Merge pull request #323 from tronprotocol/release/4.6.0

Release/4.6.0

Author: unicornonea

CHANGELOG.md

@@ -1,3 +1,34 @@
+**4.6.0**
+
+### Features
+
+- Enhanced `flatten` command
+  - Unified SPDX license header generation across all input files
+  - Unified `pragma abicoder` handling and normalization
+  - Added dependency library version information in build output
+
+### Breaking Changes
+
+- **BREAKING CHANGE**: Removed EPM (Ethereum Package Manager) support
+- **BREAKING CHANGE**: Configuration directory paths (`build_directory`, `contracts_directory`, `contracts_build_directory`, `migrations_directory`, `test_directory`) are now constrained to the project root
+- **BREAKING CHANGE**: Disallowed running and importing files outside the project directory
+- **BREAKING CHANGE**: Removed global config injection
+
+### Bug Fixes & Improvements
+
+- Added checksum validation for downloaded soljson compiler files
+- Improved error capturing and unhandled promise rejection handling
+- Normalized error output formatting and added explicit exit codes
+- Enhanced runtime stability with null-safety checks on deployment and contract interactions
+
+### Dependencies
+
+- Upgraded `tronweb` from 6.1.1 to 6.2.2
+- Upgraded `axios` from 1.12.0 to 1.13.6
+- Upgraded `glob` to 13.0.6
+- Upgraded `ajv` to 6.14.0
+- Upgraded `yauzl` to 3.2.1
+
 **4.5.0**
 
 ### Major Refactoring

package-lock.json

@@ -1,7 +1,7 @@
 {
   "name": "tronbox",
   "namespace": "tronprotocol",
-  "version": "4.5.0",
+  "version": "4.6.0",
   "description": "TronBox - Simple development framework for Tron",
   "keywords": [
     "TronBox",
@@ -19,9 +19,9 @@
   },
   "dependencies": {
     "@solidity-parser/parser": "0.20.2",
-    "ajv": "6.12.6",
+    "ajv": "6.14.0",
     "async": "2.6.4",
-    "axios": "1.12.0",
+    "axios": "1.13.6",
     "bignumber.js": "7.2.1",
     "chai": "4.1.2",
     "chalk": "2.4.2",
@@ -31,7 +31,7 @@
     "ethers": "6.15.0",
     "find-up": "4.1.0",
     "fs-extra": "8.1.0",
-    "glob": "11.1.0",
+    "glob": "13.0.6",
     "graphlib": "2.1.8",
     "homedir": "0.6.0",
     "lodash": "4.17.23",
@@ -42,11 +42,10 @@
     "solc": "0.8.25",
     "source-map-support": "0.5.21",
     "tmp": "0.0.33",
-    "tronweb": "6.1.1",
-    "tsort": "0.0.1",
+    "tronweb": "6.2.2",
     "vcsurl": "0.1.1",
     "yargs": "15.4.1",
-    "yauzl": "3.2.0"
+    "yauzl": "3.2.1"
   },
   "devDependencies": {
     "@babel/cli": "7.28.3",
@@ -59,6 +58,11 @@
     "prettier": "2.8.8",
     "tslib": "2.8.1"
   },
+  "overrides": {
+    "mocha": {
+      "serialize-javascript": "7.0.3"
+    }
+  },
   "bin": {
     "tronbox": "build/tronbox.js"
   },

package.json

@@ -20,6 +20,9 @@ contract MetaCoin is ERC20 {
   // Unlock time for TRX locking feature
   uint256 public unlockTime;
 
+  // Tracks whether lock() has ever been called
+  bool public isLocked;
+
   /**
    * @param _initialSupply The initial supply.
    */
@@ -51,7 +54,12 @@ contract MetaCoin is ERC20 {
     require(block.timestamp < _unlockTime, 'Unlock time should be in the future');
     require(msg.sender == owner, "You aren't the owner");
 
+    if (isLocked) {
+      require(_unlockTime >= unlockTime, 'Unlock time can only be extended');
+    }
+
     unlockTime = _unlockTime;
+    isLocked = true;
   }
 
