[Snyk] Upgrade @stellar/stellar-sdk from 11.3.0 to 12.2.0

[OKEAMAH]

Snyk has created this PR to upgrade @stellar/stellar-sdk from 11.3.0 to 12.2.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

⚠️ Warning: This PR contains major version upgrade(s), and may be a breaking change.

• The recommended version is 7 versions ahead of your current version.

• The recommended version was released on a month ago.

Release notes

Package name: @stellar/stellar-sdk

• 12.2.0 - 2024-07-19
  

  Fixed

  • @ stellar/stellar-base and its underlying dependency @ stellar/js-xdr have been upgraded to their latest versions; reference their release notes (v12.1.0 and v3.1.2, respectively) for details (#1013).

  Added

  • You can now pass custom headers to both rpc.Server and Horizon.Server (#1013):
  import { Server } from "@ stellar/stellar-sdk/rpc";

  const s = new Server("<some URL>", { headers: { "X-Custom-Header": "hello" }})

  • Horizon.Server now supports the new POST /transactions_async endpoint via the submitAsyncTransaction method (#989). Its purpose is to provide an immediate response to the submission rather than waiting for Horizon to determine its status. The response schema is as follows:

  interface SubmitAsyncTransactionResponse {
    // the submitted transaction hash
    hash: string;
    // one of "PENDING", "DUPLICATE", "TRY_AGAIN_LATER", or "ERROR"
    tx_status: string;
    // a base64-encoded xdr.TransactionResult iff `tx_status` is "ERROR"
    error_result_xdr: string;
  }

  • rpc.Server now has a getFeeStats method which retrieves fee statistics for a previous chunk of ledgers to provide users with a way to provide informed decisions about getting their transactions included in the following ledgers (#998):
  export interface GetFeeStatsResponse {
  sorobanInclusionFee: FeeDistribution;
  inclusionFee: FeeDistribution;
  latestLedger: number; // uint32
  }

  interface FeeDistribution {
  max: string; // uint64
  min: string; // uint64
  mode: string; // uint64
  p10: string; // uint64
  p20: string; // uint64
  p30: string; // uint64
  p40: string; // uint64
  p50: string; // uint64
  p60: string; // uint64
  p70: string; // uint64
  p80: string; // uint64
  p90: string; // uint64
  p95: string; // uint64
  p99: string; // uint64
  transactionCount: string; // uint32
  ledgerCount: number; // uint32
  }

  New Contributors

  • @ celestialkylin made their first contribution in #988
  • @ aditya1702 made their first contribution in #989
  • @ kanwalpreetd made their first contribution in #1008

  Full Changelog: v12.1.0...v12.2.0

• 12.1.0 - 2024-06-14
  

  v12.1.0

  Added

  • contract now exports the DEFAULT_TIMEOUT (#984).
  • contract.AssembledTransaction now has:
    • toXDR and fromXDR methods for serializing the transaction to and from XDR. These methods should be used in place of AssembledTransaction.toJSON and AssembledTransaction.fromJSONfor multi-auth signing. The JSON methods are now deprecated. Note: you must now call simulate on the transaction before the final signAndSend call after all required signatures are gathered when using the XDR methods (#977).
    • a restoreFootprint method which accepts the restorePreamble returned when a simulation call fails due to some contract state that has expired. When invoking a contract function, one can now set restore to true in the MethodOptions. When enabled, a restoreFootprint transaction will be created and await signing when required (#991).
    • separate sign and send methods so that you can sign a transaction without sending it (signAndSend still works as before; #922).
  • contract.Client now has a txFromXDR method which should be used in place of txFromJSON for multi-auth signing (#977).

  Deprecated

  • In contract.AssembledTransaction, toJSON and fromJSON should be replaced with toXDR and fromXDR.
  • In contract.Client, txFromJSON should be replaced with txFromXDR.

  Fixed

  • If you edit an AssembledTransaction with tx.raw = cloneFrom(tx.build), the tx.simulationData will now be updated correctly (#985).
• 12.0.1 - 2024-05-30
  

  v12.0.1: Protocol 21 Stable Release

  This update supports Protocol 21. It is an additive change to the protocol so there are no binary (i.e. XDR-level) incompatibilities, but your software may break if you encounter new unexpected or renamed fields from this Protocol (#949).

