
fix(tokenlist,contracts): replace unpinned Scalar CDN with @scalar/hono-api-reference#946

Open
decofe wants to merge 4 commits into main from fix/pin-scalar-cdn-with-sri

Conversation

@decofe (Member) commented May 12, 2026

Motivation

The Scalar API reference docs pages in tokenlist and contract-verification loaded @scalar/api-reference from the jsdelivr CDN without version pinning or SRI hashes. Any new npm publish of that package could silently change the script running on our pages — a supply-chain risk.

Changes

  • Added @scalar/hono-api-reference (^0.10.14) to the pnpm workspace catalog and both apps' dependencies.
  • tokenlist: Replaced the raw HTML + CDN <script> tag in docs.tsx with Scalar() from @scalar/hono-api-reference. Updated index.tsx to use the returned Hono handler directly.
  • contract-verification: Replaced renderDocs() (raw HTML + CDN tag) in route.docs.tsx with the Scalar() middleware, preserving the dynamic baseUrl and all server entries.

Why this is safer

The @scalar/hono-api-reference middleware generates the docs page server-side using the version pinned in package.json / lockfile, eliminating the unpinned CDN dependency.
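The motivation above names the two controls the old docs pages lacked: an exact version in the CDN URL and an SRI hash. The TypeScript below is an added example, not code from this PR, from the repository, or from Scalar. It audits an HTML document for cross-origin script tags that miss either control and shows the hardened tag shape for the case where a CDN load is kept rather than replaced by an npm dependency. The HTML sample, the file path `/dist/browser/standalone.js` and the version `1.2.3` used with it are constructed placeholders, not values taken from the repository; the version-pin check assumes jsdelivr/unpkg-style `npm/<pkg>@<version>` URLs.

```typescript
import { createHash } from "node:crypto";

// Constructed sample of the pre-fix docs page shape: a jsdelivr script with no
// version in the URL and no integrity attribute. Illustrative only, not docs.tsx.
export const UNPINNED_HTML = `<!doctype html>
<html><body>
<script id="api-reference" data-url="/openapi.json"></script>
<script src="https://cdn.jsdelivr.net/npm/@scalar/api-reference"></script>
</body></html>`;

export interface ScriptFinding {
  src: string;
  pinned: boolean;       // URL names an exact semver version, not a tag or range
  hasIntegrity: boolean; // tag carries a well-formed SRI integrity value
  problems: string[];
}

const SCRIPT_TAG = /<script\b([^>]*)>/gi;
const ATTR = /([a-zA-Z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
// jsdelivr/unpkg "npm/<pkg>@<exact semver>" with an optional scope. "@latest",
// "^1.2.3" or no version at all do not match (assumed URL layout, see lead-in).
const EXACT_PIN = /\/npm\/(?:@[^\/@]+\/)?[^\/@]+@\d+\.\d+\.\d+(?:[-+][\w.]+)?(?:\/|$)/;
const SRI_VALUE = /^sha(?:256|384|512)-[A-Za-z0-9+\/]+={0,2}$/;

function parseAttrs(raw: string): Record<string, string> {
  const out: Record<string, string> = {};
  const re = new RegExp(ATTR.source, "g");
  let m: RegExpExecArray | null;
  while ((m = re.exec(raw)) !== null) {
    out[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? "";
  }
  return out;
}

// Audit every cross-origin <script src> for the two controls the PR motivation
// names: an exact version pin in the URL and a Subresource Integrity hash.
export function auditScriptTags(html: string): ScriptFinding[] {
  const findings: ScriptFinding[] = [];
  const re = new RegExp(SCRIPT_TAG.source, "gi");
  let m: RegExpExecArray | null;
  while ((m = re.exec(html)) !== null) {
    const attrs = parseAttrs(m[1]);
    const src = attrs["src"];
    if (!src || !/^https?:\/\//i.test(src)) continue; // inline or same-origin: not a CDN load
    const pinned = EXACT_PIN.test(src);
    const hasIntegrity = SRI_VALUE.test(attrs["integrity"] ?? "");
    const problems: string[] = [];
    if (!pinned) problems.push("no exact version in URL");
    if (!hasIntegrity) problems.push("missing integrity (SRI) attribute");
    findings.push({ src, pinned, hasIntegrity, problems });
  }
  return findings;
}

// SRI metadata for a script body you have fetched and reviewed: "<alg>-<base64 digest>".
export function sriFor(
  body: string | Uint8Array,
  alg: "sha256" | "sha384" | "sha512" = "sha384",
): string {
  return `${alg}-${createHash(alg).update(body).digest("base64")}`;
}

// Hardened tag for the case where a CDN load is kept: exact version in the URL plus
// integrity and crossorigin, so a changed upstream file fails the browser's SRI check
// and is not executed. `version` and `file` are caller-supplied placeholders here.
export function pinnedScriptTag(pkg: string, version: string, file: string, body: string): string {
  const src = `https://cdn.jsdelivr.net/npm/${pkg}@${version}${file}`;
  return `<script src="${src}" integrity="${sriFor(body)}" crossorigin="anonymous"></script>`;
}

// Stand-alone run: report the constructed sample.
for (const f of auditScriptTags(UNPINNED_HTML)) {
  console.log(f.src, f.problems.length ? `-> ${f.problems.join("; ")}` : "-> ok");
}
```

Run against the constructed sample, the audit flags the single jsdelivr tag for both missing controls; a tag produced by `pinnedScriptTag` passes. SRI only protects the file named in the tag, so a script that itself fetches further assets at runtime still needs those pinned too, which is one reason moving the dependency into the lockfile, as this PR does, is the stronger fix.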

…no-api-reference

The Scalar API reference docs pages loaded `@scalar/api-reference` from
jsdelivr CDN without version pinning or SRI, meaning any new npm publish
could silently change the script running on our pages.

Migrate both apps to the official `@scalar/hono-api-reference` Hono
middleware, which pins the version via the npm dependency and generates
the docs page server-side.

Amp-Thread-ID: https://ampcode.com/threads/T-019e1c7a-506b-7059-912a-b9e2daf86379

github-actions Bot commented May 12, 2026

Bundle Size Report

Metric   Size     Δ Change
Total    4.6 MB   +408.9 KB (+9.4%)
Gzip     1.3 MB   +121.7 KB (+9.8%)
Brotli   1.2 MB   +106.5 KB (+9.8%)

Chunk changes (>1KB)

Chunk                                   Change
assets/chains.js (removed)              -360.7 KB
assets/export-rate-limit.js (removed)   -177.3 KB
assets/wagmi.config.js                  -29.5 KB
assets/AbiItem.js (removed)             -27.1 KB
assets/env.js                           -9.7 KB
assets/validators.js (removed)          -5.1 KB
assets/call.js                          +1.2 KB
assets/parseAbiItem.js (new)            +1.6 KB
assets/.js                              +1.7 KB
assets/_address.js                      +1.7 KB
assets/router.js                        +1.9 KB
assets/known-event-totals.js (new)      +2.0 KB
assets/tempo-queries.js                 +2.7 KB
assets/Addresses.js (new)               +9.1 KB
assets/schemas.js                       +22.7 KB
assets/structs.js (new)                 +23.9 KB
assets/queries.js                       +26.4 KB
assets/Connectors.js (new)              +55.5 KB
assets/token.js                         +56.1 KB
assets/manifest.js (new)                +173.8 KB
...and 2 more

Compared against main branch (baseline from 4/27/2026, 4:02:54 PM)


socket-security Bot commented May 12, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff    Package                                       Supply Chain Security   Vulnerability   Quality   Maintenance   License
Added   @scalar/client-side-rendering@0.1.7721007895100


github-actions Bot commented May 12, 2026

Cloudflare Deployments

App                     Environment   Status
explorer                devnet        [OK] Deployed
explorer                mainnet       [OK] Deployed
explorer                testnet       [OK] Deployed
fee-payer               devnet        [OK] Deployed
fee-payer               moderato      [OK] Deployed
fee-payer               privy         [OK] Deployed
og                      -             [OK] Deployed
perf                    -             [OK] Deployed
reth-snapshots-viewer   -             [OK] Deployed
tempo-snapshots-viewer  -             [OK] Deployed
tokenlist               -             [OK] Deployed

Centaur AI added 3 commits May 12, 2026 14:20
Pass the config as a callback function directly to the Scalar middleware
instead of manually invoking the returned handler. This resolves the
TS2345 type error where Context<{ Bindings: Cloudflare.Env }> was not
assignable to Context<Env>.

Amp-Thread-ID: https://ampcode.com/threads/T-019e1c7a-506b-7059-912a-b9e2daf86379

The Scalar callback form loses the Hono generic bindings type, causing
'context.env is possibly undefined' and 'VITE_BASE_URL does not exist'
errors. Use a typed route handler that invokes the Scalar middleware
inline instead.

Amp-Thread-ID: https://ampcode.com/threads/T-019e1c7a-506b-7059-912a-b9e2daf86379

The @scalar/hono-api-reference middleware returns a handler typed for
generic Env, which is incompatible with Hono<{ Bindings: Cloudflare.Env }>.

Instead, import renderApiReference from @scalar/client-side-rendering
(the underlying rendering function) and call context.html() directly.
This preserves the typed Cloudflare bindings context while still pinning
the Scalar version via npm.

Verified locally: both tokenlist and contract-verification pass
check:types and check:biome.

Amp-Thread-ID: https://ampcode.com/threads/T-019e1c7a-506b-7059-912a-b9e2daf86379