[codex] refresh dependency and toolchain versions #205
Co-authored-by: codex <codex@users.noreply.github.com>
📝 Walkthrough: Pins Go/Bun/Rust toolchains and updates Docker base images, bumps JS/Rust/Go dependencies and package manifests, upgrades GitHub Actions checkout to v6, switches a cache integration test to miniredis, and adds two negative signature verification tests. Changes: Unified Toolchain and Dependency Upgrades
@codex review the pr |
Codex Review: Didn't find any major issues. 🚀
Actionable comments posted: 2
🧹 Nitpick comments (2)
web/Dockerfile (1)
25-25: ⚖️ Poor tradeoff: Consider running the runtime stage as a non-root user.
The static analysis tool flagged that the container runs as root, which increases the attack surface if the container is compromised. While common in Node/Bun containers, adding a USER directive with a non-privileged account improves the security posture.
🔒 Example non-root user setup
FROM oven/bun:1.3.14 AS runtime WORKDIR /app +RUN addgroup --system --gid 1001 nodejs && \ + adduser --system --uid 1001 nextjs && \ + chown -R nextjs:nodejs /app ENV NODE_ENV=production ENV NEXT_TELEMETRY_DISABLED=1 ENV PORT=3001 COPY --from=deps /app/package.json /app/bun.lock* ./ COPY --from=deps /app/node_modules /app/node_modules COPY --from=build /app/.next /app/.next COPY --from=build /app/public /app/public +USER nextjs EXPOSE 3001 CMD ["bun", "start"]🤖 Prompt for AI Agents
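Review bot: the `chown -R nextjs:nodejs /app` in the added RUN line executes before the four `COPY --from=...` lines, so package.json, node_modules, .next and public are still root-owned when `USER nextjs` takes effect; the process can read them, but any runtime write under /app (Next's .next/cache is the usual one) fails with EACCES. Use `COPY --chown=nextjs:nodejs --from=build /app/.next /app/.next` (and the same flag on the other three COPY lines), or move the chown after the copies, so the unprivileged user owns exactly what it needs and nothing else.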
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@web/Dockerfile` at line 25, The runtime stage in the Dockerfile currently uses the oven/bun base as root; create and switch to a non-root user in that stage (e.g., create a dedicated uid/gid, set ownership on runtime assets, and add a USER directive) so the container does not run as root at runtime. Locate the runtime stage labeled "AS runtime" in the Dockerfile, add commands to create a non-privileged user/group, chown the app/build/static directories and any needed runtime files to that user, and then add USER <username> (or UID:GID) before the final CMD/ENTRYPOINT to ensure the process runs unprivileged.Source: Linters/SAST tools
web/package.json (1)
20-20: Update dependency guidance: Next.js 16.2.7 exists and matches React 19.2.7
- Next.js v16.2.7 is a stable release (released June 1, 2026) and works with React 19.2.7.
- For the upgrade 16.1.1 → 16.2.7, still check the 16.2.7 release notes for any breaking changes, and ensure any referenced Next.js 15 documentation/guides still apply to this version (e.g., for @next/mdx usage).
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@web/package.json` at line 20, Update the "`@next/mdx`" dependency to "16.2.7" in package.json (replace the older 16.1.1 version), run your package manager to install, and run the app's build/test suite to catch regressions; after upgrading, read the Next.js 16.2.7 release notes for breaking changes and verify any code or docs that reference Next.js 15 (particularly MDX usage) are still correct and compatible with React 19.2.7.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In @.github/workflows/claude.yml:
- Line 30: The checkout step currently uses the mutable tag "uses:
actions/checkout@v6"; update that to pin to the exact commit SHA or digest for
the v6 release (e.g., "uses: actions/checkout@<full-commit-sha>") to prevent
supply-chain drift—locate the Checkout repository step in
.github/workflows/claude.yml where "actions/checkout@v6" is referenced and
replace the tag with the canonical commit SHA from the actions/checkout v6
release page (or use the verified digest form) so the workflow uses an immutable
reference.
In `@gateway/go.mod`:
- Line 9: The upgrade to go-ethereum v1.17.3 enforces a 32-byte hash check in
crypto.VerifySignature; update the gateway signing/verification flow to always
pass a 32-byte digest (use crypto.Keccak256Hash output or explicitly
hash/truncate/pad to 32 bytes before calling crypto.VerifySignature) and ensure
any public-key handling still uses crypto.FromECDSAPub; add/adjust tests in
gateway/receipt_test.go to include cases that assert VerifySignature fails for
tampered signatures and for inputs with invalid lengths (e.g., non-32-byte
digests) so the behavior is covered.
🪄 Autofix (Beta)
✅ Autofix completed
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 3e7b1c9d-1f8e-4786-9318-24eed96f7c2a
⛔ Files ignored due to path filters (5)
- bun.lock is excluded by !**/*.lock
- gateway/go.sum is excluded by !**/*.sum
- sdk/typescript/bun.lock is excluded by !**/*.lock
- verifier/Cargo.lock is excluded by !**/*.lock
- web/bun.lock is excluded by !**/*.lock
📒 Files selected for processing (16)
- .github/workflows/claude.yml
- .github/workflows/e2e.yml
- .github/workflows/go-lint.yml
- .github/workflows/go-tests.yml
- .github/workflows/sdk-tests.yml
- .github/workflows/web-lint-build.yml
- CONTRIBUTING.md
- README.md
- gateway/Dockerfile
- gateway/go.mod
- package.json
- sdk/typescript/package.json
- verifier/Cargo.toml
- verifier/Dockerfile
- web/Dockerfile
- web/package.json
Note: Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it. Fixes applied successfully: fixed 1 file(s) based on 2 unresolved review comments. Files modified:
Commit: The changes have been pushed to the Time taken:
Lines 27–33 timeout-minutes: 20
steps:
- name: Checkout repository
- uses: actions/checkout@v6
+ uses: actions/checkout@f95a4f69e68f4e73b5a20ab655c7f9e98f5bb2c9 # v6
with:
fetch-depth: 0 |
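Review bot: this pins only .github/workflows/claude.yml; if the other five workflow files in this PR (e2e.yml, go-lint.yml, go-tests.yml, sdk-tests.yml, web-lint-build.yml) also reference actions/checkout@v6, they still float on the mutable tag and should be pinned to the same SHA in the same change, otherwise the supply-chain guarantee covers one workflow out of six. Record the exact release in the trailing comment (`# v6.x.y` rather than `# v6`) so Dependabot/Renovate can recognise and bump the pin, and confirm the SHA is the commit the v6 tag actually resolves to before merging; nothing checks that comment against the hash.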
Fixed 1 file(s) based on 2 unresolved review comments. Co-authored-by: CodeRabbit <noreply@coderabbit.ai>
Actionable comments posted: 2
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@gateway/receipt_test.go`:
- Around line 499-500: The code calls json.Marshal on signedReceipt.Receipt and
immediately hashes the result without checking the error; update both
occurrences (where receiptBytes is created and passed to crypto.Keccak256Hash)
to capture the marshal error (err := json.Marshal(...)) and if err != nil fail
the test or return early (e.g. t.Fatalf("json.Marshal(signedReceipt.Receipt)
failed: %v", err)) before computing crypto.Keccak256Hash to avoid misleading
verification failures if serialization fails.
- Around line 465-468: The test currently skips when SERVER_WALLET_PRIVATE_KEY
is missing; instead set a deterministic test key with
t.Setenv("SERVER_WALLET_PRIVATE_KEY", "<deterministic-priv-key>") before calling
getServerPrivateKey() in the receipt tests, then replace the t.Skip path with a
fast failure (t.Fatalf or t.Fatal) if getServerPrivateKey() still returns an
error or nil to ensure the regression test always runs; apply the same change to
the other occurrence around lines 538-541 so both places use t.Setenv and fail
fast rather than silently skipping.
🪄 Autofix (Beta)
✅ Autofix completed
📒 Files selected for processing (3)
- .github/workflows/go-tests.yml
- gateway/cache_integration_test.go
- gateway/receipt_test.go
🚧 Files skipped from review as they are similar to previous changes (1)
- .github/workflows/go-tests.yml
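As an added example, not code from the gateway or from go-ethereum, here is the shape of the signing and verification test that the two review comments ask for: the `gateway/go.mod` comment (always pass a 32-byte digest to the verifier and cover tampered signatures and wrong-length digests) and the `gateway/receipt_test.go` comment (check the `json.Marshal` error, load a deterministic key from `SERVER_WALLET_PRIVATE_KEY` and fail fast instead of `t.Skip`). It uses the Go standard library's P-256 ECDSA and SHA-256 as stand-ins for go-ethereum's secp256k1 `crypto.VerifySignature` and `crypto.Keccak256Hash`, so it runs without that module; the `Receipt` fields, `TestKeyHex`, the hex key format and every function name are constructed for the illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"os"
)

// Receipt is a constructed stand-in; the gateway's real fields are not on this page.
type Receipt struct {
	ID     string `json:"id"`
	Payer  string `json:"payer"`
	Amount int64  `json:"amount"`
}

// TestKeyHex is a fixed 32-byte scalar so tests are deterministic (constructed;
// a hard-coded key belongs in tests only).
const TestKeyHex = "1111111111111111111111111111111111111111111111111111111111111111"
// ErrDigestLength replaces a silent false when the digest is not 32 bytes.
var ErrDigestLength = errors.New("digest must be exactly 32 bytes")

// loadPrivateKeyFromEnv fails loudly when the variable is unset or malformed,
// so a test using it cannot silently skip. P-256 stands in for secp256k1
// (go-ethereum would parse the key with crypto.HexToECDSA).
func loadPrivateKeyFromEnv(name string) (*ecdsa.PrivateKey, error) {
	raw, err := hex.DecodeString(os.Getenv(name))
	if err != nil || len(raw) != 32 {
		return nil, fmt.Errorf("%s must hold a 32-byte hex scalar", name)
	}
	curve := elliptic.P256()
	d := new(big.Int).SetBytes(raw)
	if d.Sign() == 0 || d.Cmp(curve.Params().N) >= 0 {
		return nil, errors.New("private key scalar out of range")
	}
	priv := &ecdsa.PrivateKey{D: d}
	priv.PublicKey.Curve = curve
	priv.PublicKey.X, priv.PublicKey.Y = curve.ScalarBaseMult(raw)
	return priv, nil
}

// receiptDigest canonicalises the receipt as JSON and hashes it to 32 bytes;
// the json.Marshal error is checked, not discarded.
func receiptDigest(r Receipt) ([]byte, error) {
	b, err := json.Marshal(r)
	if err != nil {
		return nil, fmt.Errorf("marshal receipt: %w", err)
	}
	sum := sha256.Sum256(b)
	return sum[:], nil
}

// verifyDigest enforces the 32-byte contract before touching the signature.
func verifyDigest(pub *ecdsa.PublicKey, digest, sig []byte) (bool, error) {
	if len(digest) != sha256.Size {
		return false, ErrDigestLength
	}
	return ecdsa.VerifyASN1(pub, digest, sig), nil
}

func signReceipt(priv *ecdsa.PrivateKey, r Receipt) ([]byte, error) {
	digest, err := receiptDigest(r)
	if err != nil {
		return nil, err
	}
	return ecdsa.SignASN1(rand.Reader, priv, digest)
}

func verifyReceipt(pub *ecdsa.PublicKey, r Receipt, sig []byte) (bool, error) {
	digest, err := receiptDigest(r)
	if err != nil {
		return false, err
	}
	return verifyDigest(pub, digest, sig)
}

func main() {
	os.Setenv("SERVER_WALLET_PRIVATE_KEY", TestKeyHex)
	priv, err := loadPrivateKeyFromEnv("SERVER_WALLET_PRIVATE_KEY")
	if err != nil {
		panic(err)
	}
	r := Receipt{ID: "rcpt-1", Payer: "0xabc", Amount: 42}
	sig, err := signReceipt(priv, r)
	if err != nil {
		panic(err)
	}
	ok, _ := verifyReceipt(&priv.PublicKey, r, sig)
	forged := append([]byte(nil), sig...)
	forged[len(forged)-1] ^= 0xff // tampered-signature negative case
	bad, _ := verifyReceipt(&priv.PublicKey, r, forged)
	_, lenErr := verifyDigest(&priv.PublicKey, make([]byte, 31), sig)
	fmt.Println("valid:", ok, "tampered:", bad, "short digest:", lenErr)
}
```

The point of `verifyDigest` returning an error rather than `false` for a wrong-length digest is that a test cannot then mistake "caller hashed nothing" for "signature did not match"; in the real gateway that guard is the go-ethereum length check the review comment describes, and the tests around it should cover a tampered signature, a tampered receipt and a non-32-byte digest separately.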
Note: Autofix is a beta feature. Expect some limitations and changes as we gather feedback and continue to improve it. Fixes applied successfully: fixed 1 file(s) based on 2 unresolved review comments. Files modified:
Commit: The changes have been pushed to the Time taken: |
What changed
This PR refreshes the repo's pinned dependency and toolchain versions across the gateway, verifier, web app, SDK, Dockerfiles, CI workflows, and version references in docs.
Why
The repo had a mix of older runtime and package pins across Go, Rust, Bun, Next.js, React, and supporting libraries. This brings those forward to current safe stable releases that were validated in this checkout.
Impact
Validation
- cd gateway && go test ./...
- cd gateway && go vet ./...
- cd web && bun run lint
- cd web && bun run typecheck
- cd web && bun run build
- cd sdk/typescript && bun run typecheck && bun run test
- cd verifier && cargo test
- cd verifier && cargo fmt -- --check && cargo clippy -- -D warnings