fix(deps): Bump @metamask/eth-json-rpc-middleware to ^14.0.0, @metamask/transaction-controller to ^35.1.1

[MajorLift]

Description

Updates @metamask/eth-json-rpc-middleware from ^12.1.1 to ^14.0.0.

• This version bump comes with a large number of regressions, most of them type errors.
• This is because the package's dependencies are also updated by multiple major versions, and the changes include improved, stricter types (especially in @metamask/utils).

Related issues

• Closes chore(deps): Bump @metamask/eth-json-rpc-middleware from ^12.1.1 to ^14.0.0 #26287
• Blocks:
  • https://github.com/MetaMask/MetaMask-planning/issues/2991
  • https://github.com/MetaMask/MetaMask-planning/issues/2810
  • [Bug]: PPOM - extension crashes with a error when performing Malicious permit with integer address  #25733

Changelog

Added

• Add and export PPOMMiddlewareRequest type for JsonRpcRequest types that include the securityAlertResponse property.
  • securityAlertResponse is defined as both optional and nullable.
• Add PPOMRequest type for eth-sendTransaction requests.

Changed

• BREAKING: Bump @metamask/eth-json-rpc-middleware from ^12.1.1 to ^14.0.0.
• BREAKING: Bump @metamask/transaction-controller from ^34.0.0 to ^35.1.1.
• BREAKING: Redefine SecurityAlertsAPIRequest as a JsonRpcRequest type that accepts unknown[] as its params type.
• Widen the request parameters of the functions validateWithController and validateWithAPI to include SecurityAlertsAPIRequest.
• Bump @trezor/connect-web from 9.2.2 to 9.3.0.

Fixed

• BREAKING: Narrow Params generic parameter of createPPOMMiddleware function from JsonRpcParams to (string | { to: string })[].
• Add Params generic parameter to handleSnapRequest function, which defaults to JsonRpcParams.
  • handleSnapRequest can now be typed correctly with any params object.

Security

• BREAKING: Typed signature validation only replaces 0X prefix with 0x, and contract address normalization is removed for decimal and octal values.
  • Threat actors have been manipulating eth_signTypedData_v4 fields to cause failures in blockaid's detectors.
  • Extension crashes with an error when performing Malicious permit with a non-0x prefixed integer address.
  • This fixes an issue where the key value row or petname component disappears if a signed address is prefixed by "0X" instead of "0x".

Manual testing steps

Screenshots/Recordings

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Extension Coding Standards.
• I've completed the PR template to the best of my ability
• I’ve included tests if applicable
• I’ve documented my code using JSDoc format if applicable
• I’ve applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[legobeat]

As this is updating transitive @metamask/eth-block-tracker from v9 to v11, I guess it makes sense to look at updating to that in general?

Related (blocking? not sure):

• feat: retrieve global provider and block tracker dynamically core#4359
• deps(transaction-controller): @metamask/nonce-tracker@^5.0.0->^6.0.0 core#4327

[MajorLift]

@SocketSecurity ignore npm/@storybook/addon-actions@7.6.20, npm/@storybook/addon-docs@7.6.20, npm/@storybook/blocks@7.6.20, npm/@storybook/channels@7.6.20, npm/@storybook/client-logger@7.6.20, npm/@storybook/components@7.6.20, npm/@storybook/core-client@7.6.20, npm/@storybook/core-common@7.6.20, npm/@storybook/core-events@7.6.20, npm/@storybook/csf-plugin@7.6.20, npm/@storybook/csf-tools@7.6.20, npm/@storybook/docs-tools@7.6.20, npm/@storybook/manager-api@7.6.20, npm/@storybook/node-logger@7.6.20, npm/@storybook/postinstall@7.6.20, npm/@storybook/preview-api@7.6.20, npm/@storybook/react-dom-shim@7.6.20, npm/@storybook/react@7.6.20, npm/@storybook/router@7.6.20, npm/@storybook/theming@7.6.20, npm/@storybook/types@7.6.20

@storybook

[MajorLift]

@SocketSecurity ignore npm/@metamask/eth-block-tracker@11.0.1, npm/lavamoat-core@15.4.0, npm/lavamoat-tofu@7.3.0

Internal packages

[MajorLift]

@SocketSecurity ignore npm/diff@5.2.0
benign author change

[metamaskbot]

Builds ready [3c40934]

• builds: chrome, firefox
• builds (beta): chrome
• builds (flask): chrome, firefox
• builds (MMI): chrome, firefox
• builds (test): chrome, firefox
• builds (test-flask): chrome, firefox
• build viz: Build System
• mv3: Background Module Init Stats
• mv3: UI Init Stats
• mv3: Module Load Stats
• mv3: Bundle Size Stats
• mv2: E2e Actions Stats
• code coverage: Report
• storybook: Storybook
• typescript migration: Dashboard
• all artifacts
• bundle viz:

  • background: 0, 1, 2, 3, 4, 5
  • common: 0, 1, 10, 11, 2, 3, 4, 5, 6, 7, 8, 9
  • content-script: 0
  • offscreen: 0
  • ui: 0, 1, 10, 11, 2, 3, 4, 5, 6, 7, 8, 9

Page Load Metrics (86 ± 20 ms)

Platform	Page	Metric	Min (ms)	Max (ms)	Average (ms)	StandardDeviation (ms)	MarginOfError (ms)
Chrome	Home	firstPaint	63	269	111	43	21
		domContentLoaded	41	240	82	43	21
		load	48	241	86	41	20
		domInteractive	10	147	34	31	15

Bundle size diffs [🚨 Warning! Bundle size has increased!]

• background: 192.1 KiB (5.77%)
• ui: 120 Bytes (0.00%)
• common: 207.83 KiB (2.64%)

[MajorLift]

@legobeat I bumped @metamask/transaction-controller to latest (3c40934), but it looks like there are additional blockers for this:

• @metamask/eth-token-tracker@9.0.0 is on @metamask/eth-block-tracker@10.0.0
• @metamask/network-controller@20.2.0 is on @metamask/eth-block-tracker@9.0.3

Given that we might not have time to fully upgrade eth-block-tracker in this PR (it needs to be merged urgently), how would you feel about extracting the transaction-controller version bump to a separate ticket?

[MajorLift]

@bschorchit Thanks for checking in on this. We're just waiting on review and approval especially from codeowners.

I just bumped this to priority-2 priority-1 on the PR review queue, and I'll make a post today requesting another round of reviews.

[gantunesr]

Approved for team-accounts.

Files reviewed,

• app/scripts/lib/accounts/BalancesController.ts
• app/scripts/lib/snap-keyring/snap-keyring.test.ts

[hmalik88]

Suggested change

	const PREINSTALLED_SNAPS = Object.freeze<PreinstalledSnap[]>([
	const PREINSTALLED_SNAPS = Object.freeze<ReadOnlyArray<PreinstalledSnap>>([

Can we do this instead since before the type was readonly?

[MajorLift]

This would be redundant since the return type of Object.freeze<T> is readonly T. By hovering over PREINSTALLED_SNAPS, you can verify that its type is readonly PreinstalledSnap[] like before.

If we want to be extra careful about validating the type maybe we could add a satisfies clause to replace the type annotation that was originally there?

diff --git a/app/scripts/snaps/preinstalled-snaps.ts b/app/scripts/snaps/preinstalled-snaps.ts
index 6be0bb7f35..95b9c54e69 100644
--- a/app/scripts/snaps/preinstalled-snaps.ts
+++ b/app/scripts/snaps/preinstalled-snaps.ts
@@ -10,6 +10,6 @@ const PREINSTALLED_SNAPS = Object.freeze<PreinstalledSnap[]>([
   ///: BEGIN:ONLY_INCLUDE_IF(build-flask)
   BitcoinWalletSnap as unknown as PreinstalledSnap,
   ///: END:ONLY_INCLUDE_IF
-]);
+]) satisfies readonly PreinstalledSnap[];
 
 export default PREINSTALLED_SNAPS;

[daniela2000111]

Bug report

[MajorLift]

@daniela2000111 Is there a bug related to the changes in preinstalled-snaps.ts?

