deps: Update @metamask/post-message-stream and dependents

[brad-decker]

Description

1. Updates @metamask/post-message-stream to 7.0.0
2. Updates @metamask/phishin-warning to 3.0.0 (which eliminates dependencies on post-message-stream 6.2.0)

Related issues

Fixes: #21653

Manual testing steps

1. No functional changes expected. Verify tests pass.

Screenshots/Recordings

Before

After

Pre-merge author checklist

• I’ve followed MetaMask Coding Standards.
• I've clearly explained what problem this PR is solving and how it is solved.
• I've linked related issues
• I've included manual testing steps
• I've included screenshots/recordings if applicable
• I’ve included tests if applicable
• I’ve documented my code using JSDoc format if applicable
• I’ve applied the right labels on the PR (see labeling guidelines). Not required for external contributors.
• I’ve properly set the pull request status:
  • In case it's not yet "ready for review", I've set it to "draft".
  • In case it's "ready for review", I've changed it from "draft" to "non-draft".

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

[brad-decker]

@metamaskbot update-policies

[metamaskbot]

Policies updated

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (3e81e01) 68.61% compared to head (b077452) 68.61%.
Report is 6 commits behind head on develop.

Additional details and impacted files

@@           Coverage Diff            @@
##           develop   #21651   +/-   ##
========================================
  Coverage    68.61%   68.61%           
========================================
  Files         1045     1045           
  Lines        41611    41611           
  Branches     11111    11111           
========================================
  Hits         28550    28550           
  Misses       13061    13061           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[metamaskbot]

Builds ready [e1ea736]

• builds: chrome, firefox
• builds (beta): chrome
• builds (flask): chrome, firefox
• builds (MMI): chrome, firefox
• builds (test): chrome, firefox
• builds (test-flask): chrome, firefox
• build viz: Build System
• mv3: Background Module Init Stats
• mv3: UI Init Stats
• mv3: Module Load Stats
• mv3: Bundle Size Stats
• mv2: E2e Actions Stats
• code coverage: Report
• storybook: Storybook
• typescript migration: Dashboard
• all artifacts
• bundle viz:

  • background: 0, 1, 2, 3, 4, 5
  • common: 0, 1, 2, 3, 4, 5, 6
  • content-script: 0
  • contentscript: contentscript
  • disable-console: disable-console
  • inpage: inpage
  • policy-load: policy-load
  • sentry-install: sentry-install
  • ui: 0, 1, 10, 11, 12, 13, 2, 3, 4, 5, 6, 7, 8, 9

Page Load Metrics (1400 ± 268 ms)

Platform	Page	Metric	Min (ms)	Max (ms)	Average (ms)	StandardDeviation (ms)	MarginOfError (ms)
Chrome	Home	firstPaint	82	138	95	13	6
		domContentLoaded	71	134	90	13	6
		load	82	1895	1400	557	268
		domInteractive	71	134	89	13	6

Bundle size diffs [🚨 Warning! Bundle size has increased!]

• background: -70 Bytes (-0.00%)
• ui: 0 Bytes (0.00%)
• common: 12.39 KiB (0.26%)

[legobeat]

Note that 6.0.0 is still pulled in through @metamask/phishing-warning.

MetaMask/phishing-warning#104 (comment)

[brad-decker]

@legobeat should that block this?

[legobeat]

@legobeat should that block this?

I have not looked deeply enough into precisely how the stream API is used extension to say for sure. Someone who is more familiar might be able to say "this is fine anyway". Behavioral changes in differences are summarized here FWIW. This may or may not be relevant for usage here.

Keeping them aligned should be safer and preferred, in any case.

[brad-decker]

I am fairly confident that the two places we directly import this dependency in the extension are not affected by the breaking changes, the main one that I think could affect it is the upgrade of readable-stream. However, The phishing page is under E2E test so I feel confident that this isn't breaking due to a mismatch here. I do think we should prioritize the upgrade of the phishing-controller dependency. Ill wait for others to chime in on this and add the do-not-merge flag until a decision is reached.

[Mrtenz]

Looks good to me, but I don't know if this would affect @metamask/phishing-warning in some way.

[brad-decker]

@metamaskbot update-policies

[brad-decker]

@metamaskbot update-policies

[socket-security]

Updated dependencies detected. Learn more about Socket for GitHub ↗︎

Packages	Version	New capabilities	Transitives	Size	Publisher
@metamask/phishing-warning	2.1.0...3.0.0	None	+1/-0	1.71 MB

[socket-security]

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

Issue	Package	Version	Note	Source
Unpublished package	@metamask/phishing-warning	3.0.0	Version: Invalid Date	package.json

Next steps

What are unpublished packages?

Package version was not found on the registry. It may exist on a different registry and need to be configured to pull from that registry.

Packages can be removed from the registry by manually un-publishing, a security issue removal, or may simply never have been published to the registry. Reliance on these packages will cause problem when they are not found.

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@* or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore @metamask/phishing-warning@3.0.0

[metamaskbot]

Policies updated

[metamaskbot]

Policies updated

[brad-decker]

@SocketSecurity ignore @metamask/phishing-warning@3.0.0

[metamaskbot]

Builds ready [b077452]

• builds: chrome, firefox
• builds (beta): chrome
• builds (flask): chrome, firefox
• builds (MMI): chrome, firefox
• builds (test): chrome, firefox
• builds (test-flask): chrome, firefox
• build viz: Build System
• mv3: Background Module Init Stats
• mv3: UI Init Stats
• mv3: Module Load Stats
• mv3: Bundle Size Stats
• mv2: E2e Actions Stats
• code coverage: Report
• storybook: Storybook
• typescript migration: Dashboard
• all artifacts
• bundle viz:

  • background: 0, 1, 2, 3, 4, 5
  • common: 0, 1, 2, 3, 4, 5, 6
  • content-script: 0
  • contentscript: contentscript
  • disable-console: disable-console
  • inpage: inpage
  • policy-load: policy-load
  • sentry-install: sentry-install
  • ui: 0, 1, 10, 11, 12, 13, 2, 3, 4, 5, 6, 7, 8, 9

Page Load Metrics (578 ± 264 ms)

Platform	Page	Metric	Min (ms)	Max (ms)	Average (ms)	StandardDeviation (ms)	MarginOfError (ms)
Chrome	Home	firstPaint	80	111	92	8	4
		domContentLoaded	68	109	83	10	5
		load	76	1302	578	549	264
		domInteractive	68	109	83	10	5

Bundle size diffs [🚨 Warning! Bundle size has increased!]

• background: -70 Bytes (-0.00%)
• ui: 0 Bytes (0.00%)
• common: 12.43 KiB (0.26%)