
cherry-pick(v12.1.1): Bump `@metamask/eth-json-rpc-middleware` to `^14.0.0` (#26143)

Open MajorLift opened this issue 1 year ago • 28 comments

Description

Cherry-pick of #26143 for ~v12.1.0-rc~ v12.1.1-rc.

This is a very different PR from the original, as I had to remove diffs to a significant amount of code that has not yet been introduced to the release candidate.

The diffs that were excluded here will need to be reapplied to a future release. I'm also keeping an eye out for new cherry-picks that may introduce changes requiring me to restore certain diffs.

Aligning @metamask/eth-block-tracker to ^11.0.1 is deferred, as it's blocked by #26150, which is not included in this release candidate. The @metamask/transaction-controller major version bump from ^34.0.0 to ^35.1.1 is also removed for now.

See below for new changelog.

Changelog

Added

  • Add and export PPOMMiddlewareRequest type for JsonRpcRequest types that include the securityAlertResponse property.
    • securityAlertResponse is defined as both optional and nullable.
  • Add PPOMRequest type for eth_sendTransaction requests.

Changed

  • BREAKING: Bump @metamask/eth-json-rpc-middleware from ^12.1.1 to ^14.0.0.
  • Bump @trezor/connect-web from 9.2.2 to 9.3.0.

Fixed

  • BREAKING: Narrow Params generic parameter of createPPOMMiddleware function from JsonRpcParams to (string | { to: string })[].
  • Add Params generic parameter to handleSnapRequest function, which is constrained by Record<string, unknown> and defaults to JsonRpcParams.
    • handleSnapRequest can now be typed correctly with any params object.

Security

  • BREAKING: Typed signature validation only replaces 0X prefix with 0x, and contract address normalization is removed for decimal and octal values.
    • Threat actors have been manipulating eth_signTypedData_v4 fields to cause failures in blockaid's detectors.
    • Extension crashes with an error when performing Malicious permit with a non-0x prefixed integer address.
    • This fixes an issue where the key value row or petname component disappears if a signed address is prefixed by "0X" instead of "0x".

Manual testing steps

  1. Go to this page...

Screenshots/Recordings

Before

After

Pre-merge author checklist

Pre-merge reviewer checklist

  • [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
  • [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

MajorLift avatar Aug 22 '24 18:08 MajorLift

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring: npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/[email protected]

View full report↗︎

Next steps

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/[email protected] or ignore all packages with @SocketSecurity ignore-all

socket-security[bot] avatar Aug 22 '24 18:08 socket-security[bot]

@metamaskbot update-policies

MajorLift avatar Aug 22 '24 18:08 MajorLift

@SocketSecurity ignore npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected]

Patch updates auto-applied due to caret specifier in version string: ^7.6.19.

MajorLift avatar Aug 22 '24 18:08 MajorLift

@SocketSecurity ignore npm/[email protected]

Benign author change

MajorLift avatar Aug 22 '24 18:08 MajorLift

@SocketSecurity ignore npm/[email protected]

Library functionality requires network access.

MajorLift avatar Aug 22 '24 18:08 MajorLift

Policy update failed. You can review the logs or retry the policy update here

metamaskbot avatar Aug 22 '24 18:08 metamaskbot

Policy update failed. You can review the logs or retry the policy update here

metamaskbot avatar Aug 22 '24 18:08 metamaskbot

@metamaskbot update-policies

MajorLift avatar Aug 22 '24 18:08 MajorLift

Policy update failed. You can review the logs or retry the policy update here

metamaskbot avatar Aug 22 '24 19:08 metamaskbot

@metamaskbot update-policies

MajorLift avatar Aug 22 '24 19:08 MajorLift

Policy update failed. You can review the logs or retry the policy update here

metamaskbot avatar Aug 22 '24 19:08 metamaskbot

@metamaskbot update-policies

MajorLift avatar Aug 22 '24 19:08 MajorLift

Policies updated

metamaskbot avatar Aug 22 '24 20:08 metamaskbot

We'll be targeting this for v12.1.1 instead, so I've temporarily labelled this as DO-NOT-MERGE until that RC is ready to target.

Gudahtt avatar Aug 22 '24 20:08 Gudahtt

Builds ready [44264fa]
Page Load Metrics (251 ± 259 ms)
Platform  Page  Metric            Min (ms)  Max (ms)  Average (ms)  StandardDeviation (ms)  MarginOfError (ms)
Chrome    Home  firstPaint              76       128           103                      16                   8
Chrome    Home  domContentLoaded        11        58            25                      13                   6
Chrome    Home  load                    50      2108           251                     539                 259
Chrome    Home  domInteractive          11        58            25                      13                   6

metamaskbot avatar Aug 22 '24 21:08 metamaskbot

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Project coverage is 69.84%. Comparing base (0ef30b9) to head (433c309). Report is 1 commit behind head on Version-v12.1.1.

Additional details and impacted files
@@               Coverage Diff                @@
##           Version-v12.1.1   #26626   +/-   ##
================================================
  Coverage            69.84%   69.84%           
================================================
  Files                 1371     1371           
  Lines                48791    48795    +4     
  Branches             13453    13455    +2     
================================================
+ Hits                 34074    34078    +4     
  Misses               14717    14717           

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

codecov[bot] avatar Aug 22 '24 21:08 codecov[bot]

@metamaskbot update-policies

MajorLift avatar Aug 23 '24 17:08 MajorLift

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

github-actions[bot] avatar Aug 23 '24 18:08 github-actions[bot]

@SocketSecurity ignore npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected], npm/@storybook/[email protected]

Patch version bump for trusted @storybook-namespaced packages.

MajorLift avatar Aug 23 '24 18:08 MajorLift

Policies updated

metamaskbot avatar Aug 23 '24 18:08 metamaskbot

@SocketSecurity ignore npm/[email protected]

Benign author change

MajorLift avatar Aug 23 '24 18:08 MajorLift

@SocketSecurity ignore npm/[email protected]

Library functionality requires network access.

MajorLift avatar Aug 23 '24 18:08 MajorLift

@SocketSecurity ignore npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected] npm/@storybook/[email protected]

Patch version bump for trusted @storybook-namespaced packages.

MajorLift avatar Aug 23 '24 18:08 MajorLift

@metamaskbot update-policies

MajorLift avatar Aug 23 '24 19:08 MajorLift

Policies updated

metamaskbot avatar Aug 23 '24 19:08 metamaskbot

Builds ready [cf3695a]
Page Load Metrics (198 ± 218 ms)
Platform  Page  Metric            Min (ms)  Max (ms)  Average (ms)  StandardDeviation (ms)  MarginOfError (ms)
Chrome    Home  firstPaint              70       307           131                      51                  25
Chrome    Home  domContentLoaded        10       188            42                      38                  18
Chrome    Home  load                    44      2171           198                     455                 218
Chrome    Home  domInteractive          10       188            42                      38                  18

metamaskbot avatar Aug 26 '24 17:08 metamaskbot

Builds ready [af5a270]
Page Load Metrics (607 ± 421 ms)
Platform  Page  Metric            Min (ms)  Max (ms)  Average (ms)  StandardDeviation (ms)  MarginOfError (ms)
Chrome    Home  firstPaint              92       384           142                      62                  30
Chrome    Home  domContentLoaded        11        95            37                      26                  12
Chrome    Home  load                    62      2248           607                     876                 421
Chrome    Home  domInteractive          11        95            37                      26                  12

metamaskbot avatar Aug 27 '24 19:08 metamaskbot

Removed the DO-NOT-MERGE label as this PR is now targeting the RC branch for v12.1.1.

MajorLift avatar Aug 29 '24 12:08 MajorLift

Builds ready [5c46dea]
Page Load Metrics (305 ± 282 ms)
Platform  Page  Metric            Min (ms)  Max (ms)  Average (ms)  StandardDeviation (ms)  MarginOfError (ms)
Chrome    Home  firstPaint              71       300           106                      53                  25
Chrome    Home  domContentLoaded         9        39            22                       8                   4
Chrome    Home  load                    48      1809           305                     587                 282
Chrome    Home  domInteractive           9        39            22                       8                   4

metamaskbot avatar Aug 29 '24 17:08 metamaskbot

Builds ready [d833023]
Page Load Metrics (145 ± 167 ms)
Platform  Page  Metric            Min (ms)  Max (ms)  Average (ms)  StandardDeviation (ms)  MarginOfError (ms)
Chrome    Home  firstPaint              72       191           101                      26                  12
Chrome    Home  domContentLoaded        11        56            25                      13                   6
Chrome    Home  load                    47      1664           145                     349                 167
Chrome    Home  domInteractive          11        56            25                      13                   6

metamaskbot avatar Aug 30 '24 11:08 metamaskbot