metamask-extension
Version v11.11.0
Description
RC v11.11.0
CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.
Builds ready [6d34630]
- builds: chrome, firefox
- builds (beta): chrome
- builds (flask): chrome, firefox
- builds (MMI): chrome, firefox
- builds (test): chrome, firefox
- builds (test-flask): chrome, firefox
- build viz: Build System
- mv3: Background Module Init Stats
- mv3: UI Init Stats
- mv3: Module Load Stats
- mv3: Bundle Size Stats
- mv2: E2e Actions Stats
- code coverage: Report
- storybook: Storybook
- typescript migration: Dashboard
- all artifacts
Page Load Metrics (803 ± 47 ms)
Platform | Page | Metric | Min (ms) | Max (ms) | Average (ms) | StandardDeviation (ms) | MarginOfError (ms) |
---|---|---|---|---|---|---|---|
Chrome | Home | firstPaint | 79 | 160 | 105 | 19 | 9 |
Chrome | Home | domContentLoaded | 9 | 48 | 16 | 8 | 4 |
Chrome | Home | load | 721 | 1203 | 803 | 97 | 47 |
Chrome | Home | domInteractive | 9 | 48 | 16 | 8 | 4 |
Bundle size diffs [🚨 Warning! Bundle size has increased!]
- background: 1 Bytes (0.00%)
- ui: 0 Bytes (0.00%)
- common: 0 Bytes (0.00%)
Bug report for v11.11.0: https://github.com/MetaMask/MetaMask-planning/issues/2068
Manual test scenarios:
Chrome
- [x] Onboarding - create a wallet
- [x] Onboarding - import a wallet
- [x] Keyring - connect hardware wallet
- [x] Keyring - reset a wallet
- [x] Transactions - send native token origin MM
- [x] Transactions - send native token origin dapp
- [x] Transactions - send ERC20 token origin MM
- [x] Transactions - send ERC20 token origin dapp
- [x] Transactions - send ERC721 token origin MM
- [x] Transactions - send ERC721 token origin dapp
- [x] Transactions - speed up transaction
- [x] Transactions - cancel transaction
- [x] Tokens - import ERC20 token origin MM
- [x] Tokens - import ERC20 token origin dapp
- [x] Tokens - import ERC721 token origin MM
- [x] Tokens - import ERC721 token origin dapp
- [x] Tokens - import ERC1155 token origin MM
- [x] Tokens - import ERC1155 token origin dapp
- [x] Tokens - approve ERC1155 token
- [x] Tokens - approve ERC20 token
- [x] Tokens - approve ERC721 token
- [x] Tokens - autodetect tokens
- [x] Tokens - autodetect NFTs
- [x] ENS - name resolution
- [x] Phishing - warning page
- [x] Network - add custom network manually
- [x] Network - add custom network from the list of popular networks
- [x] Network - add custom network from dApp
- [x] Network - update networks
- [x] Network - switching networks
- [x] Network - delete networks from the dropdown list
- [x] Network - delete networks in Settings
- [x] Backup - backup user data
- [x] Backup - restore user data
- [x] Metrics - send event metrics
- [x] Address-book - add a contact to the address book
- [x] Address-book - remove a contact from the address book
- [x] Address-book - update a contact in the address book
- [x] Gas fee - EIP-1559 gas
- [x] Gas fee - legacy gas
- [x] Sign - eth sign
- [x] Sign - personal sign
- [x] Sign - sign in with ethereum
- [x] Sign - sign typed with data
- [x] Permissions - connecting and disconnecting from a dapp
- [x] Swap - smart swap
- [x] Swap - swap eth
- [x] Incoming transactions - receive native token
Firefox
- [x] Onboarding - create a wallet
- [x] Onboarding - import a wallet
- [x] Keyring - connect hardware wallet
- [x] Keyring - reset a wallet
- [x] Transactions - send native token origin MM
- [x] Transactions - send native token origin dapp
- [x] Transactions - send ERC20 token origin MM
- [x] Transactions - send ERC20 token origin dapp
- [x] Transactions - send ERC721 token origin MM
- [x] Transactions - send ERC721 token origin dapp
- [x] Transactions - speed up transaction
- [x] Transactions - cancel transaction
- [x] Tokens - import ERC20 token origin MM
- [x] Tokens - import ERC20 token origin dapp
- [x] Tokens - import ERC721 token origin MM
- [x] Tokens - import ERC721 token origin dapp
- [x] Tokens - import ERC1155 token origin MM
- [x] Tokens - import ERC1155 token origin dapp
- [x] Tokens - approve ERC1155 token
- [x] Tokens - approve ERC20 token
- [x] Tokens - approve ERC721 token
- [x] Tokens - autodetect tokens
- [x] Tokens - autodetect NFTs
- [x] ENS - name resolution
- [x] Phishing - warning page
- [x] Network - add custom network manually
- [x] Network - add custom network from the list of popular networks
- [x] Network - add custom network from dApp
- [x] Network - update networks
- [x] Network - switching networks
- [x] Network - delete networks from the dropdown list
- [x] Network - delete networks in Settings
- [x] Backup - backup user data
- [x] Backup - restore user data
- [x] Metrics - send event metrics
- [x] Address-book - add a contact to the address book
- [x] Address-book - remove a contact from the address book
- [x] Address-book - update a contact in the address book
- [x] Gas fee - EIP-1559 gas
- [x] Gas fee - legacy gas
- [x] Sign - eth sign
- [x] Sign - personal sign
- [x] Sign - sign in with ethereum
- [x] Sign - sign typed with data
- [x] Permissions - connecting and disconnecting from a dapp
- [x] Swap - smart swap
- [x] Swap - swap eth
- [x] Incoming transactions - receive native token
Release tracker for change validation on v11.11.0: https://docs.google.com/spreadsheets/d/1tsoodlAlyvEUpkkcNcbZ4PM9HuC9cEM80RZeoVv5OCQ/edit#gid=1705023040
We need teams' approval on 19th of Feb at the latest.
- [x] Snaps: @bowensanders / @FrederikBolding / @Montoya - There are no functional Snaps changes in v11.11.0, but please take note of the 5 Non-functional/regression possible commits.
- [x] Confirmation UX: @seaona - There are 3 functional Confirmations UX changes in v11.11.0. Please also take note of the 3 Non-functional/regression possible commits.
- [x] Confirmation Systems: @sleepytanya - There are 10 Confirmation Systems changes in v11.11.0.
- [x] Accounts: @plasmacorral - There are 3 Accounts changes in v11.11.0.
- [x] Extension UX: @darkwing / @NidhiKJha - There are 3 Extension UX changes in v11.11.0.
- [x] MMI: @zone-live / @shane-t - There are 2 MMI changes in v11.11.0.
- [x] Design/Systems: @georgewrmarshall - There are 2 Design/Systems changes in v11.11.0.
- [x] Devex: @tmashuang / @vandan - There is 1 Devex change in v11.11.0.
- [x] Hardware wallets: There is 1 Hardware wallets change in v11.11.0 - https://app.zenhub.com/workspaces/extension-release-regression-6478c62d937eaa15e95c33c5/issues/gh/metamask/metamask-extension/22931
- [x] Assets: @sahar-fehri / @alfeng6 - There is 1 Assets change in v11.11.0.
Note: please attach all the release bugs to this bug report epic here: https://github.com/MetaMask/MetaMask-planning/issues/2068
Thank you so much!
@benjisclowder, below are my findings for the manual tests on Chrome
FAILED Keyring - connect hardware wallet
Unknown error after connecting, the flow does not proceed and the device is shown as already paired
FAILED (tested on Sepolia) ENS - name resolution
No address has been set for this name
GENERAL COMMENT:
Bad formatting when importing a token
NOT tested:
- Tokens - autodetect tokens
- Tokens - autodetect NFTs
- Swap - smart swap
- Swap - swap eth
Hey @benjisclowder! Here's what I found for the manual test on Firefox.
ENS - Name Resolution
This test failed on Sepolia, as observed in the screenshot below. There's no address associated with this name. There are no issues on Ethereum Mainnet regarding this aspect.
General comment:
- For importing a token, the formatting is terrible, dragging the elements to the extreme left, as observed in the screenshot below.
- When initiating the transaction (the issue didn't manifest while making the transaction through the dApp), the 'Speed up' option disappears when the wallet closes (by clicking outside it or closing it intentionally). Only the 'cancel' option remains available.
Import ERC1155 token origin MM
- It might be related solely to the network, but when I triggered the transaction in the dApp by clicking on Deploy the ERC1155 Contract, the transaction got stuck in pending for too long (locally). I tried to speed up the transaction two times, but it remained stuck. After that, only the cancel option was still available, but it remained pending without any option available:
So I cleaned the activity and nonce data. Everything was erased except the two initial funding transactions. After that, every time I tried to retake the steps, the transaction failed instantly (locally). The issue was also happening with other similar token operations from the dApp.
I reinstalled the extension and restored my wallet. The issue of instantly failing transactions was persisting.
I talked to @A-Feder, who suggested setting the gas price to 100 and the priority fee to 25. It got through after that, but the pending issue was still happening.
I sped up the last transaction and waited approximately one hour. The transaction got through, and everything worked at a more reasonable speed after that.
But the thing related to the MetaMask extension that I want to point out is that the function from the dApp was generating prompts in the wallet, but the transactions were not present in the activity log. Only the first failed transaction was present there.
NOT TESTED:
- Keyring - connect hardware wallet
- Tokens - autodetect tokens
- Tokens - autodetect NFTs
- Swap - smart swap
- Swap - swap eth
🟢 Approval from Accounts team
🟢 Approval on Behalf of the hardware wallets team
Several observations added to the bug report, but none are launch blocking.
- [Bug]: Upon swap completion if user clicks away then returns to extension, a draft swap of what was just completed is presented - confirmed in Prod 11.10.0
- [Bug]: Swap exceeding spending approval - confirmed in Prod 11.10.0
- [Bug]: alignment issues on Add suggested tokens confirmation
- [Bug]: Incorrect account name in receive flow
- [Bug]: Not observing QR progress bar as expected in RC11.11.0
- [Bug]: Max Gwei value from transaction on account A, persists across send tx on account B and C - CLOSED as resolved
🟢 Approval from Confirmations System team
- [Bug]: Gas estimates are not updated - closed as resolved
New and removed dependencies detected.
🚮 Removed packages: npm/@choojs/[email protected], npm/@jest/[email protected], npm/@jest/[email protected], npm/@jest/[email protected], npm/@jest/[email protected], npm/@metamask/[email protected], npm/@storybook/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected]
🚨 Potential security issues detected.
To accept the risk, merge this PR and you will not be notified again.
Alert | Package | Note | Source |
---|---|---|---|
New author | npm/@npmcli/[email protected] | | |
Network access | npm/[email protected] | | |
Network access | npm/[email protected] | | |
Network access | npm/[email protected] | | |
Network access | npm/[email protected] | | |
New author | npm/[email protected] | | |
New author | npm/[email protected] | | |
New author | npm/[email protected] | | |
Shell access | npm/[email protected] | | |
Deprecated | npm/[email protected] | | |
New author | npm/[email protected] | | |
Next steps
What is new author?
A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.
Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.
What is network access?
This module accesses the network.
Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.
What is shell access?
This module accesses the system shell. Accessing the system shell increases the risk of executing arbitrary code.
Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.
What is a deprecated package?
The maintainer of the package marked it as deprecated. This could indicate that a single version should not be used, or that the package is no longer maintained and any new vulnerabilities will not be fixed.
Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.
Take a deeper look at the dependency
Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.
Remove the package
If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.
Mark a package as acceptable risk
To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers, e.g. @SocketSecurity ignore npm/[email protected], or ignore all packages with @SocketSecurity ignore-all
@SocketSecurity ignore npm/@npmcli/[email protected]
@SocketSecurity ignore npm/[email protected]
@SocketSecurity ignore npm/[email protected]
@SocketSecurity ignore npm/[email protected]
@SocketSecurity ignore npm/[email protected]
@SocketSecurity ignore npm/[email protected]
@SocketSecurity ignore npm/[email protected]
@SocketSecurity ignore npm/[email protected]
🟢 QA Sign Off from Confirmations UX team
- Move security alerts out of Experimental settings on Extension (#22813)
- [test] PPOM - Run Simple Send Eth test against Multichain build (#22829)
- feat: BlockaidBannerAlert update Failed type false positive support (#22742)
- Confirmation redesign: adding title to personal sign component (#22749)
- Refactor and update blockaid banner alert (#22625)
- [Bug|Feat] blockaid external link clicked metric update (#22631)
- feat: create ConfirmTitle component (#22270)
- test: adds blockaid multiple network support test (#22691)
Note: there's one issue that needs more investigation, as I'm unsure on its impact. However, it's not a release blocker, as it started appearing in 11.10 and no evident metrics functionality seems to be broken: [Bug]: MetaMetricsController: no userTraits found
Builds ready [a482941]
Page Load Metrics (1828 ± 88 ms)
Platform | Page | Metric | Min (ms) | Max (ms) | Average (ms) | StandardDeviation (ms) | MarginOfError (ms) |
---|---|---|---|---|---|---|---|
Chrome | Home | firstPaint | 104 | 229 | 139 | 34 | 16 |
Chrome | Home | domContentLoaded | 10 | 78 | 27 | 19 | 9 |
Chrome | Home | load | 1438 | 2273 | 1828 | 183 | 88 |
Chrome | Home | domInteractive | 10 | 78 | 27 | 19 | 9 |
Builds ready [75015bd]
Page Load Metrics (1953 ± 83 ms)
Platform | Page | Metric | Min (ms) | Max (ms) | Average (ms) | StandardDeviation (ms) | MarginOfError (ms) |
---|---|---|---|---|---|---|---|
Chrome | Home | firstPaint | 105 | 191 | 136 | 22 | 11 |
Chrome | Home | domContentLoaded | 15 | 49 | 27 | 11 | 5 |
Chrome | Home | load | 1473 | 2149 | 1953 | 173 | 83 |
Chrome | Home | domInteractive | 15 | 49 | 27 | 11 | 5 |
@SocketSecurity ignore-all
There are 11 warnings.
4 are new author warnings where the author is a GitHub staff member and a known contributor to npm-related projects, and 1 is an author warning for vs-codebot, which is maintained by Microsoft and used for Microsoft-maintained packages.
1 is for a new package simple-git, which uses shell access as a dev tool.
1 is for the deprecated gulp-postcss, which we should update but need not block release.
4 are for network access in make-fetch-happen, which is needed for its usage in node-gyp, which is a widely used build tool.