Feat/optimize code #492

Closed
ByteZhang1024 wants to merge 2 commits into onekey from feat/optimizeCode

@ByteZhang1024 ByteZhang1024 commented Jun 26, 2025

Summary by CodeRabbit

  • Chores
    • Updated package versions across multiple projects to 1.0.36-alpha.1 pre-release.
    • Synchronized dependency versions for related packages to 1.0.36-alpha.1.
    • Changed the main entry point in one web SDK package to use the minified build.

coderabbitai bot commented Jun 26, 2025

Walkthrough

This update bumps version numbers from 1.0.35 to 1.0.36-alpha.1 across multiple packages. It also updates internal dependency versions to match. One package switches its main entry point to a minified build. No code, API, or public interface changes are present—only metadata and dependency adjustments.

Changes

| Files | Summary |
|---|---|
| .../electron-example/package.json, .../expo-example/package.json | Updated package version from 1.0.35 to 1.0.36-alpha. Expo example also updates four dependencies. |
| .../core/package.json, .../hd-ble-sdk/package.json, .../hd-common-connect-sdk/package.json | Bumped package and internal dependency versions from 1.0.35 to 1.0.36-alpha. |
| .../hd-transport-http/package.json, .../hd-transport-lowlevel/package.json | Updated package and dependency versions from 1.0.35 to 1.0.36-alpha. |
| .../hd-transport-react-native/package.json, .../hd-transport-webusb/package.json | Bumped package and dependency versions from 1.0.35 to 1.0.36-alpha. |
| .../hd-transport/package.json, .../shared/package.json | Increased version from 1.0.35 to 1.0.36-alpha. No other changes. |
| .../hd-web-sdk/package.json | Bumped version to 1.0.36-alpha, updated dependencies, and set main entry to minified build. |

Sequence Diagram(s)

No sequence diagram is necessary for these metadata and dependency version updates.

socket-security bot commented Jun 26, 2025

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

| Action | Severity | Alert |
|---|---|---|
| Warn | Critical | parse-url@6.0.2 has a Critical CVE. |

CVE: GHSA-j9fq-vwqv-2fm2 Server-Side Request Forgery (SSRF) in GitHub repository ionicabizau/parse-url (CRITICAL)

Affected versions: < 8.1.0

Patched version: 8.1.0

From: yarn.lock → npm/parse-url@6.0.2

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/parse-url@6.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 2

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro
Cache: Disabled due to data retention organization setting
Knowledge Base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 30632f1 and 0232387.

📒 Files selected for processing (12)
  • packages/connect-examples/electron-example/package.json (1 hunks)
  • packages/connect-examples/expo-example/package.json (2 hunks)
  • packages/core/package.json (2 hunks)
  • packages/hd-ble-sdk/package.json (2 hunks)
  • packages/hd-common-connect-sdk/package.json (2 hunks)
  • packages/hd-transport-http/package.json (2 hunks)
  • packages/hd-transport-lowlevel/package.json (2 hunks)
  • packages/hd-transport-react-native/package.json (2 hunks)
  • packages/hd-transport-webusb/package.json (2 hunks)
  • packages/hd-transport/package.json (1 hunks)
  • packages/hd-web-sdk/package.json (2 hunks)
  • packages/shared/package.json (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms (5)
  • GitHub Check: build (18.x)
  • GitHub Check: lint (18.x)
  • GitHub Check: Socket Security: Pull Request Alerts
  • GitHub Check: Analyze (javascript-typescript)
  • GitHub Check: Analyze (actions)
🔇 Additional comments (17)
packages/connect-examples/electron-example/package.json (1)

5-5: Version bump acknowledged

No issues found. Thanks for keeping the example in sync.

packages/hd-transport/package.json (1)

3-3: Sync lock-file before release

After changing the version, re-run the package manager to refresh the lock file. This prevents mismatched installs.

packages/core/package.json (1)

3-3: Let's check dependency versions across all workspaces:

#!/bin/bash
# Search for hd-shared dependency versions in all package.json files
rg -H -n '"@onekeyfe/hd-shared":' -g '*.json'

# Search for hd-transport dependency versions in all package.json files
rg -H -n '"@onekeyfe/hd-transport":' -g '*.json'

packages/hd-transport-webusb/package.json (1)

3-3: WebUSB package in sync

Version and internal deps line up with the rest of the bump. Looks good.

Also applies to: 23-24

packages/hd-transport-lowlevel/package.json (2)

3-3: Version bump looks good
Bumping to 1.0.36 keeps the package in lock-step with the monorepo.


22-24: Deps bumped in sync – nice
Internal dependencies now use ^1.0.36, matching this package. No further action.

packages/hd-transport-http/package.json (2)

3-3: Package version aligned
1.0.36 tag is consistent with the fleet.


27-28: Internal deps updated correctly
hd-shared and hd-transport both point to ^1.0.36. Looks good.

packages/hd-ble-sdk/package.json (2)

3-3: Version bump accepted
1.0.36 keeps everything consistent.


23-25: Dependency matrix stays in sync
Core, shared, and RN transport all updated to ^1.0.36. 👍

packages/connect-examples/expo-example/package.json (2)

3-3: Example app version updated
Good to see the example tracking the SDK version.


22-25: SDK refs updated
All four OneKey packages now target ^1.0.36 – consistent with the rest of the repo.

packages/hd-transport-react-native/package.json (2)

3-3: RN transport version bump OK
1.0.36 aligns with sibling packages.


22-23: Deps bumped in tandem
hd-shared and hd-transport moved to ^1.0.36. Looks good.

packages/hd-common-connect-sdk/package.json (2)

3-3: Version bump looks good.

1.0.36 lines up with the rest of the repo.


23-27: Lock-file and changelog check.

Run yarn install (or npm install) and commit the regenerated lock-file, and add an entry to your CHANGELOG.

packages/hd-web-sdk/package.json (1)

24-27: Sync lock-file and CI cache.

Bump the lock-file so CI and consumers pull ^1.0.36 consistently.

{
"name": "@onekeyfe/hd-shared",
"version": "1.0.35",
"version": "1.0.36",

🧹 Nitpick (assertive)

Add CHANGELOG entry for 1.0.36

Bump looks fine, but the repo lacks a note that explains what changed in 1.0.36. Add a line to the changelog before publishing.

🤖 Prompt for AI Agents
In packages/shared/package.json at line 3, the version has been bumped to 1.0.36
but there is no corresponding entry in the changelog. Add a new entry to the
changelog file describing the changes introduced in version 1.0.36 before
publishing the package.

"license": "ISC",
"type": "commonjs",
"main": "build/onekey-js-sdk.js",
"main": "build/onekey-js-sdk.min.js",

🧹 Nitpick (assertive)

Minified file as “main” may hurt debug-ability.

Exposing the minified bundle as main will give users obfuscated stack traces. Consider:

-  "main": "build/onekey-js-sdk.min.js",
+  "main": "build/onekey-js-sdk.js",
+  "browser": "build/onekey-js-sdk.min.js",

Ship source maps if you choose to keep the minified entry.

🤖 Prompt for AI Agents
In packages/hd-web-sdk/package.json at line 8, the "main" field points to the
minified bundle which reduces debug-ability due to obfuscated stack traces. To
fix this, either change the "main" entry to point to the unminified build file
or ensure that source maps are generated and shipped alongside the minified file
to enable proper debugging.

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 5

♻️ Duplicate comments (2)
packages/shared/package.json (1)

3-3: CHANGELOG reminder already raised earlier

Same note as the last review: add an entry for 1.0.36-alpha.1.

packages/hd-web-sdk/package.json (1)

8-8: Minified bundle set as main – same concern as last round

Pointing main to the minified build will still give users obfuscated stack traces. Either expose the un-minified file as main and keep the minified one under browser, or ship reliable source-maps.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro
Cache: Disabled due to data retention organization setting
Knowledge Base: Disabled due to data retention organization setting

📥 Commits

Reviewing files that changed from the base of the PR and between 0232387 and 3c637e4.

📒 Files selected for processing (12)
  • packages/connect-examples/electron-example/package.json (1 hunks)
  • packages/connect-examples/expo-example/package.json (2 hunks)
  • packages/core/package.json (2 hunks)
  • packages/hd-ble-sdk/package.json (2 hunks)
  • packages/hd-common-connect-sdk/package.json (2 hunks)
  • packages/hd-transport-http/package.json (2 hunks)
  • packages/hd-transport-lowlevel/package.json (2 hunks)
  • packages/hd-transport-react-native/package.json (2 hunks)
  • packages/hd-transport-webusb/package.json (2 hunks)
  • packages/hd-transport/package.json (1 hunks)
  • packages/hd-web-sdk/package.json (2 hunks)
  • packages/shared/package.json (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms (4)
  • GitHub Check: build (18.x)
  • GitHub Check: lint (18.x)
  • GitHub Check: Analyze (actions)
  • GitHub Check: Analyze (javascript-typescript)
🔇 Additional comments (11)
packages/connect-examples/electron-example/package.json (1)

5-5: Let’s list every version string in all package.json files to be sure:

#!/bin/bash
# Count unique version entries across all package.json
rg -o '"version": "[^"]*"' -g 'package.json' \
  | sed -E 's/"version": "([^"]*)"/\1/' \
  | sort \
  | uniq -c

packages/hd-transport-lowlevel/package.json (1)

3-3: Confirm caret-range works with pre-releases

^1.0.36-alpha.1 is allowed, but some tooling mis-resolves pre-release ranges. Please run an install in each supported package manager (npm, pnpm, yarn) to ensure no version drift.

You can script a quick check:

#!/bin/bash
set -e
for m in npm pnpm yarn; do
  echo "Testing with $m"
  $m --version || continue
  rm -rf node_modules && $m install --silent
done

Also applies to: 22-24

packages/hd-transport-http/package.json (1)

3-3: Same caret-range caution

Repeat the install check here to catch any mismatch early.

Also applies to: 27-28

packages/hd-transport-webusb/package.json (1)

3-3: Same caret-range caution

Verify the prerelease caret resolves as expected across toolchains.

Also applies to: 23-24

packages/core/package.json (1)

3-3: Guard against accidental stable-upgrade by dropping ^ for pre-release.

^1.0.36-alpha.1 lets npm jump to the first stable 1.x once published (e.g., 1.1.0). That may pull in breaking changes before you’re ready. Pin the exact alpha or switch to ~.

-    "@onekeyfe/hd-shared": "^1.0.36-alpha.1",
-    "@onekeyfe/hd-transport": "^1.0.36-alpha.1",
+    "@onekeyfe/hd-shared": "1.0.36-alpha.1",
+    "@onekeyfe/hd-transport": "1.0.36-alpha.1",

packages/connect-examples/expo-example/package.json (2)

3-3: Example app version looks fine.

Only metadata changed; no action needed.


22-25: Consider exact pins for alpha deps.

Same risk as core package—^ will float to stable unexpectedly. Lock or tilde-pin if the example must track the alpha series.

packages/hd-ble-sdk/package.json (1)

3-3: Version bump acknowledged.

No issues spotted.

packages/hd-transport-react-native/package.json (1)

3-3: Metadata update accepted.

Looks good.

packages/hd-common-connect-sdk/package.json (1)

3-3: Package version bump is consistent.

No issues here.

packages/hd-web-sdk/package.json (1)

24-27: Caret on pre-release locks you out of stable 1.0.36

Using ^1.0.36-alpha.1 pins you to alpha builds only; npm will not upgrade to 1.0.36 once it lands. If the intention is to stick with this exact tag, drop the caret for clarity. If you want the first stable ≥ 1.0.36, remove the pre-release suffix instead.

Example fix:

-    "@onekeyfe/hd-core": "^1.0.36-alpha.1",
-    "@onekeyfe/hd-shared": "^1.0.36-alpha.1",
-    "@onekeyfe/hd-transport-http": "^1.0.36-alpha.1",
-    "@onekeyfe/hd-transport-webusb": "^1.0.36-alpha.1"
+    "@onekeyfe/hd-core": "1.0.36-alpha.1",
+    "@onekeyfe/hd-shared": "1.0.36-alpha.1",
+    "@onekeyfe/hd-transport-http": "1.0.36-alpha.1",
+    "@onekeyfe/hd-transport-webusb": "1.0.36-alpha.1"

Double-check the desired upgrade path before publishing.

{
"name": "@onekeyfe/hd-transport",
"version": "1.0.35",
"version": "1.0.36-alpha.1",

🧹 Nitpick (assertive)

Add a matching CHANGELOG note for 1.0.36-alpha.1

The bump is fine, but users will look for release notes. Drop a one-liner in the changelog before publishing.

🤖 Prompt for AI Agents
In packages/hd-transport/package.json at line 3, the version has been bumped to
1.0.36-alpha.1 but there is no corresponding entry in the CHANGELOG file. Add a
one-line note describing the changes or purpose of this release in the CHANGELOG
file before publishing to provide users with release information.

Comment on lines +28 to +29
"@onekeyfe/hd-shared": "^1.0.36-alpha.1",
"@onekeyfe/hd-transport": "^1.0.36-alpha.1",

🛠️ Refactor suggestion

Mirror the bump in peerDependencies.

Users embedding this lib may hit a mismatch warning. Add the same 1.0.36-alpha.1 range to peerDependencies or drop peers if no longer needed.

🤖 Prompt for AI Agents
In packages/core/package.json around lines 28 to 29, the versions of
@onekeyfe/hd-shared and @onekeyfe/hd-transport have been updated in dependencies
but not in peerDependencies. To avoid version mismatch warnings for users,
update the peerDependencies section to include the same version range
"^1.0.36-alpha.1" for these packages, or remove them from peerDependencies if
they are no longer required.

Comment on lines +23 to 26
"@onekeyfe/hd-core": "^1.0.36-alpha.1",
"@onekeyfe/hd-shared": "^1.0.36-alpha.1",
"@onekeyfe/hd-transport-react-native": "^1.0.36-alpha.1"
}
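
Review bot: All three ranges on these lines are `^1.0.36-alpha.1`, which npm's semver rules read as `>=1.0.36-alpha.1 <2.0.0-0`: later `1.0.36` prereleases and every stable `1.x` release from `1.0.36` on, so an install without a lock file can resolve to code that was never tested against this alpha. Write the exact `1.0.36-alpha.1` on each line for as long as the package itself is a prerelease.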

🧹 Nitpick (assertive)

Pin alpha dependencies.

Replicate the advice from hd-core—drop the caret to avoid surprise upgrades.

🤖 Prompt for AI Agents
In packages/hd-ble-sdk/package.json around lines 23 to 26, the alpha
dependencies use caret (^) version ranges which can lead to unexpected upgrades.
Remove the caret (^) from the version strings of "@onekeyfe/hd-core",
"@onekeyfe/hd-shared", and "@onekeyfe/hd-transport-react-native" to pin them to
exact versions, matching the approach used in hd-core.

Comment on lines +22 to +23
"@onekeyfe/hd-shared": "^1.0.36-alpha.1",
"@onekeyfe/hd-transport": "^1.0.36-alpha.1",

🧹 Nitpick (assertive)

Lock down alpha versions.

Use exact versions for @onekeyfe/hd-shared and @onekeyfe/hd-transport or be ready for automatic jumps.

🤖 Prompt for AI Agents
In packages/hd-transport-react-native/package.json at lines 22 to 23, the
dependencies for @onekeyfe/hd-shared and @onekeyfe/hd-transport use caret (^)
version ranges which allow automatic updates to newer minor or patch versions.
To lock down alpha versions and prevent unintended automatic version jumps,
replace the version strings with exact versions by removing the caret prefix,
specifying the exact version numbers instead.

Comment on lines +23 to +27
"@onekeyfe/hd-core": "^1.0.36-alpha.1",
"@onekeyfe/hd-shared": "^1.0.36-alpha.1",
"@onekeyfe/hd-transport-http": "^1.0.36-alpha.1",
"@onekeyfe/hd-transport-lowlevel": "^1.0.36-alpha.1",
"@onekeyfe/hd-transport-webusb": "^1.0.36-alpha.1"

🧹 Nitpick (assertive)

Prevent unintended upgrades from alpha to stable.

Swap ^1.0.36-alpha.1 for an exact version or ~ across these deps.

🤖 Prompt for AI Agents
In packages/hd-common-connect-sdk/package.json around lines 23 to 27, the
dependencies use caret (^) version specifiers with alpha versions, which can
unintentionally upgrade to stable releases. Replace the caret (^) with either
exact version numbers or tilde (~) to restrict upgrades to patch versions within
the alpha release, preventing unintended upgrades to stable versions.

@ByteZhang1024 ByteZhang1024 marked this pull request as draft June 26, 2025 02:25
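
How the ranges debated in this thread resolve, as an added example (not code from the PR, from CodeRabbit or from the `semver` package): a small re-implementation of the caret, tilde and prerelease rules documented for node-semver, run against a constructed list of published versions. The `PUBLISHED` list and all function names are assumptions made for illustration.

```javascript
// Added example: a re-implementation of node-semver's documented caret, tilde
// and prerelease rules, limited to the range forms used in this PR.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: m.slice(1, 4).map(Number), pre: m[4] ? m[4].split('.') : [] };
}

// Prerelease precedence: a release outranks any prerelease of the same core;
// numeric identifiers sort below alphanumeric ones; a longer list wins a tie.
function comparePre(a, b) {
  if (!a.length || !b.length) return Math.sign(b.length - a.length);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    if (a[i] === undefined) return -1;
    if (b[i] === undefined) return 1;
    if (a[i] === b[i]) continue;
    const an = /^\d+$/.test(a[i]);
    const bn = /^\d+$/.test(b[i]);
    if (an && bn) return Math.sign(Number(a[i]) - Number(b[i]));
    if (an !== bn) return an ? -1 : 1;
    return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return Math.sign(a.core[i] - b.core[i]);
  }
  return comparePre(a.pre, b.pre);
}

// Exclusive upper bound: '~' bumps minor; '^' bumps the left-most non-zero part.
function upperCore(op, [major, minor, patch]) {
  if (op === '~') return [major, minor + 1, 0];
  if (major > 0) return [major + 1, 0, 0];
  return minor > 0 ? [0, minor + 1, 0] : [0, 0, patch + 1];
}

function satisfies(version, range) {
  const op = /^[\^~]/.test(range) ? range[0] : '';
  const base = parse(range.slice(op.length));
  const v = parse(version);
  if (!op) return compare(v, base) === 0; // exact pin
  // A prerelease is only eligible when the range itself names a prerelease
  // of the same major.minor.patch tuple.
  const sameTuple = v.core.every((n, i) => n === base.core[i]);
  if (v.pre.length && !(base.pre.length && sameTuple)) return false;
  const upper = { core: upperCore(op, base.core), pre: ['0'] }; // "<X.Y.Z-0"
  return compare(v, base) >= 0 && compare(v, upper) < 0;
}

// Highest published version a range admits, i.e. what a fresh install picks.
function maxSatisfying(published, range) {
  const ok = published.filter((v) => satisfies(v, range));
  ok.sort((a, b) => compare(parse(a), parse(b)));
  return ok.length ? ok[ok.length - 1] : null;
}

// Constructed registry state (assumption): the alpha and later releases exist.
const PUBLISHED = ['1.0.35', '1.0.36-alpha.1', '1.0.36-alpha.2', '1.0.36',
  '1.0.37-alpha.1', '1.1.0', '2.0.0'];

for (const range of ['^1.0.36-alpha.1', '~1.0.36-alpha.1', '1.0.36-alpha.1']) {
  const admitted = PUBLISHED.filter((v) => satisfies(v, range));
  console.log(range, '->', maxSatisfying(PUBLISHED, range), admitted);
}
```

Under these rules the caret and tilde forms both admit the stable 1.0.36 and later patch releases; only the exact pin stays on the alpha. A committed lock file fixes the resolved version for the repository itself, but not for downstream consumers of the published packages.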