fix: clean up popover capture listeners

[pedronfigueiredo]

Description

Fixes a shared Popover listener leak that retained old route trees during send/settings route churn.

Popover registered document keydown and click listeners with capture enabled, but removed them without matching capture options. Since removeEventListener matches on event type, callback, and capture flag, cleanup failed and leaked document listeners retained their React closure scope.

This PR keeps the change scoped to ui/components/component-library/popover/popover.tsx by:

• defining one shared capture listener options object
• adding document listeners only while the Popover is open and the matching callback exists
• removing those listeners with the same callback and capture options
• adding a regression test that verifies unmount cleanup uses the same listener and options captured from addEventListener

Changelog

CHANGELOG entry: null

Manual testing steps

1. Build the test extension:

   source ~/.nvm/nvm.sh && nvm use
   yarn build:test:webpack

2. The yarn llm:memory profiler is available on the separate profiler PR. With that tooling available and this branch's dist/chrome build, run:

   yarn llm:memory -- --iterations 50 --flow send-open-back --sample final --probe cdp --wait-after-flow 500 --extension-path dist/chrome
   yarn llm:memory -- --iterations 100 --flow settings-route --sample final --probe cdp --wait-after-flow 500 --extension-path dist/chrome

3. Expected post-fix profile from the prior investigation with the Snow WeakMap patch still applied:

   Flow	Before	After
   settings-route 50x	+118.91 MiB	+2.22 MiB rerun, +37 listeners
   settings-route 100x	n/a	-0.34 MiB, +34 listeners
   settings-route 50x paired heap snapshots	n/a	-5.84 MiB
   send-open-back 50x	+111.66 MiB	+0.05 MiB, +307 listeners

Validation

• source ~/.nvm/nvm.sh && nvm use && yarn test:unit ui/components/component-library/popover/popover.test.tsx
• source ~/.nvm/nvm.sh && nvm use && yarn lint:changed:fix
• source ~/.nvm/nvm.sh && nvm use && yarn webpack:tsc
• source ~/.nvm/nvm.sh && nvm use && yarn build:test:webpack

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Extension Coding Standards.
• I've completed the PR template to the best of my ability
• I've included tests if applicable
• I've documented my code using JSDoc format if applicable
• I've applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---

Note

Low Risk
Low risk: scoped to Popover’s document event listener lifecycle and adds a regression test; main risk is behavior change in when listeners are attached (only when open and handlers provided).

Overview
Fixes a Popover document-listener leak by reusing a shared capture options object and ensuring removeEventListener is called with the same callback and capture options used for addEventListener.

Listeners for keydown (Esc) and click (outside) are now only attached when the popover is open and the corresponding handler prop is provided, and a new unit test asserts the add/remove signatures match on unmount to prevent regressions.

^{Reviewed by Cursor Bugbot for commit 0ccfb58. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[metamaskbotv2]

✨ Files requiring CODEOWNER review ✨

🎨 @MetaMask/design-system-engineers (2 files, +81 -17)

• 📁 ui/
  • 📁 components/
    • 📁 component-library/
      • 📁 popover/
        • 📄 popover.test.tsx +44 -0
        • 📄 popover.tsx +37 -17

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[metamaskbotv2]

Builds ready [0ccfb58]

• ⚠️ Make sure the build is safe before downloading and running this build.
  • Please do not use these builds with accounts that contain significant real money.
  • Beware the security risks of cache poisoning.
• Webpack builds: chrome, firefox
• Webpack builds (beta): chrome, firefox
• Webpack builds (flask): chrome, firefox
• Webpack builds (test): chrome, firefox
• Webpack builds (test-flask): chrome, firefox
• bundle size: Bundle Size Stats
• bundle analyzer: Bundle Analyzer
• interaction-benchmark: Interaction Stats
• storybook: Storybook
• typescript migration: Dashboard
• all artifacts

Deprecated Browserify fallback builds

• Browserify builds: chrome, firefox
• Browserify builds (beta): chrome, firefox
• Browserify builds (flask): chrome, firefox
• Browserify builds (test): chrome, firefox
• Browserify builds (test-flask): chrome, firefox

⚡ Performance Benchmarks (Total: 🟢 15 pass · 🟡 9 warn · 🔴 0 fail)

Baseline (latest main): 51036da | Date: 5/2/2026 | Pipeline: 25933813653 | Baseline logs

Interaction Benchmarks · Samples: 5

Benchmark	chrome-webpack	firefox-webpack
loadNewAccount [Sentry log · main/release]	🟡 [CI log]	🟢 [CI log]
confirmTx [Sentry log · main/release]	🟡 [CI log]	🟢 [CI log]
bridgeUserActions [Sentry log · main/release]	🟡 [CI log]	🟢 [CI log]

📈 Results compared to the previous 5 runs on main

• ↓ loadNewAccount/load_new_account: -77%
• ↓ loadNewAccount/total: -77%
• ↓ bridgeUserActions/bridge_load_page: -37%
• ↓ bridgeUserActions/bridge_load_asset_picker: -54%
• ↓ bridgeUserActions/bridge_search_token: -30%
• ↓ bridgeUserActions/total: -36%
• ↓ loadNewAccount/load_new_account: -53%
• ↓ loadNewAccount/total: -53%
• ↓ bridgeUserActions/bridge_load_asset_picker: -36%
• ↓ bridgeUserActions/bridge_search_token: -34%
• ↓ bridgeUserActions/total: -27%

🌐 Core Web Vitals — 🟢 good · 🟡 needs improvement · 🔴 poor (web.dev thresholds)

