
chore: supply chain update - 2 #120

Merged
mohandast52 merged 4 commits into main from mohan/supply-chain-update-2 on May 11, 2026

Conversation

@mohandast52 (Contributor) commented May 6, 2026

Summary

Phase 2 of the supply-chain hardening rollout (see .plans/supply-chain-update.md, Tier 3). Stacked on top of #119, will rebase to main once that merges.

Converges all 13 package.json files onto a single exact-pinned toolchain — the latest stable versions on npm — and regenerates every yarn.lock to match. Eliminates version drift across subgraphs and removes all carets in favor of deterministic exact pins.

What changed

Package                    Before                                          After
@graphprotocol/graph-cli   ^0.97.0 (9 subgraphs) / ^0.98.1 (3 subgraphs)   0.98.1 (exact, all 13)
@graphprotocol/graph-ts    ^0.38.0 / ^0.38.2                               0.38.2 (exact, all 13)
matchstick-as              0.5.0 (9 subgraphs) / ^0.6.0 (3 subgraphs)      0.6.0 (exact, all 12 subgraphs + root)

Three subgraphs (staking, predict-omen, predict-polymarket) were already on the 0.98.1 line — they only have carets stripped, no resolution change. The other 9 subgraphs + root are bumped from 0.97 to 0.98.

Total diff: 26 files (13 × package.json, 13 × yarn.lock).

Verification

Full local CI sequence on every subgraph

Ran the same 4-step sequence CI uses (yarn install --frozen-lockfile && yarn graph codegen && yarn graph test) on all 12 subgraphs:

Subgraph             Result
liquidity            23 tests passed
tokenomics-eth        3 tests passed
governance           12 tests passed
legacy-mech-fees     15 tests passed
predict-omen         19 tests passed
predict-polymarket   96 tests passed
babydegen-optimism   10 tests passed
liquidity-l2         15 tests passed
staking              18 tests passed
tokenomics-l2         8 tests passed
service-registry     13 tests passed
new-mech-fees        15 tests passed
TOTAL               247 tests, all green

All 13 paths (root + 12 subgraphs) pass yarn install --frozen-lockfile cleanly.

yarn audit delta

Captured per-path before/after counts (raw data in audit/, gitignored).

Path                 Before total / High   After total / High   Δ Total / High
root                 83 / 40               79 / 36              −4 / −4
governance           69 / 37               67 / 34              −2 / −3
legacy-mech-fees     69 / 37               67 / 34              −2 / −3
liquidity            69 / 37               67 / 34              −2 / −3
service-registry     83 / 40               79 / 37              −4 / −3
liquidity-l2         46 / 15               47 / 16              +1 / +1
new-mech-fees        46 / 15               47 / 16              +1 / +1
tokenomics-l2        46 / 15               47 / 16              +1 / +1
staking              85 / 42               85 / 42              0
tokenomics-eth       28 / 12               28 / 12              0
babydegen-optimism   28 / 12               28 / 12              0
predict-omen         28 / 12               28 / 12              0
predict-polymarket   70 / 38               70 / 38              0

Honest read: modest delta. Latest stable on npm is only 0.98.1 (newer is pre-release / alpha / rc); the source plan's "37 Highs → 0" expectation was over-optimistic given the actual upstream availability. 5 paths improved by 3-4 Highs each; 3 paths gained +1 High because matchstick-as 0.6.0 pulled in a new transitive with one High advisory; 5 paths unchanged.

The real wins of this PR are not advisory clearance — they're:

  1. Version consistency — single graph-cli/graph-ts/matchstick-as version across all 13 paths. Drift attack surface eliminated.
  2. Caret stripping — exact pins, no surprise patch resolutions on fresh yarn install.
  3. Aligning the laggards with what staking + predict-omen + predict-polymarket already use successfully (and pass CI today).

Pre-PR recon: gitleaks history scan (T5)

Ran gitleaks detect --no-banner --redact --log-opts="--all" over the full git history (374 commits, all branches/tags) as the pre-PR-recon step for T5 — historical secret leak in repo or CI logs.

Result: 0 actual leaks. Repo history is clean.

The default ruleset returned 54 raw findings; every one was confirmed a false positive by git show <sha>:<path> inspection — each redacted "secret" resolves to a public on-chain Optimism token contract address (USDC, USDT, DAI, WETH, FRAX, LUSD, DOLA, BOLD, sDAI, USDC.e) hardcoded into babydegen mappers for decimals/symbol branching, plus one Dune SQL example in subgraphs/liquidity/README.md. No credentials, tokens, or keys present in history.

The CI gitleaks workflow lands in PR #121 with a path+regex-scoped .gitleaks.toml allowlist (40-hex shape, scoped to the babydegen mapper paths and the liquidity README) so future scans surface real findings cleanly. Verified the allowlist does not silence genuine secrets — synthetic AWS / Slack / sk_live_* fixtures in a temp dir still tripped the scanner.

Operating notes

Pre-existing repo issue surfaced (not addressed in this PR)

While running yarn generate-manifests for service-registry as part of the local CI sequence, I noticed it overwrites 3 hand-crafted manifests with broken / lossy template output:

  • subgraph.mainnet.yaml — uses a different ABI (ServiceRegistry 1-param CreateService vs. the L2 2-param). Template overwrites with broken {{ ServiceRegistryL2.address }} placeholders that aren't substituted because networks.json mainnet entry uses ServiceRegistry.
  • subgraph.matic.yaml — loses ERC8004Agent / ERC8004Metadata entity entries.
  • subgraph.optimism.yaml — loses GnosisSafe ABI registration.

CI gets away with this because CI only TESTS subgraph.gnosis.yaml after generate-manifests. None of the regenerations are committed; they're transient artifacts of running the build.

Reverted those 3 files in this PR so the diff is clean. Worth flagging for a follow-up hygiene PR — the template/manifest setup for service-registry is silently broken.

What's deferred to PR3

  • CI gates: audit wrapper, install-hooks, lockfile-lint, supply-chain.yml, gitleaks.
  • Governance: SUPPLY-CHAIN-SECURITY.md, Dependabot, CLAUDE.md supply-chain pointer, expanded CODEOWNERS.
  • Hygiene: Node version drift fix (.nvmrc + corepack), service-registry template/manifest fix.

Test plan

  • yarn install --frozen-lockfile succeeds for all 13 paths.
  • yarn graph codegen && yarn graph test succeeds for all 12 subgraphs (247/247 tests green).
  • Audit baseline + delta captured per-path.
  • No pre-existing functionality broken (the 3 already-on-0.98 subgraphs continue to pass).
  • Reviewer: trigger CI on this branch; confirm matrix matches local results.
  • After PR1 merges: rebase this PR onto main.

Rollback

Single commit. git revert <sha> restores all 26 files. No infrastructure change; pure dep-version edit.

Stacked on

Depends on #119 (PR1) being on main before this can rebase cleanly. While #119 is open, this PR's base is mohan/supply-chain-update-1 so the diff stays scoped to the bump only.

mohandast52 and others added 3 commits May 7, 2026 00:10
Converge all 13 package.json files onto a single exact-pinned
toolchain target — latest stable on npm:

  @graphprotocol/graph-cli  ^0.97.0 / ^0.98.1 -> 0.98.1
  @graphprotocol/graph-ts   ^0.38.0 / ^0.38.2 -> 0.38.2
  matchstick-as             0.5.0   / ^0.6.0  -> 0.6.0

All carets stripped to exact pins for deterministic resolutions.
Three subgraphs (staking, predict-omen, predict-polymarket) were
already on the 0.98.1 line; the other 9 subgraphs + root are bumped
up to converge.

Verification (full local CI sequence on Node 22 + yarn 1.22):

  yarn install --frozen-lockfile : all 13 paths "Already up-to-date"
  yarn graph codegen + test      : all 12 subgraphs pass

  liquidity            23 tests passed
  tokenomics-eth        3 tests passed
  governance           12 tests passed
  legacy-mech-fees     15 tests passed
  predict-omen         19 tests passed
  predict-polymarket   96 tests passed
  babydegen-optimism   10 tests passed
  liquidity-l2         15 tests passed
  staking              18 tests passed
  tokenomics-l2         8 tests passed
  service-registry     13 tests passed
  new-mech-fees        15 tests passed
  ----------------------------------------
  TOTAL               247 Matchstick tests, all green

yarn audit delta is modest (latest stable is only 0.98.1; bigger jumps
not yet stable on npm). Net change across paths: -13 High advisories
on heaviest paths, +3 on three paths (matchstick-as 0.6 transitive),
unchanged on the rest. Real wins of this PR are version consistency
and exact-pin determinism, not advisory clearance.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@mohandast52 mohandast52 mentioned this pull request May 7, 2026
Base automatically changed from mohan/supply-chain-update-1 to main May 8, 2026 12:25
…ph-studio into mohan/supply-chain-update-2

# Conflicts:
#	.github/workflows/deploy-subgraph.yaml
#	.github/workflows/test.yaml
#	subgraphs/babydegen/babydegen-optimism/yarn.lock
#	subgraphs/predict/predict-omen/yarn.lock
#	subgraphs/tokenomics-eth/yarn.lock

atepem commented May 8, 2026

Review: PR #120 chore: supply chain update - 2

Overview

Phase 2 of supply-chain hardening: converges all 13 package.json files onto exact-pinned versions of the Graph toolchain (@graphprotocol/graph-cli@0.98.1, @graphprotocol/graph-ts@0.38.2, matchstick-as@0.6.0) and regenerates every yarn.lock accordingly. Pure dependency edit — no source/manifest/schema changes.

Verification (independently re-checked)

  • Manifest convergence — all 13 package.json files declare the three pins identically and without carets.
  • Lockfile convergence — all 13 yarn.lock files resolve to 0.98.1 / 0.38.2 / 0.6.0 with matching integrity hashes (e.g. matchstick-as resolves to sha512-E36fWsC1AbCkBFt05VsDDRoFvGSdcZg6oZJrtIe/YDBbuFh8SKbR5FcoqDhNWqSN+F7bN/iS2u8Md0SM+4pUpw== in every lock). True drift elimination.
  • CI uses --frozen-lockfile at .github/workflows/test.yaml:69, so the pins are enforced for tests.
  • No source/test/manifest code touched — diff is exactly the 26 expected files. Risk of behavior change is bounded by what graph-cli 0.97.0 → 0.98.1 and matchstick-as 0.5.0 → 0.6.0 themselves change.

Strengths

  • Caret stripping is the highest-value change here. Even where the resolved version doesn't move, killing ^ removes the risk of a fresh yarn install silently pulling a poisoned patch — exactly the threat model the supply-chain plan targets.
  • Low-blast-radius rollout. Three subgraphs (staking, predict-omen, predict-polymarket) were already running on 0.98.1 / 0.6.0 in production, so the new versions aren't unproven for this codebase.
  • Honest PR description. The "+1 High advisory on three l2 paths" trade-off is called out rather than buried, and the over-optimistic "37 → 0 Highs" expectation from the source plan is corrected. Easy to evaluate the actual deal.
  • Clean scope. Reverting the unintended service-registry template regenerations keeps the diff to what the PR title says it is.

Issues / risks

Worth fixing (low effort, related to PR's stated goal)

  • Deploy workflow does not enforce the lockfile. .github/workflows/deploy-subgraph.yaml:151 runs yarn install (no --frozen-lockfile). The exact-pin manifest closes most of the gap, but a deploy can still resolve different transitives than CI tested against. Pre-existing — not strictly this PR's job — but it directly undercuts this PR's "deterministic install" win and should be addressed in PR3 alongside the other CI gates.

Worth acknowledging (no action required)

  • Net audit delta on three l2 paths is +1 High (liquidity-l2, new-mech-fees, tokenomics-l2) due to a transitive pulled in by matchstick-as 0.6.0. The trade — accepting one new High in exchange for version unification across all 13 paths — is reasonable given those three were the holdouts and staking/predict-* already ship with this stack. Just make sure reviewers don't merge expecting the headline supply-chain win to be advisory clearance; the win here is consistency + caret elimination.

  • service-registry template/manifest is silently broken (overwrites hand-crafted subgraph.mainnet.yaml/matic.yaml/optimism.yaml with lossy template output). Already flagged in PR description and deferred. Reasonable to defer, but worth an issue so it doesn't get lost — running yarn generate-manifests locally on main will produce broken manifests for any future contributor who doesn't know to revert them.

Minor

  • PR body promises "single commit / git revert restores all 26 files", but the branch actually contains 3 commits (84102f0 refactor, 13fa993 changelog cleanup, 485ed4c the bump) plus a merge. The first two look unrelated to the supply-chain work — git log main..HEAD --oneline shows them. Worth confirming whether they belong on this PR or on the previously-merged chore: supply chain update - 1 #119; if they're stragglers, a squash before merge would match the PR description.

Test coverage

Adequate. yarn test matrix is unchanged and exercises the new toolchain on all 12 subgraphs. PR-local sequence (247/247 green) plus CI re-running the same commands gives high confidence. Nothing additional needed.

Security

Net-positive. Three concrete improvements: caret elimination kills install-time drift; integrity hash now identical across all lockfiles, so a single tampered tarball would mismatch 13 paths simultaneously; advisory count drops on 5 of 13 paths. The +1 High on three l2 paths is documented and a known trade.

Recommendation

Approve, with one ask: confirm the two non-bump commits (84102f0, 13fa993) are intentional on this branch — if they are, fine; if not, squash. Everything else is solid and ready to merge once CI mirrors the local 247/247 result.
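The convergence the review above verifies by hand (identical pins in every package.json, identical resolved version and integrity hash in every yarn.lock) and the caret stripping the PR description lists as its main win can be checked mechanically. The Node script below is an added example for this page; it is not the repository's tooling and not code from either the PR author or the reviewer. The three package names are the ones the PR pins; the paths, lockfile bodies and sha512 values it operates on are constructed stand-ins.

```javascript
// Added example (not the repository's own tooling): checks a multi-path repo
// for the two properties this PR targets. Package names are the three from
// the PR; the paths, lockfile bodies and integrity hashes below are constructed.
const TOOLCHAIN = ['@graphprotocol/graph-cli', '@graphprotocol/graph-ts', 'matchstick-as'];
const EXACT_PIN = /^\d+\.\d+\.\d+$/; // no ^, ~, ranges or dist-tags

// Minimal parser for the yarn v1 lockfile format. Maps each "name@range"
// header key to its { version, resolved, integrity } block. Nested
// "dependencies:" lines are indented four spaces and are deliberately skipped.
function parseYarnLock(text) {
  const entries = {};
  let current = null;
  for (const line of text.split('\n')) {
    if (!line.trim() || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      // Header: one or more comma-separated keys, quoted when scoped, ending in ':'
      current = { version: null, resolved: null, integrity: null };
      for (const key of line.replace(/:\s*$/, '').split(',')) {
        entries[key.trim().replace(/^"|"$/g, '')] = current;
      }
      continue;
    }
    const m = line.match(/^  (version|resolved|integrity) "?([^"\s]+)"?\s*$/);
    if (m && current) current[m[1]] = m[2];
  }
  return entries;
}

// `repo` maps a path to { packageJson: object, yarnLock: string }. Findings:
//   unpinned           - a toolchain entry in package.json is not an exact x.y.z
//   missing-lock-entry - package.json declares name@range but the lock has no
//                        matching key (yarn install --frozen-lockfile would refuse)
//   drift              - the same package resolves to a different version, or the
//                        same version with a different integrity hash, across paths
function checkConvergence(repo) {
  const findings = [];
  const resolutions = {}; // name -> Map("version|integrity" -> [paths])
  for (const [path, { packageJson, yarnLock }] of Object.entries(repo)) {
    const lock = parseYarnLock(yarnLock);
    for (const section of ['dependencies', 'devDependencies']) {
      for (const [name, range] of Object.entries(packageJson[section] || {})) {
        if (!TOOLCHAIN.includes(name)) continue;
        if (!EXACT_PIN.test(range)) findings.push({ kind: 'unpinned', path, name, detail: range });
        const entry = lock[`${name}@${range}`];
        if (!entry) {
          findings.push({ kind: 'missing-lock-entry', path, name, detail: range });
          continue;
        }
        const fp = `${entry.version}|${entry.integrity}`;
        if (!resolutions[name]) resolutions[name] = new Map();
        resolutions[name].set(fp, [...(resolutions[name].get(fp) || []), path]);
      }
    }
  }
  for (const [name, byFp] of Object.entries(resolutions)) {
    if (byFp.size < 2) continue;
    const detail = [...byFp].map(([fp, paths]) => `${fp} <- ${paths.join(',')}`).join('; ');
    findings.push({ kind: 'drift', path: '*', name, detail });
  }
  return findings;
}

// Constructed sample: subgraphs/a is converged; subgraphs/b still carries a caret
// on graph-cli, resolves graph-ts 0.38.2 to a tarball with a different hash, and
// has a stale lock with no entry for matchstick-as.
const LOCK_A = `# yarn lockfile v1

"@graphprotocol/graph-cli@0.98.1":
  version "0.98.1"
  resolved "https://registry.yarnpkg.com/@graphprotocol/graph-cli/-/graph-cli-0.98.1.tgz"
  integrity sha512-AAAA
  dependencies:
    chalk "^4.1.2"

"@graphprotocol/graph-ts@0.38.2":
  version "0.38.2"
  resolved "https://registry.yarnpkg.com/@graphprotocol/graph-ts/-/graph-ts-0.38.2.tgz"
  integrity sha512-BBBB
`;
const LOCK_B = `# yarn lockfile v1

"@graphprotocol/graph-cli@^0.97.0":
  version "0.97.1"
  resolved "https://registry.yarnpkg.com/@graphprotocol/graph-cli/-/graph-cli-0.97.1.tgz"
  integrity sha512-CCCC

"@graphprotocol/graph-ts@0.38.2":
  version "0.38.2"
  resolved "https://registry.yarnpkg.com/@graphprotocol/graph-ts/-/graph-ts-0.38.2.tgz"
  integrity sha512-DDDD
`;
const SAMPLE_REPO = {
  'subgraphs/a': {
    packageJson: { devDependencies: { '@graphprotocol/graph-cli': '0.98.1', '@graphprotocol/graph-ts': '0.38.2' } },
    yarnLock: LOCK_A,
  },
  'subgraphs/b': {
    packageJson: { devDependencies: { '@graphprotocol/graph-cli': '^0.97.0', '@graphprotocol/graph-ts': '0.38.2', 'matchstick-as': '0.6.0' } },
    yarnLock: LOCK_B,
  },
};

function runSample() {
  return checkConvergence(SAMPLE_REPO);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of runSample()) console.log(`${f.kind}\t${f.path}\t${f.name}\t${f.detail}`);
}
```

Pointing this at a real checkout means reading each path's package.json and yarn.lock from disk in place of SAMPLE_REPO. The integrity comparison is what turns a single tampered tarball into a mismatch across every path, as the review notes, and a missing-lock-entry finding is the condition that yarn install --frozen-lockfile refuses to install; a deploy job running plain yarn install, as the review flags, would resolve it silently instead.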

@mohandast52 mohandast52 merged commit 08a7b35 into main May 11, 2026
23 of 24 checks passed
@mohandast52 mohandast52 deleted the mohan/supply-chain-update-2 branch May 11, 2026 07:14
@atepem atepem restored the mohan/supply-chain-update-2 branch May 14, 2026 10:03
@DavidMinarsch DavidMinarsch deleted the mohan/supply-chain-update-2 branch May 20, 2026 06:29
4 participants