Merge branch 'main' into mikesposito/chore/update-keyring-controller

Author: mikesposito

.depcheckrc.yml

@@ -44,8 +44,6 @@ ignores:
   - 'wait-on'
   - 'tsx' # used in .devcontainer
   - 'prettier-eslint' # used by the Prettier ESLint VSCode extension
-  - 'tar' # used by foundryup.ts
-  - 'minipass' # used by foundryup.ts
   - 'tweetnacl' # used by solana-wallet-standard
   - 'bs58' # used by solana-wallet-standard
   # storybook

.github/CODEOWNERS

@@ -117,7 +117,9 @@ ui/components/app/metamask-template-renderer @MetaMask/confirmations @MetaMask/s
 ui/components/app/whats-new-popup     @MetaMask/wallet-ux
 ui/css                                @MetaMask/wallet-ux
 ui/pages/home                         @MetaMask/wallet-ux
-ui/pages/onboarding-flow              @MetaMask/wallet-ux
+
+# Web3Auth / Onboarding
+ui/pages/onboarding-flow              @MetaMask/web3auth
 
 # Confirmations team to own code for confirmations on UI.
 app/scripts/controller-init/confirmations                         @MetaMask/confirmations

.github/workflows/cla.yml

@@ -23,7 +23,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         with:
           path-to-signatures: 'cla.json'
-          url-to-cladocument: 'https://metamask.io/cla.html'
+          url-to-cladocument: 'https://metamask.io/cla'
           # This branch can't have protections, commits are made directly to the specified branch.
           branch: 'cla-signatures'
           allowlist: 'dependabot[bot],metamaskbot,crowdin-bot,runway-github[bot]'

.github/workflows/main.yml

@@ -12,6 +12,8 @@ on:
       - opened
       - reopened
       - synchronize
+    branches-ignore:
+      - master
   merge_group:
 
 concurrency:
@@ -328,7 +330,6 @@ jobs:
 
   publish-prerelease:
     name: Publish prerelease
-    if: ${{ github.event_name == 'pull_request' }}
     needs:
       - build-dist-browserify
       - build-dist-mv2-browserify

.github/workflows/publish-prerelease.yml

@@ -10,6 +10,20 @@ jobs:
   publish-prerelease:
     name: Publish prerelease
     runs-on: ubuntu-latest
+    env:
+      PR_COMMENT_TOKEN: ${{ secrets.PR_COMMENT_TOKEN }}
+      OWNER: ${{ github.repository_owner }}
+      REPOSITORY: ${{ github.event.repository.name }}
+      RUN_ID: ${{ github.run_id }}
+      # For a `pull_request` event, the branch is `github.head_ref`.
+      # For a `push` event, the branch is `github.ref_name`.
+      BRANCH: ${{ github.head_ref || github.ref_name }}
+      PR_NUMBER: ${{ github.event.pull_request.number }}
+      BASE_COMMIT_HASH: ${{ github.event.pull_request.base.sha }}
+      HEAD_COMMIT_HASH: ${{ github.event.pull_request.head.sha }}
+      MERGE_BASE_COMMIT_HASH: '' # placeholder so that we have autocomplete and logs
+      CLOUDFRONT_REPO_URL: ${{ vars.AWS_CLOUDFRONT_URL }}/${{ github.event.repository.name }}
+      HOST_URL: ${{ vars.AWS_CLOUDFRONT_URL }}/${{ github.event.repository.name }}/${{ github.run_id }}
     steps:
       - name: Checkout and setup high risk environment
         uses: MetaMask/action-checkout-and-setup@v1
@@ -19,26 +33,33 @@ jobs:
           fetch-depth: 0 # This is needed to get merge base to calculate bundle size diff
           yarn-custom-url: ${{ vars.YARN_URL }}
 
+      - name: Find the associated PR
+        if: ${{ startsWith(env.BRANCH, 'Version-v') && (!env.PR_NUMBER || !env.BASE_COMMIT_HASH || !env.HEAD_COMMIT_HASH) }}
+        uses: actions/github-script@v7
+        with:
+          script: |
+            const prs = await github.rest.pulls.list({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              head: `${context.repo.owner}:${process.env.BRANCH}`
+              base: 'master',
+            });
+            if (prs.data.length > 0) {
+              core.exportVariable("PR_NUMBER", prs.data[0].number);
+              core.exportVariable("BASE_COMMIT_HASH", prs.data[0].base.sha);
+              core.exportVariable("HEAD_COMMIT_HASH", prs.data[0].head.sha);
+              core.info(`The pull request number is '${process.env.PR_NUMBER}', the base commit hash is '${process.env.BASE_COMMIT_HASH}', and the head commit hash is '${process.env.HEAD_COMMIT_HASH}'`);
+            } else {
+              core.info(`No pull request detected for branch '${process.env.BRANCH}'`);
+            }
+
       - name: Get merge base commit hash
-        id: get-merge-base
-        env:
-          BASE_SHA: ${{ github.event.pull_request.base.sha }}
-          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+        if: ${{ env.BASE_COMMIT_HASH && env.HEAD_COMMIT_HASH }}
         run: |
-          merge_base="$(git merge-base "${BASE_SHA}" "${HEAD_SHA}")"
-          echo "MERGE_BASE=${merge_base}" >> "$GITHUB_OUTPUT"
-          echo "Merge base is '${merge_base}'"
+          merge_base_commit_hash="$(git merge-base "${BASE_COMMIT_HASH}" "${HEAD_COMMIT_HASH}")"
+          echo "MERGE_BASE_COMMIT_HASH=${merge_base_commit_hash}" >> "${GITHUB_ENV}"
+          echo "The merge base commit hash is '${merge_base_commit_hash}'"
 
       - name: Publish prerelease
-        if: ${{ env.PR_COMMENT_TOKEN && vars.AWS_CLOUDFRONT_URL }}
-        env:
-          PR_COMMENT_TOKEN: ${{ secrets.PR_COMMENT_TOKEN }}
-          OWNER: ${{ github.repository_owner }}
-          REPOSITORY: ${{ github.event.repository.name }}
-          RUN_ID: ${{ github.run_id }}
-          PR_NUMBER: ${{ github.event.pull_request.number }}
-          HEAD_COMMIT_HASH: ${{ github.event.pull_request.head.sha }}
-          MERGE_BASE_COMMIT_HASH: ${{ steps.get-merge-base.outputs.MERGE_BASE }}
-          CLOUDFRONT_REPO_URL: ${{ vars.AWS_CLOUDFRONT_URL }}/${{ github.event.repository.name }}
-          HOST_URL: ${{ vars.AWS_CLOUDFRONT_URL }}/${{ github.event.repository.name }}/${{ github.run_id }}
+        if: ${{ env.MERGE_BASE_COMMIT_HASH && env.PR_NUMBER && env.PR_COMMENT_TOKEN && vars.AWS_CLOUDFRONT_URL }}
         run: yarn tsx ./development/metamaskbot-build-announce.ts

.github/workflows/run-benchmarks.yml

@@ -33,7 +33,7 @@ jobs:
 
       # not installed by checkout-and-setup when cache is restored
       - name: Install anvil
-        run: yarn foundryup
+        run: yarn mm-foundryup
 
       - name: Download artifact '${{ env.ARTIFACT_NAME }}'
         uses: actions/download-artifact@v4

.github/workflows/run-e2e.yml

@@ -69,7 +69,7 @@ jobs:
 
       # not installed by checkout-and-setup when cache is restored
       - name: Install anvil
-        run: yarn foundryup
+        run: yarn mm-foundryup
 
       - name: Download build artifact
         if: ${{ inputs.build-artifact != '' }}

.yarn/patches/@metamask-network-controller-npm-23.5.1-42017cc4f5.patch renamed to .yarn/patches/@metamask-network-controller-npm-23.6.0-9e4332461a.patch

@@ -13,150 +13,48 @@ logFilters:
 nodeLinker: node-modules
 
 npmAuditIgnoreAdvisories:
-  ### Advisories:
-
-  # Issue: yargs-parser Vulnerable to Prototype Pollution
-  # URL - https://github.com/advisories/GHSA-p9pc-299p-vxgp
-  # The affected version (<5.0.0) is only included via @ensdomains/ens via
-  # 'solc' which is not used in the imports we use from this package.
   - 1088783
-
-  # Issue: protobufjs Prototype Pollution vulnerability
-  # URL - https://github.com/advisories/GHSA-h755-8qp9-cq85
-  # Not easily patched. Minimally effects the extension due to usage of
-  # LavaMoat lockdown. Additional id added that resolves to the same advisory
-  # but has a different entry due to it being a new dependency of
-  # @trezor/connect-web. Upgrading
   - 1092429
   - 1095136
-
-  # Issue: Regular Expression Denial of Service (ReDOS)
-  # URL: https://github.com/advisories/GHSA-257v-vj4p-3w2h
-  # color-string is listed as a dependency of 'color' which is brought in by
-  # @metamask/jazzicon v2.0.0 but there is work done on that repository to
-  # remove the color dependency. We should upgrade
   - 1089718
-
-  # Issue: semver vulnerable to Regular Expression Denial of Service
-  # URL: https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
-  # semver is used in the solidity compiler portion of @truffle/codec that does
-  # not appear to be used.
   - 1092461
-
-  # Issue: Malware in @solana/web3.js
-  # URL: https://github.com/advisories/GHSA-2mhj-xmf4-pr8m
-  # we patched this to ensure the vulnerable versions are not included, but the advisory
-  # was mistakenly originally created to flag all versions as vulnerable
   - 1101059
-
-  # Issue: axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL
-  # URL: https://github.com/advisories/GHSA-jr5f-v2jv-69x6
-  # We are ignoring this on March 11, 2025 to unblock CI, we will follow with a proper fix or confirmation this does not affect our users
   - 1102472
-
-  # Issue: Issue: Babel has inefficient RexExp complexity in generated code with .replace when transpiling named capturing groups
-  # We are ignoring this on March 12, 2025 and April 24, 2025 to unblock CI, we will follow with a proper fix or confirmation this does not affect our users
   - 1103026
   - 1104001
-
-  # Issue: ses's global contour bindings leak into Compartment lexical scope
-  # URL: https://github.com/advisories/GHSA-h9w6-f932-gq62
-  # We are ignoring this on April 24, 2025 as it does not affect the codebase.
   - 1103932
-
-  # Issue: React Router allows pre-render data spoofing on React-Router framework mode
-  # URL: https://github.com/MetaMask/metamask-extension/security/dependabot/228
-  # will be fixed in https://github.com/MetaMask/MetaMask-planning/issues/3261
   - 1104031
   - 1104032
-
-  # Temp fix for https://github.com/MetaMask/metamask-extension/pull/16920 for the sake of 11.7.1 hotfix
-  # This will be removed in this ticket https://github.com/MetaMask/metamask-extension/issues/22299
-  - 'ts-custom-error (deprecation)'
-  - 'text-encoding (deprecation)'
-
-  ### Package Deprecations:
-
-  # React-tippy brings in popper.js and react-tippy has not been updated in
-  # three years.
-  - 'popper.js (deprecation)'
-
-  # React-router is out of date and brings in the following deprecated package
-  - 'mini-create-react-context (deprecation)'
-
-  # The affected version, which is less than 7.0.0, is brought in by
-  # ethereumjs-wallet version 0.6.5 used in the extension but only in a single
-  # file app/scripts/account-import-strategies/index.js, which may be easy to
-  # upgrade.
-  - 'uuid (deprecation)'
-
-  # @npmcli/move-file is brought in via CopyWebpackPlugin used in the storybook
-  # main.js file, which can be upgraded to remove this dependency in favor of
-  # @npmcli/fs
+  - ts-custom-error (deprecation)
+  - text-encoding (deprecation)
+  - popper.js (deprecation)
+  - mini-create-react-context (deprecation)
+  - uuid (deprecation)
   - '@npmcli/move-file (deprecation)'
-
-  # Upgrading babel will result in the following deprecated packages being
-  # updated:
-  - 'core-js (deprecation)'
-
-  # Material UI dependencies are planned for removal
+  - core-js (deprecation)
   - '@material-ui/core (deprecation)'
   - '@material-ui/styles (deprecation)'
   - '@material-ui/system (deprecation)'
-
-  # @ensdomains/ens should be explored for upgrade. The following packages are
-  # deprecated and would be resolved by upgrading to newer versions of
-  # ensdomains packages:
   - '@ensdomains/ens (deprecation)'
   - '@ensdomains/resolver (deprecation)'
-  - 'testrpc (deprecation)'
-
-  # Dependencies brought in by @truffle/decoder that are deprecated:
-  - 'cids (deprecation)' # via @ensdomains/content-hash
-  - 'multibase (deprecation)' # via cids
-  - 'multicodec (deprecation)' # via cids
-
-  # MetaMask owned repositories brought in by other MetaMask dependencies that
-  # can be resolved by updating the versions throughout the dependency tree
-  - 'eth-sig-util (deprecation)' # via @metamask/eth-ledger-bridge-keyring
-  - '@metamask/controller-utils (deprecation)' # via @metamask/phishing-controller
-  - 'safe-event-emitter (deprecation)' # via eth-block-tracker and others
-
-  # @metamask-institutional relies upon crypto which is deprecated
-  - 'crypto (deprecation)'
-
-  # @metamask/providers uses webextension-polyfill-ts which has been moved to
-  # @types/webextension-polyfill
-  - 'webextension-polyfill-ts (deprecation)'
-
-  # Imported in @trezor/blockchain-link@npm:2.1.8, but not actually depended on
-  # by MetaMask
-  - 'ripple-lib (deprecation)'
-
-  # Brought in by ethereumjs-utils, which is used in the extension and in many
-  # other dependencies. At the time of this exclusion, the extension has three
-  # old versions of ethereumjs-utils which should be upgraded to
-  # @ethereumjs/utils throughout our owned repositories. However even doing
-  # that may be insufficient due to dependencies we do not own still relying
-  # upon old versions of ethereumjs-utils.
-  - 'ethereum-cryptography (deprecation)'
-
-  # Currently in use for the network list drag and drop functionality.
-  # Maintenance has stopped and the project will be archived in 2025.
-  - 'react-beautiful-dnd (deprecation)'
-  # New package name format for new versions: @ethereumjs/wallet.
-  - 'ethereumjs-wallet (deprecation)'
-
-  # The new trezor version breaks the webpack build due to issues with ESM and CommonJS
-  # Leading to this error on start: `Uncaught ReferenceError: exports is not defined`
-  # We temporarily ignore the audit failure until we can safely upgrade to the new version without breaking the webpack build
-  # Check Trezor 9.5.X Changelog for more info: https://github.com/trezor/trezor-suite/blob/develop/packages/connect/CHANGELOG.md
+  - testrpc (deprecation)
+  - cids (deprecation)
+  - multibase (deprecation)
+  - multicodec (deprecation)
+  - eth-sig-util (deprecation)
+  - '@metamask/controller-utils (deprecation)'
+  - safe-event-emitter (deprecation)
+  - crypto (deprecation)
+  - webextension-polyfill-ts (deprecation)
+  - ripple-lib (deprecation)
+  - ethereum-cryptography (deprecation)
+  - react-beautiful-dnd (deprecation)
+  - ethereumjs-wallet (deprecation)
   - '@trezor/connect-web (deprecation)'
-
-  # We temporarily ignore the deprecation notice to unblock ci
-  # Issue: @solana/web3.js version 2.0 is now @solana/kit! Remove @solana/web3.js@2 from your dependencies and replace it with @solana/kit.
-  # As needed, upgrade all of your @solana-program/* dependencies to the latest versions that use Kit.
   - '@solana/web3.js (deprecation)'
+
+npmRegistryServer: 'https://registry.npmjs.org/'
+
 plugins:
   - path: .yarn/plugins/@yarnpkg/plugin-allow-scripts.cjs
     spec: 'https://raw.githubusercontent.com/LavaMoat/LavaMoat/main/packages/yarn-plugin-allow-scripts/bundles/@yarnpkg/plugin-allow-scripts.js'