  The following changelog is a concatenation of all of the RCs since the previous stable release and includes one additional added feature.

  Breaking Changes

  • The default timeout for transaction calls is now set to 300 seconds (5 minutes) when using ContractClient from the previous default of 10 seconds. 10 seconds is often not enough time to review transactions before signing, especially in Freighter or using a hardware wallet like a Ledger, which would cause a txTooLate error response from the server. Five minutes is also the value used by the CLI, so this brings the two into alignment (#956).
  • ContractClient functionality previously added in v11.3.0 was exported in a non-standard way. You can now import it as any other stellar-sdk module (#962):

  -import { ContractClient } from '@ stellar/stellar-sdk/lib/contract_client'
  +import { contract } from '@ stellar/stellar-sdk'
  +const { Client } = contract

  Note that this top-level contract export is a container for ContractClient and related functionality. The ContractClient class is now available at contract.Client, as shown. Further note that there is a capitalized Contract export as well, which comes from stellar-base. You can remember which is which because capital-C Contract is a class, whereas lowercase-c contract is a container/module with a bunch of classes, functions, and types.

  Additionally, this is available from the /contract entrypoint, if your version of Node and TypeScript support the exports declaration. Finally, some of its exports have been renamed:

  import {
     AssembledTransaction,
     SentTransaction,
  -  ContractClient,
  -  ContractClientOptions,
  -} from '@ stellar/stellar-sdk/lib/contract_client'
  +  Client,
  +  ClientOptions,
  +} from '@ stellar/stellar-sdk/contract'

  • The ContractSpec class is now nested under the contract module, and has been renamed to Spec (#962). Alternatively, you can import this from the contract entrypoint, if your version of Node and TypeScript support the exports declaration:

  -import { ContractSpec } from '@ stellar/stellar-sdk'
  +import { contract } from '@ stellar/stellar-sdk'
  +const { Spec } = contract
  // OR
  +import { Spec } from '@ stellar/stellar-sdk/contract'

  • Previously, AssembledTransaction.signAndSend() would return a SentTransaction even if the transaction never finalized. That is, if it successfully sent the transaction to the network, but the transaction was still status: 'PENDING', then it would console.error an error message, but return the indeterminate transaction anyhow. It now throws a SentTransaction.Errors.TransactionStillPending error with that error message instead (#962).

  Deprecated

  • SorobanRpc module is now also exported as rpc (#962). You can import it with either name for now, but SorobanRpc will be removed in a future release:

  -import { SorobanRpc } from '@ stellar/stellar-sdk'
  +import { rpc } from '@ stellar/stellar-sdk'

  You can also now import it at the /rpc entrypoint, if your version of Node and TypeScript support the exports declaration.

  -import { SorobanRpc } from '@ stellar/stellar-sdk'
  -const { Api } = SorobanRpc
  +import { Api } from '@ stellar/stellar-sdk/rpc'

  Added

  • New methods on contract.Client (#960):
    • from(opts: ContractClientOptions) instantiates contract.Client by fetching the contractId's WASM from the network to fill out the client's ContractSpec.
    • fromWasm and fromWasmHash methods to instantiate a contract.Client when you already have the WASM bytes or hash alongside the contract.ClientOptions.
  • New methods on rpc.Server (#960):
    • getContractWasmByContractId and getContractWasmByHash to retrieve a contract's WASM bytecode via its contractId or wasmHash, respectively.
  • rpc.server.simulateTransaction now supports an optional stateChanges?: LedgerEntryChange[] field (#963):
    • If Before is omitted, it constitutes a creation, if After is omitted, it constitutes a deletions, note that Before and After cannot be be omitted at the same time. Each item follows this schema:

  interface LedgerEntryChange {
    type: number;
    key: xdr.LedgerKey;
    before: xdr.LedgerEntry | null;
    after: xdr.LedgerEntry | null;
  }

  Fixed

  • The breaking changes above (strictly speaking, they are not breaking changes because importing from the inner guts of the SDK is not supported) enable the contract module to be used in non-Node environments.
  • Dependencies have been properly updated to pull in Protocol 21 XDR, where RC1 was not pulling properly for existing installs (#959).
  • Each item in the GetEventsResponse.events list will now have a txHash item corresponding to the transaction hash that triggered a particular event (#939).
  • ContractClient now properly handles methods that take no arguments by making MethodOptions the only parameter, bringing it inline with the types generated by Soroban CLI's soroban contract bindings typescript (#940).
  • ContractClient now allows publicKey to be undefined (#941).
  • SentTransaction will only pass allowHttp if (and only if) its corresponding AssembledTransaction#options config allowed it (#952).

