
Conversation


@Amxx Amxx commented Jul 28, 2025

Addresses #5817

Done:

  • FastLZ
  • Snappy
  • LZ4

Todo:

  • LibZip breaks lint. Do we want to ignore it somehow (how?) or run lint:fix on it?
    • Use solady's npm package as a dev-dependency for its JS folder
  • Lorem ipsum breaks codespell. What do we do about that?

PR Checklist

  • Tests
  • Documentation
  • Changeset entry (run npx changeset add)


changeset-bot bot commented Jul 28, 2025

⚠️ No Changeset found

Latest commit: d10eaad

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@Amxx Amxx force-pushed the feature/compression branch from 30a0a2d to a206a50 Compare July 28, 2025 19:19
@Amxx Amxx changed the title Compression library [WIP - DO NOT REVIEW - SEE ISSUE] Compression library Jul 29, 2025

socket-security bot commented Jul 30, 2025

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff   Package            Supply Chain Security   Vulnerability   Quality   Maintenance   License
Added  npm/lz4js@0.2.0    100                     100             82        77            100
Added  npm/snappy@7.3.0   97                      100             99        84            100
Added  npm/solady@0.1.24  100                     100             100       91            100

View full report

@Amxx Amxx changed the title [WIP - DO NOT REVIEW - SEE ISSUE] Compression library Compression libraries: FastLZ and Snappy Jul 30, 2025
@Amxx Amxx changed the title Compression libraries: FastLZ and Snappy Compression libraries: FastLZ, LZ4 and Snappy Jul 31, 2025

Amxx commented Jul 31, 2025

Current gas comparison (as of 5b39ebf)

Test   Lowest gas cost   Extra cost (FastLZ)   Extra cost (Snappy)   Extra cost (LZ4)
0      22228             +0.00%                +1.60%                +3.62%
1      22555             +0.00%                +1.38%                +4.07%
2      22579             +0.00%                +1.38%                +4.02%
3      22591             +0.00%                +1.38%                +4.01%
4      24830             +0.00%                +4.33%                +7.02%
5      40980             +0.00%                +8.24%                +6.73%
6      163724            +0.00%                +12.47%               +4.33%
7      4543657           +0.00%                +13.79%               +3.62%
8      4543889           +0.00%                +13.81%               +3.62%
9      23405             +0.00%                +1.72%                +5.70%
10     23677             +0.00%                +2.50%                +6.92%
11     23813             +0.00%                +1.47%                +6.37%
12     24015             +0.00%                +2.53%                +7.57%
13     269620            +0.00%                +2.34%                +0.44%
14     185750            +2.50%                +0.00%                +0.06%

Note:

  • FastLZ is the simplest and most efficient decompression implementation
  • FastLZ is the least standard (LZ4 is more widely available)
  • Cases 0 and 12 are artificially compressible. We should probably come up with more realistic blocks of data (historical blobs from L2s?)
  • Maybe we should consider the compressed size as well (not just the decompression cost)


Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action   Severity   Alert
Block    Low        pypi/[email protected] is an AI-detected potential code anomaly.

Notes: This module is a build backend shim that intentionally executes a project's setup.py to perform legacy builds. The use of exec() to run setup.py is the main security concern: it allows arbitrary code execution from the project being built. That is expected for this kind of tool but represents a moderate security risk when building untrusted projects. There is no evidence of covert malicious behavior inside this module itself (no network exfiltration, no hardcoded secrets, no obfuscation). Treat running this code against untrusted packages as dangerous because it will execute their setup.py in-process.

Confidence: 1.00

Severity: 0.60

From: pypi/[email protected] -> pypi/[email protected] -> pypi/[email protected]


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block    Low        pypi/[email protected] is an AI-detected potential code anomaly.

Notes: This script is a mutation-testing harness that intentionally overwrites a source file with mutant variants and executes a user-supplied test command for each mutant. I found no signs of obfuscated or intentionally malicious code (no hard-coded secrets, no exfiltration, no reverse-shell/backdoor). The main security risk is that it executes arbitrary shell commands (shell=True) and runs untrusted mutant source code by design — so if mutants or the test command come from untrusted or attacker-controlled sources, they can execute arbitrary code on the machine running this script. Use only with trusted inputs and consider sanitizing/avoiding shell=True and running tests in an isolated environment (containers or VMs) to reduce risk.

Confidence: 1.00

Severity: 0.60

From: pypi/[email protected] -> pypi/[email protected]


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore pypi/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report
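Both alerts above describe the same class of behaviour: code that runs other code at runtime, a project's setup.py through exec() in the first case and a user-supplied test command through shell=True in the second. As an added example (not part of this PR and not Socket's tooling), the script below uses Python's ast module to locate exactly those sinks so a reviewer can confirm what an alert points at before marking a package as acceptable risk. The three sources in `SAMPLE_SOURCES` are constructed stand-ins that mimic what the alert notes describe; they are not the code of setuptools or mutmut, and `scan_source` and `scan_all` are this example's own names.

```python
"""Locate runtime code-execution sinks (exec/eval, os.system, subprocess with shell=True)."""
import ast

# Constructed sample sources mimicking the behaviours the alerts describe (not the real packages).
SAMPLE_SOURCES = {
    "build_shim.py": (
        "def run_setup(path):\n"
        "    with open(path) as f:\n"
        "        code = f.read()\n"
        "    exec(compile(code, path, 'exec'), {'__name__': '__main__'})\n"
    ),
    "mutant_runner.py": (
        "import subprocess\n"
        "def run_tests(test_cmd):\n"
        "    return subprocess.run(test_cmd, shell=True).returncode\n"
    ),
    "clean_runner.py": (  # the hardened form: argv list, no shell
        "import subprocess\n"
        "def run_tests(argv):\n"
        "    return subprocess.run(argv, shell=False).returncode\n"
    ),
}

SUBPROCESS_FUNCS = {"run", "call", "check_call", "check_output", "Popen"}


def _call_name(node):
    """'exec' for exec(...), 'subprocess.run' for subprocess.run(...), else None."""
    f = node.func
    if isinstance(f, ast.Name):
        return f.id
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return f"{f.value.id}.{f.attr}"
    return None


def _shell_true(node):
    """True when the call passes a literal shell=True keyword."""
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in node.keywords
    )


def scan_source(filename, source):
    """Return (filename, line, reason) for every sink found in one Python source."""
    findings = []
    for node in ast.walk(ast.parse(source, filename)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name in ("exec", "eval"):
            findings.append((filename, node.lineno, f"{name}() runs code assembled at runtime"))
        elif name == "os.system":
            findings.append((filename, node.lineno, "os.system() hands its argument to a shell"))
        elif (name and name.startswith("subprocess.")
              and name.split(".", 1)[1] in SUBPROCESS_FUNCS and _shell_true(node)):
            findings.append((filename, node.lineno, f"{name}(shell=True) hands its command to a shell"))
    return findings


def scan_all(sources=None):
    """Scan every file in sources (default: the constructed samples), in dict order."""
    if sources is None:
        sources = SAMPLE_SOURCES
    findings = []
    for filename, source in sources.items():
        findings.extend(scan_source(filename, source))
    return findings


if __name__ == "__main__":
    for filename, line, reason in scan_all():
        print(f"{filename}:{line}: {reason}")
```

A hit is a location to read, not a verdict: for a legacy build backend, executing setup.py is the job, so the question the finding raises is whether the projects being built are trusted, which matches the alert's own note. For the test harness, `clean_runner.py` shows the change the alert suggests, an argv list with `shell=False`, which the scanner correctly leaves alone.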

@Amxx Amxx added this to the 5.6 milestone Sep 16, 2025