Support Cairo alpha version

[immrsd]

Adds support for Cairo alpha version by:

• duplicating core/cairo as core/cairo-alpha
• duplicating ui/cairo as ui/cairo-alpha
• adding a switch control to switch between the audited (stable) version and the latest alpha

[socket-security]

New, updated, and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@nomicfoundation/hardhat-toolbox@5.0.0	environment Transitive: eval, filesystem, network, shell, unsafe	+444	150 MB	kanej
npm/@openzeppelin/contracts@5.2.0	None	0	2.16 MB	amxx, cairoeth, ericglau, ...2 more
npm/hardhat@2.22.19	environment, filesystem, network, shell Transitive: eval, unsafe	+256	199 MB	kanej

🚮 Removed packages: npm/@rollup/plugin-alias@5.1.1, npm/@rollup/plugin-commonjs@28.0.3, npm/@rollup/plugin-json@6.1.0, npm/@rollup/plugin-node-resolve@16.0.1, npm/@rollup/plugin-replace@6.0.2, npm/@rollup/plugin-typescript@12.1.2, npm/@types/file-saver@2.0.7, npm/@types/resize-observer-browser@0.1.11, npm/autoprefixer@10.4.21, npm/file-saver@2.0.5, npm/highlight.js@11.11.1, npm/highlightjs-cairo@0.4.0, npm/highlightjs-solidity@2.0.6, npm/path-browserify@1.0.1, npm/postcss-load-config@6.0.1, npm/postcss@8.5.3, npm/rollup-plugin-livereload@2.0.5, npm/rollup-plugin-styles@4.0.0, npm/rollup-plugin-svelte@7.2.2, npm/rollup-plugin-terser@7.0.2, npm/rollup@4.36.0, npm/sirv-cli@3.0.1, npm/svelte-check@3.8.6, npm/svelte-preprocess@5.1.4, npm/svelte@3.59.2, npm/tailwindcss@3.4.17, npm/tippy.js@6.3.7, npm/util@0.12.5

View full report↗︎

[socket-security]

