Commit 00be8fd
build(deps): DEP-5 — test toolchain: Jest 30 + testing-library 16 + Playwright 1.61 (WALLET-1331) (#1381)
* build(deps): bump Node 18 → 22 LTS + build-time RCE fix (WALLET-1327)
Bump .nvmrc to v22.23.1 (Jod LTS, >=22.18 for future Babel 8) and Node in all 4 CI workflows; add engines field. Land the Node-gated build-tool bumps that transitively resolve the serialize-javascript advisory: web-ext 8->10.4, copy-webpack-plugin 11->14, terser-webpack-plugin 5.3.6->5.6.1 (serialize-javascript now 7.0.6 only). Switch ci-check install to npm ci. No app-code changes.
* fix(deps): remediate npm audit vulnerabilities (WALLET-1328)
Only one finding reaches the shipped bundle — i18next-http-backend's
path-traversal via unsanitised lng/ns — so it is upgraded outright; the
build-time serializer is treated as production-impacting and pinned via
overrides. Everything else is dev/build-toolchain and accepted dev-only.
- i18next-http-backend 2.5.0 -> ^3.0.5 (v3 uses global fetch; zero source
change — i18n.ts has no backend:{} options block)
- overrides += serialize-javascript ^7.0.5 (CVE-2026-34043), tmp ^0.2.7
(CVE-2026-44705); the override is mandatory — the webpack plugins resolve
serialize-javascript to a vulnerable 6.x with no patch
- add audit:ci script (npm audit --omit=dev --audit-level=high) wired into
CI as a blocking runtime gate plus a non-blocking full-tree audit
- regenerate package-lock.json under Node 22
Runtime audit clean (0). Residual is 16 dev-only advisories (0 critical),
all under @redux-devtools/* and webpack-dev-server — never bundled.
* test(crypto): pin vault AES-GCM blob byte-format before micro-aes-gcm swap (WALLET-1330)
* refactor(crypto): replace deprecated micro-aes-gcm with @noble/ciphers gcm (WALLET-1330)
* build(deps): migrate @lapo/asn1js to v2 ESM named exports (WALLET-1330)
* build(deps): bump @noble/ciphers to v2 + libsodium floor; record @Scure v1 hold (WALLET-1330)
* fix(deps): scope router to path-to-regexp v8 to unbreak start:chrome (WALLET-1328)
* build(deps): bump Ledger transports, zondax, bringweb3, react-query (WALLET-1329)
Bump all 4 Ledger transports together (hw-transport/webhid to ^6.35.4,
webusb/web-ble to ^6.34.4), @zondax/ledger-casper to ^2.6.4,
@bringweb3/chrome-extension-kit to 1.7.0, and @tanstack/react-query to
^5.101.2. Add an override deduping @ledgerhq/hw-transport to a single
version, since @zondax/ledger-casper@2.6.4 newly pins 6.31.16. Add
@ledgerhq/devices as an explicit direct dep since transport.ts imports
it and deep-imports hw-transport-webusb/lib/webusb. casper-js-sdk and
casper-wallet-core are untouched (held/out of scope for this phase).
* build(deps): bump test toolchain to Jest 30, testing-library 16, Playwright 1.61 (WALLET-1331)
Resolves the moderate node-notifier advisory carried by the Jest 29 chain.
Jest 30 drops the toThrowError matcher alias, and Playwright 1.57+ switched
the default chromium channel to Chrome-for-Testing, which needs an explicit
channel pin for the unpacked-extension e2e harness.
* chore(deps): drop dead jest.e2e.config.js/jest.tsconfig.json and unused RTL deps (WALLET-1331)
jest.e2e.config.js and jest.tsconfig.json were unreferenced by any script or
CI job; jest-environment-jsdom only existed to back that dead config's
testEnvironment:'jsdom'. @testing-library/react, @testing-library/dom and
@testing-library/user-event have zero imports in src or e2e-tests.
@testing-library/jest-dom stays: it's wired into jest.config.js
setupFilesAfterEnv and typed in src/global.d.ts.
---------
Co-authored-by: Dmytro Vynnyk <simbiatoff@gmail.com>1 parent 8e50c3b commit 00be8fd
6 files changed
Lines changed: 1161 additions & 4008 deletions
File tree
- e2e-tests
- src/libs/crypto
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
28 | 28 | | |
29 | 29 | | |
30 | 30 | | |
| 31 | + | |
31 | 32 | | |
32 | 33 | | |
33 | 34 | | |
| |||
This file was deleted.
This file was deleted.
0 commit comments