security: fix npm audit vulnerabilities in dependencies#4
Open
bernie-developer wants to merge 22 commits intogmonchain:mainfrom
Open
security: fix npm audit vulnerabilities in dependencies#4bernie-developer wants to merge 22 commits intogmonchain:mainfrom
bernie-developer wants to merge 22 commits intogmonchain:mainfrom
Conversation
- Add CoinMarketCap API integration with 24h server-side caching - Create FilterBar component for Top 100 and Active coins filtering - Add useMarketData hook to fetch and cache market data - Update .gitignore to protect API keys from being committed - Add .env.local.example as template for environment variables - Implement efficient caching (1 API call per day) Features: - Top 100 Market Cap filter button - Active coins filter (enabled by default) - Server-side caching to minimize API usage (~30 calls/month) - Secure API key handling Security: - API keys stored in .env.local (never committed to git) - Added comprehensive .gitignore rules for environment files
- App now works fully without CoinMarketCap API key - Filter buttons are disabled when API key is missing - Show helpful message explaining how to enable filters - No API requests made when key is not configured - Detect placeholder API keys and treat as not configured User experience: - Browse all icons without API key - Clear visual feedback when filters are unavailable - Small info message guides users to configure API key - No errors or broken functionality Security: - No unnecessary API calls - API key validation improved
- Top 100 filter: Hide icons without symbols (can't verify) - Active filter: Show icons without symbols (benefit of doubt) - Clarify behavior in code comments - Fix edge case where icons were incorrectly filtered
- Remove incorrect comment syntax causing text to render on page - Add debug logging to see actual CoinMarketCap API response - Default is_active to 1 if field not provided by API
- Create new /api/coinmarketcap/active-coins endpoint - Use /v1/cryptocurrency/map with listing_status=active - Batch 100 symbols per request (12 calls/day for 1152 icons) - Check ALL coins, not just top 100 - Cache results for 24 hours server-side - Update useMarketData to use active coins data Efficiency: - ~12 API calls per day (360/month out of 10k limit) - Accurate active status for all 1152 coins - Shared cache across all users Benefits: - Active filter now works correctly - Shows only coins still listed on CoinMarketCap - No more guessing active status
- Change cache duration from 24 hours to 7 days - Add CMC_ACTIVE_COINS_CACHE_DURATION env variable - Active coin status rarely changes, weekly is sufficient API efficiency improvement: - Before: 12 calls/day = 360 calls/month - After: 12 calls/week = ~52 calls/month - Savings: 96% reduction in API usage - Remaining budget: 9,948 calls/month available
CoinMarketCap returns both active and inactive coins even with listing_status=active parameter. We must explicitly filter for is_active === 1.
All batches were returning 400 errors. Likely hitting CoinMarketCap API limit for number of symbols per request. Reducing from 100 to 10. New stats: - Batch size: 10 symbols - Expected calls: ~84 per week (instead of 12) - Still well within limits
CoinMarketCap free tier allows ~30 calls/minute. With 84 batches, we need 2+ seconds between calls. Timing: - First request (weekly): ~3.5 minutes total - Subsequent requests: instant (cached for 7 days) - Trade-off: slow first load vs accurate data
Major architectural improvement: - Replace live API calls with static JSON files - Manual update script: npm run update-active-coins - No blocking page loads - Graceful degradation when no data Changes: - Add scripts/update-active-coins.cjs - manual script - Add /api/active-coins - simple static file API - Update useMarketData to use new API - Update FilterBar to hide buttons when no data - Filter symbols with special chars (CMC requirement) Benefits: - ⚡ Instant page loads (no 3.5min wait) - 🛡️ Robust fallback behavior - 🔧 Manual control over updates - 📁 JSON files can be committed to repo - ✅ Active Only button auto-hides if no data Usage: npm run update-active-coins (run manually when needed)
- Install dotenv package for update script - Generate initial active coins JSON files - 335 active coins identified - 486 inactive/unknown coins - 821 total symbols checked - JSON files ready for static consumption
- Add individual symbol retry when batch fails - Fixes missing major coins like BTC - Improved from 335 to 534 active coins detected - Major coins now properly identified (BTC, ETH, ADA, etc.)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
This PR fixes security vulnerabilities found by
npm auditin the project's dependencies.Changes
package-lock.jsonwith secure versions of dependencies@eslintpackages and their sub-dependenciesnpm audit fixSecurity Impact
npm audit)Testing
npm auditshows 0 vulnerabilitiesDetails
Key dependency updates include:
@eslint-community/eslint-utils: 4.4.0 → 4.9.0@eslint-community/regexpp: 4.11.1 → 4.12.2@eslint/config-array: 0.18.0 → 0.21.1This is a low-risk change that only updates the lock file to use more secure versions within the existing version ranges defined in package.json.