
Fix sync, update dependencies, fix org creation #1492

Merged
TheLastCicada merged 37 commits into develop from v2-rc2
Feb 6, 2026

Conversation

@TheLastCicada (Contributor)

No description provided.

@socket-security
socket-security bot commented Feb 4, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert
Warn High
License policy violation: npm meow under CC-BY-3.0

License: CC-BY-3.0 - the applicable license policy does not allow this license (4) (package/build/licenses.md)

From: package-lock.json → npm/@commitlint/config-conventional@20.4.1 → npm/@commitlint/cli@20.4.1 → npm/meow@13.2.0

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/meow@13.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm @babel/core is 100.0% likely to have a medium risk anomaly

Notes: The examined code is a standard, benign helper for constructing and wrapping configuration items from descriptors within Babel’s tooling. There is no evidence of data leakage, exfiltration, backdoors, or other malicious activity in this fragment. The combination of immutability, brand-based identity, and non-enumerable descriptor storage indicates a well-scoped internal utility rather than anything suspicious.

Confidence: 1.00

Severity: 0.60

From: package-lock.json → npm/@babel/core@7.29.0


Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/core@7.29.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm @yao-pkg/pkg is 80.0% likely to have a medium risk anomaly

Notes: The code involves dynamically executing JavaScript code using the vm.Script module and managing child processes to handle this execution. This approach is inherently risky as it allows for arbitrary code execution and has potential security implications if the input data is not properly sanitized. However, there are no explicit signs of malicious intent such as data theft or system damage. The main concerns are related to the potential misuse of dynamic code execution and process management, which could be exploited in a supply chain attack scenario.

Confidence: 0.80

Severity: 0.65

From: package-lock.json → npm/@yao-pkg/pkg@6.12.0


Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@yao-pkg/pkg@6.12.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm @yao-pkg/pkg is 72.0% likely to have a medium risk anomaly

Notes: The fragment implements a sophisticated packaging/assembly mechanism for bundling a virtual filesystem with optional native binaries. While legitimate in advanced packaging tools, the combination of dynamic prelude injection, on-disk binary manipulation (bak/overwrite), and environment-driven external binary installation creates meaningful supply-chain security risk. The absence of explicit exfiltration or hard-coded secrets does not mitigate the risk of hidden Payload/Code injection in a build pipeline. Recommend thorough provenance checks, strict controls around prebuild-install, explicit documentation of dynamic payload embedding, and integrity verification (signatures, hashes) of all artifacts involved.

Confidence: 0.72

Severity: 0.60

From: package-lock.json → npm/@yao-pkg/pkg@6.12.0


Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@yao-pkg/pkg@6.12.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


TheLastCicada and others added 15 commits February 4, 2026 11:34
- Use default-mysql-server/client packages instead of mysql-server/client
  (the latter are not available in Debian Bookworm used by node:20.16 image)
- Add retry logic for 503 coin_management startup phase errors in organization
  creation tests (addresses intermittent test failures)
- Add isStartupPhaseError and isRetryableError helpers to centralize retry logic

Co-authored-by: Cursor <cursoragent@cursor.com>

The unified config stores MIRROR_DB under V2 section for V2 API.
Both CI workflow and test helper now use the correct path.

Co-authored-by: Cursor <cursoragent@cursor.com>

- Fix V2 mirror models to use sequelizeV2Mirror instead of sequelizeV2
- Add safeMirrorDbHandlerV2 calls to main V2 models for data sync
- Fix mirror table names (remove _mirror suffix to match migrations)
- Update config loading to use getConfigV2() for V2 mirror database
- Update test helper table name mappings

Co-authored-by: Cursor <cursoragent@cursor.com>

The mirror database config selection was based on NODE_ENV, which meant
MySQL mirror was only used in "local" mode. This fix checks if MySQL is
actually configured (has host, username, password, database) and uses
it when available, regardless of NODE_ENV.

This allows MySQL mirror to work in CI and production environments.

Co-authored-by: Cursor <cursoragent@cursor.com>
…ble logic

- Add missing safeMirrorDbHandlerV2 and EstimationV2Mirror imports
- Add mirror calls to create and bulkCreate methods
- Fix mirrorDBEnabledV2() to only return true when MySQL is configured
- In test mode without MySQL, mirror operations are now no-ops

Co-authored-by: Cursor <cursoragent@cursor.com>
TheLastCicada and others added 9 commits February 5, 2026 15:06
…data

The V2 upgrade was failing because it could start before the V1 org
singleton store had the v1 key written to the blockchain.

Changes:
- waitForV1OrganizationReady now checks orgHash and dataModelVersionStoreHash
  are populated (non-null/non-zero) before returning
- V2 upgrade endpoint validates orgHash is populated and singleton store
  actually contains the v1 key before accepting upgrade request
- Upgrade test now retries on transient singleton validation errors

This ensures the V1 org is fully complete before upgrade can proceed.

- Fix MySQL mirror verification to handle DECIMAL precision
- Add orgHash to integration test V1 org creation
- Fix getStoreDataPromise to use raw persistance.getStoreData
  (syncService version decoded data, breaking keys_values checks)

Org creation data pushes now call pushChangeListToDataLayer directly,
bypassing the legacy hasUnconfirmedTransactions gate that assumed a
single coin. With coin splitting we maintain multiple coins so
back-to-back transactions work fine. Pushes are staggered by 2s to
avoid wallet coin-selection races.

When a push fails, a fire-and-forget retry is scheduled every 30s
but the caller is notified immediately via throw, preventing a false
"2/2 stores updated" when the data model version push actually failed.
The "Already have a pending root" error from Chia is now handled
inline with wait-and-retry instead of bouncing to a 30s retry loop.
Null hashes are no longer persisted as dataModelVersionStoreHash;
getLocalRoot is used as fallback.

Coin split target increased from 12 to 15.

Add timing instrumentation around organization creation in all three
live API test files (V1, V2, and V1-to-V2 upgrade). Each prints a
clear boxed report showing the org UID and total elapsed time
including retries and wait-for-ready polling.

Coin size increased from 10,000 to 100,000,000 mojos to exceed the
default xch_spam_amount (1,000,000 mojos). Split fee now reads from
DEFAULT_FEE in CADT config instead of being hardcoded. Added
MIN_COIN_SIZE guard to prevent creating remainder coins below the
spam threshold.

The sync-default-organizations-v2 task was using
GOVERNANCE_SYNC_TASK_INTERVAL (86400s/24h) instead of
ORGANIZATION_META_SYNC_TASK_INTERVAL (300s/5min), causing new
organizations from the governance orgList to not be discovered for
24 hours after a governance change.

Additionally, importOrganization checked datalayer sync status before
subscribing to the org store, creating a chicken-and-egg problem where
new orgs could never be imported because unsubscribed stores can never
report as synced. The fix subscribes to the store first, then checks
sync status.

Also fixes coin management to use config-derived MIN_USABLE_COIN_SIZE
(DEFAULT_COIN_AMOUNT + DEFAULT_FEE) instead of hardcoded 100000000
mojos for usable coin filtering.
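As an added illustration of the two coin-size guards the commit messages above describe (the MIN_COIN_SIZE guard against sub-spam remainder coins, and MIN_USABLE_COIN_SIZE = DEFAULT_COIN_AMOUNT + DEFAULT_FEE for usable-coin filtering), here is a stand-alone planner; it is not CADT's own code, the function names are assumptions, and DEFAULT_FEE is a sample value where the real one comes from CADT config:

```javascript
// Added example, not CADT's own code. Plans a coin split with the MIN_COIN_SIZE
// guard and filters usable coins by MIN_USABLE_COIN_SIZE, as the commit messages
// describe. Function names and the fee value are assumptions.
const DEFAULT_COIN_AMOUNT = 100_000_000; // mojos per split coin (from the commit message)
const XCH_SPAM_AMOUNT = 1_000_000;       // default wallet spam threshold (from the commit message)
const DEFAULT_FEE = 1_000;               // sample value; the real fee is read from CADT config

// A remainder coin below this would sit under the wallet's spam threshold and be ignored.
const MIN_COIN_SIZE = XCH_SPAM_AMOUNT;
// A coin is only usable if it covers one transaction's amount plus its fee.
const MIN_USABLE_COIN_SIZE = DEFAULT_COIN_AMOUNT + DEFAULT_FEE;

/**
 * Plan the outputs of splitting one parent coin into up to targetCount coins.
 * Returns { outputs, fee }; outputs sum to parentAmount - fee, and no output
 * is ever smaller than MIN_COIN_SIZE.
 */
function planCoinSplit(parentAmount, targetCount = 15, fee = DEFAULT_FEE) {
  const spendable = parentAmount - fee;
  if (spendable < DEFAULT_COIN_AMOUNT) {
    return { outputs: [], fee, reason: 'parent coin cannot fund a single full-size coin' };
  }
  const count = Math.min(targetCount, Math.floor(spendable / DEFAULT_COIN_AMOUNT));
  const outputs = new Array(count).fill(DEFAULT_COIN_AMOUNT);
  const remainder = spendable - count * DEFAULT_COIN_AMOUNT;
  if (remainder >= MIN_COIN_SIZE) {
    outputs.push(remainder);                  // large enough to stand as its own coin
  } else if (remainder > 0) {
    outputs[outputs.length - 1] += remainder; // guard: fold dust into the last coin
  }
  return { outputs, fee };
}

// Filter a wallet's coins down to those coin management may actually spend.
function usableCoins(coins) {
  return coins.filter((coin) => coin.amount >= MIN_USABLE_COIN_SIZE);
}
```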
@TheLastCicada TheLastCicada changed the title Update dependencies Fix sync, update dependencies, fix org creation Feb 6, 2026
@TheLastCicada TheLastCicada merged commit c732f05 into develop Feb 6, 2026
27 of 34 checks passed
@TheLastCicada TheLastCicada deleted the v2-rc2 branch February 6, 2026 21:25
@TheLastCicada TheLastCicada restored the v2-rc2 branch February 6, 2026 21:38