Objective
Bring the monorepo's npm dependencies up to date, sequencing upgrades by blast radius so low-risk bumps ship immediately and breaking major-version migrations (React 19, Vite 8, TypeScript 6) are handled in dedicated, reviewable PRs.
Rationale
Several dependencies trail their latest releases — React is a full major behind (18.3.1 vs 19.x), Vite is two majors behind (6 vs 8), TypeScript and the @vitejs/plugin-react plugin each have new majors, and @noble/hashes (a crypto dependency in the wallet) is a major behind. Staying current reduces security exposure, keeps us on supported release lines, and avoids compounding migration cost as the gap widens. Grouping by risk lets the team capture the easy wins now without coupling them to the larger React migration.
Scope
In scope:
- All workspaces: canton-connect-kit, carpincho-wallet, canton-barebones/wallet-service, dapp/e2e, dapp/frontend, and root devDependencies.
- Patch/minor bumps, version-skew alignment, and the major-version migrations cataloged below.
- Updating canton-connect-kit peer ranges and the root @canton-network/dapp-sdk override where they block bumps.
Out of scope:
- Dependencies already at the latest version satisfying their range (@walletconnect/*, express 5, tailwindcss 4, @playwright/test, tsx, husky, etc.).
- Feature work or refactors beyond what a given upgrade strictly requires.
- Node engine baseline changes (already >=24).
Architecture & technical considerations
- Lockfile/manager: npm workspaces (package-lock.json). Run upgrades workspace-aware.
- React 19 coupling: react, react-dom, @types/react, and @types/react-dom must move together. canton-connect-kit declares peerDependencies.react: "^18.0.0" — widen to ^18 || ^19 (or ^19) or downstream consumers break.
- dapp-sdk override: root overrides pins @canton-network/dapp-sdk to 1.1.0. The 1.1→1.2 bump is silently ignored unless the override is lifted/retargeted in the same change. Bundle with the @canton-network/core-* 1.4→1.5 bumps as one SDK-family change.
- Vite 8 / plugin-react 6: two majors each; couple them and verify @tailwindcss/vite compatibility against Vite 8 first.
- @noble/hashes 1→2: crypto dependency in carpincho-wallet; API surface and import paths changed between majors. Highest-scrutiny item — audit every call site and test vectors.
- @types/node skew: carpincho-wallet is on ^24 while the rest of the repo is on ^25; align to remove the split install.
Dependencies
- The SDK alignment work is gated on lifting the root @canton-network/dapp-sdk override.
- The Vite/plugin-react upgrade depends on confirming @tailwindcss/vite supports Vite 8.
Issue breakdown
Sub-issues are linked via GitHub's native sub-issue feature; see the Sub-issues panel.
Acceptance criteria
- npm install resolves cleanly with no stale override silently blocking a bump.
- canton-connect-kit peer dependencies accept the React version the repo ships.
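
An added example (not code from this repository): a Node.js check for the two failure modes named above, a root override pinning a version outside the range a workspace declares, and a peer range that rejects the React version the repo ships. The manifests are constructed samples, the function names are hypothetical, and the range matcher is a deliberately small stand-in that handles only exact versions, caret ranges with major >= 1, and ||.

```javascript
// Added example: constructed manifests mirroring the versions named in this issue.
// Minimal matcher for this demo: exact "x.y.z", caret "^x[.y[.z]]" (major >= 1), and "||".
const parse = (v) => {
  const [major = 0, minor = 0, patch = 0] = v.replace(/^\^/, "").split(".").map(Number);
  return { major, minor, patch };
};

function satisfies(version, range) {
  const v = parse(version);
  return range.split("||").map((r) => r.trim()).some((r) => {
    const f = parse(r);
    if (!r.startsWith("^")) return v.major === f.major && v.minor === f.minor && v.patch === f.patch;
    if (v.major !== f.major) return false;
    return v.minor > f.minor || (v.minor === f.minor && v.patch >= f.patch);
  });
}

// Flag root overrides whose pinned version falls outside a range a workspace declares:
// npm installs the override, so the workspace's bump has no effect.
function findStaleOverrides(rootPkg, workspaces) {
  const findings = [];
  for (const [name, pinned] of Object.entries(rootPkg.overrides ?? {})) {
    if (typeof pinned !== "string") continue; // nested override objects are out of scope here
    for (const ws of workspaces) {
      const wanted = { ...ws.dependencies, ...ws.devDependencies }[name];
      if (wanted && !satisfies(pinned, wanted)) {
        findings.push({ workspace: ws.name, dependency: name, pinned, wanted });
      }
    }
  }
  return findings;
}

// Report workspaces whose peer range rejects the version the repo ships.
function findPeerConflicts(shipped, workspaces) {
  return workspaces.flatMap((ws) =>
    Object.entries(ws.peerDependencies ?? {})
      .filter(([name, range]) => shipped[name] && !satisfies(shipped[name], range))
      .map(([name, range]) => ({ workspace: ws.name, dependency: name, range, shipped: shipped[name] })));
}

// Constructed sample data (hypothetical manifests, not copied from the repo).
const root = { overrides: { "@canton-network/dapp-sdk": "1.1.0" } };
const frontend = { name: "dapp/frontend", dependencies: { "@canton-network/dapp-sdk": "^1.2.0" } };
const kit = { name: "canton-connect-kit", peerDependencies: { react: "^18.0.0" } };

console.log(findStaleOverrides(root, [frontend, kit]));
console.log(findPeerConflicts({ react: "19.0.0" }, [frontend, kit]));
```

In CI, a non-empty result from either function would fail the job before the lockfile is regenerated.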