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring: npm/@sentry/node@5.30.0, npm/tslib@1.14.1, npm/semver@6.3.1, npm/supports-color@8.1.1, npm/json-schema-traverse@1.0.0, npm/camelcase@6.3.0, npm/ws@7.4.6, npm/mkdirp@1.0.4, npm/ansi-regex@3.0.1, npm/prettier@2.8.8, npm/isarray@1.0.0, npm/levn@0.3.0, npm/optionator@0.8.3, npm/ansi-escapes@4.3.2, npm/type-fest@0.21.3, npm/iconv-lite@0.4.24, npm/tmp@0.0.33, npm/safer-buffer@2.1.2, npm/slash@3.0.0, npm/json5@2.2.3, npm/prompts@2.4.2, npm/ci-info@2.0.0, npm/setimmediate@1.0.5, npm/prelude-ls@1.1.2, npm/type-check@0.3.2, npm/sisteransi@1.0.5, npm/string_decoder@1.3.0, npm/caseless@0.12.0, npm/combined-stream@1.0.8, npm/json-stringify-safe@5.0.1, npm/delayed-stream@1.0.0, npm/asynckit@0.4.0, npm/kind-of@6.0.3, npm/fs-extra@9.1.0, npm/https-proxy-agent@5.0.1, npm/require-from-string@2.0.2, npm/readable-stream@2.3.8, npm/core-util-is@1.0.3, npm/process-nextick-args@2.0.1, npm/string_decoder@1.1.1, npm/split2@3.2.2, npm/at-least-node@1.0.0, npm/array-union@2.1.0, npm/dir-glob@3.0.1, npm/agent-base@6.0.2, npm/is-unicode-supported@0.1.0, npm/log-symbols@4.1.0, npm/minimatch@5.1.6, npm/deep-extend@0.6.0, npm/lodash.camelcase@4.3.0, npm/cliui@8.0.1, npm/@types/minimatch@5.1.2, npm/glob@8.1.0, npm/ini@1.3.8, npm/boxen@5.1.2, npm/flat@5.0.2, npm/fs-extra@7.0.1, npm/jsonfile@4.0.0, npm/universalify@0.1.2, npm/ansi-align@3.0.1, npm/cli-boxes@2.2.1, npm/type-fest@0.20.2, npm/widest-line@3.1.0, npm/asap@2.0.6, npm/string-width@2.1.1, npm/strip-ansi@4.0.0, npm/os-tmpdir@1.0.2, npm/neo-async@2.6.2, npm/cbor@8.1.0, npm/utf8@3.0.0, npm/heap@0.2.7, npm/glob@7.1.7, npm/lodash.truncate@4.4.2, npm/astral-regex@2.0.0, npm/fs-extra@8.1.0, npm/resolve-from@3.0.0, npm/aggregate-error@3.1.0, npm/ansi-colors@4.1.3, npm/bytes@3.1.2, npm/charenc@0.0.2, npm/clean-stack@2.2.0, npm/cliui@7.0.4, npm/command-exists@1.2.9, npm/concat-stream@1.6.2, npm/crypt@0.0.2, npm/depd@2.0.0, npm/enquirer@2.4.1, npm/he@1.2.0, npm/http-errors@2.0.0, npm/indent-string@4.0.0, npm/interpret@1.4.0, npm/p-map@4.0.0, npm/proxy-from-env@1.1.0, npm/promise@8.3.0, npm/rechoir@0.6.2, npm/setprototypeof@1.2.0, npm/shelljs@0.8.5, npm/type-fest@0.7.1, npm/statuses@2.0.1, npm/toidentifier@1.0.1, npm/typedarray@0.0.6, npm/unpipe@1.0.0, npm/wordwrap@1.0.0, npm/yargs@16.2.0, npm/yargs-parser@20.2.9, npm/globby@10.0.2, npm/@types/glob@7.2.0, npm/difflib@0.2.4, npm/slice-ansi@4.0.0, npm/through2@4.0.2, npm/@types/prettier@2.7.3, npm/memorystream@0.3.1, npm/global-modules@2.0.0, npm/global-prefix@3.0.0, npm/create-hash@1.2.0, npm/create-hmac@1.1.7, npm/pbkdf2@3.1.2, npm/browserify-aes@1.2.0, npm/evp_bytestokey@1.0.3, npm/buffer-xor@1.0.3, npm/bn.js@5.2.1, npm/elliptic@6.5.4, npm/md5.js@1.3.5, npm/ripemd160@2.0.2, npm/sha.js@2.4.11, npm/minimalistic-assert@1.0.1, npm/brorand@1.1.0, npm/hash.js@1.1.7, npm/hmac-drbg@1.0.1, npm/minimalistic-crypto-utils@1.0.1, npm/hash-base@3.1.0, npm/js-sha3@0.8.0, npm/cookie@0.4.2, npm/lru_map@0.3.3, npm/lodash.clonedeep@4.5.0, npm/@types/lru-cache@5.1.1, npm/is-plain-obj@2.1.0, npm/node-emoji@1.11.0, npm/@types/node@10.17.60, npm/@sentry/core@5.30.0, npm/@sentry/hub@5.30.0, npm/@sentry/minimal@5.30.0, npm/@sentry/tracing@5.30.0, npm/@sentry/types@5.30.0, npm/@sentry/utils@5.30.0, npm/@types/concat-stream@1.6.1, npm/fs-readdir-recursive@1.1.0, npm/raw-body@2.5.2, npm/assertion-error@1.1.0, npm/pathval@1.1.1, npm/@types/node@8.10.66, npm/browser-stdout@1.3.1, npm/yargs-unparser@2.0.0, npm/decamelize@4.0.0, npm/bs58@4.0.1, npm/bech32@1.1.4, npm/node-addon-api@2.0.2, npm/@noble/secp256k1@1.7.1, npm/array-uniq@1.0.3, npm/@types/bn.js@4.11.6, npm/async@1.5.2, npm/glob@5.0.15, npm/esprima@2.7.3, npm/amdefine@1.0.1, npm/bn.js@4.11.6, npm/blakejs@1.2.1, npm/@noble/hashes@1.3.2, npm/colors@1.4.0, npm/scrypt-js@3.0.1, npm/ethereumjs-util@6.2.1, npm/is-hex-prefixed@1.0.0, npm/tweetnacl@1.0.3, npm/aes-js@3.0.0, npm/env-paths@2.2.1, npm/abbrev@1.0.9, npm/escodegen@1.8.1, npm/estraverse@1.9.3, npm/has-flag@1.0.0, npm/nopt@3.0.6, npm/source-map@0.2.0, npm/supports-color@3.2.3, npm/bs58check@2.1.2, npm/@ethersproject/abi@5.7.0, npm/@ethersproject/abstract-provider@5.7.0, npm/@ethersproject/abstract-signer@5.7.0, npm/@ethersproject/address@5.7.0, npm/@ethersproject/base64@5.7.0, npm/@ethersproject/basex@5.7.0, npm/@ethersproject/bignumber@5.7.0, npm/@ethersproject/bytes@5.7.0, npm/@ethersproject/constants@5.7.0, npm/@ethersproject/contracts@5.7.0, npm/@ethersproject/hash@5.7.0, npm/@ethersproject/hdnode@5.7.0, npm/@ethersproject/json-wallets@5.7.0, npm/@ethersproject/keccak256@5.7.0, npm/@ethersproject/logger@5.7.0, npm/@ethersproject/networks@5.7.1, npm/@ethersproject/pbkdf2@5.7.0, npm/@ethersproject/properties@5.7.0, npm/@ethersproject/random@5.7.0, npm/@ethersproject/rlp@5.7.0, npm/@ethersproject/sha2@5.7.0, npm/@ethersproject/signing-key@5.7.0, npm/@ethersproject/solidity@5.7.0, npm/@ethersproject/strings@5.7.0, npm/@ethersproject/transactions@5.7.0, npm/@ethersproject/units@5.7.0, npm/@ethersproject/wallet@5.7.0, npm/@ethersproject/web@5.7.1, npm/@ethersproject/wordlists@5.7.0, npm/ethereumjs-util@7.1.5, npm/rlp@2.2.7, npm/strip-hex-prefix@1.0.0, npm/@ethereumjs/rlp@4.0.1, npm/@noble/hashes@1.2.0, npm/ethereum-cryptography@1.2.0, npm/@ethersproject/providers@5.7.2, npm/@ethereumjs/util@8.1.0, npm/@scure/bip32@1.1.5, npm/@scure/bip39@1.1.1, npm/@ethersproject/address@5.6.1, npm/ethereumjs-abi@0.6.8, npm/ethers@5.7.2, npm/ethjs-unit@0.1.6, npm/ethjs-util@0.1.6, npm/lodash.isequal@4.5.0, npm/micro-ftch@0.3.1, npm/number-to-bn@1.7.0, npm/tweetnacl-util@0.15.1, npm/adm-zip@0.4.16, npm/recursive-readdir@2.2.3, npm/node-addon-api@5.1.0, npm/keccak@3.0.4, npm/cli-table3@0.5.1, npm/handlebars@4.7.8, npm/array-back@3.1.0, npm/array-back@4.0.2, npm/command-line-args@5.2.1, npm/command-line-usage@6.1.3, npm/find-replace@3.0.0, npm/reduce-flatten@2.0.0, npm/table-layout@1.0.2, npm/ts-essentials@7.0.3, npm/typical@4.0.0, npm/typical@5.2.0, npm/wordwrapjs@4.0.1, npm/check-error@1.0.3, npm/get-func-name@2.0.2, npm/sha1@1.1.1, npm/ndjson@2.0.0, npm/aes-js@4.0.0-beta.5, npm/@metamask/eth-sig-util@4.0.1, npm/fp-ts@1.19.3, npm/io-ts@1.10.4, npm/mnemonist@0.38.5, npm/tsort@0.0.1, npm/@noble/curves@1.2.0, npm/@solidity-parser/parser@0.14.5, npm/@types/form-data@0.0.33, npm/antlr4ts@0.5.0-alpha.4, npm/death@1.1.0, npm/ghost-testrpc@0.0.2, npm/http-basic@8.1.3, npm/http-response-object@3.0.2, npm/markdown-table@1.1.3, npm/ordinal@1.0.3, npm/parse-cache-control@1.0.1, npm/req-cwd@2.0.0, npm/req-from@2.0.0, npm/sc-istanbul@0.4.6, npm/string-format@2.0.0, npm/sync-request@6.1.0, npm/sync-rpc@1.3.6, npm/then-request@6.0.2, npm/immer@10.0.2, npm/loupe@2.3.7, npm/workerpool@6.5.1, npm/ts-command-