feat: Install perps-controller v1, remove local mocked alias

[gambinish]

Description

Installs perps-controller v1 package as a dependency, removes aliased local mock. Update import paths as necessary to satisfy lint configuartions related to local vs imported modules.

Broken out from feature branch for easier review: #40078

Changelog

CHANGELOG entry: Install perps-controller v1, remove local mocked alias

Related issues

Fixes:

Manual testing steps

1. Go to this page...

Screenshots/Recordings

Before

After

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Extension Coding Standards.
• I've completed the PR template to the best of my ability
• I’ve included tests if applicable
• I’ve documented my code using JSDoc format if applicable
• I’ve applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---

Note

Medium Risk
Adds a new core dependency (@metamask/perps-controller) plus multiple ESM/transpilation and Yarn resolution changes, which can impact build/test bundling behavior. Risk is mainly around module resolution/compatibility rather than runtime logic changes.

Overview
This PR switches Perps UI integration from a locally-aliased mock @metamask/perps-controller to the real published @metamask/perps-controller@^1.0.0, updating TypeScript/Jest/webpack path mappings accordingly.

To support the controller’s ESM-heavy dependency tree, it expands the build transpilation allowlist (e.g., valibot, @nktkas/*, @myx-trade/*, lodash-es, wretch) and adds Yarn pinning/age-gate exceptions (including a temporary preapproval for @myx-trade/sdk). It also introduces MM_PERPS_BLOCKED_REGIONS as a build-time env var for a perps geoblock fallback.

^{Written by Cursor Bugbot for commit 59ddb67. This will update automatically on new commits. Configure here.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​metamask/​perps-controller@​1.0.1
	ws@​8.19.0
	viem@​2.44.4 ⏵ 2.47.0	-1		+1

View full report

[socket-security]

Caution

MetaMask internal reviewing guidelines:

• Do not ignore-all
• Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
• Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
  @SocketSecurity ignore npm/PACKAGE@VERSION

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Obfuscated code: npm @myx-trade/sdk is 98.0% likely obfuscated Confidence: 0.98 Location: Package overview From: ? → npm/@metamask/perps-controller@1.0.1 → npm/@myx-trade/sdk@0.1.267 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@myx-trade/sdk@0.1.267. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		System shell access: npm @inquirer/external-editor in module child_process Module: child_process Location: Package overview From: ? → npm/@metamask/perps-controller@1.0.1 → npm/@inquirer/external-editor@2.0.3 ℹ Read more on: This package | This alert | What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@inquirer/external-editor@2.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm @metamask/perps-controller in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: package.json → npm/@metamask/perps-controller@1.0.1 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/perps-controller@1.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm @nktkas/hyperliquid in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: ? → npm/@metamask/perps-controller@1.0.1 → npm/@nktkas/hyperliquid@0.30.3 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@nktkas/hyperliquid@0.30.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm ethers in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: ? → npm/@metamask/perps-controller@1.0.1 → npm/ethers@6.16.0 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ethers@6.16.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm ethers in module net Module: net Location: Package overview From: ? → npm/@metamask/perps-controller@1.0.1 → npm/ethers@6.16.0 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ethers@6.16.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm ethers in module http Module: http Location: Package overview From: ? → npm/@metamask/perps-controller@1.0.1 → npm/ethers@6.16.0 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ethers@6.16.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm ethers in module https Module: https Location: Package overview From: ? → npm/@metamask/perps-controller@1.0.1 → npm/ethers@6.16.0 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ethers@6.16.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm micro-eth-signer in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: ? → npm/@metamask/perps-controller@1.0.1 → npm/micro-eth-signer@0.18.1 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/micro-eth-signer@0.18.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm wretch in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: ? → npm/@metamask/perps-controller@1.0.1 → npm/wretch@2.11.1 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/wretch@2.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm ethers is 100.0% likely to have a medium risk anomaly Notes: The analyzed code fragment appears to be a conventional ABI interface utility (likely from a library like ethers.js) used to parse, encode, and decode Ethereum function calls, events, and errors. There is no evidence of malicious behavior such as data exfiltration, remote control, or code injection. Minor anomalies (typo in an error message and a partially commented/unfinished block) are present but do not constitute malicious activity. Overall security risk from this fragment is low, assuming it is used as intended within a trusted library context. Confidence: 1.00 Severity: 0.60 From: ? → npm/@metamask/perps-controller@1.0.1 → npm/ethers@6.16.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ethers@6.16.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[metamaskbotv2]

