Bump the all-dependencies group across 1 directory with 32 updates#2091

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/all-dependencies-3fa6f14907

Conversation

dependabot Bot commented on behalf of github on May 15, 2026

Bumps the all-dependencies group with 28 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| @amplitude/analytics-browser | 2.23.7 | 2.42.3 |
| @creit.tech/stellar-wallets-kit | 1.9.5 | 2.2.0 |
| @ledgerhq/hw-app-str | 7.2.9 | 7.7.2 |
| @ledgerhq/hw-transport-webhid | 6.30.9 | 6.35.2 |
| @next/third-parties | 15.5.7 | 16.2.6 |
| @sentry/nextjs | 10.29.0 | 10.53.1 |
| @stellar/stellar-sdk | 15.0.1 | 15.1.0 |
| @tanstack/react-query | 5.87.4 | 5.100.10 |
| @tanstack/react-query-devtools | 5.87.4 | 5.100.10 |
| @trezor/connect-web | 9.6.4 | 9.7.3 |
| bignumber.js | 9.3.1 | 11.1.1 |
| html-react-parser | 5.2.6 | 6.1.0 |
| immer | 10.1.3 | 11.1.8 |
| lossless-json | 4.2.0 | 4.3.0 |
| zustand-querystring | 0.0.19 | 0.7.0 |
| @next/eslint-plugin-next | 15.5.3 | 16.2.6 |
| @playwright/test | 1.57.0 | 1.60.0 |
| @types/node | 24.3.1 | 25.8.0 |
| @types/papaparse | 5.3.16 | 5.5.2 |
| @typescript-eslint/eslint-plugin | 8.43.0 | 8.59.3 |
| eslint | 9.35.0 | 10.4.0 |
| eslint-config-next | 15.4.4 | 16.2.6 |
| eslint-plugin-react-hooks | 5.2.0 | 7.1.1 |
| jest | 30.2.0 | 30.4.2 |
| lint-staged | 16.1.6 | 17.0.4 |
| prettier | 3.6.2 | 3.8.3 |
| sass | 1.92.1 | 1.99.0 |
| typescript | 5.9.2 | 6.0.3 |

Updates @amplitude/analytics-browser from 2.23.7 to 2.42.3

Release notes

Sourced from @​amplitude/analytics-browser's releases.

@​amplitude/analytics-browser@​2.42.3

2.42.3 (2026-05-13)

Note: Version bump only for package @​amplitude/analytics-browser

@​amplitude/analytics-browser@​2.42.2

2.42.2 (2026-05-11)

Bug Fixes

  • analytics-browser: remove plugin-session-replay-browser template (#1746) (809abdc)

@​amplitude/analytics-browser@​2.42.1

2.42.1 (2026-05-05)

Bug Fixes

  • analytics-browser: make autocapture opt-in within Chrome Extension (#1710) (de5ff6e)

@​amplitude/analytics-browser@​2.42.1-sr-idb-multitab-test-rc.0

2.42.1-sr-idb-multitab-test-rc.0 (2026-05-04)

Bug Fixes

  • analytics-browser: make autocapture opt-in within Chrome Extension (#1710) (de5ff6e)

@​amplitude/analytics-browser@​2.42.0

2.42.0 (2026-04-28)

Features

  • remove experimental request body compression backdoor (#1699) (98ecb9d)

@​amplitude/analytics-browser@​2.41.1

2.41.1 (2026-04-22)

Note: Version bump only for package @​amplitude/analytics-browser

@​amplitude/analytics-browser@​2.39.2

2.39.2 (2026-05-06)

Bug Fixes

... (truncated)

Commits
  • e41b5de chore(release): publish
  • 27d4ddd fix(analytics-react-native): use node test environment for mobile and bump an...
  • a736be2 fix(autocapture): fix stale URL storage for MPAs, also for leave-and-returns ...
  • b95e10e chore(release): publish
  • cf8f806 fix(session-replay-browser): wait for remote config to avoid stale cache race...
  • e944a13 fix(plugin-session-replay-browser): forward crossOriginIframes to underlying ...
  • 3b5e0ce chore(release): publish
  • 809abdc fix(analytics-browser): remove plugin-session-replay-browser template (#1746)
  • 2074862 chore(release): publish
  • 1ef7bc8 fix(session-replay-browser): honor X-Session-Replay-Event-Skipped server back...
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​amplitude/analytics-browser since your current version.


Updates @creit.tech/stellar-wallets-kit from 1.9.5 to 2.2.0

Release notes

Sourced from @​creit.tech/stellar-wallets-kit's releases.

v2.2.0

2.2.0 (2026-05-08)

Add

  • Adds Fordefi module
  • Adds Cactus Link module

Changes

  • Update WalletConnect Freighter's ID

v2.1.0

2.1.0 (2026-03-30)

add

  • Include PR 84 - adds signAndSubmitTransaction method
  • Add new method fetchAddress

v2.0.1

2.0.1 (2026-03-11)

Changes

  • Update the recently included Bitget module
  • Include PRs 85 and 86

v2.0.0

2.0.0 (2026-02-11)

Changes

  • Full refactor of the whole repository (with breaking changes)
  • Migrate into a full Deno repository with NPM builds for compatibility
  • Separate the UI, the state, and the SDK
    • The UI (modal, buttons, etc) is now using Preact with HTM instead of Lit
    • The SDK (the class StellarWalletsKit) is now a regular Deno library
    • The state part of the SDK is being used by both the UI and the SDK
  • The UI now uses a series of CSS variables that can be defined by developers to personalize the complete UI (the SDK makes this process easier)
  • The SDK internal state is now using the small preact/signals library instead of RxJS (aiming to reduce the kit's size)
  • The SDK now exports the internal state so developers can update it directly if they need to (tho, still not recommended)
  • We included 3 simple examples using vite-preact, vite-react, and create-react-app so developers can see how to use the library
  • The components used in the library can now be created separately if needed (but like the internal state, not recommended)
  • The openModal method was removed, and we now have authModal. This new method works as a regular Promise, and it returns the address after the user has picked their selected wallet

... (truncated)

Changelog

Sourced from @​creit.tech/stellar-wallets-kit's changelog.

