Version v11.7.5 #22670

Merged: danjm merged 4 commits into master from Version-v11.7.5 on Jan 29, 2024

@danjm
Contributor

@danjm danjm commented Jan 26, 2024

No description provided.

FrederikBolding and others added 4 commits January 25, 2024 20:30
Bumps LavaMoat and SES to fix an issue with lockdown failing on Chrome
Canary, making the extension unable to boot.

This PR also re-applies a patch to `lavamoat-core` and deletes an
outdated patch to `@lavamoat/lavapack` that is not required anymore
since lavapack now defaults to relative paths.

---------

Co-authored-by: MetaMask Bot <metamaskbot@users.noreply.github.com>

The phishing warning page was unresponsive on Chrome v122. This update
resolves the issue.

See changelog for details:
https://github.com/MetaMask/phishing-warning/blob/main/CHANGELOG.md#303

Related to the issue described in #22533

1. Navigate to a blocked site
2. See that the phishing warning page shows up
3. Ensure that the three buttons/links work correctly ("report a
detection problem", "continue to the site", and "Back to safety")

Testing on Chrome Canary (v122) is recommended, that's the only browser
we've confirmed as not working previous to this PR.
@github-actions
Contributor

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

@danjm danjm mentioned this pull request Jan 26, 2024
@metamaskbot metamaskbot added the INVALID-PR-TEMPLATE PR's body doesn't match template label Jan 26, 2024
@socket-security

socket-security bot commented Jan 26, 2024

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring: npm/@babel/code-frame@7.22.13, npm/@babel/highlight@7.22.20, npm/@babel/parser@7.23.6, npm/@babel/traverse@7.23.7, npm/@babel/types@7.23.6, npm/@lavamoat/aa@4.0.1, npm/@lavamoat/allow-scripts@3.0.1, npm/@lavamoat/lavapack@6.0.2, npm/bin-links@4.0.3, npm/json-stable-stringify@1.0.2, npm/lavamoat-browserify@17.0.2, npm/lavamoat-core@15.1.1, npm/lavamoat-tofu@7.1.0, npm/lavamoat-viz@7.0.2, npm/lavamoat@8.0.2, npm/node-gyp-build@4.6.1, npm/type-fest@4.7.1

Next steps

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

@metamaskbot
Collaborator

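Builds ready [c63775a]

Page Load Metrics (433 ± 166 ms)

| Platform | Page | Metric | Min (ms) | Max (ms) | Average (ms) | StandardDeviation (ms) | MarginOfError (ms) |
| --- | --- | --- | --- | --- | --- | --- | --- |
| Chrome | Home | firstPaint | 84 | 129 | 103 | 15 | 7 |
| Chrome | Home | domContentLoaded | 66 | 125 | 94 | 17 | 8 |
| Chrome | Home | load | 78 | 949 | 433 | 347 | 166 |
| Chrome | Home | domInteractive | 66 | 125 | 94 | 17 | 8 |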

@danjm
Contributor Author

danjm commented Jan 26, 2024

@SocketSecurity ignore-all

The "new author" of the package mentioned is https://github.com/ljharb, and he is legit

@chloeYue
Contributor

Tested Wallet Chat snap and Wallet Guard snap on latest Chrome Canary. And also some basic send token and deploy contract functionalities. QA passed!

@danjm danjm marked this pull request as ready for review January 29, 2024 11:32
@danjm danjm requested review from a team as code owners January 29, 2024 11:32
@danjm
Contributor Author

danjm commented Jan 29, 2024

Chloe and I tested with success on Chrome Beta and Chrome Canary

@danjm danjm merged commit e9fb912 into master Jan 29, 2024
@danjm danjm deleted the Version-v11.7.5 branch January 29, 2024 11:33
@github-actions github-actions bot locked and limited conversation to collaborators Jan 29, 2024
@metamaskbot metamaskbot added the release-11.7.5 Issue or pull request that will be included in release 11.7.5 label Jan 31, 2024