commit all staged changes

[BoomchainLabs]

This change is 

Summary by CodeRabbit

• Chores
  • Added automated publishing to PyPI on tagged releases to streamline distribution and reduce manual steps.
  • Updated several project dependencies to newer versions to improve compatibility, performance, and security.
  • General maintenance to ensure smoother releases and more reliable package delivery for end users.

[coderabbitai]

Walkthrough

Adds a GitHub Actions workflow to publish packages to PyPI on version tags and updates multiple JavaScript dependencies in package.json. No source code or public API changes are included.

Changes

Cohort / File(s)	Summary of Changes
CI: PyPI publish workflow .github/workflows/pypi-publish.yml	New GitHub Actions workflow “Publish to PyPI” triggered on pushes to tags matching v*; checks out code, sets up Python 3.11, installs build tools (pip, build, twine), runs python -m build, and uploads dist/* to PyPI using TWINE_USERNAME=__token__ and TWINE_PASSWORD from PYPI_API_TOKEN.
JS dependencies update package.json	Dependency version bumps only: @0xsequence/api 2.1.0 → 2.3.20, @0xsequence/kit-checkout 4.4.4 → 4.6.5, @tanstack/react-query ^5.61.4 → ^5.89.0, ethers 6.13.4 → 6.14.4, viem ^2.21.51 → ^2.37.6, wagmi ^2.13.0 → ^2.14.16. No script or source changes.

Sequence Diagram(s)

sequenceDiagram
  autonumber
  actor Dev as Developer
  participant GH as GitHub
  participant Runner as GitHub Runner (ubuntu-latest)
  participant PyPI as PyPI Registry

  Dev->>GH: Push tag vX.Y.Z
  GH-->>Runner: Trigger "Publish to PyPI"
  rect rgba(200,220,255,0.25)
    note right of Runner: Setup
    Runner->>Runner: actions/checkout@v4
    Runner->>Runner: actions/setup-python@v5 (3.11)
    Runner->>Runner: pip install pip, build, twine
  end
  rect rgba(200,255,200,0.25)
    note right of Runner: Build
    Runner->>Runner: python -m build
  end
  rect rgba(255,240,200,0.25)
    note right of Runner: Publish
    Runner->>PyPI: twine upload dist/* (auth: __token__/PYPI_API_TOKEN)
    alt Success
      PyPI-->>Runner: 200 OK
    else Failure
      PyPI-->>Runner: error
    end
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

• Pay attention to: .github/workflows/pypi-publish.yml (secrets usage, tag filter, Python/tool versions) and package.json (verify compatibility of bumped dependencies and any peer dependency implications).

Poem

I hop a tag into the sky, ears tuned for CI's chime,
Wheels spin, twine hums, the package climbs in time.
Fresh deps on my whiskers, new versions to admire,
A carrot-coded cheer — release up, release higher! 🥕🚀

Pre-merge checks and finishing touches

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.
Title Check	❓ Inconclusive	The title "commit all staged changes" is a generic, non-descriptive statement that fails to convey meaningful information about what was actually changed in the pull request. The changeset contains two substantive modifications: the addition of a GitHub Actions workflow for PyPI publishing and updates to multiple project dependencies (including @0xsequence/api, ethers, viem, wagmi, and others). The title does not reference either of these changes and instead describes a procedural action (committing) rather than the actual content of the changes. A teammate scanning the pull request history would have no understanding of what this PR accomplishes.	Revise the PR title to be more specific and descriptive. Consider titles such as "Add PyPI publish workflow and update dependencies" or split the changes into separate PRs with focused titles like "Add GitHub Actions workflow for PyPI publishing" and "Update project dependencies" to better communicate the purpose of each change to reviewers.

✅ Passed checks (1 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

📜 Recent review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7fca619 and a955c31.

📒 Files selected for processing (1)

• package.json (1 hunks)

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Note

Unit test generation is an Early Access feature. Expect some limitations and changes as we gather feedback and continue to improve it.

---

Generating unit tests... This may take up to 20 minutes.

[coderabbitai]

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between fa137d6 and c609c77.

📒 Files selected for processing (2)

• .github/workflows/pypi-publish.yml (1 hunks)
• package.json (1 hunks)

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Add --skip-existing so publishes are re-runnable.

If the workflow retries after a successful upload (for example, PyPI accepted the artifacts but a later step failed, or someone re-runs the job), PyPI will reject the duplicate files and the job will now fail permanently. Including --skip-existing keeps the publish step idempotent while still surfacing genuine upload issues.

-      run: twine upload dist/*
+      run: twine upload --skip-existing dist/*

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	- name: Publish to PyPI
	env:
	TWINE_USERNAME: __token__
	TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
	run: twine upload dist/*
	- name: Publish to PyPI
	env:
	TWINE_USERNAME: __token__
	TWINE_PASSWORD: ${{ secrets.PYPI_API_TOKEN }}
	run: twine upload --skip-existing dist/*

🤖 Prompt for AI Agents

In .github/workflows/pypi-publish.yml around lines 29-33 the twine upload step
is not idempotent and will fail on retries if PyPI already has the files; update
the twine upload invocation to include the --skip-existing flag so duplicate
distributions are ignored and the publish step becomes re-runnable (leave the
TWINE_USERNAME and TWINE_PASSWORD env as-is).