   /**
@@ -62,8 +70,11 @@ contract MetaCoin is ERC20 {
     require(block.timestamp >= unlockTime, "You can't withdraw yet");
     require(msg.sender == owner, "You aren't the owner");
     require(_to != address(0), 'Invalid address');
+    require(isLocked, 'Funds are not locked yet');
 
-    payable(_to).transfer(address(this).balance);
+    isLocked = false;
+    (bool success, ) = payable(_to).call{ value: address(this).balance }('');
+    require(success, 'Transfer failed');
   }
 
   /**

sample-projects/javascript-metacoin/contracts/MetaCoin.sol

@@ -26,8 +26,13 @@ Artifactor.prototype.save = function (object, options) {
     let output_path = object.contractName;
 
     // Create new path off of destination.
-    output_path = path.join(self.destination, output_path);
+    const destinationPath = path.resolve(self.destination);
+    output_path = path.join(destinationPath, output_path);
     output_path = path.resolve(output_path);
+    const relative = path.relative(destinationPath, output_path);
+    if (relative.startsWith('..') || path.isAbsolute(relative)) {
+      return reject(new Error(`Invalid contractName "${object.contractName}"`));
+    }
 
     // Add json extension.
     output_path = output_path + '.json';
@@ -43,7 +48,7 @@ Artifactor.prototype.save = function (object, options) {
         try {
           existingObjDirty = JSON.parse(json);
         } catch (e) {
-          reject(e);
+          return reject(e);
         }
 
         // normalize existing and merge into final

src/components/Artifactor.js

@@ -16,6 +16,7 @@ const axios = require('axios');
 const path = require('path');
 const fs = require('fs-extra');
 const util = require('util');
+const crypto = require('crypto');
 
 const cwd = process.cwd();
 
@@ -76,7 +77,7 @@ GithubDownloader.prototype.start = function () {
           .catch(err => _this.emit('error', err));
       });
     } else {
-      _this.emit('Error', new Error(JSON.stringify(item, null, 2) + '\n does not have type.'));
+      _this.emit('error', new Error(JSON.stringify(item, null, 2) + '\n does not have type.'));
     }
   }
 
@@ -152,6 +153,15 @@ function extractZip(zipFile, outputDir, callback) {
           if (err) return _this.emit('error', err);
 
           const file = path.resolve(outputDir, entry.fileName);
+          const normalizedOutputDir = path.resolve(outputDir);
+          const relative = path.relative(normalizedOutputDir, file);
+          if (relative.startsWith('..') || path.isAbsolute(relative)) {
+            return _this.emit(
+              'error',
+              new Error(`Refusing to extract unsafe zip entry outside destination: ${entry.fileName}`)
+            );
+          }
+
           fs.ensureDir(path.dirname(file), err => {
             if (err) return _this.emit('error', err);
 
@@ -188,7 +198,7 @@ function downloadZip() {
   _this._getZip = true;
 
   _this._log.forEach(function (file) {
-    fs.remove(file);
+    fs.removeSync(file);
   });
 
   const tmpdir = generateTempDir();
@@ -221,5 +231,5 @@ function downloadZip() {
 }
 
 function generateTempDir() {
-  return path.join(cwd, Date.now().toString() + '-' + Math.random().toString().substring(2));
+  return path.join(cwd, Date.now().toString() + '-' + crypto.randomBytes(16).toString('hex'));
 }

src/components/Box/lib/utils/download.js

@@ -15,18 +15,22 @@ module.exports = {
       .then(function () {
         return unbox.setupTempDirectory();
       })
-      .then(function (dir, func) {
+      .then(function ({ dir, cleanupCallback }) {
         // save tmpDir result
         tmpDir = dir;
-        tmpCleanup = func;
+        tmpCleanup = cleanupCallback;
       })
       .then(function () {
         return unbox.fetchRepository(url, tmpDir);
       })
       .then(function () {
         return unbox.copyTempIntoDestination(tmpDir, destination);
       })
-      .then(tmpCleanup);
+      .then(tmpCleanup)
+      .catch(error => {
+        if (tmpCleanup) tmpCleanup();
+        throw error;
+      });
   },
 
