test(swing-store): fix AVA teardown flake; bump ava to ^7.0.0 by turadg · Pull Request #12667 · Agoric/agoric-sdk

turadg · 2026-05-14T22:21:00Z

Closes #12587

Description

Three changes addressing CI flake in packages/swing-store and dependency alignment:

test(swing-store): disable AVA worker threads — Swing-store CI flakes after all tests pass, with AVA exiting during teardown before the job completes. A focused Node 20 / NODE_V8_COVERAGE CI matrix (run 25888073450) isolated the cause:
- ava@6.4.1 + worker threads: 1/20 failed, exit 139
- ava@6.4.0 + worker threads: 2/20 failed, exit 139
- ava@6.4.1 + workerThreads: false: 0/20 failed
Disable AVA worker threads for swing-store, consistent with other Agoric packages. I think we tried that before and it didn't fix it. So maybe running more instances would have gotten a failure. Still worth a try.
chore(deps): bump ava to ^7.0.0 across workspaces — AVA 7.0 dropped Node 18 support, which agoric-sdk already dropped. See https://github.com/avajs/ava/releases/tag/v7.0.0. Bump applies to all workspace packages (packages/*, services/*) plus root devDep. SwingSet's peerDependencies.ava range widened to include ^7.0.0. a3p-integration/proposals/* and packages/create-dapp/demo/contract are intentionally left pinned (not workspaces).
chore(deps): bump @fast-check/ava to ^3.0.1 — Aligns the peer ava range with the workspace-wide ava ^7.0.0 bump. @fast-check/ava@3.x declares ava ^7 || ^8 as a peer (see CHANGELOG); previous ranges ^1.1.5 (ERTP, inter-protocol) and ^2.0.1 (fast-usdc, fast-usdc-contract, internal, portfolio-contract) only supported ava 5/6 (see CHANGELOG_2.X.md). a3p-integration/proposals/* occurrences are intentionally left at ^2.0.1.

Security Considerations

None — test-only dependency bump and AVA configuration change.

Scaling Considerations

None.

Documentation Considerations

None. AVA 7 is a test-runner dep; no user-facing API impact.

Testing Considerations

The disable-worker-threads change was validated in the diagnostics CI matrix cited above. @endo/ses-ava declares an ava peer range that doesn't yet include ^7; Yarn warns (YN0060) but this is known-benign since ses-ava only uses a thin slice of the t API.

Upgrade Considerations

None.

🤖 Generated with Claude Code

socket-security · 2026-05-14T22:23:15Z

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Warn		License policy violation: npm `@chain-registry/types` under SEE LICENSE IN LICENSE License: SEE LICENSE IN LICENSE - This license classifier is not allowed by the applicable policy (package/package.json) From: `?` → `npm/@chain-registry/client@1.47.4` → `npm/@chain-registry/types@0.50.194` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@chain-registry/types@0.50.194`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm `@chain-registry/utils` under SEE LICENSE IN LICENSE License: SEE LICENSE IN LICENSE - This license classifier is not allowed by the applicable policy (package/package.json) From: `?` → `npm/@chain-registry/client@1.47.4` → `npm/@chain-registry/utils@1.51.194` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@chain-registry/utils@1.51.194`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm `typescript` under CC-BY-4.0 License: CC-BY-4.0 - The applicable license policy does not permit this license (5) (package/ThirdPartyNoticeText.txt) License: MIT-Khronos-old - The applicable license policy does not permit this license (5) (package/ThirdPartyNoticeText.txt) License: LicenseRef-W3C-Community-Final-Specification-Agreement - The applicable license policy does not permit this license (5) (package/ThirdPartyNoticeText.txt) From: `?` → `npm/@endo/bundle-source@4.1.2` → `npm/typescript@5.7.3` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/typescript@5.7.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm `typescript` under CC-BY-4.0 License: CC-BY-4.0 - The applicable license policy does not permit this license (5) (package/ThirdPartyNoticeText.txt) License: MIT-Khronos-old - The applicable license policy does not permit this license (5) (package/ThirdPartyNoticeText.txt) License: LicenseRef-W3C-Community-Final-Specification-Agreement - The applicable license policy does not permit this license (5) (package/ThirdPartyNoticeText.txt) From: `?` → `npm/@nick134-bit/noblejs@0.0.2` → `npm/typescript@5.9.3` ℹ Read more on: This package \| This alert \| What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/typescript@5.9.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Copilot

Pull request overview

This PR updates the repository’s AVA test dependency to AVA 7 across root, package, and service workspaces, and adjusts swing-store AVA configuration to avoid worker-thread teardown flakes.

Changes:

Bumps AVA devDependency ranges from ^6.4.1 to ^7.0.0 across workspaces and updates yarn.lock.
Widens packages/SwingSet’s AVA peer dependency to include AVA 7.
Disables AVA worker threads for packages/swing-store.

