chore(suite): update mission dependencies

[Lemonexe]

Description

Update most Mission-related dependencies:

• electron-builder
• simple-git
  • moved to usability dependencies, as it pertains Suite Guide
• electron-updater
• varuint-bitcoin

These were not updated:

• electron 31
  • it is supported by nixos, but not properly, could break build unexpectedly in future, see comment
• tiny-secp256k1 WIP in #12261
• electron-store requires refactoring our electron main process to ES
  • that is possible since electron 28, which we have since #13795, but is out of scope

Besides CI checks ✔️ , I have tested: local suite:dev, suite:dev:desktop, linux build ✔️

ℹ️ For reference, last bump mission deps PR was #13938

[socket-security]

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring: npm/@electron/rebuild@3.6.0, npm/builder-util@25.0.3

View full report↗︎

Next steps

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

[Lemonexe]

They also added bigint support, so the lib fn no longer throws error when out of range, but instead returns null number (and non-null bigint number).
In this PR I wanted to keep the same functionality, not refactor our utxo-lib to support bigints (I don't even know if it's needed), so the error is thrown.

[Lemonexe]

Concerning socket-security:

• read-binary-file-arch@1.0.6, a new a transitive dep of electron-builder, code seems legit
• @electron/rebuild@3.6.0 is a new transitive dep directly from @electron, so I'd trust that?
• builder-util@25.0.3 is an update of existing dep from electron-builder
  • owned by the same authors as electron-builder, so I'd trust that?

[Lemonexe]

@SocketSecurity ignore npm/read-binary-file-arch@1.0.6 npm/@electron/rebuild@3.6.0 npm/builder-util@25.0.3

Discussed with @komret , see comment above with explanation

[Lemonexe]

Not entirely sure if we want to use it, if it doesn't have specific version... Could it break in future?

[szymonlesisz]

i think it breaks desktop builds on nixos, but 31.4 should be there already

[Lemonexe]

Well, there is electron-chromedriver_31 listed, but not electron_31. They did add it, but only named as electron. At first I thought it's no problem, but you're right, it will break desktop builds when they bump to 32 at nixos repository.

So I'm gonna drop the electron bump from this PR and finish that later. I'll write an email to the maintainers to ask about it 🙂

[szymonlesisz]

update of varuint-bitcoin looks ok 👍