bump: mockttp and webpack-dev-server to remove node-forge cp-13.25.0 by HowardBraham · Pull Request #41288 · MetaMask/metamask-extension

HowardBraham · 2026-03-27T00:36:21Z

Description

I initially wrote this to fix a node-forge audit error, but someone else got a resolution fix in first.

This PR updates mockttp and webpack-dev-server, which eliminates node-forge entirely.

Changelog

CHANGELOG entry: null

Note

Medium Risk
Dependency upgrades and Lavamoat policy regeneration may affect dev-server/test tooling and bundling behavior, though changes are largely config/third-party updates rather than app logic.

Overview
Resolves the node-forge audit finding by upgrading mockttp to ^4.2.3 and webpack-dev-server to ^5.2.3, and removing the explicit node-forge entry from package.json.

Regenerates multiple Lavamoat policy.json files to reflect the new dependency graphs (notably shifting async-mutex allowances to mockttp>async-mutex, adding new @peculiar/x509 chains for mockttp, and updating some webpack-dev-server builtin module references). Updates the Jest setup helper to polyfill crypto.randomUUID when missing in the test environment.

^{Written by Cursor Bugbot for commit 635717d. This will update automatically on new commits. Configure here.}

github-actions · 2026-03-27T00:36:29Z

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

HowardBraham · 2026-03-27T00:36:30Z

@metamaskbot update-policies

socket-security · 2026-03-27T00:37:42Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	webpack-dev-server@5.2.2 ⏵ 5.2.3
	mockttp@3.10.1 ⏵ 4.2.3	^-1			⁺²

View full report

socket-security · 2026-03-27T00:37:44Z

Caution

MetaMask internal reviewing guidelines:

Do not ignore-all
Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
@SocketSecurity ignore npm/PACKAGE@VERSION

Action	Severity	Alert (click "▶" to expand/collapse)
Block		Network access: npm `on-headers` in module http Module: http Location: Package overview From: `?` → `npm/storybook@7.6.21` → `npm/webpack-dev-server@5.2.3` → `npm/on-headers@1.1.0` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/on-headers@1.1.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Publisher changed: npm `finalhandler` is now published by ulisesgascon instead of wesleytodd New Author: ulisesgascon Previous Author: wesleytodd From: `?` → `npm/@storybook/react-webpack5@7.6.21` → `npm/storybook@7.6.21` → `npm/webpack-dev-server@5.2.3` → `npm/mockttp@4.2.3` → `npm/@metamask/test-bundler@1.0.0` → `npm/finalhandler@1.3.2` ℹ Read more on: This package \| This alert \| What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/finalhandler@1.3.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Publisher changed: npm `negotiator` is now published by blakeembrey instead of wesleytodd New Author: blakeembrey Previous Author: wesleytodd From: `?` → `npm/storybook@7.6.21` → `npm/webpack-dev-server@5.2.3` → `npm/negotiator@0.6.4` ℹ Read more on: This package \| This alert \| What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/negotiator@0.6.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Publisher changed: npm `on-headers` is now published by ulisesgascon instead of dougwilson New Author: ulisesgascon Previous Author: dougwilson From: `?` → `npm/storybook@7.6.21` → `npm/webpack-dev-server@5.2.3` → `npm/on-headers@1.1.0` ℹ Read more on: This package \| This alert \| What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/on-headers@1.1.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

metamaskbot · 2026-03-27T00:48:15Z

Policies updated.
👀 Please review the diff for suspicious new powers.

🧠 Learn how: https://lavamoat.github.io/guides/policy-diff/#what-to-look-for-when-reviewing-a-policy-diff

👀 lavamoat/browserify/beta/policy.json changes differ from main/policy.json policy changes
👀 lavamoat/browserify/experimental/policy.json changes differ from main/policy.json policy changes
👀 lavamoat/browserify/flask/policy.json changes differ from main/policy.json policy changes
👀 lavamoat/webpack/mv2/beta/policy.json changes differ from mv2/main/policy.json policy changes
👀 lavamoat/webpack/mv2/experimental/policy.json changes differ from mv2/main/policy.json policy changes
👀 lavamoat/webpack/mv2/flask/policy.json changes differ from mv2/main/policy.json policy changes
👀 lavamoat/webpack/mv3/beta/policy.json changes differ from mv3/main/policy.json policy changes
👀 lavamoat/webpack/mv3/experimental/policy.json changes differ from mv3/main/policy.json policy changes
👀 lavamoat/webpack/mv3/flask/policy.json changes differ from mv3/main/policy.json policy changes