Reviewed changes

Copilot reviewed 52 out of 53 changed files in this pull request and generated 5 comments.

Show a summary per file

File	Description
`package.json`	Updates root AVA devDependency.
`yarn.lock`	Refreshes AVA 7 and transitive dependency resolutions.
`services/ymax-planner/package.json`	Updates AVA devDependency.
`packages/access-token/package.json`	Updates AVA devDependency.
`packages/agoric-cli/package.json`	Updates AVA devDependency.
`packages/async-flow/package.json`	Updates AVA devDependency.
`packages/base-zone/package.json`	Updates AVA devDependency.
`packages/boot/package.json`	Updates AVA devDependency.
`packages/builders/package.json`	Updates AVA devDependency.
`packages/cache/package.json`	Updates AVA devDependency.
`packages/casting/package.json`	Updates AVA devDependency.
`packages/client-utils/package.json`	Updates AVA devDependency.
`packages/cosmic-proto/package.json`	Updates AVA devDependency.
`packages/cosmic-swingset/package.json`	Updates AVA devDependency.
`packages/create-dapp/package.json`	Updates AVA devDependency.
`packages/deploy-script-support/package.json`	Updates AVA devDependency.
`packages/ERTP/package.json`	Updates AVA devDependency.
`packages/fast-usdc/package.json`	Updates AVA devDependency.
`packages/fast-usdc-contract/package.json`	Updates AVA devDependency.
`packages/fast-usdc-deploy/package.json`	Updates AVA devDependency.
`packages/governance/package.json`	Updates AVA devDependency.
`packages/import-manager/package.json`	Updates AVA devDependency.
`packages/inter-protocol/package.json`	Updates AVA devDependency.
`packages/internal/package.json`	Updates AVA devDependency.
`packages/kmarshal/package.json`	Updates AVA devDependency.
`packages/network/package.json`	Updates AVA devDependency.
`packages/notifier/package.json`	Updates AVA devDependency.
`packages/orchestration/package.json`	Updates AVA devDependency.
`packages/pegasus/package.json`	Updates AVA devDependency.
`packages/pola-io/package.json`	Updates AVA devDependency.
`packages/portfolio-api/package.json`	Updates AVA devDependency.
`packages/portfolio-contract/package.json`	Updates AVA devDependency.
`packages/portfolio-deploy/package.json`	Updates AVA devDependency.
`packages/smart-wallet/package.json`	Updates AVA devDependency.
`packages/solo/package.json`	Updates AVA devDependency.
`packages/spawner/package.json`	Updates AVA devDependency.
`packages/store/package.json`	Updates AVA devDependency.
`packages/swing-store/package.json`	Updates AVA and disables worker threads.
`packages/swingset-liveslots/package.json`	Updates AVA devDependency.
`packages/swingset-runner/package.json`	Updates AVA devDependency.
`packages/swingset-xsnap-supervisor/package.json`	Updates AVA devDependency.
`packages/SwingSet/package.json`	Updates AVA and widens AVA peer range.
`packages/telemetry/package.json`	Updates AVA devDependency.
`packages/time/package.json`	Updates AVA devDependency.
`packages/vat-data/package.json`	Updates AVA devDependency.
`packages/vats/package.json`	Updates AVA devDependency.
`packages/vm-config/package.json`	Updates AVA devDependency.
`packages/vow/package.json`	Updates AVA devDependency.
`packages/wallet/api/package.json`	Updates AVA devDependency.
`packages/xsnap/package.json`	Updates AVA devDependency.
`packages/xsnap-lockdown/package.json`	Updates AVA devDependency.
`packages/zoe/package.json`	Updates AVA devDependency.
`packages/zone/package.json`	Updates AVA devDependency.

    "@endo/ses-ava": "^1.3.2",
    "@fast-check/ava": "^2.0.1",
-    "ava": "^6.4.1",
+    "ava": "^7.0.0",


Dropped support for Node 18, which agoric-sdk already dropped as well. https://github.com/avajs/ava/releases/tag/v7.0.0

Swing-store CI flakes after all tests pass, with AVA exiting during teardown before the job completes. Diagnostics showed the failure is not specific to AVA 6.4.1: a focused Node 20 / NODE_V8_COVERAGE CI matrix failed with worker threads enabled on both AVA 6.4.1 and 6.4.0, while AVA 6.4.1 with workerThreads disabled passed all 20 iterations. Results from Swing-Store Diagnostics run 25888073450: - ava@6.4.1 + worker threads: 1/20 failed, exit 139 - ava@6.4.0 + worker threads: 2/20 failed, exit 139 - ava@6.4.1 + workerThreads false: 0/20 failed This matches the observed flake shape: all swing-store tests pass, then the AVA process dies during worker-thread teardown. Run swing-store AVA tests in child-process mode for this package, consistent with other Agoric packages that already disable AVA worker threads.

It's also hitting: Process completed with exit code 129.

