metamask-extension chore: update `@trezor/connect-web` to `v9.2.2`

Description

The user experience for trezor connection on mv2 is this:

Click through the hardware wallet connect screen for trezor
Trezor popup tab opens
User can connect the trezor device without having to install other software

Before this PR, on mv3, the flow was:

Click through the hardware wallet connect screen for trezor
Trezor popup tab opens
User has to install the trezor bridge
Once installed, the user can connect their trezor device to MetaMask

The solution to the problem required two parts.

First, we needed the connect-web module (called TrezorConnectSDK in the offscreen trezor file) to specify the env variable communicated to the trezor connect iframe and popup to be "webextension" and not just "web". This is because the iframe/popup code assumes that if the iframe origin does not match the origin of popup (e.g. metamask vs connect.trezor.io), and if environment is not "webextension", then webusb cannot be available: https://github.com/trezor/trezor-suite/blob/bb2e075024c8d8316fa016b7b20a0421b1a1f7d0/packages/connect-iframe/src/connectSettings.ts#L74-L84.

In theory, this could be set when the trezor module is initialized, but if the env is set to "webextension" in the connect-web code, then it attempts to open the popup via chrome apis that are not available in the offscreen document. So the solution is a patch which just tells the iframe and the popup that the environment is "webextension", while leave the environment setting within the trezor code that runs in the offscreen context as "web".

With that fix in place, there was another problem of metamask being able to connect to the webusb device and the popup being able to read that connection (or vice-versa). If the requestDevice call happens from the popup, then the webusb permission will be granted to the trezor.io origin, and metamask is unable to communicate with those devices. However, if the requestDevice call happens from metamask, then the devices can be communicated from metamask to the popup, and metamask (in particular the offscreen document) can communicate directly with the devices. Specifically, this code https://github.com/trezor/trezor-suite/blob/bb2e075024c8d8316fa016b7b20a0421b1a1f7d0/packages/transport/src/api/usb.ts#L98, when run within the offscreen document, returns null when requestDevice was called from the trezor popup, but returns a correctly populated array if requestDevice was called from MetaMask. To fix this, we can call requestDevice explicitly within the MetaMask ui flow, instead of having the trezor popup call it for us

Finally, and independent of the above two fixes, this PR updates trezor connect packages, which was necessary to get trezor working properly with Snow.

Related issues

Fixes:

Manual testing steps

Build this branch with yarn start:mv3
Go through the regular trezor connect flow
Trezor should connect and sign as normal

Screenshots/Recordings

https://github.com/MetaMask/metamask-extension/assets/7499938/29533595-f16f-4492-be21-f9bc3698fe70

Pre-merge author checklist

[ ] I’ve followed MetaMask Coding Standards.
[ ] I've completed the PR template to the best of my ability
[ ] I’ve included tests if applicable
[ ] I’ve documented my code using JSDoc format if applicable
[ ] I’ve applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

[ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
[ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

Mar 27 '24 15:03 danjm

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

Mar 27 '24 15:03 github-actions[bot]

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report↗︎

Next steps

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

Mar 27 '24 15:03 socket-security[bot]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@trezor/[email protected]	Transitive: environment, eval, filesystem, network, shell, unsafe	`+115`	56 MB	trezor-ci
npm/[email protected]	filesystem, network	`+13`	5.1 MB	google-wombot

View full report↗︎

Mar 28 '24 16:03 socket-security[bot]

@metamaskbot update-policies

Apr 25 '24 17:04 danjm

Policies updated

Apr 25 '24 17:04 metamaskbot

@metamaskbot update-policies

Apr 30 '24 13:04 danjm

Policies updated

Apr 30 '24 14:04 metamaskbot

Builds ready [abfcc55]

builds: chrome, firefox
builds (beta): chrome
builds (flask): chrome, firefox
builds (MMI): chrome, firefox
builds (test): chrome, firefox
builds (test-flask): chrome, firefox
build viz: Build System
mv3: Background Module Init Stats
mv3: UI Init Stats
mv3: Module Load Stats
mv3: Bundle Size Stats
mv2: E2e Actions Stats
code coverage: Report
storybook: Storybook
typescript migration: Dashboard
all artifacts
bundle viz:
- background: 0, 1, 2, 3, 4, 5, 6
- common: 0, 1, 2, 3, 4, 5, 6, 7, 8
- content-script: 0
- ui: 0, 1, 10, 2, 3, 4, 5, 6, 7, 8, 9

Page Load Metrics (1169 ± 590 ms)

Platform	Page	Metric	Min (ms)	Max (ms)	Average (ms)	StandardDeviation (ms)	MarginOfError (ms)
Chrome	Home	firstPaint	72	163	100	28	13
		domContentLoaded	9	40	16	8	4
		load	59	2778	1169	1228	590
		domInteractive	9	40	16	8	4

Bundle size diffs [🚨 Warning! Bundle size has increased!]

background: 32.82 KiB (0.98%)
ui: 575 Bytes (0.01%)
common: 141.73 KiB (2.30%)

May 21 '24 01:05 metamaskbot

Codecov Report

Attention: Patch coverage is 33.33333% with 6 lines in your changes are missing coverage. Please review.

Project coverage is 67.42%. Comparing base (0d1dc5e) to head (e167e9a). Report is 1 commits behind head on develop.

