Dependabot/npm and yarn/lib/signals implicit mode/lib/sequence v3/lib/account abstraction/npm and yarn 9b5403960e

[Dargon789]

Summary by Sourcery

Strengthen security and privacy in wallet utilities while adding a new Wagmi-based demo app and expanding CI coverage.

New Features:

• Introduce a new Wagmi-based React demo dapp scaffolded with Vite, including wagmi configuration and QueryClient integration.

Bug Fixes:

• Use cryptographically secure randomness for dapp-client ID generation.
• Avoid leaking internal JSON parse error details in the primitives CLI HTTP server responses.

Enhancements:

• Refine GitHub workflows by specifying permissions for the pnpm-format-label workflow and adding a pnpm install step to the tests workflow.

CI:

• Add a CircleCI configuration to build and test smart contracts using Foundry.

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[codesandbox]

Review or Edit in CodeSandbox

Open the branch in Web Editor • VS Code • Insiders

Open Preview

[sourcery-ai]

Reviewer's Guide

Improves security and infrastructure around the wallet app while adding a new wagmi-based demo project. Key changes include a cryptographically secure ID generator in the dapp client, safer JSON-RPC error responses, CI/config updates, and the introduction of a standalone Vite+wagmi React example app with basic wallet connectivity and UI wiring.

Sequence diagram for JSON-RPC parse error handling in handleHttpRequest

sequenceDiagram
  participant Client
  participant Server
  participant handleHttpRequest
  participant errorResponse

  Client->>Server: HTTP request with JSON body
  Server->>handleHttpRequest: handleHttpRequest(req, res, debug)
  handleHttpRequest->>handleHttpRequest: JSON.parse(body)
  alt parse error
    handleHttpRequest-->>handleHttpRequest: [throw SyntaxError]
    handleHttpRequest->>errorResponse: errorResponse(undefined, -32700, Parse_error)
    errorResponse-->>handleHttpRequest: generic_error_payload
    handleHttpRequest->>Client: HTTP 400 with generic Parse error JSON
  else valid JSON
    handleHttpRequest-->>Client: normal JSON-RPC response
  end

Loading

File-Level Changes

Change	Details	Files
Switch ID generation in the dapp transport to cryptographically secure randomness.	Replace Math.random-based ID suffix with crypto.getRandomValues using a Uint32Array Generate a base-36 random string from two 32-bit values, padded and sliced to fixed length Preserve existing Date.now-based prefix while improving entropy and predictability resistance	packages/wallet/dapp-client/src/DappTransport.ts
Harden HTTP JSON parse error handling in the primitives CLI server.	Catch JSON parse errors during request handling and log them server-side Return a standardized JSON-RPC parse error response without echoing internal error details to clients	packages/wallet/primitives-cli/src/subcommands/server.ts
Adjust CI workflows and permissions for GitHub Actions and tests.	Add explicit contents read and issues write permissions to pnpm-format-label workflow to comply with GitHub permission model Insert an extra pnpm install step without frozen lockfile before running tests build job to ensure dependencies are installed	.github/workflows/on_pr_pnpm-format-label.yml .github/workflows/tests.yml
Introduce CircleCI configuration for Foundry-based solidity tests.	Define a CircleCI job that uses the foundry Docker image Checkout code and initialize git submodules recursively Run forge build and forge test -vvv as part of the test workflow	.circleci/config.yml
Add a new wagmi-based Vite React demo project with basic wallet connectivity.	Create a Vite+React TypeScript app scaffolded by create-wagmi with strict TS config and Biome linting Configure wagmi with mainnet and sepolia chains plus injected, Coinbase Wallet, and WalletConnect connectors Set up React Query client and WagmiProvider in main entry point Define a large App component that initializes the Sequence wallet, manages environment/network selection, and exposes many demo actions (connect/auth flows, signing, transactions, token queries, and advanced wallet actions) via a button-driven UI Add basic theming styles, HTML shell, vite config, and project metadata files including package.json, tsconfigs, README, .gitignore, and biome config	wagmi-project/package.json wagmi-project/tsconfig.json wagmi-project/tsconfig.node.json wagmi-project/src/App.tsx wagmi-project/src/main.tsx wagmi-project/src/wagmi.ts wagmi-project/src/index.css wagmi-project/src/vite-env.d.ts wagmi-project/index.html wagmi-project/vite.config.ts wagmi-project/README.md wagmi-project/.gitignore wagmi-project/.npmrc wagmi-project/biome.json
Check in additional build/cache artifacts and lockfile updates from dependency tooling.	Update or add yarn.lock under the account abstraction sequence submodule path Commit v8-compile-cache .MAP artifacts under the v8-compile-cache-0 hierarchy	lib/signals-implicit-mode/lib/sequence-v3/lib/account-abstraction/yarn.lock v8-compile-cache-0/x64/11.3.244.8-node.19/zSprojectzSsequence.jszSnode_moduleszS.pnpmzS@preconstruct+cli@2.8.7zSnode_moduleszS@preconstructzSclizSbin.js.MAP v8-compile-cache-0/x64/11.3.244.8-node.19/zSprojectzSworkspacezSnode_moduleszS.pnpmzS@preconstruct+cli@2.8.7zSnode_moduleszS@preconstructzSclizSbin.js.MAP

