metamask-mobile icon indicating copy to clipboard operation
metamask-mobile copied to clipboard
verified publisher icon MetaMask

release: 7.61.0

Open metamaskbot opened this issue 1 month ago • 6 comments

🚀 v7.61.0 Testing & Release Quality Process

Hi Team,
As part of our new MetaMask Release Quality Process, here’s a quick overview of the key processes, testing strategies, and milestones to ensure a smooth and high-quality deployment.

📋 Key Processes

Testing Strategy

  • Developer Teams:
    Conduct regression and exploratory testing for your functional areas, including automated and manual tests for critical workflows.
  • QA Team:
    Focus on exploratory testing across the wallet, prioritize high-impact areas, and triage any Sentry errors found during testing.
  • Customer Success Team:
    Validate new functionalities and provide feedback to support release monitoring.

GitHub Signoff

  • Each team must sign off on the Release Candidate (RC) via GitHub by the end of the validation timeline (Tuesday EOD PT).
  • Ensure all tests outlined in the Testing Plan are executed, and any identified issues are addressed.

Issue Resolution

  • Resolve all Release Blockers (Sev0 and Sev1) by Tuesday EOD PT.
  • For unresolved blockers, PRs may be reverted, or feature flags disabled to maintain release quality and timelines.

Cherry-Picking Criteria

  • Only critical fixes meeting outlined criteria will be cherry-picked.
  • Developers must ensure these fixes are thoroughly reviewed, tested, and merged by Tuesday EOD PT.

🗓️ Timeline and Milestones

  1. Today (Friday): Begin Release Candidate validation.
  2. Tuesday EOD PT: Finalize RC with all fixes and cherry-picks.
  3. Wednesday: Buffer day for final checks.
  4. Thursday: Submit release to app stores and begin rollout to 1% of users.
  5. Monday: Scale deployment to 10%.
  6. Tuesday: Full rollout to 100%.

✅ Signoff Checklist

Each team is responsible for signing off via GitHub. Use the checkbox below to track signoff completion:

Team sign-off checklist

  • [x] Accounts Framework
  • [x] Assets
  • [x] Bots Team
  • [x] Card
  • [ ] Confirmations
  • [x] Core Platform
  • [x] Design System
  • [x] Earn
  • [x] Extension Platform
  • [x] Mobile Platform
  • [x] Mobile UX
  • [x] Network Enablement
  • [ ] New Networks
  • [x] Onboarding
  • [ ] Perps
  • [ ] Predict
  • [ ] Product Safety
  • [x] Ramp
  • [x] Rewards
  • [ ] Swaps and Bridge
  • [x] Transactions
  • [x] Wallet Integrations
  • [x] Web3auth

This process is a major step forward in ensuring release stability and quality. Let’s stay aligned and make this release a success! 🚀

Feel free to reach out if you have questions or need clarification.

Many thanks in advance

Reference

  • Testing plan sheet - https://docs.google.com/spreadsheets/d/1tsoodlAlyvEUpkkcNcbZ4PM9HuC9cEM80RZeoVv5OCQ/edit?gid=404070372#gid=404070372

metamaskbot avatar Nov 27 '25 20:11 metamaskbot

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

github-actions[bot] avatar Nov 27 '25 20:11 github-actions[bot]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addednpm/​@​metamask/​profile-metrics-controller@​2.0.0741007392100
Updatednpm/​@​metamask/​snaps-rpc-methods@​14.1.0 ⏵ 14.1.199 -110076 -2497 -350 -50
Updatednpm/​@​metamask/​snaps-controllers@​16.1.1 ⏵ 17.0.098 +110076 +198 +150
Updatednpm/​@​metamask/​bridge-status-controller@​63.1.0 ⏵ 61.0.099 +11007898100
Updatednpm/​@​metamask/​seedless-onboarding-controller@​5.0.0 ⏵ 6.1.099 +110078 +196 +1100
Updatednpm/​@​metamask/​bridge-controller@​63.2.0 ⏵ 61.0.099 +11007998100
Updatednpm/​@​metamask/​transaction-pay-controller@​10.3.0 ⏵ 10.5.079 -2110079 -2197 -3100
Addednpm/​@​metamask/​delegation-deployments@​0.15.01001007993100
Updatednpm/​@​metamask/​tron-wallet-snap@​1.13.0 ⏵ 1.16.0100 +110080 +298 +1100
Updatednpm/​@​metamask/​transaction-controller@​62.4.0 ⏵ 62.6.096 -410081 -1998 -2100
Updatednpm/​@​metamask/​bitcoin-wallet-snap@​1.8.0 ⏵ 1.7.0100 +110083 +198100
Addednpm/​expo-screen-orientation@​8.0.410010086100100
Updatednpm/​@​metamask/​keyring-api@​21.2.0 ⏵ 21.3.0100 +110010097 +150
Updatednpm/​@​metamask/​smart-transactions-controller@​20.1.0 ⏵ 21.0.0971001009550
Updatednpm/​@​metamask/​assets-controllers@​91.0.0 ⏵ 89.0.198 +110091 +198100
Updatednpm/​@​metamask/​stake-sdk@​3.3.0 ⏵ 3.4.0100 +110095 +193 +6100
Updatednpm/​@​nktkas/​hyperliquid@​0.25.9 ⏵ 0.27.199100100 +196 +1100
Addednpm/​eas-cli@​12.6.297100100100100