   unpackBox: function (destination) {

src/components/Box/lib/utils/index.js

@@ -3,7 +3,7 @@ const path = require('path');
 const axios = require('axios');
 const vcsurl = require('vcsurl');
 const tmp = require('tmp');
-const exec = require('child_process').exec;
+const { spawnSync } = require('child_process');
 const ghdownload = require('./download');
 const cwd = process.cwd();
 
@@ -59,7 +59,7 @@ function setupTempDirectory() {
     tmp.dir({ dir: cwd, unsafeCleanup: true }, function (err, dir, cleanupCallback) {
       if (err) return reject(err);
 
-      accept(path.join(dir, 'box'), cleanupCallback);
+      accept({ dir: path.join(dir, 'box'), cleanupCallback });
     });
   });
 }
@@ -68,7 +68,7 @@ function fetchRepository(url, dir) {
   return new Promise(function (accept, reject) {
     // Download the package from github.
     ghdownload(url, dir)
-      .on('err', function (err) {
+      .on('error', function (err) {
         reject(err);
       })
       .on('end', function () {
@@ -98,18 +98,26 @@ function readBoxConfig(destination) {
 
 function cleanupUnpack(boxConfig, destination) {
   const needingRemoval = boxConfig.ignore || [];
+  const workingDirectoryPath = path.resolve(destination);
 
   // remove box config file
   needingRemoval.push('tronbox.json');
   needingRemoval.push('tronbox-init.json');
+  needingRemoval.push('post-unpack.sh');
 
   const promises = needingRemoval
     .map(function (file_path) {
       return path.join(destination, file_path);
     })
     .map(function (file_path) {
       return new Promise(function (accept, reject) {
-        fs.remove(file_path, function (err) {
+        const resolvedPath = path.resolve(workingDirectoryPath, file_path);
+        const relative = path.relative(workingDirectoryPath, resolvedPath);
+        if (relative.startsWith('..') || path.isAbsolute(relative)) {
+          return accept();
+        }
+
+        fs.remove(resolvedPath, function (err) {
           if (err) return reject(err);
           accept();
         });
@@ -119,28 +127,33 @@ function cleanupUnpack(boxConfig, destination) {
   return Promise.all(promises);
 }
 
-function installBoxDependencies(boxConfig, destination) {
-  const postUnpack = boxConfig.hooks['post-unpack'];
-
+function installBoxDependencies(_boxConfig, destination) {
   return new Promise(function (accept, reject) {
-    if (postUnpack.length === 0) {
+    const packageJsonPath = path.join(destination, 'package.json');
+    if (!fs.existsSync(packageJsonPath)) {
       return accept();
     }
 
-    exec(postUnpack, { cwd: destination }, function (err, stdout, stderr) {
-      if (err) return reject(err);
-      accept(stdout, stderr);
-    });
+    const result = spawnSync('npm', ['install'], { cwd: destination, stdio: 'ignore', shell: true });
+    if (result.error) {
+      return reject(result.error);
+    }
+
+    if (result.status !== 0) {
+      return reject(new Error('Failed to install box dependencies using npm install'));
+    }
+
+    accept();
   });
 }
 
 module.exports = {
-  checkDestination: checkDestination,
-  verifyURL: verifyURL,
-  setupTempDirectory: setupTempDirectory,
-  fetchRepository: fetchRepository,
-  copyTempIntoDestination: copyTempIntoDestination,
-  readBoxConfig: readBoxConfig,
-  cleanupUnpack: cleanupUnpack,
-  installBoxDependencies: installBoxDependencies
+  checkDestination,
+  verifyURL,
+  setupTempDirectory,
+  fetchRepository,
+  copyTempIntoDestination,
+  readBoxConfig,
+  cleanupUnpack,
+  installBoxDependencies
 };