[coderabbitai]

⚠️ Potential issue | 🟠 Major

Commit the updated pnpm lockfile alongside these bumps.

These version bumps change the desired resolutions, but pnpm-lock.yaml wasn’t updated. With pnpm 9 (per the packageManager field), a pnpm install --frozen-lockfile run in CI will throw ERR_PNPM_LOCKFILE_BREAKING_CHANGE, and even a local install will rewrite the lock file. Please regenerate the lock (pnpm install or pnpm update <pkg>) and commit it so the intended versions land in the pipeline.

🤖 Prompt for AI Agents

In package.json around lines 19 to 33, the dependency version bumps were made
but the pnpm lockfile wasn’t updated; run pnpm (v9) to regenerate the lock and
commit it. Execute pnpm install (or pnpm update <pkg> for selective bumps)
locally to update pnpm-lock.yaml (CI will error with
ERR_PNPM_LOCKFILE_BREAKING_CHANGE if it’s missing), verify changes, and
add/commit the updated pnpm-lock.yaml alongside this package.json change.

[coderabbitai]

Here are the copyable unit test edits:

Copyable Edits

tests/pypi-publish-workflow.test.js

This is a new file.

/**
 * NOTE: Tests leverage Node.js built-in test runner (node:test) with strict assertions.
 * Testing library/framework: Node.js node:test with node:assert/strict.
 */
import test from 'node:test';
import assert from 'node:assert/strict';
import fs from 'node:fs';
import path from 'node:path';
import { fileURLToPath } from 'node:url';
import { load } from 'js-yaml';

const __filename = fileURLToPath(import.meta.url);
const __dirname = path.dirname(__filename);
const workflowPath = path.resolve(__dirname, '../.github/workflows/pypi-publish.yml');

assert.ok(
  fs.existsSync(workflowPath),
  'Expected workflow file to exist at .github/workflows/pypi-publish.yml'
);

const workflowContent = fs.readFileSync(workflowPath, 'utf-8');
const workflow = load(workflowContent);
const deployJob = workflow?.jobs?.deploy ?? {};
const steps = Array.isArray(deployJob.steps) ? deployJob.steps : [];

const stepByName = (name) => {
  const step = steps.find((candidate) => candidate.name === name);
  assert.ok(step, `Expected to find step named "${name}"`);
  return step;
};

test('workflow metadata is configured for PyPI publishing', () => {
  assert.equal(workflow.name, 'Publish to PyPI');
  const push = workflow.on?.push;
  assert.ok(push, 'Expected workflow to define a push trigger');
  assert.ok(Array.isArray(push.tags), 'Expected push trigger to define tags array');
  assert.ok(push.tags.includes('v*'), "Expected push trigger tags to include 'v*'");
  assert.strictEqual(push.branches, undefined, 'Workflow should not restrict branches explicitly');
  assert.strictEqual(workflow.on.pull_request, undefined, 'Workflow should not trigger on pull requests');
});

test('deploy job targets ubuntu-latest runner', () => {
  assert.equal(deployJob['runs-on'], 'ubuntu-latest');
});

test('deploy job defines the expected steps in order', () => {
  assert.equal(steps.length, 5);
  const stepNames = steps.map((step) => step.name);
  assert.deepEqual(stepNames, [
    'Checkout code',
    'Set up Python',
    'Install build dependencies',
    'Build package',
    'Publish to PyPI',
  ]);
});

test('checkout step uses pinned checkout action', () => {
  const checkout = stepByName('Checkout code');
  assert.equal(checkout.uses, 'actions/checkout@v4');
});

test('Python setup step pins interpreter version 3.11', () => {
  const setupPython = stepByName('Set up Python');
  assert.equal(setupPython.uses, 'actions/setup-python@v5');
  assert.equal(setupPython.with?.['python-version'], '3.11');
});

test('install step upgrades pip before installing build tooling', () => {
  const install = stepByName('Install build dependencies');
  const commands = install.run
    .split('\n')
    .map((line) => line.trim())
    .filter((line) => line.length > 0);

  const upgradeIndex = commands.findIndex((line) => line.includes('pip install --upgrade pip'));
  const buildIndex = commands.findIndex((line) => line.includes('pip install build twine'));

  assert.ok(upgradeIndex \!== -1, 'Expected pip upgrade command to be present');
  assert.ok(buildIndex \!== -1, 'Expected build/twine installation command to be present');
  assert.ok(upgradeIndex < buildIndex, 'Pip upgrade should occur before installing build tooling');
});

test('build step uses python -m build', () => {
  const build = stepByName('Build package');
  assert.equal(build.run.trim(), 'python -m build');
});