  New Contributors

  • @ silence48 made their first contribution in #934
  • @ BlaineHeffron made their first contribution in #951
  • @ psheth9 made their first contribution in #963

  Full Changelog: v11.3.0...v12.0.1

• 12.0.0 - 2024-05-02
• 12.0.0-rc.3 - 2024-05-15
  

  v12.0.0-rc.3: Protocol 21 Release Candidate 3

  This update supports Protocol 21. It is an additive change to the protocol so there are no true backwards incompatibilities, but your software may break if you encounter new unexpected fields from this Protocol (#949).

  Breaking Changes

  • ContractClient functionality previously added in v11.3.0 was exported in a non-standard way. You can now import it as any other stellar-sdk module (#962):

  -import { ContractClient } from '@ stellar/stellar-sdk/lib/contract_client'
  +import { contract } from '@ stellar/stellar-sdk'
  +const { Client } = contract

  Note that this top-level contract export is a container for ContractClient and related functionality. The ContractClient class is now available at contract.Client, as shown. Further note that there is a capitalized Contract export as well, which comes from stellar-base. You can remember which is which because capital-C Contract is a class, whereas lowercase-c contract is a container/module with a bunch of classes, functions, and types.

  Additionally, this is available from the /contract entrypoint, if your version of Node and TypeScript support the exports declaration. Finally, some of its exports have been renamed:

  import {
     AssembledTransaction,
     SentTransaction,
  -  ContractClient,
  -  ContractClientOptions,
  -} from '@ stellar/stellar-sdk/lib/contract_client'
  +  Client,
  +  ClientOptions,
  +} from '@ stellar/stellar-sdk/contract'

  • The ContractSpec class is now nested under the contract module, and has been renamed to Spec (#962). Alternatively, you can import this from the contract entrypoint, if your version of Node and TypeScript support the exports declaration:

  -import { ContractSpec } from '@ stellar/stellar-sdk'
  +import { contract } from '@ stellar/stellar-sdk'
  +const { Spec } = contract
  // OR
  +import { Spec } from '@ stellar/stellar-sdk/contract'

  • Previously, AssembledTransaction.signAndSend() would return a SentTransaction even if the transaction never finalized. That is, if it successfully sent the transaction to the network, but the transaction was still status: 'PENDING', then it would console.error an error message, but return the indeterminate transaction anyhow. It now throws a SentTransaction.Errors.TransactionStillPending error with that error message instead (#962).

  Deprecated

  • SorobanRpc module is now also exported as rpc (#962). You can import it with either name for now, but SorobanRpc will be removed in a future release:

  -import { SorobanRpc } from '@ stellar/stellar-sdk'
  +import { rpc } from '@ stellar/stellar-sdk'

  You can also now import it at the /rpc entrypoint, if your version of Node and TypeScript support the exports declaration.

  -import { SorobanRpc } from '@ stellar/stellar-sdk'
  -const { Api } = SorobanRpc
  +import { Api } from '@ stellar/stellar-sdk/rpc'

  Added

  • New methods on contract.Client (#960):
    • from(opts: ContractClientOptions) instantiates contract.Client by fetching the contractId's WASM from the network to fill out the client's ContractSpec.
    • fromWasm and fromWasmHash methods to instantiate a contract.Client when you already have the WASM bytes or hash alongside the contract.ClientOptions.
  • New methods on rpc.Server (#960):
    • getContractWasmByContractId and getContractWasmByHash to retrieve a contract's WASM bytecode via its contractId or wasmHash, respectively.

  Fixed

  • The breaking changes above (strictly speaking, they are not breaking changes because importing from the inner guts of the SDK is not supported) enable the contract module to be used in non-Node environments.

