Chore/bump foundation deps 2025.02

[Lemonexe]

Description

Update most Foundation-related dependencies.

major version:

• electron
• electron-builder

minor version:

• webpack
• @eslint/js
• eslint
• eslint-plugin-jest
• eslint-plugin-react
• typescript-eslint
• openpgp

patch version:

• idb
• systeminformation
• uuid

not updated:

• tiny-secp256k1 TODO in #12261
• electron-store blocked by #14482

ℹ️ For reference, last bump foundation deps PR was #16258
👁️ I skimmed through all code changes except eslint-related packages and electron; found nothing suspicious ✅

Related Issue

Resolve #16615

QA

👁️ Besides CI checks, I have tested locally:

• suite dev web
  • app builds & runs
  • resetting app storage (test idb persistence)
• suite dev desktop
  • app builds & runs
  • systeminformation output in debug logs
  • tor
• suite desktop linux build & windows build
  • app builds & runs
  • app update works
  • resetting app storage (test idb persistence)

@coderabbitai ignore

[github-actions]

🚀 Expo preview is ready!

• Project → trezor-suite-preview
• Platforms → android, ios
• Scheme → trezorsuitelite
• Runtime Version → 24
• More info

Learn more about 𝝠 Expo Github Action

[socket-security]

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring: npm/@electron/fuses@1.8.0, npm/electron-winstaller@5.4.0, npm/@electron/windows-sign@1.2.0, npm/@electron/rebuild@3.7.0

View full report↗︎

Next steps

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

[Lemonexe]

@SocketSecurity ignore npm/@electron/fuses@1.8.0
Ok, it's a legitimate usage of child_process

@SocketSecurity ignore npm/electron-winstaller@5.4.0
Ok, it's a legitimate usage of child_process

@SocketSecurity ignore npm/@electron/windows-sign@1.2.0
Ok, it's a legitimate usage of child_process

@SocketSecurity ignore npm/@electron/rebuild@3.7.0
The Http dependency in question is a fork of node-gyp, comes from @electron/rebuild, with this reason. TL;DR: temporary monkeypatch to support Node12 until they cut it off in next major ver.
I checked the fork since they diverged from nodejs/node-gyp, looks OK.

[peter-sanderson]

gfo 
gco chore/bump-foundation-deps-2025.02 
git checkout origin/develop -- yarn.lock # to revert yarn to the develop
yarn
yarn dedupe
git add .

=> produces empty diff ✔️

[Lemonexe]

settings moved to signtoolOptions in electron-userland/electron-builder#8582
signDlls setting was removed -> now it behaves as always true (see the diff)