build(deps): bump @react-navigation/drawer from 7.5.8 to 7.12.2#5
Closed
dependabot[bot] wants to merge 1 commit into
Closed
build(deps): bump @react-navigation/drawer from 7.5.8 to 7.12.2#5dependabot[bot] wants to merge 1 commit into
dependabot[bot] wants to merge 1 commit into
Conversation
Author
LabelsThe following labels could not be found: Please fix the above issues or remove invalid values from |
dependabot
Bot
force-pushed
the
dependabot/npm_and_yarn/react-navigation/drawer-7.12.0
branch
2 times, most recently
from
June 14, 2026 05:42
b06d661 to
8abe599
Compare
miningtheblocks
added a commit
that referenced
this pull request
Jun 17, 2026
… distribuido
Tres CRIT del audit Round 2 que comparten el área del mint processor + feed
realtime multiplayer. Eran independientes pero juntos cierran el bloque
"robustez onchain + realtime":
1. Schema canónico `minedAt` en mineCube.
Antes se escribía `ts: Date.now()` en mined/{cubeId}, pero
firestore.indexes.json declara mined[K, minedAt DESC] y DynamicCube201.js
subscribe con orderBy('minedAt', 'desc'). El index quedaba unused y el
feed multiplayer recibía snapshot vacío — solo aparentaba funcionar
por el optimistic local update del usuario que minó.
(Agentes #2 CRIT + #5 CRIT-1 + #12 cross-ref)
2. tx.wait(SAFE_CONFIRMATIONS=30) en runMintProcessing.
Polygon PoS confirma checkpoints cada ~30min y reorgs de hasta 100
bloques se observaron históricamente. tx.wait() sin parámetro vuelve al
primer block include — un reorg posterior puede revertir el mint
mientras Firestore ya tiene status:completed. User queda sin NFT
on-chain y sin trail para reclamo.
30 bloques @ ~2.2s ≈ 66s extra de espera por mint. Aceptable para un
cron 5min con queue chica; reduce a ~0% el riesgo de "NFT fantasma".
(Agentes #3 CRIT-6 + #8 CRIT-1)
3. Lock distribuido en `runtime/mintProcessor` con TTL 10min.
Antes, `processPendingMints` (onCall admin manual) y
`mintProcessorScheduled` (onSchedule cron 5min) podían correr
concurrentes y enviaban mintGem() con el MISMO nonce de la company
wallet → una falla con "nonce too low", MATIC quemado en gas, race
en doc.status=processing, backlog stuck.
Lock pattern: TX read snapshot, check expiresAt, write si libre.
Auto-release en finally + TTL backup si el worker crashea. Las rules
son default-deny para /runtime/* — cliente no puede tocarlo.
(Agentes #3 CRIT-4 + #8 CRIT-3)
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
miningtheblocks
added a commit
that referenced
this pull request
Jun 17, 2026
…ecesarias) Cierra Agente #4 MED-FE-17 + Agente #5 MEDIUM (dead code confirmados por grep como NO importados desde ningún módulo activo). Archivos eliminados (verificados vía `grep -rn from.*Name` → 0 matches en src/ y App.js): - src/components/MassiveCube.js (169 LOC) — usaba @react-three/fiber - src/components/Layer100Renderer.js (250 LOC) — exp del renderer alterno - src/components/FaceGrid201.js (484 LOC) — renderer de cara alterno - src/utils/ThreeSetup.js (104 LOC) — helper de three.js sin uso - src/utils/CubeCalculations.js (150 LOC) — math helpers ahora en helpers.js backend - src/utils/ads.js ( 66 LOC) — RewardedAd manual; el flow real está inline en GetPeaks.js Total: ~1223 LOC eliminadas del bundle JS del cliente. Deps removidas de package.json (solo usadas por MassiveCube.js): - @react-three/fiber (^9.3.0) - @react-three/drei (^10.7.6) Reducción de bundle estimada: ~650KB (deps no minificadas) según Agente #4. APK más liviano → install rate más alto + cold-start más rápido. NO ELIMINADO (deferred por scope — refactor de DynamicCube201.js requiere test browser): - State `miningAnimations` + `setMiningAnimations` en DynamicCube201.js:1505 (state nunca actualizado pero referenciado en 4+ lugares — necesita revisión cuidadosa para evitar regresiones en animaciones). - Ref `minedPollRef` en DynamicCube201.js:1514 (mismo). Próximo paso operacional (no código): `npm install` para actualizar package-lock.json + sacar @react-three/{fiber,drei} de node_modules. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
miningtheblocks
added a commit
that referenced
this pull request
Jun 17, 2026