2.2.0 (2026-05-08)

Add

  • Adds Fordefi module
  • Adds Cactus Link module

Changes

  • Update WalletConnect Freighter's ID

2.1.0 (2026-03-30)

add

  • Include PR 84 - adds signAndSubmitTransaction method
  • Add new method fetchAddress

2.0.1 (2026-03-11)

Changes

  • Update the recently included Bitget module
  • Include PRs 85 and 86

2.0.0 (2026-02-11)

Changes

  • Full refactor of the whole repository (with breaking changes)
  • Migrate into a full Deno repository with NPM builds for compatibility
  • Separate the UI, the state, and the SDK
    • The UI (modal, buttons, etc) is now using Preact with HTM instead of Lit
    • The SDK (the class StellarWalletsKit) is now a regular Deno library
    • The state part of the SDK is being used by both the UI and the SDK
  • The UI now uses a series of CSS variables that can be defined by developers to personalize the complete UI (the SDK makes this process easier)
  • The SDK internal state is now using the small preact/signals library instead of RxJS (aiming to reduce the kit's size)
  • The SDK now exports the internal state so developers can update it directly if they need to (tho, still not recommended)
  • We included 3 simple examples using vite-preact, vite-react, and create-react-app so developers can see how to use the library
  • The components used in the library can now be created separately if needed (but like the internal state, not recommended)
  • The openModal method was removed, and we now have authModal. This new method works as a regular Promise, and it returns the address after the user has picked their selected wallet
  • A new profile page is added to the kit's modal, so in the future, we will allow having multiple accounts and wallets connected, so users can switch between accounts directly from the website instead of needing to check their wallets.
  • Include a new logic for events updates from the kit, developers can `subscribe` to updates from the kit, like changes in the selected address, network, module, or disconnections.

... (truncated)

Commits
  • ae75e0b Update to v2.2.0
  • b882f46 Adding requestAccess logic to the cactus link module
  • cef6bbc Merge pull request #87 from olekon/fordefi-wallet-module
  • f7f7da0 Merge branch 'main' into fordefi-wallet-module
  • 5a0786f Merge pull request #88 from mycactus/cactuslink-wallet-module
  • 5c6fafb Merge pull request #89 from CassioMG/fix/freighter-wc-explorer-id
  • 73d3f84 fix: update Freighter WalletConnect Explorer id to match live listing
  • f501f0c Feat: Add Cactus Link wallet module
  • a296016 Add fordefi wallet module
  • a5b29ec Fix wallet-connect.module.ts
  • Additional commits viewable in compare view

Updates @ledgerhq/hw-app-str from 7.2.9 to 7.7.2

Commits

Updates @ledgerhq/hw-transport-webhid from 6.30.9 to 6.35.2

Commits
  • 74f4ff1 Merge hotfix into main
  • f943585 chore(hotfix): 🔥 hotfix release [skip ci]
  • ccd56ec Merge pull request #17220 from LedgerHQ/fix/mise-sparse-checkout
  • de61ee7 fix(ci): add .mise/tasks to mobile workflow sparse checkouts
  • b931873 chore(hotfix): 🔥 hotfix prerelease [LLD(4.3.1-hotfix.0), LLM(4.3.1-hotfi...
  • 44bbc5c Merge pull request #17154 from LedgerHQ/fix/live-30269
  • 202cc42 fix: handle new bootloader CLA_NOT_SUPPORTED error code in LWM
  • a7bbcb8 chore(hotfix) 🚀 entering hotfix mode
  • d0f0192 Merge release into main
  • bb2fa99 chore(release): 🚀 prepare release [skip ci]
  • Additional commits viewable in compare view

Updates @next/third-parties from 15.5.7 to 16.2.6

Release notes

Sourced from @​next/third-parties's releases.

v16.2.6

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

Moderate:

Low:

Core Changes

  • fix: preserve HTTP access fallbacks during prerender recovery (#92231)
  • Fix fallback route params case in app-page handler (#91737)
  • Fix invalid HTML response for route-level RSC requests in deployment adapter (#91541)
  • Patch setHeader for direct route handlers (#93101)
  • Include deployment id in cacheHandlers keys (#93453)
  • Fix double-encoding of URL pathname parts in client param parsing (#93491)

v16.2.5

[!NOTE] This release contains security fixes and backported bug fixes. It does not include all pending features/changes on canary.

Security Fixes

The following advisories have been addressed:

High:

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​next/third-parties since your current version.


Updates @sentry/nextjs from 10.29.0 to 10.53.1

Release notes

Sourced from @​sentry/nextjs's releases.

10.53.1

  • fix(core): Don't gate user data for streamed spans at scope read time (#20827)
  • fix(core): Include subpath type shims in published package (#20835)
  • ref(hono): Consolidate route patching and add clarification comments (#20829)
  • chore(deps): Bump next from 15.5.15 to 15.5.18 in /dev-packages/e2e-tests/test-applications/nextjs-15-intl (#20821)

Bundle size 📦

| Path | Size |
| --- | --- |
| @sentry/browser | 26.22 KB |
| @sentry/browser - with treeshaking flags | 24.69 KB |
| @sentry/browser (incl. Tracing) | 43.69 KB |
| @sentry/browser (incl. Tracing + Span Streaming) | 45.62 KB |
| @sentry/browser (incl. Tracing, Profiling) | 48.56 KB |
| @sentry/browser (incl. Tracing, Replay) | 82.4 KB |
| @sentry/browser (incl. Tracing, Replay) - with treeshaking flags | 72.08 KB |
| @sentry/browser (incl. Tracing, Replay with Canvas) | 86.99 KB |
| @sentry/browser (incl. Tracing, Replay, Feedback) | 99.33 KB |
| @sentry/browser (incl. Feedback) | 43 KB |
| @sentry/browser (incl. sendFeedback) | 30.92 KB |
| @sentry/browser (incl. FeedbackAsync) | 35.91 KB |
| @sentry/browser (incl. Metrics) | 27.27 KB |
| @sentry/browser (incl. Logs) | 27.42 KB |
| @sentry/browser (incl. Metrics & Logs) | 28.08 KB |
| @sentry/react | 27.92 KB |
| @sentry/react (incl. Tracing) | 45.9 KB |
| @sentry/vue | 31.01 KB |
| @sentry/vue (incl. Tracing) | 45.5 KB |
| @sentry/svelte | 26.24 KB |
| CDN Bundle | 28.55 KB |
| CDN Bundle (incl. Tracing) | 46.04 KB |
| CDN Bundle (incl. Logs, Metrics) | 29.89 KB |
| CDN Bundle (incl. Tracing, Logs, Metrics) | 47.14 KB |
| CDN Bundle (incl. Replay, Logs, Metrics) | 68.3 KB |
| CDN Bundle (incl. Tracing, Replay) | 82.55 KB |
| CDN Bundle (incl. Tracing, Replay, Logs, Metrics) | 83.6 KB |
| CDN Bundle (incl. Tracing, Replay, Feedback) | 88.23 KB |
| CDN Bundle (incl. Tracing, Replay, Feedback, Logs, Metrics) | 89.3 KB |
| CDN Bundle - uncompressed | 83.97 KB |
| CDN Bundle (incl. Tracing) - uncompressed | 138.12 KB |
| CDN Bundle (incl. Logs, Metrics) - uncompressed | 88.07 KB |
| CDN Bundle (incl. Tracing, Logs, Metrics) - uncompressed | 141.5 KB |
| CDN Bundle (incl. Replay, Logs, Metrics) - uncompressed | 209.97 KB |

... (truncated)

Changelog

Sourced from @​sentry/nextjs's changelog.

