Skip to content

feat: bump @metamask/eip-5792-middleware to ^3.0.4#26664

Open
jiexi wants to merge 34 commits into
mainfrom
jl/eip-5792-middleware-3-0-0
Open

feat: bump @metamask/eip-5792-middleware to ^3.0.4#26664
jiexi wants to merge 34 commits into
mainfrom
jl/eip-5792-middleware-3-0-0

Conversation

@jiexi
Copy link
Copy Markdown
Member

@jiexi jiexi commented Feb 26, 2026
edited by cursor Bot
Loading

Description

Bump @metamask/eip-5792-middleware to ^3.0.4

Open in GitHub Codespaces

Changelog

CHANGELOG entry: null

Please ping with any questions

Related issues

Fixes:

Manual testing steps

  1. Go to this page...

Screenshots/Recordings

Before

After

Pre-merge author checklist

Pre-merge reviewer checklist

  • I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
  • I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

Note

Medium Risk
Updates EIP-5792 request handling to use origin-scoped permitted accounts, which can affect which accounts dapps see/use for wallet_sendCalls/capabilities. Dependency bump pulls in newer transaction/controller utils versions, so behavior changes are possible even though the surface-area diff is small.

Overview
Bumps @metamask/eip-5792-middleware from ^2.0.0 to ^3.0.4 (with updated lockfile).

Updates the EIP-5792 RPC wiring so wallet_getCapabilities and wallet_sendCalls derive accounts via getPermittedAccounts(origin) rather than listing all accounts, aligning these methods with the permissions system; the unit test is adjusted accordingly.

Cleans up INTERNAL_ORIGINS by filtering out falsy entries to avoid leaking undefined origins into internal-origin checks.

Reviewed by Cursor Bugbot for commit c1b28e2. Bugbot is set up for automated code reviews on this repo. Configure here.

@jiexi jiexi requested a review from a team as a code owner February 26, 2026 21:43
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented Feb 26, 2026

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

@metamaskbot metamaskbot added the team-wallet-integrations Wallet Integrations team label Feb 26, 2026
@jiexi jiexi added the no-changelog no-changelog Indicates no external facing user changes, therefore no changelog documentation needed label Feb 26, 2026
@socket-security
Copy link
Copy Markdown

socket-security Bot commented Feb 26, 2026
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatednpm/​@​metamask/​eip-5792-middleware@​2.0.0 ⏵ 3.0.49910076 +195 +1100

View full report

cursor[bot]
cursor Bot reviewed Feb 26, 2026
View reviewed changes
Comment thread app/core/BackgroundBridge/BackgroundBridge.js Outdated
cursor[bot]
cursor Bot reviewed Feb 26, 2026
View reviewed changes
Comment thread app/core/RPCMethods/createEip5792Middleware.ts Outdated
@jiexi jiexi changed the title feat: bump @metamask/eip-5792-middleware to ^3.0.0 bump: @metamask/eip-5792-middleware to ^3.0.0 Feb 27, 2026
@jiexi jiexi changed the title bump: @metamask/eip-5792-middleware to ^3.0.0 feat: bump @metamask/eip-5792-middleware to ^3.0.0 Feb 27, 2026
ffmcgee725
ffmcgee725 previously approved these changes Mar 17, 2026
View reviewed changes
@github-actions github-actions Bot added the risk-high Extensive testing required · High bug introduction risk label Mar 18, 2026
adonesky1
adonesky1 reviewed Mar 18, 2026
View reviewed changes
Comment thread app/constants/transaction.ts
TransactionTypes.MMM_CARD,
ORIGIN_METAMASK,
];
].filter(Boolean);
Copy link
Copy Markdown
Contributor

@adonesky1 adonesky1 Mar 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🤔 ok sure

Copy link
Copy Markdown
Member Author

@jiexi jiexi Mar 18, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor bot complaining that process.env.MM_FOX_CODE could be undefined which would result in INTERNAL_ORIGINS.includes(value) to return true if value === undefined. I think it complained about it in the other PR as well. I guess i listened to it here. Doesn't really matter. Can undo it as well

adonesky1
adonesky1 previously approved these changes Mar 18, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@adonesky1 adonesky1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@github-actions github-actions Bot added risk-high Extensive testing required · High bug introduction risk and removed risk-high Extensive testing required · High bug introduction risk labels Mar 18, 2026
@github-actions github-actions Bot added risk-high Extensive testing required · High bug introduction risk and removed risk-high Extensive testing required · High bug introduction risk labels Apr 9, 2026
@github-actions github-actions Bot added risk-high Extensive testing required · High bug introduction risk and removed risk-high Extensive testing required · High bug introduction risk labels Apr 13, 2026
cursor[bot]
cursor Bot reviewed Apr 30, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@cursor cursor Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 6e30641. Configure here.