✨ Files requiring CODEOWNER review ✨

👨‍🔧 @MetaMask/extension-platform (1 files, +2 -0)

• 📄 .yarnrc.yml +2 -0

---

🕵️ @MetaMask/extension-privacy-reviewers (1 files, +1 -1)

• 📄 privacy-snapshot.json +1 -1

---

👨‍🔧 @MetaMask/perps (21 files, +44 -44)

• 📁 ui/
  • 📁 components/
    • 📁 app/
      • 📁 perps/
        • 📁 perps-candlestick-chart/
          • 📄 perps-candlestick-chart.tsx +1 -1
        • 📁 position-card/
          • 📄 position-card.test.tsx +1 -1
          • 📄 position-card.tsx +1 -1
        • 📁 utils/
          • 📄 transactionTransforms.test.ts +6 -6
          • 📄 transactionTransforms.ts +6 -6
          • 📄 mocks.ts +6 -6
  • 📁 hooks/
    • 📁 perps/
      • 📁 stream/
        • 📄 index.mock.ts +9 -9
        • 📄 usePerpsLiveAccount.ts +1 -1
        • 📄 usePerpsLiveCandles.ts +1 -1
        • 📄 usePerpsLiveFills.ts +1 -1
        • 📄 usePerpsLiveMarketData.ts +1 -1
        • 📄 usePerpsLiveOrderBook.ts +1 -1
        • 📄 usePerpsLiveOrders.ts +1 -1
        • 📄 usePerpsLivePositions.ts +1 -1
        • 📄 usePerpsLivePrices.ts +1 -1
        • 📄 usePerpsMarginCalculations.ts +1 -1
        • 📄 usePerpsOrderForm.ts +1 -1
        • 📄 usePerpsTransactionHistory.test.ts +1 -1
        • 📄 useUserHistory.test.ts +1 -1
        • 📄 useUserHistory.ts +1 -1
  • 📁 pages/
    • 📁 perps/
      • 📁 market-list/
        • 📄 index.tsx +1 -1

[metamaskbotv2]

Builds ready [2278e59]

• builds: chrome, firefox
• builds (beta): chrome, firefox
• builds (flask): chrome, firefox
• builds (test): chrome, firefox
• builds (test-flask): chrome, firefox
• bundle size: Bundle Size Stats
• interaction-benchmark: Interaction Stats
• storybook: Storybook
• typescript migration: Dashboard
• all artifacts
• bundle viz:

  • background: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
  • common: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19
  • ui: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21
  • content-script: 0
  • offscreen: 0

⚡ Performance Benchmarks

👆 Interaction Benchmarks

Benchmark	Metric	Mean (ms)	Min (ms)	Max (ms)	Std Dev (ms)	P75 (ms)	P95 (ms)
Load New Account	load_new_account	289	260	344	32	307	344
	total	289	260	344	32	307	344
Confirm Tx	confirm_tx	6039	6004	6066	22	6053	6066
	total	6039	6004	6066	22	6053	6066
Bridge User Actions	bridge_load_page	251	217	286	23	263	286
	bridge_load_asset_picker	166	148	194	19	181	194
	bridge_search_token	714	704	727	10	725	727
	total	1130	1104	1161	22	1145	1161

