Skip to content

Update dependencies#112

Merged
MoMannn merged 13 commits into
mainfrom
chore/dependency-updates
Jul 25, 2025
Merged

Update dependencies#112
MoMannn merged 13 commits into
mainfrom
chore/dependency-updates

Conversation

@MoMannn

@MoMannn MoMannn commented Jul 16, 2025

Copy link
Copy Markdown
Member

Description

Updating dependency version to resolve security vulnerabilities at the same time pinning dependency version to reduce risk of supply chain attacks.

Manual testing steps

  1. Go to localhost:8000
  2. Make sure that all functionalities still work same as they did before

Pre-merge author checklist

Pre-merge reviewer checklist

  • I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
  • I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

@MoMannn MoMannn self-assigned this Jul 16, 2025
@MoMannn MoMannn requested a review from a team as a code owner July 16, 2025 07:02
@MoMannn MoMannn changed the title [Draft] Update dependencies Update dependencies Jul 17, 2025
@MoMannn MoMannn requested a review from jeffsmale90 July 17, 2025 11:07
@socket-security

socket-security Bot commented Jul 17, 2025

Copy link
Copy Markdown

@socket-security

socket-security Bot commented Jul 17, 2025

Copy link
Copy Markdown

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring alerts on:

  • @npmcli/agent@2.2.2
  • @npmcli/agent@3.0.0
  • foreground-child@3.3.1
  • @metamask/snaps-sandbox@1.0.0
  • fast-diff@1.3.0
  • diff@5.2.0
  • react-dom@18.2.0
  • validate-npm-package-name@5.0.1
  • unique-slug@5.0.0
  • @npmcli/fs@4.0.0
  • unique-filename@4.0.0
  • abbrev@2.0.0
  • agent-base@7.1.4

View full report

cursor[bot]

This comment was marked as outdated.

jeffsmale90
jeffsmale90 previously approved these changes Jul 22, 2025

@jeffsmale90 jeffsmale90 left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

jeffsmale90
jeffsmale90 previously approved these changes Jul 22, 2025
@jeffsmale90

jeffsmale90 commented Jul 25, 2025

Copy link
Copy Markdown
Contributor

@SocketSecurity ignore @npmcli/agent@2.2.2 @npmcli/agent@3.0.0 agent-base@7.1.4 foreground-child@3.3.1 @npmcli/fs@4.0.0 abbrev@2.0.0 diff@5.2.0 fast-diff@1.3.0 react-dom@18.2.0 unique-filename@4.0.0 unique-slug@5.0.0 validate-npm-package-name@5.0.1

The New Authors were investigated, and found to likely be legitimate contributors. The various access endowments were investigated and found to be legitimate.

+----------------------------------------------+----------------+--------------------------------------------+
| Package                                      | Reason         | Finding                                    |
+----------------------------------------------+----------------+--------------------------------------------+
| @npmcli/agent@2.2.2                          | Network access | Networking utility                         |
| @npmcli/agent@3.0.0                          | Network access | Networking utility                         |
| agent-base@7.1.4                             | Network access | Networking utility                         |
| foreground-child@3.3.1                       | Shell access   | Used by glob CLI, not glob lib             |
| @npmcli/fs@4.0.0                             | New Author     | npm-cli-ops                                |
| abbrev@2.0.0                                 | New Author     | lukekarrys                                 |
| diff@5.2.0                                   | New Author     | explodingcabbage                           |
| fast-diff@1.3.0                              | New Author     | luin                                       |
| react-dom@18.2.0                             | New Author     | gnoff                                      |
| unique-filename@4.0.0                        | New Author     | npm-cli-ops                                |
| unique-slug@5.0.0                            | New Author     | npm-cli-ops                                |
| validate-npm-package-name@5.0.1              | New Author     | npm-cli-ops                                |
+----------------------------------------------+----------------+--------------------------------------------+

@MoMannn

MoMannn commented Jul 25, 2025

Copy link
Copy Markdown
Member Author

@SocketSecurity ignore @metamask/snaps-sandbox@1.0.0 We trust packages we produce :)

@MoMannn MoMannn merged commit 3e7e95e into main Jul 25, 2025
16 checks passed
@MoMannn MoMannn deleted the chore/dependency-updates branch July 25, 2025 10:01
github-merge-queue Bot pushed a commit to MetaMask/metamask-extension that referenced this pull request Aug 25, 2025
## **Description**

This is a version bump for the preinstalled
@metamask/message-signing-snap to v1.1.3

This version solves some security vulnerabilities caused by out of date
dependencies.

## **Related issues**

Relates to: MetaMask/message-signing-snap#131
Required by: MetaMask/snap-7715-permissions#112

## **Manual testing steps**

No user facing tests


## **Pre-merge author checklist**

- [x] I've followed [MetaMask Contributor
Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask
Extension Coding
Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md).
- [x] I've completed the PR template to the best of my ability
- [x] I’ve included tests if applicable
- [x] I’ve documented my code using [JSDoc](https://jsdoc.app/) format
if applicable
- [x] I’ve applied the right labels on the PR (see [labeling
guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)).
Not required for external contributors.

## **Pre-merge reviewer checklist**

- [ ] I've manually tested the PR (e.g. pull and build branch, run the
app, test code being changed).
- [ ] I confirm that this PR addresses all acceptance criteria described
in the ticket it closes and includes the necessary testing evidence such
as recordings and or screenshots.
github-merge-queue Bot pushed a commit to MetaMask/metamask-extension that referenced this pull request Aug 26, 2025
## **Description**

This is a version bump for the preinstalled
@metamask/message-signing-snap to v1.1.3

This version solves some security vulnerabilities caused by out of date
dependencies.

## **Related issues**

Relates to: MetaMask/message-signing-snap#131
Required by: MetaMask/snap-7715-permissions#112

## **Manual testing steps**

No user facing tests


## **Pre-merge author checklist**

- [x] I've followed [MetaMask Contributor
Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask
Extension Coding
Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md).
- [x] I've completed the PR template to the best of my ability
- [x] I’ve included tests if applicable
- [x] I’ve documented my code using [JSDoc](https://jsdoc.app/) format
if applicable
- [x] I’ve applied the right labels on the PR (see [labeling
guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)).
Not required for external contributors.

## **Pre-merge reviewer checklist**

- [ ] I've manually tested the PR (e.g. pull and build branch, run the
app, test code being changed).
- [ ] I confirm that this PR addresses all acceptance criteria described
in the ticket it closes and includes the necessary testing evidence such
as recordings and or screenshots.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants