Pin exact dependency versions

[gtsonevv]

Pre-flight checklist

• I have read the Contributing Guidelines on pull requests.
• Commit messages follow the conventional commits spec
• If this is a code change: I have written unit tests.
• If this changes code in a published package: I have run pnpm changeset to create a changeset JSON document appropriate for this change.
• If this is a new API or substantial change: the PR has an accompanying issue (closes #0000) and the maintainers have approved on my working plan.

Motivation

Test Plan

Related issues/PRs

#1200

[changeset-bot]

⚠️ No Changeset found

Latest commit: 90bec46

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[paulmillr]

why is elliptic used here in ed25519 context? elliptic's implementation of the curve is buggy and produces invalid outputs, which means in blockchain context "someone will lose money"

[frol]

From the library usage perspective, it is not great to pin all the dependencies down to a single version as that may block deduplicating the dependencies if two libraries of slightly different versions are used (1.0.1 and 1.0.2). I am wondering if there is some middle ground that we can find here.

Also, this PR only resolves the first part of #1200, so it will be too early to close that issue without reviewing and removing buggy dependencies.

[paulmillr]

deduplicating the dependencies

Just walk through every dependency in the lockfile and see which are duplicated, then resolve every one separately - that's what I do.

https://npmgraph.js.org/?q=near-api-js

[gtsonevv]

Hey guys, thank you for the replies. Based on them these are the next steps that we can take:

1. Our team will go through the dependency graph and resolve duplications.
2. We will try to reduce the bundle size. Looking at https://bundlephobia.com/package/[email protected] we can see that 10% is bn.js which should be replaceable by native JS BigNumber. 7% is tweetnacl which is already replaced. We will try to find a comparable replacement for ajv because it’s biggest library by far(30%).

[paulmillr]

others:

• js-sha256 => noble-hashes (already used)
• elliptic => noble-curves (already used)
• borsch deps
  • remove bn.js (native BigInt)
  • remove text-encoding-utf-8 (native TextEncoder)
  • bs58 should be upgraded upstream to remove safe-buffer, or replaced with scure-base
• re-evaluate need for node-fetch
• re-evaluate need for error-polyfill

[frol]

As suggested offline, let's merge this PR with the pinned dependencies, and then work on a separate PR that will slim down the dependencies.