release: 7.64.1#25799
Merged
Merged
Conversation
Contributor
|
CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes. |
|
All alerts resolved. Learn more about Socket for GitHub. This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored. Ignoring alerts on:
|
## Summary This PR syncs the latest changes from `stable` into `release/7.64.1`. ## Why is this needed? A release branch (`release/7.64.0`) was merged into `stable`. This PR brings those changes (hotfixes, etc.) into `release/7.64.1`. ## Action Required **Please review and resolve any merge conflicts manually.** If there are conflicts, they will appear in this PR. Resolve them to ensure the release branch has all the latest fixes from stable. <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Low Risk** > Documentation-only change to the changelog with no runtime or behavioral impact. > > **Overview** > Updates `CHANGELOG.md` for `7.64.0` by adding an entry noting the CardHome button color change (`#25737`). > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 13e2756. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> Co-authored-by: João Loureiro <175489935+joaoloureirop@users.noreply.github.com>
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
…IDGE_CHAIN_IDS (#25808) - fix: check chainRanking against ALLOWED_BRIDGE_CHAIN_IDS (#25788) <!-- Please submit this PR as a draft initially. Do not mark it as "Ready for review" until the template has been completely filled out, and PR status checks have passed at least once. --> ## **Description** When new networks are added to the chainRanking remote feature flag in LaunchDarkly, older app versions that don't support those networks would still surface them in the UI (destination network pills, source chain checks). This creates a forward-compatibility gap where users could see unsupported networks. This change adds client-side filtering of chainRanking against ALLOWED_BRIDGE_CHAIN_IDS — the hardcoded allowlist in @metamask/bridge-controller that defines which chains this version of the client actually supports. This ensures that chains added to the remote flag in the future are silently ignored by older app versions that lack support for them. <!-- Write a short description of the changes included in this pull request, also include relevant motivation and context. Have in mind the following questions: 1. What is the reason for the change? 2. What is the improvement/solution? --> ## **Changelog** <!-- If this PR is not End-User-Facing and should not show up in the CHANGELOG, you can choose to either: 1. Write `CHANGELOG entry: null` 2. Label with `no-changelog` If this PR is End-User-Facing, please write a short User-Facing description in the past tense like: `CHANGELOG entry: Added a new tab for users to see their NFTs` `CHANGELOG entry: Fixed a bug that was causing some NFTs to flicker` (This helps the Release Engineer do their job more quickly and accurately) --> CHANGELOG entry: null ## **Related issues** Fixes: ## **Manual testing steps** ```gherkin Feature: my feature name Scenario: user [verb for user action] Given [describe expected initial app state] When user [verb for user action] Then [describe expected outcome] ``` ## **Screenshots/Recordings** <!-- If applicable, add screenshots and/or recordings to visualize the before and after of your change. --> ### **Before** <!-- [screenshots/recordings] --> ### **After** <!-- [screenshots/recordings] --> ## **Pre-merge author checklist** - [ ] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [ ] I've completed the PR template to the best of my ability - [ ] I've included tests if applicable - [ ] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [ ] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Medium Risk** > Touches bridge network selection/enablement selectors, so a mistake could hide valid networks or incorrectly disable bridging, but the change is narrow and well-covered by unit tests. > > **Overview** > Adds a client-side allowlist check (`isAllowedBridgeChainId`) so `chainRanking` entries are filtered against `ALLOWED_BRIDGE_CHAIN_IDS` before being surfaced. > > `selectSourceChainRanking` now filters by *both* supported chains and user-configured networks, `selectDestChainRanking` filters to supported chains only, and `selectIsBridgeEnabledSourceFactory` now treats a source chain as enabled only if it exists in the filtered `chainRanking`. Tests are expanded to cover EVM/non-EVM unsupported chains and the new source/dest filtering behavior. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 557c0e3. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> [2726418](2726418) Co-authored-by: Bryan Fullam <bryan.fullam@consensys.net>
Contributor
🚀 RC Builds Ready for Testing
More Info
|
joaoloureirop
removed
the
auto-rc-builds
joaoloureirop
approved these changes
Feb 9, 2026
joaoloureirop
previously approved these changes
Feb 9, 2026
joaoloureirop
added
the
skip-sonar-cloud
metamaskbot
added
the
release-7.64.1
7 tasks
<!-- Please submit this PR as a draft initially. Do not mark it as "Ready for review" until the template has been completely filled out, and PR status checks have passed at least once. --> ## **Description** **Reason for change:** `yarn audit:ci` was failing due to a high-severity vulnerability in `axios` (GHSA-43fc-jf86-j433): Denial of Service via the `__proto__` key in `mergeConfig`. Affected versions are ≤1.13.4; the project was on 1.12.2. **Solution:** - Bumped axios resolutions to `^1.13.5` in root `package.json` (both resolution entries) and in `.github/scripts/package.json`. - Added `axios` to `npmPreapprovedPackages` in `.yarnrc.yml` so Yarn’s 3-day minimal age gate allows the new release. - Ran `yarn install --no-immutable` to update the lockfile to axios 1.13.5. No code changes; dependency upgrade only. `yarn audit:ci` now passes. ## **Changelog** CHANGELOG entry: null ## **Related issues** Fixes: N/A ## **Manual testing steps** ```gherkin Feature: Security audit and dependency usage after axios upgrade Scenario: CI audit passes after axios upgrade Given the repo has axios resolved to 1.13.5 When I run yarn audit:ci Then the command exits with code 0 and reports no audit suggestions Scenario: App and scripts still run with upgraded axios Given the branch is checked out and dependencies are installed When I run yarn install and then run any flow that uses axios (e.g. scripts or app network calls) Then no runtime errors occur and behavior is unchanged ``` ## **Screenshots/Recordings** Not applicable (dependency-only change; no UI changes). ### **Before** N/A ### **After** N/A ## **Pre-merge author checklist** - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [x] I've included tests if applicable - [x] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [x] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [x] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Medium Risk** > Dependency upgrade plus bundler resolution changes could affect runtime networking behavior or Metro module resolution, especially if any code relied on Axios’ Node build. > > **Overview** > Bumps `axios` to `^1.13.5` (and updates both root `yarn.lock` and `.github/scripts/yarn.lock`) to address the reported security advisory. > > Updates `metro.config.js` resolver logic to always redirect `axios` (and `axios/dist/node/*`) imports to `axios/dist/browser/axios.cjs`, while preserving the existing E2E-only Sentry module mocking behavior under the new unified `resolveRequest` handler. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 520829a. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> --------- Co-authored-by: sethkfman <10342624+sethkfman@users.noreply.github.com> Co-authored-by: Mark Stacey <markjstacey@gmail.com> Co-authored-by: Cal-L <cal.leung@consensys.net>
Contributor
🔍 Smart E2E Test Selection⏭️ Smart E2E selection skipped - base branch is not main (base: stable) All E2E tests pre-selected. |
Contributor
|
@SocketSecurity ignore npm/async-function@1.0.0 |
|
joaoloureirop
approved these changes
Feb 10, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
🚀 v7.64.1 Testing & Release Quality Process
Hi Team,
As part of our new MetaMask Release Quality Process, here’s a quick overview of the key processes, testing strategies, and milestones to ensure a smooth and high-quality deployment.
📋 Key Processes
Testing Strategy
Conduct regression and exploratory testing for your functional areas, including automated and manual tests for critical workflows.
Focus on exploratory testing across the wallet, prioritize high-impact areas, and triage any Sentry errors found during testing.
Validate new functionalities and provide feedback to support release monitoring.
GitHub Signoff
Issue Resolution
Cherry-Picking Criteria
🗓️ Timeline and Milestones
✅ Signoff Checklist
Each team is responsible for signing off via GitHub. Use the checkbox below to track signoff completion:
Team sign-off checklist
This process is a major step forward in ensuring release stability and quality. Let’s stay aligned and make this release a success! 🚀
Feel free to reach out if you have questions or need clarification.
Many thanks in advance
Reference