[Chore] Bump dependencies#459

Open
JiahuiWho wants to merge 2 commits into master from bump-dependency

Conversation


@JiahuiWho JiahuiWho commented Apr 8, 2026

Summary

  • Run yarn upgrade to update all dependencies to their latest semver-compatible (minor/patch) versions across the monorepo
  • Pin @types/react (18.2.79) and @types/react-dom (18.2.25) via resolutions to prevent transitive v19 types from breaking the build
  • Pin typescript to ~5.1.6 in all packages to stay within @typescript-eslint v6's supported range (<5.2.0)
  • Replace clean-webpack-plugin with webpack 5's built-in output.clean: true, removing the stray @types/minimatch transitive dependency
  • Add @babel/plugin-transform-private-property-in-object to replace the deprecated @babel/plugin-proposal-private-property-in-object

Notable upgrades

  • webpack 5.88 → 5.106
  • @babel/* 7.22 → 7.28-29
  • react 18.2 → 18.3, react-dom 18.2 → 18.3
  • react-router-dom 6.15 → 6.30
  • sass 1.69 → 1.99
  • styled-components 6.0 → 6.3
  • dompurify 3.0 → 3.3
  • prettier 3.0 → 3.8
  • eslint 8.47 → 8.57
  • axios (transitive) → 1.15
  • All security-related transitive deps (follow-redirects, elliptic, ws, nanoid, etc.)

Socket security alerts resolved

  • typescript@5.9.3 — pinned to ~5.1.6 across all packages
  • @babel/plugin-proposal-private-property-in-object — replaced with non-deprecated @babel/plugin-transform-private-property-in-object
  • @types/minimatch — removed entirely by dropping clean-webpack-plugin in favor of webpack 5 built-in output.clean

What's NOT included (major version bumps for future work)

  • React 19, Redux Toolkit 2, react-redux 9
  • ESLint 9+, @typescript-eslint 8
  • Express 5, webpack-dev-server 5
  • @stellar/design-system 3, @stellar/stellar-sdk 15
  • marked 18, husky 9, lint-staged 16

Copilot AI review requested due to automatic review settings April 8, 2026 19:55

socket-security bot commented Apr 8, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Updated npm/eslint@8.47.0 ⏵ 8.57.1 | 89100100 +150100
Updated npm/@stellar/prettier-config@1.0.1 ⏵ 1.2.0 | 661006685100
Updated npm/@typescript-eslint/parser@6.4.0 ⏵ 6.21.0 | 1001007098100
Updated npm/@types/express@4.17.17 ⏵ 4.17.25 | 1001007185100
Updated npm/@babel/preset-react@7.22.5 ⏵ 7.28.5 | 10010071 -193100
Updated npm/eslint-config-prettier@9.0.0 ⏵ 9.1.2 | 100 +110072 +188100
Updated npm/@babel/plugin-transform-private-property-in-object@7.22.5 ⏵ 7.28.6 | 100 +11007293100
Updated npm/@babel/preset-typescript@7.22.5 ⏵ 7.28.5 | 1001007393100
Updated npm/@types/styled-components@5.1.26 ⏵ 5.1.36 | 1001007481100
Updated npm/@types/react-copy-to-clipboard@5.0.4 ⏵ 5.0.7 | 10010074 -480100
Updated npm/@types/marked@5.0.1 ⏵ 5.0.2 | 100 +11007580100
Updated npm/@types/react-redux@7.1.25 ⏵ 7.1.34 | 100 +11007580100
Updated npm/react-router-dom@6.15.0 ⏵ 6.30.3 | 9610075 +198100
Updated npm/@types/react-dom@18.2.7 ⏵ 18.2.25 | 10010075 +186100
Updated npm/lodash@4.17.21 ⏵ 4.18.1 | 76 +1100 +1987 +192100
Updated npm/@types/jest@29.5.3 ⏵ 29.5.14 | 1001007781100
Updated npm/@babel/preset-env@7.22.10 ⏵ 7.29.2 | 97 +110077 +195100
Updated npm/@types/react@18.2.20 ⏵ 18.2.79 | 100 +110079 +190100
Updated npm/@typescript-eslint/eslint-plugin@6.4.0 ⏵ 6.21.0 | 991007998100
Updated npm/@babel/core@7.22.10 ⏵ 7.29.0 | 9710080 +194100
Updated npm/@types/lodash@4.14.197 ⏵ 4.17.24 | 100 +11008086100
Updated npm/@types/node@20.5.0 ⏵ 20.19.39 | 1001008196100
Updated npm/eslint-plugin-react@7.33.1 ⏵ 7.37.5 | 9710010082100
Updated npm/ts-node@10.9.1 ⏵ 10.9.2 | 96 +110010082100
Updated npm/url@0.11.1 ⏵ 0.11.4 | 100 +1100100 +183100
Updated npm/concurrently@8.2.0 ⏵ 8.2.2 | 99 +1100100 +183100
Updated npm/eslint-plugin-import@2.28.0 ⏵ 2.32.0 | 97 +110010084100
Updated npm/eslint-plugin-jsx-a11y@6.7.1 ⏵ 6.10.2 | 99 +1100100 +184100
Updated npm/react@18.2.0 ⏵ 18.3.1 | 100 +110084 +197100
Updated npm/rimraf@2.7.1 ⏵ 5.0.10 | 99100100 +185 +35100
Updated npm/react-redux@8.1.2 ⏵ 8.1.3 | 97 +110091 +185100
Updated npm/assert@2.0.0 ⏵ 2.1.0 | 99 +110094 +185100
Updated npm/tslib@2.6.1 ⏵ 2.8.1 | 10010010085100
See 33 more rows in the dashboard