metamaskbotv2 · 2026-03-27T01:22:35Z

Builds ready [3a0384f]

builds: chrome, firefox
builds (beta): chrome, firefox
builds (flask): chrome, firefox
builds (test): chrome, firefox
builds (test-flask): chrome, firefox
webpack builds: chrome, firefox
webpack builds (beta): chrome, firefox
webpack builds (flask): chrome, firefox
webpack builds (test): chrome, firefox
webpack builds (test-flask): chrome, firefox
lavamoat build viz: Build System
bundle size: Bundle Size Stats
interaction-benchmark: Interaction Stats
storybook: Storybook
typescript migration: Dashboard
all artifacts
bundle viz:
- background: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15
- common: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19
- ui: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21
- content-script: 0
- offscreen: 0

⚡ Performance Benchmarks

👆 Interaction Benchmarks
Benchmark Metric Mean (ms) Min (ms) Max (ms) Std Dev (ms) P75 (ms) P95 (ms)
Load New Account load_new_account 1128 1121 1134 5 1134 1134
total 1128 1121 1134 5 1134 1134
Confirm Tx confirm_tx 6053 6001 6111 40 6078 6111
total 6053 6001 6111 40 6078 6111
Bridge User Actions bridge_load_page 296 291 299 3 296 299
bridge_load_asset_picker 306 235 365 52 362 365
bridge_search_token 841 757 963 94 950 963
total 1438 1283 1621 149 1611 1621

🔌 Startup Benchmarks
Benchmark Metric Mean (ms) Min (ms) Max (ms) Std Dev (ms) P75 (ms) P95 (ms)
Chrome Browserify Startup Standard Home uiStartup 1510 1319 1857 79 1555 1633
load 1244 1064 1526 72 1281 1356
domContentLoaded 1238 1054 1507 71 1275 1350
domInteractive 28 18 143 14 27 47
firstPaint 152 75 380 70 211 281
backgroundConnect 232 214 274 10 237 246
firstReactRender 22 13 60 8 23 37
initialActions 1 0 5 1 2 4
loadScripts 1019 844 1273 70 1054 1128
setupStore 14 7 63 8 16 27
numNetworkReqs 35 31 59 7 38 46
Chrome Browserify Startup Power User Home uiStartup 4976 1932 15900 2221 5724 7562
load 1297 1152 2054 127 1337 1507
domContentLoaded 1278 1144 1968 117 1323 1471
domInteractive 32 20 174 18 34 59
firstPaint 217 85 1468 206 256 352
backgroundConnect 2116 305 12474 1959 2865 4358
firstReactRender 26 18 61 6 29 34
initialActions 1 0 7 1 1 3
loadScripts 1052 931 1642 107 1086 1238
setupStore 17 6 79 10 19 30
numNetworkReqs 222 82 344 60 259 311

🧭 User Journey Benchmarks
Benchmark Metric Mean (ms) Min (ms) Max (ms) Std Dev (ms) P75 (ms) P95 (ms)
Onboarding Import Wallet importWalletToSocialScreen 219 217 220 1 220 220
srpButtonToSrpForm 94 94 95 1 94 95
confirmSrpToPwForm 22 21 22 0 22 22
pwFormToMetricsScreen 16 15 16 0 16 16
metricsToWalletReadyScreen 16 16 17 1 17 17
doneButtonToHomeScreen 565 510 677 67 559 677
openAccountMenuToAccountListLoaded 2906 2901 2915 6 2915 2915
total 3874 3778 4053 112 3959 4053
Onboarding New Wallet createWalletToSocialScreen 218 217 220 1 219 220
srpButtonToPwForm 118 111 124 6 123 124
createPwToRecoveryScreen 9 8 9 0 9 9
skipBackupToMetricsScreen 40 38 46 3 39 46
agreeButtonToOnboardingSuccess 16 16 17 0 16 17
doneButtonToAssetList 515 501 538 15 518 538
total 970 893 1106 77 982 1106
Asset Details assetClickToPriceChart 74 69 82 5 77 82
total 74 69 82 5 77 82
Solana Asset Details assetClickToPriceChart 57 54 64 4 57 64
total 57 54 64 4 57 64
Import Srp Home loginToHomeScreen 2063 1956 2253 107 2099 2253
openAccountMenuAfterLogin 53 53 53 0 53 53
homeAfterImportWithNewWallet 1187 284 2580 1049 2357 2580
total 3299 2315 4662 1106 4642 4662
Send Transactions openSendPageFromHome 30 19 42 9 33 42
selectTokenToSendFormLoaded 28 23 35 4 31 35
reviewTransactionToConfirmationPage 1213 997 1394 164 1392 1394
total 1289 1064 1552 187 1448 1552
Swap openSwapPageFromHome 123 115 137 8 126 137
fetchAndDisplaySwapQuotes 2690 2684 2695 4 2692 2695
total 2809 2806 2813 3 2811 2813

🌐 Dapp Page Load Benchmarks

Current Commit: 3a0384f | Date: 3/27/2026

📄 Localhost MetaMask Test Dapp

Samples: 100

Summary

pageLoadTime-> current mean value: 1.04s (±53ms) 🟡 | historical mean value: 1.03s ⬆️ (historical data)
domContentLoaded-> current mean value: 731ms (±50ms) 🟢 | historical mean value: 730ms ⬆️ (historical data)
firstContentfulPaint-> current mean value: 85ms (±10ms) 🟢 | historical mean value: 84ms ⬆️ (historical data)

📈 Detailed Results

Metric	Mean	Std Dev	Min	Max	P95	P99
pageLoadTime	1.04s	53ms	1.01s	1.33s	1.10s	1.33s
domContentLoaded	731ms	50ms	699ms	1.01s	789ms	1.01s
firstPaint	85ms	10ms	68ms	168ms	92ms	168ms
firstContentfulPaint	85ms	10ms	68ms	168ms	92ms	168ms
largestContentfulPaint	0ms	0ms	0ms	0ms	0ms	0ms

Bundle size diffs

background: 58 Bytes (0%)
ui: 5 Bytes (0%)
common: 706 Bytes (0.01%)

nickewansmith · 2026-03-27T02:58:14Z

@HowardBraham if for some reason your PR is taking a while for review or other, this PR here is green as well and could be a temporary fix.

metamaskbot · 2026-03-27T17:31:56Z

Policies updated.
👀 Please review the diff for suspicious new powers.

🧠 Learn how: https://lavamoat.github.io/guides/policy-diff/#what-to-look-for-when-reviewing-a-policy-diff

👀 lavamoat/browserify/beta/policy.json changes differ from main/policy.json policy changes
👀 lavamoat/browserify/experimental/policy.json changes differ from main/policy.json policy changes
👀 lavamoat/browserify/flask/policy.json changes differ from main/policy.json policy changes
👀 lavamoat/webpack/mv2/beta/policy.json changes differ from mv2/main/policy.json policy changes
👀 lavamoat/webpack/mv2/experimental/policy.json changes differ from mv2/main/policy.json policy changes
👀 lavamoat/webpack/mv2/flask/policy.json changes differ from mv2/main/policy.json policy changes
👀 lavamoat/webpack/mv3/beta/policy.json changes differ from mv3/main/policy.json policy changes
👀 lavamoat/webpack/mv3/experimental/policy.json changes differ from mv3/main/policy.json policy changes
👀 lavamoat/webpack/mv3/flask/policy.json changes differ from mv3/main/policy.json policy changes

metamaskbotv2 · 2026-03-27T17:32:54Z

✨ Files requiring CODEOWNER review ✨

📜 @MetaMask/policy-reviewers (13 files, +427 -242)

📁 lavamoat/
- 📁 browserify/
  - 📁 beta/
    - 📄 policy.json +19 -19
  - 📁 experimental/
    - 📄 policy.json +19 -19
  - 📁 flask/
    - 📄 policy.json +19 -19
  - 📁 main/
    - 📄 policy.json +19 -19
- 📁 webpack/
  - 📁 build/
    - 📄 policy.json +251 -66
  - 📁 mv2/
    - 📁 beta/
      - 📄 policy.json +16 -16
    - 📁 experimental/
      - 📄 policy.json +16 -16
    - 📁 flask/
      - 📄 policy.json +16 -16
    - 📁 main/
      - 📄 policy.json +16 -16
  - 📁 mv3/
    - 📁 beta/
      - 📄 policy.json +9 -9
    - 📁 experimental/
      - 📄 policy.json +9 -9
    - 📁 flask/
      - 📄 policy.json +9 -9
    - 📁 main/
      - 📄 policy.json +9 -9