Cierra 6 hallazgos críticos pendientes pre-launch. Cambios localizados, sin refactor estructural. 1. activityFeed TTL `expiresAt` (Agente #12 + #11 HIGH-11-40). writeActivity ahora agrega expiresAt = now + 7d. Firestore TTL Console borrará docs viejos automáticamente (después de activar la policy — pendiente operacional en RUNBOOK). Pre-fix: feed crecía infinito → cost amplification + PII histórica. 2. mineCube docId `${K}_${cubeNumber}` (Agente #1 CRIT-1). Pre-fix: `mined/${cubeNumber}` colisionaba entre layers. K=100 mina N=5; cuando K decrementa a 99 y otro user mina N=5 en K=99, el docId "5" colisiona → data mixing. Pre-launch: 0 mines reales en producción → forward-only safe. 3. processPendingMints audit log en adminActions (Agente #6 HIGH). La invocación manual del cron de mints no quedaba en adminActions, solo en Cloud Logging (retención 30d). Para forensic post-incidente esencial. 4. Override global de console.log REMOVIDO (Agente #4 CRIT-FE-06). Pre-fix: console.log = wrapper que filtraba un warning de expo-gl. Anti-pattern: HMR re-importa el módulo → wrappea otra vez → cadena infinita de wrappers. Plus dead code en prod (babel strippea console.log). 5. miningAnimations dead state REMOVIDO (Agente #5). const [miningAnimations, setMiningAnimations] = useState(new Map()) declarado pero setMiningAnimations nunca se llamaba. 3 sites referenciaban este state muerto: useEffect cleanup forEach (no-op, removido), render loop check hasActiveAnimations (siempre false), comments documentan migración a useRef si vuelve la necesidad. 6. getFaceRange() lee del cache faceRangesRef (Agente #5 CRIT-4). Pre-fix: iteraba 240k cubeNumbers por call. JSX lo llamaba en cada re-render = 15-60×/seg × 240k = 14M iter/seg = stutter Android low-end. Fix: cache hit primero (faceRangesRef ya populated por recomputeFaceRanges en buildLayer). Loop solo en cache miss. Bonus: setCorsHeaders unused import removido (post Commit K). Tests: helpers OK, lint clean, parse OK. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
miningtheblocks
added a commit
that referenced
this pull request
Jun 17, 2026
…store cap) Cierra 2 leaks del Agente #5 sin tocar la lógica de rendering activo. 1. MinedCubesRewardStore cap a 20k entries con LRU eviction. Pre-fix: el Map de rewards crecía sin cota. En endgame (capa K minada completa, ~50k cells), residente ~10MB en RAM. Sesiones largas con múltiples servers progresados acumulaban sin liberar — ~50MB+ después de horas de juego. Fix: maxEntries=20000 + LRU eviction al exceder el cap. El delete+set pattern asegura que la entrada accedida queda al final del insertion order (Map preserva insertion order); eviction borra el head (más viejo). Trade-off: si el user re-visualiza una celda evicted, se pierde el reward indicator hasta el próximo snapshot. Acceptable porque las celdas evicted son las menos probables de re-aparecer en viewport. Bonus: método stats() agregado para debugging post-deploy. 2. Timer refs cleanup en unmount (DynamicCube201). Pre-fix: si user navega a otra screen DURANTE un mining flow activo (mid-watchdog, hud-toast visible, pre-hold counting), los setTimeout quedaban corriendo + sus callbacks disparaban contra árbol React desmontado → "Can't perform a React state update on an unmounted component" warning + retención de memoria por closures. Timer refs cleanedup ahora en el useEffect cleanup principal: - hudToastTimerRef (toast notifications) - gridExitTimerRef (transición grid → cube mode) - preHoldTimerRef (long-press indicator ~300ms) - miningWatchdogRef (modal congelado timeout) - miningProgressTimerRef (progress bar setInterval 120ms) longPressTimer y minedPollRef ya estaban en este cleanup pre-fix. Tests: parse OK. helpers 24/24 OK. NO HECHO (defer fundamentado): - BoxGeometry dedup (6 → shared): el código de fragments + addDarkPatch es complejo (lifecycle de meshes, dispose patterns). Requiere browser test sobre Android real device. Defer. - _intersectablesCache cleanup: requiere review del raycaster intersection pattern; refs a meshes disposed podrían causar GL crash si no se hace bien. Defer. - LRU textureCache evict: similar — defer hasta poder testear. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Bumps [@react-navigation/drawer](https://github.com/react-navigation/react-navigation/tree/HEAD/packages/drawer) from 7.5.8 to 7.12.2. - [Release notes](https://github.com/react-navigation/react-navigation/releases) - [Changelog](https://github.com/react-navigation/react-navigation/blob/@react-navigation/drawer@7.12.2/packages/drawer/CHANGELOG.md) - [Commits](https://github.com/react-navigation/react-navigation/commits/@react-navigation/drawer@7.12.2/packages/drawer) --- updated-dependencies: - dependency-name: "@react-navigation/drawer" dependency-version: 7.12.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
