Skip to content

chore: upgrade metadata-helpers#468

Open
lwin-kyaw wants to merge 1 commit intomasterfrom
update/metadata-helpers-8.2.0
Open

chore: upgrade metadata-helpers#468
lwin-kyaw wants to merge 1 commit intomasterfrom
update/metadata-helpers-8.2.0

Conversation

@lwin-kyaw
Copy link
Contributor

@lwin-kyaw lwin-kyaw commented Mar 5, 2026
edited
Loading

Motivation and Context

Jira Link:

Description

  • Update @toruslabs/metadata-helpers from ^8.1.0 to ^8.2.0

How has this been tested?

Screenshots (if appropriate):

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist:

  • My code follows the code style of this project. (run lint)
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.
  • All new and existing tests passed.
  • My code requires a db migration.

Note

Medium Risk
Medium risk because it upgrades a crypto-related dependency and changes the keccak256 implementation source used for login/session ID hashing, which could affect key/session derivation if outputs differ.

Overview
Updates @toruslabs/metadata-helpers from 8.1.0 to 8.2.0 and refreshes package-lock.json, pulling in new transitive deps (notably @noble/hashes and @scure/base) and adjusting the resolved metadata helper tree.

Refactors src/login.ts to import keccak256 from @toruslabs/metadata-helpers instead of @toruslabs/torus.js, keeping the existing hashing behavior used for grouped verifier token aggregation and SessionManager session ID generation.

Written by Cursor Bugbot for commit 4fd402a. This will update automatically on new commits. Configure here.

cursor[bot]
cursor bot reviewed Mar 5, 2026
View reviewed changes
Copy link

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.

src/login.ts
import { type INodeDetails, TORUS_NETWORK_TYPE } from "@toruslabs/constants";
import { NodeDetailManager } from "@toruslabs/fetch-node-details";
import { utf8ToBytes } from "@toruslabs/metadata-helpers";
import { keccak256, utf8ToBytes } from "@toruslabs/metadata-helpers";
Copy link

@cursor cursor bot Mar 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Possible keccak256 return format mismatch after import change

High Severity

keccak256 is now imported from @toruslabs/metadata-helpers instead of @toruslabs/torus.js. Both call sites use .slice(2) on the result, a pattern that assumes a 0x-prefixed hex string. The metadata-helpers v8.2.0 swapped its crypto backend from ethereum-cryptography to @noble/hashes + @scure/base, which could change the return format. If the new keccak256 returns a Uint8Array (as @noble/hashes natively does) or a hex string without 0x prefix, .slice(2) would silently produce an incorrect value — either a truncated byte array or a hash missing its first two hex characters — breaking both the aggregateIdToken computation and the getSessionId helper.

Additional Locations (1)

Fix in Cursor Fix in Web

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@lwin-kyaw