chore(release): v1.0.6-beta #1871
Conversation
The following advisories where resolved: - [RUSTSEC-2020-0056](https://rustsec.org/advisories/RUSTSEC-2020-0056.html) - [RUSTSEC-2021-0059](https://rustsec.org/advisories/RUSTSEC-2021-0059.html) - [RUSTSEC-2021-0060](https://rustsec.org/advisories/RUSTSEC-2021-0060.html) - [RUSTSEC-2022-0090](https://rustsec.org/advisories/RUSTSEC-2022-0090.html) - [RUSTSEC-2022-0092](https://rustsec.org/advisories/RUSTSEC-2022-0092.html) - [RUSTSEC-2020-0168](https://rustsec.org/advisories/RUSTSEC-2020-0168.html) - [RUSTSEC-2023-0034](https://rustsec.org/advisories/RUSTSEC-2023-0034.html) --------- Signed-off-by: ozkanonur <work@onurozkan.dev>
This commit refactors ARRR/ZCOIN code to be compiled in WebAssembly (WASM). It paves the way for subsequent implementation of the empty/todo functions related to WASM storage and other functionalities. --------- Signed-off-by: borngraced <samuelonoja970@gmail.com>
When orderbook is requested the age field now returns the right age.
Signed-off-by: ozkanonur <work@onurozkan.dev>
…ption (#1849) This commit fixes a bug that caused `best_orders` rpc to return is_mine: false for the user's orders. It also adds an optional `exclude_mine` parameter to the `best_orders` request that allows users to exclude their own orders from the response. `exclude_mine` defaults to false to maintain the same behaviour before this commit.
* Moves the watchtower integration tests to the new ethereum testnet and remove the ignore attributes. * Adds a new test case for watcher rewards. * Fixe the unstable `send_and_refund_eth_payment`, `send_and_refund_erc20_payment`, `test_nonce_lock` and `test_withdraw_and_send tests` that were failing due to concurrency
This commit changes the komodo endpoint for fetching swap prices to a working one
This commit makes `use_watchers` configuration `true` by default. This means that all nodes will broadcast a watcher message after the taker payment is sent if the swapped coins are supported by watchers (only UTXO for now). It also fixes a problem that caused the nodes to broadcast two watcher messages consecutively after the taker payment is sent.
…/native_tls/builder.rs from https://github.com/rustls/hyper-rustls/tree/286e1fa57ff5cac99994fab355f91c3454d6d83d src/acceptor.rs and src/acceptor/builder.rs
- add the required deps for native_tls to mm2_net/Cargo.toml - expose TlsStream and add remote_addr to it - format the ported code
…1768) This commit introduces the following new commands to adex-cli. `enable`, `get-enabled`, `orderbook`,`sell`, `buy`
This commit adds NFT cache support for sqlite while leaving wasm IndexedDB implementation as Todo since the logic that uses sqlite NFT cache is applicable to both targets.
This commit removes the passed config string to mm2 while initializing from the error log if there was a deserialization error.
|
@ca333 @Alrighttt @DeckerSU dependency updates or new dependencies can be found in #1861 (comment), #1768 (comment), #1853 (comment) or just check the below tables instead.
|
librustzcash |
k-1.0.0 |
-> | k-1.3.0 |
blake2 |
v0.10.4 |
-> | v0.10.6 |
metrics |
v0.19.0 |
-> | v0.21.0 |
hyper |
v0.14.18 |
-> | v0.14.26 |
rusqlite |
v0.24.2 |
-> | v0.28.0 |
env_logger |
v0.9.0 |
-> | v0.9.3 |
ahash |
0.7.6 |
-> | 0.8.3 |
block-modes |
0.7.0 |
-> | 0.8.1 |
fpe |
0.3.13 |
-> | 0.3.19 |
hashbrown |
0.12.1 |
-> | 0.13.2 |
hashlink |
0.6.0 |
-> | 0.8.2 |
httparse |
1.6.0 |
-> | 1.8.0 |
libsqlite3-sys |
0.20.1 |
-> | 0.25.2 |
metrics-exporter-prometheus |
0.10.0 |
-> | 0.12.1 |
metrics-macros |
0.5.1 |
-> | 0.7.0 |
metrics-util |
0.13.0 |
-> | 0.15.0 |
num-traits |
0.2.12 |
-> | 0.2.15 |
ordered-float |
2.10.0 |
-> | 3.7.0 |
pkg-config |
0.3.17 |
-> | 0.3.27 |
quanta |
0.9.3 |