force-pushed
the
dependabot/npm_and_yarn/react-navigation/drawer-7.12.0
branch
from
June 17, 2026 16:32
8abe599 to
c3ee6e4
Compare
Author
|
Superseded by #22. |
dependabot
Bot
deleted the
dependabot/npm_and_yarn/react-navigation/drawer-7.12.0
branch
June 17, 2026 16:33
miningtheblocks
added a commit
that referenced
this pull request
Jun 23, 2026
Smart contract V2 (cierra CRIT-S1/S2/S3 + MED-S1 + HIGH-S1): - Deploy: 0x2933Ff14AdeC0a4D74aD8380E5c491321bBd3195 (Polygon mainnet, verified) - AccessControl 2-of-3 Safe (0x83a3F5...86aCD) ADMIN+PAUSER, EOA nftv2 MINTER - Supply caps inmutables por tier [1,1,5,50,100,500,1000,4000,10000] - tokenURI canónico por tier (caller no controla URI) - renounceRole(ADMIN) bloqueado (anti-bricking) - functions/index.js: ABI actualizado (mintGem 3 args sin tokenURI_) Backend fixes (batch 3): - #2 HIGH-1 cross-attribution USDC: senderWalletAddress opt-in + match con event.args.from - #4 HIGH-M1 gem-loss window: gem + pendingMint dentro del TX con docIds determinísticos - #4 HIGH-R1 cap referrer bonus: 50 invitados rewarded max (campo referralsRewarded) - #2 HIGH-2 rateLimits TTL: expiresAt usa Timestamp.fromMillis - #3 MED-4 Sentry PII scrubber: beforeSend + beforeBreadcrumb sobre email/wallet/phone Build / Deploy (batch 1): - #9 HIGH-1 credentialsSource:local en eas.json production - #9 HIGH-3 versionCode:5 en app.json - #9 HIGH-4 runtimeVersion appVersion en app.json - #9 HIGH-7 MTB-v1.1.0.apk.sha256 copiado a docs/ - #9 HIGH-8 download URL -> releases/latest Supply chain (batch 1+2): - #5 HIGH-2 nodemailer ^8.0.10 -> ^9.0.1 - #5 HIGH-3 npm overrides ws@^8.21.0 + undici@^6.27.0 - #5 HIGH-4 npm audit en root agregado al CI - #5 HIGH-5 @cyclonedx/cdxgen pinned a 11.5.0 (no @latest) Privacy / Legal (batch 1+2): - #8 HIGH-1 retention 5y AML/KYC explícito (EN + ES) - #8 HIGH-2 governing law: Argentina/Buenos Aires (EN + ES) - #8 HIGH-8 clarificado solo email+password sin OAuth Apple/Google (EN + ES) Frontend security (batch 2): - #3 HIGH-1 verify.html inline script -> public/verify.js + removido unsafe-inline - #3 HIGH-2 el() helper sin innerHTML Web / SEO / a11y (batch 1+2): - #10 HIGH-5 frame-buster JS anti-clickjacking - #10 HIGH-6 docs/robots.txt + docs/sitemap.xml - #10 HIGH-7 OG + Twitter Card + canonical en docs/index.html - #10 HIGH-8 label for=... en form inputs + .sr-only utility Smart contract tooling: - contracts/MTBGemsV2.sol (source) + contracts_build/ (hardhat 0.8.27 cancun, 17/17 tests) Pre-commit hook: refinado patrón anti-secret para no flagear tx hashes públicos en docs y constantes role de OpenZeppelin. Pendiente acción manual (documentado en PENDING_FIXES.md): - cd functions && npm install - firebase deploy --only functions / --only hosting - GitHub Settings -> Pages -> Enforce HTTPS - DNS records SPF/DMARC/CAA en Cloudflare Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
miningtheblocks
added a commit
that referenced
this pull request
Jun 23, 2026
#5 HIGH-1) - src/components/DynamicCube201.js: nuevo helper createGLRenderer(gl) que wrapea el context de expo-gl con un canvas-mock mínimo y construye un THREE.WebGLRenderer nativo. Reemplaza `new Renderer({gl})` de expo-three. - package.json: removed expo-three ^8.0.0. - npm uninstall removió 27 paquetes (toda la cadena abandonada). Pre-fix: expo-three arrastraba 8 paquetes con CVEs (node-fetch@1.7.3 CVSS 8.8, fbjs, fbemitter, isomorphic-fetch, uuid@8.3.2, etc.). Las CVEs no eran explotables en RN runtime (el polyfill no corre), pero la cadena entera era deuda y dependía de un package deprecado upstream. Three.js 0.166+ acepta un canvas-mock + el gl context de expo-gl directamente. El render loop ya llamaba gl.endFrameEXP() manualmente (línea ~3678), así que no perdemos nada del wrapper. Testing: requiere validación on-device del cube (mining + raycast + viewport en distintos pixel ratios). Mismo setSize/setViewport/setClearColor que antes + setPixelRatio(1) — comportamiento esperado idéntico. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
miningtheblocks
added a commit
that referenced
this pull request
Jun 23, 2026
… MED-2)
expo-av está deprecated por Expo desde 2025 y se va a eliminar en Expo
SDK 55 (~Q1 2026). expo-audio es el reemplazo oficial para sonidos
(expo-video para video).
