chore: bump @polkadot/keyring from 13.4.3 to 14.0.3 #3256

Open
dependabot[bot] wants to merge 1 commit into develop from dependabot/npm_and_yarn/polkadot/keyring-14.0.3

Conversation

@dependabot dependabot Bot commented on behalf of github Jun 3, 2026

Bumps @polkadot/keyring from 13.4.3 to 14.0.3.

Release notes

Sourced from @​polkadot/keyring's releases.

v14.0.3

Changes:

  • Fix(hw-ledger): reset transport on operation errors and add explicit disconnect API (#2024)

v14.0.2

Changes:

  • Set headers to 2026 (#2021)

Contributed:

v14.0.1

Changes:

  • fix(x-randomvalues): prioritize native RN modules over polyfilled crypto (#2013)
  • sr25519: switch from wasm to micro-sr25519 (#1971)

v13.5.9

Changes:

  • Bump polkadot dependencies (#2011)

v13.5.8

Changes:

v13.5.7

Changes:

  • Revert "Set pbkdf2Encode rounds to default to 210,000" (#2007)

v13.5.6

Changes:

  • Set pbkdf2Encode rounds to default to 210,000 (#1983)
  • Bump @​polkadot/wasm deps (#2002)

Contributed:

  • Add DENTNet to generic Polkadot app supported chains (#1942)

v13.5.5

Changes:

  • Add ledger support for Mythos (#1969)

... (truncated)

Changelog

Sourced from @​polkadot/keyring's changelog.

14.0.3 Mar 23, 2026

Changes:

  • Fix(hw-ledger): reset transport on operation errors and add explicit disconnect API (#2024)

14.0.2 Mar 16, 2026

Changes:

  • Set headers to 2026 (#2021)

Contributed:

14.0.1 Dec 9, 2025

Changes:

  • fix(x-randomvalues): prioritize native RN modules over polyfilled crypto (#2013)
  • sr25519: switch from wasm to micro-sr25519 (#1971)

13.5.9 Nov 25, 2025

Changes:

  • Bump polkadot dependencies (#2011)

13.5.8 Nov 11, 2025

Changes:

13.5.7 Oct 13, 2025

Changes:

  • Revert "Set pbkdf2Encode rounds to default to 210,000" (#2007)

13.5.6 Aug 26, 2025

Changes:

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by paritytech-ci, a new releaser for @​polkadot/keyring since your current version.


tangletools commented Jun 3, 2026

✅ No Blockers — 53990006

Readiness 79/100 · Confidence 70/100 · 3 findings (1 medium, 2 low)

deepseek: Correctness 79 · Security 79 · Testing 79 · Architecture 79

Full multi-shot audit completed 2/2 planned shots over 2 changed files. Global verifier still owns final merge decision.

🟠 MEDIUM @polkadot/keyring v14 bumped in isolation from sibling @PolkaDot packages — package.json

package.json:73 bumps @polkadot/keyring from ^13.4.3 to ^14.0.3, but @polkadot/util (line 76), @polkadot/util-crypto (line 77), @polkadot/api (line 69), and @polkadot/types (line 75) all remain on v13. Lockfile confirms keyring@14.0.3 has strict peer deps on util@14.0.3 and util-crypto@14.0.3. This forces Yarn to install two copies of util (13.4.3 and 14.0.3) and util-crypto (s

🟡 LOW Duplicate @PolkaDot dependency trees inflate install size — package.json

As a consequence of the isolated bump, the resolved dependency tree now contains both @polkadot/util@13.4.3 and @polkadot/util@14.0.3, plus matching util-crypto and x-* sub-packages. Identicon.tsx:7 explicitly calls out keyring+util+util-crypto as ~117KB combined in the vendor chunk. With two versions, this weight may be duplicated if tree-shaking cannot deduplicate across the v13/v14 boundary.

🟡 LOW No evidence tests or typecheck passed with new resolution — package.json

The PR contains only package.json (+1/-1) and yarn.lock (+206/-3). No CI output, test results, or typecheck results are included. While this is normal for a lockfile-only shot, the KeyringPair type imported from @polkadot/keyring/types in scripts/util.ts:3 is now from v14, while the Keyring class used at runtime (scripts/util.ts:1, via @polkadot/api) resolves to keyring v13. A typecheck (yarn typecheck) would confirm no interface breakage between KeyringPair v13 and v14.


tangletools · 2026-06-03T17:42:18Z · trace

tangletools previously approved these changes Jun 3, 2026

@tangletools tangletools left a comment

✅ Approved — 3 non-blocking findings — 53990006

Full multi-shot audit completed 2/2 planned shots over 2 changed files. Global verifier still owns final merge decision.

Full immutable report for this review: trace

Latest PR review status: sticky summary


tangletools · 2026-06-03T17:42:18Z · immutable trace

Bumps [@polkadot/keyring](https://github.com/polkadot-js/common/tree/HEAD/packages/keyring) from 13.4.3 to 14.0.3.
- [Release notes](https://github.com/polkadot-js/common/releases)
- [Changelog](https://github.com/polkadot-js/common/blob/master/CHANGELOG.md)
- [Commits](https://github.com/polkadot-js/common/commits/v14.0.3/packages/keyring)

---
updated-dependencies:
- dependency-name: "@polkadot/keyring"
  dependency-version: 14.0.3
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/polkadot/keyring-14.0.3 branch from 5399000 to 6501d8f, June 21, 2026 20:01

@tangletools tangletools left a comment

✅ Auto-approved PR — 6501d8f0

Blanket team auto-approval is enabled for this reviewer service.
The full PR reviewer audit still runs separately and will publish findings if it detects issues.

tangletools · auto-approval · reason: blanket_auto_approve · 2026-06-21T20:01:57Z

@tangletools tangletools left a comment

⚪ Value Audit — audit-incomplete

Verdict audit-incomplete
Concerns 0 (none)
Heuristic 0.0s
Duplication 0.0s
Interrogation 180.9s (2 bridge agents)
Total 180.9s

💰 Value — error

value agent produced no parseable value-audit JSON.

  • Model: opencode/deepseek/deepseek-v4-pro
  • Bridge attempts: 3
  • Bridge error: opencode/kimi-for-coding/k2p7: bridge stream ended without value-audit content; opencode/zai-coding-plan/glm-5.2: bridge stream ended without value-audit content; opencode/deepseek/deepseek-v4-pro: bridge stream ended without value-audit content

🎯 Usefulness — error

usefulness agent produced no parseable value-audit JSON.

  • Model: opencode/deepseek/deepseek-v4-pro
  • Bridge attempts: 3
  • Bridge error: opencode/zai-coding-plan/glm-5.2: bridge stream ended without value-audit content; opencode/kimi-for-coding/k2p7: bridge stream ended without value-audit content; opencode/deepseek/deepseek-v4-pro: bridge stream ended without value-audit content

No PR concerns were produced because the value/usefulness agent pass did not complete. Treat this audit as incomplete, not as approval.


What this audit checks

It judges the change on its merits — not whether it was tasked out in an issue. Unticketed, fast-moving work is fine; the question is whether the change is good and whether a better or existing approach should be used instead.

| Pass | What it asks |
| --- | --- |
| Heuristic | Vague title? Whitespace-only or cruft-bearing diff? (content signals only) |
| Duplication | Do added function/class names already exist elsewhere in the repo? |
| Value Audit | What does it do? What goal does it achieve? Is it good? Better architecture or already-exists? |
| Usefulness Audit | Does it integrate and fit? Will it hold up in real use and actually get used? |

Findings are concerns, not blocks — the human reviewer decides what to do with them.

value-audit · 20260621T201009Z

@tangletools

❌ Needs Work — 6501d8f0

Readiness 45/100 · Confidence 70/100 · 6 findings (2 high, 1 medium, 3 low)

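| | opencode-kimi | glm | deepseek | aggregate |
| --- | --- | --- | --- | --- |
| Readiness | 45 | 79 | 92 | 45 |
| Confidence | 70 | 70 | 70 | 70 |
| Correctness | 45 | 79 | 92 | 45 |
| Security | 45 | 79 | 92 | 45 |
| Testing | 45 | 79 | 92 | 45 |
| Architecture | 45 | 79 | 92 | 45 |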

Full multi-shot audit completed 2/2 planned shots over 2 changed files. Global verifier still owns final merge decision. | Full multi-shot audit completed 2/2 planned shots over 2 changed files. Global verifier still owns final merge decision. | Full multi-shot audit completed 2/2 planned shots over 2 changed files. Global verifier still owns final merge decision.

Blocking

🔴 HIGH Incomplete Polkadot JS major-version upgrade causes peer-dependency mismatch — package.json

Line 77 bumps @polkadot/keyring to ^14.0.3, but lines 80-81 leave @polkadot/util and @polkadot/util-crypto at ^13.4.3. yarn.lock:8373-8378 shows @polkadot/keyring@14.0.3 has both dependencies and peerDependencies pinned to @polkadot/util 14.0.3 and @polkadot/util-crypto 14.0.3. This forces two major versions of util/util-crypto into the tree. Polkadot JS packages require strict major-version alignment; this can produce crypto/keyring type mismatches and runtime errors. scripts/util.ts imports Keyring from @polkadot/api (v13, which transitively uses keyring v13 per yarn.lock:8630)

🔴 HIGH @polkadot/keyring v14 bump conflicts with locked @polkadot/util/util-crypto v13 — yarn.lock

yarn.lock:34216 bumps the workspace root to '@polkadot/keyring': 'npm:^14.0.3', but @polkadot/keyring@14.0.3 (yarn.lock:8369-8378) has peerDependencies on @polkadot/util@14.0.3 and @polkadot/util-crypto@14.0.3. The workspace root still provides @polkadot/util@13.4.3 and @polkadot/util-crypto@13.4.3 (yarn.lock:9369-9380), and @polkadot/api@13.2.1 (yarn.lock:8207) still depends on @polkadot/keyring ^13.1.1. yarn install --immutable emits YN0060 peer warnings and yarn explain peer-requirements pe9a79 reports the requested ranges have no overlap. This duplicates major versions of crypto/keyring packages and is a known source of runtime type/instanceof incompatibilities in polkadot-js. Fix by either reverting keyring to ^13.4.3 in yarn.lock/package.json, or bumping the full polkadot suite (

Other

🟠 MEDIUM Major-version bump of @polkadot/keyring without lockstep bump of other @polkadot/* packages creates version misalignment — package.json

package.json:77 changes @polkadot/keyring from ^13.4.3 to ^14.0.3 while @polkadot/api (^13.2.1, line 73), @polkadot/types (^13.2.1, line 79), @polkadot/util (^13.4.3, line 80), and @polkadot/util-crypto (^13.4.3, line 81) remain on v13. yarn.lock:8369-8378 shows keyring@14.0.3 declares exact peer deps @polkadot/util:14.0.3 and @polkadot/util-crypto:14.0.3, which it pulls in tra

🟡 LOW @polkadot/* version mix: keyring v14 with api/util/util-crypto at v13 — package.json

Line 77 bumps @polkadot/keyring to ^14.0.3 while @polkadot/api (line 73), @polkadot/types (line 79), @polkadot/util (line 80), and @polkadot/util-crypto (line 81) remain at v13.x. The @polkadot/* monorepo releases in lockstep — mixing major versions risks peer-dep mismatch a

🟡 LOW Duplicate @polkadot/util/util-crypto/keyring installed; bundle bloat and latent singleton risk — package.json

Because keyring@14.0.3 pins exact peer deps util@14.0.3 and util-crypto@14.0.3, yarn installs both v13.x and v14.0.3 copies. Node_modules and any bundler that fails to dedupe across majors will carry the extra ~117KB (matches the comment at libs/ui-components/src/components/Avatar/Identicon.tsx:7). Any future code that does a runtime import from '@polkadot/keyring' at root will instantiate the v14 crypto singletons, which are isolated from the v13 singletons used by @polkadot/api — known root cause of 'multiple instances of @polkadot/util-crypto' runtime errors in the polkadot-js ecosystem. No runtime import exists today, so impact is latent.

🟡 LOW Type-only import crosses major versions; typecheck may regress — package.json

scripts/util.ts:3 imports KeyringPair from @polkadot/keyring/types (now resolved to v14 type defs), while the runtime Keyring instance comes from @polkadot/api (v13, which wraps keyring@13.5.9). addFromUri() returns a v13 KeyringPair but is annotated against the v14 KeyringPair type. If v14 introduced required fields, removed fields, or renamed members on KeyringPair, yarn typecheck (nx typecheck) will fail. No typecheck run is shown in the PR. Mitigation: run yarn typecheck against this change before merge; if it fails, either align all @polkadot/* on v14 or revert.


tangletools · 2026-06-21T20:20:43Z · trace
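
The version conflict reported in the review above can be checked mechanically. The following is an added example, not part of the PR or of any commenter's output: it compares what the workspace root resolves against what each package requires of its siblings, using constructed data that mirrors the versions quoted in the thread. The function names are hypothetical, and `satisfies` handles only exact versions and caret ranges, not full semver.

```javascript
// Added example: constructed data mirroring the versions quoted in the review.
// Simplified range check: exact "x.y.z" or caret "^x.y.z" (majors >= 1) only.
const parse = (v) => v.split('.').map(Number);

function satisfies(version, range) {
  const caret = range.startsWith('^');
  const [M, m, p] = parse(version);
  const [rM, rm, rp] = parse(caret ? range.slice(1) : range);
  if (!caret) return M === rM && m === rm && p === rp;
  if (M !== rM) return false; // a caret range never crosses a major version
  return m > rm || (m === rm && p >= rp);
}

// What the workspace root resolves for each package (constructed).
const rootResolved = {
  '@polkadot/api': '13.2.1',
  '@polkadot/keyring': '14.0.3',
  '@polkadot/util': '13.4.3',
  '@polkadot/util-crypto': '13.4.3',
};

// What each resolved package requires of its siblings (constructed).
const requirements = {
  '@polkadot/keyring@14.0.3': { '@polkadot/util': '14.0.3', '@polkadot/util-crypto': '14.0.3' },
  '@polkadot/api@13.2.1': { '@polkadot/keyring': '^13.1.1' },
};

// Every requirement the root copy cannot satisfy forces a second installed copy.
function findMismatches(resolved, reqs) {
  const out = [];
  for (const [requirer, wanted] of Object.entries(reqs)) {
    for (const [name, range] of Object.entries(wanted)) {
      const provided = resolved[name];
      if (provided === undefined || !satisfies(provided, range)) {
        out.push({ requirer, name, range, provided: provided ?? null });
      }
    }
  }
  return out;
}

// Package names that end up installed in more than one version.
const duplicatedPackages = (mismatches) => [...new Set(mismatches.map((x) => x.name))].sort();

const mismatches = findMismatches(rootResolved, requirements);
for (const x of mismatches) {
  console.log(`${x.requirer} wants ${x.name}@${x.range}, root provides ${x.provided}`);
}
```
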

@tangletools tangletools left a comment

❌ 2 Blocking Findings — 6501d8f0

Full multi-shot audit completed 2/2 planned shots over 2 changed files. Global verifier still owns final merge decision. | Full multi-shot audit completed 2/2 planned shots over 2 changed files. Global verifier still owns final merge decision. | Full multi-shot audit completed 2/2 planned shots over 2 changed files. Global verifier still owns final merge decision.

Full immutable report for this review: trace

Summary comment for this run: full summary


tangletools · 2026-06-21T20:20:43Z · immutable trace