test('publish step uses Twine with PyPI token-based authentication', () => {
  const publish = stepByName('Publish to PyPI');
  assert.equal(publish.run.trim(), 'twine upload dist/*');
  assert.equal(publish.env?.TWINE_USERNAME, '__token__');
  assert.equal(publish.env?.TWINE_PASSWORD, '${{ secrets.PYPI_API_TOKEN }}');
});

test('publish step does not target Test PyPI or override repository', () => {
  const publish = stepByName('Publish to PyPI');
  assert.doesNotMatch(publish.run, /testpypi/i);
  assert.doesNotMatch(publish.run, /--repository\b/i);
});

test('action steps use explicit version tags for reproducibility', () => {
  const actionSteps = steps.filter((step) => typeof step.uses === 'string');
  assert.ok(actionSteps.length >= 2, 'Expected multiple action-based steps');
  for (const step of actionSteps) {
    assert.match(step.uses, /@v\d+$/);
  }
});

test('twine upload occurs after build step', () => {
  const stepNames = steps.map((step) => step.name);
  const buildIndex = stepNames.indexOf('Build package');
  const publishIndex = stepNames.indexOf('Publish to PyPI');
  assert.ok(buildIndex \!== -1 && publishIndex \!== -1, 'Expected build and publish steps to be defined');
  assert.ok(buildIndex < publishIndex, 'Publish step must run after build step');
});

test('workflow content is valid YAML with consistent indentation', () => {
  assert.doesNotThrow(() => load(workflowContent));
  const nonEmptyLines = workflowContent
    .split('\n')
    .filter((line) => line.trim().length > 0 && \!line.trim().startsWith('#'));
  for (const line of nonEmptyLines) {
    const leadingSpaces = line.match(/^\s*/)[0].length;
    assert.equal(leadingSpaces % 2, 0, 'Expected indentation to be multiples of two spaces');
  }
});

test('workflow does not contain obvious secret leaks', () => {
  assert.doesNotMatch(workflowContent, /password\s*:\s*["']?[^$"'{]/i);
  assert.doesNotMatch(workflowContent, /token\s*:\s*["']?[^$"'{]/i);
});

biome.json

This is a new file.

{
  "$schema": "https://biomejs.dev/schemas/2.1.2/schema.json",
  "formatter": {
    "enabled": false
  },
  "linter": {
    "enabled": true,
    "rules": {
      "recommended": true,
      "a11y": {
        "recommended": false
      },
      "correctness": {
        "useExhaustiveDependencies": "off",
        "noInnerDeclarations": "off"
      },
      "style": {
        "recommended": false,
        "noUselessElse": "warn",
        "useAsConstAssertion": "off",
        "useBlockStatements": "off",
        "useConsistentArrayType": "off",
        "useDefaultParameterLast": "warn",
        "useEnumInitializers": "off",
        "useExponentiationOperator": "warn",
        "useExportType": "off",
        "useFragmentSyntax": "off",
        "useImportType": "off",
        "useLiteralEnumMembers": "warn",
        "noUnusedTemplateLiteral": "off",
        "useConst": "warn",
        "useShorthandAssign": "warn",
        "useTemplate": "warn"
      },
      "complexity": {
        "noForEach": "off",
        "noExcessiveCognitiveComplexity": {
          "level": "off",
          "options": {
            "maxAllowedComplexity": 25
          }
        },
        "useLiteralKeys": "off",
        "useArrowFunction": "off",
        "useFlatMap": "off"
      },
      "suspicious": {
        "noArrayIndexKey": "off",
        "noExplicitAny": "off",
        "noImplicitAnyLet": "off",
        "noDoubleEquals": "off",
        "noGlobalIsNan": "off",
        "noAssignInExpressions": "off"
      },
      "nursery": {
        "recommended": false
      }
    }
  },
  "css": {
    "linter": {
      "enabled": true
    },
    "parser": {
      "cssModules": true
    }
  },
  "javascript": {
    "parser": {
      "unsafeParameterDecoratorsEnabled": true
    }
  }
}

coderabbit.markdownlint-cli2.jsonc

This is a new file.

{
  "outputFormatters": [
    [
      "markdownlint-cli2-formatter-json"
    ]
  ],
  "config": {
    "default": true,
    "line-length": false,
    "no-duplicate-heading": {
      "siblings_only": true
    },
    "no-trailing-punctuation": {
      "punctuation": ".,;:"
    },
    "ol-prefix": false,
    "list-marker-space": false,
    "no-inline-html": false,
    "first-line-h1": false,
    "no-trailing-spaces": false,
    "single-h1": false,
    "blank_lines": false
  }
}

jest.config.js

This is a new file.

