Fix xsnap fragile git clone issue by adding resolution override

[Copilot]

The @agoric/synpress package depends on @agoric/[email protected], which contains a fragile git clone step during build that can cause installation failures. Users have reported errors like:

Building...
 - @agoric/xsnap
...
The remote end hung up unexpectedly
...
git exited with code 128

This issue was fixed in newer versions of xsnap (0.14.3-u16.1+), but the synpress package still pins to the problematic version.

Solution

Added "@agoric/xsnap": "^0.14.3-u16.1" to the resolutions section in package.json. This ensures that all packages use a stable version of xsnap that doesn't include the fragile git clone step, overriding the problematic version specified in synpress.

Verification

• ✅ No .git directories found in any xsnap packages (checked 17 directories)
• ✅ All contract tests pass (7/7 tests)
• ✅ Resolution correctly overrides the problematic version from synpress
• ✅ Using stable version ^0.14.3-u16.1 instead of the problematic 0.14.3-u13.0

The fix ensures that fresh installations of this dapp will not encounter the fragile git clone issue during xsnap build.

Fixes #90.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

• download.cypress.io
  • Triggering command: /usr/local/bin/node index.js --exec install (dns block)
• edgedl.me.gvt1.com
  • Triggering command: /usr/local/bin/node install.mjs (dns block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to my firewall allow list

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert (click for details)
Warn		[email protected] has a License Policy Violation. License: CC-BY-3.0 (npm metadata) License: CC-BY-3.0 (package/package.json) From: ? → npm/[email protected] ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert (click for details)
Warn		[email protected] has a License Policy Violation. License: CC-BY-3.0 (npm metadata) License: CC-BY-3.0 (package/package.json) From: ? → npm/[email protected] ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[toliaqat]

@copilot I see the following error in the CI. Can you fix it?

Resolution step
➤ YN0001: Error: @agoric/base-zone@workspace:*: Workspace not found (@agoric/base-zone@workspace:*)
    at t.getWorkspaceByDescriptor (/home/runner/.cache/node/corepack/yarn/4.7.0/yarn.js:210:[35](https://github.com/Agoric/dapp-offer-up/actions/runs/16362295074/job/46233367617?pr=124#step:5:37)20)
    at t.getCandidates (/home/runner/.cache/node/corepack/yarn/4.7.0/yarn.js:140:117086)
    at Sg.getCandidates (/home/runner/.cache/node/corepack/yarn/4.7.0/yarn.js:141:1311)
    at Sg.getCandidates (/home/runner/.cache/node/corepack/yarn/4.7.0/yarn.js:141:1311)
    at /home/runner/.cache/node/corepack/yarn/4.7.0/yarn.js:210:8420
    at zm (/home/runner/.cache/node/corepack/yarn/4.7.0/yarn.js:140:5[38](https://github.com/Agoric/dapp-offer-up/actions/runs/16362295074/job/46233367617?pr=124#step:5:40)73)
    at ht (/home/runner/.cache/node/corepack/yarn/4.7.0/yarn.js:210:8400)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async Promise.allSettled (index 0)
    at async Wc (/home/runner/.cache/node/corepack/yarn/4.7.0/yarn.js:1[40](https://github.com/Agoric/dapp-offer-up/actions/runs/16362295074/job/46233367617?pr=124#step:5:42):53201)
➤ YN0000: └ Completed in 21s 406ms
➤ YN0000: · Failed with errors in 21s 423ms
Error: Process completed with exit code 1.