Chore/21410 bump trends deps v2025.11

[cermakjiri]

Description

Major

• chore: upgrade Jest to v30
  • @types/[email protected],
  • [email protected],
  • @jest/[email protected]
  • @jest/[email protected]
  • [email protected]
  • [email protected]
• chore: update @stellar/stellar-sdk to v14.2.0
  • No relevant breaking change: https://github.com/stellar/js-stellar-sdk/blob/master/CHANGELOG.md#v1400

Minors & patches

• chore: update xrpl to v4.4.2
• chore: jest-watch-typeahead to v3.0.1
• chore(suite-build): react-refresh to v0.18.0
• chore: @testing-library/jest-dom to v6.9.1
• chore: patch-package to v8.0.1
• chore(suite): immer to v10.1.3
• chore: @babel packages to latest versions (patch)
• chore: html-webpack-plugin to v5.6.4
• chore: webpack to v5.102.1
• chore: @reduxjs/toolkit to v2.9.0

Security alert

The Socket.dev security report didn't reveal something dangerous.

https://socket.dev/dashboard/org/trezor/diff-scan/18b1ef02-71c3-4883-a0f9-5d2fd86fa0fc?tab=alerts&action=error%2Cwarn&difftype=added

Related Issue

Resolve #21410

Screenshots:

🔍🖥️ Suite web test results: View in Currents

🔍🖥️ Suite desktop test results: View in Currents

🔍🖥️ Suite native android test results: View in Currents

[trezor-bot]

✅ Previously successful run of [Test] PR Suite Web e2e tests workflow has been found.
⏭️ Skipping tests for this run.
💡 If you are unsure about your latest changes, please rerun the workflow manually. (Use the Re-run all jobs option)

[trezor-bot]

✅ Previously successful run of [Test] PR Suite Desktop e2e tests workflow has been found.
⏭️ Skipping tests for this run.
💡 If you are unsure about your latest changes, please rerun the workflow manually. (Use the Re-run all jobs option)

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		npm/@emnapi/[email protected] has Network access. Module: globalThis["fetch"] Location: Package overview From: yarn.lock → npm/@emnapi/[email protected] ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/@emnapi/[email protected] Uses eval. Eval Type: Function Location: Package overview From: yarn.lock → npm/@emnapi/[email protected] ℹ Read more on: This package | This alert | What is dynamic code execution? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/@jest/[email protected] Uses eval. Eval Type: Function Location: Package overview From: yarn.lock → npm/@jest/[email protected] ℹ Read more on: This package | This alert | What is dynamic code execution? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Avoid packages that use dynamic code execution like eval(), since this could potentially execute any code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@jest/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/@tybys/[email protected] has Network access. Module: globalThis["fetch"] Location: Package overview From: yarn.lock → npm/@tybys/[email protected] ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tybys/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/@unrs/[email protected] has Network access. Module: globalThis["fetch"] Location: Package overview From: yarn.lock → npm/@unrs/[email protected] ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@unrs/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/[email protected] has Network access. Module: globalThis["fetch"] Location: Package overview From: yarn.lock → npm/[email protected] ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/[email protected] has Shell access. Module: child_process Location: Package overview From: yarn.lock → npm/[email protected] ℹ Read more on: This package | This alert | What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/@emnapi/[email protected] is a AI-detected potential code anomaly. Notes: This file implements a WASM/N-API runtime bridge (emnapi) exposing many napi_* functions, memory-view and buffer helpers, thread/worker management and threadsafe function queues. It uses dynamic function creation via new Function (with identifier validation), direct WebAssembly memory reads/writes (DataView/Uint8Array), Atomics/SharedArrayBuffer for cross-thread signaling, and postMessage transfers of ArrayBuffers. There is no evidence of malicious behavior (no network callbacks, no shell or file operations, no hard-coded secrets), but these powerful primitives can enable unexpected code execution or data movement if untrusted inputs reach them. Confidence: 1.00 Severity: 0.60 From: yarn.lock → npm/@emnapi/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[tomasklim]

No need to mention across multiple packages in commit message. The missing (package) says the same