
Revise README structure and add sponsorship details (#146) (#155) #156

Closed

Dargon789 wants to merge 0 commits into master from snyk-fix-1a42f46a3694152c28f6d1d4dc5aea44

Conversation

@Dargon789 (Owner)

  • 0xsequence/master (0xsequence/master #79)

  • Create fortify.yml

  • Update issue templates

  • Update CNAME

  • fix: upgrade @tanstack/react-query from 5.45.1 to 5.64.2

Snyk has created this PR to upgrade @tanstack/react-query from 5.45.1 to 5.64.2.

See this package in npm:
@tanstack/react-query

See this project in Snyk:
https://app.snyk.io/org/dargon789/project/bb845543-cbee-4e11-8cf9-8bfdf9205bf1?utm_source=github&utm_medium=referral&page=upgrade-pr

  • Create config.yml (Create config.yml #46)

  • Update fortify.yml

  • Update .github/ISSUE_TEMPLATE/bug_report.md

  • Update .github/ISSUE_TEMPLATE/feature_request.md


Summary by Sourcery
Overhaul App.tsx to build a comprehensive Sequence Wallet demo application, replacing wagmi with Sequence SDK integration, adding environment/configuration management, rich wallet operations, and a structured UI with console output for interactive testing

New Features:

  • Replace wagmi-based hooks with @0xsequence wallet initialization and integration
  • Add environment selection and dynamic wallet URLs via query parameters
  • Implement connect, disconnect, open/close wallet and customizable connection settings
  • Provide extensive demo actions including chain/network switching, account/balance queries, message signing, typed data signing, and transaction sending
  • Introduce a console component and logging for viewing function outputs
  • Add email-based auto-login via modal with validation

Enhancements:

  • Refactor UI to use design-system components and group actions thematically
  • Initialize logger and configure default chain/network
  • Memoize and listen to wallet events such as chain changes

Bumps next from 15.5.7 to 15.5.9.


updated-dependencies:

  • dependency-name: next dependency-version: 15.5.9 dependency-type: direct:production ...

Snyk has created this PR to upgrade @wagmi/cli from 0.1.15 to 2.8.0.

See this package in npm:
@wagmi/cli

See this project in Snyk:
https://app.snyk.io/org/dargon789/project/bb845543-cbee-4e11-8cf9-8bfdf9205bf1?utm_source=github&utm_medium=referral&page=upgrade-pr

  • Potential fix for code scanning alert no. 82: Workflow does not contain permissions

  • Potential fix for code scanning alert no. 62: Information exposure through a stack trace

  • [Snyk] Upgrade @tanstack/react-query from 5.64.2 to 5.90.11 ([Snyk] Upgrade @tanstack/react-query from 5.64.2 to 5.90.11 #125)

  • fix: upgrade @tanstack/react-query from 5.64.2 to 5.90.11

Snyk has created this PR to upgrade @tanstack/react-query from 5.64.2 to 5.90.11.

See this package in npm:
@tanstack/react-query

See this project in Snyk:
https://app.snyk.io/org/dargon789/project/bb845543-cbee-4e11-8cf9-8bfdf9205bf1?utm_source=github&utm_medium=referral&page=upgrade-pr

  • Update wagmi-project/package.json

Snyk has created this PR to upgrade vite from 5.4.21 to 7.2.4.

See this package in npm:
vite

See this project in Snyk:
https://app.snyk.io/org/dargon789/project/bb845543-cbee-4e11-8cf9-8bfdf9205bf1?utm_source=github&utm_medium=referral&page=upgrade-pr

Snyk has created this PR to upgrade wagmi from 0.12.19 to 3.0.2.

See this package in npm:
wagmi

See this project in Snyk:
https://app.snyk.io/org/dargon789/project/bb845543-cbee-4e11-8cf9-8bfdf9205bf1?utm_source=github&utm_medium=referral&page=upgrade-pr

Snyk has created this PR to upgrade react-dom from 18.3.1 to 19.2.0.

See this package in npm:
react-dom

See this project in Snyk:
https://app.snyk.io/org/dargon789/project/bb845543-cbee-4e11-8cf9-8bfdf9205bf1?utm_source=github&utm_medium=referral&page=upgrade-pr

The following vulnerabilities are fixed with an upgrade:

Snyk has created this PR to upgrade @types/react from 18.3.27 to 19.2.7.

See this package in npm:
@types/react

See this project in Snyk:
https://app.snyk.io/org/dargon789/project/bb845543-cbee-4e11-8cf9-8bfdf9205bf1?utm_source=github&utm_medium=referral&page=upgrade-pr

  • Update wagmi-project/package.json

Bumps the npm_and_yarn group with 1 update in the / directory: express.

Updates express from 4.18.2 to 4.19.2


updated-dependencies:

  • dependency-name: express dependency-type: direct:development dependency-group: npm_and_yarn-security-group ...

  • Create SECURITY.md

  • Set up CI with Azure Pipelines

[skip ci]

  • Create CNAME


  • Support multiple identity signers in sessions configuration

  • Device signers can approve implicit sessions

  • Remove invalid test

  • Fix recursion

  • Fix comment

  • Improve test stability by reducing race conditions

  • Do not set passkey signer as identity signer

  • Use length checks

  • Throw on missing identity signer

  • Encoding requires identity signer to encode

  • Fix test

  • Refactor/types namings tsdoc redundant code (Refactor/types namings tsdoc redundant code 0xsequence/sequence.js#880)

  • refactor types, namings, ts doc

  • fix session response payload

  • change parameter name

  • change parameter name

  • change type in tests

  • improve types and dapp client methods

  • fix session test to use new types

  • refactor

  • refactor implicit sessions array in chain session manager

  • remove unused types

  • remove unused types and add ConnectionError

  • update pnpm lock

  • move reusable session types to wallet-core

  • Update some imports and update some response type names


Bumps the npm_and_yarn group with 1 update in the / directory: happy-dom.
Bumps the npm_and_yarn group with 1 update in the /packages/wallet/dapp-client directory: happy-dom.
Bumps the npm_and_yarn group with 1 update in the /packages/wallet/wdk directory: happy-dom.

Updates happy-dom from 17.6.3 to 20.0.2

Updates happy-dom from 17.6.3 to 20.0.2

Updates happy-dom from 17.6.3 to 20.0.2


updated-dependencies:

  • dependency-name: happy-dom dependency-version: 20.0.2 dependency-type: direct:development dependency-group: npm_and_yarn
  • dependency-name: happy-dom dependency-version: 20.0.2 dependency-type: direct:development dependency-group: npm_and_yarn
  • dependency-name: happy-dom dependency-version: 20.0.2 dependency-type: direct:development dependency-group: npm_and_yarn ...

Enhancements:
  • Include FUNDING.json to display GitHub sponsorship options in the repository

Add initial CircleCI configuration to enable automated builds using a custom Docker executor and a defined workflow.

Build:
  • Add .circleci/config.yml with version 2.1 specification and custom Docker executor.

CI:
  • Define web3-defi-game-project job with checkout step.
  • Set up my-custom-workflow to run the job.

  • Add rc4 contracts

  • Set rc4 as default and add it to lists

  • Session enhanced replay protection

  • New sessions replay protection hashes payload

  • Use the 4337 factory wrapper

  • Update keymachine url in dapp-client constants

  • Update keymachine url in Provider constructor

  • SSR safety (SSR safety 0xsequence/sequence.js#915)

  • SSR safety test

  • Fix CI job

  • Guard dapp-client for SSR (lazy transport, browser checks, gated storage)

  • Fix guard topology (Fix guard topology 0xsequence/sequence.js#918)

  • Use proper guard topology

  • Test and fixes

  • login and setup tests

  • Switch prod manager settings (Switch prod manager settings 0xsequence/sequence.js#917)

  • Add prod guard and identity instrument info

  • Remove completed TODOs

  • Small JS tweaks (Small JS tweaks 0xsequence/sequence.js#919)

  • Fix type exports to built declarations

  • Update repository links to current package paths

  • Improve Next app tooling and React typings

  • Expose primitives CLI bin and use base lint config

  • Update relayer.gen.ts and TransactionPrecondition interface

  • Update api.gen.ts

  • Update metadata.gen.ts

  • Update marketplace.gen.ts

  • Update guard.gen.ts




Bumps next from 15.5.5 to 15.5.7.


updated-dependencies:

  • dependency-name: next dependency-version: 15.5.7 dependency-type: direct:production ...


The following vulnerabilities are fixed with an upgrade:

  • Revert "Merge remote-tracking branch 'origin/dependabot/npm_and_yarn/npm_and_yarn-318c02e2da'"

This reverts commit fd0fdf9, reversing changes made to cba7894.

The following vulnerabilities are fixed with an upgrade:

Bumps the npm_and_yarn group with 1 update in the / directory: next.

Updates next from 15.5.7 to 15.5.9


updated-dependencies:

  • dependency-name: next dependency-version: 15.5.9 dependency-type: direct:production dependency-group: npm_and_yarn ...

The following vulnerabilities are fixed with an upgrade:

Bumps the npm_and_yarn group with 1 update in the / directory: next.

Updates next from 15.5.5 to 15.5.9

Updates happy-dom from 17.6.3 to 20.0.11

Updates vite from 7.1.10 to 7.2.7


updated-dependencies:

  • dependency-name: next dependency-version: 15.5.9 dependency-type: direct:production dependency-group: npm_and_yarn
  • dependency-name: happy-dom dependency-version: 20.0.11 dependency-type: direct:development dependency-group: npm_and_yarn
  • dependency-name: vite dependency-version: 7.2.7 dependency-type: indirect dependency-group: npm_and_yarn ...

Bumps next from 15.5.7 to 15.5.9.


updated-dependencies:

  • dependency-name: next dependency-version: 15.5.9 dependency-type: direct:production ...

The following vulnerabilities are fixed with an upgrade:


  • Update wagmi-project/src/App.tsx

  • Update wagmi-project/src/App.tsx

  • Update wagmi-project/src/App.tsx

  • Update wagmi-project/src/App.tsx

  • 2.3.7 (2.3.7 #131) (2.3.7 (#131) #132)

  • 2.3.7 (2.3.7 #131)

  • fix broken guard private key

  • Expose access to passkey credential list

  • Dapp client direct txn request (Dapp client direct txn request 0xsequence/sequence.js#856)

  • Signature request refactor

  • WIP

  • Refactor

  • Update dapp-client exports (Update dapp-client exports 0xsequence/sequence.js#858)

  • Add hasPermission method to DappClient (Add hasPermission method to DappClient 0xsequence/sequence.js#859)

  • Save discovered passkey credentials upon login

  • Expose name property in PasskeySignupArgs

  • Fix blacklist sort

  • Add multi server script

  • relayer: /SimulateV3 (relayer: /SimulateV3 0xsequence/sequence.js#857)

  • Add await for handleOpenDB scheduleExpiration

  • Update increment to always include native once used

  • Fix session tests

  • Adding lastLoginAt to PasskeyCredential

  • LoginToPasskeyArgs now accept a credentialId which is used to specify which credential to use

  • Adding onSignatureRequestStatus function to register single use callbacks for when a request reaches a terminal state of completed or cancelled

  • When a login is cancelled we can remove the wallet which is logging-in

  • Add RC3 contracts

  • Sessions space restriction

  • Dedupe signers for encoding

  • Support RC3 sessions

  • Tightly increment call validation

  • CLI defaults to RC3 wallet code

  • Rc3 address test

  • Fix hashing tests

  • Add deprecated encoding test

  • wdk: throw errors from otp respond callback (wdk: throw errors from otp respond callback 0xsequence/sequence.js#864)

  • wdk: throw errors from otp respond callback

  • wdk: otp auth error and handler refactor

  • Handle guard 2FA (Handle guard 2FA 0xsequence/sequence.js#861)

  • guard: return a specific error when auth required

  • core: pass guard token to the service

  • wdk: handle prompting for guard 2FA code

  • dapp-client: handle prompting for guard 2FA code

  • guard 2fa tests

  • wdk: separate wallet and sessions guards

  • dapp-client: remove guard 2fa

  • dapp-client: fix imports

  • fix guard tests

  • wdk: remove unneeded promise resolve

  • Update relayer and api gen.ts, force public packages

  • Add standalone fetch queued payloads

  • Replacing GuardRole enum with string union type, as well as replacing guardAddresses Map with Record<GuardRole, Address>

  • Fallback to chain for non-logged in recovery

  • Add Katana, Sandbox Testnet, Incentiv Testnet v2 (Add Katana, Sandbox Testnet, Incentiv Testnet v2 0xsequence/sequence.js#873)

  • Update a few remaining dev1 contract addresses to rc3 (Update a few remaining dev1 contract addresses to rc3 0xsequence/sequence.js#874)

  • Remove unnecessary console.error where we already throw error

  • Improve DappClient hasPermission method

  • Wallet db try checksum and lowercase

  • Update dapp client json utils to include Map reviver and replacer

  • Bump next in the npm_and_yarn group across 1 directory

Bumps the npm_and_yarn group with 1 update in the / directory: next.

Updates next from 15.4.2 to 15.4.7


updated-dependencies:

  • dependency-name: next dependency-version: 15.4.7 dependency-type: direct:production dependency-group: npm_and_yarn ...

  • Update type name, update exports for dapp client

  • Expired explicit sessions can't sign

  • Improve session validity test

  • session isValid returns invalid reason

  • InvalidReason is typed



Bumps the npm_and_yarn group with 1 update in the / directory: happy-dom.
Bumps the npm_and_yarn group with 1 update in the /packages/wallet/dapp-client directory: happy-dom.
Bumps the npm_and_yarn group with 1 update in the /packages/wallet/wdk directory: happy-dom.

Updates happy-dom from 17.6.3 to 20.0.0

Updates happy-dom from 17.6.3 to 20.0.0

Updates happy-dom from 17.6.3 to 20.0.0


updated-dependencies:

  • dependency-name: happy-dom dependency-version: 20.0.0 dependency-type: direct:development dependency-group: npm_and_yarn
  • dependency-name: happy-dom dependency-version: 20.0.0 dependency-type: direct:development dependency-group: npm_and_yarn
  • dependency-name: happy-dom dependency-version: 20.0.0 dependency-type: direct:development dependency-group: npm_and_yarn ...

Bumps the npm_and_yarn group with 1 update in the / directory: happy-dom.

Updates happy-dom from 20.0.0 to 20.0.2


updated-dependencies:

  • dependency-name: happy-dom dependency-version: 20.0.2 dependency-type: direct:development dependency-group: npm_and_yarn ...

Add a security policy document outlining supported versions and vulnerability reporting.

  • Update SECURITY.md

  • Update SECURITY.md



  • Add a way to reset 2fa when using a backup code (Add a way to reset 2fa when using a backup code 0xsequence/sequence.js#911)

  • Add a way to reset 2fa when using a backup code

  • use the GuardToken type instead of breaking out the props

  • Update SECURITY.md

  • Update packages/wallet/dapp-client/src/DappTransport.ts

  • Update package.json

  • Update SECURITY.md

  • Update wagmi-project/package.json

  • Update wagmi-project/package.json

  • Update wagmi-project/src/App.tsx

  • Create FUNDING.json (Create FUNDING.json #90)



Co-authored-by: gemini-code…

@codesandbox bot commented Dec 26, 2025

Review or Edit in CodeSandbox (open the branch in the Web Editor, VS Code or Insiders; open preview).

@bolt-new-by-stackblitz

Review PR in StackBlitz Codeflow: run and review this pull request in StackBlitz Codeflow.

Code scanning annotations (CodeQL) on the changed files:

Check failure: Insecure randomness
    }
    }

    export function createEmitter<eventMap extends EventMap>(uid: string) {
  This uses a cryptographically insecure random number generated at Math.random() in a security context.

Check failure: Incomplete regular expression for hostnames
    stream.end();

    // write results in markdown format
    writeEntry(spec, contract, code || signal, (await output).match(/https:\/\/prover.certora.com\/output\/\S*/)?.[0]);
  This regular expression has an unescaped '.' before 'certora.com', so it might match more hosts than expected.

Check failure: Polynomial regular expression used on uncontrolled data (the same constructor pattern is flagged in the generated clients for '/rpc/Builder/', '/rpc/IdentityInstrument/', '/rpc/Indexer/', '/rpc/Collections/', '/rpc/Admin/' and '/rpc/Relayer/')
    protected path = '/rpc/Builder/'

    constructor(hostname: string, fetch: Fetch) {
    this.hostname = hostname.replace(/\/*$/, '')
  This regular expression, which depends on library input, may run slow on strings with many repetitions of '/'.

Check failure: Insecure randomness
    this.readyPromise.catch(() => {})
    this.initId = this.generateId()
    const fullWalletUrl = path ? `${this.walletUrl}${path}` : this.walletUrl
    this.sessionId = this.generateId()
  This uses a cryptographically insecure random number generated at Math.random() in a security context.

Check warning: Information exposure through a stack trace
    } catch (error) {
    if (!silent) console.log(`[${new Date().toISOString()}] JSON parse error:`, error)
    res.statusCode = 400
    res.end(JSON.stringify(errorResponse(undefined, -32700, 'Parse error', String(error))))
  This information exposed to the user depends on stack trace information.
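Both regular-expression findings above, worked through as an added example in TypeScript. This is not code from the 0xsequence repository: the function names, the candidate-URL extraction step and the sample tool output are this example's own assumptions; only the flagged expressions `hostname.replace(/\/*$/, '')` and the `prover.certora.com` pattern come from the annotations.

```typescript
// Added example, not project code. Names below are the example's own.

// 1. Trailing-slash stripping in linear time.
// The flagged `hostname.replace(/\/*$/, '')` is retried at every position where
// the `$` anchor fails: inside a run of N slashes followed by any other
// character the engine matches the run, fails at `$`, gives back one slash,
// fails again, and so on, so a caller-controlled hostname costs O(N^2).
// Scanning from the end once is O(N) and produces the same string.
export function stripTrailingSlashes(hostname: string): string {
  let end = hostname.length
  while (end > 0 && hostname.charCodeAt(end - 1) === 0x2f /* '/' */) end--
  return hostname.slice(0, end)
}

// 2. Exact host comparison instead of a regex with unescaped dots.
// In `/https:\/\/prover.certora.com\/output\/\S*/` each `.` matches any
// character, so `prover-certora.com` or `proverXcertoraYcom` also pass.
// Parsing each candidate with the URL parser and comparing `hostname`
// exactly removes that ambiguity (and lowercases the host for us).
export const EXPECTED_PROVER_HOST = 'prover.certora.com' // host taken from the quoted regex

export function findProverOutputUrl(
  text: string,
  expectedHost: string = EXPECTED_PROVER_HOST,
): string | undefined {
  // Candidate tokens: anything from "https://" up to the next whitespace.
  // `\S+` is greedy with no alternation, so this scan stays linear.
  const candidates = text.match(/https:\/\/\S+/g) ?? []
  for (const candidate of candidates) {
    let url: URL
    try {
      url = new URL(candidate)
    } catch {
      continue // not a parseable absolute URL
    }
    if (url.protocol === 'https:' && url.hostname === expectedHost && url.pathname.startsWith('/output/')) {
      return url.toString()
    }
  }
  return undefined
}

// Constructed sample tool output (not real prover output) with a look-alike
// host appearing before the genuine one.
export const SAMPLE_OUTPUT = [
  'Verifying spec ... done',
  'See https://prover-certora.com/output/999/deadbeef for the look-alike',
  'Results: https://prover.certora.com/output/123/abc?anonymousKey=x',
].join('\n')
```

The loop does the same work as the flagged replace in one pass, so a hostname consisting of a long run of slashes followed by one other character no longer costs time quadratic in its length. For the prover link, an exact comparison of the parsed hostname is stricter than merely escaping the dots: a host that only contains the expected name as a substring no longer matches.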
@sourcery-ai bot left a comment

Sorry, we are unable to review this pull request

The GitHub API does not allow us to fetch diffs exceeding 300 files, and this pull request has 3668

@snyk-io bot commented Dec 26, 2025

Snyk checks have passed. No issues have been found so far.

Scanner: Open Source Security. Critical 0, High 0, Medium 0, Low 0, Total 0 issues.

@gemini-code-assist

Summary of Changes

Hello @Dargon789, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request represents a substantial effort to modernize and stabilize the project's codebase. It integrates a new wallet demo application, updates a vast array of dependencies to their latest versions, and refines core wallet functionalities. The changes also include significant improvements to development workflows, CI/CD pipelines, and overall project maintainability, ensuring a more robust and secure foundation for future development.

Highlights

  • README Overhaul & Sponsorship: The project's main README.md has been completely restructured to focus on 'Wagmi' as reactive primitives for Ethereum apps, including new sections for documentation, community, contributing, and a comprehensive list of sponsors. A FUNDING.json file was also added to enable GitHub sponsorship options.
  • Extensive Dependency Upgrades: Numerous dependencies across the project have been upgraded, including @tanstack/react-query (to 5.90.11), next (to 15.5.9), @wagmi/cli (to 2.8.0), vite (to 7.2.4), wagmi (to 3.0.2), react-dom (to 19.2.0), @types/react (to 19.2.7), happy-dom (to 20.0.10/11), ox (to 9.17.0), and TypeScript (to 5.9.3). Many of these upgrades address vulnerabilities and improve compatibility.
  • Sequence Wallet Demo Application: The App.tsx file underwent a significant overhaul to build a comprehensive Sequence Wallet demo application. This involved replacing wagmi-based hooks with Sequence SDK integration, adding environment/configuration management, rich wallet operations, and a structured UI with console output for interactive testing.
  • Core Wallet & Service Enhancements: Key improvements were made to core wallet functionalities and services, including support for multiple identity signers in sessions, session signature decoding, adding a feeTokens endpoint to the relayer and dapp client, making dapp-client implicit sessions chain agnostic, and enhancing sessionless connection handling. RC4 and RC5 contracts were added and set as default, alongside a new 4337 factory wrapper.
  • Developer Tooling & CI/CD Improvements: The project's developer experience was boosted with updates to syncpack configuration, pinning foundry to a stable version, and implementing various GitHub workflows for Vercel preview deployments, changesets, dependency review, issue management, and Octopus Deploy. Initial CircleCI configuration was also added.
  • Security & Bug Fixes: Several fixes were implemented to reduce vulnerabilities in extras/docs/package.json and extras/web/package.json. Potential code scanning alerts were addressed, and error handling was improved in wallet/primitives-cli to prevent exposure of internal details. Logic was added to skip witness probes for Passkeys and non-witnessable signers, and 2FA recovery mechanisms were enhanced.


Ignored Files
  • Ignored by pattern: .github/workflows/** (2)
    • .github/workflows/Publish-Dists.yml
    • .github/workflows/tests.yml

@gemini-code-assist bot left a comment

Code Review

This pull request introduces a wide range of improvements, including significant security fixes, dependency updates, and a major overhaul of the README file. The security enhancements, such as improving nonce generation and preventing error detail leakage, are particularly valuable. The refactoring to handle non-witnessable signers is also a notable improvement for performance and correctness. While the changes are extensive and positive, there are some minor opportunities to improve test code quality by avoiding non-null assertions. Overall, this is a substantial and beneficial contribution to the repository.

I am having trouble creating individual review comments. My feedback is below.

packages/services/identity-instrument/src/index.ts (68)

Severity: security-high

This is an excellent security improvement. Using Date.now() for a nonce is predictable and can lead to security vulnerabilities like replay attacks. Switching to Hex.random(16) ensures a cryptographically secure random value is used, which is the correct approach for generating nonces.

packages/wallet/primitives-cli/src/subcommands/server.ts (330-331)

Severity: security-high

This is a great security fix. By removing the detailed error object from the JSON response, you are preventing potential information leakage, such as stack traces or internal system details, to the client. This aligns with security best practices for error handling.

packages/wallet/wdk/test/authcode.test.ts (257)

Severity: medium

While this is in a test file, using non-null assertions (!) can make tests more brittle and potentially hide bugs if the value is unexpectedly null or undefined. It's safer to assert that the value is defined before accessing it.

For example, you could check the length of the array first:

    expect(mockAuthCommitmentsSet.mock.calls).toHaveLength(1);
    const commitmentCall = mockAuthCommitmentsSet.mock.calls[0][0];

This pattern of using ! appears in multiple test files in this PR. It would be good to apply this feedback across all similar instances for more robust tests.
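The identifier pattern behind the two CodeQL "Insecure randomness" alerts on the diff (Math.random() feeding generateId() for the transport's init and session ids) and the Date.now() nonce point raised in this review, as an added TypeScript example that is not the dapp-client or identity-instrument code. `generateIdInsecure`, `randomNonceHex`, `generateId` and `idsLookWellFormed` are this example's own names; the CSPRNG call is the Web Crypto `getRandomValues` that browsers expose, reached here through Node's `webcrypto` so the file runs outside a browser.

```typescript
// Added example, not project code. Names below are the example's own.
import { webcrypto } from 'node:crypto'

// The shape CodeQL flags. Math.random() is a seeded PRNG (xorshift128+ in V8)
// whose state can be recovered from a handful of outputs, and Date.now() is
// guessable to the millisecond. Neither suits an id or nonce that another
// origin, or a peer replaying an old message, must be unable to predict.
export function generateIdInsecure(): string {
  return `${Date.now().toString(36)}-${Math.random().toString(36).slice(2)}`
}

// `bytes` octets from the platform CSPRNG, hex encoded. The default of 16
// (128 bits) keeps the collision probability around 2^-64 after 2^32 ids,
// so no timestamp prefix is needed for uniqueness.
export function randomNonceHex(bytes: number = 16): string {
  // getRandomValues rejects requests above 65536 bytes; fail early and clearly.
  if (!Number.isInteger(bytes) || bytes < 1 || bytes > 65536) {
    throw new RangeError('bytes must be an integer in [1, 65536]')
  }
  const buf = webcrypto.getRandomValues(new Uint8Array(bytes))
  // Two hex digits per byte; the +0x100 trick pads single digits without padStart.
  return Array.from(buf, (b) => (b + 0x100).toString(16).slice(1)).join('')
}

// Drop-in replacement for the flagged generator: same string type, opaque
// value, no timestamp component to narrow a guess.
export function generateId(): string {
  return randomNonceHex(16)
}

// Sanity check a reviewer can run over a batch: every id is hex of the expected
// width and there are no repeats. Passing is necessary, not sufficient; it would
// not catch a predictable generator, which is why the randomness source, not
// the output format, is what the alert is about.
export function idsLookWellFormed(ids: string[], bytes: number = 16): boolean {
  const re = new RegExp(`^[0-9a-f]{${bytes * 2}}$`)
  return ids.every((id) => re.test(id)) && new Set(ids).size === ids.length
}
```

In a browser the same code is `crypto.getRandomValues(new Uint8Array(16))` with no import; the `node:crypto` import exists only so the example runs under Node.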

Labels: None yet

Projects: Status: Done

1 participant