Bump foundation deps 2026.2

[5K1PY]

Description

Update most Foundation-related dependencies.

major version:

• @eslint/js: Quite a few, but since it's only linting, tests should cover that.
• globals: Only breaking change concerns some audioWorklet variables, and search fot them shows nothing suspicious.
• electron: Following breaking changes
  • clipboard API access from renderer processes — Couldn't find any usage.
  • debug symbols use .tar.xz instead of .zip on mac — It's only debug symbols, so it should be fine.

minor version:

• typescript-eslint
• eslint-plugin-jest
• core-js
• prettier
• @sentry/browser, @sentry/core, @sentry/electron, @sentry/react, @sentry/node, @sentry/node-core, @sentry/react, @sentry/react-native, @sentry/type, @sentry/webpack-plugin
• electron-builder
• nx
• react-native-mmkv
• react-native-nitro-modules
• webpack-bundle-analyzer

patch version:

• @babel/cli, @babel/core, @babel/node, @babel/plugin-proposal-decorators, @babel/preset-env, @babel/runtime
• sort-package-json
• html-webpack-plugin
• @braintree/sanitize-url

not updated:

• evolu & expo-sqlite: WIP
• set.prototype.intersection: Needed by evolu for now
• cors: We should be able to get rid of it after evolu

ℹ️ For reference, last bump foundation deps PR was #24168

Notes for QA

Areas to test:

• webpack related, electron, electron-builder: Suite Web and Desktop on all three platforms builds and runs (I have somewhat tested web+linux.)
• sentry: Sentry error on mobile (I have tested web & desktop.)
• react-native-mmkv: Settings persistency on mobile (after app restart)

Related Issue

Resolve #24411

🔍🖥️ Suite desktop test results: View in Currents

🔍🖥️ Suite web test results: View in Currents

🔍🖥️ Suite native android test results: View in Currents

[socket-security]

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring alerts on:

• npm/@electron/get@3.1.0
• npm/@babel/plugin-transform-explicit-resource-management@7.28.6
• npm/@babel/plugin-transform-block-scoping@7.28.6
• npm/@babel/core@7.28.6
• npm/@babel/plugin-transform-async-generator-functions@7.28.6
• npm/core-js@3.48.0
• npm/@typescript-eslint/eslint-plugin@8.54.0
• npm/react-native-mmkv@4.1.2
• npm/@sentry-internal/replay-canvas@10.38.0
• npm/@sentry/browser@10.36.0
• npm/@sentry/browser@10.38.0
• npm/@sentry/browser@10.37.0
• npm/@nx/nx-linux-arm64-musl@22.4.3
• npm/nx@22.4.3

View full report

[greptile-apps]

Greptile Overview

Greptile Summary

Foundation dependencies updated across 34 package.json files with major bumps to electron 40.1.0, @eslint/js 10.0.0, and globals 17.2.0. Breaking changes reviewed:

• Electron 40: Clipboard API renderer restrictions don't affect codebase (clipboard usage is browser-native via navigator.clipboard.writeText)
• @eslint/js 10: Config uses standard pluginJs.configs.recommended - compatible
• globals 17: audioWorklet breaking change irrelevant (no usage found)

Minor/patch updates include Sentry packages (10.38.0), Babel (7.28.6), prettier (3.8.1), webpack tooling, nx, and react-native packages. All resolutions properly aligned in yarn.lock.

Important Files Changed

Filename	Overview
package.json	Updated resolutions for electron 40.1.0, prettier 3.8.1, sentry 10.38.0, and babel 7.28.6 - standard dependency bumps
packages/eslint/package.json	Bumped @eslint/js to 10.0.0, globals to 17.2.0, typescript-eslint to 8.54.0, eslint-plugin-jest to 29.12.1 - no breaking changes affecting codebase
packages/suite-desktop/package.json	Updated electron to 40.1.0 and electron-builder to 26.6.0 - no clipboard renderer usage detected
packages/suite-build/package.json	Updated webpack-related packages: html-webpack-plugin 5.6.6, webpack-bundle-analyzer 5.2.0, @sentry/webpack-plugin 4.8.0 - minor updates
packages/suite-desktop-core/package.json	Updated @sentry/electron to 7.7.1, @sentry/webpack-plugin to 4.8.0, electron to 40.1.0
suite-native/storage/package.json	Updated react-native-mmkv to 4.1.2 and @sentry/react-native to 7.11.0
yarn.lock	Lockfile updated with all dependency resolutions - 1110 additions, 1037 deletions

_{Last reviewed commit: 0d63b16}

[komret]

I rerun all tests, let's see if it helps. But that was a lot of failures...

[Lemonexe]

I force pushed to solve git conflict, let's see the CI now. If it still fails, needs investigation.
FWIW I ran locally E2E both Web & Desktop general/wallet-discovery.test.ts and works ✔️

EDIT: all green ✔️

[Lemonexe]

LGTM. Thank you very much for thorough maintenance work 👍
We still have to sort through the socket.dev warning, but that blocks merging so I'm approving ✔️

[Lemonexe]

I was a bit worried how would it work when you have mismatched major versions of @eslint/js and eslint. But no CI failure → seems alright ✔️

Well, false positive is only one possible bug, there is also false negative → I tested locally if eslint still catches, and it does ✔️

[Lemonexe]

Ok, but now I see in Socket.dev report that @eslint/js@10.0.0 is deprecated ❌
There is 10.0.1 but it's 10 days old, does not pass age gate.
I'm gonna edit this (revert to 9.39.2 which is the latest 9.x.x)
We'll bump both @eslint/js and eslint next month 🙂
I amended 7116463

[Lemonexe]

@SocketSecurity ignore npm/@babel/core@7.28.6
@SocketSecurity ignore npm/@babel/plugin-transform-async-generator-functions@7.28.6
@SocketSecurity ignore npm/@babel/plugin-transform-block-scoping@7.28.6
@SocketSecurity ignore npm/@babel/plugin-transform-explicit-resource-management@7.28.6
@SocketSecurity ignore npm/@electron/get@3.1.0
@SocketSecurity ignore npm/react-native-mmkv@4.1.2
OK, legitimate usage

@SocketSecurity ignore npm/nx@22.4.3
@SocketSecurity ignore npm/@nx/nx-linux-arm64-musl@22.4.3
low adoption OK, it's official nx package, and it's optional, conditioned only to arm64 linux with musl, so most setups won't even install it

@SocketSecurity ignore npm/@sentry/browser@10.37.0
low adoption OK, it's official sentry package

@SocketSecurity ignore npm/@typescript-eslint/eslint-plugin@8.54.0
OK, usage only in examples & external tools, not in the plugin itself

@sentry-internal/replay-canvas
OK, we don't use replays at all, it's very privacy-intrusive feature

@SocketSecurity ignore npm/core-js@3.48.0
OK, legitimate usage (wrapping native fetch for polyfill)

[trezor-bot]

✅ Previously successful run of [Test] PR Suite Web e2e tests workflow has been found.
⏭️ Skipping tests for this run.
💡 If you are unsure about your latest changes, please rerun the workflow manually. (Use the Re-run all jobs option)

[trezor-bot]

✅ Previously successful run of [Test] PR Suite Desktop e2e tests workflow has been found.
⏭️ Skipping tests for this run.
💡 If you are unsure about your latest changes, please rerun the workflow manually. (Use the Re-run all jobs option)

[Lemonexe]

@SocketSecurity ignore npm/@sentry/browser@10.36.0
@SocketSecurity ignore npm/@sentry/browser@10.38.0
@SocketSecurity ignore npm/@sentry-internal/replay-canvas@10.38.0
See comment above. Sentry browser has resolution for 10.38.0, other versions are not installed.