-> | 0.11.1 |
rmp |
0.8.9 |
-> | 0.8.11 |
sketches-ddsketch |
0.1.3 |
-> | 0.2.1 |
socket2 |
0.4.4 |
-> | 0.4.9 |
termcolor |
1.1.0 |
-> | 1.2.0 |
version_check |
0.9.2 |
-> | 0.9.4 |
rustls-pemfile |
v1.0.0 |
-> | v1.0.2 |
base64 |
v0.13.0 |
-> | v0.21.2 |
New:
| Instead of | ||
|---|---|---|
libm |
v0.2.7 |
|
mach2 |
v0.4.1 |
mach v0.3.2 |
portable-atomic |
v1.3.2 |
|
pem |
v1.1.1 |
|
rcgen |
v0.10.0 |
|
yasna |
v0.5.2 |
adex-cli Dependency Updates:
Updated:
| mm2 Cargo.lock | ||||
|---|---|---|---|---|
clap |
2.34.0 |
-> | 4.3.4 |
2.33.3 |
hashbrown |
0.12.3 |
-> | 0.14.0 |
0.11.2,0.12.1,0.13.2 |
hashlink |
0.6.0 |
-> | 0.8.3 |
0.8.2 |
strsim |
0.8.0 |
-> | 0.10.0 |
0.8.0 |
wasm-bindgen |
0.2.80 |
-> | 0.2.87 |
0.2.86 |
wasm-bindgen-backend |
0.2.80 |
-> | 0.2.87 |
0.2.86 |
wasm-bindgen-macro |
0.2.80 |
-> | 0.2.87 |
0.2.86 |
wasm-bindgen-macro-support |
0.2.80 |
-> | 0.2.87 |
0.2.86 |
wasm-bindgen-shared |
0.2.80 |
-> | 0.2.87 |
0.2.86 |
New:
| mm2 Cargo.lock | ||
|---|---|---|
allocator-api2 |
0.2.15 |
|
anstream |
0.3.2 |
|
anstyle |
1.0.0 |
|
anstyle-parse |
0.2.0 |
|
anstyle-query |
1.0.0 |
|
anstyle-wincon |
1.0.1 |
|
arrayvec |
0.5.2 |
0.5.1,0.7.1 |
base64 |
0.13.1 |
0.10.1,0.11.0, 0.12.3, 0.13.0, 0.21.2 |
bigdecimal |
0.3.1 |
0.3.0 |
blake2b_simd |
0.5.11 |
0.5.10 |
clap_builder |
4.3.4 |
|
clap_derive |
4.3.2 |
|
colorchoice |
1.0.0 |
|
directories |
5.0.1 |
3.0.2 |
dirs-sys |
0.4.1 |
0.3.6 |
errno |
0.3.1 |
0.2.8 |
heck |
0.4.1 |
0.4.0 |
hermit-abi |
0.3.1 |
0.1.14 |
io-lifetimes |
1.0.11 |
1.0.6 |
is-terminal |
0.4.7 |
|
keccak |
0.1.4 |
0.1.0 |
linux-raw-sys |
0.3.8 |
0.1.4 |
num-rational |
0.4.1 |
0.4.0 |
option-ext |
0.2.0 |
|
paste |
1.0.12 |
1.0.7 |
portable-atomic |
1.3.3 |
1.3.2 |
redox_users |
0.4.3 |
0.3.4, 0.4.0 |
rustix |
0.37.20 |
0.36.9 |
sct |
0.6.1 |
0.6.0,0.7.0 |
utf8parse |
0.2.1 |
|
webpki |
0.21.4 |
0.21.3,0.22.0 |
Thank you @rozhkovdmitrii for the table format.
|
Btw, JFYI ... there is a cargo plugin named cargo-lockdiff to generate similar diff tables. For example, for our case it generates the following, as a diff between
It's good, but it's not ideal, like it was unable to determine changes in p.s. I will mark the reviewed packages in Review Result column with 🟢, 🟡, 🔴 symbols and corresponding comments. |
There was a problem hiding this comment.
A review of changed dependencies, including librustzcash, has been done. Everything seems to be okay. I also want to note that the review was only carried out on "malicious inclusions" and does not affect errors in the logic of the operation of certain modules. Obviously, it is impossible to know the nuances of how all crates work, such as, for example, the distributed quantile sketch algorithm, etc. At this moment, the mm2 sources themselves have not been reviewed; I will do it a bit later and leave a comment here.
|
@cipig UTXO watchers should be tried and tested before approving and merging this PR. You can refer to this document until this feature is fully documented. You can reach out to me or @caglaryucekaya if you have any questions about how to set this up and what to expect from it. |
This commit reduces the time needed for CI by caching the downloaded dependencies. --------- Signed-off-by: ozkanonur <work@onurozkan.dev>
This commit adds label validation on PRs. The validation will only succeed if one of the following labels is used but not both: `under review` or `in progress`. --------- Signed-off-by: ozkanonur <work@onurozkan.dev>
| @@ -1070,19 +1075,19 @@ impl TakerSwap { | |||
| }; | |||
|
|
|||
| // This will be done during order match | |||
| self.w().watcher_reward = false; | |||
| self.w().watcher_reward = std::env::var("USE_WATCHER_REWARD").is_ok(); | |||
There was a problem hiding this comment.