• 🟡 loadNewAccount/FCP: p75 1.9s
• 🟡 confirmTx/FCP: p75 1.9s
• 🟡 bridgeUserActions/FCP: p75 1.9s

Startup Benchmarks · Samples: 100

Benchmark	chrome-webpack	firefox-webpack
startupStandardHome [Sentry log · main/release]	🟢 [CI log]	🟢 [CI log]
startupPowerUserHome [Sentry log · main/release]	–	🟡 [CI log]

📈 Results compared to the previous 5 runs on main

• ↓ startupStandardHome/uiStartup: -23%
• ↓ startupStandardHome/load: -18%
• ↓ startupStandardHome/domContentLoaded: -18%
• ↓ startupStandardHome/firstPaint: -42%
• ↓ startupStandardHome/backgroundConnect: -43%
• ↓ startupStandardHome/firstReactRender: -22%
• ↓ startupStandardHome/loadScripts: -18%
• ↓ startupStandardHome/numNetworkReqs: -50%
• ↓ startupStandardHome/domInteractive: -55%
• ↑ startupStandardHome/backgroundConnect: +12%
• ↑ startupStandardHome/initialActions: +20%
• ↓ startupStandardHome/setupStore: -47%
• ↓ startupStandardHome/numNetworkReqs: -45%
• ↓ startupPowerUserHome/uiStartup: -43%
• ↓ startupPowerUserHome/domInteractive: -79%
• ↓ startupPowerUserHome/backgroundConnect: -72%
• ↓ startupPowerUserHome/setupStore: -87%
• ↓ startupPowerUserHome/numNetworkReqs: -78%

🌐 Core Web Vitals — 🟢 good · 🟡 needs improvement · 🔴 poor (web.dev thresholds)

• 🟡 startupPowerUserHome/LCP: p75 3.0s

User Journey Benchmarks · Samples: 5 · mock API

Benchmark	chrome-webpack	firefox-webpack
onboardingImportWallet [Sentry log · main/release]	🟢 [CI log]	🟢 [CI log]
onboardingNewWallet [Sentry log · main/release]	🟢 [CI log]	🟢 [CI log]
assetDetails [Sentry log · main/release]	🟡 [CI log]	🟢 [CI log]
solanaAssetDetails [Sentry log · main/release]	🟡 [CI log]	🟢 [CI log]
importSrpHome [Sentry log · main/release]	🟡 [CI log]	🟢 [CI log]
sendTransactions [Sentry log · main/release]	🟡 [CI log]	🟢 [CI log]
swap [Sentry log · main/release]	🟡 [CI log]	🟢 [CI log]

📈 Results compared to the previous 5 runs on main

• ↓ onboardingImportWallet/srpButtonToSrpForm: -82%
• ↑ onboardingImportWallet/pwFormToMetricsScreen: +582%
• ↓ onboardingImportWallet/metricsToWalletReadyScreen: -32%
• ↓ onboardingImportWallet/doneButtonToHomeScreen: -80%
• ↑ onboardingImportWallet/openAccountMenuToAccountListLoaded: +26%
• ↓ onboardingImportWallet/total: -45%
• ↓ onboardingNewWallet/srpButtonToPwForm: -75%
• ↑ onboardingNewWallet/createPwToRecoveryScreen: +1141%
• ↓ onboardingNewWallet/skipBackupToMetricsScreen: -66%
• ↓ onboardingNewWallet/agreeButtonToOnboardingSuccess: -18%
• ↓ onboardingNewWallet/doneButtonToAssetList: -32%
• ↓ onboardingNewWallet/total: -28%
• ↓ assetDetails/assetClickToPriceChart: -66%
• ↓ assetDetails/total: -66%
• ↓ solanaAssetDetails/assetClickToPriceChart: -87%
• ↓ solanaAssetDetails/total: -87%
• ↓ importSrpHome/loginToHomeScreen: -37%
• ↓ importSrpHome/openAccountMenuAfterLogin: -80%
• ↓ importSrpHome/homeAfterImportWithNewWallet: -68%
• ↓ importSrpHome/total: -64%
• ↓ swap/openSwapPageFromHome: -97%
• ↑ swap/fetchAndDisplaySwapQuotes: +36%
• ↑ swap/total: +12%

🌐 Core Web Vitals — 🟢 good · 🟡 needs improvement · 🔴 poor (web.dev thresholds)

• 🟡 assetDetails/INP: p75 208ms
• 🟡 assetDetails/FCP: p75 1.8s
• 🟡 solanaAssetDetails/FCP: p75 1.9s
• 🟡 importSrpHome/FCP: p75 2.1s
• 🟡 sendTransactions/FCP: p75 1.9s
• 🟡 swap/FCP: p75 1.9s

Dapp Page Load Benchmarks · Samples: 100

Benchmark	chrome-webpack
dappPageLoad [Sentry log · main/release]	🟢 [CI log]

📈 Results compared to the previous 5 runs on main

• ↑ dappPageLoad/pageLoadTime: +26%

Bundle size diffs

• background: 58 Bytes (0%)
• ui: 0 Bytes (0%)
• common: 20 Bytes (0%)

[kirillzyusko]

It looks good, but I have 2 questions:

1. Do we need to port these changes to DSR repo? (thought popover component may be not there yet)
2. Do we need to apply the same fix for ModalContent? The code there is very similar to what we had in Popover component so decided to ask

[pedronfigueiredo]

@kirillzyusko thanks for reviewing. Popover is not on DSR yet, only PopoverHeader, so there's no listener cleanup issue there. ModalContent is similar but it does not have the leak fixed here. It already adds/removes keydown and mousedown without capture options in both calls, so listener identity matches.

[kirillzyusko]

Looks good to me! 🚀