@ByteZhang1024 ByteZhang1024 commented Nov 18, 2025

Summary by CodeRabbit

  • New Features

    • Added HTTP request capability to the Expo example.
  • Refactor

    • Switched CDN/source handling to use an environment variable with a stable default.
    • Removed a shared workspace package and its exported helper.
    • Changed XRP address derivation to a new encoding pipeline and per-item processing.
  • Chores

    • Added Rollup node-resolve tooling.
    • Forced HTTP client imports to use a compatibility shim.
    • Removed several Ripple-related dependencies across examples and core.


coderabbitai bot commented Nov 18, 2025

Walkthrough

Removed the shared-constants workspace and its getConnectSrc export; added @rollup/plugin-node-resolve to root deps/devDeps; swapped ripple-keypairs/xrpl for ripple-address-codec and noble hashes; added axios plus a shim and webpack alias; XrpGetAddress batch path and related imports removed.

Changes

Cohort / File(s) Summary
Root workspace & deps
package.json
Removed packages/connect-examples/shared-constants from workspaces.packages; added @rollup/plugin-node-resolve to both dependencies and devDependencies.
Expo example: axios shim & alias
packages/connect-examples/expo-example/shim-axios.js, packages/connect-examples/expo-example/webpack.config.js, packages/connect-examples/expo-example/package.json
New shim-axios.js that requires and normalizes axios (ensures .default and interceptors); webpack resolve.alias maps axios to the shim; axios dependency added (1.12.2).
Expo example: connect src constant
packages/connect-examples/expo-example/src/constants/connect.ts
Replaced getConnectSrc() import with `CONNECT_SRC = process.env.CONNECT_SRC
Ripple libs replaced in expo example
packages/connect-examples/expo-example/package.json, packages/connect-examples/expo-example/src/utils/mockDevice/method/xrpGetAddress.ts
Removed xrpl and ripple-keypairs deps; added ripple-address-codec and noble hash utilities; xrpGetAddress now derives addresses using hexToBytes → sha256 → ripemd160 → encodeAccountID.
Shared-constants package removed
packages/connect-examples/shared-constants/constants.js, packages/connect-examples/shared-constants/package.json
Deleted package manifest and removed getConnectSrc() implementation and related comments.
Other packages: ripple-keypairs removals
packages/connect-examples/expo-playground/package.json, packages/core/package.json
Removed ripple-keypairs from dependencies/peerDependencies/devDependencies where present.
Core XRP API change (batch removal)
packages/core/src/api/xrp/XrpGetAddress.ts
Removed batch-optimized path and related imports; code now processes each request item individually and fetches per-item public keys; batch public-key shortcut removed.

Sequence Diagram

sequenceDiagram
    rect rgb(230,240,255)
    participant App as App / Bundler
    participant Webpack as Webpack
    participant Shim as shim-axios.js
    participant Axios as axios
    end

    App->>Webpack: import axios
    Webpack->>Webpack: resolve alias -> shim-axios.js
    Webpack->>Shim: load shim
    Shim->>Axios: require('axios')
    Axios-->>Shim: axios object
    Shim->>Shim: ensure `.default` and `interceptors`
    Shim-->>Webpack: export augmented axios
    Webpack-->>App: provide shimmed axios module
sequenceDiagram
    opt Previous (batched)
    participant Core as Core XrpGetAddress (old)
    participant Device as Device
    Core->>Device: BatchGetPublickeys (bundle)
    Device-->>Core: multiple public keys
    Core->>Core: derive addresses via deriveAddress
    end

    opt New (per-item)
    participant CoreN as Core XrpGetAddress (new)
    participant DeviceN as Device
    CoreN->>DeviceN: RippleGetAddress for each item
    CoreN->>DeviceN: BatchGetPublickeys for each secp256k1 item
    DeviceN-->>CoreN: public key per item
    CoreN->>CoreN: compute address using sha256→ripemd160→encodeAccountID
    end

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

  • Inspect any remaining references to @onekey-internal/shared-constants across the repo.
  • Validate shim-axios.js for side effects and correct interop in Rollup and webpack builds.
  • Confirm webpack alias affects nested node_modules imports as intended.
  • Review xrp address derivation correctness (hash choice, byte order, and test vectors).
  • Review XrpGetAddress.ts for behavioral changes due to removal of the batch path and ensure callers handle per-item behavior.

Pre-merge checks and finishing touches

❌ Failed checks (1 warning, 1 inconclusive)
Check name Status Explanation Resolution
Docstring Coverage ⚠️ Warning Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. You can run @coderabbitai generate docstrings to improve docstring coverage.
Title check ❓ Inconclusive The title 'fix: example' is too vague and generic. It doesn't describe what the actual changes accomplish or which examples were modified. Use a more specific title that captures the main change, such as 'fix: refactor expo example to use ripple-address-codec' or 'fix: remove shared-constants workspace and update dependencies'.
✅ Passed checks (1 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.

Comment @coderabbitai help to get the list of available commands and usage tips.
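
The walkthrough above names the new address pipeline (hexToBytes → sha256 → ripemd160 → encodeAccountID) and asks reviewers to check it against test vectors. The following added example, which is not code from this PR or from the OneKey repository, re-implements that pipeline with Node's built-in `crypto` in place of `@noble/hashes` and `ripple-address-codec`, and adds a checksum-verifying decoder so a derived address can be round-tripped. All function names are local to the example, and the sample public key is constructed.

```javascript
// Added example, not code from this PR; Node's crypto replaces the PR's libraries.
const { createHash } = require('crypto');

// XRP Ledger base58 dictionary; it is ordered differently from Bitcoin's.
const XRP_ALPHABET = 'rpshnaf39wBUDNEGHJKLM4PQRST7VWXYZ2bcdeCg65jkm8oFqi1tuvAxyz';
const sha256 = (buf) => createHash('sha256').update(buf).digest();
const ripemd160 = (buf) => createHash('ripemd160').update(buf).digest();
const checksum = (buf) => sha256(sha256(buf)).subarray(0, 4);

function base58Encode(bytes) {
  let n = BigInt('0x' + bytes.toString('hex'));
  let out = '';
  for (; n > 0n; n /= 58n) out = XRP_ALPHABET[Number(n % 58n)] + out;
  // Each leading zero byte becomes one leading 'r' (alphabet index 0).
  for (const b of bytes) { if (b !== 0) break; out = XRP_ALPHABET[0] + out; }
  return out;
}

function base58Decode(str) {
  let n = 0n;
  for (const ch of str) {
    const v = XRP_ALPHABET.indexOf(ch);
    if (v < 0) throw new Error('invalid base58 character');
    n = n * 58n + BigInt(v);
  }
  let hex = n === 0n ? '' : n.toString(16);
  if (hex.length % 2) hex = '0' + hex;
  const zeros = str.length - str.replace(/^r+/, '').length;
  return Buffer.concat([Buffer.alloc(zeros), Buffer.from(hex, 'hex')]);
}

// Version byte 0x00 + 20-byte account ID + 4-byte double-SHA-256 checksum.
function encodeAccountID(accountId) {
  if (accountId.length !== 20) throw new Error('account ID must be 20 bytes');
  const payload = Buffer.concat([Buffer.from([0x00]), accountId]);
  return base58Encode(Buffer.concat([payload, checksum(payload)]));
}

// Reject anything whose length, version byte or checksum is wrong.
function decodeAccountID(address) {
  const raw = base58Decode(address);
  if (raw.length !== 25 || raw[0] !== 0x00) throw new Error('not a classic address');
  if (!checksum(raw.subarray(0, 21)).equals(raw.subarray(21))) throw new Error('bad checksum');
  return raw.subarray(1, 21);
}

// The pipeline named in the walkthrough: hex -> sha256 -> ripemd160 -> encodeAccountID.
function deriveAddress(publicKeyHex) {
  if (!/^(?:[0-9a-fA-F]{2}){33}$/.test(publicKeyHex)) throw new Error('expected a 33-byte hex public key');
  return encodeAccountID(ripemd160(sha256(Buffer.from(publicKeyHex, 'hex'))));
}

// Constructed sample: the compressed secp256k1 generator point, not a wallet key.
const SAMPLE_PUBKEY = '0279BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798';
console.log(deriveAddress(SAMPLE_PUBKEY));
```

Running the same inputs through both this sketch and the library pipeline is one way to confirm that the hash order and byte handling in the refactored code match.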

revan-zhang commented Nov 18, 2025

Snyk checks have passed. No issues have been found so far.

Status Scanner Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues


socket-security bot commented Nov 18, 2025

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain Security Vulnerability Quality Maintenance License
Added @babel/plugin-proposal-object-rest-spread@7.20.7 100 100 75 50 100
Added @babel/plugin-proposal-optional-chaining@7.21.0 100 100 74 50 100
Added @radix-ui/react-separator@1.1.7 100 100 67 99 100
Added @tamagui/babel-plugin@1.90.2 99 100 69 94 100
Added @radix-ui/react-progress@1.1.7 100 100 69 99 100
Added @radix-ui/react-slot@1.2.3 100 100 69 98 100
Added @nexajs/script@23.12.13 75 100 69 80 100
Added @types/bchaddrjs@0.4.3 100 100 70 79 100
Added @radix-ui/react-checkbox@1.3.2 99 100 71 99 100
Updated @babel/preset-react@7.28.5 ⏵ 7.22.15 100 100 71 91 100
Added @radix-ui/react-dropdown-menu@2.1.15 99 100 71 99 100
Added @radix-ui/react-dialog@1.1.14 99 100 71 99 100
Added @tamagui/toast@1.90.2 91 100 72 96 100
Added @radix-ui/react-tooltip@1.2.7 99 100 72 99 100
Added @react-navigation/bottom-tabs@6.5.12 100 100 73 97 100
Added @radix-ui/react-toast@1.2.14 99 100 73 99 100
Updated @babel/preset-typescript@7.28.5 ⏵ 7.23.3 100 100 73 91 100
Added @types/bytebuffer@5.0.43 100 100 73 77 100
Added @radix-ui/react-scroll-area@1.2.9 99 100 73 99 100
Added @onekeyfe/cross-inpage-provider-core@0.0.17 83 100 73 95 100
Added @react-navigation/native-stack@6.9.18 100 100 73 99 100
Added @alephium/web3-wallet@1.5.2 80 100 73 97 70
Added @types/elliptic@6.4.18 100 100 73 80 100
Added @nexajs/address@23.12.25 73 100 99 83 100
Added @radix-ui/react-select@2.2.5 99 100 74 99 100
Added @types/bn.js@5.1.5 100 100 74 81 100
Added @react-navigation/native@6.1.10 100 100 75 95 100
Added @tamagui/config@1.90.2 92 100 76 94 100
Updated @babel/core@7.28.5 ⏵ 7.23.9 98 +1 100 80 93 100
Added @polkadot/util-crypto@13.1.1 94 100 80 92 100
Added @ckb-lumos/helpers@0.23.0 80 100 100 83 100
Added @ton/core@0.57.0 100 100 82 89 100
Added @rollup/plugin-json@4.1.0 100 100 100 84 100
See 17 more rows in the dashboard


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 3

📜 Review details

Configuration used: CodeRabbit UI

Review profile: ASSERTIVE

Plan: Pro

Cache: Disabled due to data retention organization setting

Knowledge base: Disabled due to data retention organization setting

Disabled knowledge base sources:

  • Jira integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between fc9276c and c34d816.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (7)
  • package.json (1 hunks)
  • packages/connect-examples/expo-example/package.json (1 hunks)
  • packages/connect-examples/expo-example/shim-axios.js (1 hunks)
  • packages/connect-examples/expo-example/src/constants/connect.ts (1 hunks)
  • packages/connect-examples/expo-example/webpack.config.js (1 hunks)
  • packages/connect-examples/shared-constants/constants.js (0 hunks)
  • packages/connect-examples/shared-constants/package.json (0 hunks)
💤 Files with no reviewable changes (2)
  • packages/connect-examples/shared-constants/constants.js
  • packages/connect-examples/shared-constants/package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: deploy_preview
  • GitHub Check: lint (22)
  • GitHub Check: build (22)
🔇 Additional comments (4)
packages/connect-examples/expo-example/src/constants/connect.ts (1)

3-3: Environment-based config is cleaner than the old shared function.

The fallback URL version (1.1.17) matches the package version. Logic is clear.

packages/connect-examples/expo-example/webpack.config.js (1)

58-63: Axios alias configuration looks correct.

Using require.resolve ensures the shim path is resolved correctly. Spreading existing aliases prevents conflicts.

packages/connect-examples/expo-example/shim-axios.js (1)

9-12: The .default property fix handles Rollup interop correctly.

This ensures axios__default["default"] resolves properly when Rollup compiles the code.

packages/connect-examples/expo-example/package.json (1)

42-42: Axios 1.12.2 is valid and has no known vulnerabilities.

Version 1.12.2 exists on npm (released Sep 14, 2025) and is only one minor version behind the latest (1.13.2). None of the known HIGH or MODERATE severity advisories affect this version—all reported vulnerabilities were patched in earlier updates that 1.12.2 includes.

@wabicai wabicai enabled auto-merge (squash) November 26, 2025 06:49
@wabicai wabicai disabled auto-merge November 26, 2025 06:49
@wabicai wabicai self-requested a review November 26, 2025 06:49
@ByteZhang1024 ByteZhang1024 enabled auto-merge (squash) November 26, 2025 14:03
socket-security bot commented Nov 26, 2025

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm @polkadot/util-crypto is 91.0% likely obfuscated

Confidence: 0.91

Location: Package overview

From: packages/connect-examples/expo-example/package.json → npm/@polkadot/util-crypto@13.1.1

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@polkadot/util-crypto@13.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📥 Commits

Reviewing files that changed from the base of the PR and between 095d4b8 and 402d486.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (5)
  • packages/connect-examples/expo-example/package.json (2 hunks)
  • packages/connect-examples/expo-example/src/utils/mockDevice/method/xrpGetAddress.ts (1 hunks)
  • packages/connect-examples/expo-playground/package.json (0 hunks)
  • packages/core/package.json (1 hunks)
  • packages/core/src/api/xrp/XrpGetAddress.ts (0 hunks)
💤 Files with no reviewable changes (2)
  • packages/core/src/api/xrp/XrpGetAddress.ts
  • packages/connect-examples/expo-playground/package.json
🧰 Additional context used
🧬 Code graph analysis (1)
packages/connect-examples/expo-example/src/utils/mockDevice/method/xrpGetAddress.ts (1)
packages/core/src/api/helpers/hexUtils.ts (2)
  • bytesToHex (57-65)
  • hexToBytes (70-84)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)
  • GitHub Check: lint (22)
  • GitHub Check: build (22)
🔇 Additional comments (2)
packages/core/package.json (1)

37-46: Peer + dev dependency choice looks fine, but confirm version alignment

Using @noble/hashes in both peerDependencies and devDependencies is a reasonable pattern for a library that expects consumers to bring their own runtime copy but still needs it for builds/tests. The bump to @types/web-bluetooth also looks safe on its own, but please confirm everything still compiles and runs cleanly across all packages that depend on these types and hashes.

packages/connect-examples/expo-example/package.json (1)

41-87: New axios and ripple-address-codec deps look consistent with usage

Adding axios@1.12.2 here lines up with the same version used in @onekeyfe/hd-core, which should help avoid duplicate installs. Introducing ripple-address-codec@^5.0.0 also matches the new XRP address derivation logic in xrpGetAddress.ts.

Please just confirm that:

  • The axios shim/alias wiring for Expo and Webpack still resolves to the shim as intended.
  • There are no version conflicts with other packages in the monorepo that also use these libs.

@ByteZhang1024 ByteZhang1024 enabled auto-merge (squash) November 27, 2025 01:12

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

📥 Commits

Reviewing files that changed from the base of the PR and between 402d486 and bafdb2c.

📒 Files selected for processing (3)
  • packages/connect-examples/expo-example/package.json (2 hunks)
  • packages/connect-examples/expo-playground/package.json (0 hunks)
  • packages/core/package.json (1 hunks)
💤 Files with no reviewable changes (1)
  • packages/connect-examples/expo-playground/package.json
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)
  • GitHub Check: lint (22)
  • GitHub Check: build (22)
  • GitHub Check: Analyze (javascript-typescript)
🔇 Additional comments (2)
packages/core/package.json (1)

27-36: Verify axios integration with shim and webpack alias.

axios is now a core dependency. Per the PR context, a webpack alias and shim (shim-axios.js) are configured in expo-example. Ensure the shim properly handles the interop and that axios works as expected in bundled environments (Rollup, webpack).

packages/connect-examples/expo-example/package.json (1)

42-42: Verify ripple-keypairs migration and axios shim integration.

You've swapped ripple-keypairs and xrpl for ripple-address-codec and added axios. Ensure:

  1. Migration complete: All code formerly using ripple-keypairs/xrpl now uses ripple-address-codec or the new custom derivation logic (mentioned in PR context). Check that both packages are removed from devDependencies too, not just dependencies.

  2. axios shim working: The webpack alias and shim-axios.js need to properly handle axios for both browser and Node bundling. Verify bundled output includes axios correctly.

Also applies to: 86-86

@ByteZhang1024
Contributor Author

@coderabbitai resolve

coderabbitai bot commented Nov 27, 2025

✅ Actions performed

Comments resolved.

@ByteZhang1024 ByteZhang1024 merged commit 73d8d1e into onekey Nov 27, 2025
10 checks passed
@ByteZhang1024 ByteZhang1024 deleted the fix/exampleLoad branch November 27, 2025 01:16
5 participants