Bump the all-dependencies group across 1 directory with 33 updates

[dependabot]

Bumps the all-dependencies group with 33 updates in the / directory:

Package	From	To
@amplitude/analytics-browser	2.23.7	2.42.0
@creit.tech/stellar-wallets-kit	1.9.5	2.1.0
@ledgerhq/hw-app-str	7.2.9	7.7.1
@ledgerhq/hw-transport-webhid	6.30.9	6.35.1
@next/third-parties	15.5.7	16.2.4
@sentry/nextjs	10.29.0	10.51.0
@stellar-expert/contract-wasm-interface-parser	4.0.0	4.1.0
@tanstack/react-query	5.87.4	5.100.6
@tanstack/react-query-devtools	5.87.4	5.100.6
@trezor/connect-web	9.6.4	9.7.3
bignumber.js	9.3.1	11.1.0
dompurify	3.2.6	3.4.2
html-react-parser	5.2.6	6.0.1
immer	10.1.3	11.1.4
lodash	4.17.21	4.18.1
@types/lodash	4.17.20	4.17.24
lossless-json	4.2.0	4.3.0
next	15.5.14	16.2.4
uuid	11.1.0	14.0.0
zustand-querystring	0.0.19	0.7.0
@next/eslint-plugin-next	15.5.3	16.2.4
@playwright/test	1.57.0	1.59.1
@types/node	24.3.1	25.6.0
@types/papaparse	5.3.16	5.5.2
@typescript-eslint/eslint-plugin	8.43.0	8.59.1
eslint	9.35.0	10.2.1
eslint-config-next	15.4.4	16.2.4
eslint-plugin-react-hooks	5.2.0	7.1.1
jest	30.2.0	30.3.0
lint-staged	16.1.6	16.4.0
prettier	3.6.2	3.8.3
sass	1.92.1	1.99.0
typescript	5.9.2	6.0.3

Updates @amplitude/analytics-browser from 2.23.7 to 2.42.0

Release notes

Sourced from @​amplitude/analytics-browser's releases.

@​amplitude/analytics-browser@​2.42.0

2.42.0 (2026-04-28)

Features

• remove experimental request body compression backdoor (#1699) (98ecb9d)

@​amplitude/analytics-browser@​2.41.1

2.41.1 (2026-04-22)

Note: Version bump only for package @​amplitude/analytics-browser

@​amplitude/analytics-browser@​2.41.0-sr-3531-rc-2.0

2.41.0-sr-3531-rc-2.0 (2026-04-20)

Features

• add long task tracking (#1622) (d995e1f)

@​amplitude/analytics-browser@​2.40.0

2.40.0 (2026-04-14)

Features

• analytics-browser: event property attribution (#1628) (6d37e79)

Commits

• 7c36345 chore(release): publish
• 98ecb9d feat: remove experimental request body compression backdoor (#1699)
• 634ac97 feat(session-replay-browser): merge consecutive mutation incremental snapshot...
• eb07611 chore(release): publish
• 9cec47c feat(session-replay-browser): expose captureAdoptedStyleSheets option (#1695)
• f84374e fix(analytics-browser): replace "blocklist" with "excludelist" in networkTrac...
• 3c43fbe chore: remove version from gtm-snippet package.json (#1694)
• 1c1321e chore: make gtm-snippet private (#1693)
• ccb16fd chore(release): publish
• 48f38da fix(session-replay-browser): use takeFullSnapshot on focus instead of full rr...
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​amplitude/analytics-browser since your current version.

Updates @creit.tech/stellar-wallets-kit from 1.9.5 to 2.1.0

Release notes

Sourced from @​creit.tech/stellar-wallets-kit's releases.

v2.1.0

2.1.0 (2026-03-30)

add

• Include PR 84 - adds signAndSubmitTransaction method
• Add new method fetchAddress

v2.0.1

2.0.1 (2026-03-11)

Changes

• Update the recently included Bitget module
• Include PRs 85 and 86

v2.0.0

2.0.0 (2026-02-11)

Changes

• Full refactor of the whole repository (with breaking changes)
• Migrate into a full Deno repository with NPM builds for compatibility
• Separate the UI, the state, and the SDK
  • The UI (modal, buttons, etc) is now using Preact with HTM instead of Lit
  • The SDK (the class StellarWalletsKit) is now a regular Deno library
  • The state part of the SDK is being used by both the UI and the SDK
• The UI now uses a series of CSS variables that can be defined by developers to personalize the complete UI (the SDK makes this process easier)
• The SDK internal state is now using the small preact/signals library instead of RxJS (aiming to reduce the kit's size)
• The SDK now exports the internal state so developers can update it directly if they need to (tho, still not recommended)
• We included 3 simple examples using vite-preact, vite-react, and create-react-app so developers can see how to use the library
• The components used in the library can now be created separately if needed (but like the internal state, not recommended)
• The openModal method was removed, and we now have authModal. This new method works as a regular Promise, and it returns the address after the user has picked their selected wallet
• A new profile page is added to the kit's modal, so in the future, we will allow having multiple accounts and wallets connected, so users can switch between accounts directly from the website instead of needing to check their wallets.
• Include a new logic for events updates from the kit, developers can `subscribe ' to updates from the kit, like changes in the selected address, network, module, or disconnections.
• The kit now separates the logic between getting the address and fetching the address. This means that if the user hasn't interacted with the AuthModal before, it will throw an error. This will prevent issues with modules that have different authorization logic (for example, Freighter)
• The kit now keeps more information in the localstorage, for example, it will remember the last Wallet Connect topic it used, so when using Wallet Connect, the user doesn't need to connect again and again.
• Freighter and Lobstr are now default wallets in the wallet connect modal, this way users will see them first instead of regular EVM wallets.
• Fully remove both submit and submitUrl parameters