[hmalik88]

Ah yes that's correct! Fine to leave as is :)

[hmalik88]

Curious about this bug report ^

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
1 Accepted issue

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[MajorLift]

@k-g-j I removed an as unknown as cast introduced in #26402 while merging develop into this branch.

[metamaskbot]

Builds ready [4d13778]

• builds: chrome, firefox
• builds (beta): chrome
• builds (flask): chrome, firefox
• builds (MMI): chrome, firefox
• builds (test): chrome, firefox
• builds (test-flask): chrome, firefox
• build viz: Build System
• mv3: Background Module Init Stats
• mv3: UI Init Stats
• mv3: Module Load Stats
• mv3: Bundle Size Stats
• mv2: E2e Actions Stats
• code coverage: Report
• storybook: Storybook
• typescript migration: Dashboard
• all artifacts
• bundle viz:

  • background: 0, 1, 2, 3, 4, 5
  • common: 0, 1, 10, 11, 2, 3, 4, 5, 6, 7, 8, 9
  • content-script: 0
  • offscreen: 0
  • ui: 0, 1, 10, 11, 2, 3, 4, 5, 6, 7, 8, 9

Page Load Metrics (67 ± 7 ms)

Platform	Page	Metric	Min (ms)	Max (ms)	Average (ms)	StandardDeviation (ms)	MarginOfError (ms)
Chrome	Home	firstPaint	64	149	95	23	11
		domContentLoaded	41	94	63	15	7
		load	45	101	67	15	7
		domInteractive	9	62	27	14	7

Bundle size diffs [🚨 Warning! Bundle size has increased!]

• background: 192.1 KiB (5.72%)
• ui: 120 Bytes (0.00%)
• common: 208.37 KiB (2.54%)

[legobeat]

@legobeat I bumped @metamask/transaction-controller to latest (3c40934), but it looks like there are additional blockers for this:

* `@metamask/eth-token-tracker@9.0.0` is on `@metamask/eth-block-tracker@10.0.0`

* `@metamask/network-controller@20.2.0` is on `@metamask/eth-block-tracker@9.0.3`

Given that we might not have time to fully upgrade eth-block-tracker in this PR (it needs to be merged urgently), how would you feel about extracting the transaction-controller version bump to a separate ticket?

• FWIW, existing PR bumping network-controller to be in line would resolve the above, I believe: deps(network-controller): @metamask/eth-block-tracker@^9.0.3->^10.0.0 core#4424
  It has just been rebased.

• Also related: feat: upgrade network controller to v20 #26150

[legobeat]

@SocketSecurity ignore npm/@storybook/addon-actions@7.6.20, npm/@storybook/addon-docs@7.6.20, npm/@storybook/blocks@7.6.20, npm/@storybook/channels@7.6.20, npm/@storybook/client-logger@7.6.20, npm/@storybook/components@7.6.20, npm/@storybook/core-client@7.6.20, npm/@storybook/core-common@7.6.20, npm/@storybook/core-events@7.6.20, npm/@storybook/csf-plugin@7.6.20, npm/@storybook/csf-tools@7.6.20, npm/@storybook/docs-tools@7.6.20, npm/@storybook/manager-api@7.6.20, npm/@storybook/node-logger@7.6.20, npm/@storybook/postinstall@7.6.20, npm/@storybook/preview-api@7.6.20, npm/@storybook/react-dom-shim@7.6.20, npm/@storybook/react@7.6.20, npm/@storybook/router@7.6.20, npm/@storybook/theming@7.6.20, npm/@storybook/types@7.6.20

@storybook

@MajorLift What is the context behind bumping some @storybook/ packages from 7.6.19 to 7.6.20 as part of this PR?

There are still 7.6.19 versions remaining through transitive pins, with many now being duplicated. Would either of these options be reasonable?

1. Revert @storybook/ bumps in lockfile in this PR to stay on 7.6.19 for the time being
2. Break out full 7.6.20 upgrade in a separate PR

[metamaskbot]

More than one release label on PR. Keeping the lowest one (release-12.1.0) on PR and removing other release labels (release-12.5.0).