line-args@2.5.1, npm/typechain@8.3.2, npm/@typechain/ethers-v6@0.5.1, npm/@typechain/hardhat@9.1.0, npm/eth-gas-reporter@0.2.27, npm/@types/chai-as-promised@7.1.8, npm/@types/pbkdf2@3.1.2, npm/@types/secp256k1@4.0.6, npm/@adraffy/ens-normalize@1.10.1, npm/hardhat-gas-reporter@1.0.10, npm/web3-utils@1.10.4, npm/diff@5.2.0, npm/@nomicfoundation/ethereumjs-common@4.0.4, npm/@nomicfoundation/ethereumjs-rlp@5.0.4, npm/@nomicfoundation/ethereumjs-tx@5.0.4, npm/@nomicfoundation/ethereumjs-util@9.0.4, npm/@fastify/busboy@2.1.1, npm/@noble/hashes@1.4.0, npm/@nomicfoundation/hardhat-toolbox@5.0.0, npm/@scure/bip32@1.4.0, npm/@scure/bip39@1.3.0, npm/hardhat-sample@0.0.1, npm/chai-as-promised@7.1.2, npm/solc@0.8.26, npm/deep-eql@4.1.4, npm/@nomicfoundation/solidity-analyzer-darwin-arm64@0.1.2, npm/@nomicfoundation/solidity-analyzer-darwin-x64@0.1.2, npm/@nomicfoundation/solidity-analyzer-linux-arm64-gnu@0.1.2, npm/@nomicfoundation/solidity-analyzer-linux-arm64-musl@0.1.2, npm/@nomicfoundation/solidity-analyzer-linux-x64-gnu@0.1.2, npm/@nomicfoundation/solidity-analyzer-linux-x64-musl@0.1.2, npm/@nomicfoundation/solidity-analyzer-win32-x64-msvc@0.1.2, npm/@nomicfoundation/solidity-analyzer@0.1.2, npm/ws@8.17.1, npm/@noble/curves@1.4.2, npm/ethereum-cryptography@2.2.1, npm/base-x@3.0.10, npm/ajv@8.17.1, npm/immutable@4.3.7, npm/type-detect@4.1.0, npm/chai@4.5.0, npm/ethereum-bloom-filters@1.2.0, npm/undici-types@6.19.8, npm/tslib@2.7.0, npm/uglify-js@3.19.3, npm/@nomicfoundation/hardhat-ethers@3.0.8, npm/follow-redirects@1.15.9, npm/@types/bn.js@5.1.6, npm/@scure/base@1.1.9, npm/@nomicfoundation/hardhat-chai-matchers@2.0.8, npm/@nomicfoundation/hardhat-network-helpers@1.0.12, npm/@types/chai@4.3.20, npm/json-stream-stringify@3.1.6, npm/@types/node@22.7.5, npm/undici-types@6.20.0, npm/secp256k1@4.0.4, npm/mocha@10.8.2, npm/elliptic@6.6.1, npm/@types/mocha@10.0.10, npm/solidity-coverage@0.8.14, npm/@solidity-parser/parser@0.19.0, npm/cipher-base@1.0.6, npm/table@6.9.0, npm/side-channel-map@1.0.1, npm/side-channel-list@1.0.0, npm/side-channel-weakmap@1.0.2, npm/side-channel@1.1.0, npm/chokidar@4.0.3, npm/es-set-tostringtag@2.1.0, npm/ethers@6.13.5, npm/obliterator@2.0.5, npm/jsonschema@1.5.0, npm/@openzeppelin/contracts@5.2.0, npm/@types/qs@6.9.18, npm/qs@6.14.0, npm/undici@5.28.5, npm/@noble/hashes@1.7.1, npm/fast-uri@3.0.6, npm/@nomicfoundation/edr@0.8.0, npm/@nomicfoundation/edr-darwin-x64@0.8.0, npm/@nomicfoundation/edr-darwin-arm64@0.8.0, npm/@nomicfoundation/edr-linux-arm64-gnu@0.8.0, npm/@nomicfoundation/edr-linux-arm64-musl@0.8.0, npm/@nomicfoundation/edr-linux-x64-gnu@0.8.0, npm/@nomicfoundation/edr-linux-x64-musl@0.8.0, npm/@nomicfoundation/edr-win32-x64-msvc@0.8.0, npm/object-inspect@1.13.4, npm/readdirp@4.1.2, npm/form-data@2.5.3, npm/form-data@4.0.2, npm/stacktrace-parser@0.1.11, npm/tinyglobby@0.2.12, npm/@types/node@22.13.5, npm/hardhat@2.22.19, npm/@nomicfoundation/hardhat-verify@2.0.13, npm/@nomicfoundation/hardhat-ignition@0.15.10, npm/@nomicfoundation/ignition-core@0.15.10, npm/@nomicfoundation/ignition-ui@0.15.10, npm/@nomicfoundation/hardhat-ignition-ethers@0.15.10, npm/axios@1.8.1, npm/commander@8.3.0, npm/get-port@3.2.0, npm/pify@4.0.1, npm/kleur@3.0.3, npm/serialize-javascript@6.0.2, npm/@jridgewell/trace-mapping@0.3.9, npm/resolve@1.17.0, npm/resolve@1.1.7, npm/call-bound@1.0.3

