build(deps): DEP-6 — build toolchain (loaders, asset modules) (WALLET-1332) #1382
Merged
Comp0te merged 14 commits intoJul 1, 2026
Bump .nvmrc to v22.23.1 (Jod LTS, >=22.18 for future Babel 8) and Node in all 4 CI workflows; add engines field. Land the Node-gated build-tool bumps that transitively resolve the serialize-javascript advisory: web-ext 8->10.4, copy-webpack-plugin 11->14, terser-webpack-plugin 5.3.6->5.6.1 (serialize-javascript now 7.0.6 only). Switch ci-check install to npm ci. No app-code changes.
Only one finding reaches the shipped bundle — i18next-http-backend's
path-traversal via unsanitised lng/ns — so it is upgraded outright; the
build-time serializer is treated as production-impacting and pinned via
overrides. Everything else is dev/build-toolchain and accepted dev-only.
- i18next-http-backend 2.5.0 -> ^3.0.5 (v3 uses global fetch; zero source
change — i18n.ts has no backend:{} options block)
- overrides += serialize-javascript ^7.0.5 (CVE-2026-34043), tmp ^0.2.7
(CVE-2026-44705); the override is mandatory — the webpack plugins resolve
serialize-javascript to a vulnerable 6.x with no patch
- add audit:ci script (npm audit --omit=dev --audit-level=high) wired into
CI as a blocking runtime gate plus a non-blocking full-tree audit
- regenerate package-lock.json under Node 22
Runtime audit clean (0). Residual is 16 dev-only advisories (0 critical),
all under @redux-devtools/* and webpack-dev-server — never bundled.
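An added example, not part of the commit or the project's code: a check that the `overrides` pin described in the commit message above left no copy of the pinned packages below the patched floor anywhere in the lock tree. The floors come from the commit message; the lockfile object, its package names and the nested 6.0.2 entry are constructed sample data, and `cmp` / `findBelowFloor` are hypothetical helper names.

```javascript
// Added example: confirm an npm `overrides` pin took effect across the whole lock tree.
// Minimum patched versions, taken from the commit message above.
const FLOORS = new Map([['serialize-javascript', '7.0.5'], ['tmp', '0.2.7']]);

// Constructed sample in lockfileVersion 3 shape (not this project's real lockfile).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-extension' },
    'node_modules/serialize-javascript': { version: '7.0.6', dev: true },
    'node_modules/terser-webpack-plugin/node_modules/serialize-javascript':
      { version: '6.0.2', dev: true }, // nested copy the override is meant to remove
    'node_modules/tmp': { version: '0.2.7', dev: true },
    'node_modules/@scope/linked': { link: true }, // link entry: no version field
  },
};

// Compare plain x.y.z versions (pre-release suffix ignored): <0, 0 or >0.
function cmp(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Report every installed copy, hoisted or nested, that resolves below its floor.
function findBelowFloor(lock, floors = FLOORS) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1 || !meta.version) continue; // root entry or link
    const name = path.slice(idx + 'node_modules/'.length);
    const floor = floors.get(name);
    if (floor && cmp(meta.version, floor) < 0) {
      hits.push({ name, path, version: meta.version, devOnly: meta.dev === true });
    }
  }
  return hits;
}

console.log(findBelowFloor(SAMPLE_LOCK));
```

Run against a real tree by passing the parsed contents of `package-lock.json`; an empty result means no installed copy sits below a floor, which `npm audit --omit=dev` alone would not show for dev-only paths.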
… swap (WALLET-1330)
…s gcm (WALLET-1330)
… v1 hold (WALLET-1330)
…dep-2-vulnerability-remediation # Conflicts: # package-lock.json
…T-1330-dep-3-crypto-vault-modernization Brings the DEP-2 fixes: scope router to path-to-regexp v8 (unbreaks start:chrome) and the Safari xcode project path fix. DEP-3 crypto unchanged; byte-compat guard green.
…WALLET-1329) Bump all 4 Ledger transports together (hw-transport/webhid to ^6.35.4, webusb/web-ble to ^6.34.4), @zondax/ledger-casper to ^2.6.4, @bringweb3/chrome-extension-kit to 1.7.0, and @tanstack/react-query to ^5.101.2. Add an override deduping @ledgerhq/hw-transport to a single version, since @zondax/ledger-casper@2.6.4 newly pins 6.31.16. Add @ledgerhq/devices as an explicit direct dep since transport.ts imports it and deep-imports hw-transport-webusb/lib/webusb. casper-js-sdk and casper-wallet-core are untouched (held/out of scope for this phase).
…wright 1.61 (WALLET-1331) Resolves the moderate node-notifier advisory carried by the Jest 29 chain. Jest 30 drops the toThrowError matcher alias, and Playwright 1.57+ switched the default chromium channel to Chrome-for-Testing, which needs an explicit channel pin for the unpacked-extension e2e harness.
…ed RTL deps (WALLET-1331) jest.e2e.config.js and jest.tsconfig.json were unreferenced by any script or CI job; jest-environment-jsdom only existed to back that dead config's testEnvironment:'jsdom'. @testing-library/react, @testing-library/dom and @testing-library/user-event have zero imports in src or e2e-tests. @testing-library/jest-dom stays: it's wired into jest.config.js setupFilesAfterEnv and typed in src/global.d.ts.
…ALLET-1332) Bump webpack ^5.108.1, css-loader ^7.1.2, style-loader ^4.0.0, html-loader ^5.1.0, babel-loader ^10.0.0, dotenv-webpack ^9.0.0. Remove unused webpack-cli, url-loader, file-loader, @babel/plugin-proposal-class-properties (0 import sites / never invoked). Convert the file-loader rule to a native webpack 5 asset/resource module to drop the dependency without changing behavior. Also drops an unused `Page` import from e2e-tests/constants.ts.
Base automatically changed from
WALLET-1331-dep-5-test-toolchain-jest-30-testing-library-16-playwright-1-61
to
release/2.6.0
July 1, 2026 20:54
…oaders-asset-modules
Comp0te
approved these changes
Jul 1, 2026
Summary
Bumps the webpack loader stack and removes dead build-tooling packages, as part of the dependency modernization epic. See WALLET-1332 for the ticket.
Stacked on top of DEP-5 (#WALLET-1331) — targets that branch, not `develop`.
- `webpack` ^5.108.1, `css-loader` ^7.1.2, `style-loader` ^4.0.0, `html-loader` ^5.1.0, `babel-loader` ^10.0.0, `dotenv-webpack` ^9.0.0.
- `webpack-cli` (never invoked — builds run `node utils/build.js` directly), `url-loader` (unused), `file-loader` (0 import sites), `@babel/plugin-proposal-class-properties` (unused, native in Babel 8).
- `copy-webpack-plugin` / `terser-webpack-plugin` were already on target versions from DEP-1 — untouched.
- `file-loader` rule to a native webpack 5 `asset/resource` module (`generator: { filename: '[name][ext]' }`) instead of just deleting it, to preserve identical output behavior while dropping the dependency.
Fixed during verification
Initially added a defensive `modules: { namedExport: false }` to the `css-loader` options per the plan doc. This turned out to break the popup layout: passing an object to css-loader's `modules` option disables its `auto` detection default (which normally scopes CSS Modules to `*.module.css` only), forcing locally-scoped/hashed class names onto every `.css` import. That desynced the plain global CSS from `mac-scrollbar.css` and `react-loading-skeleton/skeleton.css` (e.g. `.ms-container { overflow: auto }` no longer matched the real DOM element, which uses the literal `ms-container` class from the library's JS), so the scroll container stopped clipping and pushed content off-screen after unlocking the wallet. Reverted to the plain `['style-loader', 'css-loader']` rule (no config change), which is what the plan's primary recommendation already was.
Test plan
- `build:chrome` (MV3), `build:firefox` (MV2), `build:manifest:v2:safari` — all three build successfully, correct CSP per manifest.
- `npm run e2e:chrome:headless:onboarding` — 6/6 passed (exercises the wasm/crypto vault-creation path).
- `npm run e2e:chrome:headless:popup` — 46/47 passed, 1 skipped (unlock/lock, password change, dapp connect, CSS/icons render).
- `npm run dev:chrome` — webpack-dev-server@5 starts, HMR/writeToDisk intact.
- `npm run ci-check` green.
Pre-existing issue (not caused by this change, flagged in the ticket): `xcode-build-webpack-plugin` is declared but not installed, so `npm run start:safari` throws on dev hot-reload startup. Production Safari build via `build.js` is unaffected.
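An added example, not code from this PR or from css-loader: a simplified model of css-loader's documented `modules` / `modules.auto` decision, applied to the rule that broke the popup, the plain rule the PR reverted to, and an object form that keeps filename detection. The `/\.css$/` rule test, `Button.module.css` and all function names are assumptions; the two library stylesheets are the ones named under "Fixed during verification".

```javascript
// Added example: which stylesheets get locally-scoped class names under each rule.
// Models only undefined / boolean / object values of `modules`; string modes and the
// .icss filename convention are left out.
const MODULE_FILE = /\.module\.\w+$/i;

function treatedAsCssModule(modulesOption, resourcePath) {
  if (modulesOption === undefined) return MODULE_FILE.test(resourcePath); // default
  if (typeof modulesOption === 'boolean') return modulesOption;
  const { auto } = modulesOption;
  if (auto === undefined) return true; // object without `auto`: every file is scoped
  if (typeof auto === 'boolean') return auto && MODULE_FILE.test(resourcePath);
  if (auto instanceof RegExp) return auto.test(resourcePath);
  return Boolean(auto(resourcePath)); // user-supplied predicate
}

// Library stylesheets named in the PR, plus one hypothetical CSS Module.
const FILES = [
  'mac-scrollbar.css',
  'react-loading-skeleton/skeleton.css',
  'Button.module.css',
];

const withModules = (modules) => ({
  test: /\.css$/, // assumed rule test
  use: ['style-loader', { loader: 'css-loader', options: { modules } }],
});

const RULES = {
  plain: { test: /\.css$/, use: ['style-loader', 'css-loader'] }, // what was kept
  broken: withModules({ namedExport: false }),                    // what was reverted
  objectWithAuto: withModules({ auto: true, namedExport: false }), // keeps detection
};

// Pull the effective `modules` value out of a rule's css-loader entry.
function cssLoaderModulesOption(rule) {
  const entry = rule.use.find((u) => u === 'css-loader' || u.loader === 'css-loader');
  return typeof entry === 'string' ? undefined : entry.options && entry.options.modules;
}

function scopedFiles(rule) {
  const opt = cssLoaderModulesOption(rule);
  return FILES.filter((f) => treatedAsCssModule(opt, f));
}

for (const [name, rule] of Object.entries(RULES)) {
  console.log(name, '->', scopedFiles(rule));
}
```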