View full report

socket-security[bot] avatar Nov 27 '25 20:11 socket-security[bot]

[!CAUTION] MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action Severity Alert  (click "▶" to expand/collapse)
Block High
High CVE: Crash in HeaderParser in npm dicer

CVE: GHSA-wm7h-9275-46v2 Crash in HeaderParser in dicer (HIGH)

Affected versions: <= 0.3.1

Patched version: No patched versions

From: ?npm/[email protected]npm/[email protected]

ℹ Read more on: This package | This alert | What is a CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm @expo/config in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: ?npm/[email protected]npm/@expo/[email protected]

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@expo/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm @metamask/profile-metrics-controller in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: package.jsonnpm/@metamask/[email protected]

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm @metamask/remote-feature-flag-controller in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: ?npm/@metamask/[email protected]npm/@metamask/[email protected]

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm @metamask/transaction-pay-controller in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: package.jsonnpm/@metamask/[email protected]

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm @oclif/core in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: ?npm/[email protected]npm/@oclif/[email protected]

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@oclif/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
System shell access: npm @oclif/core in module child_process

Module: child_process

Location: Package overview

From: ?npm/[email protected]npm/@oclif/[email protected]

ℹ Read more on: This package | This alert | What is shell access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@oclif/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm @oclif/core in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: ?npm/[email protected]npm/@oclif/[email protected]

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@oclif/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm http-call in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: ?npm/[email protected]npm/[email protected]

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
System shell access: npm keychain in module child_process

Module: child_process

Location: Package overview

From: ?npm/[email protected]npm/[email protected]

ℹ Read more on: This package | This alert | What is shell access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
System shell access: npm osenv in module child_process

Module: child_process

Location: Package overview

From: ?npm/[email protected]npm/[email protected]

ℹ Read more on: This package | This alert | What is shell access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Publisher changed: npm @expo/json-file is now published by evanbacon instead of brentvatne

New Author: evanbacon

Previous Author: brentvatne

From: ?npm/[email protected]npm/@expo/[email protected]

ℹ Read more on: This package | This alert | What is new author?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@expo/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Publisher changed: npm @expo/plugin-help is now published by radoslawkrzemien instead of dsokal

New Author: radoslawkrzemien

Previous Author: dsokal

From: ?npm/[email protected]npm/@expo/[email protected]

ℹ Read more on: This package | This alert | What is new author?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@expo/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Publisher changed: npm @expo/plugin-warn-if-update-available is now published by radoslawkrzemien instead of dsokal

New Author: radoslawkrzemien

Previous Author: dsokal

From: ?npm/[email protected]npm/@expo/[email protected]

ℹ Read more on: This package | This alert | What is new author?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@expo/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Publisher changed: npm @expo/spawn-async is now published by fson instead of dsokal

New Author: fson

Previous Author: dsokal

From: ?npm/[email protected]npm/@expo/[email protected]

ℹ Read more on: This package | This alert | What is new author?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@expo/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Publisher changed: npm asn1 is now published by bahamat instead of melloc

New Author: bahamat

Previous Author: melloc

From: ?npm/[email protected]npm/[email protected]

ℹ Read more on: This package | This alert | What is new author?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Publisher changed: npm hosted-git-info is now published by nlf instead of isaacs

New Author: nlf

Previous Author: isaacs

From: ?npm/[email protected]npm/[email protected]

ℹ Read more on: This package | This alert | What is new author?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Publisher changed: npm is-retry-allowed is now published by sindresorhus instead of floatdrop

New Author: sindresorhus

Previous Author: floatdrop

From: ?npm/[email protected]npm/[email protected]

ℹ Read more on: This package | This alert | What is new author?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Publisher changed: npm jsonwebtoken is now published by julien.wollscheid instead of ziluvatar

New Author: julien.wollscheid

Previous Author: ziluvatar

From: ?npm/[email protected]npm/[email protected]

ℹ Read more on: This package | This alert | What is new author?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Publisher changed: npm validate-npm-package-name is now published by chrisdickinson instead of zkat

New Author: chrisdickinson

Previous Author: zkat

From: ?npm/[email protected]npm/[email protected]

ℹ Read more on: This package | This alert | What is new author?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm @oclif/screen

Reason: Package no longer supported. Contact Support at https://www.npmjs.com/support for more info.

From: ?npm/[email protected]npm/@oclif/[email protected]

ℹ Read more on: This package | This alert | What is a deprecated package?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@oclif/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm osenv

Reason: This package is no longer supported.

From: ?npm/[email protected]npm/[email protected]

ℹ Read more on: This package | This alert | What is a deprecated package?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm domino is 100.0% likely to have a medium risk anomaly

Notes: This code contains legitimate but risky JavaScript patterns used for DOM simulation. While it uses dangerous features like eval() and 'with' statements, it appears to be intentional library functionality rather than malicious code. However, it poses security risks if user-controlled input reaches these functions without proper sanitization.

Confidence: 1.00

Severity: 0.60

From: ?npm/[email protected]npm/[email protected]

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

socket-security[bot] avatar Nov 27 '25 20:11 socket-security[bot]

Codecov Report

:x: Patch coverage is 85.96882% with 63 lines in your changes missing coverage. Please review. :white_check_mark: Project coverage is 78.57%. Comparing base (82c6b44) to head (88b7cbe). :warning: Report is 1467 commits behind head on stable.

Files with missing lines Patch % Lines
app/components/UI/AssetOverview/AssetOverview.tsx 30.76% 13 Missing and 5 partials :warning:
...p/components/UI/Bridge/hooks/useTopTokens/index.ts 63.15% 1 Missing and 6 partials :warning:
...mponents/TransactionDetails/TransactionDetails.tsx 40.00% 3 Missing and 3 partials :warning:
...e/components/QuoteDetailsCard/QuoteDetailsCard.tsx 78.26% 1 Missing and 4 partials :warning:
...ponents/UI/Bridge/components/SwapsKeypad/index.tsx 80.00% 4 Missing :warning:
app/components/Nav/Main/MainNavigator.js 70.00% 3 Missing :warning:
...pp/components/UI/AssetOverview/Balance/Balance.tsx 0.00% 1 Missing and 2 partials :warning:
...omponents/UI/Bridge/hooks/useRewards/useRewards.ts 90.00% 3 Missing :warning:
...nergyBandwidthDetail/TronEnergyBandwidthDetail.tsx 71.42% 0 Missing and 2 partials :warning:
...ridge/components/BridgeDestTokenSelector/index.tsx 77.77% 0 Missing and 2 partials :warning:
... and 8 more
Additional details and impacted files 
@@            Coverage Diff             @@
##           stable   #23381      +/-   ##
==========================================
+ Coverage   76.32%   78.57%   +2.24%     
==========================================
  Files        3288     4004     +716     
  Lines       79709   104343   +24634     
  Branches    14545    20874    +6329     
==========================================
+ Hits        60841    81985   +21144     
- Misses      14879    16662    +1783     
- Partials     3989     5696    +1707

:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.

:rocket: New features to boost your workflow:
  • :snowflake: Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • :package: JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

codecov-commenter avatar Dec 01 '25 21:12 codecov-commenter

Missing release label release-7.60.3 on PR. Adding release label release-7.60.3 on PR and removing other release labels(release-7.61.0), as PR was added to branch 7.60.3 when release was cut.

metamaskbot avatar Dec 12 '25 21:12 metamaskbot

Missing release label release-7.60.2 on PR. Adding release label release-7.60.2 on PR and removing other release labels(release-7.61.0), as PR was added to branch 7.60.2 when release was cut.

metamaskbot avatar Dec 12 '25 21:12 metamaskbot

Missing release label release-7.60.4 on PR. Adding release label release-7.60.4 on PR and removing other release labels(release-7.61.0), as PR was added to branch 7.60.4 when release was cut.

metamaskbot avatar Dec 12 '25 21:12 metamaskbot

Missing release label release-7.60.3 on PR. Adding release label release-7.60.3 on PR and removing other release labels(release-7.61.0), as PR was added to branch 7.60.3 when release was cut.

metamaskbot avatar Dec 12 '25 21:12 metamaskbot

Missing release label release-7.60.3 on PR. Adding release label release-7.60.3 on PR and removing other release labels(release-7.61.0), as PR was added to branch 7.60.3 when release was cut.

metamaskbot avatar Dec 12 '25 21:12 metamaskbot

Missing release label release-7.60.4 on PR. Adding release label release-7.60.4 on PR and removing other release labels(release-7.61.0), as PR was added to branch 7.60.4 when release was cut.

