
Fix merge branch 0xsequence/master #86

Closed
Dargon789 wants to merge 27 commits into master from fix-merge-branch-0xsequence/master


@Dargon789 Dargon789 commented Nov 14, 2025

Summary by Sourcery

Upgrade dependencies and security resolutions, integrate CI/CD and security workflows, and scaffold a new Vite-React wagmi sample project with accompanying configuration and documentation

New Features:

  • Add a new wagmi-project sample application built with Vite, React, and wagmi connectors

Enhancements:

  • Upgrade core dependencies (express, hardhat, puppeteer) and add vitest for testing
  • Add resolutions to enforce safe versions of transitive packages
  • Introduce @tanstack/react-query, geth, viem, and wagmi dependencies in the root project

CI:

  • Add a Fortify AST scanning workflow
  • Add CircleCI and Azure Pipelines configurations

Documentation:

  • Add GitHub issue templates for bug reports, feature requests, and custom issues
  • Add SECURITY.md to define supported versions and vulnerability reporting guidelines

dependabot bot and others added 22 commits March 30, 2024 07:24
Bumps the npm_and_yarn group with 1 update in the / directory: [express](https://github.com/expressjs/express).


Updates `express` from 4.18.2 to 4.19.2
- [Release notes](https://github.com/expressjs/express/releases)
- [Changelog](https://github.com/expressjs/express/blob/master/History.md)
- [Commits](expressjs/express@4.18.2...4.19.2)

---
updated-dependencies:
- dependency-name: express
  dependency-type: direct:development
  dependency-group: npm_and_yarn-security-group
...

Signed-off-by: dependabot[bot] <support@github.com>
…yarn-security-group-e0cd778f82

Bump the npm_and_yarn group across 1 directory with 1 update
Snyk has created this PR to upgrade @tanstack/react-query from 5.45.1 to 5.64.2.

See this package in npm:
@tanstack/react-query

See this project in Snyk:
https://app.snyk.io/org/dargon789/project/bb845543-cbee-4e11-8cf9-8bfdf9205bf1?utm_source=github&utm_medium=referral&page=upgrade-pr
…9e16dcb9a2eda9

Snyk upgrade 03178c54d4c54014129e16dcb9a2eda9
Signed-off-by: AU_gdev_19 <64915515+Dargon789@users.noreply.github.com>


vercel bot commented Nov 14, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Preview | Comments | Updated (UTC) |
|---|---|---|---|---|
| sequence-js-docs | Error | | | Nov 14, 2025 9:45am |
| sequence-js-web | Error | | | Nov 14, 2025 9:45am |
| sequence.js | Ready | Preview | Comment | Nov 14, 2025 9:45am |


sourcery-ai bot commented Nov 14, 2025

Reviewer's Guide

This PR resolves merge conflicts with 0xsequence/master by bumping core dependencies and adding vulnerability resolutions, introduces security/CI workflows, issue templates and scaffolding for a new wagmi-project demo app built with Vite, React, TypeScript, and wagmi.

Entity relationship diagram for wagmi-project config and chains/connectors

```mermaid
erDiagram
  CONFIG {
    string id
    string[] chains
    string[] connectors
    object transports
  }
  CHAIN {
    int id
    string name
  }
  CONNECTOR {
    string uid
    string name
  }
  CONFIG ||--o{ CHAIN : includes
  CONFIG ||--o{ CONNECTOR : uses
```

Class diagram for new wagmi-project React app structure

```mermaid
classDiagram
  class App {
    +useAccount()
    +useConnect()
    +useDisconnect()
    +render()
  }
  class WagmiProvider {
    +config: Config
  }
  class QueryClientProvider {
    +client: QueryClient
  }
  class QueryClient {
  }
  class Config {
    +chains: Chain[]
    +connectors: Connector[]
    +transports: object
  }
  class Connector {
    +uid
    +name
  }
  class main {
    +Buffer
    +QueryClient
    +WagmiProvider
    +QueryClientProvider
    +App
  }
  WagmiProvider --> Config
  QueryClientProvider --> QueryClient
  main --> WagmiProvider
  main --> QueryClientProvider
  main --> App
  App --> Connector
```

File-Level Changes

Change: Update root dependencies and add vulnerability resolutions
Details:
  • Bump express, hardhat and puppeteer versions
  • Add vitest as a test runner
  • Restructure dependencies and add new dependencies block
  • Add package resolutions for semver, webpack-dev-middleware, tar, tough-cookie, braces and ws
Files:
  • package.json

Change: Add security policy and issue templates
Details:
  • Introduce SECURITY.md with supported versions and reporting process
  • Add GitHub issue templates for bugs, features and custom issues
Files:
  • SECURITY.md
  • .github/ISSUE_TEMPLATE/bug_report.md
  • .github/ISSUE_TEMPLATE/feature_request.md
  • .github/ISSUE_TEMPLATE/custom.md

Change: Introduce Fortify SAST scan workflow
Details:
  • Add GitHub Actions workflow to perform Fortify AST scans on push, PR and schedule
Files:
  • .github/workflows/fortify.yml

Change: Add CI pipeline configurations
Details:
  • Introduce Azure Pipelines YAML for Node.js build
  • Add CircleCI config with custom Docker executor
Files:
  • azure-pipelines.yml
  • .circleci/config.yml

Change: Scaffold wagmi-project demo application
Details:
  • Add Vite/React/TypeScript project structure and configs
  • Implement App.tsx, main.tsx and wagmi.ts with React Query and wagmi integration
  • Add supporting files: index.html, index.css, vite-env types, README, tsconfig files, biome, npmrc, gitignore
Files:
  • wagmi-project/package.json
  • wagmi-project/tsconfig.json
  • wagmi-project/src/App.tsx
  • wagmi-project/src/main.tsx
  • wagmi-project/src/wagmi.ts
  • wagmi-project/src/index.css
  • wagmi-project/index.html
  • wagmi-project/vite.config.ts
  • wagmi-project/tsconfig.node.json
  • wagmi-project/biome.json
  • wagmi-project/.npmrc
  • wagmi-project/.gitignore
  • wagmi-project/README.md
  • wagmi-project/src/vite-env.d.ts

Possibly linked issues

  • 0xsequence/master #79: The PR implements the Fortify AST scan, CircleCI config, GitHub issue templates, and upgrades React Query as detailed in the issue.
  • Feature/integration #17: The PR directly implements the wagmi project with hooks, updates development dependencies, and adds security and CI/CD configurations as detailed in the issue description.



snyk-io bot commented Nov 14, 2025

Snyk checks have failed. 19 issues have been found so far.

| Status | Scanner | Critical | High | Medium | Low | Total (19) |
|---|---|---|---|---|---|---|
| | Open Source Security | 6 | 3 | 7 | 3 | 19 issues |


@Dargon789 Dargon789 enabled auto-merge (rebase) November 14, 2025 09:21
@gemini-code-assist

Summary of Changes

Hello @Dargon789, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly expands the project's development infrastructure and introduces a new Web3-focused application. It establishes new continuous integration and deployment pipelines, standardizes development environment tasks, and provides structured templates for community contributions. A notable addition is the wagmi-project, a boilerplate for building decentralized applications, indicating a strategic move towards or enhancement of Web3 capabilities.

Highlights

  • New CI/CD Pipelines: Introduced configurations for both CircleCI and Azure Pipelines, establishing automated build and deployment processes for the project.
  • CodeSandbox Integration: Added a comprehensive tasks.json file for CodeSandbox, defining various development workflows such as build, test, lint, and dev server startup using pnpm.
  • GitHub Issue Templates: New issue templates for bug reports, feature requests, and custom issues were added to streamline community contributions and project management.
  • Web3 Project Setup: A new wagmi-project was integrated, featuring a basic React application bootstrapped with Vite and configured to use Wagmi and Viem for Web3 interactions.
  • Dependency Updates and Security Enhancements: Several core dependencies like express, hardhat, and puppeteer were updated, and vitest was added. Additionally, numerous dependency resolutions were included to address potential security vulnerabilities.
Ignored Files
  • Ignored by pattern: .github/workflows/** (1)
    • .github/workflows/fortify.yml

sourcery-ai bot previously approved these changes Nov 14, 2025

Hey there - I've reviewed your changes - here's some feedback:

  • Consolidate duplicate/conflicting entries in package.json (e.g., express, hardhat) so each dependency only appears once with the intended version.
  • Remove auto-generated build/cache artifacts (v8-compile-cache, preconstruct maps, pnpm-lock additions) from the commit to keep the repository clean.
  • This PR spans dependency bumps, CI/CD configs, and a new wagmi project scaffold—consider breaking it into smaller, focused PRs for each area to simplify review.
Prompt for AI Agents
Please address the comments from this code review:

## Individual Comments

### Comment 1
<location> `package.json:73-76` </location>
<code_context>
     "eslint-plugin-import": "^2.27.5",
     "eslint-plugin-prettier": "^5.0.1",
     "ethers": "^5.7.2",
-    "express": "^4.18.2",
+    "express": "^4.19.2",
     "hardhat": "^2.20.1",
+    "express": "^4.18.2",
+    "hardhat": "^2.22.7",
     "husky": "^8.0.0",
     "mocha": "^10.1.0",
</code_context>
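Review bot: The added `"express": "^4.18.2"` line re-declares a key that this same hunk has just bumped to `^4.19.2`, and `hardhat` ends up declared twice as well (`^2.20.1` as context, `^2.22.7` as an addition). `JSON.parse` keeps the last occurrence of a duplicate key, so the effective express range falls back to `^4.18.2` and the security bump is no longer the declared minimum, while the manifest still parses without any error. Delete the added `^4.18.2` express line and the old `^2.20.1` hardhat line so each package is declared once with the intended version.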

<issue_to_address>
**issue (bug_risk):** Duplicate dependencies for 'express' and 'hardhat' found in devDependencies.

Remove the duplicate entries and keep only the required version for each dependency to avoid installation issues.
</issue_to_address>

### Comment 2
<location> `wagmi-project/src/App.tsx:30-36` </location>
<code_context>
+
+      <div>
+        <h2>Connect</h2>
+        {connectors.map((connector) => (
+          <button
+            key={connector.uid}
+            onClick={() => connect({ connector })}
+            type="button"
+          >
+            {connector.name}
+          </button>
+        ))}
</code_context>

<issue_to_address>
**suggestion:** No loading or error state for connectors list.

Consider displaying a loading indicator while connectors are loading and a message when none are available to enhance user feedback.

Suggested implementation:

```typescript
      <div>
        <h2>Connect</h2>
        {/* Loading and error states for connectors */}
        {connectorsLoading ? (
          <div>Loading connectors...</div>
        ) : connectorsError ? (
          <div>Error loading connectors: {connectorsError.message}</div>
        ) : connectors.length === 0 ? (
          <div>No connectors available.</div>
        ) : (
          connectors.map((connector) => (
            <button
              key={connector.uid}
              onClick={() => connect({ connector })}
              type="button"
            >
              {connector.name}
            </button>
          ))
        )}
        <div>{status}</div>
        <div>{error?.message}</div>
      </div>

```

You will need to ensure that `connectorsLoading` and `connectorsError` are defined and properly set in your component. If you are fetching connectors via a hook or async function, set these states accordingly. For example:

```ts
const [connectorsLoading, setConnectorsLoading] = useState(true);
const [connectorsError, setConnectorsError] = useState<Error | null>(null);

// Fetch connectors and update loading/error states as appropriate.
```

If your connectors are not loaded asynchronously, you may need to adapt this logic to fit your actual data fetching pattern.
</issue_to_address>

### Comment 3
<location> `wagmi-project/src/wagmi.ts:5-16` </location>
<code_context>
+  connectors: [
+    injected(),
+    coinbaseWallet(),
+    walletConnect({ projectId: import.meta.env.VITE_WC_PROJECT_ID }),
+  ],
+  transports: {
</code_context>
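Review bot: `import.meta.env.VITE_WC_PROJECT_ID` in the `walletConnect(...)` line is inlined into the client bundle by Vite at build time, so the value is readable by every visitor and a missing variable ships as `undefined` instead of failing the build. Check the value once before the `connectors` array is built, and keep anything that must stay secret out of `VITE_`-prefixed variables.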

<issue_to_address>
**suggestion:** No fallback or validation for missing WalletConnect projectId.

Validate that 'VITE_WC_PROJECT_ID' is set before initializing WalletConnect, and handle missing values with a clear error or fallback to avoid runtime failures.

```suggestion
const wcProjectId = import.meta.env.VITE_WC_PROJECT_ID

if (!wcProjectId) {
  throw new Error(
    "VITE_WC_PROJECT_ID is not set. Please set the WalletConnect projectId in your environment variables."
  )
}

export const config = createConfig({
  chains: [mainnet, sepolia],
  connectors: [
    injected(),
    coinbaseWallet(),
    walletConnect({ projectId: wcProjectId }),
  ],
  transports: {
    [mainnet.id]: http(),
    [sepolia.id]: http(),
  },
})
```
</issue_to_address>

Sourcery is free for open source - if you like our reviews please consider sharing them ✨
Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
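The duplicate `express` and `hardhat` keys flagged in Comment 1 are invisible to `JSON.parse`, which keeps only the last occurrence of a key. As an added example (not code from this pull request or from any of the review bots), the following Node.js script scans raw manifest text for such duplicates; the name `findDuplicateKeys` and the sample manifest are constructed for illustration.

```javascript
// Added example: report object keys that occur more than once in raw JSON text.
// JSON.parse would accept this input and silently keep only the last value.
function findDuplicateKeys(text) {
  const dups = [];
  const scalar = /-?\d+(?:\.\d+)?(?:[eE][+-]?\d+)?|true|false|null/y;
  let i = 0; // current offset into text
  const fail = (what) => { throw new SyntaxError(`expected ${what} near offset ${i}`); };
  const ws = () => { while (i < text.length && /\s/.test(text[i])) i++; };
  const str = () => {
    if (text[i] !== '"') fail('string');
    const start = i++;
    while (i < text.length && text[i] !== '"') i += text[i] === '\\' ? 2 : 1;
    return JSON.parse(text.slice(start, ++i)); // throws if the string is unterminated
  };
  const value = (path) => {
    ws();
    const start = i;
    if (text[i] === '{' || text[i] === '[') container(path, text[i] === '{' ? '}' : ']');
    else if (text[i] === '"') str();
    else { scalar.lastIndex = i; if (!scalar.exec(text)) fail('value'); i = scalar.lastIndex; }
    return JSON.parse(text.slice(start, i)); // the value exactly as JSON.parse sees it
  };
  const container = (path, close) => { // close is '}' for objects, ']' for arrays
    const seen = new Map();            // key -> latest value within this object
    let n = 0;                         // running index, used as the key for array items
    i++; ws();
    if (text[i] === close) { i++; return; }
    for (;;) {
      ws();
      let key = n++;
      if (close === '}') { key = str(); ws(); if (text[i++] !== ':') fail("':'"); }
      const v = value([...path, key]);
      if (seen.has(key)) dups.push({ path: [...path, key].join('.'), shadowed: seen.get(key), effective: v });
      seen.set(key, v);
      ws();
      const sep = text[i++];
      if (sep === close) return;
      if (sep !== ',') fail(`',' or '${close}'`);
    }
  };
  value([]);
  return dups;
}

// Constructed sample mirroring the devDependencies lines quoted in Comment 1.
const SAMPLE_MANIFEST = `{
  "devDependencies": {
    "express": "^4.19.2",
    "hardhat": "^2.20.1",
    "express": "^4.18.2",
    "hardhat": "^2.22.7"
  }
}`;
console.log(findDuplicateKeys(SAMPLE_MANIFEST));
```

Run against a real `package.json` in CI, a non-empty result is a reason to fail the build before the install step resolves the wrong range.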

Co-authored-by: gemini-code-assist[bot] <176961590+gemini-code-assist[bot]@users.noreply.github.com>
Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>
@Dargon789 Dargon789 closed this Nov 14, 2025
auto-merge was automatically disabled November 14, 2025 09:58

Pull request was closed

@sourcery-ai sourcery-ai bot mentioned this pull request Dec 21, 2025
@sourcery-ai sourcery-ai bot mentioned this pull request Dec 23, 2025
Merged