We should avoid reading a system variable like this throughout the execution of the program. Ideally it should be read only once while initializing mm2 or possibly while enabling specific coins.
|
| sql_builder | ||
| .sql_builder() | ||
| .and_where_eq("token_address", format!("'{}'", token_address)) | ||
| .and_where_eq("token_id", format!("'{}'", token_id)) |
There was a problem hiding this comment.
This function has potential for sql injection if the moralis endpoint were to somehow return malicious token_address values or if it were ever reused with a different source for the token_id argument.
eg,
let token_id = "a_token_id'; DROP TABLE an_important_table;'".to_string();
or
let token_address = "a_token_address'; DROP TABLE an_important_table;'".to_string();
We should be deserializing any data from external sources to strict types. For example, if we know token_address must be an EVM compatible address, we should deserialize it directly to a Address type and convert to String as needed to ensure we are in fact dealing with a valid address.
There was a problem hiding this comment.
Please use prepared statement here @laruh
We should avoid using sql_builder as it will be replaced or refactored to be built on prepared statements. Any query created with sql_builder is vulnerable to SQL injections.
Signed-off-by: ozkanonur <work@onurozkan.dev>
There was a problem hiding this comment.
Do we need to include a license file here?
There was a problem hiding this comment.
This is the licences for the ported mod https://github.com/rustls/hyper-rustls/tree/286e1fa57ff5cac99994fab355f91c3454d6d83d#license, I think we should include them. Will do that.
There was a problem hiding this comment.
Should it be included in this file instead https://github.com/KomodoPlatform/komodo-defi-framework/blob/dev/LEGAL/THIRDPARTY-LICENSES . I don't know a lot about licencing.
There was a problem hiding this comment.
I see that hyper-rustls is already in our thirdparty licences file here
@ca333 should anything else be added because we ported some of
hyper-rustls new code and changed it a bit to fit what we needed.
| ## Purpose | ||
|
|
||
| The purpose of porting these files is to enable retrieving the remote address from the incoming connection and to expose the `TlsStream` type. | ||
| > **Note:** The following commit [7eca34d](https://github.com/KomodoPlatform/atomicDEX-API/pull/1861/commits/7eca34dd4621a7de0033f8a81cc11ad117aeb3c3) show the changes applied to the ported code. |
There was a problem hiding this comment.
Thanks for pointing this out, will fix it
There was a problem hiding this comment.
Fixed here dd1b098
* run all tests ignoring the failed ones Signed-off-by: ozkanonur <work@onurozkan.dev> * Update adex-cli.yml --------- Signed-off-by: ozkanonur <work@onurozkan.dev>
- Address was used instead of string in NFT and transaction objects - `guard: Arc<AsyncMutex<()>>` from struct `NftCtx` is added to lock nft functions which uses db - IndexedDB Cursor collect method is used to fix uncaught Error
These issues should be solved by this commit 1e0cf5b, @tonymorony please remove |
) This commit addresses index out of bounds errors in the `tx_details_by_hash` functions. The changes replace direct array access with safer methods, avoiding potential panics due to out-of-range indices. In addition, error handling around the function was improved to log and skip transactions in case of errors.
|
@shamardy the NFT related issues were resolved, removed the label |
chore(release): v1.0.6-beta
Features:
use_watchersconfiguration was set to true by default. It was later disabled in #1897 due to this issue #1887bafyin IPFS Moralis links in a correct way was done in #1877get_uri_metafunction was added to optimize the retrieval ofUriMetafromtoken_uriandmetadatain #1877protect_from_spamfeature was added to redact URLs in specific fields and flag them as possible spam in #1877enable,get-enabled,orderbook,sell,buywere added to adex-cli in #1768Enhancements/Fixes:
best_ordersrpc to returnis_mine: falsefor the user's orders was fixed in #1846exclude_minewas also added to thebest_ordersrequest that allows users to exclude their own orders from the response.exclude_minedefaults to false to maintain the same behaviour before the PR.send_and_refund_eth_payment,send_and_refund_erc20_payment,test_nonce_lockandtest_withdraw_and_send teststests that were failing due to concurrency issues.under revieworin progress#1881orderbookmod of adex-cli was refactored by moving it from the internalresponse_handlerto its appropriate folder, enhancing code organization and clarity in #1879