metamaskbot avatar Dec 12 '25 21:12 metamaskbot

Missing release label release-7.60.3 on PR. Adding release label release-7.60.3 on PR and removing other release labels(release-7.61.0), as PR was added to branch 7.60.3 when release was cut.

metamaskbot avatar Dec 12 '25 22:12 metamaskbot

Missing release label release-7.60.4 on PR. Adding release label release-7.60.4 on PR and removing other release labels(release-7.61.0), as PR was added to branch 7.60.4 when release was cut.

metamaskbot avatar Dec 12 '25 22:12 metamaskbot

Missing release label release-7.60.2 on PR. Adding release label release-7.60.2 on PR and removing other release labels(release-7.61.0), as PR was added to branch 7.60.2 when release was cut.

metamaskbot avatar Dec 12 '25 22:12 metamaskbot

Missing release label release-7.60.3 on PR. Adding release label release-7.60.3 on PR and removing other release labels(release-7.61.0), as PR was added to branch 7.60.3 when release was cut.

metamaskbot avatar Dec 12 '25 22:12 metamaskbot

Missing release label release-7.60.3 on PR. Adding release label release-7.60.3 on PR and removing other release labels(release-7.61.0), as PR was added to branch 7.60.3 when release was cut.

metamaskbot avatar Dec 12 '25 22:12 metamaskbot

Missing release label release-7.60.4 on PR. Adding release label release-7.60.4 on PR and removing other release labels(release-7.61.0), as PR was added to branch 7.60.4 when release was cut.

metamaskbot avatar Dec 12 '25 22:12 metamaskbot

More than one release label on PR. Keeping the lowest one (release-7.60.2) on PR and removing other release labels (release-7.60.3,release-7.60.4,release-7.61.0).

metamaskbot avatar Dec 12 '25 23:12 metamaskbot

More than one release label on PR. Keeping the lowest one (release-7.60.2) on PR and removing other release labels (release-7.60.3,release-7.60.4,release-7.61.0).

metamaskbot avatar Dec 12 '25 23:12 metamaskbot

More than one release label on PR. Keeping the lowest one (release-7.60.2) on PR and removing other release labels (release-7.60.3,release-7.60.4,release-7.61.0).

metamaskbot avatar Dec 12 '25 23:12 metamaskbot

More than one release label on PR. Keeping the lowest one (release-7.60.2) on PR and removing other release labels (release-7.60.3,release-7.60.4,release-7.61.0).

metamaskbot avatar Dec 12 '25 23:12 metamaskbot

More than one release label on PR. Keeping the lowest one (release-7.60.2) on PR and removing other release labels (release-7.60.3,release-7.60.4,release-7.61.0).

metamaskbot avatar Dec 12 '25 23:12 metamaskbot

More than one release label on PR. Keeping the lowest one (release-7.60.2) on PR and removing other release labels (release-7.60.3,release-7.60.4,release-7.61.0).

metamaskbot avatar Dec 12 '25 23:12 metamaskbot

More than one release label on PR. Keeping the lowest one (release-7.60.2) on PR and removing other release labels (release-7.60.3,release-7.60.4,release-7.61.0).

metamaskbot avatar Dec 12 '25 23:12 metamaskbot

More than one release label on PR. Keeping the lowest one (release-7.60.2) on PR and removing other release labels (release-7.60.3,release-7.60.4,release-7.61.0).

metamaskbot avatar Dec 12 '25 23:12 metamaskbot

More than one release label on PR. Keeping the lowest one (release-7.60.2) on PR and removing other release labels (release-7.60.3,release-7.60.4,release-7.61.0).

metamaskbot avatar Dec 12 '25 23:12 metamaskbot

More than one release label on PR. Keeping the lowest one (release-7.60.2) on PR and removing other release labels (release-7.60.3,release-7.60.4,release-7.61.0).

metamaskbot avatar Dec 12 '25 23:12 metamaskbot

More than one release label on PR. Keeping the lowest one (release-7.60.2) on PR and removing other release labels (release-7.60.3,release-7.60.4,release-7.61.0).

metamaskbot avatar Dec 12 '25 23:12 metamaskbot

More than one release label on PR. Keeping the lowest one (release-7.60.2) on PR and removing other release labels (release-7.61.0).

metamaskbot avatar Dec 13 '25 01:12 metamaskbot

More than one release label on PR. Keeping the lowest one (release-7.60.2) on PR and removing other release labels (release-7.61.0).

metamaskbot avatar Dec 13 '25 01:12 metamaskbot

More than one release label on PR. Keeping the lowest one (release-7.60.2) on PR and removing other release labels (release-7.61.0).

metamaskbot avatar Dec 13 '25 01:12 metamaskbot