Release: v2.18.0 prep

[kvhnuke]

Summary by CodeRabbit

• Chores

  • Updated development and runtime dependencies across many packages to newer patch/minor versions.
  • Bumped the extension package to 2.18.0.
  • Upgraded TypeScript/ESLint tooling, testing utilities, and formatting tools project-wide.

• Bug Fixes

  • Geo-restriction checks now run on-demand and cache results to avoid redundant calls.
  • Ethereum block explorer links now use Etherscan for transactions and addresses.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: ff473154-d4b3-4f7e-8e86-212d8d26240c

📥 Commits

Reviewing files that changed from the base of the PR and between 24382cd and 6b5605a.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (1)

• packages/extension/package.json

🚧 Files skipped from review as they are similar to previous changes (1)

• packages/extension/package.json

---

Walkthrough

This PR updates dev/runtime dependency versions across workspace packages, bumps packages/extension to 2.18.0, changes the extension geo-restriction endpoint to an enkrypt partners path, makes the background handler cache and lazily call the geo check, removes a debug log in the EIP-1559 flow, and switches Ethereum explorer templates to etherscan.io.

Changes

Dependency and Configuration Updates

Layer / File(s)	Summary
Root and bridge build tooling package.json, packages/extension-bridge/package.json	Root and extension-bridge devDependencies bumped for @commitlint, @swc/core, vite-plugin-node-polyfills, @types/node, @typescript-eslint/*, prettier, type-fest, and typescript-eslint.
Extension package version and dependencies packages/extension/package.json	packages/extension version -> 2.18.0; runtime deps and a broad set of dev/build/test tooling were updated.
Extension runtime and network templates packages/extension/src/libs/utils/screening.ts, packages/extension/src/libs/background/index.ts, packages/extension/src/providers/ethereum/libs/transaction/index.ts, packages/extension/src/providers/ethereum/networks/eth.ts	isGeoRestricted now uses the enkrypt partners endpoint; background externalHandler caches #geoRestricted and only calls the check when undefined; removed console.log from fee-market transaction finalization; Ethereum explorer templates updated to etherscan.io.
Hardware wallets and signer packages packages/hw-wallets/package.json, packages/signers/*/package.json	Hardware wallet runtime deps and signer package dev tooling (Node types, @typescript-eslint/*, prettier, vitest, etc.) were version-bumped across packages.
Service and utility packages packages/keyring/package.json, packages/name-resolution/package.json, packages/request/package.json, packages/storage/package.json, packages/swap/package.json, packages/types/package.json, packages/utils/package.json	Dev tooling synchronized and select runtime deps updated (uuid, ws, @1inch/*, @bonfida/spl-name-service); no script or structural manifest changes.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• enkryptcom/enKrypt#758: Related changes to Ethereum/Etherscan URL handling.
• enkryptcom/enKrypt#771: Related geo-restriction and restricted UX flow changes.
• enkryptcom/enKrypt#600: Also modifies packages/extension/package.json version field.

Suggested reviewers

• NickKelly1
• gamalielhere
• SemajaM

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately reflects the main objective of the PR: preparing for the v2.18.0 release through package and dependency updates.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch devop/package-updates-2-18

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

💼 Build Files
chrome: enkrypt-chrome-6b5605ad.zip
firefox: enkrypt-firefox-6b5605ad.zip

💉 Virus total analysis
chrome: 6b5605ad
firefox: 6b5605ad

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

packages/extension/src/libs/utils/screening.ts (1)

2-10: ⚠️ Potential issue | 🟠 Major | ⚡ Quick win

Geo-restriction check is fail-open, which can bypass compliance gating on endpoint errors.

With the new /o/ipcomply/enkrypt endpoint, any non-OK response or fetch failure currently returns false, effectively allowing restricted traffic when the service is unavailable.

Suggested hardening

 const isGeoRestricted = async (): Promise<boolean> => {
   return fetch('https://partners.mewapi.io/o/ipcomply/enkrypt')
     .then(async res => {
       if (res.ok) {
         const json = await res.json();
         return json.isRestricted;
       }
-      return false;
+      return true;
     })
-    .catch(() => false);
+    .catch(() => true);
 };

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/extension/src/libs/utils/screening.ts` around lines 2 - 10, The
current fetch to 'https://partners.mewapi.io/o/ipcomply/enkrypt' is fail-open
(non-OK responses and fetch errors return false), which can bypass restrictions;
change the behavior to fail-closed by returning true (or throwing) on non-ok
responses and in the catch block so failures default to "restricted". Locate the
fetch call in screening.ts (the block that awaits res.json() and returns
json.isRestricted) and modify both the "if (!res.ok) ..." path and the
.catch(...) to return true (or rethrow an error) and optionally add a
processLogger/console.error message including the response status/error to aid
debugging. Ensure the rest of the codebase expects a boolean or handles thrown
errors and update callers if needed.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/signers/polkadot/package.json`:
- Line 25: The package.json for the polkadot signer lists the dev tool
"`@commitlint/cli`" under "dependencies"; move the "`@commitlint/cli`": "^20.5.3"
entry from the dependencies section into devDependencies so it is not shipped as
a production dependency (edit the packages/signers/polkadot package.json, remove
the entry under "dependencies" and add it under "devDependencies").

---

Outside diff comments:
In `@packages/extension/src/libs/utils/screening.ts`:
- Around line 2-10: The current fetch to
'https://partners.mewapi.io/o/ipcomply/enkrypt' is fail-open (non-OK responses
and fetch errors return false), which can bypass restrictions; change the
behavior to fail-closed by returning true (or throwing) on non-ok responses and
in the catch block so failures default to "restricted". Locate the fetch call in
screening.ts (the block that awaits res.json() and returns json.isRestricted)
and modify both the "if (!res.ok) ..." path and the .catch(...) to return true
(or rethrow an error) and optionally add a processLogger/console.error message
including the response status/error to aid debugging. Ensure the rest of the
codebase expects a boolean or handles thrown errors and update callers if
needed.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 90fc22ee-1f38-4c35-a4fb-3fed0e9b8d8c

📥 Commits

Reviewing files that changed from the base of the PR and between 519816a and 22ddb20.

⛔ Files ignored due to path filters (1)

• yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (17)

• package.json
• packages/extension-bridge/package.json
• packages/extension/package.json
• packages/extension/src/libs/utils/screening.ts
• packages/hw-wallets/package.json
• packages/keyring/package.json
• packages/name-resolution/package.json
• packages/request/package.json
• packages/signers/bitcoin/package.json
• packages/signers/ethereum/package.json
• packages/signers/kadena/package.json
• packages/signers/massa/package.json
• packages/signers/polkadot/package.json
• packages/storage/package.json
• packages/swap/package.json
• packages/types/package.json
• packages/utils/package.json

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@packages/extension/src/libs/background/index.ts`:
- Around line 92-96: The geo-check currently only caches the resolved boolean in
this.#geoRestricted, causing repeated calls while the first promise is pending;
change the logic to store the in-flight promise (e.g., a new private field like
`#geoRestrictedPromise` or reuse `#geoRestricted` to hold Promise<boolean> until
resolution), set that promise when calling isGeoRestricted(), have all callers
await that shared promise, and when it resolves assign the final boolean to
this.#geoRestricted (or a separate boolean field) and clear the promise; also
handle promise rejection by logging/setting a safe default so subsequent calls
can retry.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 06d9401f-e01c-4784-916e-8496ff421041

📥 Commits

Reviewing files that changed from the base of the PR and between 22ddb20 and 3f05785.

📒 Files selected for processing (1)

• packages/extension/src/libs/background/index.ts