🔌 Startup Benchmarks

Benchmark	Metric	Mean (ms)	Min (ms)	Max (ms)	Std Dev (ms)	P75 (ms)	P95 (ms)
Standard Home	uiStartup	1489	1256	1937	108	1514	1694
	load	1229	1024	1631	95	1265	1390
	domContentLoaded	1222	1016	1611	94	1260	1382
	domInteractive	29	18	98	18	26	81
	firstPaint	210	75	1416	226	224	373
	backgroundConnect	217	199	268	13	220	245
	firstReactRender	21	13	144	13	21	33
	initialActions	1	0	13	2	1	3
	loadScripts	1021	813	1384	93	1063	1179
	setupStore	15	7	55	7	18	27
	numNetworkReqs	36	27	91	19	27	89
Power User Home	uiStartup	6131	2365	17860	2829	6810	12564
	load	1429	1123	2193	161	1499	1747
	domContentLoaded	1409	1118	2175	157	1452	1714
	domInteractive	46	22	317	46	40	153
	firstPaint	236	83	1813	223	283	401
	backgroundConnect	2475	367	14830	2571	3355	6620
	firstReactRender	29	20	53	6	33	38
	initialActions	1	0	5	1	1	3
	loadScripts	1162	919	1891	143	1185	1456
	setupStore	20	8	282	27	19	32
	numNetworkReqs	176	71	353	47	200	263

🧭 User Journey Benchmarks

Benchmark	Metric	Mean (ms)	Min (ms)	Max (ms)	Std Dev (ms)	P75 (ms)	P95 (ms)
Onboarding Import Wallet	importWalletToSocialScreen	221	220	221	1	221	221
	srpButtonToSrpForm	94	92	95	1	94	95
	confirmSrpToPwForm	21	21	22	0	21	22
	pwFormToMetricsScreen	15	15	15	0	15	15
	metricsToWalletReadyScreen	16	15	17	1	16	17
	doneButtonToHomeScreen	602	587	615	12	611	615
	openAccountMenuToAccountListLoaded	2909	2907	2911	1	2911	2911
	total	3872	3825	3899	26	3890	3899
Onboarding New Wallet	createWalletToSocialScreen	218	217	218	0	218	218
	srpButtonToPwForm	109	105	113	3	112	113
	createPwToRecoveryScreen	8	8	9	0	9	9
	skipBackupToMetricsScreen	35	34	35	0	35	35
	agreeButtonToOnboardingSuccess	17	16	17	0	17	17
	doneButtonToAssetList	601	493	692	87	689	692
	total	989	878	1089	89	1075	1089
Asset Details	assetClickToPriceChart	124	119	128	4	128	128
	total	124	119	128	4	128	128
Solana Asset Details	assetClickToPriceChart	88	82	96	5	90	96
	total	88	82	96	5	90	96
Import Srp Home	loginToHomeScreen	2298	2264	2333	24	2298	2333
	openAccountMenuAfterLogin	62	57	67	4	65	67
	homeAfterImportWithNewWallet	2375	2354	2388	15	2388	2388
	total	4731	4581	4827	95	4795	4827
Send Transactions	openSendPageFromHome	26	17	35	6	31	35
	selectTokenToSendFormLoaded	18	18	19	0	18	19
	reviewTransactionToConfirmationPage	855	843	879	14	853	879
	total	897	884	927	18	888	927
Swap	openSwapPageFromHome	27	20	33	5	29	33
	fetchAndDisplaySwapQuotes	2686	2682	2692	4	2690	2692
	total	2712	2711	2713	1	2713	2713

🌐 Dapp Page Load Benchmarks

Current Commit: 2278e59 | Date: 3/10/2026

📄 Localhost MetaMask Test Dapp

Samples: 100

Summary

• pageLoadTime-> current mean value: 1.03s (±41ms) 🟡 | historical mean value: 1.05s ⬇️ (historical data)
• domContentLoaded-> current mean value: 726ms (±39ms) 🟢 | historical mean value: 736ms ⬇️ (historical data)
• firstContentfulPaint-> current mean value: 78ms (±14ms) 🟢 | historical mean value: 84ms ⬇️ (historical data)

📈 Detailed Results

Metric	Mean	Std Dev	Min	Max	P95	P99
pageLoadTime	1.03s	41ms	1.01s	1.35s	1.07s	1.35s
domContentLoaded	726ms	39ms	708ms	1.02s	747ms	1.02s
firstPaint	78ms	14ms	60ms	208ms	88ms	208ms
firstContentfulPaint	78ms	14ms	60ms	208ms	88ms	208ms
largestContentfulPaint	0ms	0ms	0ms	0ms	0ms	0ms

Bundle size diffs [🚨 Warning! Bundle size has increased!]

• background: 4.41 KiB (0.08%)
• ui: -24.23 KiB (-0.28%)
• common: 154 Bytes (0%)

[metamaskbotv2]

Builds ready [f637c4f]

• builds: chrome, firefox
• builds (beta): chrome, firefox
• builds (flask): chrome, firefox
• builds (test): chrome, firefox
• builds (test-flask): chrome, firefox
• bundle size: Bundle Size Stats
• interaction-benchmark: Interaction Stats
• storybook: Storybook
• typescript migration: Dashboard
• all artifacts
• bundle viz:

  • background: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
  • common: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19
  • ui: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21
  • content-script: 0
  • offscreen: 0

⚡ Performance Benchmarks

👆 Interaction Benchmarks

Benchmark	Metric	Mean (ms)	Min (ms)	Max (ms)	Std Dev (ms)	P75 (ms)	P95 (ms)
Load New Account	load_new_account	273	265	282	6	278	282
	total	273	265	282	6	278	282
Confirm Tx	confirm_tx	6007	5996	6024	10	6010	6024
	total	6007	5996	6024	10	6010	6024
Bridge User Actions	bridge_load_page	208	200	212	5	209	212
	bridge_load_asset_picker	235	217	245	11	238	245
	bridge_search_token	758	742	765	9	765	765
	total	1200	1189	1210	8	1205	1210

🔌 Startup Benchmarks

Benchmark	Metric	Mean (ms)	Min (ms)	Max (ms)	Std Dev (ms)	P75 (ms)	P95 (ms)
Standard Home	uiStartup	1470	1246	2056	127	1501	1673
	load	1217	1008	1654	111	1246	1411
	domContentLoaded	1211	1002	1636	109	1242	1386
	domInteractive	31	18	151	23	25	89
	firstPaint	166	71	1230	168	199	331
	backgroundConnect	217	196	316	16	222	238
	firstReactRender	21	13	49	6	22	33
	initialActions	1	0	7	1	1	4
	loadScripts	1009	812	1411	104	1037	1188
	setupStore	15	7	148	15	17	25
	numNetworkReqs	36	27	94	19	27	87
Power User Home	uiStartup	5987	2228	18118	3315	6819	12222
	load	1316	1153	1716	124	1339	1598
	domContentLoaded	1297	1140	1697	118	1320	1584
	domInteractive	35	21	204	26	30	81
	firstPaint	211	82	1305	145	268	364
	backgroundConnect	2374	325	14388	2721	3501	7868
	firstReactRender	29	18	102	9	31	39
	initialActions	1	0	5	1	1	4
	loadScripts	1068	917	1464	111	1092	1331
	setupStore	16	6	45	7	19	31
	numNetworkReqs	145	67	284	40	159	241

🧭 User Journey Benchmarks

Benchmark	Metric	Mean (ms)	Min (ms)	Max (ms)	Std Dev (ms)	P75 (ms)	P95 (ms)
Onboarding Import Wallet	importWalletToSocialScreen	218	217	220	1	219	220
	srpButtonToSrpForm	95	95	95	0	95	95
	confirmSrpToPwForm	22	21	22	0	22	22
	pwFormToMetricsScreen	15	15	15	0	15	15
	metricsToWalletReadyScreen	16	15	17	1	17	17
	doneButtonToHomeScreen	688	591	826	88	722	826
	openAccountMenuToAccountListLoaded	2928	2903	2946	15	2936	2946
	total	3984	3893	4113	80	4007	4113
Onboarding New Wallet	createWalletToSocialScreen	220	219	221	1	219	221
	srpButtonToPwForm	109	108	110	1	109	110
	createPwToRecoveryScreen	8	8	8	0	8	8
	skipBackupToMetricsScreen	35	34	35	0	35	35
	agreeButtonToOnboardingSuccess	16	15	17	1	16	17
	doneButtonToAssetList	515	494	539	19	537	539
	total	911	881	966	32	928	966
Asset Details	assetClickToPriceChart	116	109	120	4	119	120
	total	116	109	120	4	119	120
Solana Asset Details	assetClickToPriceChart	86	80	91	4	88	91
	total	86	80	91	4	88	91
Import Srp Home	loginToHomeScreen	2241	2192	2313	44	2232	2313
	openAccountMenuAfterLogin	56	43	75	12	57	75
	homeAfterImportWithNewWallet	2419	2259	2588	130	2557	2588
	total	4673	4607	4858	107	4619	4858
Send Transactions	openSendPageFromHome	22	17	27	4	24	27
	selectTokenToSendFormLoaded	19	19	20	0	20	20
	reviewTransactionToConfirmationPage	860	845	876	13	870	876
	total	901	883	923	16	911	923
Swap	openSwapPageFromHome	24	21	27	3	25	27
	fetchAndDisplaySwapQuotes	2686	2685	2686	0	2686	2686
	total	2719	2707	2743	13	2723	2743

🌐 Dapp Page Load Benchmarks

Current Commit: f637c4f | Date: 3/10/2026

📄 Localhost MetaMask Test Dapp

Samples: 100

Summary

• pageLoadTime-> current mean value: 1.04s (±41ms) 🟡 | historical mean value: 1.05s ⬇️ (historical data)
• domContentLoaded-> current mean value: 731ms (±39ms) 🟢 | historical mean value: 736ms ⬇️ (historical data)
• firstContentfulPaint-> current mean value: 80ms (±10ms) 🟢 | historical mean value: 84ms ⬇️ (historical data)

📈 Detailed Results

Metric	Mean	Std Dev	Min	Max	P95	P99
pageLoadTime	1.04s	41ms	1.02s	1.35s	1.09s	1.35s
domContentLoaded	731ms	39ms	711ms	1.03s	772ms	1.03s
firstPaint	80ms	10ms	64ms	168ms	84ms	168ms
firstContentfulPaint	80ms	10ms	64ms	168ms	84ms	168ms
largestContentfulPaint	0ms	0ms	0ms	0ms	0ms	0ms

Bundle size diffs [🚨 Warning! Bundle size has increased!]

• background: 4.41 KiB (0.08%)
• ui: -24.23 KiB (-0.28%)
• common: 154 Bytes (0%)

[davidmurdoch]

Going to need an explanation for this :-) I recently removed the last of the code that needed to allow for broken JS like this.

---

But I'm also concerned with @myx-trade/sdk itself.

It only has unknown authors on npm, and before this perps integration, has very few weekly downloads. It has zero documentation and no README.MD, and no links back to its repo on npm.

It ships @types/ws as a regular dependency, and ships invalid mjs as well (if fullySpecified is actually required). Quality, absent of a reputation, might be questionable.

Its about as sketchy as can be, especially with the initial attempt at landing this being over 12000 lines of of changes.

[davidmurdoch]

I did some digging myself, and it looks like their SDK imports from crypto-js, which is not even maintained anymore (and hasn't been for a while).

If the @myx-trade/sdk is required here, which I'm sure it is, perhaps we should patch @myx-trade/sdk to do things The Right Way, instead of bail out of strict parsing via fullySpecified: false here.

I can submit the patch for it to this PR if you're okay with that.

If not, this isn't the right way to do this. This build system uses swc via our npmLoader, which is about 10x faster than webpack's default, so we'd need to figure out how to get this block into the "vendor javascript" oneOf section below, and likely use the npmLoader for it.

[abretonc7s]

Thanks @davidmurdoch , I have mentioned it to MYX directly for urgent fix. Their product hasnt launched hence the limited usage and download but we have a signed partnership with them to implement their protocol. I previously flagged the package with security but we allowed as we are partnering with them to unblock the implementation.

[gambinish]

Will follow up with the team tomorrow morning, and we will align on the best path forward 👍

It sounds like patching it is probably the way to go for now.

[abretonc7s]

MYX just shipped 0.1.267 which addresses this directly: crypto-js replaced with crypto-es (maintained ESM fork), @types/ws removed from runtime deps, and the MJS is now a single bundle with zero bare relative imports. Bumped the resolution and removed the fullySpecified: false workaround in this commit — should be clean now. Added a temporary npmPreapprovedPackages bypass (same pattern as serialize-javascript) to clear the 3-day age gate.

[davidmurdoch]

amazing! thank you!

[davidmurdoch]

I did some digging myself, and it looks like their SDK imports from crypto-js, which is not even maintained anymore (and hasn't been for a while).

If the @myx-trade/sdk is required here, which I'm sure it is, perhaps we should patch @myx-trade/sdk to do things The Right Way, instead of bail out of strict parsing via fullySpecified: false here.

I can submit the patch for it to this PR if you're okay with that.

If not, this isn't the right way to do this. This build system uses swc via our npmLoader, which is about 10x faster than webpack's default, so we'd need to figure out how to get this block into the "vendor javascript" oneOf section below, and likely use the npmLoader for it.

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

[cursor]

Broad ESM globs affect existing crypto library builds

Medium Severity

The glob patterns ./**/node_modules/@noble/hashes, ./**/node_modules/@noble/curves, and ./**/node_modules/@scure match ALL versions of these packages at any nesting depth, not just the v2 versions brought in by @nktkas/hyperliquid (a transitive dependency of @metamask/perps-controller). These packages (@noble/hashes@1.8.0, @noble/curves@1.x, @scure/bip32, @scure/bip39) are already used extensively throughout MetaMask for core crypto operations and were not previously in this ESM transform list. Applying ESM handling to all versions project-wide could subtly change how the existing v1 packages are bundled by browserify. Narrower patterns scoped to the perps dependency subtree (e.g., targeting only the v2 paths) would be safer.

 

[davidmurdoch]

This is fine. It may slow the build process down a bit though, however, it actually leads to more "technically correct" builds that properly target are supported browser range by "transpiling" modern JS features into polyfills. In an ideal world we would always do this (we do for webpack), but I believe (this was before my time) the reason we don't is that the build time performance hit was too much (and it hasn't been enough of an actual production problem enough us).

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[metamaskbotv2]

Builds ready [59ddb67]

• builds: chrome, firefox
• builds (beta): chrome, firefox
• builds (flask): chrome, firefox
• builds (test): chrome, firefox
• builds (test-flask): chrome, firefox
• bundle size: Bundle Size Stats
• interaction-benchmark: Interaction Stats
• storybook: Storybook
• typescript migration: Dashboard
• all artifacts
• bundle viz:

  • background: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
  • common: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19
  • ui: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21
  • content-script: 0
  • offscreen: 0

⚡ Performance Benchmarks

👆 Interaction Benchmarks

Benchmark	Metric	Mean (ms)	Min (ms)	Max (ms)	Std Dev (ms)	P75 (ms)	P95 (ms)
Load New Account	load_new_account	272	263	288	10	272	288
	total	272	263	288	10	272	288
Confirm Tx	confirm_tx	6015	6001	6035	12	6023	6035
	total	6015	6001	6035	12	6023	6035
Bridge User Actions	bridge_load_page	209	201	221	8	211	221
	bridge_load_asset_picker	198	173	242	27	216	242
	bridge_search_token	726	702	764	29	760	764
	total	1144	1077	1247	75	1223	1247

🔌 Startup Benchmarks

Benchmark	Metric	Mean (ms)	Min (ms)	Max (ms)	Std Dev (ms)	P75 (ms)	P95 (ms)
Standard Home	uiStartup	1504	1252	1866	111	1542	1678
	load	1245	1021	1635	100	1280	1398
	domContentLoaded	1238	1019	1626	98	1276	1380
	domInteractive	31	18	164	22	27	80
	firstPaint	177	72	1343	137	224	287
	backgroundConnect	224	200	280	14	230	255
	firstReactRender	22	14	40	6	23	36
	initialActions	2	0	11	2	2	4
	loadScripts	1030	822	1408	96	1068	1178
	setupStore	14	7	41	7	16	26
	numNetworkReqs	36	27	88	18	27	84
Power User Home	uiStartup	5339	2074	15135	2390	5905	9668
	load	1371	1140	3715	346	1376	1747
	domContentLoaded	1350	1127	3704	343	1338	1646
	domInteractive	34	21	126	19	34	66
	firstPaint	200	88	474	92	273	364
	backgroundConnect	2284	319	12682	2246	3190	6856
	firstReactRender	28	18	47	7	31	43
	initialActions	1	0	8	1	1	3
	loadScripts	1122	902	3463	339	1103	1402
	setupStore	17	6	45	8	20	38
	numNetworkReqs	209	78	391	53	222	312

