
Commit f980535

rivjc1025walker27devchenyandependabot[bot]github-actions[bot]
authored
Backport v0.204.1 to develop (#3471)
* Rc/v0.204.0 (#3431) * fix: Issues of release v0.201.0 regression testing (#3365) fix: Issues of release v0.201.0 regression * chore(deps): bump tar-fs from 2.1.2 to 2.1.3 (#3368) Bumps [tar-fs](https://github.com/mafintosh/tar-fs) from 2.1.2 to 2.1.3. - [Commits](https://github.com/mafintosh/tar-fs/commits) --- updated-dependencies: - dependency-name: tar-fs dependency-version: 2.1.3 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update ckb client versions (#3371) feat: update ckb client versions Co-authored-by: Keith-CY <7271329+Keith-CY@users.noreply.github.com> * feat: Identify and prompt for multisig transaction (#3370) * feat: Identify and prompt for multisig transaction * fix: error message * fix: Full node in mainnet can not change data path (#3382) * chore(deps): bump pbkdf2 from 3.1.2 to 3.1.3 (#3379) Bumps [pbkdf2](https://github.com/crypto-browserify/pbkdf2) from 3.1.2 to 3.1.3. - [Changelog](https://github.com/browserify/pbkdf2/blob/master/CHANGELOG.md) - [Commits](browserify/pbkdf2@v3.1.2...v3.1.3) --- updated-dependencies: - dependency-name: pbkdf2 dependency-version: 3.1.3 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * feat: Optimize receive address handling for hardware wallets (#3394) * fix: compatible with "Ledger Nano S+" (#3402) Co-authored-by: zhengzhou <zhengzhou@rivtower.com> * Update ckb client versions (#3403) feat: update ckb client versions Co-authored-by: Keith-CY <7271329+Keith-CY@users.noreply.github.com> * chore(deps-dev): bump electron from 36.6.0 to 36.8.1 in /packages/neuron-ui (#3404) chore(deps-dev): bump electron in /packages/neuron-ui Bumps [electron](https://github.com/electron/electron) from 36.6.0 to 36.8.1. 
- [Release notes](https://github.com/electron/electron/releases) - [Changelog](https://github.com/electron/electron/blob/main/docs/breaking-changes.md) - [Commits](electron/electron@v36.6.0...v36.8.1) --- updated-dependencies: - dependency-name: electron dependency-version: 36.8.1 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps-dev): bump electron from 36.6.0 to 36.8.1 in /packages/neuron-wallet (#3405) chore(deps-dev): bump electron in /packages/neuron-wallet Bumps [electron](https://github.com/electron/electron) from 36.6.0 to 36.8.1. - [Release notes](https://github.com/electron/electron/releases) - [Changelog](https://github.com/electron/electron/blob/main/docs/breaking-changes.md) - [Commits](electron/electron@v36.6.0...v36.8.1) --- updated-dependencies: - dependency-name: electron dependency-version: 36.8.1 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore(deps): bump sha.js from 2.4.11 to 2.4.12 (#3406) Bumps [sha.js](https://github.com/crypto-browserify/sha.js) from 2.4.11 to 2.4.12. - [Changelog](https://github.com/browserify/sha.js/blob/master/CHANGELOG.md) - [Commits](browserify/sha.js@v2.4.11...v2.4.12) --- updated-dependencies: - dependency-name: sha.js dependency-version: 2.4.12 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update ckb client versions (#3408) feat: update ckb client versions Co-authored-by: Keith-CY <7271329+Keith-CY@users.noreply.github.com> * chore(deps-dev): bump vite from 6.2.7 to 6.3.6 (#3409) Bumps [vite](https://github.com/vitejs/vite/tree/HEAD/packages/vite) from 6.2.7 to 6.3.6. 
- [Release notes](https://github.com/vitejs/vite/releases) - [Changelog](https://github.com/vitejs/vite/blob/v6.3.6/packages/vite/CHANGELOG.md) - [Commits](https://github.com/vitejs/vite/commits/v6.3.6/packages/vite) --- updated-dependencies: - dependency-name: vite dependency-version: 6.3.6 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Update bug_report.yml change default assignees * Update ckb client versions (#3416) feat: update ckb client versions Co-authored-by: Keith-CY <7271329+Keith-CY@users.noreply.github.com> * chore: remove font ProximaNova * fix: spell fix * chore: fix github actions node version * Update ckb client versions (#3422) feat: update ckb client versions Co-authored-by: Keith-CY <7271329+Keith-CY@users.noreply.github.com> * chore: fix broken url (#3413) Signed-off-by: yajianggroup <yajianggroup@outlook.com> Co-authored-by: zhangyaning <zhangyaning1985@gmail.com> Co-authored-by: 郑州 <wzszhengzhou@hotmail.com> * chore: update AppId (#3426) * chore(deps): bump qs from 6.14.0 to 6.14.1 (#3425) Bumps [qs](https://github.com/ljharb/qs) from 6.14.0 to 6.14.1. - [Changelog](https://github.com/ljharb/qs/blob/main/CHANGELOG.md) - [Commits](ljharb/qs@v6.14.0...v6.14.1) --- updated-dependencies: - dependency-name: qs dependency-version: 6.14.1 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: 郑州 <wzszhengzhou@hotmail.com> * chore(deps): bump tar-fs from 2.1.3 to 2.1.4 (#3412) Bumps [tar-fs](https://github.com/mafintosh/tar-fs) from 2.1.3 to 2.1.4. - [Commits](mafintosh/tar-fs@v2.1.3...v2.1.4) --- updated-dependencies: - dependency-name: tar-fs dependency-version: 2.1.4 dependency-type: indirect ... 
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * chore: update neuron version * chore: Update ckb node assume valid target (#3428) chore: Update ckb node assume valid target for rc/v0.204.0. Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * Update ckb client versions (#3429) (#3430) feat: update ckb client versions Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Keith-CY <7271329+Keith-CY@users.noreply.github.com> * chore: update CHANGELOG * chore: update CHANGELOG * chore: update CHANGELOG --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: yajianggroup <yajianggroup@outlook.com> Co-authored-by: devchenyan <sgt39007@163.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Keith-CY <7271329+Keith-CY@users.noreply.github.com> Co-authored-by: zhengzhou <zhengzhou@rivtower.com> Co-authored-by: yajianggroup <yajianggroup@outlook.com> Co-authored-by: zhangyaning <zhangyaning1985@gmail.com> * fix: harden release notes window handling * fix: correct navbar compatibility typo * chore: release v0.204.1 * chore: Update ckb node assume valid target (#3466) chore: Update ckb node assume valid target for rc/v0.204.1. 
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> * feat: Update Neuron compatibility table --------- Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: yajianggroup <yajianggroup@outlook.com> Co-authored-by: 郑州 <wzszhengzhou@hotmail.com> Co-authored-by: devchenyan <sgt39007@163.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com> Co-authored-by: Keith-CY <7271329+Keith-CY@users.noreply.github.com> Co-authored-by: zhengzhou <zhengzhou@rivtower.com> Co-authored-by: yajianggroup <yajianggroup@outlook.com> Co-authored-by: zhangyaning <zhangyaning1985@gmail.com>
1 parent e4a20e5 commit f980535

13 files changed

Lines changed: 178 additions & 42 deletions


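--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,22 @@
+# 0.204.1 (2026-04-10)
+
+### CKB Node & Light Client
+
+- [CKB@v0.204.0](https://github.com/nervosnetwork/ckb/releases/tag/v0.204.0) was released on Dec. 15th, 2025. This version of CKB node is now bundled and preconfigured in Neuron.
+- [CKB Light Client@v0.5.4](https://github.com/nervosnetwork/ckb-light-client/releases/tag/v0.5.4) was released on Jan. 2nd, 2026. This version of CKB Light Client is now bundled and preconfigured in Neuron
+
+### Assumed valid target
+
+Block before `0xa76ecc34238a30151211f63a09e6063ac7e7e760866b9be73b7560e3a95d3a50`(at height `18,298,596`) will be skipped in validation.(https://github.com/nervosnetwork/neuron/pull/3428)
+
+---
+
+## Bug fixes
+
+- #3465: Harden release notes rendering and privileged window navigation.(@zhangyaning)
+
+**Full Changelog**: https://github.com/nervosnetwork/neuron/compare/v0.204.0...v0.204.1
+
 # 0.204.0 (2026-01-12)
 
 ### Caveat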

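--- a/lerna.json
+++ b/lerna.json
@@ -1,6 +1,6 @@
 {
 "packages": ["packages/*"],
-"version": "0.204.0",
+"version": "0.204.1",
 "npmClient": "yarn",
 "$schema": "node_modules/lerna/schemas/lerna-schema.json"
 }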

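--- a/package.json
+++ b/package.json
@@ -2,7 +2,7 @@
 "name": "neuron",
 "productName": "Neuron",
 "description": "CKB Neuron Wallet",
-"version": "0.204.0",
+"version": "0.204.1",
 "private": true,
 "author": {
 "name": "Nervos Core Dev",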

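--- a/packages/neuron-ui/package.json
+++ b/packages/neuron-ui/package.json
@@ -1,6 +1,6 @@
 {
 "name": "neuron-ui",
-"version": "0.204.0",
+"version": "0.204.1",
 "private": true,
 "author": {
 "name": "Nervos Core Dev",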

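--- a/packages/neuron-ui/src/components/GeneralSetting/index.tsx
+++ b/packages/neuron-ui/src/components/GeneralSetting/index.tsx
@@ -12,6 +12,7 @@ import { uniformTimeFormatter, bytesFormatter, clsx, wakeScreen, releaseWakeLock
 import Switch from 'widgets/Switch'
 import { keepScreenAwake } from 'services/localCache'
 import { LanguageSelect, UnLock } from 'widgets/Icons/icon'
+import { sanitizeReleaseNotes } from 'utils/sanitizeReleaseNotes'
 import styles from './generalSetting.module.scss'
 import { useCheckUpdate, useUpdateDownloadStatus } from './hooks'
 import LockWindowDialog from './LockWindowDialog'
@@ -67,7 +68,7 @@ const UpdateDownloadStatus = ({
 
 if (available) {
 const releaseNotesHtml = () => {
-return { __html: releaseNotes }
+return { __html: sanitizeReleaseNotes(releaseNotes) }
 }
 
 /* eslint-disable react/no-danger */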
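Review bot: `releaseNotesHtml` is now the only step between the release notes (presumably remote-supplied) and `dangerouslySetInnerHTML`, but nothing at the call site says so, and the `/* eslint-disable react/no-danger */` right after it silences the lint rule that would flag a regression. I would add a comment above the helper such as `// releaseNotes is untrusted markup; it must pass through sanitizeReleaseNotes before it is used as __html`. The helper also re-parses and re-serialises the notes on every call; if it runs on each render, computing the sanitized string once per `releaseNotes` value would avoid that. The rest of `UpdateDownloadStatus` lies outside this hunk, so how often it is invoked cannot be confirmed from here.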
Lines changed: 24 additions & 0 deletions
@@ -0,0 +1,24 @@
1+
import { describe, expect, it } from 'vitest'
2+
import { sanitizeReleaseNotes } from 'utils/sanitizeReleaseNotes'
3+
4+
describe('sanitizeReleaseNotes', () => {
5+
it('removes interactive markup and keeps basic formatting', () => {
6+
const sanitized = sanitizeReleaseNotes(`
7+
<p>safe</p>
8+
<button data-method="open-in-window" onclick="window.electron.ipcRenderer.invoke('open-in-window')">open</button>
9+
<img src="x" onerror="alert('xss')" />
10+
<script>alert('xss')</script>
11+
<pre><code>const ok = true</code></pre>
12+
`)
13+
14+
expect(sanitized).toContain('<p>safe</p>')
15+
expect(sanitized).toContain('<pre><code>const ok = true</code></pre>')
16+
expect(sanitized).not.toContain('<button')
17+
expect(sanitized).not.toContain('<img')
18+
expect(sanitized).not.toContain('<script')
19+
expect(sanitized).not.toContain('onclick')
20+
expect(sanitized).not.toContain('data-method')
21+
expect(sanitized).not.toContain('onerror')
22+
expect(sanitized).not.toContain("alert('xss')")
23+
})
24+
})
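Review bot: The single test case never puts an attribute on an allowed tag, so the property the sanitizer depends on, that rebuilt elements carry no attributes at all, is only checked indirectly through the removed `<button>` and `<img>`. I would add a case such as `expect(sanitizeReleaseNotes('<p onclick="x()" style="color:red">hi</p>')).toBe('<p>hi</p>')`. The `style`, `iframe`, `object` and `embed` entries of the drop list are also unexercised. A check that a disallowed wrapper (a heading, for example) keeps its text would pin the unwrap behaviour.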
Lines changed: 46 additions & 0 deletions
@@ -0,0 +1,46 @@
1+
const ALLOWED_TAGS = new Set(['p', 'br', 'ul', 'ol', 'li', 'strong', 'em', 'b', 'i', 'code', 'pre'])
2+
const DROP_CONTENT_TAGS = new Set(['script', 'style', 'iframe', 'object', 'embed'])
3+
4+
const sanitizeNodes = (doc: Document, nodes: ChildNode[]): Node[] => {
5+
return nodes.flatMap(node => {
6+
if (node.nodeType === Node.TEXT_NODE) {
7+
return [doc.createTextNode(node.textContent ?? '')]
8+
}
9+
10+
if (node.nodeType !== Node.ELEMENT_NODE) {
11+
return []
12+
}
13+
14+
const element = node as HTMLElement
15+
const tagName = element.tagName.toLowerCase()
16+
17+
if (DROP_CONTENT_TAGS.has(tagName)) {
18+
return []
19+
}
20+
21+
const children = sanitizeNodes(doc, Array.from(element.childNodes))
22+
23+
if (!ALLOWED_TAGS.has(tagName)) {
24+
return children
25+
}
26+
27+
const sanitizedElement = doc.createElement(tagName)
28+
children.forEach(child => {
29+
sanitizedElement.appendChild(child)
30+
})
31+
return [sanitizedElement]
32+
})
33+
}
34+
35+
export const sanitizeReleaseNotes = (releaseNotes: string) => {
36+
const template = document.createElement('template')
37+
template.innerHTML = releaseNotes
38+
39+
const container = document.createElement('div')
40+
sanitizeNodes(document, Array.from(template.content.childNodes)).forEach(node => {
41+
container.appendChild(node)
42+
})
43+
return container.innerHTML
44+
}
45+
46+
export default sanitizeReleaseNotes
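Review bot: `sanitizeNodes` strips attributes only because it builds each kept element with `doc.createElement(tagName)` instead of cloning the parsed node, and that invariant is not written down anywhere. A doc comment on `sanitizeReleaseNotes` should state that the output contains only the tags in `ALLOWED_TAGS` and never any attribute. It should also say that a tag which needs attributes (a link with `href`, an image) must not be added to the set without separate attribute and URL-scheme validation. Elements outside both sets are unwrapped, so headings and links in release notes collapse into bare text, which deserves a sentence in the same comment. The exported function would also read better with an explicit return type, `export const sanitizeReleaseNotes = (releaseNotes: string): string => {`.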

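--- a/packages/neuron-wallet/.env
+++ b/packages/neuron-wallet/.env
@@ -121,6 +121,6 @@ MAINNET_MULTISIG_TXHASH=0x6888aa39ab30c570c2c30d9d5684d3769bf77265a7973211a3c087
 TESTNET_MULTISIG_TXHASH=0x2eefdeb21f3a3edf697c28a52601b4419806ed60bb427420455cc29a090b26d5
 
 # CKB NODE OPTIONS
-CKB_NODE_ASSUME_VALID_TARGET='0xa76ecc34238a30151211f63a09e6063ac7e7e760866b9be73b7560e3a95d3a50'
-CKB_NODE_ASSUME_VALID_TARGET_BLOCK_NUMBER=18298596
-CKB_NODE_DATA_SIZE=135
+CKB_NODE_ASSUME_VALID_TARGET='0x510c9a883f0a4d0a66b26056a08274b6d5276a0a457e303b79f235bf2645239b'
+CKB_NODE_ASSUME_VALID_TARGET_BLOCK_NUMBER=19039735
+CKB_NODE_DATA_SIZE=139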
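Review bot: The new assume-valid target (`0x510c9a88…2645239b` at block `19039735`) does not match the CHANGELOG entry for 0.204.1 in this same commit. That entry still lists `0xa76ecc34…a95d3a50` at height `18,298,596` and links pull 3428, which are exactly the values this hunk removes. Blocks before this hash are skipped in validation, so the published value is what lets users check the shipped default; the changelog line should carry the new hash and height (the commit description attributes the update to #3466). A comment above `CKB_NODE_ASSUME_VALID_TARGET` saying that the hash and `CKB_NODE_ASSUME_VALID_TARGET_BLOCK_NUMBER` must be updated together and refer to the same block would guard against a partial edit.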

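--- a/packages/neuron-wallet/package.json
+++ b/packages/neuron-wallet/package.json
@@ -3,7 +3,7 @@
 "productName": "Neuron",
 "description": "CKB Neuron Wallet",
 "homepage": "https://www.nervos.org/",
-"version": "0.204.0",
+"version": "0.204.1",
 "private": true,
 "author": {
 "name": "Nervos Core Dev",
@@ -92,7 +92,7 @@
 "electron-builder": "24.13.3",
 "electron-devtools-installer": "3.2.1",
 "jest-when": "3.6.0",
-"neuron-ui": "^0.204.0",
+"neuron-ui": "^0.204.1",
 "typescript": "5.3.3"
 },
 "resolutions": {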
Lines changed: 21 additions & 0 deletions
@@ -0,0 +1,21 @@
1+
import env from '../../env'
2+
3+
export const resolveInternalWindowTarget = (url: string) => {
4+
const normalizedUrl = url.trim()
5+
6+
if (normalizedUrl.startsWith('#/')) {
7+
return {
8+
navigationUrl: normalizedUrl.replace(/^#/, ''),
9+
windowUrl: `${env.mainURL}${normalizedUrl}`,
10+
}
11+
}
12+
13+
if (normalizedUrl.startsWith('/')) {
14+
return {
15+
navigationUrl: normalizedUrl,
16+
windowUrl: `${env.mainURL}#${normalizedUrl}`,
17+
}
18+
}
19+
20+
return null
21+
}
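Review bot: Both prefix checks accept a value whose path starts with a second slash or a backslash (`//host/…`, `#//host/…`), and `navigationUrl` is returned with that prefix intact. `windowUrl` stays on `env.mainURL` because the value lands in the fragment, but how `navigationUrl` is consumed is not visible here; if it ever reaches an API that resolves URLs, such a value would be read as protocol-relative. Rejecting it up front costs one line after the `trim()`: `if (/^#?\/[\/\\]/.test(normalizedUrl)) return null`. Since `url` presumably arrives over IPC, a `typeof url !== 'string'` guard before `.trim()` would also help, as would a doc comment stating that only in-app hash routes are accepted and that `null` means "refuse to open".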