Possibly linked issues

• Fix merge branch 0xsequence/master #86: PR adds the wagmi-project app and wagmi.ts config implementing the chains/connectors relationships described in the issue.

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it. You can also reply to a
  review comment with @sourcery-ai issue to create an issue from it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time. You can also comment
  @sourcery-ai title on the pull request to (re-)generate the title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time exactly where you
  want it. You can also comment @sourcery-ai summary on the pull request to
  (re-)generate the summary at any time.
• Generate reviewer's guide: Comment @sourcery-ai guide on the pull
  request to (re-)generate the reviewer's guide at any time.
• Resolve all Sourcery comments: Comment @sourcery-ai resolve on the
  pull request to resolve all Sourcery comments. Useful if you've already
  addressed all the comments and don't want to see them anymore.
• Dismiss all Sourcery reviews: Comment @sourcery-ai dismiss on the pull
  request to dismiss all existing Sourcery reviews. Especially useful if you
  want to start fresh with a new review - don't forget to comment
  @sourcery-ai review to trigger a new review!

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[snyk-io]

✅ Snyk checks have passed. No issues have been found so far.

Status	Scan Engine	Critical	High	Medium	Low	Total (0)
✅	Open Source Security	0	0	0	0	0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

[gemini-code-assist]

Code Review

This pull request introduces a new wagmi-project demo application, improves ID generation security using crypto.getRandomValues, and refines error responses to avoid exposing internal details. The review identifies several critical issues, including missing dependencies in package.json, a logic error when calling setDefaultChainId on a provider instance, and a potential null pointer dereference during email sanitization. Furthermore, suggestions were made to pin Docker image versions in the CI configuration and to exclude generated V8 cache files from the repository.

[sourcery-ai]

Sorry @Dargon789, you have reached your weekly rate limit of 500000 diff characters.

Please try again later or upgrade to continue using Sourcery

[sourcery-ai]

Hey - I've found 3 issues, and left some high level feedback:

• The new generateId implementation relies on globalThis.crypto.getRandomValues being present, which may not hold in all runtimes (e.g., some Node environments); consider feature-detecting crypto and falling back to a Node/webcrypto-safe implementation to avoid runtime errors.
• In wagmi-project/src/App.tsx, sanitizeEmail expects a string but is called with email which is string | null, so you should either default or guard against null before calling to avoid a runtime type error.
• In getAccounts in wagmi-project/src/App.tsx, provider.listAccounts() (ethers v6) returns a promise, but the result is used synchronously and stringified directly; you likely want to await provider.listAccounts() before logging.

Prompt for AI Agents

Please address the comments from this code review:

## Overall Comments
- The new `generateId` implementation relies on `globalThis.crypto.getRandomValues` being present, which may not hold in all runtimes (e.g., some Node environments); consider feature-detecting `crypto` and falling back to a Node/webcrypto-safe implementation to avoid runtime errors.
- In `wagmi-project/src/App.tsx`, `sanitizeEmail` expects a string but is called with `email` which is `string | null`, so you should either default or guard against `null` before calling to avoid a runtime type error.
- In `getAccounts` in `wagmi-project/src/App.tsx`, `provider.listAccounts()` (ethers v6) returns a promise, but the result is used synchronously and stringified directly; you likely want to `await provider.listAccounts()` before logging.

