Tonkeeper has cut v4.7.0-rc.2, the second release candidate of the 4.7 line. Two headlines dominate the changelog: a security fix for the signData flow (TK-1104) and the introduction of an in-wallet analytics layer (TK-1046). The rest is UX polish: CLDR-correct plural forms for wallet counts, a balance-loading skeleton instead of a misleading $0, a reworked swap token search, and the removal of the legacy web-swap-widget.
Just before this branch the team shipped a small v4.6.1 hotfix that corrected a fee-calculation bug (TK-1026) and tidied up deeplinks. Below is a line-by-line read of the official GitHub release notes: what shipped, what it means for users, and why 4.7.0 is not yet stable.
TL;DR
- TK-1104 closes a manifest-domain bypass and a signData origin-spoofing path used by malicious dApps.
- TK-1046 adds telemetry scaffolding (analytics + schema + transfer events): infrastructure, not a user-facing feature.
- Swap rework: new API client and search-result sorting; the standalone web-swap-widget is gone.
- Correct plural forms for wallet counts via CLDR, important for languages with rich plural rules.
- Skeleton placeholder while balance is loading instead of flashing $0.
What landed in 4.7.0-rc.2
The list below tracks the exact bullets in the GitHub release notes, regrouped by theme.
Security
- fix(TK-1104): isLocalhost manifest bypass and signData domain spoofing. The attack worked like this: a malicious site could bypass the check that a TON Connect manifest is hosted on the legitimate domain (by impersonating localhost) and submit a signData request carrying a forged origin. Both bypasses are now blocked. From a user perspective this is the single most important reason to install the eventual stable tag.
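The release notes do not say how the two checks were bypassed. The sketch below is an added example, not Tonkeeper's code: it shows the defensive shape such checks usually take, with exact hostname comparison after URL parsing for the loopback exemption, and a signData domain taken from the origin the wallet recorded for the session rather than from the request. All function names, the `allowLoopback` option and the sample URLs are assumptions made for illustration.

```javascript
// Added illustration; names and sample values are hypothetical.
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// Parse first, then compare the hostname exactly. Substring or prefix
// matching on the raw string would also accept look-alike hosts.
function isLoopbackUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return false; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return false;
  if (url.username || url.password) return false; // reject userinfo tricks
  return LOOPBACK_HOSTS.has(url.hostname);
}

// A manifest URL is accepted when it is plain HTTPS, or when it is a
// loopback URL and the caller explicitly enabled that (development only).
function isAcceptableManifestUrl(raw, { allowLoopback = false } = {}) {
  if (isLoopbackUrl(raw)) return allowLoopback;
  try {
    const url = new URL(raw);
    return url.protocol === 'https:' && !url.username && !url.password;
  } catch {
    return false;
  }
}

// The domain bound into a signData request comes from the session origin
// the wallet stored at connect time; a differing claim is refused.
function resolveSignDataDomain(sessionOrigin, claimedDomain) {
  const trusted = new URL(sessionOrigin).hostname;
  if (claimedDomain !== undefined &&
      String(claimedDomain).toLowerCase() !== trusted) {
    throw new Error(`signData domain mismatch: session is ${trusted}`);
  }
  return trusted;
}

// Constructed sample inputs.
const samples = [
  'http://localhost:3000/tonconnect-manifest.json',
  'https://localhost.example.org/tonconnect-manifest.json',
  'https://localhost@example.org/tonconnect-manifest.json',
  'https://app.example.org/tonconnect-manifest.json',
];
for (const s of samples) {
  console.log(s, isLoopbackUrl(s), isAcceptableManifestUrl(s));
}
```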
Analytics (TK-1046)
- Tk 1046/analytics: base event-tracking implementation.
- TK-1046/analytics schema: the schema describing which fields are emitted.
- Tk 1046/analytics transfer: analytics events tied to the transfer flow.
The release notes do not describe what metrics are collected or where they are sent. Privacy-sensitive users should wait for a public statement from Tonkeeper or for an opt-out toggle to appear in settings. Telemetry is not the same as data exfiltration, but it is a new surface that deserves its own audit.
Swap
- chore(web-swap-widget): remove widget from the codebase. The embeddable swap widget (previously installable on third-party sites) has been removed from the repository. Core swap functionality remains inside the main wallet UI.
- swap tokens search sorting + API client: the in-wallet swap now has new token-search sort logic and a new backing API client. This was the headline change in rc.1 and carries over to rc.2.
UX polish
- fix(uikit): Show skeleton instead of $0 while balance is loading. While the wallet is pulling balances, a skeleton placeholder appears instead of a literal $0. Previously the zero could flash long enough to look like a drained wallet.
- fix(uikit): prevent click event propagation on address copy. Tapping the copy-address button no longer bubbles the click up to the parent; previously the action could accidentally open the wallet card.
- fix(i18n): pluralize wallet count strings via CLDR rules. Wallet-count strings now respect CLDR plural rules, important for languages where the plural form depends on the number (Russian, Polish, Arabic, etc.) rather than a simple singular/plural split.
Assets and protocols
- TK-1096: Handle asset parsing for unstake tsTON. The asset parser now recognises an unstake tsTON operation (Tonstakers liquid staking). Previously the transaction could surface as a raw payload string instead of a human-readable action.
- fix(core): tk-1101: an internal core-package bug fix; release notes do not detail the symptom.
Infrastructure
- Dependencies update: routine bump.
- Chore/release workflows: CI/CD pipeline changes for release builds.
What 4.6.1 fixed
Just before the 4.7.0 feature branch opened, Tonkeeper shipped a short stabilisation release, v4.6.1. Three items:
- TK-1038 (PR #616): request wallets with pubkeys. Wallet listings now also return their public keys, which integrations need for signature verification.
- Feature/deeplinks (PR #613): an expansion of the deeplink protocol. Release notes do not enumerate the new schemes, but the PR scope suggests broader handling of external command-style links.
- TK-1026 (PR #612): fee calculation bug, the main fix of the release. In specific scenarios the wallet was reporting an incorrect fee, leading either to underpaid transactions or to overpaying.
About 70 commits then landed in main between the 4.6.1 tag and the 4.7.0-rc cut; that body of work is what makes up the new release candidate.
What it means for users
If Tonkeeper is your primary wallet: wait for the stable 4.7.0 tag, then install promptly. The main reason to update is TK-1104, the signData spoofing fix. You are unlikely to encounter this in normal usage (it requires targeted phishing), but the "malicious dApp forges its origin" class of issue is not one to leave unpatched.
If you use the in-wallet swap: check whether the new search-result sorting suits your workflow. If you previously embedded web-swap-widget on a third-party site, that integration path is gone; you'll need an alternative flow (a deep-link into Tonkeeper is the obvious replacement).
If you stake tsTON: unstake transactions will now show up with a human-readable action instead of a raw payload (TK-1096).
Privacy note. The arrival of analytics (TK-1046) is neutral infrastructure on its own, but watch for two things from Tonkeeper: a published privacy policy describing what events are collected, and an opt-out toggle in settings. Non-custodial wallet users tend to be sensitive to this and the team will need to address it explicitly.
When stable ships
v4.7.0-rc.2 is a release candidate, not the stable cut. Tonkeeper does not publish a roadmap date, but historically the gap between a final rc and a stable tag has run from a few days to a couple of weeks. Until then:
- you do not need to install rc.2 on your main wallet;
- if you want to try the new swap and UX fixes, install rc.2 as a secondary profile (a separate seed-phrase import) but do not move large balances into it;
- watch for the v4.7.0 tag (no -rc.* suffix) on the tonkeeper-web releases page.
It is also entirely possible that an rc.3 lands between rc.2 and the stable cut; that is normal practice, especially when a critical fix like TK-1104 needs additional regression testing.













