kit/okxwallet:test (2s)
    ✔  @cosmos-kit/gatewallet:test (2s)
    ✔  @cosmos-kit/imtoken:test (1s)
    ✔  @cosmos-kit/frontier:test (2s)
    ✔  @cosmos-kit/initia:test (2s)
    ✔  @cosmos-kit/figure-markets:test (2s)
    ✔  @cosmos-kit/ninji:test (2s)
    ✔  @cosmos-kit/arculus:test (2s)
    ✔  @cosmos-kit/aria:test (2s)
    ✔  cosmos-kit:test (3s)

 —————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————————

 >  Lerna (powered by Nx)   Successfully ran target test for 75 projects (16s)
 
         With additional flags:
           --passWithNoTests=true
 

// Polyfill for TextEncoder/TextDecoder required by @cosmjs packages
const { TextEncoder, TextDecoder } = require('util');
global.TextEncoder = TextEncoder;
global.TextDecoder = TextDecoder;


Why do you think this addition is needed? TextEncoder has been widely adopted for a long time. It would be really strange if your JS environment does not have it.

https://developer.mozilla.org/en-US/docs/Web/API/TextEncoder

stalniy (Author)

Yes, I know. I use [email protected], but probably the issue is in the jest env. Tests failed with the error that this stuff is not available.

stalniy (Author)

I'll double-check a bit later whether the issue is in the env, because jsdom doesn't even provide the fetch API, which is also widely available.


Okay I am not at all familiar with those. But I think we should adapt the comment a bit to highlight where the limitation is (and when we can remove the polyfill).

stalniy (Author)

Related issue in jsdom: jsdom/jsdom#2524


Successfully merging this pull request may close these issues: Upgrade @cosmjs/* to the latest version