Skip to content

feat: ledger dmk#30794

Draft
montelaidev wants to merge 17 commits into
mainfrom
feat/ledger-dmk
Draft

feat: ledger dmk#30794
montelaidev wants to merge 17 commits into
mainfrom
feat/ledger-dmk

fix: update dep

b2d79c8
Select commit
Loading
Failed to load commit list.
Socket Security / Socket Security: Pull Request Alerts failed Jul 13, 2026 in 56s

Pull Request #30794 Alerts: Complete with warnings

Report Status Message
PR #30794 Alerts ⚠️ Found 15 project alerts

Pull request alerts notify when new issues are detected between the diff of the pull request and it's target branch.

Details

Caution

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action Severity Alert  (click "▶" to expand/collapse)
Block High
Obfuscated code: npm ethers is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?npm/@ledgerhq/context-module@2.0.0npm/@ledgerhq/device-signer-kit-ethereum@1.16.0npm/@metamask-previews/eth-ledger-bridge-keyring@12.3.0-1fa477fnpm/ethers@6.14.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ethers@6.14.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm @metamask-previews/eth-ledger-bridge-keyring in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: package.jsonnpm/@metamask-previews/eth-ledger-bridge-keyring@12.3.0-1fa477f

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask-previews/eth-ledger-bridge-keyring@12.3.0-1fa477f. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm @sentry/utils in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: ?npm/@ledgerhq/device-transport-kit-react-native-ble@1.3.2npm/@ledgerhq/device-management-kit@1.5.0npm/@metamask-previews/eth-ledger-bridge-keyring@12.3.0-1fa477fnpm/@sentry/utils@6.19.7

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/utils@6.19.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm @babel/helper-module-imports is 78.0% likely to have a medium risk anomaly

Notes: The analyzed code is a Babel AST helper (ImportBuilder) used to construct import statements and interop-wrapped imports. It contains no indicators of malicious behavior, data exfiltration, backdoors, or runtime abuses. It operates within a compiler/transpiler context to produce code, not to execute arbitrary user data. Therefore, the code itself does not present security risks or malware indicators under normal usage. This is benign library behavior intended for code transformation.

Confidence: 0.78

Severity: 0.55

From: ?npm/expo@55.0.26npm/@babel/helper-module-imports@7.27.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helper-module-imports@7.27.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm @babel/helper-module-transforms is 80.0% likely to have a medium risk anomaly

Notes: The code is a legitimate, static-code transformation utility used in Babel to ensure proper behavior of ES module bindings after transforms. There is no evidence of malicious behavior, data leakage, or external communications within this fragment. It operates purely on AST-level transformations consistent with module import/export handling.

Confidence: 0.80

Severity: 0.50

From: ?npm/expo@55.0.26npm/@babel/helper-module-transforms@7.27.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helper-module-transforms@7.27.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm @babel/helper-string-parser is 78.0% likely to have a medium risk anomaly

Notes: The analyzed code is a standard, well-structured parsing utility for JavaScript string literals and escapes (consistent with Babel’s helper-string-parser). It includes thorough validation, proper Unicode handling, and defensive error reporting. There is no evidence of malicious behavior, data leakage, or network activity within this fragment. The security risk is low when used as part of a trusted toolchain; the code otherwise poses no evident supply-chain threat based on the provided snippet.

Confidence: 0.78

Severity: 0.55

From: ?npm/@react-native/metro-config@0.83.0npm/@react-native/babel-preset@0.83.0npm/react-native@0.83.6npm/expo@55.0.26npm/depcheck@1.4.7npm/@babel/preset-env@7.26.9npm/@babel/core@7.27.1npm/babel-jest@29.7.0npm/metro-react-native-babel-preset@0.76.9npm/metro-react-native-babel-transformer@0.76.9npm/@babel/helper-string-parser@7.27.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helper-string-parser@7.27.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm @babel/plugin-syntax-typescript is 72.0% likely to have a medium risk anomaly

Notes: The code is a standard Babel plugin fragment that configures syntax support for TypeScript by manipulating parser plugins. There is no malicious logic, no data exfiltration, and no unsafe operations. It appears to be a legitimate helper for enabling TypeScript syntax in Babel pipelines.

Confidence: 0.72

Severity: 0.50

From: ?npm/expo@55.0.26npm/@babel/plugin-syntax-typescript@7.25.9

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/plugin-syntax-typescript@7.25.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm @sentry/utils is 68.0% likely to have a medium risk anomaly

Notes: The code is a conventional utility module for an error-tracking SDK. No malicious behavior detected. The only notable concern is the Math.random() fallback in UUID generation when crypto is unavailable, which is a known compromise and should be documented if cryptographic strength is required in a given deployment. Overall security risk is low to moderate depending on use case, with no external data leakage evident in this fragment.

Confidence: 0.68

Severity: 0.50

From: ?npm/@ledgerhq/device-transport-kit-react-native-ble@1.3.2npm/@ledgerhq/device-management-kit@1.5.0npm/@metamask-previews/eth-ledger-bridge-keyring@12.3.0-1fa477fnpm/@sentry/utils@6.19.7

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/utils@6.19.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm @sentry/utils is 61.0% likely to have a medium risk anomaly

Notes: The code provides environment detection and dynamic module loading designed to support mixed bundler environments. It does not itself implement malicious logic, but its dynamic loading paths present a non-trivial supply-chain risk: if moduleName is influenced by untrusted input, arbitrary modules may be loaded at runtime. A critical reliability issue is the undefined 'module' reference in loadModule’s first call, which should be addressed. Implement input validation, restrict loading to a whitelist of allowed modules, explicitly pass a safe module context, and ensure 'module' is defined or replaced with a controlled loader interface.

Confidence: 0.61

Severity: 0.52

From: ?npm/@ledgerhq/device-transport-kit-react-native-ble@1.3.2npm/@ledgerhq/device-management-kit@1.5.0npm/@metamask-previews/eth-ledger-bridge-keyring@12.3.0-1fa477fnpm/@sentry/utils@6.19.7

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/utils@6.19.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm ethers is 68.0% likely to have a medium risk anomaly

Notes: The analyzed code fragment appears to be a conventional ABI interface utility (likely from a library like ethers.js) used to parse, encode, and decode Ethereum function calls, events, and errors. There is no evidence of malicious behavior such as data exfiltration, remote control, or code injection. Minor anomalies (typo in an error message and a partially commented/unfinished block) are present but do not constitute malicious activity. Overall security risk from this fragment is low, assuming it is used as intended within a trusted library context.

Confidence: 0.68

Severity: 0.55

From: ?npm/@ledgerhq/context-module@2.0.0npm/@ledgerhq/device-signer-kit-ethereum@1.16.0npm/@metamask-previews/eth-ledger-bridge-keyring@12.3.0-1fa477fnpm/ethers@6.14.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ethers@6.14.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report