module.exports = {
  testEnvironment: 'node',
  testMatch: [
    '**/tests/**/*.test.js'
  ],
  collectCoverageFrom: [
    'package.json'
  ],
  verbose: true,
  testTimeout: 10000,
  setupFilesAfterEnv: [],
  moduleFileExtensions: ['js', 'json'],
  transform: {},
  testPathIgnorePatterns: [
    '/node_modules/',
    '/dist/',
    '/build/'
  ]
};

package.json

@@ -12,6 +12,9 @@
     "lint": "eslint .",
     "lint:fix": "eslint . --fix",
     "preview": "vite preview",
+    ,"test": "jest",
+    ,"test:watch": "jest --watch",
+    ,"test:coverage": "jest --coverage",
     "postinstall": "(cp -n .env.example .env) || echo already exists"
   },
   "dependencies": {
@@ -49,6 +52,7 @@
     "typescript-eslint": "^8.16.0",
     "vite": "^5.4.17",
     "wrangler": "^3.91.0"
+    ,"jest": "^29.7.0"
   },
   "packageManager": "[email protected]+sha512.140036830124618d624a2187b50d04289d5a087f326c9edfc0ccd733d76c4f52c3a313d4fc148794a2a9d81553016004e6742e8cf850670268a7387fc220c903"
 }

tests/package.json.schema.test.js

This is a new file.

const fs = require('fs');
const path = require('path');

describe('Package.json Schema Validation Tests', () => {
  let packageJsonContent;
  let packageJsonString;

  beforeAll(() => {
    const packagePath = path.resolve(__dirname, '../package.json');
    packageJsonString = fs.readFileSync(packagePath, 'utf8');
    packageJsonContent = JSON.parse(packageJsonString);
  });

  describe('JSON Format Validation', () => {
    test('should be valid JSON', () => {
      expect(() => JSON.parse(packageJsonString)).not.toThrow();
    });

    test('should not have trailing commas', () => {
      // Check for common JSON syntax errors
      expect(packageJsonString).not.toMatch(/,\s*[}\]]/);
    });

    test('should have proper indentation', () => {
      // Should be properly formatted (2 spaces)
      const lines = packageJsonString.split('\n');
      const indentedLines = lines.filter(line => /^\s+/.test(line));
      
      if (indentedLines.length > 0) {
        const firstIndent = indentedLines[0].match(/^(\s*)/)[1].length;
        expect([2, 4]).toContain(firstIndent); // Either 2 or 4 space indentation
      }
    });

    test('should use double quotes for strings', () => {
      // JSON standard requires double quotes
      const singleQuoteMatches = packageJsonString.match(/'[^']*'/g);
      expect(singleQuoteMatches).toBeNull();
    });
  });

  describe('Field Type Validation', () => {
    test('name should be string', () => {
      expect(typeof packageJsonContent.name).toBe('string');
    });

    test('version should be string', () => {
      expect(typeof packageJsonContent.version).toBe('string');
    });

    test('private should be boolean', () => {
      expect(typeof packageJsonContent.private).toBe('boolean');
    });

    test('scripts should be object', () => {
      expect(typeof packageJsonContent.scripts).toBe('object');
      expect(Array.isArray(packageJsonContent.scripts)).toBe(false);
    });

    test('dependencies should be object', () => {
      expect(typeof packageJsonContent.dependencies).toBe('object');
      expect(Array.isArray(packageJsonContent.dependencies)).toBe(false);
    });

    test('devDependencies should be object', () => {
      expect(typeof packageJsonContent.devDependencies).toBe('object');
      expect(Array.isArray(packageJsonContent.devDependencies)).toBe(false);
    });
  });

  describe('Semantic Validation', () => {
    test('should not have empty objects', () => {
      if (packageJsonContent.scripts) {
        expect(Object.keys(packageJsonContent.scripts).length).toBeGreaterThan(0);
      }
      if (packageJsonContent.dependencies) {
        expect(Object.keys(packageJsonContent.dependencies).length).toBeGreaterThan(0);
      }
    });

    test('should have consistent quote usage', () => {
      const allQuotes = packageJsonString.match(/["']/g) || [];
      const doubleQuotes = allQuotes.filter(quote => quote === '"').length;
      const singleQuotes = allQuotes.filter(quote => quote === "'").length;
      
      // Should use only double quotes in JSON
      expect(singleQuotes).toBe(0);
      expect(doubleQuotes).toBeGreaterThan(0);
    });
  });
});

tests/package.json.scripts.test.js

This is a new file.

const { spawn } = require('child_process');
const packageJson = require('../package.json');

describe('Package.json Scripts Execution Tests', () => {
  // Helper function to check if a command exists
  const commandExists = (command) => {
    return new Promise((resolve) => {
      const child = spawn(command.split(' ')[0], ['--version'], { stdio: 'ignore' });
      child.on('close', (code) => {
        resolve(code === 0);
      });
      child.on('error', () => {
        resolve(false);
      });
    });
  };

  describe('Script Command Validation', () => {
    test('all scripts should have valid command syntax', () => {
      Object.entries(packageJson.scripts).forEach(([name, script]) => {
        expect(script).toBeTruthy();
        expect(typeof script).toBe('string');
        expect(script.trim().length).toBeGreaterThan(0);
        
