Skip to content

build(deps): DEP-3 — crypto / vault modernization (WALLET-1330)#1379

Merged
Comp0te merged 12 commits into
release/2.6.0from
WALLET-1330-dep-3-crypto-vault-modernization
Jul 1, 2026
Merged

build(deps): DEP-3 — crypto / vault modernization (WALLET-1330)#1379
Comp0te merged 12 commits into
release/2.6.0from
WALLET-1330-dep-3-crypto-vault-modernization

Conversation

@ost-ptk

@ost-ptk ost-ptk commented Jul 1, 2026

Copy link
Copy Markdown
Member

DEP-3 — Crypto / vault modernization

Jira: WALLET-1330

Part of the dependency-modernization epic (WALLET-1326). Stacked on DEP-2 (WALLET-1328-dep-2-vulnerability-remediation) — this PR targets that branch; the DEP-2 commits already merged in are shared ancestors, so the diff below is the crypto scope only.

What changed

  • Replaced the deprecated micro-aes-gcm (author-deprecated) vault AES-256-GCM primitive with @noble/ciphers gcm. The on-disk vault blob layout — base64(iv[12] || ciphertext[N] || tag[16]) — is byte-identical, so existing user vaults keep decrypting. micro-aes-gcm is removed from package.json and the jest.config.js transform exception.
  • @noble/ciphers 1.3.0 → ^2.2.0 (ESM-only; every @noble/ciphers/* subpath specifier now carries .js). Note: v2 relocated randomBytes from webcrypto.js to utils.js — same crypto.getRandomValues CSPRNG, no behaviour change. @noble/hashes/* is a separate package and stays v1/CJS (untouched).
  • @lapo/asn1js 1.2.4 → ^2.1.3 (pure ESM, named exports): parse-secret-key-string.ts switched to { ASN1 } / { Base64 } from @lapo/asn1js/base64.js; ambient types in src/@types/lapo/lapo.d.ts tightened.
  • libsodium-wrappers-sumo floor → ^0.8.4 (patch; no source change).
  • @scure/bip32 / @scure/bip39 intentionally held at v1 (1.6.2 / 1.2.1). casper-js-sdk@5.0.12 pins @scure/* ^1 and shares the top-level copy; bumping to v2 would fork BIP32/39 into two implementations (wrong-address risk) with no upside. A //dependencyNotes note in package.json records this; bump only in lockstep when the SDK/core move off @scure ^1.

Byte-compat guard

A new characterization test src/libs/crypto/aes.back-compat.test.ts pins the blob format: it decrypts a real legacy micro-aes-gcm cipher fixture, asserts the iv[12] || ciphertext || tag[16] layout, and cross-checks against an independent Node createCipheriv('aes-256-gcm') oracle. It stays green across the swap. The MOCK_STATE e2e popup suite additionally decrypts a static legacy vault fixture through the real bundled unlock worker under @noble/ciphers v2.

Verification

  • npm run ci-check: green — tsc clean, 32/32 tests, 100% coverage, 0 lint errors.
  • Builds: chrome / firefox clean; safari JS bundle clean (no ESM resolution errors). The Safari Xcode-packaging step fails only on a local CoreSimulator version mismatch, unrelated to this change.
  • e2e: onboarding (6 passed) + popup / MOCK_STATE (46 passed) — exercise vault create + unlock/decrypt.
  • crypto-security-reviewer gate: PASS, byte-compat verified, 0 findings (no key/nonce leaks, CSPRNG nonce, constant-time GCM tag check).
  • dependency:circular: no new cycles.

Merge order

Draft while parents are open. Merge-forward (no force) once DEP-1/DEP-2 land; retarget as the train advances.

ost-ptk added 11 commits June 30, 2026 13:27
Bump .nvmrc to v22.23.1 (Jod LTS, >=22.18 for future Babel 8) and Node in all 4 CI workflows; add engines field. Land the Node-gated build-tool bumps that transitively resolve the serialize-javascript advisory: web-ext 8->10.4, copy-webpack-plugin 11->14, terser-webpack-plugin 5.3.6->5.6.1 (serialize-javascript now 7.0.6 only). Switch ci-check install to npm ci. No app-code changes.
Only one finding reaches the shipped bundle — i18next-http-backend's
path-traversal via unsanitised lng/ns — so it is upgraded outright; the
build-time serializer is treated as production-impacting and pinned via
overrides. Everything else is dev/build-toolchain and accepted dev-only.

- i18next-http-backend 2.5.0 -> ^3.0.5 (v3 uses global fetch; zero source
  change — i18n.ts has no backend:{} options block)
- overrides += serialize-javascript ^7.0.5 (CVE-2026-34043), tmp ^0.2.7
  (CVE-2026-44705); the override is mandatory — the webpack plugins resolve
  serialize-javascript to a vulnerable 6.x with no patch
- add audit:ci script (npm audit --omit=dev --audit-level=high) wired into
  CI as a blocking runtime gate plus a non-blocking full-tree audit
- regenerate package-lock.json under Node 22

Runtime audit clean (0). Residual is 16 dev-only advisories (0 critical),
all under @redux-devtools/* and webpack-dev-server — never bundled.
…dep-2-vulnerability-remediation

# Conflicts:
#	package-lock.json
…T-1330-dep-3-crypto-vault-modernization

Brings the DEP-2 fixes: scope router to path-to-regexp v8 (unbreaks start:chrome)
and the Safari xcode project path fix. DEP-3 crypto unchanged; byte-compat guard green.
It's a build-time-only CLI used solely by locale:extract_pot and never
shipped in the extension bundle. Keeping it in dependencies made the
audit:ci gate (npm audit --omit=dev) treat its subtree (undici,
node-fetch, cross-fetch) as runtime, which is why undici had to be
floated to 7.28.0 and why any future advisory in that tree would have
failed the gate as a false positive.
…T-1330-dep-3-crypto-vault-modernization

Brings DEP-2 commit: move i18next-parser to devDependencies (audit:ci gate fix).
DEP-3 crypto unchanged.
@ost-ptk ost-ptk marked this pull request as ready for review July 1, 2026 10:48
@ost-ptk ost-ptk requested a review from Comp0te July 1, 2026 10:48
Base automatically changed from WALLET-1328-dep-2-vulnerability-remediation to release/2.6.0 July 1, 2026 12:34
…rnization

Integrate release/2.6.0 (DEP-2 squash-merged as #1377) into the DEP-3 branch.
Net content unchanged: DEP-3 already carried the same DEP-2 changes via individual
commits, so the 3-way merge keeps the DEP-3 crypto deps and resolves the package-lock
conflict to the equivalent tree. Records release/2.6.0 as an ancestor so the PR can be
retargeted to release/2.6.0 and merge cleanly.
@ost-ptk ost-ptk changed the title DEP-3: Crypto / vault modernization (WALLET-1330) build(deps): DEP-3 — crypto / vault modernization (WALLET-1330) Jul 1, 2026
@Comp0te Comp0te merged commit 27d8580 into release/2.6.0 Jul 1, 2026
@Comp0te Comp0te deleted the WALLET-1330-dep-3-crypto-vault-modernization branch July 1, 2026 20:06
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants