chore: dependabot deps

[mralj]

This PR updates most of the yarn-project dependabot alerted deps.

On resolutions

I have tried to update all deps "properly", using resolutions as a fallback. This is when we depend on D, which has outdated D' for which Dependabot complains, and D doesn't have a newer version.

An example of this is docosaurus-plugin-ideal-image > sharp (outdated) > tar-fs (outdated) - meaning that docusaurus-plugin-ideal-image imports an outdated version of sharp, which in turn imports an outdated version of tar-fs, so we have to force this fix via resolutions

Not updated deps

I could not update two dependencies because the author has not fixed the bug and published an update:

1. bigint-buffer
2. private-ip

Both of these are transitive deps, further complicating the update.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​@​types/​d3-shape@​3.1.6 ⏵ 3.1.7	+1		+1
	npm/​@​babel/​generator@​7.27.1 ⏵ 7.27.5	+1		+1
	npm/​@​babel/​traverse@​7.27.1 ⏵ 7.27.4	+1		+1
	npm/​vite@​4.5.14 ⏵ 7.1.7	+3	+8
	npm/​mlly@​1.8.0
	npm/​yaml@​2.8.1
	npm/​tar@​7.5.1
	npm/​puppeteer@​22.15.0 ⏵ 24.22.3			-1	+1
	npm/​@​opentelemetry/​host-metrics@​0.36.2

View full report

[spalladino]

Looks good!

On bigint-buffer, I see we're using it only via the chainsafe discv5 and enr packages, but it seems they removed this dependency earlier this year. Maybe we can update to those versions?

As for private-ip, it's only pulled in from kad-dht, which removed it in early 2024. Perhaps we can update it as well? But more interestingly, it seems we're importing the package but not using it for anything, unless it has side effects? So maybe we could just remove it?

aztec-packages/yarn-project/p2p/src/services/libp2p/libp2p_service.ts

Line 46 in ce66e54

import '@libp2p/kad-dht';

[mralj]

Looks good!

On bigint-buffer, I see we're using it only via the chainsafe discv5 and enr packages, but it seems they removed this dependency earlier this year. Maybe we can update to those versions?

As for private-ip, it's only pulled in from kad-dht, which removed it in early 2024. Perhaps we can update it as well? But more interestingly, it seems we're importing the package but not using it for anything, unless it has side effects? So maybe we could just remove it?

aztec-packages/yarn-project/p2p/src/services/libp2p/libp2p_service.ts

Line 46 in ce66e54

import '@libp2p/kad-dht';

Good catch @spalladino, sorry for missing this 🤦

1. I have removed kad-dht
2. I will update discv5 & enr in a separate PR, as the update yielded ~40 TS errors, so I think separate PR for this one is bettter :)

[AztecBot]

💔 All backports failed

Status	Branch	Result
❌	v2	Backport failed because of merge conflicts You might need to backport the following PRs to v2: - chore: Delete contract addresses from chain l2 config (#17417) - Delete contract addresses from chain l2 config

Manual backport

To create the backport manually run:

backport --pr 17418

Questions ?

Please refer to the Backport tool documentation and see the Github Action logs for details

[mralj]

@spalladino, updating discv5/enr seems to be a no-go at the moment.
The issue is that both rely on libp2p types with breaking changes (link), which we import as well.

Upgrading said packages (libp2p/interface/libp2p/peer-id) breaks a lot of code, and following this rabbit hole a bit it looks like it would imply upgrading the libp2p itself 🥲

[spalladino]

Damn. WDYT about using yarn patch to manually remove all bigint-buffer usage from the packages then? The other option is to just fork, since I doubt libp2p would accept a patch with that change for such an older version (though we could try).

[mralj]

Damn. WDYT about using yarn patch to manually remove all bigint-buffer usage from the packages then? The other option is to just fork, since I doubt libp2p would accept a patch with that change for such an older version (though we could try).

I'll attack this tomorrow, atm. forking seems cleaner :)