fix: upgrade sdk 1.1.13 & fix security issue

[wabicai]

Summary by CodeRabbit

• Chores
  • Updated third‑party libraries to newer compatible versions for improved compatibility and stability.
  • Upgraded HTTP client to a newer major version for better performance and security.
  • Added package manager metadata and pinned several transitive dependency versions to stabilize installs.
  • Updated hardware SDK connection endpoint to the latest release for consistent device communication.

[coderabbitai]

Walkthrough

Updated package.json with dependency bumps (internal SDKs and axios), added packageManager metadata and resolutions pins. Adjusted hardware SDK connectSrc to use version 1.1.13 in src/hardware/instance.ts.

Changes

Cohort / File(s)	Summary
Dependency and tooling config package.json	- Bumped @onekeyfe/hd-core, @onekeyfe/hd-shared, @onekeyfe/hd-web-sdk from 1.1.11 to 1.1.13 - Upgraded axios from ^0.27.2 to 1.12.2 (major) - Added top-level packageManager: "[email protected]+sha512.a6b2f7906b721bba3d67d4aff083df04dad64c399707841b7acf00f6b133b7ac24255f2652fa22ae3534329dc6180534e98d17432037ff6fd140556e2bb3137e" - Added resolutions pinning: [email protected], [email protected], [email protected], @babel/[email protected], [email protected], [email protected], [email protected]
Hardware SDK endpoint update src/hardware/instance.ts	Updated connectSrc from https://jssdk.onekey.so/1.1.11/ to https://jssdk.onekey.so/1.1.13/; no other logic or API changes

Sequence Diagram(s)

sequenceDiagram
  autonumber
  participant App
  participant HW as getHardwareSDKInstance
  participant SDK as Hardware SDK

  App->>HW: request instance
  alt First call or re-init
    HW->>SDK: init({ connectSrc: "https://jssdk.onekey.so/1.1.13/", ... })
    SDK-->>HW: initialized SDK instance
    HW-->>App: return instance
  else Already initialized
    HW-->>App: return cached instance
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title Check	✅ Passed	The title "fix: upgrade sdk 1.1.13 & fix security issue" is concise and accurately summarizes the primary change: upgrading the SDK and addressing a security concern. The changeset updates multiple package versions (including hd-core/hd-shared/hd-web-sdk and axios) and the hardware connectSrc to 1.1.13, which matches the title. The phrasing is clear, specific, and follows conventional commit style.
Docstring Coverage	✅ Passed	No functions found in the changes. Docstring coverage check skipped.

✨ Finishing touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch fix/secure-issue

Tip

👮 Agentic pre-merge checks are now available in preview!

Pro plan users can now enable pre-merge checks in their settings to enforce checklists before merging PRs.

• Built-in checks – Quickly apply ready-made checks to enforce title conventions, require pull request descriptions that follow templates, validate linked issues for compliance, and more.
• Custom agentic checks – Define your own rules using CodeRabbit’s advanced agentic capabilities to enforce organization-specific policies and workflows. For example, you can instruct CodeRabbit’s agent to verify that API documentation is updated whenever API schema files are modified in a PR. Note: Upto 5 custom checks are currently allowed during the preview period. Pricing for this feature will be announced in a few weeks.

Please see the documentation for more information.

Example:

reviews:
  pre_merge_checks:
    custom_checks:
      - name: "Undocumented Breaking Changes"
        mode: "warning"
        instructions: |
          Pass/fail criteria: All breaking changes to public APIs, CLI flags, environment variables, configuration keys, database schemas, or HTTP/GraphQL endpoints must be documented in the "Breaking Change" section of the PR description and in CHANGELOG.md. Exclude purely internal or private changes (e.g., code not exported from package entry points or explicitly marked as internal).

Please share your feedback with us on this Discord post.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[revan-zhang]

🎉 Snyk checks have passed. No issues have been found so far.

✅ security/snyk check is complete. No issues have been found. (View Details)

✅ license/snyk check is complete. No issues have been found. (View Details)

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	hasown@​2.0.2
	has-tostringtag@​1.0.0 ⏵ 1.0.2			+1
	available-typed-arrays@​1.0.7
	es-define-property@​1.0.1
	gopd@​1.2.0
	has-symbols@​1.1.0
	es-set-tostringtag@​2.1.0
	function-bind@​1.1.1 ⏵ 1.1.2			-1
	for-each@​0.3.5
	is-typed-array@​1.1.15
	cipher-base@​1.0.4 ⏵ 1.0.6		+75	+2
	@​babel/​helper-globals@​7.28.0
	es-errors@​1.3.0
	define-data-property@​1.1.4
	dunder-proto@​1.0.1
	get-proto@​1.0.1
	@​babel/​traverse@​7.20.1 ⏵ 7.28.4	+1	+75	+1
	call-bind-apply-helpers@​1.0.2
	es-object-atoms@​1.1.1
	call-bound@​1.0.4
	get-intrinsic@​1.1.3 ⏵ 1.3.0			+1
	cross-spawn@​7.0.3 ⏵ 7.0.6	+1	+15	-2
	base-x@​3.0.9 ⏵ 3.0.11	+1	+15	+1
	follow-redirects@​1.15.2 ⏵ 1.15.11	+1	+8
	form-data@​3.0.1 ⏵ 4.0.4		+75	+1	-1
	axios@​0.27.2 ⏵ 1.12.2		+26	+1
	@​onekeyfe/​hd-transport@​1.1.11 ⏵ 1.1.13	+16		+19	+4
	@​onekeyfe/​hd-core@​1.1.11 ⏵ 1.1.13	+16		+16	+4
	@​onekeyfe/​hd-shared@​1.1.11 ⏵ 1.1.13	+19		+30	+4
	@​onekeyfe/​hd-transport-http@​1.1.11 ⏵ 1.1.13	+22		+24	+4
	@​onekeyfe/​hd-transport-web-device@​1.1.11 ⏵ 1.1.13	+22		+22	+4
	@​onekeyfe/​hd-web-sdk@​1.1.11 ⏵ 1.1.13	+17		+16	+4

View full report

[coderabbitai]

Actionable comments posted: 1

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 21dcdef and 945f1ed.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (2)

• package.json (3 hunks)
• src/hardware/instance.ts (1 hunks)

🔇 Additional comments (3)

package.json (2)

182-191: Enforce Yarn 1.22.22 and document resolution pins

• yarn.lock is present and contains the pinned versions (protobufjs 6.11.4, sha.js 2.4.12, cipher-base 1.0.6, @babel/traverse 7.28.4, base-x 3.0.11, cross-spawn 7.0.6, webpack-dev-middleware 5.3.4).
• Action: enforce Yarn v1.22.22 in CI and dev environments (add "engines" to package.json and/or pin/validate Yarn in CI jobs) and add a short rationale for each resolution (security/bug/compat) in package.json or a DEPENDENCIES.md.

---

33-33: Verify Axios 1.x migration — repo scan failed, please re-run checks

rg errored with "unrecognized file type: tsx" so I couldn't confirm usages. Run these from the repo root (no --type flags) and paste results:

rg -n -S '\baxios\b' -C2 .
rg -n -S 'CancelToken|isCancel|axios.all(|axios.spread(|interceptors.(request|response).use(' -C2 .
rg -n -S 'paramsSerializer|toFormData|FormData|Content-Type|headers.common' -C2 .
rg -n -S "from\s+'axios'|require(['"]axios['"])" -C2 .

Quick migration checklist to act on if matches appear:

• Replace CancelToken usage (use AbortController) and remove isCancel reliance.
• Ensure default import style (import axios from 'axios') or correct require interop.
• Update error handling to use axios.isAxiosError and adjust interceptor types.
• Audit FormData uploads and explicitly set/omit Content-Type; use toFormData if needed.
• Stop relying on request.headers.common.*; use the flattened header object.
• Update paramsSerializer shape or pick a 1.x that restores function option.

Attach the rg outputs and I will verify findings.

src/hardware/instance.ts (1)

18-23: Avoid version skew: don't hardcode connectSrc.

You bumped SDK deps to ^1.1.13 but hardcoded connectSrc to 1.1.13. A later minor/patch (e.g., 1.1.14) will mismatch and can break runtime. Derive the URL from the installed SDK version (allow an env override), or pin deps exactly.

Apply this diff:

-        connectSrc: 'https://jssdk.onekey.so/1.1.13/',
+        // Keep JSSDK in lockstep with the installed SDK (override via env if needed)
+        connectSrc: `https://jssdk.onekey.so/${(process.env.REACT_APP_ONEKEY_JSSDK_VERSION ?? getSDKVersion()).split('-')[0]}/`,

Docs show the JSSDK uses versioned iframe URLs — confirm the CDN serves https://jssdk.onekey.so//iframe.html for the versions you expect (stable and prerelease). (developer.onekey.so)

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

Disabled knowledge base sources:

• Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 945f1ed and 3fed567.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (1)

• package.json (3 hunks)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Socket Security: Pull Request Alerts

🔇 Additional comments (4)

package.json (4)

181-181: No behavior change in eslintConfig block.

Looks fine.

---

12-14: Approve: OneKey SDKs pinned to 1.1.13 — verification passed.
No 1.1.11 references found. Confirmed jssdk.onekey.so/1.1.13 at src/hardware/instance.ts:20.

---

183-191: Resolutions applied in yarn.lock — document reasons and verify compatibility.

yarn.lock shows the resolutions took effect: protobufjs → 6.11.4; sha.js → 2.4.12; cipher-base → 1.0.6; @babel/traverse → 7.28.4; base-x → 3.0.11; cross-spawn → 7.0.6; webpack-dev-middleware → 5.3.4.

• Document why each pin is required (link each to the advisory/PR). Prefer bumping direct deps or scoped resolutions instead of broad overrides.
• Babel: @babel/traverse is forced to 7.28.4 while other @babel/* versions vary in yarn.lock — verify @babel/core/@babel/parser compatibility and run the build/tests.
• webpack-dev-middleware: confirm compatibility with webpack-dev-server 4.x (check package.json) and smoke-test the dev server.

File: package.json (resolutions block lines 183–191).

---

33-33: Axios 1.x bump — verify CancelToken → AbortController and progress handlers

rg returned "No files were searched", so I couldn't verify. Run and paste results:

rg -nP --hidden --no-ignore '\bCancelToken\b|axios.CancelToken|axios.isCancel' -g '!/node_modules/' || true
rg -nP --hidden --no-ignore '\bon(Upload|Download)Progress\b' -g '!/node_modules/' || true

If matches are found, migrate CancelToken/axios.isCancel to AbortController-based cancellation and test onUploadProgress/onDownloadProgress and any adapter/polyfill assumptions.