3 Commits

Author SHA1 Message Date
pezkuwichain 51eecf9e08 fix(ci): audit only production deps in the deploy gate (--omit=dev)
The security-audit gate ran 'npm audit --audit-level=high' over all deps,
so newly-published advisories on build-only tooling (esbuild, elliptic via
vite-plugin-node-polyfills, etc.) repeatedly blocked production deploys
even though that code ships to no user. Scope the gate to production
dependencies with --omit=dev. Verified: 'npm audit --audit-level=high
--omit=dev' → 0 vulnerabilities. TruffleHog secret scanning is unchanged.
2026-06-12 23:39:38 -07:00
pezkuwichain 78e93e9766 feat(web): PEZ-20 badge on PEZ & USDT balance cards (#17)
* fix(ci): unblock deploy pipeline (audit gate + orphan submodule)

The Quality Gate & Deploy pipeline was failing at security-audit
(npm audit --audit-level=high), which blocks telegram-gate and the
whole deploy chain — that is why production was serving a stale bundle.

- npm audit fix (no --force, lockfile only): clears the critical vitest
  advisory (GHSA-5xrq-8626-4rwp) and the high elliptic one; only low-
  severity items remain, so 'npm audit --audit-level=high' now exits 0.
- Remove the orphaned 'exchange' gitlink: it is an empty submodule
  pointer with no .gitmodules mapping, which made git print
  'fatal: no submodule mapping found' during checkout.

Verified: lint, test (32 passed), and vite build all pass; audit gate
is green. No package.json changes.

* feat(web): PEZ-20 badge on PEZ and USDT balance cards

Add a small reusable Pez20Badge pill next to the PEZ and USDT tokens in
the wallet balance view, linking to the Token Standards docs. These are
fungible assets on Asset Hub, i.e. the PEZ-20 standard — this gives users
the familiar ERC-20-style mental model at a glance.

Additive only: no labels removed, native HEZ is intentionally not badged
(it is the native/gas token, not a PEZ-20 asset).
2026-06-12 23:28:05 -07:00
pezkuwichain 83d66feacc fix(ci): unblock deploy pipeline (audit gate + orphan submodule) (#16)
The Quality Gate & Deploy pipeline was failing at security-audit
(npm audit --audit-level=high), which blocks telegram-gate and the
whole deploy chain — that is why production was serving a stale bundle.

- npm audit fix (no --force, lockfile only): clears the critical vitest
  advisory (GHSA-5xrq-8626-4rwp) and the high elliptic one; only low-
  severity items remain, so 'npm audit --audit-level=high' now exits 0.
- Remove the orphaned 'exchange' gitlink: it is an empty submodule
  pointer with no .gitmodules mapping, which made git print
  'fatal: no submodule mapping found' during checkout.

Verified: lint, test (32 passed), and vite build all pass; audit gate
is green. No package.json changes.
2026-06-11 18:42:45 -07:00
+5 -2
@@ -628,11 +628,14 @@ jobs:
with:
node-version: '20'
- name: Web — npm audit (high + critical)
- name: Web — npm audit (high + critical, production deps only)
working-directory: ./web
run: |
npm install
npm audit --audit-level=high
# Audit only production dependencies. Build tooling (vite, esbuild,
# vite-plugin-node-polyfills → elliptic, etc.) ships to no user, and
# advisories on those dev deps kept blocking production deploys.
npm audit --audit-level=high --omit=dev
- name: TruffleHog — PR diff (verified secrets only)
if: github.event_name == 'pull_request'
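Review bot: the step still installs with `npm install` (the unchanged `npm install` line just above the new `npm audit --audit-level=high --omit=dev`) rather than `npm ci`, so npm may rewrite the lockfile before auditing and the gate can pass or fail on a tree that differs from the committed one; switch to `npm ci` so the audit runs against exactly the pinned lockfile. Separately, `--omit=dev` removes build tooling from the gate entirely even though that tooling still executes in this pipeline (the same job chain runs `vite build`), so a compromised or vulnerable dev dependency would no longer be surfaced anywhere; consider keeping a second, non-blocking step (`continue-on-error: true`) that runs the full `npm audit --audit-level=high` so those advisories stay visible in the job log without blocking deploys.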