update package-lock.json

[grayfoxd]

No description provided.

[github-actions]

Code Review Report

Project: @bankofai/sun-cli
PR: main → update
Review Date: 2026-03-31
Reviewer: AI Code Reviewer (Code Review Skill v1.0.0)

---

PR Overview

Branch Information

Property	Value
From Branch	main
To Branch	update
Commits	2 (e9f7994, 7e81a33)
Files Changed	1 (package-lock.json)
Lines Added	+6
Lines Removed	-6

Commit History

Hash	Message
e9f7994	update package-lock.json
7e81a33	Merge pull request #17 from BofAI/update

---

Review Summary

Verdict

Verdict: ✅ Approve (with suggestions)

Findings at a Glance

	Critical	Major	Minor	Suggestion
Count	0	0	1	2

Summary

This PR makes a single change: updating package-lock.json to synchronise it with an already-updated package.json. Specifically, it bumps the locked root package version from 1.0.2 → 1.0.3 and resolves the locked version of the @bankofai/sun-kit dependency from 1.0.0 → 1.1.0, matching the ^1.1.0 semver range already declared in package.json.

Before this PR, package.json and package-lock.json were out of sync: package.json had already been updated to 1.0.3 and to require @bankofai/sun-kit ^1.1.0, but the lock file still pinned the old resolved artifacts. This stale lock file would cause npm ci failures (integrity mismatch) and npm install would silently correct itself, making builds non-reproducible. This PR correctly resolves that inconsistency.

The change is minimal and low-risk. No application source code, tests, or configuration files are modified. The only concern worth noting is that a minor-version jump in a DeFi/blockchain dependency (@bankofai/sun-kit 1.0.0 → 1.1.0) should be accompanied by test coverage confirmation and manual verification of the new package's published integrity.

---

Change Summary

1. package-lock.json — Lock File Sync

File	Change Type	Description
package-lock.json	Modified	Syncs lock file to match package.json after prior version bump

Purpose: package.json was updated in a prior commit on main (version 1.0.2 → 1.0.3, @bankofai/sun-kit ^1.0.0 → ^1.1.0) but the lock file was not regenerated at that time. This PR regenerates the lock file to restore consistency, resulting in 6 changed lines across two locations in the file.

Specific changes in package-lock.json:

Location	Before	After
Root version field	1.0.2	1.0.3
packages[""].version	1.0.2	1.0.3
packages[""].dependencies["@bankofai/sun-kit"]	^1.0.0	^1.1.0
packages["node_modules/@bankofai/sun-kit"].version	1.0.0	1.1.0
packages["node_modules/@bankofai/sun-kit"].resolved	…/sun-kit-1.0.0.tgz	…/sun-kit-1.1.0.tgz
packages["node_modules/@bankofai/sun-kit"].integrity	sha512-nehNK+…FFg==	sha512-1aBKK…Ixw==

---

Detailed Findings

Critical

None.

---

Major

None.

---

Minor

[MN-01] Lock File Was Committed Out of Sync with Manifest

Property	Value
Severity	Minor
Category	Compatibility / Correctness
File	package-lock.json : Lines 3, 9, 12, 567–571

Description

The package-lock.json on main was in an inconsistent state relative to package.json: package.json declared version: "1.0.3" and "@bankofai/sun-kit": "^1.1.0", while package-lock.json still reflected version: "1.0.2" and locked @bankofai/sun-kit at 1.0.0. Running npm ci against the main branch prior to this PR would have failed because the lock file does not satisfy the manifest constraints. This PR fixes the immediate symptom, but the root cause — committing manifest changes without regenerating the lock file — should be addressed in the development workflow.

Recommendation

Enforce a CI check (e.g., npm ci --dry-run or npm install --frozen-lockfile equivalent verification) that fails if package.json and package-lock.json are not in sync at the time of merge. A pre-commit hook such as npm run build or a dedicated check-lockfile script can also catch this class of problem before it reaches the main branch.

---

Suggestions

[S-01] Verify Published Package Integrity for @bankofai/sun-kit@1.1.0

File: package-lock.json

Description:
@bankofai/sun-kit is a first-party DeFi utility library consumed by a TRON blockchain CLI. The lock file integrity field is:

sha512-1aBKKuvRxXWdJ7TboC2KkkaOnlzuCKJNGQdwZSZP0V3Oevq27GUCJlRoMFM+FHR3zjTAUZelYa3CKHzlMgOIxw==

While the SHA-512 hash length is well-formed, the team should independently verify this hash against the published tarball on the npm registry (npm view @bankofai/sun-kit@1.1.0 dist.integrity) to guard against supply-chain tampering — especially important for any package that handles cryptographic keys or blockchain transactions.

Suggestion:
Add an automated check in CI (e.g., npm audit signatures introduced in npm 9+) to verify the registry signatures of all packages on every install. Confirm:

npm view @bankofai/sun-kit@1.1.0 dist.integrity
# Should output the exact hash recorded in package-lock.json

---

[S-02] Document the Dependency Bump in the Changelog / Release Notes

File: package-lock.json / release documentation

Description:
@bankofai/sun-kit is bumped from 1.0.0 → 1.1.0 (a minor-version increment). Per SemVer this should be backward-compatible, but in a DeFi context even additive API changes (new swap routes, updated ABI encodings, modified permit2 interactions) can affect on-chain behaviour. There is no associated changelog entry, PR description, or test update that documents what changed between 1.0.0 and 1.1.0 of sun-kit.

Suggestion:

• Review the @bankofai/sun-kit changelog for 1.0.0 → 1.1.0 and summarise the impact in this PR or in the project's CHANGELOG.md.
• Confirm that the existing test suite (npm test) passes against the new version before merging; add a note to the PR description confirming this.

---

Positive Observations

Area	Observation
Minimal scope	The PR touches exactly one file and makes the minimum required changes — a good hygiene practice that makes the change easy to review and revert if necessary.
Lock file use	The project correctly uses package-lock.json (lockfileVersion 3) to pin resolved artifacts, ensuring reproducible installs across environments.
Integrity hashes	Both old and new @bankofai/sun-kit entries carry well-formed sha512 integrity hashes, providing tamper detection at install time.
No transitive changes	Updating @bankofai/sun-kit from 1.0.0 → 1.1.0 produced no changes to its recorded transitive dependencies (@sun-protocol/permit2-sdk, @sun-protocol/universal-router-sdk, viem), indicating a clean minor bump with stable transitive graph.

---

Checklist Results

Category	Items Checked	Pass	Fail	N/A	Notes
Correctness	2	1	1	6	Lock file was out of sync (now fixed); no logic changes
Security	3	2	0	7	Integrity hashes present; suggest independent verification
Performance	0	0	0	7	N/A — no code changes
Code Quality	0	0	0	10	N/A — no code changes
Testing	1	0	0	6	No new tests needed; suggest confirming suite passes
Documentation	1	0	0	5	Changelog entry for dependency bump suggested
Compatibility	2	2	0	5	Minor-version bump; semver-compatible; no lockfile format change
Observability	0	0	0	4	N/A — no code changes

---

Disclaimer

This is an automated code review. It supplements but does not replace human review. The reviewer analyzed only the diff between main and update. Runtime behavior, integration testing, and deployment impact are not covered.

---

Report generated by Code Review Skill v1.0.0
Date: 2026-03-31