🧭 User Journey Benchmarks

Benchmark	Metric	Mean (ms)	Min (ms)	Max (ms)	Std Dev (ms)	P75 (ms)	P95 (ms)
Onboarding Import Wallet	importWalletToSocialScreen	220	216	228	4	222	228
	srpButtonToSrpForm	93	91	96	2	94	96
	confirmSrpToPwForm	22	21	24	1	23	24
	pwFormToMetricsScreen	15	15	15	0	15	15
	metricsToWalletReadyScreen	16	15	18	1	16	18
	doneButtonToHomeScreen	595	585	605	7	598	605
	openAccountMenuToAccountListLoaded	2924	2904	2939	15	2935	2939
	total	3893	3887	3901	6	3896	3901
Onboarding New Wallet	createWalletToSocialScreen	219	218	221	1	219	221
	srpButtonToPwForm	109	104	114	3	110	114
	createPwToRecoveryScreen	9	8	9	0	9	9
	skipBackupToMetricsScreen	36	36	37	0	36	37
	agreeButtonToOnboardingSuccess	16	16	17	0	16	17
	doneButtonToAssetList	504	495	514	8	507	514
	total	896	885	915	12	898	915
Asset Details	assetClickToPriceChart	136	134	139	2	139	139
	total	136	134	139	2	139	139
Solana Asset Details	assetClickToPriceChart	82	71	90	7	84	90
	total	82	71	90	7	84	90
Import Srp Home	loginToHomeScreen	2249	2175	2331	66	2293	2331
	openAccountMenuAfterLogin	54	39	66	10	64	66
	homeAfterImportWithNewWallet	2296	2243	2398	60	2278	2398
	total	4762	4504	4980	179	4930	4980
Send Transactions	openSendPageFromHome	28	19	40	8	30	40
	selectTokenToSendFormLoaded	27	19	34	6	34	34
	reviewTransactionToConfirmationPage	1211	849	1478	294	1439	1478
	total	1280	891	1572	318	1539	1572
Swap	openSwapPageFromHome	29	26	32	2	29	32
	fetchAndDisplaySwapQuotes	2714	2688	2767	31	2730	2767
	total	2749	2715	2800	31	2758	2800

🌐 Dapp Page Load Benchmarks

Current Commit: 59ddb67 | Date: 3/11/2026

📄 Localhost MetaMask Test Dapp

Samples: 100

Summary

• pageLoadTime-> current mean value: 1.06s (±66ms) 🟡 | historical mean value: 1.04s ⬆️ (historical data)
• domContentLoaded-> current mean value: 745ms (±64ms) 🟢 | historical mean value: 734ms ⬆️ (historical data)
• firstContentfulPaint-> current mean value: 81ms (±12ms) 🟢 | historical mean value: 85ms ⬇️ (historical data)

📈 Detailed Results

Metric	Mean	Std Dev	Min	Max	P95	P99
pageLoadTime	1.06s	66ms	1.02s	1.36s	1.28s	1.36s
domContentLoaded	745ms	64ms	712ms	1.02s	964ms	1.02s
firstPaint	81ms	12ms	68ms	188ms	96ms	188ms
firstContentfulPaint	81ms	12ms	68ms	188ms	96ms	188ms
largestContentfulPaint	0ms	0ms	0ms	0ms	0ms	0ms

Bundle size diffs [🚨 Warning! Bundle size has increased!]

• background: 4.41 KiB (0.08%)
• ui: -9.69 KiB (-0.11%)
• common: 724 Bytes (0.01%)

[davidmurdoch]

this is not a change request. just an FYI!

I was recently informed that if you add the package to this list locally, run yarn install, then commit the package.json and yarn.lock files, you can then remove the package from this list and things will work.