Skip to content

build(deps): bump actions/setup-node from 4 to 6#2

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/github_actions/actions/setup-node-6
Open

build(deps): bump actions/setup-node from 4 to 6#2
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/github_actions/actions/setup-node-6

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 14, 2026

Copy link
Copy Markdown

Bumps actions/setup-node from 4 to 6.

Release notes

Sourced from actions/setup-node's releases.

v6.0.0

What's Changed

Breaking Changes

Dependency Upgrades

Full Changelog: actions/setup-node@v5...v6.0.0

v5.0.0

What's Changed

Breaking Changes

This update, introduces automatic caching when a valid packageManager field is present in your package.json. This aims to improve workflow performance and make dependency management more seamless. To disable this automatic caching, set package-manager-cache: false

steps:
- uses: actions/checkout@v5
- uses: actions/setup-node@v5
  with:
    package-manager-cache: false

Make sure your runner is on version v2.327.1 or later to ensure compatibility with this release. See Release Notes

Dependency Upgrades

New Contributors

Full Changelog: actions/setup-node@v4...v5.0.0

v4.4.0

... (truncated)

Commits

@dependabot @github

dependabot Bot commented on behalf of github Jun 14, 2026

Copy link
Copy Markdown
Author

Labels

The following labels could not be found: ci, dependencies. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

miningtheblocks added a commit that referenced this pull request Jun 17, 2026
… distribuido

Tres CRIT del audit Round 2 que comparten el área del mint processor + feed
realtime multiplayer. Eran independientes pero juntos cierran el bloque
"robustez onchain + realtime":

1. Schema canónico `minedAt` en mineCube.

   Antes se escribía `ts: Date.now()` en mined/{cubeId}, pero
   firestore.indexes.json declara mined[K, minedAt DESC] y DynamicCube201.js
   subscribe con orderBy('minedAt', 'desc'). El index quedaba unused y el
   feed multiplayer recibía snapshot vacío — solo aparentaba funcionar
   por el optimistic local update del usuario que minó.
   (Agentes #2 CRIT + #5 CRIT-1 + #12 cross-ref)

2. tx.wait(SAFE_CONFIRMATIONS=30) en runMintProcessing.

   Polygon PoS confirma checkpoints cada ~30min y reorgs de hasta 100
   bloques se observaron históricamente. tx.wait() sin parámetro vuelve al
   primer block include — un reorg posterior puede revertir el mint
   mientras Firestore ya tiene status:completed. User queda sin NFT
   on-chain y sin trail para reclamo.

   30 bloques @ ~2.2s ≈ 66s extra de espera por mint. Aceptable para un
   cron 5min con queue chica; reduce a ~0% el riesgo de "NFT fantasma".
   (Agentes #3 CRIT-6 + #8 CRIT-1)

3. Lock distribuido en `runtime/mintProcessor` con TTL 10min.

   Antes, `processPendingMints` (onCall admin manual) y
   `mintProcessorScheduled` (onSchedule cron 5min) podían correr
   concurrentes y enviaban mintGem() con el MISMO nonce de la company
   wallet → una falla con "nonce too low", MATIC quemado en gas, race
   en doc.status=processing, backlog stuck.

   Lock pattern: TX read snapshot, check expiresAt, write si libre.
   Auto-release en finally + TTL backup si el worker crashea. Las rules
   son default-deny para /runtime/* — cliente no puede tocarlo.
   (Agentes #3 CRIT-4 + #8 CRIT-3)

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@dependabot dependabot Bot changed the title Bump actions/setup-node from 4 to 6 build(deps): bump actions/setup-node from 4 to 6 Jun 17, 2026
@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions/setup-node-6 branch from c727ee9 to c32cbc9 Compare June 17, 2026 16:32
miningtheblocks added a commit that referenced this pull request Jun 18, 2026
…n plural

Cubre 5 hallazgos de los reportes de los 12 agentes que quedaron sin
attended en commits A-Z.

1. HIGH-09-04: App Links autoVerify para deep links HTTPS
   - docs/.well-known/assetlinks.json declara SHA-256 BF:8F:25... del
     keystore mtb-release-v2 → Android verifica al install que el APK
     viene del owner del dominio miningtheblocks.com.
   - AndroidManifest.xml: intent-filter android:autoVerify="true" para
     scheme=https + host=miningtheblocks.com + pathPrefix=/app/. Sin esto,
     otra app maliciosa podría declarar el mismo scheme y secuestrar el
     callback.
   - App.js DeepLinkHandler reconoce https://miningtheblocks.com/app/<page>
     además del scheme mtb:// existente.
   - docs/app/index.html: fallback page para users que clickean el link
     sin tener la app instalada (los redirige al GitHub releases).