... (truncated)

Changelog

Sourced from @​creit.tech/stellar-wallets-kit's changelog.

2.1.0 (2026-03-30)

add

• Include PR 84 - adds signAndSubmitTransaction method
• Add new method fetchAddress

2.0.1 (2026-03-11)

Changes

• Update the recently included Bitget module
• Include PRs 85 and 86

2.0.0 (2026-02-11)

Changes

• Full refactor of the whole repository (with breaking changes)
• Migrate into a full Deno repository with NPM builds for compatibility
• Separate the UI, the state, and the SDK
  • The UI (modal, buttons, etc) is now using Preact with HTM instead of Lit
  • The SDK (the class StellarWalletsKit) is now a regular Deno library
  • The state part of the SDK is being used by both the UI and the SDK
• The UI now uses a series of CSS variables that can be defined by developers to personalize the complete UI (the SDK makes this process easier)
• The SDK internal state is now using the small preact/signals library instead of RxJS (aiming to reduce the kit's size)
• The SDK now exports the internal state so developers can update it directly if they need to (tho, still not recommended)
• We included 3 simple examples using vite-preact, vite-react, and create-react-app so developers can see how to use the library
• The components used in the library can now be created separately if needed (but like the internal state, not recommended)
• The openModal method was removed, and we now have authModal. This new method works as a regular Promise, and it returns the address after the user has picked their selected wallet
• A new profile page is added to the kit's modal, so in the future, we will allow having multiple accounts and wallets connected, so users can switch between accounts directly from the website instead of needing to check their wallets.
• Include a new logic for events updates from the kit, developers can `subscribe ' to updates from the kit, like changes in the selected address, network, module, or disconnections.
• The kit now separates the logic between getting the address and fetching the address. This means that if the user hasn't interacted with the AuthModal before, it will throw an error. This will prevent issues with modules that have different authorization logic (for example, Freighter)
• The kit now keeps more information in the localstorage, for example, it will remember the last Wallet Connect topic it used, so when using Wallet Connect, the user doesn't need to connect again and again.
• Freighter and Lobstr are now default wallets in the wallet connect modal, this way users will see them first instead of regular EVM wallets.
• Fully remove both submit and submitUrl parameters
• And many more.

Fix

... (truncated)

Commits

• d337aa5 Update to v2.1.0
• 1be3336 Include a new method in the kit fetchAddress
• 594b9e7 Update dependencies
• ec62e81 Revert changes from the nextjs example before creating a new distribution (wi...
• d0c0348 Merge branch 'main' of github.com:Creit-Tech/Stellar-Wallets-Kit
• 8a087c7 Merge pull request #84 from mihaic195/main
• ac0d5dd Fix types from the bitget module
• 02f4bd1 Update changelog and include the README in the npm build
• fc209e3 v2.0.1
• e03d17d Update bitget module
• Additional commits viewable in compare view

Updates @ledgerhq/hw-app-str from 7.2.9 to 7.7.1

Commits

• See full diff in compare view

Updates @ledgerhq/hw-transport-webhid from 6.30.9 to 6.35.1

Commits

• 73024e4 Merge branch 'release'
• ceb890a chore(release): 🚀 prepare release [skip ci]
• ee1458a chore(prerelease): 🚀 release prerelease [LLD(2.73.0-next.6), LLM(3.36....
• 18afc73 bugfix: LIVE-10429 (#5703)
• eb2ab3a chore(prerelease): 🚀 release prerelease [LLD(2.73.0-next.5), LLM(3.36....
• 0fb6cb3 [Bugfix] Fix wrong log filtering (#5709)
• 5180b79 update cryptoassets.md
• 49f4dbf update sortByMarketcap snapshot
• 12cb6c1 chore(prerelease): 🚀 release prerelease [LLD(2.73.0-next.4), LLM(3.36....
• 2287d6a Fix uncaught FirmwareNotRecognized in useAvailableLanguagesForDevice (#5701)
• Additional commits viewable in compare view

Updates @next/third-parties from 15.5.7 to 16.2.4

Release notes

Sourced from @​next/third-parties's releases.

v16.2.4

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• chore: Bump reqwest to 0.13.2 (Fixes Google Fonts with Turbopack for Windows on ARM64) (#92713)
• Turbopack: fix filesystem watcher config not applying follow_symlinks(false) (#92631)
• Scope Safari ?ts= cache-buster to CSS/font assets only (Pages Router) (#92580)
• Compiler: Support boolean and number primtives in next.config defines (#92731)
• turbo-tasks: Fix recomputation loop by allowing cell cleanup on error during recomputation (#92725)
• Turbopack: shorter error for ChunkGroupInfo::get_index_of (#92814)
• Turbopack: shorter error message for ModuleBatchesGraph::get_entry_index (#92828)
• Adding more system info to the 'initialize project' trace (#92427)

Credits

Huge thanks to @​Badbird5907, @​lukesandberg, @​andrewimm, @​sokra, and @​mischnic for helping!

v16.2.3

[!NOTE] This release is backporting security and bug fixes. For more information about the fixed security vulnerability, please see https://vercel.com/changelog/summary-of-cve-2026-23869. The release does not include all pending features/changes on canary.

Core Changes

• Ensure app-page reports stale ISR revalidation errors via onRequestError (#92282)
• Fix [Bug]: manifest.ts breaks HMR in Next.js 16.2 (#91981 through #92273)
• Deduplicate output assets and detect content conflicts on emit (#92292)
• Fix styled-jsx race condition: styles lost due to concurrent rendering (#92459)
• turbo-tasks-backend: stability fixes for task cancellation and error handling (#92254)

Credits

Huge thanks to @​icyJoseph, @​sokra, @​wbinnssmith, @​eps1lon and @​ztanner for helping!

v16.2.2

[!NOTE] This release is backporting bug fixes. It does not include all pending features/changes on canary.

Core Changes

• backport: Move expanded adapters docs to API reference (#92115) (#92129)
• Backport: TypeScript v6 deprecations for baseUrl and moduleResolution (#92130)
• [create-next-app] Skip interactive prompts when CLI flags are provided (#91840)
• next.config.js: Accept an option for serverFastRefresh (#91968)
• Turbopack: enable server HMR for app route handlers (#91466)
• Turbopack: exclude metadata routes from server HMR (#92034)
• Fix CI for glibc linux builds
• Backport: disable bmi2 in qfilter #92177
• [backport] Fix CSS HMR on Safari (#92174)

... (truncated)

Commits

• 2275bd8 v16.2.4
• d5f649b v16.2.3
• 52faae3 v16.2.2
• ed7d2ce v16.2.1
• c5c94df v16.2.0
• 3683192 v16.2.0-canary.104
• 6689814 v16.2.0-canary.103
• ad66dbc v16.2.0-canary.102
• b856498 v16.2.0-canary.101
• 136b77e v16.2.0-canary.100
• Additional commits viewable in compare view

Updates @sentry/nextjs from 10.29.0 to 10.51.0

Release notes

Sourced from @​sentry/nextjs's releases.

10.51.0

Important Changes

• feat(cloudflare): Add trace propagation for RPC method calls (#20343)

  Trace context is now propagated across Cloudflare Workers RPC calls, connecting traces between Workers and Durable Objects. This feature is opt-in and requires setting enableRpcTracePropagation: true in your SDK configuration:

  // Worker
  export default Sentry.withSentry(
    env => ({
      dsn: env.SENTRY_DSN,
      enableRpcTracePropagation: true,
    }),
    handler,
  );
  // Durable Object
  export const MyDurableObject = Sentry.instrumentDurableObjectWithSentry(
  env => ({
  dsn: env.SENTRY_DSN,
  enableRpcTracePropagation: true,
  }),
  MyDurableObjectBase,
  );

• feat(hono)!: Change setup for @sentry/hono/node (init in external file) (#20497)

  To improve Node.js instrumentation, the sentry() middleware exported from @sentry/hono/node no longer accepts configuration options. Instead, you must configure the SDK by calling Sentry.init() in a dedicated instrumentation file that runs before your application code (read more in the Hono SDK readme:

  // instrument.mjs (or instrument.ts)
  import * as Sentry from '@sentry/hono/node';
  Sentry.init({
  dsn: 'DSN',
  tracesSampleRate: 1.0,
  });

• feat(nitro): Add @sentry/nitro SDK (#19224)

  A new @sentry/nitro package provides first-class Sentry support for Nitro applications, with HTTP handler and error instrumentation, middleware tracing, request isolation, and build-time source map uploading via withSentryConfig. Read more in the Nitro SDK docs and the Nitro SDK readme.

Other Changes

... (truncated)

Changelog

Sourced from @​sentry/nextjs's changelog.

10.51.0

Important Changes

• feat(cloudflare): Add trace propagation for RPC method calls (#20343)

  Trace context is now propagated across Cloudflare Workers RPC calls, connecting traces between Workers and Durable Objects. This feature is opt-in and requires setting enableRpcTracePropagation: true in your SDK configuration:

  // Worker
  export default Sentry.withSentry(
    env => ({
      dsn: env.SENTRY_DSN,
      enableRpcTracePropagation: true,
    }),
    handler,
  );
  // Durable Object
  export const MyDurableObject = Sentry.instrumentDurableObjectWithSentry(
  env => ({
  dsn: env.SENTRY_DSN,
  enableRpcTracePropagation: true,
  }),
  MyDurableObjectBase,
  );

• feat(hono)!: Change setup for @sentry/hono/node (init in external file) (#20497)

  To improve Node.js instrumentation, the sentry() middleware exported from @sentry/hono/node no longer accepts configuration options. Instead, you must configure the SDK by calling Sentry.init() in a dedicated instrumentation file that runs before your application code (read more in the Hono SDK readme:

  // instrument.mjs (or instrument.ts)
  import * as Sentry from '@sentry/hono/node';
  Sentry.init({
  dsn: 'DSN',
  tracesSampleRate: 1.0,
  });

• feat(nitro): Add @sentry/nitro SDK (#19224)

  A new @sentry/nitro package provides first-class Sentry support for Nitro applications, with HTTP handler and error instrumentation, middleware tracing, request isolation, and build-time source map uploading via withSentryConfig. Read more in the Nitro SDK docs and the Nitro SDK readme.

Other Changes

... (truncated)

Commits

• dc0b839 release: 10.51.0
• b3cabee Merge pull request #20599 from getsentry/prepare-release/10.51.0
• 3be99a9 meta(changelog): Update changelog for 10.51.0
• bea1aad test(browser): Unflake some more tests (#20591)
• 50aa085 test(node): Unflake postgres tests (#20593)
• 1166839 fix(hono): Distinguish .use() middleware in sub-apps from .all() handlers...
• 217ad4a test(node): Fix flaky ANR test (#20592)
• 91ffb3f test(node): Fix flaky worker thread integration test (#20588)
• c4e3902 chore(ci): Do not report flaky test issues if we cannot find a test name (#20...
• c0005cd test(node): Update timeout for cron integration tests (#20586)
• Additional commits viewable in compare view

Updates @stellar-expert/contract-wasm-interface-parser from 4.0.0 to 4.1.0

Commits

• See full diff in compare view

Updates @tanstack/react-query from 5.87.4 to 5.100.6

Release notes

Sourced from @​tanstack/react-query's releases.

@​tanstack/react-query-devtools@​5.100.6

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-devtools@​5.100.6
  • @​tanstack/react-query@​5.100.6

@​tanstack/react-query-next-experimental@​5.100.6

Patch Changes

• Updated dependencies []:
  • @​tanstack/react-query@​5.100.6

@​tanstack/react-query-persist-client@​5.100.6

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-persist-client-core@​5.100.6
  • @​tanstack/react-query@​5.100.6

@​tanstack/react-query@​5.100.6

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.6

@​tanstack/react-query-devtools@​5.100.5

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-devtools@​5.100.5
  • @​tanstack/react-query@​5.100.5

@​tanstack/react-query-next-experimental@​5.100.5

Patch Changes

• Updated dependencies []:
  • @​tanstack/react-query@​5.100.5

@​tanstack/react-query-persist-client@​5.100.5

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-persist-client-core@​5.100.5
  • @​tanstack/react-query@​5.100.5

@​tanstack/react-query@​5.100.5

Patch Changes

• Updated dependencies [a53ef97]:

... (truncated)

Changelog

Sourced from @​tanstack/react-query's changelog.

5.100.6

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.6

5.100.5

Patch Changes

• Updated dependencies [a53ef97]:
  • @​tanstack/query-core@​5.100.5

5.100.4

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-core@​5.100.4

5.100.3

Patch Changes

• fix(suspense): skip calling combine when queries would suspend (#10576)

• Updated dependencies [f85d825]:

  • @​tanstack/query-core@​5.100.3

5.100.2

Patch Changes

• Updated dependencies [ea4497e, d6a7bf3, 645d5d1]:
  • @​tanstack/query-core@​5.100.2

5.100.1

Patch Changes

• Updated dependencies [1bb0d23]:
  • @​tanstack/query-core@​5.100.1

5.100.0

Patch Changes

• Updated dependencies [6540a41]:
  • @​tanstack/query-core@​5.100.0

... (truncated)

Commits

• 87f7ccf ci: Version Packages (#10604)
• 441204b ci: Version Packages (#10582)
• 55afb3e ci: Version Packages (#10581)
• fe287cc ci: Version Packages (#10579)
• f85d825 Feature/use suspense queries combine (#10576)
• 93b2845 ci: Version Packages (#10575)
• ea4497e fix(query-core): stop wrapping persister generics in NoInfer (#10510)
• 2f9527e ci: Version Packages (#10568)
• ad517e5 ci: Version Packages (#10567)
• 6540a41 feat(core): callback for retryOnMount (#10515)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​tanstack/react-query since your current version.

Updates @tanstack/react-query-devtools from 5.87.4 to 5.100.6

Release notes

Sourced from @​tanstack/react-query-devtools's releases.

@​tanstack/react-query-devtools@​5.100.6

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-devtools@​5.100.6
  • @​tanstack/react-query@​5.100.6

@​tanstack/react-query-devtools@​5.100.5

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-devtools@​5.100.5
  • @​tanstack/react-query@​5.100.5

@​tanstack/react-query-devtools@​5.100.4

Patch Changes

• fix(devtools): change onClose callback type from () => unknown to () => void (#10118)

• Updated dependencies [3d1a62e]:

  • @​tanstack/query-devtools@​5.100.4
  • @​tanstack/react-query@​5.100.4

@​tanstack/react-query-devtools@​5.100.3

Patch Changes

• Updated dependencies [f85d825]:
  • @​tanstack/react-query@​5.100.3
  • @​tanstack/query-devtools@​5.100.3

@​tanstack/react-query-devtools@​5.100.2

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-devtools@​5.100.2
  • @​tanstack/react-query@​5.100.2

Changelog

Sourced from @​tanstack/react-query-devtools's changelog.

5.100.6

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-devtools@​5.100.6
  • @​tanstack/react-query@​5.100.6

5.100.5

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-devtools@​5.100.5
  • @​tanstack/react-query@​5.100.5

5.100.4

Patch Changes

• fix(devtools): change onClose callback type from () => unknown to () => void (#10118)

• Updated dependencies [3d1a62e]:

  • @​tanstack/query-devtools@​5.100.4
  • @​tanstack/react-query@​5.100.4

5.100.3

Patch Changes

• Updated dependencies [f85d825]:
  • @​tanstack/react-query@​5.100.3
  • @​tanstack/query-devtools@​5.100.3

5.100.2

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-devtools@​5.100.2
  • @​tanstack/react-query@​5.100.2

5.100.1

Patch Changes

• Updated dependencies []:
  • @​tanstack/query-devtools@​5.100.1
  • @​tanstack/react-query@​5.100.1

... (truncated)

Commits

• 87f7ccf ci: Version Packages (#10604)
• 441204b ci: Version Packages (#10582)
• 55afb3e ci: Version Packages (#10581)
• 3d1a62e fix(devtools): change onClose callback type from () => unknown to () … (#10118)
• fe287cc ci: Version Packages (#10579)
• 93b2845 ci: Version Packages (#10575)
• 2f9527e ci: Version Packages (#10568)
• ad517e5 ci: Version Packages (#10567)
• a3ec7b3 ci: Version Packages (#10520)
• 69d2757 ci: Version Packages (#10514)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​tanstack/react-query-devtools since your current version.

Updates @trezor/connect-web from 9.6.4 to 9.7.3

Release notes

Sourced from @​trezor/connect-web's releases.

v26.4.2@mobile

Trezor Suite 26.4.2 for Android is now available also on: https://data.trezor.io/suite/releases/mobile/v26.4.2

🚀 New features

• Full Ethereum staking: stake, unstake, claim rewards, with management dashboard
• Stellar (XLM) WalletConnect support
• Price quotes in buy flow and fiat deviation warnings on exchange
• Suite Sync labeling enabled by default, with custom relay option
• .onion Electrum server support (Tor)
• Device connection status card and unified Unpair/Forget flow
• Experimental Features screen in Settings

🎨 Improvements

• Discreet mode now hides amounts in send form
• “Send max” redesigned as a toggle; send flow cancels on disconnect
• Collapsed fee sections across send, trade, and staking
• Enhanced phishing protection (fake tokens, dust filtering, manual overrides)
• Dynamic XRP reserve messaging
• Improved trading UX (approval flows, fiat indicators, currency picker, UI consistency)
• Updated design system components, icons, and responsiveness
• Suite Sync analytics and quota handling improvements

🔧 Bug fixes

• Fixed UI/layout issues (keyboard overlap, clipped elements, text overflow)
• Fixed incorrect token visibility and phishing token reporting
• Fixed send flow issues (send max, balance handling)
• Fixed crashes (staking validators, rate indexing, background state)
• Fixed swap/trade issues (account mismatch, stale data, input resets, refresh failures)
• Fixed Suite Sync initialization, connection, and persistence issues
• Fixed device connectivity, onboarding, and platform-specific issues (iOS/Android)
• Fixed rendering issues (theme switching, animations, shadows)

v26.3.3@mobile

Trezor Suite 26.3.3 for Android is now available also on: https://data.trezor.io/suite/releases/mobile/v26.3.3

🚀 New features

• Fiat values are now displayed during trading for clearer transaction insights.

🎨 Improvements

• Fixed an issue where the keyboard could overlap parts of the interface.

🔧 Bug fixes

• Fixed wallet backup type selection during onboarding.
• Fixed an issue where an XPUB could be shown before confirmation.

... (truncated)

Commits

• See full diff in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​trezor/connect-web since your current version.

Install script changes

This version modifies prepublish script that runs during installation. Review the package contents before updating.

Updates bignumber.js from 9.3.1 to 11.1.0

Release notes

Sourced from bignumber.js's releases.

v11.1.0 adds a few useful improvements around formatting, parsing, rounding, and interoperability.

BigNumber.sum() now returns zero when called with no arguments, which makes patterns like BigNumber.sum(...arr) work cleanly even when the array is empty.

BigNumber.sum(...[]).toString()      // "0"

toBigInt() has been added, so BigNumber values can now be converted directly to native BigInt values.

new BigNumber("123.9").toBigInt(BigNumber.ROUND_DOWN)        // 123n

There is also a new BigNumber.fromFormat() method for parsing formatted strings back into BigNumber values.

const options =  {  prefix: "€",  groupSeparator: ".",  decimalSeparator: "," }
BigNumber.fromFormat("€1.234.567,89", options).toString()      // "1234567.89"

Negative decimal places are now supported by decimalPlaces(), toFixed(), and toFormat(), making it easier to round to tens, hundreds, and thousands etc.

new BigNumber("1234.5").toFormat(-2)      // "1,200"

toFormat() has also been expanded to support minimum and maximum decimal places, and per-call formatting options now fall back to the configured global FORMAT values for anything not explicitly overridden.

new BigNumber("12.3456789").toFormat([2, 5])      // "12.34568"

This release also includes a fix for slow hexadecimal integer base conversion when DECIMAL_PLACES is very large, plus improved TypeScript API test coverage.

Changelog

Sourced from bignumber.js's changelog.

11.1.0

• 30/04/26
• #401 BigNumber.sum: return zero if there are no arguments.
• #352 Add toBigInt method.
• #286 Add fromFormat method.
• #262 decimalPlaces, toFixed and toFormat: support negative decimal places.
• #260 toFormat: support minimum/maximum decimal places.
• toFormat: fallback to FORMAT for each property not in options.
• [BUGFIX] #342 Large DECIMAL_PLACES causing slow hex integer base conversion.
• Typescript: add test_api.ts to improved typed API test coverage.

11.0.0

• 14/04/26
• Add STRICT configuration option: if true (default), throw an exception on invalid input. if false, return NaN on invalid input.
• toFraction: return [1, 0] for Infinity and [0, 0] for NaN.
• Support underscores as separators.
• If a base is supplied, reject non-finite values and base prefixes.

10.0.2

• 24/02/26
• Reinstate README.md links.

10.0.1

• 24/02/26
• Commit dist folder.

10.0.0

• 23/02/26
• Implement targeted builds for ES modules, CommonJS, and browser (global assignment).
• Add CI workflow.
• Add type declaration import tests.
• Remove BigNumber.DEBUG, so the behaviour is now always as if it was true: throw on invalid input instead of returning NaN, and always validate the c, e, and s properties of objects passed to isBigNumber
• Don't call toString on any arbitrary object passed to the constructor.
• Require a BigNumber value to be a string if a base is also passed.
• Add toObject prototype method which returns a plain object with c, e, and s properties.
• Remove .npmignore, as files in package.json is used. Add .gitignore.
• Normalise line endings and add .gitattributes.
• Add typescript to devDependencies.

Commits

• 2f0e7de v11.1.0
• e06dfc2 Implement fromFormat. toFormat: support [min, max] decimal places.
• 128ad3a #262 decimalPlaces: accept a negative decimal places count.
• 85482a3 #352 Add toBigInt method.
• aa2cfdb BigNumber.sum: return zero if there are no arguments
• 1b09c08 v11.0.0
• aceb0d2 Support underscores as separators. Refactor constructor.
• c727743 toFraction: return array for non-finite values also.
• 4a270f4 Implement STRICT configuration option.
• a56f9e0 v10.0.2
• Additional commits viewable in compare view

Updates dompurify from 3.2.6 to 3.4.2

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.2

• Fixed an issue with URI validation on attributes allowed via ADD_ATTR callback, thanks @​nelstrom
• Fixed an issue with source maps referring to non-existing files, thanks @​cmdcolin
• Updated existing workflows, fuzzer, release signing, etc., added more tests
• Bumped several dependencies where possible

DOMPurify 3.4.1

• Fixed an issue with on-handler stripping for HTML-spec-reserved custom element names (font-face, color-profile, missing-glyph, font-face-src, font-face-uri, font-face-format, font-face-name) under permissive CUSTOM_ELEMENT_HANDLING
• Fixed a case-sensitivity gap in the annotation-xml check that allowed mixed-case variants to bypass the basic-custom-element exclusion in XHTML mode
• Fixed SANITIZE_NAMED_PROPS repeatedly prefixing already-prefixed id and name values on subsequent sanitiz...

  Description has been truncated

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	next@​15.5.14 ⏵ 16.2.4		+16		+1
	eslint-config-next@​15.4.4 ⏵ 16.2.4	+1		+3
	jest@​30.2.0 ⏵ 30.3.0	+1		+1
	@​tanstack/​react-query-devtools@​5.87.4 ⏵ 5.100.6	+1		+1	+3
	@​next/​eslint-plugin-next@​15.5.3 ⏵ 16.2.4
	@​types/​papaparse@​5.3.16 ⏵ 5.5.2	+1		+1
	@​stellar-expert/​contract-wasm-interface-parser@​4.0.0 ⏵ 4.1.0	+1		+1	+1
	lodash@​4.17.21 ⏵ 4.18.1	+1	+19	+1
	@​amplitude/​analytics-browser@​2.23.7 ⏵ 2.42.0	-21		+1
	@​types/​lodash@​4.17.20 ⏵ 4.17.24	+1		+1
	zustand-querystring@​0.0.19 ⏵ 0.7.0	+1		+10	+16
	@​typescript-eslint/​eslint-plugin@​8.43.0 ⏵ 8.59.1	+1		+1
	@​types/​node@​24.3.1 ⏵ 25.6.0
	@​next/​third-parties@​15.5.7 ⏵ 16.2.4	+1		+1
	lossless-json@​4.2.0 ⏵ 4.3.0	+1		+1
	@​creit.tech/​stellar-wallets-kit@​1.9.5 ⏵ 2.1.0	+3		-1	+2
	immer@​10.1.3 ⏵ 11.1.4	+1		+1
	bignumber.js@​11.1.0
	@​tanstack/​react-query@​5.87.4 ⏵ 5.100.6			+1
	eslint@​9.35.0 ⏵ 10.2.1	+1
	typescript@​5.9.2 ⏵ 6.0.3	+1		+1
	prettier@​3.6.2 ⏵ 3.8.3			+1
	@​trezor/​connect-web@​9.6.4 ⏵ 9.7.3				+1
	dompurify@​3.2.6 ⏵ 3.4.2	+2	+31
	@​sentry/​nextjs@​10.29.0 ⏵ 10.51.0	-6		+1
	lint-staged@​16.1.6 ⏵ 16.4.0	+1
	html-react-parser@​5.2.6 ⏵ 6.0.1			+1
	uuid@​9.0.1 ⏵ 14.0.0	+1	+2		+43
	sass@​1.92.1 ⏵ 1.99.0	+1
	@​ledgerhq/​hw-app-str@​7.2.9 ⏵ 7.7.1	-1			+1
	eslint-plugin-react-hooks@​5.2.0 ⏵ 7.1.1	+3
	@​playwright/​test@​1.57.0 ⏵ 1.59.1
See 1 more rows in the dashboard

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm @amplitude/plugin-autocapture-browser is 70.0% likely obfuscated Confidence: 0.70 Location: Package overview From: pnpm-lock.yaml → npm/@amplitude/analytics-browser@2.42.0 → npm/@amplitude/plugin-autocapture-browser@1.27.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@amplitude/plugin-autocapture-browser@1.27.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @ethereumjs/rlp under MPL-2.0 Location: Package overview From: pnpm-lock.yaml → npm/@creit.tech/stellar-wallets-kit@2.1.0 → npm/@trezor/connect-web@9.7.3 → npm/@trezor/connect-plugin-stellar@9.2.3 → npm/@ethereumjs/rlp@10.1.1 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ethereumjs/rlp@10.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @ethereumjs/tx under MPL-2.0 Location: Package overview From: pnpm-lock.yaml → npm/@creit.tech/stellar-wallets-kit@2.1.0 → npm/@trezor/connect-web@9.7.3 → npm/@trezor/connect-plugin-stellar@9.2.3 → npm/@ethereumjs/tx@10.1.1 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ethereumjs/tx@10.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @ethereumjs/util under MPL-2.0 Location: Package overview From: pnpm-lock.yaml → npm/@creit.tech/stellar-wallets-kit@2.1.0 → npm/@trezor/connect-web@9.7.3 → npm/@trezor/connect-plugin-stellar@9.2.3 → npm/@ethereumjs/util@10.1.1 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ethereumjs/util@10.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @lobstrco/signer-extension-api under GPL-3.0 License: GPL-3.0 - The applicable license policy does not permit this license (5) (npm metadata) License: GPL-3.0 - The applicable license policy does not permit this license (5) (package/package.json) From: pnpm-lock.yaml → npm/@creit.tech/stellar-wallets-kit@2.1.0 → npm/@lobstrco/signer-extension-api@2.0.0 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@lobstrco/signer-extension-api@2.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @sentry/cli under LicenseRef-FSL-1.1-MIT License: LicenseRef-FSL-1.1-MIT - The applicable license policy does not permit this license (5) (package/LICENSE) From: pnpm-lock.yaml → npm/@sentry/nextjs@10.51.0 → npm/@sentry/cli@2.58.5 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/cli@2.58.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @trezor/blockchain-link under LicenseRef-T-RSL License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md) From: pnpm-lock.yaml → npm/@creit.tech/stellar-wallets-kit@2.1.0 → npm/@trezor/blockchain-link@2.6.1 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/blockchain-link@2.6.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @trezor/blockchain-link under LicenseRef-T-RSL License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md) From: pnpm-lock.yaml → npm/@creit.tech/stellar-wallets-kit@2.1.0 → npm/@trezor/connect-web@9.7.3 → npm/@trezor/connect-plugin-stellar@9.2.3 → npm/@trezor/blockchain-link@2.6.2 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/blockchain-link@2.6.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @trezor/connect-common under LicenseRef-T-RSL License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md) From: pnpm-lock.yaml → npm/@creit.tech/stellar-wallets-kit@2.1.0 → npm/@trezor/connect-web@9.7.3 → npm/@trezor/connect-plugin-stellar@9.2.3 → npm/@trezor/connect-common@0.5.1 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/connect-common@0.5.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @trezor/connect-plugin-stellar under LicenseRef-T-RSL License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md) From: pnpm-lock.yaml → npm/@creit.tech/stellar-wallets-kit@2.1.0 → npm/@trezor/connect-plugin-stellar@9.2.6 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/connect-plugin-stellar@9.2.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @trezor/connect-web under LicenseRef-T-RSL License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md) From: pnpm-lock.yaml → npm/@creit.tech/stellar-wallets-kit@2.1.0 → npm/@trezor/connect-web@9.7.2 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/connect-web@9.7.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @trezor/connect-web under LicenseRef-T-RSL License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md) From: package.json → npm/@trezor/connect-web@9.7.3 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/connect-web@9.7.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @trezor/connect under LicenseRef-T-RSL License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md) From: pnpm-lock.yaml → npm/@creit.tech/stellar-wallets-kit@2.1.0 → npm/@trezor/connect@9.7.2 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/connect@9.7.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @trezor/connect under LicenseRef-T-RSL License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md) From: pnpm-lock.yaml → npm/@creit.tech/stellar-wallets-kit@2.1.0 → npm/@trezor/connect-web@9.7.3 → npm/@trezor/connect-plugin-stellar@9.2.3 → npm/@trezor/connect@9.7.3 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/connect@9.7.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @trezor/transport under LicenseRef-T-RSL License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md) From: pnpm-lock.yaml → npm/@creit.tech/stellar-wallets-kit@2.1.0 → npm/@trezor/transport@1.6.2 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/transport@1.6.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @trezor/transport under LicenseRef-T-RSL License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md) From: pnpm-lock.yaml → npm/@creit.tech/stellar-wallets-kit@2.1.0 → npm/@trezor/connect-web@9.7.3 → npm/@trezor/connect-plugin-stellar@9.2.3 → npm/@trezor/transport@1.6.3 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/transport@1.6.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @trezor/utils under LicenseRef-T-RSL License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md) From: pnpm-lock.yaml → npm/@creit.tech/stellar-wallets-kit@2.1.0 → npm/@trezor/connect-web@9.7.3 → npm/@trezor/connect-plugin-stellar@9.2.3 → npm/@trezor/utils@9.5.0 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/utils@9.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm @trezor/utxo-lib under LicenseRef-T-RSL License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md) From: pnpm-lock.yaml → npm/@creit.tech/stellar-wallets-kit@2.1.0 → npm/@trezor/connect-web@9.7.3 → npm/@trezor/connect-plugin-stellar@9.2.3 → npm/@trezor/utxo-lib@2.5.0 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/utxo-lib@2.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm axe-core under MIT AND MPL-2.0 Location: Package overview From: pnpm-lock.yaml → npm/eslint-config-next@16.2.4 → npm/axe-core@4.11.4 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axe-core@4.11.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm next Location: Package overview From: package.json → npm/next@16.2.4 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/next@16.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm rpc-websockets under LGPL-3.0-only Location: Package overview From: pnpm-lock.yaml → npm/@creit.tech/stellar-wallets-kit@2.1.0 → npm/rpc-websockets@9.3.8 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/rpc-websockets@9.3.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm typescript under MIT-Khronos-old License: MIT-Khronos-old - The applicable license policy does not permit this license (5) (package/ThirdPartyNoticeText.txt) License: LicenseRef-W3C-Community-Final-Specification-Agreement - The applicable license policy does not permit this license (5) (package/ThirdPartyNoticeText.txt) From: package.json → npm/typescript@6.0.3 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/typescript@6.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm ua-parser-js under AGPL-3.0-or-later License: AGPL-3.0-or-later - The applicable license policy does not permit this license (5) (npm metadata) License: AGPL-3.0-or-later - The applicable license policy does not permit this license (5) (package/package.json) License: AGPL-3.0-or-later - The applicable license policy does not permit this license (5) (package/LICENSE.md) From: pnpm-lock.yaml → npm/@creit.tech/stellar-wallets-kit@2.1.0 → npm/@trezor/connect-web@9.7.3 → npm/@trezor/connect-plugin-stellar@9.2.3 → npm/ua-parser-js@2.0.9 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ua-parser-js@2.0.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		License policy violation: npm usb under GPL-1.0-only License: GPL-1.0-only - The applicable license policy does not permit this license (5) (package/libusb/examples/ezusb.h) License: GPL-1.0-only - The applicable license policy does not permit this license (5) (package/libusb/examples/ezusb.c) License: GPL-1.0-only - The applicable license policy does not permit this license (5) (package/libusb/examples/fxload.c) From: pnpm-lock.yaml → npm/@creit.tech/stellar-wallets-kit@2.1.0 → npm/@trezor/connect-web@9.7.3 → npm/@trezor/connect-plugin-stellar@9.2.3 → npm/usb@2.17.0 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/usb@2.17.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report