@devin-ai-integration
Contributor

chore: bump appkit-cdn to 1.8.13

Summary

Updates the AppKit CDN version from 1.8.11 to 1.8.13 in the Unity WebGL JavaScript bridge. This update includes fixes from version 1.8.12:

  • Fixed an issue where remote config endpoint was being called when using appkit core
  • Adds ability to configure custom SIWX signing behaviors by implementing a custom SIWXSigner

Triggering commit: reown-com/appkit@a155baf

Review & Testing Checklist for Human

  • Build and test a Unity WebGL project to verify the CDN loads successfully at https://cdn.jsdelivr.net/npm/@reown/appkit-cdn@1.8.13/dist/appkit.js
  • Test wallet connection flow (WalletConnect via QR code/deep link)
  • Test social login flow (if applicable in your test setup)
  • Verify no console errors appear during AppKit initialization
  • Confirm existing Unity integration features still work (sign message, send transaction, network switching)

Notes

This is a single-line change bumping a patch version. While the risk is low, WebGL builds cannot be tested by the automated system, so manual verification is important to ensure the new CDN version is compatible with the Unity integration.

Devin session: https://app.devin.ai/sessions/09ee7ad5ac6141f184c8ec1f302abf2e
Requested by: unknown ()

Co-Authored-By: unknown <>
@devin-ai-integration
Contributor Author

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring

@claude

claude bot commented Nov 4, 2025

Claude finished @devin-ai-integration[bot]'s task —— View job


Code Review Complete

Change: CDN version bump from 1.8.11 to 1.8.13 in AppKit.jslib:112


Issues Found

(1) External Domain URL Detected (Non-blocking)

🔒 External Domain URL Detected
URL: https://cdn.jsdelivr.net/npm/@reown/appkit-cdn@1.8.13/dist/appkit.js
File: src/Reown.AppKit.Unity/Plugins/AppKit.jslib:112

This change introduces a URL pointing to an external domain (cdn.jsdelivr.net). Approved company domains are: reown.com, walletconnect.com, walletconnect.org. While CDN usage is common for such integrations, verify:

  • External dependency is intentional
  • CDN provider (jsDelivr) is trusted and acceptable for production
  • Consider fallback mechanisms if CDN becomes unavailable
  • Review security/compliance implications of loading third-party scripts

(2) No Subresource Integrity (SRI) Check

File: src/Reown.AppKit.Unity/Plugins/AppKit.jslib:112

Dynamic import of external CDN resource lacks Subresource Integrity (SRI) verification. If the CDN is compromised or serves malicious content, the application has no integrity check to detect tampering.

Recommendation: While dynamic imports don't natively support SRI, consider:

  • Fetching the resource with integrity verification before execution
  • Implementing checksum validation
  • Using a lock file mechanism to pin expected content hashes
  • Or document the accepted risk if integrity checking is impractical for this use case

(3) No Error Handling for CDN Load Failure

File: src/Reown.AppKit.Unity/Plugins/AppKit.jslib:112

The dynamic import statement has a .then() success handler but no .catch() error handler. If the CDN is unreachable, blocked by firewall/content policy, or returns an error, the Promise rejection will go unhandled, leaving the initialization in an inconsistent state with no user feedback.

Recommendation: Add error handling:

import("https://cdn.jsdelivr.net/npm/@reown/appkit-cdn@1.8.13/dist/appkit.js")
  .then(async (AppKit) => {
    // existing initialization code
  })
  .catch((error) => {
    console.error("[AppKit] Failed to load CDN resource", error);
    // Invoke callback with error or handle gracefully
  });

@sonarqubecloud

sonarqubecloud bot commented Nov 4, 2025

@github-actions
Contributor

github-actions bot commented Nov 4, 2025

Deploy preview for unity-appkit ready!

✅ Preview
https://unity-appkit-790rce21y-reown-com.vercel.app

Built with commit c45631a.
This pull request is being automatically deployed with vercel-action