2. HIGH #2/#12 (Firestore rules): query.limit caps explícitos
   - activityFeed: limit <= 100 (sin cap, cliente authed traía la
     colección entera en bucle).
   - mined: limit <= 500 (servidor con 6 capas = ~50k cubos).
   Cost amplification prevention. Deployed via firebase deploy.

3. P3 defense-in-depth (firebase.json hosting headers):
   - Cross-Origin-Opener-Policy: same-origin (isola browsing context al
     window.open).
   - Cross-Origin-Resource-Policy: same-origin (mis assets no embebibles
     cross-origin como <img>/<script>/etc.).
   - Permissions-Policy extendida: autoplay, display-capture,
     encrypted-media, fullscreen=(self), picture-in-picture, screen-wake-lock,
     sync-xhr, web-share, xr-spatial-tracking, etc. — cierra ~10 features
     no usadas que el browser exponía por default.
   - STS preload directive agregado (`includeSubDomains; preload`).
   - COEP `require-corp` evaluado y descartado: rompería verify.html
     (Firebase SDK desde gstatic.com sin CORP headers).

4. CRIT-10-04 follow-up: pluralization helper tn(key, count, vars)
   - CLDR plural rules para en/es (binary: one / other).
   - Uso: tn('gem.found', 5, { tier: 3 }) → busca 'gem.found_one' o
     'gem.found_other' con `{count}` autoinyectado como var.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions/setup-node-6 branch from c32cbc9 to d6d441e Compare June 18, 2026 03:15
miningtheblocks added a commit that referenced this pull request Jun 23, 2026
Smart contract V2 (cierra CRIT-S1/S2/S3 + MED-S1 + HIGH-S1):
- Deploy: 0x2933Ff14AdeC0a4D74aD8380E5c491321bBd3195 (Polygon mainnet, verified)
- AccessControl 2-of-3 Safe (0x83a3F5...86aCD) ADMIN+PAUSER, EOA nftv2 MINTER
- Supply caps inmutables por tier [1,1,5,50,100,500,1000,4000,10000]
- tokenURI canónico por tier (caller no controla URI)
- renounceRole(ADMIN) bloqueado (anti-bricking)
- functions/index.js: ABI actualizado (mintGem 3 args sin tokenURI_)

Backend fixes (batch 3):
- #2 HIGH-1 cross-attribution USDC: senderWalletAddress opt-in + match con event.args.from
- #4 HIGH-M1 gem-loss window: gem + pendingMint dentro del TX con docIds determinísticos
- #4 HIGH-R1 cap referrer bonus: 50 invitados rewarded max (campo referralsRewarded)
- #2 HIGH-2 rateLimits TTL: expiresAt usa Timestamp.fromMillis
- #3 MED-4 Sentry PII scrubber: beforeSend + beforeBreadcrumb sobre email/wallet/phone

Build / Deploy (batch 1):
- #9 HIGH-1 credentialsSource:local en eas.json production
- #9 HIGH-3 versionCode:5 en app.json
- #9 HIGH-4 runtimeVersion appVersion en app.json
- #9 HIGH-7 MTB-v1.1.0.apk.sha256 copiado a docs/
- #9 HIGH-8 download URL -> releases/latest

Supply chain (batch 1+2):
- #5 HIGH-2 nodemailer ^8.0.10 -> ^9.0.1
- #5 HIGH-3 npm overrides ws@^8.21.0 + undici@^6.27.0
- #5 HIGH-4 npm audit en root agregado al CI
- #5 HIGH-5 @cyclonedx/cdxgen pinned a 11.5.0 (no @latest)

Privacy / Legal (batch 1+2):
- #8 HIGH-1 retention 5y AML/KYC explícito (EN + ES)
- #8 HIGH-2 governing law: Argentina/Buenos Aires (EN + ES)
- #8 HIGH-8 clarificado solo email+password sin OAuth Apple/Google (EN + ES)

Frontend security (batch 2):
- #3 HIGH-1 verify.html inline script -> public/verify.js + removido unsafe-inline
- #3 HIGH-2 el() helper sin innerHTML

Web / SEO / a11y (batch 1+2):
- #10 HIGH-5 frame-buster JS anti-clickjacking
- #10 HIGH-6 docs/robots.txt + docs/sitemap.xml
- #10 HIGH-7 OG + Twitter Card + canonical en docs/index.html
- #10 HIGH-8 label for=... en form inputs + .sr-only utility

Smart contract tooling:
- contracts/MTBGemsV2.sol (source) + contracts_build/ (hardhat 0.8.27 cancun, 17/17 tests)

Pre-commit hook: refinado patrón anti-secret para no flagear tx hashes públicos
en docs y constantes role de OpenZeppelin.

