Prevent Broken ledger live for celo users

[aaronmgdr]

✅ Checklist

• npx changeset was attached.
• Covered by automatic tests. => dependency update no function change
• Impact of the changes:
  • celo specific features. such as voting for validators, and staking

📝 Description

It is necessary to upgrade celo dependencies for ledger live to continue working with Celo once the Celo transition to Layer 2 happens. This is because early versions of celo blockchain used a custom transaction type and older versions of celo sdks only build transictions using this deprecated transaction format. However cel2 will not support this transaction format.

❓ Context

closes #7551

---

🧐 Checklist for the PR Reviewers

• The code aligns with the requirements described in the linked JIRA or GitHub issue.
• The PR description clearly documents the changes made and explains any technical trade-offs or design decisions.
• There are no undocumented trade-offs, technical debt, or maintainability issues.
• The PR has been tested thoroughly, and any potential edge cases have been considered and handled.
• Any new dependencies have been justified and documented.
• Performance considerations have been taken into account. (changes have been profiled or benchmarked if necessary)

[vercel]

@aaronmgdr is attempting to deploy a commit to the LedgerHQ Team on Vercel.

A member of the Team first needs to authorize it.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
web-tools	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	Sep 17, 2024 11:39am

3 Skipped Deployments

Name	Status	Preview	Comments	Updated (UTC)
ledger-live-docs	⬜️ Ignored (Inspect)	Visit Preview		Sep 17, 2024 11:39am
native-ui-storybook	⬜️ Ignored (Inspect)	Visit Preview		Sep 17, 2024 11:39am
react-ui-storybook	⬜️ Ignored (Inspect)	Visit Preview		Sep 17, 2024 11:39am

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@celo/connect@6.0.1	Transitive: environment, eval, filesystem, network	+158	23.4 MB	app-tooling
npm/@celo/contractkit@8.1.1	filesystem, network Transitive: environment, eval, shell	+267	44.7 MB	app-tooling
npm/@celo/utils@7.0.0	Transitive: environment, network	+38	9.11 MB	app-tooling
npm/@celo/wallet-base@6.0.1	Transitive: environment, eval, filesystem, network, shell	+263	36.7 MB	app-tooling
npm/@celo/wallet-ledger@6.0.1	None	+20	2.81 MB	app-tooling

🚮 Removed packages: npm/@celo/connect@3.2.0, npm/@celo/contractkit@3.2.0, npm/@celo/utils@3.2.0, npm/@celo/wallet-base@3.2.0, npm/@celo/wallet-ledger@3.2.0

View full report↗︎

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert	Package	Note	Source	CI
Git dependency	npm/@celo/wallet-ledger@6.0.1	Dependency: @ledgerhq/hw-app-eth@git+https://github.com:celo-org/ledgerjs-hw-app-eth.git Location: Package overview	libs/ledger-live-common/package.json pnpm-lock.yaml	⚠︎

View full report↗︎

Next steps

What are git dependencies?

Contains a dependency which resolves to a remote git URL. Dependencies fetched from git URLs are not immutable can be used to inject untrusted code or reduce the likelihood of a reproducible install.

Publish the git dependency to npm or a private package repository and consume it from there.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore npm/@celo/wallet-ledger@6.0.1

[aaronmgdr]

this is no longer necessary and in fact breaks install as celo deps no longer locked together their versions

[aaronmgdr]

perplexed as to why in the ledger live environment calling toChecksumAddress results in eventually the @noble/hash library asserting that the Buffer of the address is a Uint8Array and (this is the crucial part) it gives false. whereas i can trace the same code path in a different environment and it will return true. I made an empty electron repo with just ContractKit as I thought it could be the differenc but received no issue.

[aaronmgdr]

This fails because in JSDom Buffer does not inherit from Uint8Array. this causes a cascade of failures starting in @noble/hashes and bubbling up to web3.js new Contract() which is called from newKit (from contractkit)

Its a bit of a bummer. And im not sure of the best approach to fix it.

As an alternative I played around with removing contractkit completely. But that too requires a bit more to get it working, and will change a substantial amount of files. So i wont do more on that just yet.

[aaronmgdr]

@Wozacosta id love to talk more about how we can get this working.

[github-actions]

There as been no activity on this PR for the last 14 days. Please consider closing this PR.

[aaronmgdr]

do not close this pr