npm-release: @trezor/connect 9.2.4-beta.1 #12375

Closed
wants to merge 9 commits into from

Conversation

trezor-ci
Contributor

@trezor/connect release

This is an automatically created PR.

  • Bump @trezor/connect and @trezor/connect-web version using yarn workspace @trezor/connect version:<beta|patch|minor|major>
  • Bump all connect dependencies that need to be released into npm. If unsure run node ./ci/scripts/check-npm-dependencies.js connect. Please note that this script will report unreleased dependencies even for changes that do not affect runtime (READMEs etc.)
  • Released bumped npm dependencies you should into npm. This still needs to be done in gitlab. @mroz22
  • Make sure CHANGELOG file has been updated @mroz22
  • Changelogs checked @Hannsek
  • Confirm that this release does not introduce any breaking changes @mroz22
  • Contact 3rd parties if needed @Hannsek
  • Merge this PR into develop
  • Run release job in github actions. This will create a new branch release/connect/<version> and trigger Gitlab pipeline that prepares builds.
  • Tested and approved by @trezor/qa. Typically using this build.
  • Click connect v9 deploy production job in Gitlab. In case something went wrong there is connect v9 rollback production job which reverts current deploy. @mroz22
  • Release npm packages for @trezor/connect and @trezor/connect-web from gitlab @mroz22
  • Post a release bulletin into Slack @Hannsek

@trezor-ci
Contributor Author

  • NPM @trezor/blockchain-link-utils
  • NPM @trezor/blockchain-link-types
  • NPM @trezor/analytics
  • NPM @trezor/connect-common
  • NPM @trezor/env-utils
  • NPM @trezor/protobuf
  • NPM @trezor/schema-utils
  • NPM @trezor/protocol

@trezor-ci trezor-ci requested a review from martykan as a code owner May 14, 2024 12:09
@trezor-ci
Contributor Author

  • npm-release: @trezor/connect-common 0.0.33-beta.1 (a74f002)
  • fix(connect-popup): update text in selectAccount (21f4382)
  • fix(connect-explorer): use connect-web for dev server (8f956b4)
  • chore(connect): add new TS3 CA pubkeys and update timestamp (3ae06ac)
  • fix(connect): BackupDevice now has params (4120912)
  • test(connect): add changeLanguage test (f5a3207)
  • chore(connect): remove deprecated code (8af325a)
  • chore(connect): bump required fw to 1.8.1/2.1.0 (2f14ff6)
  • test(connect-popup): increase general timeout to 60 seconds (f7e3f59)
  • fix(connect-explorer-theme): issue with tailwind in prod build (b71cb93)
  • chore(connect): fix typo in log (649a197)
  • chore(connect): rename firmwareUpdate_v2 to firmwareUpdate (b39030c)
  • chore(connect-explorer): fully replace old explorer with nextra (139214b)
  • test(connect): fix e2e tests (b67170c)
  • refactor(connect): popupPromise improvement (320c5a9)
  • refactor(connect): improved analytics enhancing (6515f13)
  • refactor(connect): requestPermissions improved (7666994)
  • refactor(connect): method confirmation improved (99ac0e5)
  • refactor(connect): invalidDeviceState retries improved (4aa2b46)
  • refactor(connect): checkFirmwareRange without isUsingPopup (fa0974d)
  • refactor(connect): noBackupConfirmation improved (9188727)
  • refactor(connect): pin retries improved (08a093b)
  • refactor(connect): flattened onCall/inner (dd6437e)
  • refactor(connect): separating UI promises (27d5a44)
  • chore(deps-dev): bump next from 13.5.6 to 14.1.1 (a925660)
  • fix(connect-explorer-nextra): change MTT layout (f366ba6)
  • fix(connect-explorer-nextra): error icon rendering issue (421371e)
  • fix(connect-explorer-nextra): overlap of menu and theme switcher (9f862c3)
  • fix(connect): intermediary reconnect improved (115c718)
  • fix(connect): add intermediary reconnect param (de1b969)
  • test(connect-popup): nextra tests for webextension (247d888)
  • fix(blockchain-link-utils): fix solana token definitions url (5b29898)
  • fix(connect-web): increase popup open timeout from 3s to 5s (9313eb3)
  • fix(connect-popup): add delay before popup bootstrap to allow contentscript load (00b2056)
  • fix(connect-popup): webextension example e2e (b9cce02)
  • test(connect-popup): finetune popup close test (452d3ab)
  • fix(connect-popup): typo in a comment (8e21eeb)
  • fix(connect): fix device authenticity config timestamp and debug rootPubKey for T3T1 (140ec9a)
  • fix(connect-popup): queue messages sent before init (8850665)
  • fix(connect-popup): delay popup.js loading to allow content script to init (92d15bc)
  • fix(connect-popup): wait for POPUP.LOADED in webextension (cb18673)
  • fix(connect): multi-apps synchronization when device is connected (a881142)
  • feat(connect): update protobuf messages (41bff13)
  • feat(connect-explorer-nextra): use codemirror for json fields in form (17521ee)
  • feat(connect-explorer-nextra): method json params editor (09086d0)
  • fix(connect-explorer-nextra): move images to subdirectory (dc85a6c)
  • fix(connect-explorer-nextra): invalid json in some methods (d7fc752)
  • feat(connect-explorer-nextra): hide settings behind clicking Miscellaneous (6d9845f)
  • feat(connect-explorer-nextra): improve changelog (d06b4c5)
  • feat(connect-explorer-nextra): sidebar icons (778b10b)
  • fix(connect): add favicon to log.html (e2b6d94)
  • test(connect-popup): make tests work with nextra explorer (765e5d4)
  • fix(connect-explorer-nextra): add missing page for ethereumGetPublicKey (97fa620)
  • chore(connect-explorer-nextra): speed up build (2f3039c)
  • test(connect): cancel after every call (e496aec)
  • fix(connect): fix reading translations of undefined when there is only one record in releases.json (88d7608)
  • chore(connect-common): fix bootloader_version in the first t3t1 record (6ebae70)
  • fix(connect): bin_outputs in txcache (0bb13d3)
  • fix(connect): changelog for 9.2.3 beta release (731c899)
  • chore(connect): changelog for 9.2.3 beta release (9cfe830)

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Alert | Package | Note | Source
Filesystem access | npm/[email protected] | |
Shell access | npm/[email protected] | |
Filesystem access | npm/[email protected] | |
Trivial Package | npm/[email protected] | |
Filesystem access | npm/[email protected] | |

View full report↗︎

Next steps

What is filesystem access?

Accesses the file system, and could potentially read sensitive data.

If a package must read the file system, clarify what it will read and ensure it reads only what it claims to. If appropriate, packages can leave file system access to consumers and operate on data passed to it instead.

What is shell access?

This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.

Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

What are trivial packages?

Packages less than 10 lines of code are easily copied into your own project and may not warrant the additional supply chain risk of an external dependency.

Removing this package as a dependency and implementing its logic will reduce supply chain risk.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

@karliatto karliatto closed this May 14, 2024
@karliatto karliatto deleted the npm-release/connect-9.2.4-beta.1 branch May 14, 2024 13:17