Pendiente acción manual (documentado en PENDING_FIXES.md):
- cd functions && npm install
- firebase deploy --only functions / --only hosting
- GitHub Settings -> Pages -> Enforce HTTPS
- DNS records SPF/DMARC/CAA en Cloudflare

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
miningtheblocks added a commit that referenced this pull request Jun 23, 2026
Doc en RUNBOOK de las copias offline del keystore release v2 hechas el
2026-06-23:
- Copia #1: Hitachi sda /run/media/code/datos/keystore-backup-2026-06-23/
- Copia #2: USB Kingston DT 101 G2 (DataTraveler, extraído físicamente)
- Copia #3: off-site (pendiente)

Test recovery EXITOSO 2026-06-23: descifrado con password de Bitwarden,
SHA-256 raw matches 36785fb2...af9f6f64. Próximo test recovery 2027-Q1.

Pre-fix: 1 keystore + 1 .gpg, ambos en el MISMO disco sdb (PNY SSD). Disk
failure = bricked release line forever (mismo modo del v1 perdido).

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
miningtheblocks added a commit that referenced this pull request Jun 23, 2026
Pre-fix: el monto SIEMPRE era $15.XX random (15.01-15.99) para
identificar de qué user es cada pago USDC (USDC no tiene memo field
como otras cryptos). UX confusa ("¿por qué me cobran $15.55?") + costo
extra de 1-99¢ por crédito sobre el user.

Sistema híbrido:
- Si el caller pasa senderWalletAddress (la wallet del user):
   * Monto: $15.00 redondo
   * docId: walletpay_${senderWalletAddress}
   * Processor matchea por `from` address del Transfer event (lógica
     ya implementada commit a5cb3aa audit #2 HIGH-1)
- Si NO pasa senderWalletAddress (legacy/sin wallet linked):
   * Monto: $15.XX con cents random (1..99)
   * docId: amt_${amountUnits}
   * Processor matchea por amount (comportamiento original)

Frontend (BuyCredits.js): lee userData.walletAddress del onSnapshot del
user doc. Si está populated → pasa la wallet a callCreateCryptoPayment.
Si user no tiene wallet linked (registro reciente) → omite el param.

src/firebase/functions.js: signature actualizado para aceptar el
senderWalletAddress como argumento opcional.

Backend tx atómica: si ya hay un pending para esa walletpay_${addr}, lo
re-usa en vez de fallar (soporta retries del cliente). Si está expired
o de otro status, lo sobreescribe.

Impact: 90%+ de users (que tienen wallet linked al usar la app a fondo)
ahora pagan $15.00 limpio. Usuarios nuevos sin wallet → siguen con $15.XX.
38/38 tests passing.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4 to 6.
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](actions/setup-node@v4...v6)

---
updated-dependencies:
- dependency-name: actions/setup-node
  dependency-version: '6'
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/github_actions/actions/setup-node-6 branch from d6d441e to 060ed68 Compare June 24, 2026 00:35
miningtheblocks added a commit that referenced this pull request Jun 25, 2026
PROBLEMA — Apretar botón de cara terminaba en cara incorrecta:
  Reproducción: estando en grid mode mirando "left", apretar "back" iba a
  "front". El render loop salía/entraba a grid mode durante la animación
  de goToFaceCenter (3 fases: zoom out a 650 → rotar → zoom in a 118.85).
  La fase 1 (distance=650 > EXIT_GRID_DIST=275) disparaba la transición
  auto grid→cube que limpiaba requestedFaceRef. Al volver a grid en fase 3,
  la cara solicitada se había perdido → fallback a lastDetectedFaceIndexRef
  que durante el zoom out apuntaba a 'front'.

Fix (DynamicCube201.js render loop ~L3491):
  Agregar `suppressedAutoGrid = nowTs < suppressAutoGridRef.current` y
  sumarlo a las condiciones de shouldUseCameraMode / stickyGrid. Durante
  los ~1860ms de animación que goToFaceCenter cubre vía suppressAutoGridRef,
  el modo grid y requestedFaceRef se mantienen → la cámara aterriza en la
  cara correcta.

BACKEND — firestore.rules cap subido de 500 a 2500:
  El listener de mined pedía limit(2500) pero las rules cap eaban a 500
  (Round 2 #2/#12 HIGH). Quedó desincronizado en algún commit anterior →
  query del listener fallaba con permission-denied → minedCubes nunca se
  poblaba en cold start → parches no persistían. Confirmado via logcat.

LIMPIEZA:
  - Quitar toasts de diagnóstico (Mineds DB / ERR Firestore) — eran solo
    para identificar el bug de rules, ya cumplió su función.
  - Mantener console.warn en error handler del onSnapshot.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants