
Release/v225 #1842

Merged
dbeal-eth merged 17 commits into main from release/v225 on Oct 20, 2025
Conversation

@dbeal-eth
Contributor

No description provided.

dbeal-eth and others added 17 commits September 3, 2025 09:55
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: claude[bot] <209825114+claude[bot]@users.noreply.github.com>
Co-authored-by: dbeal <dbeal-eth@users.noreply.github.com>
Co-authored-by: Daniel Beal <git@dbeal.dev>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
@dbeal-eth dbeal-eth self-assigned this Oct 20, 2025
@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action: Warn
Severity: High
Alert: safer-buffer@2.1.2 has Obfuscated code.

Confidence: 0.94

Location: Package overview

From: pnpm-lock.yaml → npm/@changesets/cli@2.27.7 → npm/safer-buffer@2.1.2


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/safer-buffer@2.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


@claude
Contributor

claude bot commented Oct 20, 2025

Code Review for Release v2.25.0

This is a comprehensive release PR with 17 commits. Overall, the changes demonstrate good engineering practices. Here is my detailed feedback:

Strengths

  1. Infrastructure Improvements

    • CLAUDE.md: Excellent documentation for AI-assisted development
    • GitHub Workflows: Well-structured with proper permissions
    • Progress Spinners: Great UX with TTY detection
  2. Memory & Performance

    • Increased Node memory to 8192MB addresses build issues
  3. Security & Robustness

    • Cycle Detection fix: Critical fix preventing infinite loops
    • Improved error handling for forge builds
  4. Feature Enhancements

    • CREATE2 support for router step
    • Chain-specific build steps
    • Improved fetch command with better validation

Concerns & Recommendations

  1. Console Utility (packages/cli/src/util/console.ts)

    • Issue: Spinner created as module-level singleton with immediate start
    • Side effects on import are an anti-pattern
    • Recommendation: Use lazy initialization function instead
  2. Router CREATE2 (packages/builder/src/steps/router.ts)

    • Missing validation for templated CREATE2 addresses
    • Recommendation: Add viem.isAddress() check after templating
  3. Cycle Detection Timing (packages/builder/src/definition.ts)

    • Happens after expensive dependency computation
    • Consider early detection during computation
  4. Test Coverage

    • Missing tests for console.ts utilities
    • CREATE2 template injection needs error scenario tests
    • Add tests for spinner in non-TTY environments
  5. Package Lock Churn

    • Significant unrelated changes in pnpm-lock.yaml
    • Consider pinning pnpm version

Security Considerations

  • GitHub workflow permissions: Well-scoped ✅
  • CREATE2 factory: Validate/whitelist custom addresses
  • IPFS validation: Proper checks in place ✅

Priority Action Items

High:

  • Fix spinner initialization pattern
  • Add CREATE2 address validation
  • Add console utility tests

Medium:

  • Optimize cycle detection
  • Improve IPFS error messages
  • Add JSDoc for CREATE2

Low:

  • Document memory increase rationale
  • Investigate pnpm-lock churn

Overall Assessment

Solid release with valuable features and important fixes. Code quality is high. Main concerns are around console utility pattern and test coverage.

Recommendation: Approve with minor revisions

Issues are refinements, not blockers. Critical fixes (cycle detection, RPC errors) and UX improvements provide clear value.

Risk: Low-Medium

  • Cycle detection: well-implemented
  • Spinner changes: isolated with fallbacks
  • CREATE2: backward compatible

Great work! 🎉
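The review above recommends detecting dependency cycles during the dependency computation rather than after it. The following is an added example of that pattern in TypeScript; it is not code from the Cannon repository or from this PR. It assumes a step graph keyed by step name with each step listing the names it depends on (the names and the `DependencyCycleError` type are hypothetical). The walk is a depth-first search that keeps the current path on a stack, so the first back edge aborts the computation immediately and the error carries the exact loop.

```typescript
// Added example (not Cannon's code): report a dependency cycle as soon as a
// back edge is seen during the dependency walk, instead of after the full
// dependency computation has finished.
//
// Assumption (not from the PR): a step is identified by a string such as
// "contract.Token" and its dependencies are the strings in its array.

type StepGraph = Record<string, string[]>;

class DependencyCycleError extends Error {
  readonly cycle: string[];
  constructor(cycle: string[]) {
    super(`dependency cycle: ${cycle.join(' -> ')}`);
    this.name = 'DependencyCycleError';
    this.cycle = cycle;
  }
}

// Returns the steps ordered so that every step follows its dependencies.
// Throws DependencyCycleError on the first back edge; the error's `cycle`
// lists the steps that form the loop, ending with the repeated step.
function topoOrder(graph: StepGraph): string[] {
  const done = new Set<string>();    // fully processed steps
  const onPath = new Set<string>();  // steps on the current DFS stack
  const path: string[] = [];
  const order: string[] = [];

  const visit = (step: string): void => {
    if (done.has(step)) return;
    if (onPath.has(step)) {
      // Back edge: the cycle is the path from the first occurrence of `step`.
      const start = path.indexOf(step);
      throw new DependencyCycleError([...path.slice(start), step]);
    }
    onPath.add(step);
    path.push(step);
    for (const dep of graph[step] ?? []) {
      if (!(dep in graph)) {
        throw new Error(`step "${step}" depends on unknown step "${dep}"`);
      }
      visit(dep);
    }
    path.pop();
    onPath.delete(step);
    done.add(step);
    order.push(step);
  };

  // Sorted keys make the output independent of object insertion order.
  for (const step of Object.keys(graph).sort()) visit(step);
  return order;
}

// Same walk, returning the cycle (or null) instead of throwing.
function findCycle(graph: StepGraph): string[] | null {
  try {
    topoOrder(graph);
    return null;
  } catch (e) {
    if (e instanceof DependencyCycleError) return e.cycle;
    throw e;
  }
}

// Constructed sample graphs (not taken from the PR).
const acyclicGraph: StepGraph = {
  'contract.Token': [],
  'contract.Router': ['contract.Token'],
  'invoke.setRouter': ['contract.Router', 'contract.Token'],
};

const cyclicGraph: StepGraph = {
  'contract.A': ['contract.B'],
  'contract.B': ['contract.C'],
  'contract.C': ['contract.A'],
};
```

Because the path stack is consulted on every edge, a graph with a cycle fails at the first edge that closes the loop; no further dependency resolution is performed, which is the early-detection behaviour the review asks for.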
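The review also asks for a `viem.isAddress()` check on the CREATE2 factory address after template substitution, and for custom factory addresses to be validated or allow-listed. The following is an added example of that check in TypeScript; it is not code from the Cannon repository or from this PR. It assumes a hypothetical `{{settings.name}}` template syntax (Cannon's real template syntax is not shown on this page), uses a local `isAddress` stand-in for viem's function that only checks the hex shape and not the EIP-55 checksum, and uses the well-known deterministic-deployment-proxy address as the default factory.

```typescript
// Added example (not Cannon's code): validate a CREATE2 factory address after
// template substitution and, optionally, against an allow-list.
//
// Assumptions (not from the PR): the "{{settings.name}}" template syntax is
// hypothetical; isAddress is a stand-in for viem.isAddress that checks only
// the 0x + 40 hex digit shape (no EIP-55 checksum verification).

type Settings = Record<string, string>;

// Address of the widely used deterministic-deployment proxy (Arachnid),
// used here as the default CREATE2 factory.
const DEFAULT_CREATE2_FACTORY = '0x4e59b44847b379578588920cA78FbF26c0B4956C';

// Stand-in for viem.isAddress: shape check only.
function isAddress(value: string): boolean {
  return /^0x[0-9a-fA-F]{40}$/.test(value);
}

// Replace {{settings.x}} with settings[x]. Unknown keys are left in place so
// the address check rejects them instead of passing an empty string through.
function renderTemplate(template: string, settings: Settings): string {
  return template.replace(
    /\{\{\s*settings\.([A-Za-z0-9_]+)\s*\}\}/g,
    (match, key: string) => (key in settings ? settings[key] : match)
  );
}

interface FactoryOptions {
  template?: string;          // user-supplied factory, possibly templated
  settings: Settings;         // values available to the template
  allowedFactories?: string[]; // optional allow-list of factory addresses
}

// Returns the factory address to deploy through. Throws when the rendered
// value is not an address or is outside the allow-list (when one is given).
function resolveCreate2Factory(opts: FactoryOptions): string {
  if (opts.template === undefined) return DEFAULT_CREATE2_FACTORY;

  const rendered = renderTemplate(opts.template, opts.settings).trim();
  if (!isAddress(rendered)) {
    throw new Error(
      `create2 factory "${opts.template}" rendered to "${rendered}", which is not an address`
    );
  }
  if (opts.allowedFactories) {
    const allowed = opts.allowedFactories.map((a) => a.toLowerCase());
    if (!allowed.includes(rendered.toLowerCase())) {
      throw new Error(`create2 factory ${rendered} is not in the allow-list`);
    }
  }
  return rendered;
}
```

The check runs on the rendered string, not the template, so a setting that is missing, empty, or contains anything other than an address fails before any deployment is attempted; the allow-list comparison is case-insensitive because addresses may be supplied in either checksummed or lowercase form.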

@dbeal-eth dbeal-eth merged commit 3f6e74e into main Oct 20, 2025
7 of 10 checks passed
@dbeal-eth dbeal-eth deleted the release/v225 branch October 20, 2025 16:55