Aligns the peer ava range with the workspace-wide ava ^7.0.0 bump. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

fast-check v4 (pulled in transitively by @fast-check/ava@^3.0.1) made two changes that broke property tests in this repo: - `fc.bigUint` was removed; use `fc.bigInt({ min: 0n, max })` instead. - `fc.record` now returns null-prototype objects, which Endo pass-style classifies as Remotables — so `harden(x)` on the raw record fails when fields like `brand`/`value` are non-method properties. Rebuild records as plain objects (`harden({ brand, value })`) before harden. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

mhofman

Some minor nits. LGTM, let's see if it helps.

Edit: removed automerge label to let you address the dedup if you want.

mhofman · 2026-05-15T12:34:54Z

    ],
-    "timeout": "2m"
+    "timeout": "2m",
+    "workerThreads": false


I remain convinced that reducing the parallelism would help for this package, as I suspect the underlying problem is a OOM.

Wouldn't an OOM segfault?

mhofman · 2026-05-15T12:36:50Z

+// fast-check v4's `fc.record` returns null-prototype objects, which Endo
+// pass-style refuses to classify as CopyRecords. Restore `Object.prototype`
+// so `harden` yields a valid CopyRecord.


@gibson042 @erights I thought endo accepted null prototype objects as copy record. Did that change?

Right, that was dropped in 2022: endojs/endo#1324

mhofman · 2026-05-15T12:37:29Z

Looks like some new dep versions could be dedup.

turadg · 2026-05-15T14:20:19Z

I'm merging now to reduce flakiness but I may follow with another PR. Definitely if the CopyRecord comment is wrong.

Copilot AI review requested due to automatic review settings May 14, 2026 22:21

Copilot started reviewing on behalf of turadg May 14, 2026 22:21 View session

Copilot AI reviewed May 14, 2026

View reviewed changes

turadg force-pushed the ta/swing-store-flake branch from 813df93 to b20c162 Compare May 14, 2026 22:48

turadg and others added 5 commits May 14, 2026 16:27

chore(deps): bump ava to ^7.0.0 across workspaces

51cb8ec

Dropped support for Node 18, which agoric-sdk already dropped as well. https://github.com/avajs/ava/releases/tag/v7.0.0

test(boot): disable AVA worker threads

9923227

It's also hitting: Process completed with exit code 129.

chore(deps): bump @fast-check/ava to ^3.0.1

513c205

Aligns the peer ava range with the workspace-wide ava ^7.0.0 bump. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

turadg force-pushed the ta/swing-store-flake branch from 677b0c2 to e8fbe6d Compare May 14, 2026 23:27

turadg requested review from gibson042 and mhofman May 14, 2026 23:28

turadg added automerge:rebase Automatically rebase updates, then merge bypass:integration Prevent integration tests from running on PR labels May 14, 2026

turadg mentioned this pull request May 15, 2026

ci: add swing-store AVA diagnostics for flaky test exits #12507

Closed

mhofman approved these changes May 15, 2026

View reviewed changes

mhofman removed the automerge:rebase Automatically rebase updates, then merge label May 15, 2026

turadg added the automerge:rebase Automatically rebase updates, then merge label May 15, 2026

mergify Bot merged commit fb5babf into master May 15, 2026
143 of 153 checks passed

mergify Bot deleted the ta/swing-store-flake branch May 15, 2026 14:20

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

test(swing-store): fix AVA teardown flake; bump ava to ^7.0.0#12667

test(swing-store): fix AVA teardown flake; bump ava to ^7.0.0#12667
mergify[bot] merged 5 commits into
masterfrom
ta/swing-store-flake

turadg commented May 14, 2026 •

edited

Loading

Uh oh!

socket-security Bot commented May 14, 2026 •

edited

Loading

Uh oh!

Copilot AI left a comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

mhofman left a comment •

edited

Loading

Uh oh!

mhofman May 15, 2026

Uh oh!

turadg May 15, 2026

Uh oh!

mhofman May 15, 2026

Uh oh!

gibson042 May 15, 2026

Uh oh!

mhofman May 15, 2026

Uh oh!

turadg commented May 15, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

turadg commented May 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

Security Considerations

Scaling Considerations

Documentation Considerations

Testing Considerations

Upgrade Considerations

Uh oh!

socket-security Bot commented May 14, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

mhofman left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

mhofman May 15, 2026

Choose a reason for hiding this comment

Uh oh!

turadg May 15, 2026

Choose a reason for hiding this comment

Uh oh!

mhofman May 15, 2026

Choose a reason for hiding this comment

Uh oh!

gibson042 May 15, 2026

Choose a reason for hiding this comment

Uh oh!

mhofman May 15, 2026

Choose a reason for hiding this comment

Uh oh!

turadg commented May 15, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

turadg commented May 14, 2026 •

edited

Loading

socket-security Bot commented May 14, 2026 •

edited

Loading

mhofman left a comment •

edited

Loading