Tip

Follow the policy review process outlined in the LavaMoat Policy Review Process doc before expecting an approval from Policy Reviewers.

sonarqubecloud · 2026-03-27T17:59:48Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

metamaskbotv2 · 2026-03-27T18:18:31Z

Builds ready [635717d]

builds: chrome, firefox
builds (beta): chrome, firefox
builds (flask): chrome, firefox
builds (test): chrome, firefox
builds (test-flask): chrome, firefox
webpack builds: chrome, firefox
webpack builds (beta): chrome, firefox
webpack builds (flask): chrome, firefox
webpack builds (test): chrome, firefox
webpack builds (test-flask): chrome, firefox
lavamoat build viz: Build System
bundle size: Bundle Size Stats
interaction-benchmark: Interaction Stats
storybook: Storybook
typescript migration: Dashboard
all artifacts
bundle viz:
- background: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15
- common: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19
- ui: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21
- content-script: 0
- offscreen: 0

⚡ Performance Benchmarks

👆 Interaction Benchmarks
Benchmark Metric Mean (ms) Min (ms) Max (ms) Std Dev (ms) P75 (ms) P95 (ms)
Load New Account load_new_account 1024 956 1137 80 1137 1137
total 1024 956 1137 80 1137 1137
Confirm Tx confirm_tx 6053 6031 6090 22 6046 6090
total 6053 6031 6090 22 6046 6090
Bridge User Actions bridge_load_page 302 253 371 41 312 371
bridge_load_asset_picker 271 155 338 70 332 338
bridge_search_token 1073 734 1471 321 1454 1471
total 1646 1232 2107 359 2045 2107

🔌 Startup Benchmarks
Benchmark Metric Mean (ms) Min (ms) Max (ms) Std Dev (ms) P75 (ms) P95 (ms)
Chrome Browserify Startup Standard Home uiStartup 1538 1271 1900 121 1603 1794
load 1267 1024 1565 107 1325 1455
domContentLoaded 1259 1020 1553 107 1319 1448
domInteractive 28 18 69 9 30 50
firstPaint 229 72 1383 204 270 303
backgroundConnect 219 193 260 15 226 249
firstReactRender 21 15 45 5 23 30
initialActions 1 0 6 1 1 4
loadScripts 1056 823 1352 101 1121 1234
setupStore 14 7 70 9 16 22
numNetworkReqs 34 31 61 6 37 43
Chrome Browserify Startup Power User Home uiStartup 5250 2112 16166 3015 5846 12729
load 1336 1137 1789 129 1397 1566
domContentLoaded 1306 1127 1779 109 1355 1500
domInteractive 38 23 119 18 42 76
firstPaint 266 103 1514 183 314 380
backgroundConnect 2106 303 13771 2747 2724 8414
firstReactRender 29 18 78 9 31 40
initialActions 1 0 8 1 1 3
loadScripts 1092 925 1539 102 1133 1260
setupStore 17 7 45 7 21 31
numNetworkReqs 184 88 388 67 224 303