View full report↗︎

Next steps

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

[ericglau]

Thanks @immrsd!

EDITED:
Added the following:

• Moved version switcher to the language bar.
• Added tag aliases stable and alpha for the URL, so that the URLs can be long-lived and always point to the most relevant version.
  • Tag aliases only work from the main Wizard website: /cairo#version=stable and /cairo#version=alpha
  • Tag aliases are not supported for the embed. Embed must use specific versions (see below).
• Added dynamic updates for the URL params when changing the version alias and contract tab, so that the same page can be accessed by copy/pasting the URL.
  • Example: /cairo#erc1155&version=alpha
• For the embed, the version switcher will not be visible and will use the default version, unless a version is specified. This is intended to allow embedding on version-specific docs sites, which should specify a version.
  • Example: Embed without version param: /embed?lang=cairo
  • Example: Embed with specific version param: /embed?lang=cairo&version=2.0.0-alpha
• Evaluates app selection based on semver matching.
  • Example: Requesting version 2.0.0 which is compatible with the alpha: /embed?lang=cairo&version=2.0.0
  • Example: Requesting version 1.0.0 which is compatible with stable: /embed?lang=cairo&version=1.0.0
  • Example: Requesting version 3.0.0 which not compatible with any supported range: /embed?lang=cairo&version=3.0.0

[ericnordelo]

LGTM!

[ericglau]

LGTM. Can we revert the package-lock.json changes? That has a lot of changes and shouldn't be needed for this PR.

[ericnordelo]

Let's wait until the alpha gets released before merging this. And we should target this branch for the alpha wizard update @immrsd. So that gets merged to main at the same time after the release.

[ericglau]

Merged updates from master's cairo UI into cairo_alpha UI

[ericglau]

@SocketSecurity ignore npm/ws@7.4.6
Unrelated to this PR, see #421 (comment)

[ericglau]

@SocketSecurity ignore-all
Unrelated to this PR.