chore: bump @ckb-ccc/core to 1.14.0 to fix ws vulnerability #436

Merged
RetricSu merged 4 commits into ckb-devrel:develop from humble-little-bear:bump-ccc-core-ws-fix
Jun 25, 2026
Conversation

@humble-little-bear

Contributor

Upgrades @ckb-ccc/core from 1.5.3 to 1.14.0 so the transitive ws dependency resolves to ^8.21.0, which patches the reported memory exhaustion DoS advisory.

humble-little-bear and others added 4 commits June 24, 2026 12:42

Upgrades @ckb-ccc/core from 1.5.3 to 1.14.0 so the transitive
ws dependency resolves to ^8.21.0, which patches the reported
memory exhaustion DoS advisory.

ccc >= 1.14.0 calls getKnownScript(NervosDao) during completeFeeBy
for every input. Devnet has no NervosDao deployment, so supplying the
testnet definition lets isNervosDao() return false without throwing.

Also add the missing changeset for the @ckb-ccc/core bump.

Co-Authored-By: Claude <noreply@anthropic.com>

The github-script comment steps require pull-requests: write, which
fork PRs do not receive with the pull_request trigger. Skip the
optional comment steps on forks so the required changeset check can
still pass/fail cleanly.

Co-Authored-By: Claude <noreply@anthropic.com>

The previous fallback reused the testnet NervosDao definition. Devnet
deploys its own DAO system cell, so map KnownScript.NervosDao to the
devnet dao script derived from ckb list-hashes instead.

Co-Authored-By: Claude <noreply@anthropic.com>
@humble-little-bear

Contributor Author

Final quality assessment conclusion: Pass ✅

The core changes of PR #436 have been verified; merging is recommended.

Verification coverage

| Check item | Result |
| --- | --- |
| @ckb-ccc/core 1.5.3 → 1.14.0 upgrade regression | ✅ deploy / transfer / debug all pass on a local build |
| KnownScript.NervosDao uses the actual devnet DAO script | offckb system-scripts --export-style ccc --network devnet confirms the cellDep points to the devnet genesis DAO cell |
| ccc-based transaction dumper | ✅ mock transaction JSON structure is correct, dep_group expands into 3 cell_deps, WASM debugger Run result: 0 |
| Root-cause reproduction | ✅ At 7d90052 (ccc bump only, no NervosDao mapping) the transfer failure reproduces: Error: No script information was found for NervosDao on ckt; PR head c0633be fixes it |
| Unit tests added | ✅ Added tests/scripts-private.test.ts covering the scripts.dao present/missing edge cases; pnpm test is all green (43 passed / 7 skipped) |
| .github/workflows/changeset-check.yml fork PR behaviour | ✅ Comment steps are correctly skipped on fork PRs, avoiding pull-requests: write permission failures |

Remaining risks

  • mainnet / custom devnet config not tested in practice;
  • no static audit of all ccc 1.14.0 call sites was done (the core paths were verified with no regression);
  • toCCCKnownScripts uses the ! non-null assertion on required scripts, so a missing one throws a TypeError rather than a semantic Error (improvement suggested for a follow-up);
  • CLI experience issues not introduced by this PR (debug --tx-hash does not automatically fetch the on-chain transaction JSON, --single-script output[N].type panics on outputs without a type, Node 22 punycode warning) should be opened as a separate issue.

Conclusion

All "conditionally passed" items have been closed; PR #436 passes.

🤖 Generated with Claude Code
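The breaking change described in the commit messages above (ccc >= 1.14.0 looking up KnownScript.NervosDao for every input during completeFeeBy) and the review's remaining-risk note about the ! non-null assertion in toCCCKnownScripts, illustrated with an added TypeScript example that is not offckb's or ccc's own code: it builds a known-script map from a constructed devnet-style export, fails with a descriptive Error when a required script such as NervosDao is missing, and shows the DAO check returning false for inputs that are not DAO cells. The type shapes, field names, the required-script table and all hashes are assumptions made for this example.

```typescript
// Added example, not offckb's or ccc's code. Shapes are assumptions: a
// ccc-style Script {codeHash, hashType, args} and a ScriptInfo carrying the
// script plus its cellDeps, keyed by a KnownScript name.
type HashType = "type" | "data" | "data1";
interface Script { codeHash: string; hashType: HashType; args: string }
interface CellDep { outPoint: { txHash: string; index: number }; depType: "code" | "depGroup" }
interface ScriptInfo { codeHash: string; hashType: HashType; cellDeps: CellDep[] }
// Export in the spirit of `offckb system-scripts` (assumed field names, not the real format).
interface SystemScripts { [name: string]: ScriptInfo | undefined }

// Required known scripts and the export key each maps to (assumed table).
const REQUIRED: Record<string, string> = {
  NervosDao: "dao",
  Secp256k1Blake160: "secp256k1_blake160_sighash_all",
};

// Builds the known-script map. A missing required entry throws a descriptive
// Error naming the script and network (the review's suggested improvement over a
// `!` assertion, whose failure surfaces only as a TypeError deep inside ccc).
function toKnownScripts(scripts: SystemScripts, network: string): Record<string, ScriptInfo> {
  const out: Record<string, ScriptInfo> = {};
  for (const [known, key] of Object.entries(REQUIRED)) {
    const info = scripts[key];
    if (info === undefined) {
      throw new Error(`No script information was found for ${known} on ${network} (export key "${key}" missing)`);
    }
    out[known] = info;
  }
  return out;
}

// What fee completion needs per input: is this cell's type script the DAO script?
// Returns false (rather than throwing) when the input has no type script.
function isNervosDao(known: Record<string, ScriptInfo>, type: Script | undefined): boolean {
  if (type === undefined) return false;
  const dao = known["NervosDao"];
  return dao.codeHash === type.codeHash && dao.hashType === type.hashType;
}

// Constructed devnet-style sample with placeholder hashes (not real devnet values).
const SAMPLE: SystemScripts = {
  secp256k1_blake160_sighash_all: { codeHash: "0x" + "11".repeat(32), hashType: "type",
    cellDeps: [{ outPoint: { txHash: "0x" + "aa".repeat(32), index: 0 }, depType: "depGroup" }] },
  dao: { codeHash: "0x" + "22".repeat(32), hashType: "type",
    cellDeps: [{ outPoint: { txHash: "0x" + "bb".repeat(32), index: 2 }, depType: "code" }] },
};
```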

@RetricSu RetricSu merged commit 1c17600 into ckb-devrel:develop Jun 25, 2026
6 checks passed