Skip to content

[WIP] Dependencies update#605

Merged
nstus merged 3 commits into
mainfrom
fix/security-vulnerabilities
May 18, 2026
Merged

[WIP] Dependencies update#605
nstus merged 3 commits into
mainfrom
fix/security-vulnerabilities

Conversation

@nstus

@nstus nstus commented Apr 29, 2026

Copy link
Copy Markdown
Collaborator

resolves https://linear.app/theopenplatform/issue/TK-964/update-stale-dependencies

Summary

  • CVE-2023-26136tough-cookie ^4.1.3 → ^4.1.4 (prototype pollution, CVSS 9.8); transitive dep in apps/desktop
  • Electron ^32 → ^41 + @electron-forge/* 7.4.0 → 7.11.1 — Electron 32.x is outside the 3-version security support window; 41.x is current
  • Floating "latest" version pins@tma.js/sdk → 2.5.1, @tma.js/sdk-react → 2.2.5, @capacitor/cli → ^6.2.0; prevents silent breaking-major pulls on fresh installs
  • crypto-browserify (unmaintained since 2021) replaced — desktop now uses node-polyfill-webpack-plugin; extension uses vite-plugin-node-polyfills (same plugin already used in web/mobile)
  • react-beautiful-dnd (archived by Atlassian, 2023) fully replaced with @dnd-kit across 7 files in packages/uikit; also removes per-platform transform-string patching workarounds (patchDragItemStyle,
    translate(0px, Ypx hacks)

What to test carefully

Desktop app (Electron)

  • App launches after Electron 32→41 upgrade — check for IPC regressions between renderer and main process
  • Keychain access still works (mnemonic unlock, sign transactions)
  • Window controls, tray icon, deep links (ton://) still function
  • No regressions in Buffer, crypto, stream usage (now via node-polyfill-webpack-plugin)

Browser extension (Chrome/Firefox)

  • Extension builds for both Chrome (MV3) and Firefox (MV2)
  • DApp connections and TonConnect still work (background ↔ popup messaging)
  • Buffer/crypto/stream polyfills work (now via vite-plugin-node-polyfills)

Drag-and-drop — sidebar (desktop + mobile manage wallets)

  • Drag accounts up/down to reorder — order persists on reload
  • Drag folders in the sidebar
  • Drag accounts within a folder (nested DnD in DesktopManageWalletsSettings)
  • Folder with exactly 1 account — no DnD wrapper, no crash
  • Single tap still navigates (no accidental drag at short distances — threshold is 5px)
  • Haptic notification fires on drag start (mobile)
  • cardModalSwipe lock/unlock still prevents swipe-to-close conflicts on mobile

Drag-and-drop — pinned browser tabs sidebar

  • Reorder pinned dapp tabs — order persists
  • Edit mode: unpin and close tabs still work
  • Pin / unpin a tab moves it between sections correctly

Drag-and-drop — Jettons settings

  • Drag pinned tokens to reorder — saved order reflected on wallet home
  • Pin/hide/show a token (non-drag interactions in the same view)

Dashboard categories modal (Pro)

  • Drag categories to reorder
  • Toggle checkbox while list is draggable
  • Pro-gated categories show PRO badge and trigger upsell on click

Telegram Mini App

  • App initialises correctly with pinned @tma.js/sdk 2.5.1 (was "latest")
  • Back button, theme, and viewport hooks from the SDK still work

@github-actions

github-actions Bot commented Apr 29, 2026

Copy link
Copy Markdown

Successful WEB deployment 🚀🚀🚀

Well done!
Link to test environment:
https://02d02413.tonkeeper-web.pages.dev

@nstus nstus force-pushed the fix/security-vulnerabilities branch from 5853d42 to bf17ebe Compare April 29, 2026 12:51
@nstus nstus changed the title Fix/security vulnerabilities [WIP] Fix/security vulnerabilities Apr 29, 2026
@nstus nstus changed the title [WIP] Fix/security vulnerabilities [WIP] Dependencies update Apr 29, 2026
@nstus nstus force-pushed the fix/security-vulnerabilities branch 3 times, most recently from eb4ac71 to 9b060a8 Compare April 29, 2026 22:07
@github-actions

github-actions Bot commented Apr 29, 2026

Copy link
Copy Markdown

Successful iPad build 🚀🚀🚀

Well done!
The app with build version: 4.6.2(2)
Uploaded to TestFlight

@nstus nstus force-pushed the fix/security-vulnerabilities branch 2 times, most recently from 76169ef to 5de03a1 Compare May 13, 2026 09:54
@nstus nstus force-pushed the fix/security-vulnerabilities branch from e4b202c to 9865ec3 Compare May 15, 2026 14:27
@nstus nstus requested a review from nvasilchuk May 15, 2026 14:48
@linear

linear Bot commented May 18, 2026

Copy link
Copy Markdown

TK-964

@nstus nstus merged commit e350eb2 into main May 18, 2026
9 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants