From cdb171dc4d5bfa599e702ce81144a91632f9fb25 Mon Sep 17 00:00:00 2001 From: Bernardo Garces Chapero Date: Thu, 27 Nov 2025 12:06:39 +0000 Subject: [PATCH 1/7] audit fix --- .yarnrc.yml | 2 ++ package.json | 3 ++- yarn.lock | 8 ++++---- 3 files changed, 8 insertions(+), 5 deletions(-) diff --git a/.yarnrc.yml b/.yarnrc.yml index 5026a136c7f9..607fffabcd7d 100644 --- a/.yarnrc.yml +++ b/.yarnrc.yml @@ -78,3 +78,5 @@ npmPreapprovedPackages: - 'lavamoat-browserify' - 'lavamoat-tofu' - 'lavamoat-node' + # Required to install the patched package to unblock audit. Delete this after three days have passed from the package release date. + - 'node-forge' diff --git a/package.json b/package.json index 739d49c97415..dfbe417bc68e 100644 --- a/package.json +++ b/package.json @@ -246,7 +246,8 @@ "@endo/env-options@npm:^1.1.8": "patch:@endo/env-options@npm%3A1.1.11#~/.yarn/patches/@endo-env-options-npm-1.1.11-1b7fae374a.patch", "@metamask/jazzicon@npm:^2.0.0": "patch:@metamask/jazzicon@npm%3A2.0.0#~/.yarn/patches/@metamask-jazzicon-npm-2.0.0-36957be38d.patch", "@rive-app/canvas@npm:2.31.5": "patch:@rive-app/canvas@patch%3A@rive-app/canvas@patch%253A@rive-app/canvas@npm%25253A2.31.5%2523~/.yarn/patches/@rive-app-canvas-npm-2.31.5-df519c6e0f.patch%253A%253Aversion=2.31.5&hash=1ed092%23~/.yarn/patches/@rive-app-canvas-patch-9b746e9393.patch%3A%3Aversion=2.31.5&hash=19c5d0#~/.yarn/patches/@rive-app-canvas-patch-03752f0c3b.patch", - "addons-linter/glob": "^10.5.0" + "addons-linter/glob": "^10.5.0", + "node-forge": "^1.3.2" }, "dependencies": { "@babel/runtime": "patch:@babel/runtime@npm%3A7.25.9#~/.yarn/patches/@babel-runtime-npm-7.25.9-fe8c62510a.patch", diff --git a/yarn.lock b/yarn.lock index abc8d788c2f4..72269a65c16e 100644 --- a/yarn.lock +++ b/yarn.lock @@ -34216,10 +34216,10 @@ __metadata: languageName: node linkType: hard -"node-forge@npm:^1, node-forge@npm:^1.2.1": - version: 1.3.1 - resolution: "node-forge@npm:1.3.1" - checksum: 10/05bab6868633bf9ad4c3b1dd50ec501c22ffd69f556cdf169a00998ca1d03e8107a6032ba013852f202035372021b845603aeccd7dfcb58cdb7430013b3daa8d +"node-forge@npm:^1.3.2": + version: 1.3.2 + resolution: "node-forge@npm:1.3.2" + checksum: 10/dcc54aaffe0cf52367214a20c0032aa9b209d9095dd14526504f1972d1900a07e96046b3684cb0c8d0cc3d48744dd18e02b7b447ab28fac615ffb850beeabf18 languageName: node linkType: hard From d7a93f7e902ab0e760554ead1c195253493e099e Mon Sep 17 00:00:00 2001 From: Bernardo Garces Chapero Date: Thu, 27 Nov 2025 12:16:05 +0000 Subject: [PATCH 2/7] remove exception --- .yarnrc.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.yarnrc.yml b/.yarnrc.yml index 607fffabcd7d..5026a136c7f9 100644 --- a/.yarnrc.yml +++ b/.yarnrc.yml @@ -78,5 +78,3 @@ npmPreapprovedPackages: - 'lavamoat-browserify' - 'lavamoat-tofu' - 'lavamoat-node' - # Required to install the patched package to unblock audit. Delete this after three days have passed from the package release date. - - 'node-forge' From 47b56754206aedd700e08779941d273f450369c1 Mon Sep 17 00:00:00 2001 From: Florin Dzeladini Date: Thu, 27 Nov 2025 13:17:16 +0100 Subject: [PATCH 3/7] fix: sei and mon native token swap selection --- ...dge-controller-npm-61.0.0-8c413c463f.patch | 13 +++++++ package.json | 2 +- yarn.lock | 36 +++++++++++++++++-- 3 files changed, 48 insertions(+), 3 deletions(-) create mode 100644 .yarn/patches/@metamask-bridge-controller-npm-61.0.0-8c413c463f.patch diff --git a/.yarn/patches/@metamask-bridge-controller-npm-61.0.0-8c413c463f.patch b/.yarn/patches/@metamask-bridge-controller-npm-61.0.0-8c413c463f.patch new file mode 100644 index 000000000000..d837189fe0e4 --- /dev/null +++ b/.yarn/patches/@metamask-bridge-controller-npm-61.0.0-8c413c463f.patch @@ -0,0 +1,13 @@ +diff --git a/dist/types.cjs b/dist/types.cjs +index a83a797b8f01747a6d51eb1219669c729955f039..ea9eb54bf3a0ae7ed3c75a8bb9904dd925a50a16 100644 +--- a/dist/types.cjs ++++ b/dist/types.cjs +@@ -47,6 +47,8 @@ var ChainId; + ChainId[ChainId["SOLANA"] = 1151111081099710] = "SOLANA"; + ChainId[ChainId["BTC"] = 20000000000001] = "BTC"; + ChainId[ChainId["TRON"] = 728126428] = "TRON"; ++ ChainId[ChainId["SEI"] = 1329] = "SEI"; ++ ChainId[ChainId["MONAD"] = 143] = "MONAD"; + })(ChainId || (exports.ChainId = ChainId = {})); + var RequestStatus; + (function (RequestStatus) { diff --git a/package.json b/package.json index 739d49c97415..2ab7beef103d 100644 --- a/package.json +++ b/package.json @@ -277,7 +277,7 @@ "@metamask/assets-controllers": "patch:@metamask/assets-controllers@patch%3A@metamask/assets-controllers@npm%253A89.0.1%23~/.yarn/patches/@metamask-assets-controllers-npm-89.0.1-02fa7acd54.patch%3A%3Aversion=89.0.1&hash=6be0d3#~/.yarn/patches/@metamask-assets-controllers-patch-7c7d711c8c.patch", "@metamask/base-controller": "^9.0.0", "@metamask/bitcoin-wallet-snap": "^1.7.0", - "@metamask/bridge-controller": "^61.0.0", + "@metamask/bridge-controller": "patch:@metamask/bridge-controller@npm%3A61.0.0#~/.yarn/patches/@metamask-bridge-controller-npm-61.0.0-8c413c463f.patch", "@metamask/bridge-status-controller": "^61.0.0", "@metamask/browser-passworder": "^4.3.0", "@metamask/chain-agnostic-permission": "^1.2.2", diff --git a/yarn.lock b/yarn.lock index abc8d788c2f4..0bba66df1135 100644 --- a/yarn.lock +++ b/yarn.lock @@ -5887,7 +5887,7 @@ __metadata: languageName: node linkType: hard -"@metamask/bridge-controller@npm:^61.0.0": +"@metamask/bridge-controller@npm:61.0.0": version: 61.0.0 resolution: "@metamask/bridge-controller@npm:61.0.0" dependencies: @@ -5919,6 +5919,38 @@ __metadata: languageName: node linkType: hard +"@metamask/bridge-controller@patch:@metamask/bridge-controller@npm%3A61.0.0#~/.yarn/patches/@metamask-bridge-controller-npm-61.0.0-8c413c463f.patch": + version: 61.0.0 + resolution: "@metamask/bridge-controller@patch:@metamask/bridge-controller@npm%3A61.0.0#~/.yarn/patches/@metamask-bridge-controller-npm-61.0.0-8c413c463f.patch::version=61.0.0&hash=f88d28" + dependencies: + "@ethersproject/address": "npm:^5.7.0" + "@ethersproject/bignumber": "npm:^5.7.0" + "@ethersproject/constants": "npm:^5.7.0" + "@ethersproject/contracts": "npm:^5.7.0" + "@ethersproject/providers": "npm:^5.7.0" + "@metamask/base-controller": "npm:^9.0.0" + "@metamask/controller-utils": "npm:^11.15.0" + "@metamask/gas-fee-controller": "npm:^25.0.0" + "@metamask/keyring-api": "npm:^21.0.0" + "@metamask/messenger": "npm:^0.3.0" + "@metamask/metamask-eth-abis": "npm:^3.1.1" + "@metamask/multichain-network-controller": "npm:^2.0.0" + "@metamask/polling-controller": "npm:^15.0.0" + "@metamask/utils": "npm:^11.8.1" + bignumber.js: "npm:^9.1.2" + reselect: "npm:^5.1.1" + uuid: "npm:^8.3.2" + peerDependencies: + "@metamask/accounts-controller": ^34.0.0 + "@metamask/assets-controllers": ^89.0.0 + "@metamask/network-controller": ^25.0.0 + "@metamask/remote-feature-flag-controller": ^2.0.0 + "@metamask/snaps-controllers": ^14.0.0 + "@metamask/transaction-controller": ^61.0.0 + checksum: 10/8ad4ed2d6cbfa09aa42394b6c61a97fec9401fd3d26f6f90c8f4d0afd9f736f2eef45c5f71be6baf009f008a51452badb32aee38c029bb0a905792f6da84afe5 + languageName: node + linkType: hard + "@metamask/bridge-status-controller@npm:^61.0.0": version: 61.0.0 resolution: "@metamask/bridge-status-controller@npm:61.0.0" @@ -32791,7 +32823,7 @@ __metadata: "@metamask/auto-changelog": "npm:^5.1.0" "@metamask/base-controller": "npm:^9.0.0" "@metamask/bitcoin-wallet-snap": "npm:^1.7.0" - "@metamask/bridge-controller": "npm:^61.0.0" + "@metamask/bridge-controller": "patch:@metamask/bridge-controller@npm%3A61.0.0#~/.yarn/patches/@metamask-bridge-controller-npm-61.0.0-8c413c463f.patch" "@metamask/bridge-status-controller": "npm:^61.0.0" "@metamask/browser-passworder": "npm:^4.3.0" "@metamask/build-utils": "npm:^3.0.0" From 0d410391fba073660c169ca2c098db3cf803015a Mon Sep 17 00:00:00 2001 From: Bernardo Garces Chapero Date: Thu, 27 Nov 2025 13:34:42 +0000 Subject: [PATCH 4/7] Update package.json Co-authored-by: Mark Stacey --- package.json | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/package.json b/package.json index dfbe417bc68e..739d49c97415 100644 --- a/package.json +++ b/package.json @@ -246,8 +246,7 @@ "@endo/env-options@npm:^1.1.8": "patch:@endo/env-options@npm%3A1.1.11#~/.yarn/patches/@endo-env-options-npm-1.1.11-1b7fae374a.patch", "@metamask/jazzicon@npm:^2.0.0": "patch:@metamask/jazzicon@npm%3A2.0.0#~/.yarn/patches/@metamask-jazzicon-npm-2.0.0-36957be38d.patch", "@rive-app/canvas@npm:2.31.5": "patch:@rive-app/canvas@patch%3A@rive-app/canvas@patch%253A@rive-app/canvas@npm%25253A2.31.5%2523~/.yarn/patches/@rive-app-canvas-npm-2.31.5-df519c6e0f.patch%253A%253Aversion=2.31.5&hash=1ed092%23~/.yarn/patches/@rive-app-canvas-patch-9b746e9393.patch%3A%3Aversion=2.31.5&hash=19c5d0#~/.yarn/patches/@rive-app-canvas-patch-03752f0c3b.patch", - "addons-linter/glob": "^10.5.0", - "node-forge": "^1.3.2" + "addons-linter/glob": "^10.5.0" }, "dependencies": { "@babel/runtime": "patch:@babel/runtime@npm%3A7.25.9#~/.yarn/patches/@babel-runtime-npm-7.25.9-fe8c62510a.patch", From f69e4db30f40ec4fd1c977d6940144559b4087a8 Mon Sep 17 00:00:00 2001 From: Bernardo Garces Chapero Date: Thu, 27 Nov 2025 13:42:34 +0000 Subject: [PATCH 5/7] fix for e2e --- test/e2e/page-objects/pages/home/homepage.ts | 4 ++++ test/e2e/tests/account/incremental-security.spec.ts | 2 ++ test/e2e/tests/settings/change-password.spec.ts | 3 +++ 3 files changed, 9 insertions(+) diff --git a/test/e2e/page-objects/pages/home/homepage.ts b/test/e2e/page-objects/pages/home/homepage.ts index bded6942b47f..3a99a663884e 100644 --- a/test/e2e/page-objects/pages/home/homepage.ts +++ b/test/e2e/page-objects/pages/home/homepage.ts @@ -196,6 +196,10 @@ class HomePage { ); } + async clickBackupRemindMeLaterButtonSafe(): Promise { + await this.driver.clickElementSafe(this.backupRemindMeLaterButton); + } + async closeSurveyToast(surveyName: string): Promise { console.log(`Close survey toast for ${surveyName}`); await this.driver.waitForSelector({ diff --git a/test/e2e/tests/account/incremental-security.spec.ts b/test/e2e/tests/account/incremental-security.spec.ts index 1ef720fcf360..8bd885dfbd03 100644 --- a/test/e2e/tests/account/incremental-security.spec.ts +++ b/test/e2e/tests/account/incremental-security.spec.ts @@ -96,6 +96,8 @@ describe('Incremental Security', function (this: Suite) { // copy the wallet address const homePage = new HomePage(driver); await homePage.checkPageIsLoaded(); + // TODO: This is a temporary fix to unblock CI. Remove this once the issue is fixed. + await homePage.clickBackupRemindMeLaterButtonSafe(); await homePage.headerNavbar.clickAddressCopyButton(); // switched to Dapp and send eth to the current account diff --git a/test/e2e/tests/settings/change-password.spec.ts b/test/e2e/tests/settings/change-password.spec.ts index 150e3782f275..b62b74dc310f 100644 --- a/test/e2e/tests/settings/change-password.spec.ts +++ b/test/e2e/tests/settings/change-password.spec.ts @@ -73,6 +73,9 @@ describe('Change wallet password', function () { const homePage = new HomePage(driver); await homePage.checkPageIsLoaded(); + // TODO: This is a temporary fix to unblock CI. Remove this once the issue is fixed. + await homePage.clickBackupRemindMeLaterButtonSafe(); + await doPasswordChangeAndLockWallet(driver, OLD_PASSWORD, NEW_PASSWORD); const loginPage = new LoginPage(driver); From 3e3fbff3f5755e743e177fe6522e7521abeedc63 Mon Sep 17 00:00:00 2001 From: Bernardo