Release: v2.18.0 prep #803

Open
kvhnuke wants to merge 2 commits into develop from devop/package-updates-2-18

@kvhnuke kvhnuke commented May 29, 2026

Summary by CodeRabbit

  • Chores

    • Updated development and runtime dependencies across packages to newer patch/minor versions.
    • Bumped the extension package version to 2.18.0.
    • Upgraded TypeScript/ESLint tooling, testing utilities, and formatting tools project-wide.
  • Bug Fixes

    • Adjusted geo-screening behavior to call and cache checks on-demand and use the cached result for related flows.

coderabbitai Bot commented May 29, 2026

Walkthrough

This PR updates development and runtime dependency versions across the monorepo and bumps the extension package to 2.18.0. It also changes the extension geo-restriction request endpoint to an enkrypt-specific partners path and caches the result, calling the check only when unset.

Changes

Dependency and Configuration Updates

| Layer | File(s) | Summary |
| --- | --- | --- |
| Root and bridge build tooling | package.json, packages/extension-bridge/package.json | Root and extension-bridge devDependencies bumped for @commitlint, @swc/core, vite-plugin-node-polyfills, @types/node, @typescript-eslint/*, prettier, type-fest, and typescript-eslint. |
| Extension package version and dependencies | packages/extension/package.json | packages/extension version -> 2.18.0; runtime deps (analytics, ledger transport, echarts, lodash, qrcode.vue, uuid, vue) and a broad set of dev/build/test tooling (prettier, rollup, vite, vitest, vue-tsc, vite-plugin-node-polyfills, etc.) were updated. |
| Extension geo-screening and background handler | packages/extension/src/libs/utils/screening.ts, packages/extension/src/libs/background/index.ts | isGeoRestricted now requests the enkrypt-specific partners endpoint; background externalHandler caches #geoRestricted and calls the check only when undefined. |
| Hardware wallets and signer packages | packages/hw-wallets/package.json, packages/signers/*/package.json | Hardware wallet runtime deps and signer package dev tooling (Node types, @typescript-eslint/*, prettier, vitest, etc.) were version-bumped across packages. |
| Service and utility packages | packages/keyring/package.json, packages/name-resolution/package.json, packages/request/package.json, packages/storage/package.json, packages/swap/package.json, packages/types/package.json, packages/utils/package.json | Dev tooling synchronized and select runtime deps updated (uuid, ws, @1inch/*, @bonfida/spl-name-service); no script or structural manifest changes. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • NickKelly1
  • olgakup
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Release: v2.18.0 prep' directly corresponds to the main purpose of the PR: preparing for the v2.18.0 release through coordinated dependency updates across the monorepo and version bumps. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

Warning

There were issues while running some tools. Please review the errors and either fix the tool's configuration or disable the tool if it's a critical failure.

🔧 ESLint

If the error stems from missing dependencies, add them to the package.json file. For unrecoverable errors (e.g., due to private dependencies), disable the tool in the CodeRabbit configuration.

ESLint skipped: no ESLint configuration detected in root package.json. To enable, add eslint to devDependencies.


github-actions Bot commented May 29, 2026

💼 Build Files
chrome: enkrypt-chrome-3f057857.zip
firefox: enkrypt-firefox-3f057857.zip

💉 Virus total analysis
chrome: 3f057857
firefox: 3f057857

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
packages/extension/src/libs/utils/screening.ts (1)

2-10: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Geo-restriction check is fail-open, which can bypass compliance gating on endpoint errors.

With the new /o/ipcomply/enkrypt endpoint, any non-OK response or fetch failure currently returns false, effectively allowing restricted traffic when the service is unavailable.

Suggested hardening
 const isGeoRestricted = async (): Promise<boolean> => {
   return fetch('https://partners.mewapi.io/o/ipcomply/enkrypt')
     .then(async res => {
       if (res.ok) {
         const json = await res.json();
         return json.isRestricted;
       }
-      return false;
+      return true;
     })
-    .catch(() => false);
+    .catch(() => true);
 };
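
Review bot: In the `res.ok` branch, `return json.isRestricted;` is still returned unchecked, so a 200 response whose body lacks the field or carries a non-boolean value yields `undefined`, which is falsy despite the `Promise<boolean>` signature; the two `return true` changes do not cover that path. Returning `json.isRestricted !== false`, or checking `typeof json.isRestricted === 'boolean'` and returning `true` otherwise, keeps the function fail-closed for malformed bodies as well.
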
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/extension/src/libs/utils/screening.ts` around lines 2 - 10, The
current fetch to 'https://partners.mewapi.io/o/ipcomply/enkrypt' is fail-open
(non-OK responses and fetch errors return false), which can bypass restrictions;
change the behavior to fail-closed by returning true (or throwing) on non-ok
responses and in the catch block so failures default to "restricted". Locate the
fetch call in screening.ts (the block that awaits res.json() and returns
json.isRestricted) and modify both the "if (!res.ok) ..." path and the
.catch(...) to return true (or rethrow an error) and optionally add a
processLogger/console.error message including the response status/error to aid
debugging. Ensure the rest of the codebase expects a boolean or handles thrown
errors and update callers if needed.

📥 Commits

Reviewing files that changed from the base of the PR and between 519816a and 22ddb20.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (17)
  • package.json
  • packages/extension-bridge/package.json
  • packages/extension/package.json
  • packages/extension/src/libs/utils/screening.ts
  • packages/hw-wallets/package.json
  • packages/keyring/package.json
  • packages/name-resolution/package.json
  • packages/request/package.json
  • packages/signers/bitcoin/package.json
  • packages/signers/ethereum/package.json
  • packages/signers/kadena/package.json
  • packages/signers/massa/package.json
  • packages/signers/polkadot/package.json
  • packages/storage/package.json
  • packages/swap/package.json
  • packages/types/package.json
  • packages/utils/package.json

},
"dependencies": {
"@commitlint/cli": "^20.5.0",
"@commitlint/cli": "^20.5.3",

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "== scripts in packages/signers/polkadot/package.json =="
cat packages/signers/polkadot/package.json | jq '.scripts // {}'

echo
echo "== runtime/import references under packages/signers/polkadot =="
rg -n --type-add 'json:*.json' --type ts --type js --type json \
  '@commitlint/cli|from\s+["'\'']@commitlint/cli["'\'']|require\(["'\'']@commitlint/cli["'\'']\)' \
  packages/signers/polkadot

echo
echo "== workspace-level commitlint usage (likely CI/dev tooling) =="
rg -n --type-add 'json:*.json' --type json --type yaml --type toml --type md \
  'commitlint' .

Repository: enkryptcom/enKrypt

Length of output: 643


Move @commitlint/cli to devDependencies in packages/signers/polkadot
packages/signers/polkadot/package.json lists @commitlint/cli in dependencies (line 25), but there are no import/require references under packages/signers/polkadot—only the manifest entry. Since the workspace root already includes @commitlint/cli, this package shouldn’t ship the CLI as a production dependency.

"dependencies": {
  "@commitlint/cli": "^20.5.3"
}

Move that entry to devDependencies.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/signers/polkadot/package.json` at line 25, The package.json for the
polkadot signer lists the dev tool "`@commitlint/cli`" under "dependencies"; move
the "`@commitlint/cli`": "^20.5.3" entry from the dependencies section into
devDependencies so it is not shipped as a production dependency (edit the
packages/signers/polkadot package.json, remove the entry under "dependencies"
and add it under "devDependencies").

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

📥 Commits

Reviewing files that changed from the base of the PR and between 22ddb20 and 3f05785.

📒 Files selected for processing (1)
  • packages/extension/src/libs/background/index.ts

Comment on lines +92 to +96
if (this.#geoRestricted === undefined) {
isGeoRestricted().then(restricted => {
this.#geoRestricted = restricted;
});
}
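
Review bot: The `isGeoRestricted().then(...)` call inside the `if` is not awaited, so any code that reads `this.#geoRestricted` before the promise settles still sees `undefined`. If the consumer tests the field for truthiness, messages handled in that window are treated as unrestricted; either await the check before the gated path or treat `undefined` as restricted until the result arrives. The chain also has no rejection handler, which is only safe as long as `isGeoRestricted()` never rejects.
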

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Cache the in-flight geo check, not only the resolved value.

this.#geoRestricted === undefined remains true until the first promise resolves, so repeated init/unload messages can still fire multiple isGeoRestricted() requests. Store a pending promise (or await a shared one) to truly dedupe calls.

Suggested adjustment
+ `#geoRestrictedPromise`: Promise<boolean> | undefined;
...
- if (this.#geoRestricted === undefined) {
-   isGeoRestricted().then(restricted => {
-     this.#geoRestricted = restricted;
-   });
- }
+ if (this.#geoRestricted === undefined && !this.#geoRestrictedPromise) {
+   this.#geoRestrictedPromise = isGeoRestricted().then(restricted => {
+     this.#geoRestricted = restricted;
+     this.#geoRestrictedPromise = undefined;
+     return restricted;
+   });
+ }
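
Review bot: The `.then(...)` assigned to `this.#geoRestrictedPromise` clears the field only on fulfilment. If `isGeoRestricted()` rejects, the promise field stays set, the guard `!this.#geoRestrictedPromise` stays false, and no later message can retry the check. Clear the field in a `.finally(...)`, or in a rejection handler that also sets a restrictive default, so the failure path resets the guard too.
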
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/extension/src/libs/background/index.ts` around lines 92 - 96, The
geo-check currently only caches the resolved boolean in this.#geoRestricted,
causing repeated calls while the first promise is pending; change the logic to
store the in-flight promise (e.g., a new private field like
`#geoRestrictedPromise` or reuse `#geoRestricted` to hold Promise<boolean> until
resolution), set that promise when calling isGeoRestricted(), have all callers
await that shared promise, and when it resolves assign the final boolean to
this.#geoRestricted (or a separate boolean field) and clear the promise; also
handle promise rejection by logging/setting a safe default so subsequent calls
can retry.
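
The two review findings in this thread (fail closed when the screening endpoint errors, and share the in-flight check instead of only the resolved value) combined in one place, as an added example that is not part of the PR or of Enkrypt's code. `GeoGate`, `Probe` and `demo` are hypothetical names; the probe stands in for the fetch to the screening endpoint, and the outage and response body are constructed.

```typescript
// Added example with hypothetical names; not code from the PR.
// Probe stands in for the fetch to the screening endpoint: it resolves to the
// parsed JSON body and rejects on a network error or non-OK status.
type Probe = () => Promise<unknown>;

class GeoGate {
  private probe: Probe;
  private cached: boolean | undefined; // only a definitive answer is stored
  private pending: Promise<boolean> | undefined; // shared in-flight check
  probeCalls = 0;

  constructor(probe: Probe) {
    this.probe = probe;
  }

  isRestricted(): Promise<boolean> {
    if (this.cached !== undefined) return Promise.resolve(this.cached);
    if (this.pending) return this.pending; // concurrent callers share one request
    this.probeCalls += 1;
    const settle = (value: boolean, cacheable: boolean): boolean => {
      this.pending = undefined; // cleared on every outcome so a later call can retry
      if (cacheable) this.cached = value;
      return value;
    };
    this.pending = this.probe().then(
      body => {
        const flag = (body as { isRestricted?: unknown } | null)?.isRestricted;
        // A 200 whose field is missing or non-boolean counts as restricted.
        return typeof flag === 'boolean' ? settle(flag, true) : settle(true, false);
      },
      () => settle(true, false), // transport failure: restricted, not cached
    );
    return this.pending;
  }
}

// Constructed scenario: the first probe fails, the second returns a clean body.
async function demo(): Promise<{ results: boolean[]; probeCalls: number }> {
  const probes: Probe[] = [
    () => Promise.reject(new Error('constructed outage')),
    () => Promise.resolve({ isRestricted: false }),
  ];
  let next = 0;
  const gate = new GeoGate(() => probes[next++]());
  const [a, b] = await Promise.all([gate.isRestricted(), gate.isRestricted()]);
  const c = await gate.isRestricted(); // failure was not cached, so this retries
  const d = await gate.isRestricted(); // served from the cached answer
  return { results: [a, b, c, d], probeCalls: gate.probeCalls };
}
```

Because a failed check returns `true` without being cached, a transient outage blocks only the calls made during it and the next call retries.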
