chore: migrate docs examples off spl-token#1476
Conversation
|
The latest updates on your projects. Learn more about Vercel for GitHub. 6 Skipped Deployments
|
Greptile SummaryThis PR removes
Confidence Score: 3/5The token-lookup files and package.json changes are safe; the fee-sponsorship pair needs attention before merging. The three token-read examples and the dependency removal are clean. The fee-sponsorship migration is the problem area: legacy.ts and legacy-helper.ts now have byte-for-byte identical content, erasing the deliberate low-level vs. helper contrast the pair was built to show. The pay-fees-with-any-token file also drops its final balance check, reducing its usefulness as a verifiable example. packages/docs-examples/cookbook/transactions/fee-sponsorship/legacy.ts and legacy-helper.ts need to be differentiated; packages/docs-examples/cookbook/transactions/pay-fees-with-any-token/legacy.ts could benefit from restored balance verification. Important Files Changed
Flowchart%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[fee-sponsorship example] --> B[createClient]
B --> C[payer - feePayer signer]
B --> D[solanaRpc plugin]
B --> E[rpcAirdrop - fund feePayer]
B --> F[tokenProgram plugin]
F --> G[createMint instruction]
F --> H[mintToATA instruction]
G & H --> I[sendTransaction - setup]
F --> J[transferToATA instruction]
J --> K[sendTransaction - transfer]
K --> L[findAssociatedTokenPda]
L --> M[fetchToken - verify balances]
Reviews (1): Last reviewed commit: "chore: migrate docs examples off spl-tok..." | Re-trigger Greptile |
| // #region sponsor | ||
| import { createClient, generateKeyPairSigner, lamports } from "@solana/kit"; | ||
| import { rpcAirdrop, solanaRpc } from "@solana/kit-plugin-rpc"; | ||
| import { airdropPayer, payer } from "@solana/kit-plugin-signer"; | ||
| import { |
There was a problem hiding this comment.
Identical content as
legacy-helper.ts
After this migration, legacy.ts and legacy-helper.ts are byte-for-byte identical. Originally legacy.ts showed the low-level raw-instruction path (createInitializeMintInstruction, manual Transaction assembly) while legacy-helper.ts showed the high-level helper-function path (createMint, createAssociatedTokenAccount, etc.) — a deliberate side-by-side contrast. Now any reader or doc page that cites both files will see the same code twice, erasing the distinction the pair was designed to illustrate.
| ]); | ||
| console.log("Transaction Signature:", transfer.context.signature); | ||
| console.log( | ||
| "Fee Payer balance:", | ||
| Number(feePayerTokenAccount.amount) / 100, | ||
| "tokens", | ||
| ); | ||
| console.log( | ||
| "Sender balance:", | ||
| Number(senderTokenAccount.amount) / 100, | ||
| "tokens", | ||
| ); | ||
| console.log( | ||
| "Recipient balance:", | ||
| Number(recipientTokenAccount.amount) / 100, | ||
| "tokens", | ||
| "Successfully transferred 0.5 tokens to recipient + 0.5 to fee payer", | ||
| ); | ||
|
|
||
| // #endregion pay-fees |
There was a problem hiding this comment.
Final balance verification removed
The original example fetched and logged the final token balances for all three parties (feePayer, sender, and recipient), which concretely proved that the token-reimbursement flow worked. The new version omits those checks entirely, so the example no longer confirms that the fee payer's ATA was actually credited — the stated goal of the "pay fees with any token" pattern. Someone reading the code as documentation loses the concrete verification step.
Summary
@solana/spl-tokendependency from@workspace/docs-examplesand prune its lockfile graph.@solana/kitspecifier to^6.9.0.@solana/spl-tokenonto Kit /@solana-program/tokenAPIs so the package remains typecheckable and tested.Docs content was intentionally left unchanged per the package-only scope.
Why
@solana/spl-tokenbelongs to the legacy web3.js client path. The current token-2022 repo lists a Kit-generated JS client separately from the "JS-legacy client (using@solana/web3.js)" path: https://github.com/solana-program/token-2022#managing-clientsThe dependency also pulled in
bigint-buffer@1.1.5through@solana/buffer-layout-utils. GitHub Advisory GHSA-3gc7-fjrx-p6mg / CVE-2025-3194 marksbigint-buffer <= 1.1.5as high severity with no patched version, so removing the SPL Token dependency graph is the clean mitigation: GHSA-3gc7-fjrx-p6mgNote: npm does not currently expose a
deprecatedmetadata field for@solana/spl-token; this PR treats the deprecation as the legacy client path and the ecosystem move to Kit for maintained JS token clients.Validation
pnpm install --frozen-lockfile --ignore-scriptspnpm --filter @workspace/docs-examples lintpnpm --filter @workspace/docs-examples test(61 files / 61 tests passed)pnpm audit --prod --jsonstill exits non-zero for unrelated workspace advisories, but parsed output has no@solana/spl-tokenorbigint-bufferfindings and reports 0 critical vulnerabilities.