Cambios al audioManager:
- import { Audio } from 'expo-av' -> import { createAudioPlayer,
setAudioModeAsync } from 'expo-audio'
- Audio.Sound.createAsync(src, opts) -> createAudioPlayer(src) + player.volume = vol
(la nueva API expone el player directo, no { sound })
- play/pause/seekTo: ahora son síncronos (no async)
- volume: ahora es propiedad asignable (no setVolumeAsync)
- getStatusAsync(): ahora .currentStatus (sync property)
- setOnPlaybackStatusUpdate(cb): ahora addListener('playbackStatusUpdate', cb)
devuelve subscription con .remove(). Mantenemos refs a las subs para
cleanup explícito (anti-leak en interrupts).
- setAudioModeAsync: flags renombrados (allowsRecording, playsInSilentMode,
shouldPlayInBackground, interruptionMode='duckOthers').
package.json: expo-av ~16.0.7 -> expo-audio ~1.0.10. npm install removed
1 / added 1.
Compatibilidad: API funcional 100% preservada. Tests on-device requeridos
para validar mining sound, mining_ok, background music + crescendo,
playSound (rotura/explosion/win/lose), pause/resume al toggle de settings,
cleanup en logout.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
miningtheblocks
added a commit
that referenced
this pull request
Jun 23, 2026
Version bump por features nuevas de la sesión 2026-06-23 (audit R2): - Swap flow 2-step con verificación on-chain del NFT (#8 HIGH-3) - Cookie consent banner GDPR/LGPD/CCPA (#8 HIGH-6) - Email notifications al user al completar canje - TOS sin lista 13 países (geo-blocking decision) - Smart Contract V2 deployed + activo (functions/constants.js apunta acá) - expo-three -> THREE.WebGLRenderer nativo (#5 HIGH-1) - expo-av -> expo-audio (SDK 55 prep, #5 MED-2) - Icon optimize 1.1MB -> 8.5KB WebP (#10 HIGH-9) - Sentry source maps pipeline - Keystore rotation + 3 backups offline - DNS records (SPF + DMARC + CAA) - Web hardening: frame-buster, robots, sitemap, OG meta, form labels Bumps: - app.json: version 1.1.0 -> 1.2.0, versionCode 5 -> 6 - package.json: 1.1.0 -> 1.2.0 - src/constants.js: FALLBACK_APP_VERSION 1.1.0 -> 1.2.0 - docs/index.html: download link y label -> v1.2.0 - MTB-v1.1.0.apk.sha256 archivos eliminados (se regeneran post-build) PENDING_FIXES.md actualizado con estado final completo. 10 commits previos cerraron: 5 CRIT smart contract + 3 CRIT web + 31 HIGH técnicos. Single HIGH legal pendiente (#8 HIGH-7 MICA + Howey) por consulta externa, no técnico. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps @react-navigation/drawer from 7.5.8 to 7.12.2.
Release notes
Sourced from @react-navigation/drawer's releases.
Changelog
Sourced from @react-navigation/drawer's changelog.
... (truncated)
Commits
f4af343chore: publishc9ddec7chore: publishd1f2a06chore: publish66b5164feat: deprecate navigate object overload83cf9bfchore: publishdd325d6chore: publish8ac4d5echore: upgrade bob7347d36chore: upgrade boba103913chore: publishaa1fd10fix: use aria-current for drawer links on web