chore(deps): quarterly batch dependency upgrade 2026-Q2 #3271
Walkthrough
Updated dependency versions across the monorepo; extended Jest transforms to include built JS from two agent packages; added defensive BigNumber parsing (throwing ValidationError) in several numeric utilities; minor TypeScript annotations and new batch-deps-upgrade Claude skill docs.
Actionable comments posted: 2
🧹 Nitpick comments (1)
.claude/commands/batch-deps-upgrade.md (1)
59-59: Tighten repetitive wording in output description. Line 59 repeats “explanation/explaining”; consider a cleaner phrase for readability.
Suggested wording
-1. **Code changes explanation** — write a markdown file (`.claude/commands/batch-deps-upgrade-code-changes.md`) documenting every non-package.json source code change, explaining what broke, why, and the minimal fix applied. +1. **Code changes explanation** — write a markdown file (`.claude/commands/batch-deps-upgrade-code-changes.md`) documenting every non-package.json source code change, including what broke, why, and the minimal fix applied.🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.claude/commands/batch-deps-upgrade.md at line 59, The line currently repeats "explanation/explaining"; edit the sentence in .claude/commands/batch-deps-upgrade.md (the "Code changes explanation" instruction) to remove the redundancy and tighten wording—for example, rephrase to "Code changes — write a markdown file (.claude/commands/batch-deps-upgrade-code-changes.md) documenting every non-package.json source code change: what broke, why, and the minimal fix applied." Update the single sentence wherever the repeated words occur so the output description reads clearly and concisely.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In `@package.json`:
- Line 51: The package.json upgrade of the "lerna" dependency to "^9.0.4"
violates the team's decision to remain on v8; revert the version spec back to an
appropriate v8 pin (e.g., replace "^9.0.4" with the project's agreed v8 version)
in package.json or, if this PR is intentionally upgrading to v9, add the
approved v9 migration reference/approval in the PR description and include that
approval identifier in the commit message so reviewers can verify the decision;
locate the "lerna" entry in package.json to make the change.
In `@packages/ripple-binary-codec/package.json`:
- Line 15: The BigNumber constructor can now throw on invalid input; update
codec parse paths to catch those throws or validate before constructing to
preserve stable errors: wrap all BigNumber creation sites in quality.ts
(specifically in functions decodeQuality and encode) and in types/amount.ts
(places that currently call BigNumber directly and locations relying on
assertIouIsValid) with try-catch blocks that convert/normalize errors to the
library's existing error types, or add pre-validation logic before calling new
BigNumber(...); ensure decodeQuality remains safe for public input by returning
the same error shape as prior behavior instead of letting BigNumber exceptions
leak.
⛔ Files ignored due to path filters (1)
- package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (12)
- .claude/commands/batch-deps-upgrade.md
- .claude/docs/batch-deps-upgrade-README.md
- jest.config.base.js
- package.json
- packages/isomorphic/package.json
- packages/ripple-address-codec/package.json
- packages/ripple-binary-codec/package.json
- packages/ripple-binary-codec/src/types/amount.ts
- packages/ripple-binary-codec/src/types/uint-64.ts
- packages/xrpl/package.json
- packages/xrpl/src/utils/quality.ts
- packages/xrpl/src/utils/xrpConversion.ts
/ai-review
Actionable comments posted: 4
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.claude/skills/batch-deps-upgrade/SKILL.md:
- Line 69: The markdown in .claude/skills/batch-deps-upgrade/SKILL.md uses
non-canonical product casing on the PR template instruction; update the text at
the PR template reference (the sentence "write a markdown file
(`.claude/skills/batch-deps-upgrade/pr-description.md`) following the repo's PR
template") to use the official product casing "GitHub" instead of any other
variant so the line reads using "GitHub" consistently.
- Line 65: Edit the bullet titled "Code changes explanation" to remove the
duplicated wording "explanation/explaining" by rephrasing the sentence; replace
the current line with something like: "Write a markdown file documenting every
non-package.json source code change: explain what broke, why it broke, and the
minimal fix applied." This targets the exact heading "Code changes explanation"
and the sentence that repeats "explanation/explaining."
- Around line 26-29: The step that tells maintainers to "remove unused
dependencies" based solely on `npx knip` output is risky; update the SKILL.md
instructions around the `npx knip` step (the bullet starting "Unused
dependencies") so removals require human confirmation or a secondary
verification (e.g., run full test suite, search for dynamic/optional imports, or
run a CI job that checks runtime usage) before editing package.json, and add a
short note next to the `npx knip` / "Unlisted dependencies" guidance to
explicitly require adding transitive-but-used packages only after manual
validation.
- Around line 42-45: Replace the vague "Wait for healthy" instruction with a
concrete readiness check and bounded timeout: poll the rippled_standalone
container health/status (e.g., docker inspect .State.Health.Status or curl to
the node's health endpoint) in a loop with a clear timeout (e.g., 60–120s) and
fail fast if not ready, then only run "npm run test:integration && npm run
test:browser" after the readiness check succeeds; ensure the instructions name
the container "rippled_standalone" so the command to check readiness and the
timeout are unambiguous.
📒 Files selected for processing (3)
- .claude/skills/batch-deps-upgrade/README.md
- .claude/skills/batch-deps-upgrade/SKILL.md
- packages/xrpl/src/utils/xrpConversion.ts
✅ Files skipped from review due to trivial changes (1)
- .claude/skills/batch-deps-upgrade/README.md
🚧 Files skipped from review as they are similar to previous changes (1)
- packages/xrpl/src/utils/xrpConversion.ts
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.claude/skills/batch-deps-upgrade/SKILL.md:
- Line 43: The Docker command in the SKILL.md snippet uses incorrect image,
binary and volume path; update the docker run invocation so the image tag uses
rippleci/rippled:develop (not rippleci/xrpld:develop), run the rippled binary
(replace xrpld --standalone with rippled --standalone), and change the mounted
config path from /etc/opt/xrpld/ to /etc/opt/ripple/ so the command uses the
correct image name, executable and config mount.
⛔ Files ignored due to path filters (1)
- package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (1)
.claude/skills/batch-deps-upgrade/SKILL.md
Actionable comments posted: 1
🧹 Nitpick comments (2)
packages/ripple-binary-codec/src/quality.ts (1)
15-27: Minor: stylistic inconsistency between `encode` and `decode`.
`encode` uses `BigNumber(quality)` (factory-style) while `decode` at Line 40 uses `new BigNumber(...)`. Both are valid in bignumber.js, but mixing them in adjacent methods is easy to trip over. Also, `decimal?.e` at Line 22 no longer needs the optional chain — after the `try/catch` assigns or throws, `decimal` is guaranteed to be defined.
♻️ Optional cleanup
static encode(quality: string): Uint8Array { let decimal: BigNumber try { - decimal = BigNumber(quality) + decimal = new BigNumber(quality) } catch (_err) { throw new Error(`${quality} is not a valid quality`) } - const exponent = (decimal?.e || 0) - 15 + const exponent = (decimal.e || 0) - 15🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@packages/ripple-binary-codec/src/quality.ts` around lines 15 - 27, The encode method uses the factory call BigNumber(quality) and an unnecessary optional chain on decimal (decimal?.e), causing stylistic mismatch with decode which uses new BigNumber(...); update encode to use new BigNumber(quality) and remove the optional chaining (use decimal.e) after the try/catch so the code is consistent and reflects that decimal is always defined or an error was thrown.
packages/ripple-binary-codec/src/types/amount.ts (1)
112-172: BigNumber guarding looks correct, but error type diverges from the rest of the PR.
The three `try/catch` blocks correctly convert bignumber.js v10's new throw-on-invalid into a descriptive domain error, and the `${value} is an illegal amount` message matches the existing test contract (e.g. `packages/ripple-binary-codec/test/amount.test.ts:86-90`), so behavior is preserved.
Minor consistency note: the companion changes in `packages/xrpl/src/utils/xrpConversion.ts` and `packages/xrpl/src/utils/quality.ts` throw `ValidationError` on the same class of failure. Here we throw a plain `Error`. This is intentional given the existing tests in `ripple-binary-codec`, but worth calling out so future consumers don't assume a uniform error type across packages.
Also note that the pre-existing MPT path at Line 325 (`BigInt(amount) & BigInt(mptMask)`) will still throw a raw `SyntaxError` for BigNumber-valid but BigInt-invalid inputs such as `"1e5"` — not introduced here, but the broader hardening in this PR might be a good moment to wrap it too.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In `@packages/ripple-binary-codec/src/types/amount.ts` around lines 112 - 172, Summary: Replace plain Error throws for invalid BigNumber/BigInt conversions with a consistent ValidationError and guard BigInt parsing in the MPT path. Update the catch in the isAmountObjectIOU BigNumber conversion to throw ValidationError instead of Error (change the current catch that throws `${value.value} is an illegal amount`), and similarly change the other two BigNumber try/catch sites in this module to throw ValidationError; additionally wrap BigInt parsing in the isAmountObjectMPT path (the const num = BigInt(value.value) line) and the existing BigInt mask operation (BigInt(amount) & BigInt(mptMask)) in try/catch blocks that throw ValidationError on failure so BigInt-invalid inputs like "1e5" produce a ValidationError rather than a raw SyntaxError. Ensure you import or reference the ValidationError class used elsewhere in the repo.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.claude/skills/batch-deps-upgrade/SKILL.md:
- Around line 42-50: The fenced code block containing the shell snippet (the
block starting with ```) is missing a language tag which triggers markdownlint
MD040; update the opening fence to include a language (e.g., add "bash" after
the backticks) so the block becomes ```bash, preserving the existing shell
content (SECONDS loop, nc checks, docker logs, exit) and nothing else.
⛔ Files ignored due to path filters (1)
- package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (5)
- .claude/skills/batch-deps-upgrade/SKILL.md
- package.json
- packages/ripple-binary-codec/src/quality.ts
- packages/ripple-binary-codec/src/types/amount.ts
- webpack.test.config.js
✅ Files skipped from review due to trivial changes (2)
- webpack.test.config.js
- package.json
| @@ -12,7 +12,7 @@ module.exports = { | |||
| }, | |||
The changes in this file are caused by: https-proxy-agent 7 → 9
v9 is ESM-only (import syntax), but Jest runs in CommonJS. Without this, Jest fails with SyntaxError: Cannot use import statement outside a module when tests import the xrpl client (which uses https-proxy-agent).
Fix: Added transform entries so ts-jest transpiles the ESM code, and excluded them from transformIgnorePatterns so Jest doesn't skip them.
| @@ -21,12 +21,12 @@ export function dropsToXrp(dropsToConvert: BigNumber.Value): number { | |||
| * decimal point followed by zeros, e.g. '1.00'. | |||
The changes in this file are caused by: bignumber.js 9 → 10
v9: new BigNumber("FOO") returns a BigNumber with value NaN.
v10: new BigNumber("FOO") throws [BigNumber Error] Not a number: FOO.
The existing code passed invalid input to BigNumber first, then checked if the result was NaN to throw a custom ValidationError. In v10 the BigNumber constructor throws before the NaN check runs, so the user-facing error message changes from the expected ValidationError to a raw BigNumber error.
Fix: Wrap new BigNumber() calls in try-catch, re-throwing as the same ValidationError the code already intended. Also removed the now-dead NaN checks that followed (unreachable since the constructor throws first). Applied in both dropsToXrp and xrpToDrops.
| @@ -17,7 +17,11 @@ function percentToDecimal(percent: string): string { | |||
| throw new ValidationError(`Value ${percent} contains too many % signs`) | |||
Similar to the changes in xrpConversion.ts, the changes in this file are caused by: same bignumber.js 9 → 10
Three functions accept user string input and construct a BigNumber: percentToDecimal, decimalToTransferRate, and decimalToQuality. All three previously relied on v9's NaN-return behavior to either propagate a 'NaN' string downstream or trip an explicit if (billionths === 'NaN') check that threw ValidationError("Value is not a number").
In v10, the constructor throws a raw [BigNumber Error] before any downstream check can run, so the expected ValidationError is never produced and tests (e.g., percentToQuality throws with gibberish, decimalToQuality throws with gibberish in quality.test.ts) fail with a raw BigNumber error.
Fix:
- Wrap each `new BigNumber()` call in try-catch and re-throw `ValidationError("Value is not a number")` — the exact error class and message consumers already observed in v9.
- Remove the now-unreachable NaN checks in `decimalToTransferRate` and `decimalToQuality` (the stringified `'NaN'` path is dead in v10 because the constructor throws first).
| @@ -13,8 +13,13 @@ class quality { | |||
| * @returns Serialized quality | |||
The changes in this file are caused by: same bignumber.js 9 → 10
encode(quality) and decode(quality) construct BigNumbers from strings. In v10 both will throw raw [BigNumber Error] on invalid input instead of returning NaN.
Fix: Wrap both constructor calls in try-catch and re-throw a clear Error: <value> is not a valid quality instead.
| } | ||
|
|
||
| let amount = new Uint8Array(8) | ||
| let amount: Uint8Array = new Uint8Array(8) |
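Review bot: The explicit `: Uint8Array` annotation on `let amount` reads as redundant next to `new Uint8Array(8)` and is an easy target for a later cleanup or lint autofix. Add a one-line comment on this declaration stating why the unparameterized type is required, so the annotation is not removed and the compile error reintroduced.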
This change is caused by: @scure/base 1 → 2
v2 introduced stricter Uint8Array generics. new Uint8Array(8) is inferred as Uint8Array<ArrayBuffer>, but concat() (via @noble/hashes) returns Uint8Array<ArrayBufferLike> — a wider type that includes SharedArrayBuffer. TypeScript won't assign the wider return type back to the narrower variable, causing a compile error. This is purely a compile-time issue — at runtime there is no difference.
Fix: Explicit type annotation Uint8Array (without generic parameter) so TypeScript uses the unparameterized base type that accepts both.
| @@ -110,7 +110,12 @@ class Amount extends SerializedType { | |||
| } | |||
|
|
|||
The following changes are caused by: same bignumber.js 9 → 10
Three constructor call sites accept user input and could throw in v10:
- Line 113: `new BigNumber(value.value)` inside `from()` for IOU amounts
- Line 264: `new BigNumber(amount)` inside `assertXrpIsValid`
- Line 304: `new BigNumber(amount)` inside `assertMptIsValid`
Fix: Wrap each constructor call in try-catch, re-throwing the existing Error: <amount> is an illegal amount message to preserve API behavior. Also removed the dead if (decimal.isNaN()) check in assertMptIsValid — unreachable in v10 because the constructor throws first.
| } | ||
|
|
||
| let buf = new Uint8Array(UInt64.width) | ||
| let buf: Uint8Array = new Uint8Array(UInt64.width) |
This change is caused by: @scure/base 1 → 2
v2 introduced stricter Uint8Array generics. new Uint8Array(8) is inferred as Uint8Array<ArrayBuffer>, but concat() (via @noble/hashes) returns Uint8Array<ArrayBufferLike> — a wider type that includes SharedArrayBuffer. TypeScript won't assign the wider return type back to the narrower variable, causing a compile error. This is purely a compile-time issue — at runtime there is no difference.
Fix: Explicit type annotation Uint8Array (without generic parameter) so TypeScript uses the unparameterized base type that accepts both.
16c5dd4 to 6d84fdc
6d84fdc to fa51f79
| } catch (_err) { | ||
| throw new Error(`${quality} is not a valid quality`) | ||
| } | ||
| const exponent = (decimal.e || 0) - 15 |
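Review bot: The `catch (_err)` block discards the caught error, so the rethrown `Error` carries nothing about why construction failed and any non-validation failure inside the `try` is reported as "not a valid quality". Consider keeping the original error on the new one (for example as its `cause`). On the `exponent` line, `decimal.e || 0` silently turns a null exponent into 0; if a value with a null `e` can reach this point, reject it explicitly instead of encoding it with exponent -15.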
| const exponent = (decimal.e || 0) - 15 | |
| const exponent = (decimal.e) - 15 |
Since the BigNumber object is constructed successfully, the exponent attribute must always be present.
If the decimal is 0, decimal.e can be null, which would result in null - 15. So it’s safer to keep the || 0.
… close list for Skipped PRs
High Level Overview of Change
Batches 30 open Dependabot dependency upgrade PRs into a single quarterly upgrade. Upgrades 23 packages across the monorepo, skips 5 blocked by peer dependency constraints or migration scope, and classifies 2 as no-ops.
Context of Change
Dependabot PRs accumulate faster than they can be individually reviewed and merged. This batch upgrade applies all compatible upgrades at once, fixes breaking changes introduced by major version bumps, and validates the full test suite against the combined result.
Breaking dependency changes fixed:
- `bignumber.js` 9→10: constructor now throws on invalid input instead of returning NaN. Wrapped in try-catch in both `xrpl` (xrpConversion.ts, quality.ts) and `ripple-binary-codec` (quality.ts, amount.ts) to preserve existing error behavior.
- `https-proxy-agent` 7→9: now ESM-only. Updated Jest config to transpile ESM imports.
- `@scure/base` 1→2: stricter `Uint8Array` generics. Widened type annotations in `ripple-binary-codec` (amount.ts, uint-64.ts) to resolve compile errors.
This change is pure dependency maintenance — no public API of any published package changes.
Type of Change
Did you update HISTORY.md?
Test Plan
- `npm run build` — all 6 packages compile
- `npm run lint` — no lint errors
- `npm test` — 1032 unit tests pass
- `npm run test:integration` — 159 integration tests pass against xrpld Docker container
- `npm run test:browser` — 159 browser tests pass (also fixed a pre-existing TS1503 error in `ripple-keypairs` by adding `target: "es2018"` to the shared ts-loader config)
- `npm run test:faucet` — 4 faucet tests pass
Superseded Dependabot PRs
@xrplf/eslint-config@^3 requires eslint-plugin-jsdoc@^52)
@xrplf/eslint-config@^3 requires @eslint/js@^9)
@xrplf/eslint-config@^3 requires eslint@^9)
@xrplf/eslint-config@^3 requires globals@^16)
Closing Instructions
After merging, close the following superseded PRs (Skipped ones remain open for future handling): #3276, #3272, #3267, #3266, #3264, #3263, #3262, #3261, #3260, #3259, #3258, #3255, #3253, #3252, #3251, #3250, #3248, #3247, #3246, #3243, #3242, #3241, #3080, #3051, #3013
The following PRs were Skipped and should remain open: #3265 (eslint-plugin-jsdoc), #3257 (@eslint/js), #3249 (eslint), #3245 (globals), #3244 (typescript).
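The bignumber.js 9→10 fix described in this PR, reduced to a runnable pattern. This is an added example, not code from xrpl.js: `ValidationError` is a local stand-in, `nanStyleParser` and `throwStyleParser` imitate the v9 and v10 failure modes without the library, and `parseStable`, `parseIntegerAmount` and `failureOf` are hypothetical names. It goes slightly beyond the PR by also covering the BigInt case raised in review.

```javascript
// Added example, not xrpl.js code. ValidationError is a local stand-in for the
// library's class; the parsers and helper names below are hypothetical.
class ValidationError extends Error {
  constructor(message, original) {
    super(message)
    this.name = 'ValidationError'
    this.original = original // parser's own error, kept for diagnostics only
  }
}

// Stand-in for the v9 contract: never throws, reports bad input as NaN.
function nanStyleParser(input) {
  return Number(input)
}

// Stand-in for the v10 contract: throws its own error on bad input.
function throwStyleParser(input) {
  const n = Number(input)
  if (Number.isNaN(n)) {
    throw new Error(`[Parser Error] Not a number: ${input}`)
  }
  return n
}

// Boundary wrapper: however the parser signals failure, callers see one error
// class and one message, so an upgrade cannot change the public error contract.
function parseStable(parser, input, message) {
  let value
  try {
    value = parser(input)
  } catch (err) {
    throw new ValidationError(message, err)
  }
  if (typeof value === 'number' && Number.isNaN(value)) {
    throw new ValidationError(message, null)
  }
  return value
}

// Integer amounts: validate the shape first, because BigInt('') is 0n rather
// than an error, then keep the wrapper in case BigInt still rejects the input.
function parseIntegerAmount(input) {
  const message = `${input} is an illegal amount`
  if (typeof input !== 'string' || !/^[0-9]+$/.test(input)) {
    throw new ValidationError(message, null)
  }
  return parseStable(BigInt, input, message)
}

// Report what a caller would observe: the error's class name and message.
function failureOf(fn) {
  try {
    fn()
    return null
  } catch (err) {
    return { name: err.name, message: err.message }
  }
}

// Constructed inputs: gibberish, exponent notation, and the empty string.
console.log(failureOf(() => BigInt('1e5'))) // raw SyntaxError leaks to the caller
console.log(failureOf(() => parseStable(BigInt, '1e5', '1e5 is an illegal amount')))
console.log(failureOf(() => parseStable(nanStyleParser, 'FOO', 'Value is not a number')))
console.log(failureOf(() => parseStable(throwStyleParser, 'FOO', 'Value is not a number')))
console.log(failureOf(() => parseIntegerAmount('')))
```

A test that asserts on the error class and message for gibberish input, run against both parser styles, is what catches this kind of contract drift during a batch upgrade.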