View full report


socket-security bot commented Apr 8, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action | Severity | Alert
Warn High
License policy violation: npm axe-core under MIT AND MPL-2.0

Location: Package overview

From: npm/eslint-plugin-jsx-a11y@6.10.2 → npm/axe-core@4.11.2

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axe-core@4.11.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
License policy violation: npm spdx-exceptions under CC-BY-3.0

License: CC-BY-3.0 - the applicable license policy does not allow this license (4) (npm metadata)

License: CC-BY-3.0 - the applicable license policy does not allow this license (4) (package/package.json)

From: npm/npm-run-all@4.1.5 → npm/eslint-plugin-jsdoc@46.10.1 → npm/spdx-exceptions@2.5.0

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/spdx-exceptions@2.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm @babel/plugin-proposal-private-property-in-object

Reason: This proposal has been merged to the ECMAScript standard and thus this plugin is no longer maintained. Please use @babel/plugin-transform-private-property-in-object instead.

From: npm/eslint-config-react-app@7.0.1 → npm/@babel/plugin-proposal-private-property-in-object@7.21.11

ℹ Read more on: This package | This alert | What is a deprecated package?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/plugin-proposal-private-property-in-object@7.21.11. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Copilot AI left a comment

Pull request overview

Updates TypeScript typing configuration and dependency constraints to keep the monorepo build stable after dependency upgrades, specifically preventing accidental adoption of incompatible React v19 type packages and limiting TypeScript versions to supported ranges.

Changes:

  • Restrict server TypeScript auto-discovered typings by explicitly setting types to node and express.
  • Adjust @types/react / @types/react-dom ranges in the client package to stay within React 18 types.
  • Add root resolutions to pin @types/react and @types/react-dom to specific React 18 patch versions.

Reviewed changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated no comments.

File | Description
packages/demo-wallet-server/tsconfig.json | Adds explicit types to prevent unwanted transitive @types/* auto-inclusion and related build failures.
packages/demo-wallet-client/package.json | Changes React type packages to ~18.2.x ranges to avoid pulling v19 types.
package.json | Pins @types/react and @types/react-dom via Yarn resolutions to known-good React 18 versions.
