refactor: move @hyperlane-xyz/utils to devDependencies in core

[yorhodes]

Summary

• Moves @hyperlane-xyz/utils from dependencies to devDependencies in @hyperlane-xyz/core
• Utils is only used in test files (addressToBytes32, messageId, parseMessage), not in published contracts or build artifacts

Context

Previously, changes to @hyperlane-xyz/utils implied transitive patch bumps to @hyperlane-xyz/core, which could affect onchain bytecode versioning even when no contracts changed. This change breaks that dependency chain.

With the new Solidity changeset validation CI (#7801), explicit changesets are now required for @hyperlane-xyz/core when contracts change, making this transitive bump unnecessary.

[cursor]

You have run out of free Bugbot PR reviews for this billing cycle. This will reset on February 13.

To receive reviews on all of your PRs, visit the Cursor dashboard to activate Pro and start your 14-day free trial.

[changeset-bot]

⚠️ No Changeset found

Latest commit: cda9ca7

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Warning

Rate limit exceeded

@yorhodes has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 9 minutes and 43 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

📥 Commits

Reviewing files that changed from the base of the PR and between b5962a5 and cda9ca7.

⛔ Files ignored due to path filters (1)

• pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml

📒 Files selected for processing (1)

• solidity/package.json

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch refactor/core-utils-devdep

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[claude]

Claude finished @yorhodes's task in 1m 7s —— View job

---

Review Complete

• Analyze PR changes and context
• Verify utils is only used in test files
• Perform security review
• Provide summary and recommendations

---

Summary

This PR correctly moves @hyperlane-xyz/utils from dependencies to devDependencies in @hyperlane-xyz/core.

Verification

I verified that @hyperlane-xyz/utils is only imported in test files:

• solidity/test/mockMailbox.test.ts:4
• solidity/test/testrecipient.test.ts:4
• solidity/test/message.test.ts:8
• solidity/test/lib/mailboxes.ts:15

The utils are used for test helpers (addressToBytes32, messageId, parseMessage) and are not imported in:

• Any Solidity contracts (contracts/ directory)
• Any source files in core-utils/ that get published to npm

Security Review

No security concerns. This is a purely build-related change that:

1. Does not modify any contract code
2. Does not affect runtime behavior
3. Does not change published artifacts

The change correctly breaks the transitive dependency chain, preventing unnecessary version bumps to @hyperlane-xyz/core when only @hyperlane-xyz/utils changes.

CI Status

The Solidity Fork Tests failure is unrelated to this PR - it's a transient network error downloading forge-std from Soldeer's S3 bucket:

error downloading dependency: error sending request for url 
(https://soldeer-revisions.s3.amazonaws.com/forge-std/1_9_2_...)

This is an infrastructure issue that should resolve on retry.

Recommendation

Approve. The change is correct and aligns with best practices for dependency management.

[hyper-gonk]

🐳 Monorepo Docker Image Built Successfully

Image Tags:

gcr.io/abacus-labs-dev/hyperlane-monorepo:pr-7805
gcr.io/abacus-labs-dev/hyperlane-monorepo:cda9ca7-20260115-203454

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 77.02%. Comparing base (b5962a5) to head (cda9ca7).
⚠️ Report is 7 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #7805   +/-   ##
=======================================
  Coverage   77.02%   77.02%           
=======================================
  Files         117      117           
  Lines        2651     2651           
  Branches      244      244           
=======================================
  Hits         2042     2042           
  Misses        593      593           
  Partials       16       16           

Flag	Coverage Δ
solidity	77.02% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

Components	Coverage Δ
core	87.80% <ø> (ø)
hooks	71.86% <ø> (ø)
isms	81.10% <ø> (ø)
token	86.67% <ø> (ø)
middlewares	84.98% <ø> (ø)

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.