build(deps): DEP-6 — build toolchain (loaders, asset modules) (WALLET-1332) #1382

Merged
Comp0te merged 14 commits into release/2.6.0 from WALLET-1332-dep-6-build-toolchain-loaders-asset-modules
Jul 1, 2026
ost-ptk (Member) commented Jul 1, 2026

Summary

Bumps the webpack loader stack and removes dead build-tooling packages, as part of the dependency modernization epic. See WALLET-1332 for the ticket.

Stacked on top of DEP-5 (#WALLET-1331) — targets that branch, not develop.

  • Bump webpack ^5.108.1, css-loader ^7.1.2, style-loader ^4.0.0, html-loader ^5.1.0, babel-loader ^10.0.0, dotenv-webpack ^9.0.0.
  • Remove webpack-cli (never invoked — builds run node utils/build.js directly), url-loader (unused), file-loader (0 import sites), @babel/plugin-proposal-class-properties (unused, native in Babel 8).
  • copy-webpack-plugin/terser-webpack-plugin were already on target versions from DEP-1 — untouched.
  • Converted the file-loader rule to a native webpack 5 asset/resource module (generator: { filename: '[name][ext]' }) instead of just deleting it, to preserve identical output behavior while dropping the dependency.

Fixed during verification

Initially added a defensive modules: { namedExport: false } to the css-loader options per the plan doc. This turned out to break the popup layout: passing an object to css-loader's modules option disables its auto detection default (which normally scopes CSS Modules to *.module.css only), forcing locally-scoped/hashed class names onto every .css import. That desynced the plain global CSS from mac-scrollbar.css and react-loading-skeleton/skeleton.css (e.g. .ms-container { overflow: auto } no longer matched the real DOM element, which uses the literal ms-container class from the library's JS), so the scroll container stopped clipping and pushed content off-screen after unlocking the wallet. Reverted to the plain ['style-loader', 'css-loader'] rule (no config change), which is what the plan's primary recommendation already was.

Test plan

  • build:chrome (MV3), build:firefox (MV2), build:manifest:v2:safari — all three build successfully, correct CSP per manifest.
  • npm run e2e:chrome:headless:onboarding — 6/6 passed (exercises the wasm/crypto vault-creation path).
  • npm run e2e:chrome:headless:popup — 46/47 passed, 1 skipped (unlock/lock, password change, dapp connect, CSS/icons render).
  • Manually verified popup layout after unlock (computed styles + screenshot) — scroll container clips correctly, no more content pushed below the viewport.
  • npm run dev:chrome — webpack-dev-server@5 starts, HMR/writeToDisk intact.
  • npm run ci-check green.

Pre-existing issue (not caused by this change, flagged in the ticket): xcode-build-webpack-plugin is declared but not installed, so npm run start:safari throws on dev hot-reload startup. Production Safari build via build.js is unaffected.
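
The css-loader behaviour described under "Fixed during verification", as an added example that is not part of the original PR or the project's code: a simplified model of how the `modules` option decides which stylesheets get locally scoped class names. The function names and the `header.module.css` path are hypothetical; the model assumes css-loader's default `mode` and ignores `*.icss.*` files.

```javascript
// Simplified model of css-loader's `modules` resolution; an assumption for
// illustration, not css-loader source. Assumes the default `mode` ("local")
// and ignores *.icss.* files.
const MODULE_FILE = /\.module\.\w+$/i;

// True when class names in `resourcePath` would be locally scoped (hashed).
function isLocallyScoped(modulesOption, resourcePath) {
  if (modulesOption === false) return false;

  let auto;
  if (modulesOption === undefined) {
    auto = true; // default: filename-based detection
  } else if (modulesOption === true) {
    auto = undefined; // modules forced on for every file
  } else if (typeof modulesOption === 'object' && modulesOption !== null) {
    auto = modulesOption.auto; // undefined unless set explicitly
  } else {
    throw new TypeError('modules form not covered by this model');
  }

  if (auto === true) return MODULE_FILE.test(resourcePath);
  if (auto === false) return false;
  if (auto instanceof RegExp) return auto.test(resourcePath);
  if (typeof auto === 'function') return Boolean(auto(resourcePath));
  return true; // no `auto`: every imported .css file is scoped
}

// Plain (non-module) stylesheets that a given option would scope anyway.
function scopedGlobalSheets(modulesOption, files) {
  return files.filter(
    (f) => !MODULE_FILE.test(f) && isLocallyScoped(modulesOption, f)
  );
}

// Constructed import list: two library sheets named in the PR plus one
// hypothetical CSS Module.
const SHEETS = [
  'mac-scrollbar.css',
  'react-loading-skeleton/skeleton.css',
  'src/popup/header.module.css', // hypothetical path
];

console.log(scopedGlobalSheets({ namedExport: false }, SHEETS)); // the config that broke the popup
console.log(scopedGlobalSheets({ auto: true, namedExport: false }, SHEETS));
console.log(scopedGlobalSheets(undefined, SHEETS)); // plain ['style-loader', 'css-loader']
```

A check of this shape can run in CI against the resolved loader options, so an options object that silently scopes third-party global CSS is caught before a layout regression reaches e2e.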

ost-ptk added 13 commits June 30, 2026 13:27
Bump .nvmrc to v22.23.1 (Jod LTS, >=22.18 for future Babel 8) and Node in all 4 CI workflows; add engines field. Land the Node-gated build-tool bumps that transitively resolve the serialize-javascript advisory: web-ext 8->10.4, copy-webpack-plugin 11->14, terser-webpack-plugin 5.3.6->5.6.1 (serialize-javascript now 7.0.6 only). Switch ci-check install to npm ci. No app-code changes.
Only one finding reaches the shipped bundle — i18next-http-backend's
path-traversal via unsanitised lng/ns — so it is upgraded outright; the
build-time serializer is treated as production-impacting and pinned via
overrides. Everything else is dev/build-toolchain and accepted dev-only.

- i18next-http-backend 2.5.0 -> ^3.0.5 (v3 uses global fetch; zero source
  change — i18n.ts has no backend:{} options block)
- overrides += serialize-javascript ^7.0.5 (CVE-2026-34043), tmp ^0.2.7
  (CVE-2026-44705); the override is mandatory — the webpack plugins resolve
  serialize-javascript to a vulnerable 6.x with no patch
- add audit:ci script (npm audit --omit=dev --audit-level=high) wired into
  CI as a blocking runtime gate plus a non-blocking full-tree audit
- regenerate package-lock.json under Node 22

Runtime audit clean (0). Residual is 16 dev-only advisories (0 critical),
all under @redux-devtools/* and webpack-dev-server — never bundled.
…dep-2-vulnerability-remediation

# Conflicts:
#	package-lock.json
…T-1330-dep-3-crypto-vault-modernization

Brings the DEP-2 fixes: scope router to path-to-regexp v8 (unbreaks start:chrome)
and the Safari xcode project path fix. DEP-3 crypto unchanged; byte-compat guard green.
…WALLET-1329)

Bump all 4 Ledger transports together (hw-transport/webhid to ^6.35.4,
webusb/web-ble to ^6.34.4), @zondax/ledger-casper to ^2.6.4,
@bringweb3/chrome-extension-kit to 1.7.0, and @tanstack/react-query to
^5.101.2. Add an override deduping @ledgerhq/hw-transport to a single
version, since @zondax/ledger-casper@2.6.4 newly pins 6.31.16. Add
@ledgerhq/devices as an explicit direct dep since transport.ts imports
it and deep-imports hw-transport-webusb/lib/webusb. casper-js-sdk and
casper-wallet-core are untouched (held/out of scope for this phase).
…wright 1.61 (WALLET-1331)

Resolves the moderate node-notifier advisory carried by the Jest 29 chain.
Jest 30 drops the toThrowError matcher alias, and Playwright 1.57+ switched
the default chromium channel to Chrome-for-Testing, which needs an explicit
channel pin for the unpacked-extension e2e harness.
…ed RTL deps (WALLET-1331)

jest.e2e.config.js and jest.tsconfig.json were unreferenced by any script or
CI job; jest-environment-jsdom only existed to back that dead config's
testEnvironment:'jsdom'. @testing-library/react, @testing-library/dom and
@testing-library/user-event have zero imports in src or e2e-tests.
@testing-library/jest-dom stays: it's wired into jest.config.js
setupFilesAfterEnv and typed in src/global.d.ts.
…ALLET-1332)

Bump webpack ^5.108.1, css-loader ^7.1.2, style-loader ^4.0.0, html-loader
^5.1.0, babel-loader ^10.0.0, dotenv-webpack ^9.0.0. Remove unused
webpack-cli, url-loader, file-loader, @babel/plugin-proposal-class-properties
(0 import sites / never invoked). Convert the file-loader rule to a native
webpack 5 asset/resource module to drop the dependency without changing
behavior.

Also drops an unused `Page` import from e2e-tests/constants.ts.
ost-ptk requested a review from Comp0te July 1, 2026 14:24
ost-ptk marked this pull request as ready for review July 1, 2026 14:24
Base automatically changed from WALLET-1331-dep-5-test-toolchain-jest-30-testing-library-16-playwright-1-61 to release/2.6.0 July 1, 2026 20:54
Comp0te merged commit d646104 into release/2.6.0 Jul 1, 2026
Comp0te deleted the WALLET-1332-dep-6-build-toolchain-loaders-asset-modules branch July 1, 2026 21:26