10.53.1

  • fix(core): Don't gate user data for streamed spans at scope read time (#20827)
  • fix(core): Include subpath type shims in published package (#20835)
  • ref(hono): Consolidate route patching and add clarification comments (#20829)
  • chore(deps): Bump next from 15.5.15 to 15.5.18 in /dev-packages/e2e-tests/test-applications/nextjs-15-intl (#20821)

10.53.0

Important Changes

  • feat(core): Add streamGenAiSpans options to stream gen_ai spans (#20785)

    Adds a new streamGenAiSpans option that controls how gen_ai spans are sent to Sentry. When set, the SDK extracts all gen_ai spans out of a transaction and sends them as v2 envelope items.

    Enable this option if gen_ai spans are being dropped because the transaction payload exceeds size limits.

    Sentry.init({
      dsn: 'https://examplePublicKey@o0.ingest.sentry.io/0',
      streamGenAiSpans: true,
    });

Other Changes

  • feat(browser): Migrate browser profiling thread data to span attributes (#20800)
  • feat(core): Add addConsoleInstrumentationFilter utility (#20790)
  • feat(core): Add applicationKey to BuildTimeOptionsBase (#20789)
  • feat(core): split exports by browser/server for bundle size (#20435)
  • feat(nextjs): Add top-level applicationKey option (#20794)
  • feat(node): Support Node 26 (#20710)
  • feat(profiling-node): Bump @sentry-internal/node-cpu-profiler to 2.4.0 (#20720)
  • fix(cloudflare): avoid flush lock self-wait (#20719)
  • fix(hono): Capture transaction name on request for correct culprit (#20801)
  • fix(mcp): retroactively wrap handlers registered before wrapMcpServerWithSentry (#20699)
  • fix(node-core): Guard against undefined util.getSystemErrorMap (#20660)
  • fix(replay): Capture aborted/errored fetch requests in replay network tab (#20722)

... (truncated)

Commits
  • cd97408 release: 10.53.1
  • 66cfb25 Merge pull request #20838 from getsentry/prepare-release/10.53.1
  • df8fd38 meta(changelog): Update changelog for 10.53.1
  • 5881009 fix(core): Include subpath type shims in published package (#20835)
  • 6a7d179 fix(core): Don't gate user data for streamed spans at scope read time (#20827)
  • ad47c3c ref(hono): Consolidate route patching and add clarification comments (#20829)
  • 28d6fe5 Merge pull request #20826 from getsentry/master
  • 46aca45 Merge branch 'release/10.53.0'
  • b5cbc9c chore(deps): Bump next from 15.5.15 to 15.5.18 in /dev-packages/e2e-tests/tes...
  • 05489b8 release: 10.53.0
  • Additional commits viewable in compare view

Updates @stellar/stellar-sdk from 15.0.1 to 15.1.0

Release notes

Sourced from @​stellar/stellar-sdk's releases.

v15.1.0

v15.1.0

Fixed

  • Security: FederationServer.createForDomain and the FederationServer constructor now validate domains per RFC 1035, rejecting malformed domains before issuing federation or stellar.toml requests. Port numbers are also accepted (#1393).
  • RpcServer.pollTransaction off-by-one: the polling loop used < instead of <=, causing one fewer attempt than configured (#1373).
  • requestAirdrop error path: fixed incorrect property access (error.response.detail instead of error.response.data.detail) when checking for createAccountAlreadyExist (#1373).
  • Spec.typeRef now properly handles scSpecTypeResult by returning the JSON schema for the okType, instead of silently breaking out of the switch (#1373).
  • structToJsonSchema now places additionalProperties: false on the schema object itself rather than incorrectly nesting it inside properties (#1373).
  • Fixed bigint-to-U32/I32 conversion in Spec using Number(val) instead of val as number (a no-op for bigints) (#1373).
  • WASM custom section parser: when a section was skipped (invalid name length), the offset was not advanced, causing an infinite loop or incorrect parsing of subsequent sections (#1373).
  • FederationServer URL mutation: resolveAddress, resolveAccountId, and resolveTransactionId mutated the shared serverURL by appending query params on each call. Fixed by cloning the URL before modifying (#1373).
  • CallBuilder.stream() URL mutation: stream() mutated the shared this.url by adding query params, corrupting the builder for subsequent calls. Fixed by cloning the URL (#1373).
  • AssembledTransaction restore path: when buildWithOp was used and automatic state restoration was needed, the rebuild incorrectly reconstructed the operation via contract.call() instead of reusing the original operation (#1373).
  • SERVER_TIME_MAP port collision: the Horizon time-sync cache keyed entries by hostname only, so two servers on different ports of the same host shared a cache entry. Fixed by including the port in the key (#1373).
  • Spec.funcResToNative now correctly returns an Err instance when a contract function with a Result return type returns an error, instead of throwing while decoding it as the Ok type (#1373).
  • SEP-10: verifyChallengeTxSigners now rejects challenges signed only by the server and client_domain key with no actual client signer, instead of returning an empty signers list (#1372).
  • getAssetBalance used incorrect flag bitmask constants (AuthRequiredFlag, AuthRevocableFlag, AuthClawbackEnabledFlag) which are account-level flags, not trustline-level flags. Replaced with the correct trustline flag bitmasks (0x1, 0x2, 0x4) (#1372).
  • AssembledTransaction.simulate did not clear this.built before re-simulating after a state restoration rebuild, causing it to assemble stale transaction data (#1372).
  • AssembledTransaction.signAndSend mutated the shared this.options.submit flag to prevent double submission. Replaced with a wrapper around signTransaction that injects submit: false without mutating shared state (#1372).
  • Fetch HTTP client: async request interceptors were not awaited — the synchronous try/catch loop passed unresolved promise objects as the config. Replaced with a proper .then() chain matching Axios interceptor semantics (#1372).
  • Fetch HTTP client: cancellation now preserves custom cancel reasons and isCancel no longer depends on exact error-message text (#1390).
  • Fetch HTTP client: instance default headers and params now merge correctly with per-request overrides on the no-axios / minimal builds, including requests that use bounded options (#1390).
  • Fetch HTTP client: maxRedirects and maxContentLength were silently ignored on the no-axios / minimal builds, turning SDK-set SSRF and DoS guards (StellarToml.Resolver.resolve, FederationServer) into no-ops. A new bounded adapter activates when either option is set, refusing redirects past maxRedirects and streaming the response body with a running-total check so oversized responses abort mid-stream (#1390).
  • Fetch HTTP client: the no-axios bounded path now more closely matches Axios behavior for object request bodies, baseURL, timeout errors, redirect method/body handling, and stripping credential-bearing headers on cross-origin redirects (#1390).
  • src/bindings/config.ts imported ../../package.json with a relative path that resolved incorrectly for the lib/no-axios/ and lib/minimal/ build outputs, making those libs unloadable. Replaced with the __PACKAGE_VERSION__ compile-time define (#1390).
  • Updated the production axios dependency from 1.14.0 to 1.15.0 (#1381).

Added

  • AccountResponse constructor now uses explicit field-by-field assignment instead of Object.entries dynamic assignment for type safety (#1373).
  • Added transactions collection to Api.AccountRecord and AccountResponse (#1373).
  • Added range checks for U32/I32 values in Spec: bigint values are now validated against min/max bounds before conversion, throwing a RangeError instead of silently truncating (#1373).
  • rpc.Server.getLatestLedger() now includes closeTime, headerXdr, and metadataXdr in the typed response, with headerXdr/metadataXdr parsed into XDR objects instead of raw base64 strings (#1389).

Deprecated

  • BalanceResponse.revocable is deprecated in favor of authorizedToMaintainLiabilities, which correctly reflects the trustline flag semantics (#1372).

Full Changelog: stellar/js-stellar-sdk@v15.0.1...v15.1.0

Changelog

Sourced from @​stellar/stellar-sdk's changelog.

v15.1.0

Fixed

  • Security: FederationServer.createForDomain and the FederationServer constructor now validate domains per RFC 1035, rejecting malformed domains before issuing federation or stellar.toml requests. Port numbers are also accepted (#1393).
  • RpcServer.pollTransaction off-by-one: the polling loop used < instead of <=, causing one fewer attempt than configured (#1373).
  • requestAirdrop error path: fixed incorrect property access (error.response.detail instead of error.response.data.detail) when checking for createAccountAlreadyExist (#1373).
  • Operator precedence bug in parseSuccessful: sim.results?.length ?? 0 > 0 was parsed as ?? (0 > 0), causing simulation results and state changes to never be included in the parsed response (#1373).
  • Spec.typeRef now properly handles scSpecTypeResult by returning the JSON schema for the okType, instead of silently breaking out of the switch (#1373).
  • structToJsonSchema now places additionalProperties: false on the schema object itself rather than incorrectly nesting it inside properties (#1373).
  • Fixed bigint-to-U32/I32 conversion in Spec using Number(val) instead of val as number (a no-op for bigints) (#1373).
  • Fixed missing template literal $ in two Spec error messages that were not interpolated (#1373).
  • WASM custom section parser: when a section was skipped (invalid name length), the offset was not advanced, causing an infinite loop or incorrect parsing of subsequent sections (#1373).
  • FederationServer URL mutation: resolveAddress, resolveAccountId, and resolveTransactionId mutated the shared serverURL by appending query params on each call. Fixed by cloning the URL before modifying (#1373).
  • CallBuilder.stream() URL mutation: stream() mutated the shared this.url by adding query params, corrupting the builder for subsequent calls. Fixed by cloning the URL (#1373).
  • AssembledTransaction restore path: when buildWithOp was used and automatic state restoration was needed, the rebuild incorrectly reconstructed the operation via contract.call() instead of reusing the original operation (#1373).
  • SERVER_TIME_MAP port collision: the Horizon time-sync cache keyed entries by hostname only, so two servers on different ports of the same host shared a cache entry. Fixed by including the port in the key (#1373).
  • Spec.funcResToNative now correctly returns an Err instance when a contract function with a Result return type returns an error, instead of throwing while decoding it as the Ok type (#1373).
  • SEP-10: verifyChallengeTxSigners now rejects challenges signed only by the server and client_domain key with no actual client signer, instead of returning an empty signers list (#1372).
  • getAssetBalance used incorrect flag bitmask constants (AuthRequiredFlag, AuthRevocableFlag, AuthClawbackEnabledFlag) which are account-level flags, not trustline-level flags. Replaced with the correct trustline flag bitmasks (0x1, 0x2, 0x4) (#1372).
  • AssembledTransaction.simulate did not clear this.built before re-simulating after a state restoration rebuild, causing it to assemble stale transaction data (#1372).
  • AssembledTransaction.signAndSend mutated the shared this.options.submit flag to prevent double submission. Replaced with a wrapper around signTransaction that injects submit: false without mutating shared state (#1372).
  • Fetch HTTP client: async request interceptors were not awaited — the synchronous try/catch loop passed unresolved promise objects as the config. Replaced with a proper .then() chain matching Axios interceptor semantics (#1372).
  • Fetch HTTP client: cancellation now preserves custom cancel reasons and isCancel no longer depends on exact error-message text (#1390).
  • Fetch HTTP client: instance default headers and params now merge correctly with per-request overrides on the no-axios / minimal builds, including requests that use bounded options (#1390).
  • Fetch HTTP client: maxRedirects and maxContentLength were silently ignored on the no-axios / minimal builds, turning SDK-set SSRF and DoS guards (StellarToml.Resolver.resolve, FederationServer) into no-ops. A new bounded adapter activates when either option is set, refusing redirects past maxRedirects and streaming the response body with a running-total check so oversized responses abort mid-stream (#1390).
  • Fetch HTTP client: the no-axios bounded path now more closely matches Axios behavior for object request bodies, baseURL, timeout errors, redirect method/body handling, and stripping credential-bearing headers on cross-origin redirects (#1390).
  • src/bindings/config.ts imported ../../package.json with a relative path that resolved incorrectly for the lib/no-axios/ and lib/minimal/ build outputs, making those libs unloadable. Replaced with the __PACKAGE_VERSION__ compile-time define (#1390).
  • Updated the production axios dependency from 1.14.0 to 1.15.0 (#1381).