## Individual Comments

### Comment 1
<location path="packages/wallet/dapp-client/src/DappTransport.ts" line_range="517-519" />
<code_context>
   private generateId(): string {
-    return `${Date.now().toString(36)}-${Math.random().toString(36).substring(2, 9)}`
+    // Use crypto.getRandomValues for cryptographically secure randomness
+    const array = new Uint32Array(2);
+    globalThis.crypto.getRandomValues(array);
+    const randStr = (array[0].toString(36).padStart(7, '0') + array[1].toString(36).padStart(7, '0')).slice(0, 9);
+    return `${Date.now().toString(36)}-${randStr}`;
   }
</code_context>
<issue_to_address>
**issue (bug_risk):** Guard against environments where `globalThis.crypto` or `getRandomValues` is unavailable.

In some runtimes (older browsers, certain Node setups), `globalThis.crypto` or `crypto.getRandomValues` may be undefined, causing a runtime error here. Please add a feature check and fall back to the previous `Math.random`-based (or another non‑crypto) implementation when `getRandomValues` is unavailable to keep ID generation working across environments.
</issue_to_address>

### Comment 2
<location path="wagmi-project/src/App.tsx" line_range="105-114" />
<code_context>
+  const [email, setEmail] = useState<null | string>(null)
</code_context>
<issue_to_address>
**issue (bug_risk):** State type for `email` is incompatible with `sanitizeEmail` usage and can lead to runtime errors.

`email` is typed as `string | null`, but `sanitizeEmail` expects a `string` and is called as `sanitizeEmail(email)` in the login handler. If login is triggered before any input, `email` will be `null` and passed into a string-only function, violating the types and causing a runtime error.

Either:
1. Initialize as `const [email, setEmail] = useState('')` and treat `''` as “not set”, or
2. Change `sanitizeEmail` to accept `string | null`, handle `null` explicitly, and guard the call (e.g. `if (!email || !sanitizeEmail(email)) ...`).
</issue_to_address>

### Comment 3
<location path="wagmi-project/src/wagmi.ts" line_range="5-16" />
<code_context>
+  connectors: [
+    injected(),
+    coinbaseWallet(),
+    walletConnect({ projectId: import.meta.env.VITE_WC_PROJECT_ID }),
+  ],
+  transports: {
</code_context>
<issue_to_address>
**suggestion (bug_risk):** Validate `VITE_WC_PROJECT_ID` before initializing the WalletConnect connector.

If `import.meta.env.VITE_WC_PROJECT_ID` is missing or empty, `walletConnect` may fail at runtime with an unclear error. Add an explicit check at startup (e.g., throw with a clear message or skip initializing `walletConnect`) so misconfiguration is caught early and doesn’t cause opaque runtime issues.

```suggestion
const wcProjectId = import.meta.env.VITE_WC_PROJECT_ID

if (!wcProjectId) {
  // Prefer failing fast with a clear error over opaque runtime connector failures.
  // If you would rather not throw, replace this with a console.warn and keep the
  // conditional connector initialization below.
  console.warn(
    '[wagmi] WalletConnect projectId (VITE_WC_PROJECT_ID) is missing. ' +
      'WalletConnect connector will not be initialized.'
  )
}

export const config = createConfig({
  chains: [mainnet, sepolia],
  connectors: [
    injected(),
    coinbaseWallet(),
    ...(wcProjectId ? [walletConnect({ projectId: wcProjectId })] : []),
  ],
  transports: {
    [mainnet.id]: http(),
    [sepolia.id]: http(),
  },
})
```
</issue_to_address>

Fix all in Cursor

---

Sourcery is free for open source - if you like our reviews please consider sharing them ✨

• X
• Mastodon
• LinkedIn
• Facebook

_{Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.}

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
sequence-js-docs	Ready	Preview, Comment	May 23, 2026 3:24am
sequence-js-web	Ready	Preview, Comment	May 23, 2026 3:24am
wagmi-project	Ready	Preview, Comment	May 23, 2026 3:24am