Files	Patch %	Lines
...create-account/connect-hardware/select-hardware.js	33.33%	6 Missing :warning:

Additional details and impacted files

@@             Coverage Diff             @@
##           develop   #23763      +/-   ##
===========================================
- Coverage    67.43%   67.42%   -0.01%     
===========================================
  Files         1290     1290              
  Lines        50308    50316       +8     
  Branches     13034    13037       +3     
===========================================
+ Hits         33922    33924       +2     
- Misses       16386    16392       +6

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

May 21 '24 13:05 codecov[bot]

Builds ready [1e820a7]

builds: chrome, firefox
builds (beta): chrome
builds (flask): chrome, firefox
builds (MMI): chrome, firefox
builds (test): chrome, firefox
builds (test-flask): chrome, firefox
build viz: Build System
mv3: Background Module Init Stats
mv3: UI Init Stats
mv3: Module Load Stats
mv3: Bundle Size Stats
mv2: E2e Actions Stats
code coverage: Report
storybook: Storybook
typescript migration: Dashboard
all artifacts
bundle viz:
- background: 0, 1, 2, 3, 4, 5, 6
- common: 0, 1, 2, 3, 4, 5, 6, 7, 8
- content-script: 0
- ui: 0, 1, 10, 2, 3, 4, 5, 6, 7, 8, 9

Page Load Metrics (633 ± 468 ms)

Platform	Page	Metric	Min (ms)	Max (ms)	Average (ms)	StandardDeviation (ms)	MarginOfError (ms)
Chrome	Home	firstPaint	57	205	87	31	15
		domContentLoaded	8	129	19	26	12
		load	45	2443	633	974	468
		domInteractive	8	129	19	26	12

Bundle size diffs [🚨 Warning! Bundle size has increased!]

background: 32.82 KiB (0.98%)
ui: 575 Bytes (0.01%)
common: 141.73 KiB (2.30%)

May 21 '24 14:05 metamaskbot

Builds ready [650dc3d]

builds: chrome, firefox
builds (beta): chrome
builds (flask): chrome, firefox
builds (MMI): chrome, firefox
builds (test): chrome, firefox
builds (test-flask): chrome, firefox
build viz: Build System
mv3: Background Module Init Stats
mv3: UI Init Stats
mv3: Module Load Stats
mv3: Bundle Size Stats
mv2: E2e Actions Stats
code coverage: Report
storybook: Storybook
typescript migration: Dashboard
all artifacts
bundle viz:
- background: 0, 1, 2, 3, 4, 5, 6
- common: 0, 1, 2, 3, 4, 5, 6, 7, 8
- content-script: 0
- ui: 0, 1, 10, 2, 3, 4, 5, 6, 7, 8, 9

Page Load Metrics (1390 ± 584 ms)

Platform	Page	Metric	Min (ms)	Max (ms)	Average (ms)	StandardDeviation (ms)	MarginOfError (ms)
Chrome	Home	firstPaint	64	143	98	25	12
		domContentLoaded	9	49	15	11	5
		load	51	3213	1390	1216	584
		domInteractive	9	49	15	11	5

Bundle size diffs [🚨 Warning! Bundle size has increased!]

background: 32.82 KiB (0.97%)
ui: 575 Bytes (0.01%)
common: 141.73 KiB (2.30%)

May 21 '24 22:05 metamaskbot

The implementation looks good to me. Approved ~

May 22 '24 10:05 DDDDDanica

Builds ready [e167e9a]

builds: chrome, firefox
builds (beta): chrome
builds (flask): chrome, firefox
builds (MMI): chrome, firefox
builds (test): chrome, firefox
builds (test-flask): chrome, firefox
build viz: Build System
mv3: Background Module Init Stats
mv3: UI Init Stats
mv3: Module Load Stats
mv3: Bundle Size Stats
mv2: E2e Actions Stats
code coverage: Report
storybook: Storybook
typescript migration: Dashboard
all artifacts
bundle viz:
- background: 0, 1, 2, 3, 4, 5, 6
- common: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
- content-script: 0
- ui: 0, 1, 10, 2, 3, 4, 5, 6, 7, 8, 9

Page Load Metrics (506 ± 422 ms)

Platform	Page	Metric	Min (ms)	Max (ms)	Average (ms)	StandardDeviation (ms)	MarginOfError (ms)
Chrome	Home	firstPaint	60	178	92	32	16
		domContentLoaded	9	62	16	14	7
		load	49	2441	506	878	422
		domInteractive	9	62	16	14	7

Bundle size diffs [🚨 Warning! Bundle size has increased!]

background: 32.82 KiB (0.95%)
ui: 575 Bytes (0.01%)
common: 141.73 KiB (2.30%)

May 22 '24 12:05 metamaskbot

@SocketSecurity ignore-all

All of the dependencies that socket security is warning us about are dependencies of trezor, but not of them are used in our applications code

May 22 '24 15:05 danjm

Missing release label release-11.16.6 on PR. Adding release label release-11.16.6 on PR and removing other release labels(release-11.18.0), as PR was cherry-picked in branch 11.16.6.

Jun 04 '24 20:06 metamaskbot

metamask-extension metamask-extension copied to clipboard

chore: update `@trezor/connect-web` to `v9.2.2`

Description

Related issues

Manual testing steps

Screenshots/Recordings

Pre-merge author checklist

Pre-merge reviewer checklist

Next steps

Codecov Report

metamask-extension
metamask-extension copied to clipboard