Bump lerna to 8.1.3, ejs to 3.1.10

[ChiaMineJP]

This PR looks like just updating lerna version but it does not such simple.

Steps to reproduce this change

1. Check out main branch
2. Delete the root package-lock.json and node_modules.
3. Run npm cache clean -f
4. Update the root package.json like below then run npm i
   • Update lerna version to "8.1.3"
   • Update nx version to 19.0.1
   • Add the following section to package.json.

     "overrides": {
     "@walletconnect/keyvaluestorage": "1.0.2",
     "tslib": "2.6.2"
     },

Why such complicated?

My environment: m1 Mac 14.3.1, NodeJS 18.20.3, npm 10.8.0

At first I just incremented lerna version to 8.1.3. From that point, npm run build keeps failing with the strange message

After some investigation, I found that the version of node_modules/tar/node_modules/minipass was incorrectly set to 3.3.6 where tar specifies the version to ^5.0.0.

I suspect that with workspace and multiple child package dependencies, npm was confused and set wrong versions when creating package-lock.json.

Failed challenge

Challenge 1

1. check out main
2. Delete the root node_modules
3. Set "lerna": "8.1.3", in the root package.json
4. Run npm i
5. Run npm run build <-- This fails

Challenge 2

1. check out main
2. Delete the root node_modules and package-lock.json
3. In the root package.json, set "lerna": "8.1.3", remove "nx": "16.7.2"
4. Run npm i
5. Run npm run build <-- This succeeds
6. Run npx lerna run dev:skipLocales --scope=@chia-network/gui to start GUI <-- GUI crashes with an error (0 , tslib__WEBPACK_IMPORTED_MODULE_4__.__spreadArray) is not a function

Lessons learned

• Even if the content of package.json is the same, the content of package-lock.json differs according to previous package-lock.json and node_modules content.
• lerna depends on nx and nx has several optional dependencies for various OSes. This messes up package-lock.json. When I removed nx from top-level dependencies in the root package.json and ran npm i, it generated package-lock.json which specifies one of the optional dependencies only for MacOS. Of cource, this package-lock.json fails except for macOS.

[socket-security[bot]]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/electron-playwright-helpers@1.7.1	filesystem Transitive: environment, shell	+13	433 kB	jjeff
npm/lerna@8.1.3	environment, filesystem, network, unsafe Transitive: eval, shell	+479	51.4 MB	jameshenry
npm/nx@19.0.1	environment, filesystem, network, shell, unsafe Transitive: eval	+103	91.7 MB	nrwl-jason
npm/source-map-loader@4.0.2	None	+2	218 kB	evilebottnawi
npm/typescript@5.4.5	None	0	32.4 MB	typescript-bot
npm/victory@36.9.2	None	+54	32.4 MB	formidablelabs

🚮 Removed packages: npm/electron-playwright-helpers@1.6.0, npm/lerna@7.1.5, npm/nx@16.7.2, npm/source-map-loader@4.0.1

View full report↗︎

[socket-security[bot]]

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report↗︎

[ChiaMineJP]

I tested the following items and confirmed all ok.

• npm i
• npm run build
• npx lerna run dev:skipLocales --scope=@chia-network/gui (Launch GUI)
• Connect sample dApp with walletconnect, tested some APIs then disconnect.

Tested OSes

• m1 Mac 14.3
• Windows 10
• Ubuntu 24.04 (encountered a known issue https://github.com/Chia-Network/chia-blockchain/issues/17956 but this can be fixed via chown root:root node_modules/electron/dist/chrome-sandbox; chmod 4755 node_modules/electron/dist/chrome-sandbox)
• Fedora 39