release(runway): cherry-pick bump: mockttp and webpack-dev-server to remove node-forge cp-13.25.0#41322

Merged: HowardBraham merged 1 commit into release/13.25.0 from runway-cherry-pick-13.25.0-1774642402 on Mar 27, 2026

Conversation

@runway-github runway-github Bot commented Mar 27, 2026

Description

I initially wrote this to fix a node-forge audit error, but someone else
got a resolution fix in first.

This PR updates mockttp and webpack-dev-server, which eliminates
node-forge entirely.

Changelog

CHANGELOG entry: null


Note

Medium Risk
Dependency upgrades and Lavamoat policy regeneration may affect
dev-server/test tooling and bundling behavior, though changes are
largely config/third-party updates rather than app logic.

Overview
Resolves the node-forge audit finding by upgrading mockttp to ^4.2.3 and webpack-dev-server to ^5.2.3, and removing the explicit node-forge entry from package.json.

Regenerates multiple Lavamoat policy.json files to reflect the new
dependency graphs (notably shifting async-mutex allowances to
mockttp>async-mutex, adding new @peculiar/x509 chains for mockttp,
and updating some webpack-dev-server builtin module references).
Updates the Jest setup helper to polyfill crypto.randomUUID when
missing in the test environment.

Written by Cursor Bugbot for commit 635717d. This will update automatically on new commits.


Commit 49f46cd: …remove node-forge (#41288)

Co-authored-by: metamaskbot <metamaskbot@users.noreply.github.com>
@runway-github runway-github Bot requested a review from a team as a code owner March 27, 2026 20:13
@github-actions

Copy link
Copy Markdown
Contributor

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

@metamaskbot metamaskbot added the team-bots Bot team (for MetaMask Bot, Runway Bot, etc.) label Mar 27, 2026
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Updated | webpack-dev-server@5.2.2 ⏵ 5.2.3 | 94 | 100 | 100 | 87 | 100 |
| Updated | mockttp@3.10.1 ⏵ 4.2.3 | 93 (-1) | 100 | 100 | 91 (+2) | 100 |


@socket-security

Caution

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action: Block
Severity: Medium
Alert: Network access: npm on-headers in module http

Module: http

Location: Package overview

From: npm/storybook@7.6.21, npm/webpack-dev-server@5.2.3, npm/on-headers@1.1.0


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/on-headers@1.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Action: Block
Severity: Low
Alert: Publisher changed: npm finalhandler is now published by ulisesgascon instead of wesleytodd

New Author: ulisesgascon

Previous Author: wesleytodd

From: npm/@storybook/react-webpack5@7.6.21, npm/storybook@7.6.21, npm/webpack-dev-server@5.2.3, npm/mockttp@4.2.3, npm/@metamask/test-bundler@1.0.0, npm/finalhandler@1.3.2


Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/finalhandler@1.3.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Action: Block
Severity: Low
Alert: Publisher changed: npm negotiator is now published by blakeembrey instead of wesleytodd

New Author: blakeembrey

Previous Author: wesleytodd

From: npm/storybook@7.6.21, npm/webpack-dev-server@5.2.3, npm/negotiator@0.6.4


Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/negotiator@0.6.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Action: Block
Severity: Low
Alert: Publisher changed: npm on-headers is now published by ulisesgascon instead of dougwilson

New Author: ulisesgascon

Previous Author: dougwilson

From: npm/storybook@7.6.21, npm/webpack-dev-server@5.2.3, npm/on-headers@1.1.0


Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/on-headers@1.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


@metamaskbotv2 metamaskbotv2 Bot commented Mar 27, 2026

✨ Files requiring CODEOWNER review ✨

📜 @MetaMask/policy-reviewers (13 files, +427 -242)
  • 📁 lavamoat/
    • 📁 browserify/
      • 📁 beta/
        • 📄 policy.json +19 -19
      • 📁 experimental/
        • 📄 policy.json +19 -19
      • 📁 flask/
        • 📄 policy.json +19 -19
      • 📁 main/
        • 📄 policy.json +19 -19
    • 📁 webpack/
      • 📁 build/
        • 📄 policy.json +251 -66
      • 📁 mv2/
        • 📁 beta/
          • 📄 policy.json +16 -16
        • 📁 experimental/
          • 📄 policy.json +16 -16
        • 📁 flask/
          • 📄 policy.json +16 -16
        • 📁 main/
          • 📄 policy.json +16 -16
      • 📁 mv3/
        • 📁 beta/
          • 📄 policy.json +9 -9
        • 📁 experimental/
          • 📄 policy.json +9 -9
        • 📁 flask/
          • 📄 policy.json +9 -9
        • 📁 main/
          • 📄 policy.json +9 -9

Tip

Follow the policy review process outlined in the LavaMoat Policy Review Process doc before expecting an approval from Policy Reviewers.

@HowardBraham HowardBraham merged commit 4f50401 into release/13.25.0 Mar 27, 2026
77 of 81 checks passed
@HowardBraham HowardBraham deleted the runway-cherry-pick-13.25.0-1774642402 branch March 27, 2026 20:38
@github-actions github-actions Bot locked and limited conversation to collaborators Mar 27, 2026