audit: harden core nonce handling and refresh vulnerable dependencies by ramtamilselvan · Pull Request #149 · aethelred-foundation/aethelred

ramtamilselvan · 2026-05-24T10:42:10Z

Summary

harden development nonce generation in the secret mempool to avoid literal nonce buffers flagged by CodeQL
refresh audit-facing Go, Rust, SDK, verifier, CLI, and contracts dependencies to patched lines
restore the declared tools/testnet CLI entrypoint so the crate validates cleanly again

cargo test --manifest-path crates/Cargo.toml -p aethelred-core secret_mempool -- --nocapture
go test ./...
cargo check --manifest-path sdk/rust/Cargo.toml
cargo check --manifest-path tools/testnet/Cargo.toml
cargo check --manifest-path crates/bridge/fuzz/Cargo.toml
npm audit --omit=dev --json in sdk/typescript, integrations/apps/nextjs-verifier, tools/cli/aethel, and contracts

contracts still reports moderate dev-only audit noise through the current ethers/hardhat chain with no npm fix available from the present package set.
local stale git worktree registrations were pruned separately as non-committed repo hygiene.

ramtamilselvan added 3 commits May 24, 2026 14:41

core: remove literal dev nonce buffers

ddff2f1

deps: refresh audit-facing vulnerable packages

b165645

testnet: restore declared cli entrypoint

b911284