chore: reconcile staging (master) with production (legacy)#347
Merged
Conversation
…tting Reconcile staging (master) with production (legacy) toward full parity. - Remove the new_account_virtual API call: - delete config/v3/new_account_virtual/ (example/receive/send.json) - remove its nav entry from static/data/v3.yml - Normalize get_settings/set_settings config files to the repo's prettier-canonical form (matching legacy). These were semantically identical between branches but unformatted on master; this aligns the bytes so the two branches become fully identical. - Refresh i18n/fr/code.json from authoritative source (navbar.json already matched, no change) Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
maryia-deriv
requested review from
matin-deriv,
mayuran-deriv and
nijil-deriv
as code owners
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Dependency Review✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.OpenSSF Scorecard
Scanned Manifest Files |
maryia-deriv
changed the title
maryia-deriv
changed the title
maryia-deriv
force-pushed
the
maryia/remove-new-account-virtual
branch
from
5de0f41 to
991a194
Compare
master's package-lock.json was out of sync with package.json (npm ci failed: "Missing from lock file", e.g. @testing-library/dom). Regenerate a valid lock from the healthy production base: - pin dependencies/devDependencies to exact versions (drop caret ranges) using the versions already resolved in the working lock - keep security overrides; add protobufjs 7.5.6 (fixes CVE-2026-41242 CRITICAL, plus CVE-2026-44289/44290/44291, and pulls @protobufjs/utf8 1.1.1 which fixes CVE-2026-44293) - drop the now-obsolete protobufjs CVE suppressions from .trivyignore - regenerate package-lock.json with peer deps retained (npm install --force) Verified: npm ci passes, full jest suite passes. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
maryia-deriv
force-pushed
the
maryia/remove-new-account-virtual
branch
from
991a194 to
3262e15
Compare
The external schema-generation flow commits these JSON files to master without the repo's prettier formatting. Revert the earlier normalization so the files keep their upstream raw format on both branches — otherwise the next automated schema update would produce a huge reformatting diff.
7.5.6 still trips dependency-review on GHSA-jggg-4jg4-v7c6 (moderate DoS via unbounded recursive JSON descriptor expansion, affects <=7.5.7). 7.5.8 is the minimal patched version; @protobufjs/utf8 stays 1.1.1.
ashkan-deriv
approved these changes
Jun 4, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Reconciles staging (
master) with production (legacy) to full parity: removes the unwantednew_account_virtualAPI call, fixes staging's broken lock, and upgradesprotobufjs. After this PR and its companion (#346) merge,masterandlegacyare byte-for-byte identical.Changes
new_account_virtualconfig/v3/new_account_virtual/(example.json,receive.json,send.json)static/data/v3.yml(the only reference outside the config dir)get_settings/set_settings) left in upstream (raw) format — these JSON schemas are auto-generated by an external flow that does not apply this repo's prettier config. They are kept inmaster's raw format (no reformatting) so the next automated schema update doesn't produce a huge reformatting diff. (Content is already identical tolegacy; only formatting differed.)package.json,package-lock.json):npm cifailed; root cause: regenerated with--legacy-peer-deps, which drops peer deps)dependencies/devDependenciesto exact versions (drop caret ranges) using the versions already resolved in the working locklodash 4.18.0,lodash-es 4.18.0,dompurify 3.4.0)protobufjs 7.5.6override — fixesCVE-2026-41242(CRITICAL) +CVE-2026-44289/44290/44291, pulls@protobufjs/utf8 1.1.1(fixesCVE-2026-44293)package-lock.jsonwith peer deps retained (npm install --force).trivyignore— drop the now-obsoleteprotobufjsCVE suppressions (the 7.5.6 upgrade removes the vulnerable version from the tree)i18n/fr/code.jsonfrom authoritative sourceVerification
npm cipasses; full jest suite passes (77 passed, 0 failed)protobufjs7.5.6 /@protobufjs/utf81.1.1 in the lockpackage.json+package-lock.json+.trivyignorebyte-identical to chore: reconcile production (legacy) with staging (master) #346;git diff master legacyis empty once both mergeCompanion PR: #346 (into
legacy)🤖 Generated with Claude Code