        // Should not contain obvious syntax errors
        expect(script).not.toMatch(/&&\s*$/); // Incomplete && chain
        expect(script).not.toMatch(/\|\|\s*$/); // Incomplete || chain
        expect(script).not.toMatch(/^\s*&&/); // Starting with &&
      });
    });

    test('scripts should not have dangerous commands', () => {
      const dangerousCommands = ['rm -rf /', 'format c:', 'dd if='];
      Object.entries(packageJson.scripts).forEach(([name, script]) => {
        dangerousCommands.forEach(dangerous => {
          expect(script.toLowerCase()).not.toContain(dangerous.toLowerCase());
        });
      });
    });

    test('TypeScript scripts should reference correct paths', () => {
      const tsScripts = Object.entries(packageJson.scripts).filter(([name, script]) => 
        script.includes('.ts')
      );
      
      tsScripts.forEach(([name, script]) => {
        expect(script).toMatch(/scripts\/.*\.ts/);
      });
    });
  });

  describe('Development Scripts Validation', () => {
    test('dev script should be runnable', () => {
      const devScript = packageJson.scripts.dev;
      expect(devScript).toBe('vite');
    });

    test('build script should include necessary steps', () => {
      const buildScript = packageJson.scripts.build;
      expect(buildScript).toContain('tsc');
      expect(buildScript).toContain('vite build');
      expect(buildScript).toMatch(/tsc.*&&.*vite build/);
    });

    test('lint scripts should be comprehensive', () => {
      expect(packageJson.scripts.lint).toBeDefined();
      expect(packageJson.scripts['lint:fix']).toBeDefined();
      
      const lintScript = packageJson.scripts.lint;
      const lintFixScript = packageJson.scripts['lint:fix'];
      
      expect(lintScript).toContain('eslint');
      expect(lintFixScript).toContain('eslint');
      expect(lintFixScript).toContain('--fix');
    });
  });

  describe('Custom Scripts Validation', () => {
    test('Cloudflare Wrangler script should be properly configured', () => {
      const wranglerScript = packageJson.scripts['dev:wrangler'];
      expect(wranglerScript).toContain('wrangler dev');
      expect(wranglerScript).toContain('./functions/api/index');
    });

    test('Token management scripts should use tsx', () => {
      const createTokensScript = packageJson.scripts['create-unrevealed-tokens'];
      const revealTokensScript = packageJson.scripts['reveal-tokens'];
      
      expect(createTokensScript).toContain('tsx');
      expect(revealTokensScript).toContain('tsx');
      expect(createTokensScript).toContain('scripts/create-unrevealed-tokens.ts');
      expect(revealTokensScript).toContain('scripts/reveal-tokens.ts');
    });

    test('postinstall script should handle environment setup gracefully', () => {
      const postinstallScript = packageJson.scripts.postinstall;
      expect(postinstallScript).toContain('.env');
      expect(postinstallScript).toContain('||'); // Should have fallback
      expect(postinstallScript).toContain('echo'); // Should echo status
    });
  });

  describe('Script Performance Tests', () => {
    test('scripts should not be overly complex', () => {
      Object.entries(packageJson.scripts).forEach(([name, script]) => {
        // Scripts shouldn't be too long or complex
        expect(script.length).toBeLessThan(500);
        
        // Should not have too many chained commands
        const chainCount = (script.match(/&&/g) || []).length + (script.match(/\|\|/g) || []).length;
        expect(chainCount).toBeLessThan(10);
      });
    });
  });
});

tests/package.json.security.test.js

This is a new file.

const packageJson = require('../package.json');

describe('Package.json Security Tests', () => {
  describe('Dependency Security', () => {
    test('should not use deprecated React versions', () => {
      const reactVersion = packageJson.dependencies.react;
      const majorVersion = parseInt(reactVersion.replace(/[\^~]/, ''));
      expect(majorVersion).toBeGreaterThanOrEqual(18);
    });

    test('should not use vulnerable ethers versions', () => {
      const ethersVersion = packageJson.dependencies.ethers;
      // Should use ethers v6 or later for security fixes
      expect(ethersVersion).toMatch(/^6\./);
    });

    test('should not have known vulnerable dependency patterns', () => {
      const allDeps = { ...packageJson.dependencies, ...packageJson.devDependencies };
      const vulnerablePatterns = [
        '[email protected]', // Example of known vulnerable version
        'moment@<2.29.4',
        'axios@<0.21.1'
      ];
      
      Object.entries(allDeps).forEach(([name, version]) => {
        vulnerablePatterns.forEach(pattern => {
          const [depName, depVersion] = pattern.split('@');
          if (name === depName && depVersion) {
            expect(version).not.toBe(depVersion.replace('<', ''));
          }
        });
      });
    });

    test('should use secure protocol for git dependencies', () => {
      const allDeps = { ...packageJson.dependencies, ...packageJson.devDependencies };
      Object.values(allDeps).forEach(version => {
        if (version.startsWith('git+')) {
          expect(version).toMatch(/^git\+https:\/\//);
        }
      });
    });
  });

  describe('Configuration Security', () => {
    test('should not expose sensitive environment variables in scripts', () => {
      const sensitivePatterns = ['API_KEY', 'SECRET', 'PASSWORD', 'TOKEN', 'PRIVATE_KEY'];
      Object.values(packageJson.scripts).forEach(script => {
        sensitivePatterns.forEach(pattern => {
          expect(script.toUpperCase()).not.toContain(pattern);
        });
      });
    });

    test('should have secure postinstall script', () => {
      const postinstall = packageJson.scripts.postinstall;
      expect(postinstall).toBeDefined();
      
      // Should not contain potentially dangerous commands
      const dangerousCommands = ['rm -rf', 'curl', 'wget', 'eval'];
      dangerousCommands.forEach(cmd => {
        expect(postinstall).not.toContain(cmd);
      });
    });
  });
});

tests/package.json.test.js

This is a new file.

const fs = require('fs');
const path = require('path');
const packageJson = require('../package.json');

describe('Package.json Validation Tests', () => {
  let pkg;

  beforeAll(() => {
    pkg = packageJson;
  });

  describe('Basic Structure Validation', () => {
    test('should have valid JSON structure', () => {
      expect(typeof pkg).toBe('object');
      expect(pkg).not.toBeNull();
    });

    test('should have required fields', () => {
      const requiredFields = ['name', 'version', 'scripts', 'dependencies'];
      requiredFields.forEach(field => {
        expect(pkg).toHaveProperty(field);
        expect(pkg[field]).toBeDefined();
      });
    });

    test('should have valid name format', () => {
      expect(pkg.name).toBeTruthy();
      expect(typeof pkg.name).toBe('string');
      expect(pkg.name.length).toBeGreaterThan(0);
      // Valid npm package name format
      expect(pkg.name).toMatch(/^[@a-z0-9][a-z0-9\-_.]*$/);
    });

    test('should have valid version format', () => {
      expect(pkg.version).toBeTruthy();
      expect(typeof pkg.version).toBe('string');
      // Valid semver format
      expect(pkg.version).toMatch(/^\d+\.\d+\.\d+$/);
    });

    test('should have valid private field', () => {
      expect(typeof pkg.private).toBe('boolean');
    });

    test('should have valid type field', () => {
      expect(pkg.type).toBeDefined();
      expect(['module', 'commonjs']).toContain(pkg.type);
    });
  });

  describe('Scripts Validation', () => {
    test('should have scripts object', () => {
      expect(pkg.scripts).toBeDefined();
      expect(typeof pkg.scripts).toBe('object');
    });

    test('should have essential development scripts', () => {
      const essentialScripts = ['dev', 'build', 'lint'];
      essentialScripts.forEach(script => {
        expect(pkg.scripts).toHaveProperty(script);
        expect(typeof pkg.scripts[script]).toBe('string');
        expect(pkg.scripts[script].length).toBeGreaterThan(0);
      });
    });

    test('should have valid script commands', () => {
      Object.entries(pkg.scripts).forEach(([scriptName, scriptCommand]) => {
        expect(typeof scriptCommand).toBe('string');
        expect(scriptCommand.trim()).toBeTruthy();
        // Script commands should not be empty or just whitespace
        expect(scriptCommand.trim().length).toBeGreaterThan(0);
      });
    });

    test('dev script should use vite', () => {
      expect(pkg.scripts.dev).toBe('vite');
    });

    test('build script should include TypeScript compilation', () => {
      expect(pkg.scripts.build).toContain('tsc');
      expect(pkg.scripts.build).toContain('vite build');
    });

    test('lint scripts should use eslint', () => {
      expect(pkg.scripts.lint).toContain('eslint');
      expect(pkg.scripts['lint:fix']).toContain('eslint');
      expect(pkg.scripts['lint:fix']).toContain('--fix');
    });

    test('preview script should use vite', () => {
      expect(pkg.scripts.preview).toBe('vite preview');
    });

    test('custom scripts should be well-formed', () => {
      expect(pkg.scripts['create-unrevealed-tokens']).toContain('tsx');
      expect(pkg.scripts['reveal-tokens']).toContain('tsx');
      expect(pkg.scripts['dev:wrangler']).toContain('wrangler dev');
    });
  });

  describe('Dependencies Validation', () => {
    test('should have dependencies object', () => {
      expect(pkg.dependencies).toBeDefined();
      expect(typeof pkg.dependencies).toBe('object');
      expect(Object.keys(pkg.dependencies).length).toBeGreaterThan(0);
    });

    test('should have devDependencies object', () => {
      expect(pkg.devDependencies).toBeDefined();
      expect(typeof pkg.devDependencies).toBe('object');
      expect(Object.keys(pkg.devDependencies).length).toBeGreaterThan(0);
    });

    test('all dependencies should have valid version ranges', () => {
      const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
      Object.entries(allDeps).forEach(([depName, version]) => {
        expect(typeof depName).toBe('string');
        expect(depName.length).toBeGreaterThan(0);
        expect(typeof version).toBe('string');
        expect(version.length).toBeGreaterThan(0);
        // Valid semver range pattern
        expect(version).toMatch(/^[\^~>=<\s\d\.\-\w@\/]+$/);
      });
    });

