feat(updates): general consolidation #26

Open: sean-sqds wants to merge 11 commits into main from feat/consolidation-optimizations

@sean-sqds sean-sqds commented May 22, 2026

This pull request introduces several improvements and refactors to the CLI codebase, focusing on developer experience, runtime reliability, and user feedback. The most significant changes include adding TypeScript linting support, improving dependency management, enhancing CLI robustness, and refactoring the API layer to provide better error handling and user warnings.

Developer tooling and dependency management:

  • Added a new .eslintrc.json configuration to enable TypeScript-aware linting, with recommended rules and ignore patterns for generated and external files.
  • Updated package.json to add scripts for building, type checking, and linting, and pinned all dependencies and devDependencies to exact versions for improved reproducibility. [1] [2] [3]

CLI reliability and user experience:

  • Refactored version reporting in src/index.ts to read the version from package.json at runtime, ensuring the --version output always matches the published package.
  • Improved CLI robustness by normalizing the Ledger wallet path to handle case-insensitive inputs, and added graceful handling of Ctrl+C and unhandled promise rejections for a better user experience. [1] [2]
  • Updated the menu state machine to use an asynchronous run() method instead of top().

API layer enhancements:

  • Refactored src/lib/api.ts to:
    • Add warnings when the fee-paying wallet has a low SOL balance before transactions, and provide clearer error messages for insufficient funds. [1] [2]
    • Replace inefficient client-side filtering of multisigs with parallel on-chain queries, greatly improving performance when fetching multisigs for a wallet.
    • Add utility methods for common authority/vault lookups and refactor transaction submission logic for better code clarity and error handling.
    • Ensure that multisig creation always returns the created object, even if initial vault funding fails, and provide user guidance if funding fails.

socket-security Bot commented May 22, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert
Warn High
License policy violation: npm @sqds/sdk under AGPL-3.0-or-later

License: AGPL-3.0-or-later - The applicable license policy does not permit this license (5) (npm metadata)

License: AGPL-3.0-or-later - The applicable license policy does not permit this license (5) (package/package.json)

From: package.json → npm/@sqds/sdk@2.0.2

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sqds/sdk@2.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm argparse under Python-2.0.1

License: Python-2.0.1 - The applicable license policy does not permit this license (5) (package/LICENSE)

From: ? → npm/eslint@8.57.0 → npm/argparse@2.0.1

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/argparse@2.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Protestware or unwanted behavior: npm es5-ext

Note: The script attempts to run a local post-install script, which could potentially contain malicious code. The error handling suggests that it is designed to fail silently, which is a common tactic in malicious scripts.

From: ? → npm/clui@0.3.6 → npm/es5-ext@0.10.64

Suggestion: Consider that consuming this package may come along with functionality unrelated to its primary purpose.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/es5-ext@0.10.64. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report
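
Added example (not part of this pull request or of Socket's report): a Node.js check covering the two dependency points raised above, the exact-version pinning mentioned in the PR description and the install-script alert on es5-ext. It assumes an npm lockfile of version 2 or 3, where npm records `hasInstallScript` per package; the manifest, the lockfile, the `example-lib` entry and the function names are constructed for illustration.

```javascript
// Constructed sample data (not the project's real files). In CI, load the real
// ones with JSON.parse(fs.readFileSync("package.json", "utf8")) and likewise
// for package-lock.json.
const SAMPLE_MANIFEST = {
  dependencies: { "@sqds/sdk": "2.0.2", clui: "0.3.6", "example-lib": "^1.2.0" },
  devDependencies: { eslint: "8.57.0" },
};
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-cli" },
    "node_modules/@sqds/sdk": { version: "2.0.2" },
    "node_modules/clui": { version: "0.3.6" },
    "node_modules/es5-ext": { version: "0.10.64", hasInstallScript: true },
  },
};

// Exact semver only: ranges (^, ~, >=, x), tags and git/URL specs all fail.
const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/;

// Direct dependencies whose spec is not an exact version.
function unpinnedDependencies(manifest) {
  const found = [];
  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(manifest[field] || {})) {
      if (!EXACT.test(spec)) found.push({ field, name, spec });
    }
  }
  return found;
}

// Locked packages (direct or transitive) that npm marked as having
// install-time lifecycle scripts, minus those already reviewed ("name@version").
function unreviewedInstallScripts(lock, reviewed = []) {
  const marker = "node_modules/";
  const found = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === "" || !meta.hasInstallScript) continue;
    const i = path.lastIndexOf(marker); // nested paths: keep the innermost name
    const name = i < 0 ? path : path.slice(i + marker.length);
    const id = `${name}@${meta.version}`;
    if (!reviewed.includes(id)) found.push({ id, path });
  }
  return found;
}

console.log("unpinned:", unpinnedDependencies(SAMPLE_MANIFEST));
console.log("install scripts:", unreviewedInstallScripts(SAMPLE_LOCK));
```

A non-empty result from either function is a reasonable condition for failing a CI job; installing with `npm ci --ignore-scripts` keeps lifecycle scripts from running while a flagged package is under review.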

@sean-sqds sean-sqds marked this pull request as ready for review May 22, 2026 21:09