🧭 User Journey Benchmarks
Benchmark Metric Mean (ms) Min (ms) Max (ms) Std Dev (ms) P75 (ms) P95 (ms)
Onboarding Import Wallet importWalletToSocialScreen 217 216 218 1 217 218
srpButtonToSrpForm 98 97 98 1 98 98
confirmSrpToPwForm 22 22 23 0 22 23
pwFormToMetricsScreen 15 15 16 0 15 16
metricsToWalletReadyScreen 15 15 16 0 16 16
doneButtonToHomeScreen 530 516 548 12 529 548
openAccountMenuToAccountListLoaded 2895 2707 3128 163 2993 3128
total 3882 3803 4010 81 3891 4010
Onboarding New Wallet createWalletToSocialScreen 221 220 223 1 221 223
srpButtonToPwForm 112 107 120 5 117 120
createPwToRecoveryScreen 8 8 8 0 8 8
skipBackupToMetricsScreen 38 36 41 2 39 41
agreeButtonToOnboardingSuccess 15 15 16 0 16 16
doneButtonToAssetList 492 476 513 14 496 513
total 886 874 899 11 896 899
Asset Details assetClickToPriceChart 72 65 77 5 76 77
total 72 65 77 5 76 77
Solana Asset Details assetClickToPriceChart 60 54 67 5 63 67
total 60 54 67 5 63 67
Import Srp Home loginToHomeScreen 2107 2076 2138 25 2138 2138
openAccountMenuAfterLogin 68 60 78 6 72 78
homeAfterImportWithNewWallet 1179 269 2424 1005 2391 2424
total 3384 2405 4898 1120 4601 4898
Send Transactions openSendPageFromHome 38 21 56 14 51 56
selectTokenToSendFormLoaded 35 24 55 12 43 55
reviewTransactionToConfirmationPage 1104 890 1249 137 1194 1249
total 1241 1180 1301 50 1301 1301
Swap openSwapPageFromHome 113 98 121 8 120 121
fetchAndDisplaySwapQuotes 2685 2682 2687 2 2686 2687
total 2801 2785 2815 11 2808 2815

🌐 Dapp Page Load Benchmarks

Current Commit: 635717d | Date: 3/27/2026

📄 Localhost MetaMask Test Dapp

Samples: 100

Summary

pageLoadTime-> current mean value: 1.05s (±71ms) 🟡 | historical mean value: 1.03s ⬆️ (historical data)
domContentLoaded-> current mean value: 746ms (±69ms) 🟢 | historical mean value: 728ms ⬆️ (historical data)
firstContentfulPaint-> current mean value: 86ms (±10ms) 🟢 | historical mean value: 87ms ⬇️ (historical data)

📈 Detailed Results

Metric	Mean	Std Dev	Min	Max	P95	P99
pageLoadTime	1.05s	71ms	1.01s	1.33s	1.26s	1.33s
domContentLoaded	746ms	69ms	710ms	1.01s	950ms	1.01s
firstPaint	86ms	10ms	68ms	160ms	96ms	160ms
firstContentfulPaint	86ms	10ms	68ms	160ms	96ms	160ms
largestContentfulPaint	0ms	0ms	0ms	0ms	0ms	0ms

Bundle size diffs

background: 58 Bytes (0%)
ui: 5 Bytes (0%)
common: 684 Bytes (0.01%)

Gudahtt

LGTM!

DDDDDanica · 2026-03-27T19:51:10Z

LGTM ✅

HowardBraham temporarily deployed to pr-comment March 27, 2026 00:36 — with GitHub Actions Inactive

metamaskbot added the team-extension-platform Extension Platform team label Mar 27, 2026

github-actions Bot added the size-S label Mar 27, 2026

HowardBraham changed the title ~~fix: node-forge~~ fix: audit for node-forge Mar 27, 2026

HowardBraham added the skip-release-validation label Mar 27, 2026

metamaskbot temporarily deployed to pr-comment March 27, 2026 00:48 — with GitHub Actions Inactive

HowardBraham mentioned this pull request Mar 27, 2026

chore: upgrade node forge in resolutions / update flaky unit #41290

Closed

7 tasks

HowardBraham added the retry-ci Tells GitHub Actions to retry failed jobs, label removed automatically before the retry label Mar 27, 2026

metamaskbot temporarily deployed to pr-comment March 27, 2026 01:18 — with GitHub Actions Inactive

github-actions Bot removed the retry-ci Tells GitHub Actions to retry failed jobs, label removed automatically before the retry label Mar 27, 2026

HowardBraham added the retry-ci Tells GitHub Actions to retry failed jobs, label removed automatically before the retry label Mar 27, 2026

github-actions Bot removed the retry-ci Tells GitHub Actions to retry failed jobs, label removed automatically before the retry label Mar 27, 2026

HowardBraham marked this pull request as ready for review March 27, 2026 01:38

HowardBraham requested review from a team as code owners March 27, 2026 01:38

HowardBraham temporarily deployed to pr-comment March 27, 2026 01:38 — with GitHub Actions Inactive

nickewansmith previously approved these changes Mar 27, 2026

View reviewed changes