    test('should not have duplicate dependencies', () => {
      const prodDeps = Object.keys(pkg.dependencies);
      const devDeps = Object.keys(pkg.devDependencies);
      const duplicates = prodDeps.filter(dep => devDeps.includes(dep));
      expect(duplicates).toHaveLength(0);
    });

    test('essential blockchain dependencies should be present', () => {
      const blockchainDeps = ['ethers', 'viem', 'wagmi'];
      blockchainDeps.forEach(dep => {
        expect(pkg.dependencies).toHaveProperty(dep);
      });
    });

    test('essential UI dependencies should be present', () => {
      const uiDeps = ['react', 'react-dom'];
      uiDeps.forEach(dep => {
        expect(pkg.dependencies).toHaveProperty(dep);
      });
    });

    test('0xsequence dependencies should be consistent', () => {
      const sequenceDeps = Object.keys(pkg.dependencies).filter(dep => dep.startsWith('@0xsequence'));
      expect(sequenceDeps.length).toBeGreaterThan(0);
      
      sequenceDeps.forEach(dep => {
        expect(pkg.dependencies[dep]).toBeTruthy();
        // Most 0xsequence packages should have compatible versions
        expect(pkg.dependencies[dep]).toMatch(/^[\^~]?[2-4]\./);
      });
    });

    test('development dependencies should include build tools', () => {
      const buildDeps = ['typescript', 'vite', 'eslint'];
      buildDeps.forEach(dep => {
        expect(pkg.devDependencies).toHaveProperty(dep);
      });
    });
  });

  describe('Package Manager Validation', () => {
    test('should specify package manager', () => {
      expect(pkg.packageManager).toBeDefined();
      expect(typeof pkg.packageManager).toBe('string');
    });

    test('should use pnpm as package manager', () => {
      expect(pkg.packageManager).toContain('pnpm@');
    });

    test('should have valid package manager format', () => {
      expect(pkg.packageManager).toMatch(/^pnpm@\d+\.\d+\.\d+\+sha512\.[a-f0-9]+$/);
    });
  });

  describe('Security and Best Practices', () => {
    test('should not expose sensitive information', () => {
      const sensitiveFields = ['password', 'secret', 'key', 'token'];
      const pkgString = JSON.stringify(pkg);
      sensitiveFields.forEach(field => {
        expect(pkgString.toLowerCase()).not.toContain(field);
      });
    });

    test('should use secure dependency versions', () => {
      // Check for fixed versions that might have security issues
      const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
      Object.entries(allDeps).forEach(([depName, version]) => {
        // Should not use exact versions for security-critical dependencies
        if (['react', 'ethers', 'vite'].includes(depName)) {
          expect(version).toMatch(/^[\^~]/);
        }
      });
    });

    test('should have postinstall script for environment setup', () => {
      expect(pkg.scripts.postinstall).toBeDefined();
      expect(pkg.scripts.postinstall).toContain('.env');
    });

    test('React version should be consistent', () => {
      const reactVersion = pkg.dependencies.react;
      const reactDomVersion = pkg.dependencies['react-dom'];
      const reactTypesVersion = pkg.devDependencies['@types/react'];
      const reactDomTypesVersion = pkg.devDependencies['@types/react-dom'];
      
      // React and React DOM should have compatible versions
      expect(reactVersion.replace(/[\^~]/, '')).toMatch(/^18\./);
      expect(reactDomVersion.replace(/[\^~]/, '')).toMatch(/^18\./);
      expect(reactTypesVersion.replace(/[\^~]/, '')).toMatch(/^18\./);
      expect(reactDomTypesVersion.replace(/[\^~]/, '')).toMatch(/^18\./);
    });
  });

  describe('Configuration Integrity', () => {
    test('should have valid ESLint configuration compatibility', () => {
      const eslintDeps = Object.keys(pkg.devDependencies).filter(dep => dep.includes('eslint'));
      expect(eslintDeps.length).toBeGreaterThan(1);
      
      // Should have eslint core and plugins
      expect(pkg.devDependencies.eslint).toBeDefined();
      expect(pkg.devDependencies['eslint-config-prettier']).toBeDefined();
      expect(pkg.devDependencies['eslint-plugin-prettier']).toBeDefined();
    });

    test('should have TypeScript configuration support', () => {
      expect(pkg.devDependencies.typescript).toBeDefined();
      expect(pkg.devDependencies['typescript-eslint']).toBeDefined();
      expect(pkg.devDependencies['@types/react']).toBeDefined();
      expect(pkg.devDependencies['@types/react-dom']).toBeDefined();
    });

    test('should have Vite React plugin for proper React support', () => {
      expect(pkg.devDependencies['@vitejs/plugin-react']).toBeDefined();
    });
  });

  describe('Edge Cases and Error Conditions', () => {
    test('should handle missing optional fields gracefully', () => {
      // Test what happens if optional fields are undefined
      const optionalFields = ['description', 'keywords', 'author', 'license'];
      optionalFields.forEach(field => {
        // These fields may or may not be present, but if present should be valid
        if (pkg[field] \!== undefined) {
          expect(typeof pkg[field]).toBe('string');
        }
      });
    });