Added

  • AccountResponse constructor now uses explicit field-by-field assignment instead of Object.entries dynamic assignment for type safety (#1373).
  • Added transactions collection to Api.AccountRecord and AccountResponse (#1373).
  • Added range checks for U32/I32 values in Spec: bigint values are now validated against min/max bounds before conversion, throwing a RangeError instead of silently truncating (#1373).
  • rpc.Server.getLatestLedger() now includes closeTime, headerXdr, and metadataXdr in the typed response, with headerXdr/metadataXdr parsed into XDR objects instead of raw base64 strings (#1389).

Deprecated

  • BalanceResponse.revocable is deprecated in favor of authorizedToMaintainLiabilities, which correctly reflects the trustline flag semantics (#1372).
Commits

Updates @tanstack/react-query from 5.87.4 to 5.100.10

Release notes

Sourced from @​tanstack/react-query's releases.

@​tanstack/react-query-devtools@​5.100.9

Patch Changes

  • Updated dependencies [3d21cac]:
    • @​tanstack/query-devtools@​5.100.9
    • @​tanstack/react-query@​5.100.9

@​tanstack/react-query-next-experimental@​5.100.9

Patch Changes

  • Updated dependencies []:
    • @​tanstack/react-query@​5.100.9

@​tanstack/react-query-persist-client@​5.100.9

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-persist-client-core@​5.100.9
    • @​tanstack/react-query@​5.100.9

@​tanstack/react-query@​5.100.9

Patch Changes

  • Updated dependencies [fcee7bd]:
    • @​tanstack/query-core@​5.100.9

@​tanstack/react-query-devtools@​5.100.8

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-devtools@​5.100.8
    • @​tanstack/react-query@​5.100.8

@​tanstack/react-query-next-experimental@​5.100.8

Patch Changes

  • Updated dependencies []:
    • @​tanstack/react-query@​5.100.8

@​tanstack/react-query-persist-client@​5.100.8

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-persist-client-core@​5.100.8
    • @​tanstack/react-query@​5.100.8

@​tanstack/react-query@​5.100.8

Patch Changes

  • Updated dependencies []:

... (truncated)

Changelog

Sourced from @​tanstack/react-query's changelog.

5.100.10

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.100.10

5.100.9

Patch Changes

  • Updated dependencies [fcee7bd]:
    • @​tanstack/query-core@​5.100.9

5.100.8

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.100.8

5.100.7

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.100.7

5.100.6

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.100.6

5.100.5

Patch Changes

  • Updated dependencies [a53ef97]:
    • @​tanstack/query-core@​5.100.5

5.100.4

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-core@​5.100.4

5.100.3

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​tanstack/react-query since your current version.


Updates @tanstack/react-query-devtools from 5.87.4 to 5.100.10

Release notes

Sourced from @​tanstack/react-query-devtools's releases.

@​tanstack/react-query-devtools@​5.100.9

Patch Changes

  • Updated dependencies [3d21cac]:
    • @​tanstack/query-devtools@​5.100.9
    • @​tanstack/react-query@​5.100.9

@​tanstack/react-query-devtools@​5.100.8

Patch Changes

  • Updated dependencies []:
    • @​tanstack/query-devtools@​5.100.8
    • @​tanstack/react-query@​5.100.8

@​tanstack/react-query-devtools@​5.100.7

Patch Changes

  • docs(devtools): align logo, panel, and 'buttonPosition' union descriptions across docs and JSDoc (#10617)

  • Description has been truncated

Bumps the all-dependencies group with 28 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [@amplitude/analytics-browser](https://github.com/amplitude/Amplitude-TypeScript) | `2.23.7` | `2.42.3` |
| [@creit.tech/stellar-wallets-kit](https://github.com/Creit-Tech/Stellar-Wallets-Kit) | `1.9.5` | `2.2.0` |
| [@ledgerhq/hw-app-str](https://github.com/LedgerHQ/ledger-live) | `7.2.9` | `7.7.2` |
| [@ledgerhq/hw-transport-webhid](https://github.com/LedgerHQ/ledger-live) | `6.30.9` | `6.35.2` |
| [@next/third-parties](https://github.com/vercel/next.js/tree/HEAD/packages/third-parties) | `15.5.7` | `16.2.6` |
| [@sentry/nextjs](https://github.com/getsentry/sentry-javascript) | `10.29.0` | `10.53.1` |
| [@stellar/stellar-sdk](https://github.com/stellar/js-stellar-sdk) | `15.0.1` | `15.1.0` |
| [@tanstack/react-query](https://github.com/TanStack/query/tree/HEAD/packages/react-query) | `5.87.4` | `5.100.10` |
| [@tanstack/react-query-devtools](https://github.com/TanStack/query/tree/HEAD/packages/react-query-devtools) | `5.87.4` | `5.100.10` |
| [@trezor/connect-web](https://github.com/trezor/trezor-suite) | `9.6.4` | `9.7.3` |
| [bignumber.js](https://github.com/MikeMcl/bignumber.js) | `9.3.1` | `11.1.1` |
| [html-react-parser](https://github.com/remarkablemark/html-react-parser) | `5.2.6` | `6.1.0` |
| [immer](https://github.com/immerjs/immer) | `10.1.3` | `11.1.8` |
| [lossless-json](https://github.com/josdejong/lossless-json) | `4.2.0` | `4.3.0` |
| [zustand-querystring](https://github.com/nitedani/zustand-querystring) | `0.0.19` | `0.7.0` |
| [@next/eslint-plugin-next](https://github.com/vercel/next.js/tree/HEAD/packages/eslint-plugin-next) | `15.5.3` | `16.2.6` |
| [@playwright/test](https://github.com/microsoft/playwright) | `1.57.0` | `1.60.0` |
| [@types/node](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/node) | `24.3.1` | `25.8.0` |
| [@types/papaparse](https://github.com/DefinitelyTyped/DefinitelyTyped/tree/HEAD/types/papaparse) | `5.3.16` | `5.5.2` |
| [@typescript-eslint/eslint-plugin](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/eslint-plugin) | `8.43.0` | `8.59.3` |
| [eslint](https://github.com/eslint/eslint) | `9.35.0` | `10.4.0` |
| [eslint-config-next](https://github.com/vercel/next.js/tree/HEAD/packages/eslint-config-next) | `15.4.4` | `16.2.6` |
| [eslint-plugin-react-hooks](https://github.com/facebook/react/tree/HEAD/packages/eslint-plugin-react-hooks) | `5.2.0` | `7.1.1` |
| [jest](https://github.com/jestjs/jest/tree/HEAD/packages/jest) | `30.2.0` | `30.4.2` |
| [lint-staged](https://github.com/lint-staged/lint-staged) | `16.1.6` | `17.0.4` |
| [prettier](https://github.com/prettier/prettier) | `3.6.2` | `3.8.3` |
| [sass](https://github.com/sass/dart-sass) | `1.92.1` | `1.99.0` |
| [typescript](https://github.com/microsoft/TypeScript) | `5.9.2` | `6.0.3` |



Updates `@amplitude/analytics-browser` from 2.23.7 to 2.42.3
- [Release notes](https://github.com/amplitude/Amplitude-TypeScript/releases)
- [Commits](https://github.com/amplitude/Amplitude-TypeScript/compare/@amplitude/analytics-browser@2.23.7...@amplitude/analytics-browser@2.42.3)

Updates `@creit.tech/stellar-wallets-kit` from 1.9.5 to 2.2.0
- [Release notes](https://github.com/Creit-Tech/Stellar-Wallets-Kit/releases)
- [Changelog](https://github.com/Creit-Tech/Stellar-Wallets-Kit/blob/main/CHANGELOG.md)
- [Commits](Creit-Tech/Stellar-Wallets-Kit@v1.9.5...v2.2.0)

Updates `@ledgerhq/hw-app-str` from 7.2.9 to 7.7.2
- [Release notes](https://github.com/LedgerHQ/ledger-live/releases)
- [Commits](https://github.com/LedgerHQ/ledger-live/commits/@ledgerhq/hw-app-str@7.7.2)

Updates `@ledgerhq/hw-transport-webhid` from 6.30.9 to 6.35.2
- [Release notes](https://github.com/LedgerHQ/ledger-live/releases)
- [Commits](https://github.com/LedgerHQ/ledger-live/compare/@ledgerhq/hw-transport-http@6.30.9...@ledgerhq/hw-transport-webhid@6.35.2)

Updates `@next/third-parties` from 15.5.7 to 16.2.6
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](https://github.com/vercel/next.js/commits/v16.2.6/packages/third-parties)

Updates `@sentry/nextjs` from 10.29.0 to 10.53.1
- [Release notes](https://github.com/getsentry/sentry-javascript/releases)
- [Changelog](https://github.com/getsentry/sentry-javascript/blob/develop/CHANGELOG.md)
- [Commits](getsentry/sentry-javascript@10.29.0...10.53.1)

Updates `@stellar/stellar-sdk` from 15.0.1 to 15.1.0
- [Release notes](https://github.com/stellar/js-stellar-sdk/releases)
- [Changelog](https://github.com/stellar/js-stellar-sdk/blob/master/CHANGELOG.md)
- [Commits](stellar/js-stellar-sdk@v15.0.1...v15.1.0)

Updates `@tanstack/react-query` from 5.87.4 to 5.100.10
- [Release notes](https://github.com/TanStack/query/releases)
- [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query/CHANGELOG.md)
- [Commits](https://github.com/TanStack/query/commits/HEAD/packages/react-query)

Updates `@tanstack/react-query-devtools` from 5.87.4 to 5.100.10
- [Release notes](https://github.com/TanStack/query/releases)
- [Changelog](https://github.com/TanStack/query/blob/main/packages/react-query-devtools/CHANGELOG.md)
- [Commits](https://github.com/TanStack/query/commits/HEAD/packages/react-query-devtools)

Updates `@trezor/connect-web` from 9.6.4 to 9.7.3
- [Release notes](https://github.com/trezor/trezor-suite/releases)
- [Commits](https://github.com/trezor/trezor-suite/commits)

Updates `bignumber.js` from 9.3.1 to 11.1.1
- [Release notes](https://github.com/MikeMcl/bignumber.js/releases)
- [Changelog](https://github.com/MikeMcl/bignumber.js/blob/main/CHANGELOG.md)
- [Commits](MikeMcl/bignumber.js@v9.3.1...v11.1.1)

Updates `dompurify` from 3.2.6 to 3.4.3
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.2.6...3.4.3)

Updates `html-react-parser` from 5.2.6 to 6.1.0
- [Release notes](https://github.com/remarkablemark/html-react-parser/releases)
- [Changelog](https://github.com/remarkablemark/html-react-parser/blob/master/CHANGELOG.md)
- [Commits](remarkablemark/html-react-parser@v5.2.6...v6.1.0)

Updates `immer` from 10.1.3 to 11.1.8
- [Release notes](https://github.com/immerjs/immer/releases)
- [Commits](immerjs/immer@v10.1.3...v11.1.8)

Updates `lodash` from 4.17.21 to 4.18.1
- [Release notes](https://github.com/lodash/lodash/releases)
- [Commits](lodash/lodash@4.17.21...4.18.1)

Updates `lossless-json` from 4.2.0 to 4.3.0
- [Changelog](https://github.com/josdejong/lossless-json/blob/main/CHANGELOG.md)
- [Commits](josdejong/lossless-json@v4.2.0...v4.3.0)

Updates `next` from 15.5.14 to 16.2.6
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](vercel/next.js@v15.5.14...v16.2.6)

Updates `uuid` from 11.1.0 to 14.0.0
- [Release notes](https://github.com/uuidjs/uuid/releases)
- [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md)
- [Commits](uuidjs/uuid@v11.1.0...v14.0.0)

Updates `zustand-querystring` from 0.0.19 to 0.7.0
- [Release notes](https://github.com/nitedani/zustand-querystring/releases)
- [Commits](https://github.com/nitedani/zustand-querystring/commits)

Updates `@next/eslint-plugin-next` from 15.5.3 to 16.2.6
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](https://github.com/vercel/next.js/commits/v16.2.6/packages/eslint-plugin-next)

Updates `@playwright/test` from 1.57.0 to 1.60.0
- [Release notes](https://github.com/microsoft/playwright/releases)
- [Commits](microsoft/playwright@v1.57.0...v1.60.0)

Updates `@types/node` from 24.3.1 to 25.8.0
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/node)

Updates `@types/papaparse` from 5.3.16 to 5.5.2
- [Release notes](https://github.com/DefinitelyTyped/DefinitelyTyped/releases)
- [Commits](https://github.com/DefinitelyTyped/DefinitelyTyped/commits/HEAD/types/papaparse)

Updates `@typescript-eslint/eslint-plugin` from 8.43.0 to 8.59.3
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/eslint-plugin/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.59.3/packages/eslint-plugin)

Updates `eslint` from 9.35.0 to 10.4.0
- [Release notes](https://github.com/eslint/eslint/releases)
- [Commits](eslint/eslint@v9.35.0...v10.4.0)

Updates `eslint-config-next` from 15.4.4 to 16.2.6
- [Release notes](https://github.com/vercel/next.js/releases)
- [Changelog](https://github.com/vercel/next.js/blob/canary/release.js)
- [Commits](https://github.com/vercel/next.js/commits/v16.2.6/packages/eslint-config-next)

Updates `eslint-plugin-react-hooks` from 5.2.0 to 7.1.1
- [Release notes](https://github.com/facebook/react/releases)
- [Changelog](https://github.com/facebook/react/blob/main/packages/eslint-plugin-react-hooks/CHANGELOG.md)
- [Commits](https://github.com/facebook/react/commits/eslint-plugin-react-hooks@7.1.1/packages/eslint-plugin-react-hooks)

Updates `jest` from 30.2.0 to 30.4.2
- [Release notes](https://github.com/jestjs/jest/releases)
- [Changelog](https://github.com/jestjs/jest/blob/main/CHANGELOG.md)
- [Commits](https://github.com/jestjs/jest/commits/v30.4.2/packages/jest)

Updates `lint-staged` from 16.1.6 to 17.0.4
- [Release notes](https://github.com/lint-staged/lint-staged/releases)
- [Changelog](https://github.com/lint-staged/lint-staged/blob/main/CHANGELOG.md)
- [Commits](lint-staged/lint-staged@v16.1.6...v17.0.4)

Updates `prettier` from 3.6.2 to 3.8.3
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](prettier/prettier@3.6.2...3.8.3)

Updates `sass` from 1.92.1 to 1.99.0
- [Release notes](https://github.com/sass/dart-sass/releases)
- [Changelog](https://github.com/sass/dart-sass/blob/main/CHANGELOG.md)
- [Commits](sass/dart-sass@1.92.1...1.99.0)

Updates `typescript` from 5.9.2 to 6.0.3
- [Release notes](https://github.com/microsoft/TypeScript/releases)
- [Commits](microsoft/TypeScript@v5.9.2...v6.0.3)

---
updated-dependencies:
- dependency-name: "@amplitude/analytics-browser"
  dependency-version: 2.42.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@creit.tech/stellar-wallets-kit"
  dependency-version: 2.2.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: "@ledgerhq/hw-app-str"
  dependency-version: 7.7.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@ledgerhq/hw-transport-webhid"
  dependency-version: 6.35.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@next/third-parties"
  dependency-version: 16.2.6
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: "@sentry/nextjs"
  dependency-version: 10.53.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@stellar/stellar-sdk"
  dependency-version: 15.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@tanstack/react-query"
  dependency-version: 5.100.10
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@tanstack/react-query-devtools"
  dependency-version: 5.100.10
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@trezor/connect-web"
  dependency-version: 9.7.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: bignumber.js
  dependency-version: 11.1.1
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: dompurify
  dependency-version: 3.4.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: html-react-parser
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: immer
  dependency-version: 11.1.8
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: lodash
  dependency-version: 4.18.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: lossless-json
  dependency-version: 4.3.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: next
  dependency-version: 16.2.6
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: uuid
  dependency-version: 14.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: zustand-querystring
  dependency-version: 0.7.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@next/eslint-plugin-next"
  dependency-version: 16.2.6
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: "@playwright/test"
  dependency-version: 1.60.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@types/node"
  dependency-version: 25.8.0
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: "@types/papaparse"
  dependency-version: 5.5.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: "@typescript-eslint/eslint-plugin"
  dependency-version: 8.59.3
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: eslint
  dependency-version: 10.4.0
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: eslint-config-next
  dependency-version: 16.2.6
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: eslint-plugin-react-hooks
  dependency-version: 7.1.1
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: jest
  dependency-version: 30.4.2
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: lint-staged
  dependency-version: 17.0.4
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: all-dependencies
- dependency-name: prettier
  dependency-version: 3.8.3
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: sass
  dependency-version: 1.99.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: all-dependencies
- dependency-name: typescript
  dependency-version: 6.0.3
  dependency-type: direct:development
  update-type: version-update:semver-major
  dependency-group: all-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update Javascript code) labels May 15, 2026
Copilot AI review requested due to automatic review settings May 15, 2026 20:25

Copilot AI left a comment

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

@github-project-automation github-project-automation Bot moved this to Backlog (Not Ready) in DevX May 15, 2026
@socket-security

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert
Warn High
License policy violation: npm @ethereumjs/rlp under MPL-2.0

Location: Package overview

From: pnpm-lock.yaml npm/@trezor/connect-web@9.7.3 npm/@creit.tech/stellar-wallets-kit@2.2.0 npm/@trezor/connect-plugin-stellar@9.2.3 npm/@ethereumjs/rlp@10.1.1

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ethereumjs/rlp@10.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @ethereumjs/tx under MPL-2.0

Location: Package overview

From: pnpm-lock.yaml npm/@trezor/connect-web@9.7.3 npm/@creit.tech/stellar-wallets-kit@2.2.0 npm/@trezor/connect-plugin-stellar@9.2.3 npm/@ethereumjs/tx@10.1.1

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ethereumjs/tx@10.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @ethereumjs/util under MPL-2.0

Location: Package overview

From: pnpm-lock.yaml npm/@trezor/connect-web@9.7.3 npm/@creit.tech/stellar-wallets-kit@2.2.0 npm/@trezor/connect-plugin-stellar@9.2.3 npm/@ethereumjs/util@10.1.1

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ethereumjs/util@10.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @lobstrco/signer-extension-api under GPL-3.0

License: GPL-3.0 - The applicable license policy does not permit this license (5) (npm metadata)

License: GPL-3.0 - The applicable license policy does not permit this license (5) (package/package.json)

From: pnpm-lock.yaml npm/@creit.tech/stellar-wallets-kit@2.2.0 npm/@lobstrco/signer-extension-api@2.0.0

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@lobstrco/signer-extension-api@2.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @sentry/cli under LicenseRef-FSL-1.1-MIT

License: LicenseRef-FSL-1.1-MIT - The applicable license policy does not permit this license (5) (package/LICENSE)

From: pnpm-lock.yaml npm/@sentry/nextjs@10.53.1 npm/@sentry/cli@2.58.5

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/cli@2.58.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @trezor/blockchain-link under LicenseRef-T-RSL

License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md)

From: pnpm-lock.yaml npm/@creit.tech/stellar-wallets-kit@2.2.0 npm/@trezor/blockchain-link@2.6.1

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/blockchain-link@2.6.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @trezor/blockchain-link under LicenseRef-T-RSL

License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md)

From: pnpm-lock.yaml npm/@trezor/connect-web@9.7.3 npm/@creit.tech/stellar-wallets-kit@2.2.0 npm/@trezor/connect-plugin-stellar@9.2.3 npm/@trezor/blockchain-link@2.6.2

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/blockchain-link@2.6.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @trezor/connect-common under LicenseRef-T-RSL

License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md)

From: pnpm-lock.yaml npm/@trezor/connect-web@9.7.3 npm/@creit.tech/stellar-wallets-kit@2.2.0 npm/@trezor/connect-plugin-stellar@9.2.3 npm/@trezor/connect-common@0.5.1

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/connect-common@0.5.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @trezor/connect-plugin-stellar under LicenseRef-T-RSL

License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md)

From: pnpm-lock.yaml npm/@creit.tech/stellar-wallets-kit@2.2.0 npm/@trezor/connect-plugin-stellar@9.2.6

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/connect-plugin-stellar@9.2.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @trezor/connect-web under LicenseRef-T-RSL

License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md)

From: pnpm-lock.yaml npm/@creit.tech/stellar-wallets-kit@2.2.0 npm/@trezor/connect-web@9.7.2

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/connect-web@9.7.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @trezor/connect-web under LicenseRef-T-RSL

License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md)

From: package.json npm/@trezor/connect-web@9.7.3

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/connect-web@9.7.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @trezor/connect under LicenseRef-T-RSL

License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md)

From: pnpm-lock.yaml npm/@creit.tech/stellar-wallets-kit@2.2.0 npm/@trezor/connect@9.7.2

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/connect@9.7.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @trezor/connect under LicenseRef-T-RSL

License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md)

From: pnpm-lock.yaml npm/@trezor/connect-web@9.7.3 npm/@creit.tech/stellar-wallets-kit@2.2.0 npm/@trezor/connect-plugin-stellar@9.2.3 npm/@trezor/connect@9.7.3

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/connect@9.7.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @trezor/transport under LicenseRef-T-RSL

License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md)

From: pnpm-lock.yaml npm/@creit.tech/stellar-wallets-kit@2.2.0 npm/@trezor/transport@1.6.2

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/transport@1.6.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @trezor/transport under LicenseRef-T-RSL

License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md)

From: pnpm-lock.yaml npm/@trezor/connect-web@9.7.3 npm/@creit.tech/stellar-wallets-kit@2.2.0 npm/@trezor/connect-plugin-stellar@9.2.3 npm/@trezor/transport@1.6.3

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/transport@1.6.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @trezor/utils under LicenseRef-T-RSL

License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md)

From: pnpm-lock.yaml npm/@trezor/connect-web@9.7.3 npm/@creit.tech/stellar-wallets-kit@2.2.0 npm/@trezor/connect-plugin-stellar@9.2.3 npm/@trezor/utils@9.5.0

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/utils@9.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm @trezor/utxo-lib under LicenseRef-T-RSL

License: LicenseRef-T-RSL - The applicable license policy does not permit this license (5) (package/LICENSE.md)

From: pnpm-lock.yaml, npm/@trezor/connect-web@9.7.3, npm/@creit.tech/stellar-wallets-kit@2.2.0, npm/@trezor/connect-plugin-stellar@9.2.3, npm/@trezor/utxo-lib@2.5.0

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/utxo-lib@2.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm axe-core under MIT AND MPL-2.0

Location: Package overview

From: pnpm-lock.yaml, npm/eslint-config-next@16.2.6, npm/axe-core@4.11.4

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axe-core@4.11.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm next

Location: Package overview

From: pnpm-lock.yaml, npm/next@16.2.6

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/next@16.2.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm rpc-websockets under LGPL-3.0-only

Location: Package overview

From: pnpm-lock.yaml, npm/@creit.tech/stellar-wallets-kit@2.2.0, npm/rpc-websockets@9.3.9

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/rpc-websockets@9.3.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm typescript under MIT-Khronos-old

License: MIT-Khronos-old - The applicable license policy does not permit this license (5) (package/ThirdPartyNoticeText.txt)

License: LicenseRef-W3C-Community-Final-Specification-Agreement - The applicable license policy does not permit this license (5) (package/ThirdPartyNoticeText.txt)

From: package.json, npm/typescript@6.0.3

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/typescript@6.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm ua-parser-js under AGPL-3.0-or-later

License: AGPL-3.0-or-later - The applicable license policy does not permit this license (5) (npm metadata)

License: AGPL-3.0-or-later - The applicable license policy does not permit this license (5) (package/package.json)

License: AGPL-3.0-or-later - The applicable license policy does not permit this license (5) (package/LICENSE.md)

From: pnpm-lock.yaml, npm/@trezor/connect-web@9.7.3, npm/@creit.tech/stellar-wallets-kit@2.2.0, npm/@trezor/connect-plugin-stellar@9.2.3, npm/ua-parser-js@2.0.9

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ua-parser-js@2.0.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm usb under GPL-1.0-only

License: GPL-1.0-only - The applicable license policy does not permit this license (5) (package/libusb/examples/ezusb.h)

License: GPL-1.0-only - The applicable license policy does not permit this license (5) (package/libusb/examples/ezusb.c)

License: GPL-1.0-only - The applicable license policy does not permit this license (5) (package/libusb/examples/fxload.c)

From: pnpm-lock.yaml, npm/@trezor/connect-web@9.7.3, npm/@creit.tech/stellar-wallets-kit@2.2.0, npm/@trezor/connect-plugin-stellar@9.2.3, npm/usb@2.17.0

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/usb@2.17.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm @safe-global/safe-gateway-typescript-sdk

Reason: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

From: pnpm-lock.yaml, npm/@creit.tech/stellar-wallets-kit@2.2.0, npm/@safe-global/safe-gateway-typescript-sdk@3.23.1

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@safe-global/safe-gateway-typescript-sdk@3.23.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
