
refactor(address-book): consolidate publish source list to one place #1330

Open
RembrandtK wants to merge 1 commit into main from refactor-address-book-publish-scripts

@RembrandtK
Contributor

The set of packages exported by @graphprotocol/address-book was duplicated three times: the exports map in package.json, FILES_TO_COPY in copy-addresses-for-publish.js, and SYMLINKS_TO_RESTORE in restore-symlinks.js. Drift had already crept in -- issuance was referenced everywhere but src/issuance/ was missing on disk, which would break prepublishOnly.

Collapse to a single SOURCES array in scripts/sources.js consumed by both scripts. Use a subpath pattern in package.json exports ("./*/addresses.json": "./src/*/addresses.json") so the exports map no longer enumerates names.

Both scripts now mkdir src/<name>/ recursively and use rmSync({ force: true }) in place of the existsSync/unlinkSync dance, so a missing dir or stale entry is handled silently. The copy step ends with a drift check that catches src/<name>/ dirs not listed in SOURCES (stale leftovers from removed entries).

Verified end-to-end: pnpm pack produces a tarball containing real files under src/{horizon,issuance,subgraph-service}/addresses.json, and restore-symlinks puts the symlinks back at the original relative targets.


Copilot AI left a comment


Pull request overview

Refactors @graphprotocol/address-book publishing to avoid duplicated “which address sources exist” lists and reduce drift between package.json exports and the publish/restore scripts.

Changes:

  • Introduces a single SOURCES list (scripts/sources.js) consumed by both publish-time copy and postpublish symlink restore scripts.
  • Switches package.json#exports to a subpath pattern so the exports map no longer enumerates each source explicitly.
  • Makes publish/restore scripts more resilient by creating src/<name>/ as needed, using rmSync({ force: true }), and adding a drift check to fail if src/ contains unexpected source dirs.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

| File | Description |
| --- | --- |
| packages/address-book/scripts/sources.js | Centralizes the exported address source list. |
| packages/address-book/scripts/restore-symlinks.js | Restores symlinks based on SOURCES and ensures directories exist. |
| packages/address-book/scripts/copy-addresses-for-publish.js | Copies real addresses.json files based on SOURCES and checks for drift under src/. |
| packages/address-book/package.json | Replaces enumerated exports with a wildcard subpath pattern. |


Comment thread packages/address-book/scripts/sources.js
@codecov

codecov Bot commented Apr 29, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 88.62%. Comparing base (52b5356) to head (5014957).

Additional details and impacted files
@@           Coverage Diff           @@
##             main    #1330   +/-   ##
=======================================
  Coverage   88.62%   88.62%           
=======================================
  Files          75       75           
  Lines        4615     4615           
  Branches      823      823           
=======================================
  Hits         4090     4090           
  Misses        504      504           
  Partials       21       21           
| Flag | Coverage Δ |
| --- | --- |
| unittests | 88.62% <ø> (ø) |

@RembrandtK RembrandtK self-assigned this Apr 29, 2026
The set of packages exported by @graphprotocol/address-book was duplicated
three times: the exports map in package.json, FILES_TO_COPY in
copy-addresses-for-publish.js, and SYMLINKS_TO_RESTORE in restore-symlinks.js.
Drift had already crept in -- issuance was referenced everywhere but
src/issuance/ was missing on disk, which would break prepublishOnly.

Collapse to a single SOURCES array in scripts/sources.js consumed by both
scripts. Use a subpath pattern in package.json exports
("./*/addresses.json": "./src/*/addresses.json") so the exports map no
longer enumerates names.

Both scripts now mkdir src/<name>/ recursively and use rmSync({ force: true })
in place of the existsSync/unlinkSync dance, so a missing dir or stale entry
is handled silently. The copy step ends with a drift check that catches
src/<name>/ dirs not listed in SOURCES (stale leftovers from removed entries).

Verified end-to-end: pnpm pack produces a tarball containing real files
under src/{horizon,issuance,subgraph-service}/addresses.json, and
restore-symlinks puts the symlinks back at the original relative targets.
@RembrandtK RembrandtK force-pushed the refactor-address-book-publish-scripts branch from f7a72f1 to 5014957 Compare April 29, 2026 13:01
@RembrandtK RembrandtK requested a review from Maikol April 29, 2026 13:03
@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action | Severity | Alert
Warn | Critical | Critical CVE: Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code in npm babel-traverse

CVE: GHSA-67hx-6x53-jw92 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code (CRITICAL)

Affected versions: >= 0

Patched version: No patched versions

From: pnpm-lock.yaml npm/babel-traverse@6.26.0


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/babel-traverse@6.26.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn | High | Obfuscated code: npm @react-native/debugger-frontend is 96.0% likely obfuscated

Confidence: 0.96

Location: Package overview

From: pnpm-lock.yaml npm/@react-native/debugger-frontend@0.81.4


Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-native/debugger-frontend@0.81.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn | High | Obfuscated code: npm buffer is 96.0% likely obfuscated

Confidence: 0.96

Location: Package overview

From: pnpm-lock.yaml npm/@openzeppelin/hardhat-upgrades@1.28.0 npm/@openzeppelin/foundry-upgrades@0.4.0 npm/buffer@4.9.2


Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/buffer@4.9.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