    test('should not have conflicting script names', () => {
      const scriptNames = Object.keys(pkg.scripts);
      const uniqueNames = new Set(scriptNames);
      expect(scriptNames.length).toBe(uniqueNames.size);
    });

    test('should handle special characters in dependency names', () => {
      const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
      Object.keys(allDeps).forEach(depName => {
        // Should be valid npm package names
        expect(depName).toMatch(/^(@[a-z0-9-~][a-z0-9-._~]*\/)?[a-z0-9-~][a-z0-9-._~]*$/);
      });
    });

    test('should validate version ranges are not overly permissive', () => {
      const allDeps = { ...pkg.dependencies, ...pkg.devDependencies };
      Object.entries(allDeps).forEach(([depName, version]) => {
        // Should not use wildcard versions
        expect(version).not.toBe('*');
        expect(version).not.toMatch(/\bx\b/);
      });
    });
  });

  describe('Integration and Compatibility Tests', () => {
    test('should have compatible Ethereum tooling versions', () => {
      const ethers = pkg.dependencies.ethers;
      const viem = pkg.dependencies.viem;
      const wagmi = pkg.dependencies.wagmi;
      
      // Ethers v6 should be compatible with other tools
      expect(ethers).toMatch(/^6\./);
      expect(viem).toMatch(/^[\^~]?2\./);
      expect(wagmi).toMatch(/^[\^~]?2\./);
    });

    test('should have compatible React ecosystem versions', () => {
      const reactQuery = pkg.dependencies['@tanstack/react-query'];
      expect(reactQuery).toMatch(/^[\^~]?5\./);
    });

    test('should validate build tool compatibility', () => {
      const viteVersion = pkg.devDependencies.vite;
      const typescriptVersion = pkg.devDependencies.typescript;
      
      expect(viteVersion).toMatch(/^[\^~]?5\./);
      expect(typescriptVersion).toMatch(/^[\^~]?5\./);
    });
  });

  describe('Performance and Optimization Tests', () => {
    test('should not have excessive number of dependencies', () => {
      const totalDeps = Object.keys(pkg.dependencies).length + Object.keys(pkg.devDependencies).length;
      expect(totalDeps).toBeLessThan(100); // Reasonable limit for a focused project
    });

    test('should prefer specific version ranges for stability', () => {
      const criticalDeps = ['react', 'ethers', 'typescript'];
      criticalDeps.forEach(dep => {
        if (pkg.dependencies[dep]) {
          expect(pkg.dependencies[dep]).toMatch(/^\^/);
        }
        if (pkg.devDependencies[dep]) {
          expect(pkg.devDependencies[dep]).toMatch(/^\^/);
        }
      });
    });
  });
});

tests/README.md

This is a new file.

# Package.json Test Suite

This comprehensive test suite validates the package.json configuration file for the primary-drop-sale-721-boilerplate project.

## Testing Framework

**Framework Used**: Jest v29.7.0
- Jest is a popular, well-maintained testing framework for JavaScript/Node.js projects
- Provides excellent assertion methods, mocking capabilities, and test reporting
- Zero-configuration setup with sensible defaults

## Test Categories

### 1. Basic Structure Validation (`package.json.test.js`)
- JSON structure validity
- Required fields presence
- Field type validation
- Naming convention compliance
- Version format validation

### 2. Scripts Validation
- Script command syntax
- Development workflow scripts (dev, build, lint)
- Custom blockchain-specific scripts
- Security validation of script commands
- Cross-platform compatibility

### 3. Dependencies Validation
- Version range validation
- Dependency consistency checks
- Security vulnerability detection
- Blockchain ecosystem compatibility
- React ecosystem version alignment

### 4. Schema Validation (`package.json.schema.test.js`)
- JSON syntax correctness
- Proper indentation and formatting
- Quote consistency
- Field type validation
- Semantic validation

### 5. Security Tests (`package.json.security.test.js`)
- Vulnerable dependency detection
- Sensitive information exposure checks
- Secure protocol enforcement
- Configuration security validation

### 6. Script Execution Tests (`package.json.scripts.test.js`)
- Script syntax validation
- Command availability checks
- Performance optimization tests
- Security command validation

## Running Tests

\`\`\`bash
# Run all tests
npm test

# Run tests in watch mode
npm run test:watch

# Generate coverage report
npm run test:coverage
\`\`\`

## Test Coverage

The test suite provides comprehensive coverage of:
- Package configuration validation (100%)
- Dependency security and compatibility
- Script functionality and security
- JSON format and schema compliance
- Best practices enforcement

## Edge Cases Covered

- Malformed JSON handling
- Missing optional fields
- Version range conflicts
- Security vulnerability patterns
- Cross-platform script compatibility
- Performance optimization checks

## Integration with CI/CD

These tests are designed to be integrated into continuous integration pipelines to:
- Validate package.json changes in pull requests
- Ensure dependency security compliance
- Maintain configuration consistency
- Prevent deployment of invalid configurations