devDeps: bump vite and webdriverio
- Bump `vite` from 4.4 to 4.5.
  - Closes:
    - https://github.com/advisories/GHSA-c24v-8rfc-w8vw
    - https://github.com/advisories/GHSA-92r3-m2mg-pj97
- Bump `vite-tsconfig-paths` from `^4.0.5` to `^4.3.1`
- Bump `@wdio/*` from `^8.19.0` to `^8.28.0`
  - Removes transitive dependency on `vite@~4.4.6`, deduping it
New and removed dependencies detected.
🚮 Removed packages: npm/@ljharb/[email protected], npm/@wdio/[email protected], npm/@wdio/[email protected], npm/@wdio/[email protected], npm/@wdio/[email protected], npm/@wdio/[email protected], npm/@wdio/[email protected], npm/@wdio/[email protected], npm/@wdio/[email protected], npm/@wdio/[email protected], npm/@wdio/[email protected], npm/@wdio/[email protected], npm/@wdio/[email protected], npm/@wdio/[email protected], npm/@wdio/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected]
🚨 Potential security issues detected.
To accept the risk, merge this PR and you will not be notified again.
| Alert | Package | Note |
|---|---|---|
| No contributors or author data | npm/@vitest/[email protected] | |
| New author | npm/[email protected] | |
Next steps
Why is contributor and author data important?
Package does not specify a list of contributors or an author in package.json.
Add an author field or a contributors array to package.json.
What is new author?
A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.
Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.
Take a deeper look at the dependency
Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.
Remove the package
If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.
Mark a package as acceptable risk
To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space-separated list of ecosystem/package-name@version specifiers, e.g. @SocketSecurity ignore npm/[email protected], or ignore all packages with @SocketSecurity ignore-all.
@SocketSecurity ignore npm/@vitest/[email protected]
@SocketSecurity ignore npm/[email protected]
Codecov Report
All modified and coverable lines are covered by tests :white_check_mark:
Comparison is base (cf1fa9a) 96.66% compared to head (246822f) 96.66%.
Additional details and impacted files
```
@@           Coverage Diff           @@
##             main    #2121   +/-   ##
=======================================
  Coverage   96.66%   96.66%
=======================================
  Files         312      312
  Lines        7042     7042
  Branches     1104     1104
=======================================
  Hits         6807     6807
  Misses        235      235
```
Looks good to me, but there's a lot of lint errors currently: https://github.com/MetaMask/snaps/actions/runs/7613049917/job/20732121835?pr=2121
Looks like the linter thinks we should await expectations in WDIO now 🤔 Did the API change without a major version bump? 🤔
> Looks good to me, but there's a lot of lint errors currently: https://github.com/MetaMask/snaps/actions/runs/7613049917/job/20732121835?pr=2121
> Looks like the linter thinks we should await expectations in WDIO now 🤔 Did the API change without a major version bump? 🤔
Somehow I am getting the same 319 errors when running `yarn && yarn lint` locally on current main (f1903db62c2f2dccbc5c39c7211dac0bcc9275b1)...
Did `rm -rf node_modules packages/*/dist` before.
We're not seeing the same linting errors in CI on main, though.
EDIT: nvm, it was a case of `.eslintcache` interfering - removing it gives consistent results again.
> Looks good to me, but there's a lot of lint errors currently: https://github.com/MetaMask/snaps/actions/runs/7613049917/job/20732121835?pr=2121
> Looks like the linter thinks we should await expectations in WDIO now 🤔 Did the API change without a major version bump? 🤔
@FrederikBolding: I see the errors crop up down to wdio 8.20. It turns out that on current snaps main and for older wdio versions, `expect` is typed as `jest.Expect`, whereas it now has a type that involves a Promise (`<Record<string, unknown>, void | Promise<void>>(actual: Record<string, unknown>) => ExpectWebdriverIO.Matchers<void | Promise<void>, Record<string, unknown>>`).
Haven't actually tracked down where that change is introduced, yet.
(see action results for each commit for reference: https://github.com/legobeat/snaps-monorepo/pull/10)
@wdio/browser-runner uses updated vite starting with v8.21.0.
This seems related: https://github.com/webdriverio/webdriverio/issues/11999
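As an added illustration of the type change discussed in this thread (example code, not from MetaMask/snaps or WebdriverIO), the block below builds a miniature `expect` whose matchers return a Promise, plus a tiny mocha/jest-style runner, and shows why an un-awaited expectation can never fail a test: the runner has already reported "pass" by the time the rejection arrives. The `createExpect`, `runTest`, `demo` names and the event log are assumptions made for the demo; it is written in plain JavaScript because the runtime behaviour, not the TypeScript type, is what the lint complaint protects against.

```javascript
// Added example, not code from MetaMask/snaps or WebdriverIO.
// Builds an `expect` whose matchers return Promise<void>, like the WDIO type
// quoted above, and records the order in which failures become visible.

// `events` is a constructed log shared between the matcher and the demo so
// the ordering of "test reported X" and "expectation failed" is observable.
function createExpect(events) {
  return function expectAsync(actual) {
    return {
      // Resolves/rejects on a later tick, so nothing happens synchronously.
      toBe(expected) {
        const result = new Promise((resolve, reject) => {
          setTimeout(() => {
            if (Object.is(actual, expected)) resolve();
            else reject(new Error(`expected ${actual} to be ${expected}`));
          }, 0);
        });
        // Observe the rejection for the log without swallowing it for callers
        // that await `result`; in a real runner an un-awaited rejection would
        // surface only as an "unhandled rejection" after the test finished.
        result.catch((err) => events.push(`expectation failed: ${err.message}`));
        return result;
      },
    };
  };
}

// Minimal runner: a test fails only if its body throws synchronously or the
// promise it returns rejects. A body that returns undefined always passes.
async function runTest(body) {
  try {
    await body();
    return "pass";
  } catch {
    return "fail";
  }
}

// Runs the same wrong assertion twice, once without `await` and once with it,
// and returns both verdicts plus the event log.
async function demo() {
  const events = [];
  const expect = createExpect(events);

  // Forgot to await: the body returns undefined, so the runner sees no failure.
  const unawaited = await runTest(() => {
    expect(1).toBe(2); // this is the pattern the linter is flagging
  });
  events.push(`unawaited test reported: ${unawaited}`);

  // Awaited: the rejection propagates into the runner and the test fails.
  const awaited = await runTest(async () => {
    await expect("a").toBe("b");
  });
  events.push(`awaited test reported: ${awaited}`);

  return { unawaited, awaited, events };
}

// Stand-alone run: prints the verdicts and the event order.
demo().then((r) => console.log(r));
```

The event log makes the failure mode concrete: the un-awaited test is reported as a pass first, and its `expectation failed` entry only shows up afterwards, whereas the awaited variant logs the failure before the verdict. A test suite with many such un-awaited `expect` calls will stay green no matter what the browser actually does, which is why a type that now returns `Promise<void>` makes the lint rule worth keeping rather than silencing.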