Garces Chapero Date: Thu, 27 Nov 2025 13:44:30 +0000 Subject: [PATCH 6/7] revert resolution --- package.json | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/package.json b/package.json index 739d49c97415..dfbe417bc68e 100644 --- a/package.json +++ b/package.json @@ -246,7 +246,8 @@ "@endo/env-options@npm:^1.1.8": "patch:@endo/env-options@npm%3A1.1.11#~/.yarn/patches/@endo-env-options-npm-1.1.11-1b7fae374a.patch", "@metamask/jazzicon@npm:^2.0.0": "patch:@metamask/jazzicon@npm%3A2.0.0#~/.yarn/patches/@metamask-jazzicon-npm-2.0.0-36957be38d.patch", "@rive-app/canvas@npm:2.31.5": "patch:@rive-app/canvas@patch%3A@rive-app/canvas@patch%253A@rive-app/canvas@npm%25253A2.31.5%2523~/.yarn/patches/@rive-app-canvas-npm-2.31.5-df519c6e0f.patch%253A%253Aversion=2.31.5&hash=1ed092%23~/.yarn/patches/@rive-app-canvas-patch-9b746e9393.patch%3A%3Aversion=2.31.5&hash=19c5d0#~/.yarn/patches/@rive-app-canvas-patch-03752f0c3b.patch", - "addons-linter/glob": "^10.5.0" + "addons-linter/glob": "^10.5.0", + "node-forge": "^1.3.2" }, "dependencies": { "@babel/runtime": "patch:@babel/runtime@npm%3A7.25.9#~/.yarn/patches/@babel-runtime-npm-7.25.9-fe8c62510a.patch", From 846d2a14a55740b0b07d042522582f33bb36bb67 Mon Sep 17 00:00:00 2001 From: Bernardo Garces Chapero Date: Thu, 27 Nov 2025 14:00:14 +0000 Subject: [PATCH 7/7] fix --- package.json | 3 +-- yarn.lock | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/package.json b/package.json index dfbe417bc68e..739d49c97415 100644 --- a/package.json +++ b/package.json @@ -246,8 +246,7 @@ "@endo/env-options@npm:^1.1.8": "patch:@endo/env-options@npm%3A1.1.11#~/.yarn/patches/@endo-env-options-npm-1.1.11-1b7fae374a.patch", "@metamask/jazzicon@npm:^2.0.0": "patch:@metamask/jazzicon@npm%3A2.0.0#~/.yarn/patches/@metamask-jazzicon-npm-2.0.0-36957be38d.patch", "@rive-app/canvas@npm:2.31.5": "patch:@rive-app/canvas@patch%3A@rive-app/canvas@patch%253A@rive-app/canvas@npm%25253A2.31.5%2523~/.yarn/patches/@rive-app-canvas-npm-2.31.5-df519c6e0f.patch%253A%253Aversion=2.31.5&hash=1ed092%23~/.yarn/patches/@rive-app-canvas-patch-9b746e9393.patch%3A%3Aversion=2.31.5&hash=19c5d0#~/.yarn/patches/@rive-app-canvas-patch-03752f0c3b.patch", - "addons-linter/glob": "^10.5.0", - "node-forge": "^1.3.2" + "addons-linter/glob": "^10.5.0" }, "dependencies": { "@babel/runtime": "patch:@babel/runtime@npm%3A7.25.9#~/.yarn/patches/@babel-runtime-npm-7.25.9-fe8c62510a.patch", diff --git a/yarn.lock b/yarn.lock index 72269a65c16e..2f35fe3cd29d 100644 --- a/yarn.lock +++ b/yarn.lock @@ -34216,7 +34216,7 @@ __metadata: languageName: node linkType: hard -"node-forge@npm:^1.3.2": +"node-forge@npm:^1, node-forge@npm:^1.2.1": version: 1.3.2 resolution: "node-forge@npm:1.3.2" checksum: 10/dcc54aaffe0cf52367214a20c0032aa9b209d9095dd14526504f1972d1900a07e96046b3684cb0c8d0cc3d48744dd18e02b7b447ab28fac615ffb850beeabf18