
Bump foundation deps 2025.05#18819

Merged
Lemonexe merged 7 commits intodevelopfrom
bump-foundation-deps-2025.05
May 13, 2025

Conversation

@Lemonexe (Contributor) commented May 9, 2025

Description

Update most Foundation-related dependencies.

major version:

  • electron (stack changes)
  • globals (only for eslint)
  • minimatch (node 20 requirement)

minor version:

  • bignumber.js (TS-only changes)
  • @eslint/js
  • eslint
  • eslint
  • typescript-eslint

patch version:

  • electron-builder
  • electron-updater
  • idb
  • react-hook-form
  • bn.js

not updated:

  • tiny-secp256k1 TODO in #12261
  • electron-store + chalk TODO in #14482
  • react-router + react-router-dom + history TODO in #4649
  • nx TODO in #18812

ℹ️ For reference, last bump foundation deps PR was #18087 + #18682 + #18107 + #18704 + #18680
👁️ I skimmed through all code changes except eslint-related packages and electron; found nothing suspicious ✅

Related Issue

Resolve #18774

Dev QA

👁️ Besides CI checks, I have tested locally:

  • suite dev web
    • app builds & runs
    • resetting app storage works (idb)
  • suite dev desktop
    • app builds & runs
    • tor works
    • resetting app storage works (idb)
    • send form & sign/verify form works
  • suite native dev on android emu
    • trading form works
  • yarn refs && yarn verify-project-references work correctly (minimatch)
  • yarn generate-package works correctly (sort-package-json)

🔍🖥️ Suite web test results: View in Currents

🔍🖥️ Suite desktop test results: View in Currents

🔍🖥️ Suite native android test results: View in Currents

@Lemonexe Lemonexe added the dependencies Pull requests that update a dependency file label May 9, 2025
socket-security (Bot) commented May 9, 2025

All alerts resolved.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring alerts on:

  • express-rate-limit@7.5.0
  • zod-to-json-schema@3.24.5
  • eventsource-parser@3.0.1
  • eventsource@3.0.6
  • pkce-challenge@5.0.0
  • @modelcontextprotocol/sdk@1.11.1
  • @electron/osx-sign@1.3.3
  • ts-api-utils@2.1.0
  • @electron/asar@3.4.1
  • @electron/rebuild@3.7.2
  • builder-util@26.0.13
  • electron-publish@26.0.13
  • @eslint-community/eslint-utils@4.7.0
  • @electron/universal@2.0.3
  • @eslint/js@9.26.0
  • eslint@9.26.0
  • electron-updater@6.6.4
  • app-builder-lib@26.0.15
  • @typescript-eslint/scope-manager@8.32.0
  • @typescript-eslint/types@8.32.0
  • @typescript-eslint/typescript-estree@8.32.0
  • @typescript-eslint/utils@8.32.0
  • @typescript-eslint/visitor-keys@8.32.0
  • @typescript-eslint/type-utils@8.32.0
  • @typescript-eslint/eslint-plugin@8.32.0
  • @typescript-eslint/parser@8.32.0
  • typescript-eslint@8.32.0
  • globals@16.1.0
  • electron-builder@26.0.15
  • dmg-builder@26.0.15
  • electron-builder-squirrel-windows@26.0.15
  • electron@36.2.0


@Lemonexe (Contributor Author) commented May 9, 2025

@SocketSecurity ignore npm/express-rate-limit@7.5.0 — only uses net.isIP, nothing else.
@SocketSecurity ignore npm/@modelcontextprotocol/sdk@1.11.1 — does provide access to an arbitrarily configured server, but there seem to be no hardcoded URLs there

These two packages are only conditionally required if eslint is started with --mcp flag so it's ok for the time being.
Model Context Protocol server integration was done in eslint/eslint#19592 and several developers quickly expressed displeasure that this feature is included in core eslint!
There is a WIP PR eslint/eslint#19699 to externalize it → these packages will be only peerDependencies in future eslint versions.

TL;DR: they added AI stuff to ESlint, but it will be removed again in future.

@Lemonexe Lemonexe force-pushed the bump-foundation-deps-2025.05 branch from 27128df to 95c906a Compare May 9, 2025 12:37
trezor-bot (Bot) commented May 9, 2025

✅ Previously successful run of [Test] PR Suite Web e2e tests workflow has been found.
⏭️ Skipping tests for this run.
💡 If you are unsure about your latest changes, please rerun the workflow manually. (Use the Re-run all jobs option)

trezor-bot (Bot) commented May 9, 2025

✅ Previously successful run of [Test] PR Suite Desktop e2e tests workflow has been found.
⏭️ Skipping tests for this run.
💡 If you are unsure about your latest changes, please rerun the workflow manually. (Use the Re-run all jobs option)

Comment thread: package.json
"@types/react": "18.2.55",
"bn.js": "5.2.1",
"bn.js": "5.2.2",
"bignumber.js": "9.3.0",
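Review bot: the exact pins on `"bn.js": "5.2.2"` and `"bignumber.js": "9.3.0"` carry dedupe intent that is easy to break in a later bump, because JSON cannot hold a comment and a caret range would silently reintroduce a second copy. Consider recording the reason somewhere the next bumper will see it (for example a `resolutions` entry with a note in the contributing docs) and keep the "single copy in yarn.lock" check as an explicit Dev QA step for these two packages.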
Lemonexe (Contributor Author) commented:

bn.js was pinned in #12133 to explicitly dedupe it even across major versions. Looking at yarn.lock, this is still relevant ✔️

A similar situation now exists with bignumber.js:
Library @everstake/wallet-sdk@npm:1.0.15 requires exactly 9.1.2.
The changes from 9.1.2 to 9.3.0 are TS-only changes, so let's deduplicate it too.

Lemonexe (Contributor Author) commented:

Also why do we have two different BigNumber libraries? 🙈
Some legacy reasons as always, maybe they could be unified, but that's very very low priority 🧊

pipe(
tokenAccounts,
A.sort((a, b) => new BigNumber(b.balance).comparedTo(new BigNumber(a.balance))),
A.sort((a, b) => new BigNumber(b.balance).comparedTo(new BigNumber(a.balance)) ?? 0),
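Review bot: `?? 0` satisfies the `number` return type, but a comparator that answers 0 whenever either operand is NaN is no longer a consistent ordering (a NaN balance compares equal to every other balance while those balances are not equal to each other), so the position of such an account after `A.sort` is implementation-defined rather than "stays in place". If NaN balances can actually reach this code, filter them out before sorting or return a fixed value that sends them to the end; if they cannot, a short comment saying so would make the `?? 0` read as a type-level fallback only.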
@Lemonexe (Contributor Author) commented May 9, 2025

BigNumber.comparedTo now returns null if either operand is NaN, which is not accepted by Array.sort.
I don't like this change; as per IEEE 754 NaN is a valid number, and all comparisons are false, so it shall not be sorted but stay in place.
→ I believe it's sensible to fall back to 0 in Array.sort, as it was before.

Maybe NaN can't even happen here, idk, but TS does not distinguish NaN from number (after all, why should it; this makes sense).

The same applies to other similar diffs.
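As an added example (not code from this PR or the trezor-suite codebase), the comparator change discussed above: a constructed `comparedTo` stands in for bignumber.js with the same contract the thread describes (null when either operand is NaN), next to a NaN-last variant that keeps the comparator a consistent ordering.

```javascript
// Constructed stand-in for bignumber.js's comparedTo: -1 / 0 / 1, or null if either
// operand is NaN. Not the library itself; it only reproduces the contract under discussion.
function comparedTo(a, b) {
  const x = Number(a);
  const y = Number(b);
  if (Number.isNaN(x) || Number.isNaN(y)) return null;
  if (x < y) return -1;
  if (x > y) return 1;
  return 0;
}

// The shape merged in the PR: fall back to 0 so a NaN balance neither throws a type error
// nor forces a direction. Note that 0 for NaN makes the comparator inconsistent, so the
// final position of a NaN account depends on the engine's sort algorithm.
function sortByBalanceDesc(tokenAccounts) {
  return [...tokenAccounts].sort((a, b) => comparedTo(b.balance, a.balance) ?? 0);
}

// A consistent alternative: NaN balances always sort last, every other pair is ordered by
// value, so the result is deterministic regardless of the sort implementation.
function sortByBalanceDescNanLast(tokenAccounts) {
  return [...tokenAccounts].sort((a, b) => {
    const aNaN = Number.isNaN(Number(a.balance));
    const bNaN = Number.isNaN(Number(b.balance));
    if (aNaN && bNaN) return 0;
    if (aNaN) return 1; // a after b
    if (bNaN) return -1; // b after a
    return comparedTo(b.balance, a.balance); // descending
  });
}

// Constructed sample input: string balances as a token-account list would carry them;
// 'oops' models a value that parses to NaN.
const SAMPLE_ACCOUNTS = [
  { symbol: 'AAA', balance: '12.5' },
  { symbol: 'BBB', balance: 'oops' },
  { symbol: 'CCC', balance: '100' },
  { symbol: 'DDD', balance: '0.001' },
];

function symbolsOf(accounts) {
  return accounts.map((acc) => acc.symbol);
}
```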

"framer-motion": "^12.9.1",
"react": "18.2.0",
"react-hook-form": "^7.56.1",
"react-hook-form": "^7.56.3",
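Review bot: `react-hook-form` stays a caret range (`"^7.56.3"`) while the neighbouring `react` is pinned exact; since the workarounds from #18677 are still required against this version, a future lockfile refresh could pull in an unreviewed patch release that interacts with them. Consider pinning it like `react`, or noting why a floating range is acceptable here.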
Lemonexe (Contributor Author) commented:

I tried reverting both fixes I made in #18677, because I've read the changes in the lib and it seemed related. But no, both fixes are still necessary.

const config: webpack.Configuration = {
// Electron 35 runs on Chromium 134 https://www.electronjs.org/blog/electron-35-0#stack-changes
// Electron 36 runs on Chromium 136 https://www.electronjs.org/blog/electron-36-0#stack-changes
// but we are limited to 133 (supported by latest browserslist, as included by latest webpack)
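Review bot: the comment now lists both Electron 35 and Electron 36 with their Chromium versions; drop the stale Electron 35 line so the comment states only the runtime this PR actually ships, and name the browserslist / webpack versions that cap the target at Chromium 133, so the note is actionable when webpack is bumped later.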
@Lemonexe (Contributor Author) commented May 9, 2025

I'll look into this when I get back to playing around with Electron Main ESM – I will bump webpack then.

@Lemonexe Lemonexe force-pushed the bump-foundation-deps-2025.05 branch from 95c906a to b4905da Compare May 9, 2025 13:16
trezor-bot (Bot) commented May 9, 2025

✅ Previously successful run of [Test] PR Suite Web e2e tests workflow has been found.
⏭️ Skipping tests for this run.
💡 If you are unsure about your latest changes, please rerun the workflow manually. (Use the Re-run all jobs option)

trezor-bot (Bot) commented May 9, 2025

✅ Previously successful run of [Test] PR Suite Desktop e2e tests workflow has been found.
⏭️ Skipping tests for this run.
💡 If you are unsure about your latest changes, please rerun the workflow manually. (Use the Re-run all jobs option)

@Lemonexe Lemonexe marked this pull request as ready for review May 9, 2025 13:27
@Lemonexe Lemonexe requested a review from peter-sanderson May 13, 2025 05:35
@Lemonexe Lemonexe force-pushed the bump-foundation-deps-2025.05 branch from b4905da to 5ef376c Compare May 13, 2025 05:37
trezor-bot (Bot) commented May 13, 2025

✅ Previously successful run of [Test] PR Suite Desktop e2e tests workflow has been found.
⏭️ Skipping tests for this run.
💡 If you are unsure about your latest changes, please rerun the workflow manually. (Use the Re-run all jobs option)

trezor-bot (Bot) commented May 13, 2025

✅ Previously successful run of [Test] PR Suite Web e2e tests workflow has been found.
⏭️ Skipping tests for this run.
💡 If you are unsure about your latest changes, please rerun the workflow manually. (Use the Re-run all jobs option)

@Lemonexe (Contributor Author) commented May 13, 2025

@SocketSecurity ignore-all
Those are all electron-builder. Code checked, known and legit 🙂

@Lemonexe (Contributor Author) commented May 13, 2025

Will merge despite failing Releases revision Checks.
See Slack.

@Lemonexe Lemonexe merged commit fe4374f into develop May 13, 2025
67 of 68 checks passed
@Lemonexe Lemonexe deleted the bump-foundation-deps-2025.05 branch May 13, 2025 08:31
@Lemonexe Lemonexe mentioned this pull request Jul 1, 2025