try to fix dev timeout

[open-junius]

Description

Noticed the dev test timeout in ts-tests, check if it is from multithread parameter.

Related Issue(s)

• Closes #[issue number]

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update
• Other (please describe):

Breaking Change

If this PR introduces a breaking change, please provide a detailed description of the impact and the migration path for existing applications.

Checklist

• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have run ./scripts/fix_rust.sh to ensure my code is formatted and linted correctly
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes
• Any dependent changes have been merged and published in downstream modules

Screenshots (if applicable)

Please include any relevant screenshots or GIFs that demonstrate the changes made.

Additional Notes

Please provide any additional information or context that may be helpful for reviewers.

[github-actions]

🛡️ AI Review — Skeptic (security review)

VERDICT: VULNERABLE

BASELINE scrutiny: open-junius has write permission, >1 year old account, substantial prior contribution history, and no Gittensor allowlist match found; branch fix-dev-timeout -> devnet-ready.

The diff does not touch runtime/pallet code, Cargo dependencies, workflows, trusted AI-review files, or .github/copilot-instructions.md. The remaining security issue is confined to the ts-tests pnpm dependency graph.

Findings

Sev	File	Finding
HIGH	ts-tests/pnpm-lock.yaml:4163	Unvetted GitHub tarball dependency remains in lockfile	inline

Prior-comment reconciliation

• e9f817e2: not addressed — The current diff still adds toml@https://codeload.github.com/pepoviola/toml-node/... and still rewires @zombienet/utils snapshots to use that tarball.

Conclusion

Block until the lockfile no longer resolves toml from an unvetted GitHub tarball, or that source is explicitly justified and vetted. No evidence of malicious intent, but this is a concrete supply-chain regression.

---

📜 Previous run (superseded)

Sev	File	Finding	Status
HIGH	ts-tests/pnpm-lock.yaml:4163	Unvetted GitHub tarball dependency introduced in lockfile	➡️ Carried forward to current findings The current diff still adds toml@https://codeload.github.com/pepoviola/toml-node/... and still rewires @zombienet/utils snapshots to use that tarball.

---

🔍 AI Review — Auditor (domain review)

VERDICT: 👎

LIKELY gittensor / established contributor: no allowlist match, but open-junius has repo write permission and substantial recent subtensor PR activity.

The Auditor proposed a replacement PR description, but the current body is non-trivial; not overwriting. Maintainers: ask the Auditor to regenerate if you want it.

No spec_version bump is required because this only changes ts-tests/moonwall.config.json.

Auto-fix: not needed. I did not run the Moonwall E2E suite because the concurrency issue is visible from the config and existing dev tests.

Duplicate-work check: PRs #2728, #2716, and #2715 overlap on ts-tests/moonwall.config.json, but the prefetched metadata indicates broader or orthogonal scopes; none clearly supersedes this narrow dev-timeout PR.

Findings

Sev	File	Finding
MEDIUM	ts-tests/moonwall.config.json:15	Do not parallelize the shared dev chain tests	inline

Conclusion

Block for now. The only behavioral change enables concurrent execution for stateful dev E2E suites that share accounts and chain state, which is likely to make the timeout/flakiness problem worse rather than safer.

[github-actions]

🔄 AI review updated — Skeptic: SAFE Auditor: 👍

[github-actions]

🔄 AI review updated — Skeptic: SAFE Auditor: 👍

[github-actions]

🔄 AI review updated — Skeptic: SAFE Auditor: 👍

[github-actions]

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

[github-actions]

[MEDIUM] Do not parallelize the shared dev chain tests

The dev Moonwall suite is not isolated per test file: the existing files under suites/dev reuse shared keyring accounts such as Alice/Bob, mutate global chain state, register subnets, sudo-set parameters, and manually create blocks against the configured dev foundation. Enabling multiThreads lets those files run concurrently against that same environment, so nonce reads, block creation, subnet IDs, balances, and pallet state can race each other. That makes the timeout fix non-deterministic and can turn passing tests into flakes.

Keep this disabled unless the suite is first split so each worker gets an isolated node/state snapshot or the tests are made concurrency-safe.

Suggested change

	"multiThreads": true,
	"multiThreads": false,

[github-actions]

🔄 AI review updated — Skeptic: SAFE Auditor: 👎

[github-actions]

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

[github-actions]

[HIGH] Unvetted GitHub tarball dependency introduced in lockfile

The PR removes the toml: 3.0.0 override and changes @moonwall/* resolution from the npm toml@3.0.0 package with integrity metadata to a GitHub codeload tarball (pepoviola/toml-node at a commit). That is a new git-hosted supply-chain input for CI/test installs, unrelated to the stated timeout/config change, and the lockfile entry has no registry integrity hash. Restore the override/regenerate the lockfile so toml resolves to the npm package, or provide an explicit security review/justification for this source change.

[github-actions]

🔄 AI review updated — Skeptic: VULNERABLE

[github-actions]

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.

[github-actions]

[HIGH] Unvetted GitHub tarball dependency remains in lockfile

This adds a reachable toml package resolution from codeload.github.com; the snapshots later resolve @zombienet/utils to this tarball instead of the npm registry toml@3.0.0. GitHub tarball dependencies bypass the normal registry integrity/provenance path and would be fetched when CI installs the test dependencies. Restore the workspace/lockfile override that pins toml to the registry package, or provide explicit vetting and justification for this source before merging.

[github-actions]

🔄 AI review updated — Skeptic: VULNERABLE