  Full Changelog: v11.3.0...v12.0.0-rc.3

• 12.0.0-rc.2 - 2024-05-07
  

  v12.0.0-rc.2: Protocol 21 Release Candidate 2

  This update supports Protocol 21. It is an additive change to the protocol so there are no true backwards incompatibilities, but your software may break if you encounter new unexpected fields from this Protocol (#949).

  Please refer to RC1 for additional changes since the last major version.

  Breaking Changes

  • The default timeout for transaction calls is now set to 300 seconds (5 minutes) from the previous default of 10 seconds. 10 seconds is often not enough time to review transactions before signing, especially in Freighter or using a hardware wallet like a Ledger, which would cause a txTooLate error response from the server. Five minutes is also the value used by the CLI, so this brings the two into alignment (#956).

  Fixed

  • Dependencies have been properly updated to pull in Protocol 21 XDR, where RC1 was not pulling properly for existing installs (#959).

  New Contributors

  • @ BlaineHeffron made their first contribution in #951

  Full Changelog: v11.3.0...v12.0.0-rc.2

• 12.0.0-rc.1 - 2024-05-02
  

  v12.0.0-rc.1: Protocol 21 Release Candidate

  Breaking Changes

  • This update supports Protocol 21. It is an additive change to the protocol so there are no true backwards incompatibilities, but your software may break if you encounter new unexpected fields from this Protocol (#949).

  Fixed

  • Each item in the GetEventsResponse.events list will now have a txHash item corresponding to the transaction hash that triggered a particular event (#939).
  • ContractClient now properly handles methods that take no arguments by making MethodOptions the only parameter, bringing it inline with the types generated by Soroban CLI's soroban contract bindings typescript (#940).
  • ContractClient now allows publicKey to be undefined (#941).
  • SentTransaction will only pass allowHttp if (and only if) its corresponding AssembledTransaction#options config allowed it (#952).

  New Contributors

  • @ silence48 made their first contribution in #934

  Full Changelog: v11.3.0...v12.0.0-rc.1

• 11.3.0 - 2024-03-20
  

  Added

  • Introduces an entire suite of helpers to assist with interacting with smart contracts (#929):
    • ContractClient: generate a class from the contract specification where each Rust contract method gets a matching method in this class. Each method returns an AssembledTransaction that can be used to modify, simulate, decode results, and possibly sign, & submit the transaction.
    • AssembledTransaction: used to wrap a transaction-under-construction and provide high-level interfaces to the most common workflows, while still providing access to low-level transaction manipulation.
    • SentTransaction: transaction sent to the Soroban network, in two steps - initial submission and waiting for it to finalize to get the result (retried with exponential backoff)

  Fixed

  • Upgrade underlying dependencies, including @ stellar/js-xdr which should broaden compatibility to pre-ES2016 environments (#932, #930).
  • SorobanRpc.Server will no longer use array-based passing to invoke JSON-RPC methods (#924).

  Full Changelog: v11.2.2...v11.3.0

from @stellar/stellar-sdk GitHub release notes

---

Important

• Warning: This PR contains a major version upgrade, and may be a breaking change.
• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[sourcery-ai]

We have skipped reviewing this pull request. Here's why:

• It seems to have been created by a bot ('[Snyk]' found in title). We assume it knows what it's doing!
• We don't review packaging changes - Let us know if you'd like us to change this.

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/[email protected]	environment, filesystem	0	79.1 kB	motdotla
npm/[email protected]	None	0	20.8 kB	lydell
npm/[email protected]	None	+2	95.8 kB	jounqin
npm/[email protected]	environment, filesystem Transitive: eval, shell, unsafe	+86	10 MB	eslintbot
npm/[email protected]	None	0	39.7 kB	matteo.collina
npm/[email protected]	Transitive: environment, eval, filesystem, network, shell, unsafe	+237	18.6 MB	simenb
npm/[email protected]	environment, filesystem, unsafe	0	8.39 MB	prettier-bot
npm/[email protected]	filesystem	+2	895 kB	linusu

🚮 Removed packages: npm/@solana/[email protected], npm/@typescript-eslint/[email protected], npm/@typescript-eslint/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected]

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source	CI
Install scripts	npm/[email protected]	Install script: postinstall Source: node scripts/postinstall	rest-api/package.json rest-api/pnpm-lock.yaml	🚫

View full report↗︎

Next steps

What is an install script?

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/[email protected]