metamask-mobile icon indicating copy to clipboard operation
metamask-mobile copied to clipboard
verified publisher icon MetaMask

feat: @lavamoat/react-native-lockdown

Open leotm opened this issue 6 months ago • 4 comments

Description

Introduce Hardened JavaScript now on both iOS (RN JSC) and Android (Hermes) via Metro (@lavamoat/react-native-lockdown beta) instead of RN patch

TODO

  • [x] Remove stale SES shim (now via @lavamoat/react-native-lockdown)
  • [x] Remove stale RN iOS patch
  • [x] Add temp @lavamoat/react-native-lockdown .tar.gz
  • [x] Add temp SES patch https://github.com/endojs/endo/pull/2855
  • [ ] Replace temp .tar.gz and SES patch with official @lavamoat/react-native-lockdown once https://github.com/LavaMoat/LavaMoat/pull/1716 merged
  • [ ] Remove experimental feature toggle UI
  • [ ] Fix smoke/regression e2e test timeouts
    • https://app.bitrise.io/app/be69d4368ee7e86d/pipelines/2b384037-b417-4259-b263-ad6ce3c35a41
    • nightly regression tests currently failing on main, once passing check those on this branch

Related issues

Fixes:

Manual testing steps

  1. Go to this page...

Screenshots/Recordings

Before

After

Pre-merge author checklist

Pre-merge reviewer checklist

  • [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
  • [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

leotm avatar Jun 12 '25 17:06 leotm

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addednpm/​@​lavamoat/​react-native-lockdown@​0.0.2100100100100100

View full report

socket-security[bot] avatar Jun 12 '25 17:06 socket-security[bot]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

github-actions[bot] avatar Jun 17 '25 20:06 github-actions[bot]

Passing Smoke E2E: https://app.bitrise.io/app/be69d4368ee7e86d/pipelines/f209fd93-e170-49a2-b908-44fbee9dc124

sethkfman avatar Jun 17 '25 21:06 sethkfman

Passing Smoke E2E: https://app.bitrise.io/app/be69d4368ee7e86d/pipelines/606d9216-a472-4e4f-92ce-b08ada66743b

leotm avatar Jun 19 '25 14:06 leotm

Failing Regression E2E: https://app.bitrise.io/app/be69d4368ee7e86d/pipelines/6b1a7d83-e953-4d96-b15d-a21366ccdbbf

  • iOS: 6/14
  • Android: 8/14

NB: passed on main May 27 https://app.bitrise.io/app/be69d4368ee7e86d/pipelines/4697868f-2919-4d5d-b643-a6a34cb7d3bc so currently expected

leotm avatar Jun 19 '25 14:06 leotm

https://bitrise.io/ Bitrise

✅✅✅ pr_smoke_e2e_pipeline passed on Bitrise! ✅✅✅

Commit hash: b70bd0e342a3f72465b20676b3ddf772042ec1bc Build link: https://app.bitrise.io/app/be69d4368ee7e86d/pipelines/67ac3cac-80c5-482f-bf99-7233cf87c537

[!NOTE]

  • You can kick off another pr_smoke_e2e_pipeline on Bitrise by removing and re-applying the Run Smoke E2E label on the pull request

github-actions[bot] avatar Jun 26 '25 16:06 github-actions[bot]

https://bitrise.io/ Bitrise

✅✅✅ pr_smoke_e2e_pipeline passed on Bitrise! ✅✅✅

Commit hash: 7981b5f3082655d8938b586ce233a0f1ce076cba Build link: https://app.bitrise.io/app/be69d4368ee7e86d/pipelines/487374e2-0f35-4631-9359-8d631ab7e1ab

[!NOTE]

  • You can kick off another pr_smoke_e2e_pipeline on Bitrise by removing and re-applying the Run Smoke E2E label on the pull request

github-actions[bot] avatar Jun 30 '25 10:06 github-actions[bot]

Bug: Metro Bundler Crashes on Missing Positional Arguments

The Metro configuration attempts to call .includes('android') on parsedArgs.positionals[0] without checking if the positional argument exists. If no positional arguments are provided (e.g., when running expo start), parsedArgs.positionals[0] will be undefined, resulting in a TypeError that crashes the Metro bundler.

metro.config.js#L27-L30 Fix in Cursor

Was this report helpful? Give feedback by reacting with 👍 or 👎

Screenshot 2025-07-02 at 2 56 51 pm

our Cursor system prompt is either too lazy or overly confident atm, resulting in false bug reports ⚠️

however it's worth guarding against undefined anyway to be on the safe side cursor suggests logical operator && however we support optional chaining (since TS 3.7) so parsedArgs.positionals[0]?.includes('android'); is nicer ✅

(legit feedback on draft PRs would be ideal too to catch things earlier)

leotm avatar Jul 02 '25 14:07 leotm

merge conflict resolved: app/components/Views/Settings/ExperimentalSettings/snapshots/index.test.tsx.snap

flakey CI (test:tgz-check, unit-tests (10)) https://github.com/MetaMask/metamask-mobile/actions/runs/16075406159/attempts/1?pr=16341 resolved with remote reruns, passing locally

Screenshot 2025-07-04 at 4 52 15 pm

leotm avatar Jul 04 '25 15:07 leotm

https://bitrise.io/ Bitrise

❌❌❌ pr_smoke_e2e_pipeline failed on Bitrise! ❌❌❌

Commit hash: 431a97e98fc487588e678ec826ea30f786a391ee Build link: https://app.bitrise.io/app/be69d4368ee7e86d/pipelines/d72e08a6-74c1-48d1-82f7-dae28ae60c6d

[!NOTE]

  • You can kick off another pr_smoke_e2e_pipeline on Bitrise by removing and re-applying the Run Smoke E2E label on the pull request

[!TIP]

  • Check the documentation if you have any doubts on how to understand the failure on bitrise

All passing except 1 failure run_wallet_platform_swimlane_android_smoke, currently expected as failing on main

See: https://app.bitrise.io/app/be69d4368ee7e86d?workflow=pipeline-pr_smoke_e2e_pipeline&branch=main

github-actions[bot] avatar Jul 08 '25 16:07 github-actions[bot]

https://bitrise.io/ Bitrise

❌❌❌ pr_smoke_e2e_pipeline failed on Bitrise! ❌❌❌

Commit hash: c74d8d0a2c76bd59bbfc12f3f025457410c10d6a Build link: https://app.bitrise.io/app/be69d4368ee7e86d/pipelines/146c3dba-c4fc-4f21-910f-aea530b3db73

[!NOTE]

  • You can kick off another pr_smoke_e2e_pipeline on Bitrise by removing and re-applying the Run Smoke E2E label on the pull request

[!TIP]

  • Check the documentation if you have any doubts on how to understand the failure on bitrise

All passing except 1 failure run_wallet_platform_swimlane_android_smoke, currently expected as failing on main

See: https://app.bitrise.io/app/be69d4368ee7e86d?workflow=pipeline-pr_smoke_e2e_pipeline&branch=main

github-actions[bot] avatar Jul 08 '25 17:07 github-actions[bot]

https://bitrise.io/ Bitrise

✅✅✅ pr_smoke_e2e_pipeline passed on Bitrise! ✅✅✅

Commit hash: 1fd2dd170ce16272b124685383f944bf704d7dcf Build link: https://app.bitrise.io/app/be69d4368ee7e86d/pipelines/2caf7571-9df8-448b-a8f6-7a002e93070a

[!NOTE]

  • You can kick off another pr_smoke_e2e_pipeline on Bitrise by removing and re-applying the Run Smoke E2E label on the pull request

github-actions[bot] avatar Jul 08 '25 18:07 github-actions[bot]

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

sonarqubecloud[bot] avatar Jul 08 '25 18:07 sonarqubecloud[bot]