build(deps): DEP-3 — crypto / vault modernization (WALLET-1330)#1379
Merged
Comp0te merged 12 commits into release/2.6.0 on Jul 1, 2026
Conversation
Bump .nvmrc to v22.23.1 (Jod LTS, >=22.18 for future Babel 8) and Node in all 4 CI workflows; add engines field. Land the Node-gated build-tool bumps that transitively resolve the serialize-javascript advisory: web-ext 8->10.4, copy-webpack-plugin 11->14, terser-webpack-plugin 5.3.6->5.6.1 (serialize-javascript now 7.0.6 only). Switch ci-check install to npm ci. No app-code changes.
Only one finding reaches the shipped bundle — i18next-http-backend's path-traversal via unsanitised lng/ns — so it is upgraded outright; the build-time serializer is treated as production-impacting and pinned via overrides. Everything else is dev/build-toolchain and accepted dev-only.
- i18next-http-backend 2.5.0 -> ^3.0.5 (v3 uses global fetch; zero source change — i18n.ts has no backend:{} options block)
- overrides += serialize-javascript ^7.0.5 (CVE-2026-34043), tmp ^0.2.7 (CVE-2026-44705); the override is mandatory — the webpack plugins resolve serialize-javascript to a vulnerable 6.x with no patch
- add audit:ci script (npm audit --omit=dev --audit-level=high) wired into CI as a blocking runtime gate plus a non-blocking full-tree audit
- regenerate package-lock.json under Node 22
Runtime audit clean (0). Residual is 16 dev-only advisories (0 critical), all under @redux-devtools/* and webpack-dev-server — never bundled.
… swap (WALLET-1330)
…s gcm (WALLET-1330)
… v1 hold (WALLET-1330)
…dep-2-vulnerability-remediation # Conflicts: # package-lock.json
…T-1330-dep-3-crypto-vault-modernization Brings the DEP-2 fixes: scope router to path-to-regexp v8 (unbreaks start:chrome) and the Safari xcode project path fix. DEP-3 crypto unchanged; byte-compat guard green.
It's a build-time-only CLI used solely by locale:extract_pot and never shipped in the extension bundle. Keeping it in dependencies made the audit:ci gate (npm audit --omit=dev) treat its subtree (undici, node-fetch, cross-fetch) as runtime, which is why undici had to be floated to 7.28.0 and why any future advisory in that tree would have failed the gate as a false positive.
…T-1330-dep-3-crypto-vault-modernization Brings DEP-2 commit: move i18next-parser to devDependencies (audit:ci gate fix). DEP-3 crypto unchanged.
Base automatically changed from WALLET-1328-dep-2-vulnerability-remediation to release/2.6.0 (July 1, 2026 12:34)
…rnization Integrate release/2.6.0 (DEP-2 squash-merged as #1377) into the DEP-3 branch. Net content unchanged: DEP-3 already carried the same DEP-2 changes via individual commits, so the 3-way merge keeps the DEP-3 crypto deps and resolves the package-lock conflict to the equivalent tree. Records release/2.6.0 as an ancestor so the PR can be retargeted to release/2.6.0 and merge cleanly.
Comp0te approved these changes on Jul 1, 2026
DEP-3 — Crypto / vault modernization
Jira: WALLET-1330
Part of the dependency-modernization epic (WALLET-1326). Stacked on DEP-2 (WALLET-1328-dep-2-vulnerability-remediation) — this PR targets that branch; the DEP-2 commits already merged in are shared ancestors, so the diff below is the crypto scope only.
What changed
- `micro-aes-gcm` (author-deprecated) vault AES-256-GCM primitive replaced with `@noble/ciphers` `gcm`. The on-disk vault blob layout — `base64(iv[12] || ciphertext[N] || tag[16])` — is byte-identical, so existing user vaults keep decrypting. `micro-aes-gcm` is removed from `package.json` and the `jest.config.js` transform exception.
- `@noble/ciphers` 1.3.0 → ^2.2.0 (ESM-only; every `@noble/ciphers/*` subpath specifier now carries `.js`). Note: v2 relocated `randomBytes` from `webcrypto.js` to `utils.js` — same `crypto.getRandomValues` CSPRNG, no behaviour change. `@noble/hashes/*` is a separate package and stays v1/CJS (untouched).
- `@lapo/asn1js` 1.2.4 → ^2.1.3 (pure ESM, named exports): `parse-secret-key-string.ts` switched to `{ ASN1 }` / `{ Base64 }` from `@lapo/asn1js/base64.js`; ambient types in `src/@types/lapo/lapo.d.ts` tightened.
- `libsodium-wrappers-sumo` floor → ^0.8.4 (patch; no source change).
- `@scure/bip32` / `@scure/bip39` intentionally held at v1 (1.6.2 / 1.2.1). `casper-js-sdk@5.0.12` pins `@scure/* ^1` and shares the top-level copy; bumping to v2 would fork BIP32/39 into two implementations (wrong-address risk) with no upside. A `//dependencyNotes` note in `package.json` records this; bump only in lockstep when the SDK/core move off `@scure ^1`.
Byte-compat guard
A new characterization test `src/libs/crypto/aes.back-compat.test.ts` pins the blob format: it decrypts a real legacy `micro-aes-gcm` cipher fixture, asserts the `iv[12] || ciphertext || tag[16]` layout, and cross-checks against an independent Node `createCipheriv('aes-256-gcm')` oracle. It stays green across the swap. The `MOCK_STATE` e2e popup suite additionally decrypts a static legacy vault fixture through the real bundled unlock worker under `@noble/ciphers` v2.
Verification
`npm run ci-check`: green — tsc clean, 32/32 tests, 100% coverage, 0 lint errors. `chrome`/`firefox` clean; `safari` JS bundle clean (no ESM resolution errors). The Safari Xcode-packaging step fails only on a local CoreSimulator version mismatch, unrelated to this change. `crypto-security-reviewer` gate: PASS, byte-compat verified, 0 findings (no key/nonce leaks, CSPRNG nonce, constant-time GCM tag check). `dependency:circular`: no new cycles.
Merge order
Draft while parents are open. Merge-forward (no force) once DEP-1/DEP-2 land; retarget as the train advances.