chore: remove TypeScript package publishing from repository #385
Conversation
This pull request updates the project version from v21.0.0 to v22.0.0 across the codebase and documentation to reflect the new release. The most important changes are grouped below:

Version bump and upgrade handler:
* Updated the `UpgradeName` constant in `app/upgrades.go` from `"v21"` to `"v22"` to prepare for the new upgrade cycle.

Documentation updates:
* Updated the API version in `client/docs/config.yaml` from `v21.0.0` to `v22.0.0` to match the new release.
* Updated the version in `client/docs/static/openapi.json` from `v21.0.0` to `v22.0.0`.
* Updated the version in `client/docs/static/swagger.json` from `v21.0.0` to `v22.0.0`.
This pull request updates the codebase and documentation for the next major release (v22) and improves JWT claim handling to prevent panics and ensure robust claim processing. The most important changes are grouped below:

## Version Upgrade
* Updated the upgrade name constant in `app/upgrades.go` from `v21` to `v22` to reflect the new release version.
* Updated API documentation version to `v22.0.0` in `client/docs/config.yaml`, `client/docs/static/openapi.json`, and `client/docs/static/swagger.json`.

## JWT Claim Handling Improvements
* Enhanced the JWT validation logic in `x/jwk/keeper/query_validate_jwt.go` to robustly handle non-string private claims: now all claim values are stringified using type checks, JSON marshaling, or fallback formatting, preventing panics and ensuring claims are returned as strings.
* Added a regression test in `x/jwk/keeper/query_test.go` to verify that non-string private claims do not cause panics and are properly stringified in JWT validation responses.
* Added necessary imports for JSON and formatting in `x/jwk/keeper/query_validate_jwt.go` to support the improved claim stringification logic.
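The claim stringification the commit describes (type switch, JSON marshaling for structured values, formatted fallback) as an added Go illustration; this is not the project's `query_validate_jwt.go` code, and the sample payload and function names are constructed for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
)

// StringifyClaim converts a decoded JWT claim value to a string without panicking.
// Strings pass through, scalars are formatted, objects and arrays are JSON-encoded,
// and anything unexpected falls back to fmt.Sprintf. Illustrative only, not the
// project's own implementation.
func StringifyClaim(v interface{}) string {
	switch c := v.(type) {
	case nil: // JSON null
		return ""
	case string:
		return c
	case bool:
		return strconv.FormatBool(c)
	case float64: // encoding/json decodes every JSON number into float64
		return strconv.FormatFloat(c, 'f', -1, 64)
	case map[string]interface{}, []interface{}:
		if b, err := json.Marshal(c); err == nil {
			return string(b)
		}
		return fmt.Sprintf("%v", c)
	default:
		return fmt.Sprintf("%v", c)
	}
}

// StringifyClaims applies StringifyClaim to every entry of a decoded claim set.
func StringifyClaims(claims map[string]interface{}) map[string]string {
	out := make(map[string]string, len(claims))
	for k, v := range claims {
		out[k] = StringifyClaim(v)
	}
	return out
}

func main() {
	// Constructed payload mixing string, number, bool, array and nested object claims.
	raw := `{"sub":"alice","exp":1700000000,"admin":false,"roles":["read","write"],"meta":{"tier":2}}`
	var claims map[string]interface{}
	_ = json.Unmarshal([]byte(raw), &claims) // fixed literal, cannot fail
	fmt.Println(StringifyClaims(claims))
}
```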
This pull request introduces several improvements and fixes across integration tests, coverage reporting scripts, dependency management, and core logic. The most significant changes include enhanced integration test coverage for message encoding bugs, stricter global fee bypass gas limit enforcement, and updates to coverage reporting thresholds. Additionally, there are dependency cleanups and additions for better test reliability.

**Integration test improvements:**
* Added `TestMsgSetPlatformMinimumCodecBug` to `integration_tests/minimum_fee_test.go` to verify that `MsgSetPlatformMinimum` correctly implements all required methods and encodes/decodes as expected, addressing a prior security report.
* Improved `TestWebAuthNAbstractAccount` in `integration_tests/webauthn_test.go` by ensuring block commitment before transactions and using deterministic assertions for balance checks.

**Global fee logic and tests:**
* Added new test cases to `TestGlobalFeeSetAnteHandler` in `x/globalfee/ante/antetest/fee_test.go` to enforce and validate the maximum bypass gas limit, ensuring excessive gas usage fails as expected and boundary cases pass.

**Coverage reporting enhancements:**
* Updated `scripts/test-coverage.sh` to raise the threshold for "OK" coverage to 80%, merge low and zero coverage reporting (now <=80%), and clarify output messages for coverage validation.

**Dependency management:**
* Removed unused indirect dependencies from `go.mod` and added/tested new ones in `integration_tests/go.mod` for improved reliability and compatibility.

**Minor codebase cleanups:**
* Removed obsolete comments and improved import statements for clarity and correctness in various files.

---------

Signed-off-by: TwiceBurnt <[email protected]>
Co-authored-by: Copilot <[email protected]>
…ing (#377)

This pull request adds support for deleting audience claims via the CLI, along with comprehensive test coverage for the new command. The main changes include introducing the `CmdDeleteAudienceClaim` command, updating the transaction command registry, and extending the test suite to validate argument handling and command behavior.

### New CLI command for deleting audience claims
* Added `CmdDeleteAudienceClaim` function to `tx_audience.go`, allowing users to delete an audience claim by specifying the audience identifier. The implementation includes argument validation, message creation, and transaction broadcasting.

### Command registration
* Registered the new `delete-audience-claim` command in the transaction command group within `tx.go`, making it available in the CLI tool.

### Test coverage for delete audience claim command
* Added tests to verify command metadata and argument validation for `delete-audience-claim` in `cli_test.go`. This ensures correct command registration and error handling for missing or invalid arguments.
* Extended transaction command tests to include scenarios for deleting audience claims, verifying integration with the CLI.
* Added a new test function, `TestDeleteAudienceClaimVariants`, to cover validation errors and context handling for the delete audience claim command.
This pull request improves the handling of platform fee calculations in the `msg_server.go` file by introducing overflow-safe arithmetic. The main enhancement is the use of big integer math to prevent overflow when calculating platform fees for large coin amounts, ensuring correct and safe fee deduction.

**Overflow-safe platform fee calculation:**
* Updated the platform fee calculation logic in both the `Send` and `MultiSend` message handlers to use big integer arithmetic when coin amounts are too large for standard multiplication, preventing overflow and ensuring accurate fee computation.
* Added import of the `math/big` package to support big integer operations for fee calculations.

**Testing:**
* Minor formatting change in the `TestMsgServer_MultiSend_HighPlatformFee` test to maintain code style consistency.

---------

Co-authored-by: Eduardo Diaz <[email protected]>
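An added Go example of the overflow-safe fee pattern the commit describes: a fast path when the product provably fits in int64, and `math/big` otherwise, shown beside the naive multiplication that wraps. The basis-point fee model, the function names and the amounts are assumptions made for the illustration, not the project's `msg_server.go` logic.

```go
package main

import (
	"fmt"
	"math"
	"math/big"
)

// PlatformFeeBps computes amount * feeBps / 10000 for a fee given in basis points.
// Plain int64 multiplication silently wraps once amount*feeBps exceeds
// math.MaxInt64, so the product is taken in math/big whenever the fast path
// cannot be proven safe. Illustrative code, not the project's implementation.
func PlatformFeeBps(amount, feeBps int64) (*big.Int, error) {
	if amount < 0 || feeBps < 0 || feeBps > 10000 {
		return nil, fmt.Errorf("invalid input: amount=%d feeBps=%d", amount, feeBps)
	}
	// Fast path: the product is guaranteed to fit in an int64.
	if feeBps == 0 || amount <= math.MaxInt64/feeBps {
		return big.NewInt(amount * feeBps / 10000), nil
	}
	// Slow path: arbitrary precision, so no wraparound is possible.
	fee := new(big.Int).Mul(big.NewInt(amount), big.NewInt(feeBps))
	return fee.Quo(fee, big.NewInt(10000)), nil
}

// NaiveFeeBps is the unsafe version kept only to show the wraparound.
func NaiveFeeBps(amount, feeBps int64) int64 {
	return amount * feeBps / 10000
}

func main() {
	amount := int64(math.MaxInt64) // constructed: a very large coin amount
	safe, _ := PlatformFeeBps(amount, 250)
	fmt.Printf("naive=%d safe=%s\n", NaiveFeeBps(amount, 250), safe)
}
```

For the maximal amount the naive path wraps to 0, i.e. no fee would be charged at all, while the big-int path returns the correct value.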
This pull request introduces a critical security improvement to the application's block processing and addresses a potential gas-related vulnerability in the JWK module. The main changes include adding panic recovery to the `BeginBlocker` to prevent validator shutdowns from malicious WASM contract panics, and ensuring consistent gas consumption between audience creation operations to mitigate spam attacks.

**Security improvements:**
* Added panic recovery to the `BeginBlocker` in `app/app.go` to prevent network shutdown from malicious WASM contracts that panic during execution. This logs the panic and stack trace, allowing the validator to continue running instead of crashing.
* Imported the `runtime/debug` package in `app/app.go` to support stack trace logging in the panic recovery logic.

**Gas consistency and anti-spam protections:**
* Added extra gas consumption to the `CreateAudience` method in `x/jwk/keeper/msg_server_audience.go` to disincentivize spamming by charging a deployment gas penalty for audience creation.
* Added a new test `TestGasConsistency` in `x/jwk/keeper/gas_consistency_test.go` to verify that `CreateAudienceClaim` and `CreateAudience` consume similar amounts of gas, preventing exploitation of gas cost differences for spam attacks.
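The recover-and-log pattern the first bullet describes, as an added Go example (not the project's `app/app.go` code): the wrapper captures the panic value and the `runtime/debug` stack so the caller keeps running. The `RunRecovering` name and the panicking stand-in are assumptions for the illustration.

```go
package main

import (
	"fmt"
	"runtime/debug"
)

// RunRecovering executes fn and, if it panics, converts the panic into a
// returned value plus the goroutine stack instead of letting the process die.
// Illustration of the BeginBlocker guard only; what state a real hook may keep
// after a recovered panic is a separate decision it still has to make.
func RunRecovering(fn func()) (recovered interface{}, stack string) {
	defer func() {
		if r := recover(); r != nil {
			recovered = r
			stack = string(debug.Stack())
			// A node would send this to its logger rather than stdout.
			fmt.Printf("recovered panic during block processing: %v\n%s", r, stack)
		}
	}()
	fn()
	return nil, ""
}

func main() {
	// Constructed stand-in for a hook that panics inside block processing.
	r, _ := RunRecovering(func() { panic("contract panicked") })
	fmt.Println("still running; recovered value:", r)
}
```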
This pull request introduces comprehensive documentation for the XION module and clarifies the security boundaries of its WebAuthn utilities. The new README provides an overview of the module's architecture, features, and usage, while inline comments in `grpc_query.go` emphasize that WebAuthn functions only perform cryptographic validation and do not grant account access or authorization. These changes help developers understand both the technical and security aspects of the XION module.

**Documentation Improvements:**
* Added a detailed `README.md` for the `x/xion` module, covering platform fee management, WebAuthn signature validation, Abstract Account architecture, integration points, governance, security model, and testing instructions.

**Security Clarifications:**
* Added explicit comments to `WebAuthNVerifyRegister` in `grpc_query.go` to clarify that the function only performs cryptographic validation and does not grant permissions or access to accounts; authorization occurs at the contract level.
* Added explicit comments to `WebAuthNVerifyAuthenticate` in `grpc_query.go` to clarify that the function does not provide authentication or authorization, but only validates assertions cryptographically.
Fix: Set reasonable IBC packet forwarding hop limit

Problem:
XION's IBC packet forwarding middleware was configured with a hop limit of 0, which allows unlimited hops in multi-hop IBC transfers. While not a critical vulnerability (due to built-in IBC timeout protections), this configuration could allow unnecessarily long forwarding chains that consume more network resources than needed.

Solution:
Set the hop limit to 10 in the packet forwarding middleware configuration. This provides:
✅ Sufficient hops for virtually all legitimate multi-hop IBC transfer scenarios
✅ Reasonable resource protection against excessively long forwarding chains
✅ Clear operational boundaries for packet forwarding
✅ Following security best practices for resource management

Changes:
- No breaking changes - 10 hops is more than adequate for normal multi-hop transfers
- Improved resource management and operational clarity
- Better defense against potential misuse of the forwarding system

Testing:
Existing IBC integration tests continue to pass, confirming no functional impact on normal operations.
lgtm
proto paths change often with releases, nobody is going to update them in a github action in another repo; I maintain the proto-gen script here
- Remove client/ts directory and all TypeScript package code
- Remove proto-gen-ts target from Makefile
- Remove TypeScript generation from proto-gen.sh script
- Remove publish-types.yaml GitHub Actions workflow
- Remove buf.gen.ts.yaml and buf.gen.js.yaml proto generation configs

TypeScript types package will be maintained in a separate repository