Comment thread app/core/RPCMethods/createEip5792Middleware.ts
adonesky1
adonesky1 previously approved these changes May 6, 2026
View reviewed changes
@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented May 8, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@jiexi jiexi changed the title feat: bump @metamask/eip-5792-middleware to ^3.0.0 feat: bump @metamask/eip-5792-middleware to ^3.0.4 May 15, 2026
@github-actions
Copy link
Copy Markdown
Contributor

github-actions Bot commented May 15, 2026

🔍 Smart E2E Test Selection

  • Selected E2E tags: SmokeConfirmations, SmokeMultiChainAPI, SmokeNetworkExpansion, SmokeNetworkAbstractions, SmokeWalletPlatform, SmokeBrowser
  • Selected Performance tags: None (no tests recommended)
  • Risk Level: high
  • AI Confidence: 82%
click to see 🤖 AI reasoning details

E2E Test Selection:

The changes in this PR affect several critical areas:

  1. EIP-5792 Middleware refactor (createEip5792Middleware.ts, BackgroundBridge.js): The middleware now uses getPermittedAccounts(origin) instead of returning all accounts. This is a behavioral change for wallet_sendCalls and wallet_getCapabilities - they now correctly scope to origin-permitted accounts. The batch-transaction.spec.ts test (tagged SmokeConfirmations) directly uses tapSendCallsButton() which invokes wallet_sendCalls. This warrants SmokeConfirmations.

  2. Major version bump of @metamask/eip-5792-middleware (v2→v3): A major version bump could introduce breaking API changes in walletGetCapabilities, walletSendCalls, walletGetCallsStatus hooks. This affects all EIP-5792 flows.

  3. BackgroundBridge.js changes: BackgroundBridge is used by BrowserTab, WalletConnect2Session, SDKConnect, and DeeplinkProtocolService. Changes here can affect all dApp connection flows - SmokeBrowser (BrowserTab), SmokeMultiChainAPI (CAIP-25 sessions), SmokeNetworkExpansion (Solana/multi-chain), SmokeNetworkAbstractions (chain permissions).

  4. INTERNAL_ORIGINS.filter(Boolean): This affects WalletConnect, SDKConnect, and DeeplinkProtocol origin checks. The .filter(Boolean) removes undefined values (e.g., when process.env.MM_FOX_CODE is not set), which could change behavior for internal origin detection in WalletConnect and SDK connections. This affects SmokeWalletPlatform (EVM provider events, dApp communication) and SmokeNetworkExpansion.

  5. SmokeMultiChainAPI: The wallet_invokeMethod.failing.ts test covers EIP-5792 methods in the multichain context. The permission change (getPermittedAccounts) directly affects how accounts are exposed to dApps in multi-chain sessions.

Tags selected:

  • SmokeConfirmations: batch-transaction.spec.ts uses wallet_sendCalls; EIP-5792 confirmations flow
  • SmokeMultiChainAPI: CAIP-25 sessions affected by BackgroundBridge and permission changes
  • SmokeNetworkExpansion: Multi-chain provider affected by BackgroundBridge changes; Solana flows
  • SmokeNetworkAbstractions: Chain permissions affected by getPermittedAccounts change
  • SmokeWalletPlatform: EVM provider events, dApp communication, BackgroundBridge used by BrowserTab
  • SmokeBrowser: BrowserTab directly imports BackgroundBridge; browser dApp interactions affected

Performance Test Selection:
The changes are focused on RPC middleware logic (EIP-5792), permission checks, and a dependency version bump. These are not UI rendering, data loading, or app startup changes that would impact measurable performance metrics. No performance tests are warranted.

View GitHub Actions results

@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud Bot commented May 15, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

@adonesky1 adonesky1 adonesky1 left review comments

@ffmcgee725 ffmcgee725 ffmcgee725 left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

no-changelog no-changelog Indicates no external facing user changes, therefore no changelog documentation needed risk-high Extensive testing required · High bug introduction risk size-S team-wallet-integrations Wallet Integrations team

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@jiexi @adonesky1 @ffmcgee725 @metamaskbot