chore(runway): cherry-pick dbdf5b0 by runway-github[bot] · Pull Request #29244 · MetaMask/metamask-mobile

runway-github · 2026-04-23T10:18:56Z

chore(ci): bump xmldom & ignore uuid advisory to address ci audit failure (chore(ci): bump xmldom & ignore uuid advisory to address ci audit failure #29222)

Description

uuid version update in progress
https://consensyssoftware.atlassian.net/browse/MCWP-557

Changelog

CHANGELOG entry: null

Related issues

Fixes: https://consensyssoftware.atlassian.net/browse/MCWP-556

Manual testing steps

Feature: my feature name

  Scenario: user [verb for user action]
    Given [describe expected initial app state]

    When user [verb for user action]
    Then [describe expected outcome]

Screenshots/Recordings

Before

After

Pre-merge author checklist

I've followed MetaMask Contributor
Docs and MetaMask Mobile
Coding
Standards.
I've completed the PR template to the best of my ability
I've included tests if applicable
I've documented my code using JSDoc format
if applicable
I've applied the right labels on the PR (see labeling
guidelines).
Not required for external contributors.

Performance checks (if applicable)

I've tested on Android
- Ideally on a mid-range device; emulator is acceptable
I've tested with a power user scenario
Use these power-user
SRPs
to import wallets with many accounts and tokens
I've instrumented key operations with Sentry traces for production
performance metrics
See trace() for usage and
addToken
for an example

For performance guidelines and tooling, see the Performance
Guide.

Pre-merge reviewer checklist

I've manually tested the PR (e.g. pull and build branch, run the
app, test code being changed).
I confirm that this PR addresses all acceptance criteria described
in the ticket it closes and includes the necessary testing evidence such
as recordings and or screenshots. dbdf5b0

…ory to address ci audit failure (#29222)  ## **Description**  uuid version update in progress https://consensyssoftware.atlassian.net/browse/MCWP-557 ## **Changelog**  CHANGELOG entry: null ## **Related issues** Fixes: https://consensyssoftware.atlassian.net/browse/MCWP-556 ## **Manual testing steps** ```gherkin Feature: my feature name Scenario: user [verb for user action] Given [describe expected initial app state] When user [verb for user action] Then [describe expected outcome] ``` ## **Screenshots/Recordings**  ### **Before**  ### **After**  ## **Pre-merge author checklist**  - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [x] I've included tests if applicable - [x] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [ ] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. #### Performance checks (if applicable) - [ ] I've tested on Android - Ideally on a mid-range device; emulator is acceptable - [ ] I've tested with a power user scenario - Use these [power-user SRPs](https://consensyssoftware.atlassian.net/wiki/spaces/TL1/pages/edit-v2/401401446401?draftShareId=9d77e1e1-4bdc-4be1-9ebb-ccd916988d93) to import wallets with many accounts and tokens - [ ] I've instrumented key operations with Sentry traces for production performance metrics - See [`trace()`](/app/util/trace.ts) for usage and [`addToken`](/app/components/Views/AddAsset/components/AddCustomToken/AddCustomToken.tsx#L274) for an example For performance guidelines and tooling, see the [Performance Guide](https://consensyssoftware.atlassian.net/wiki/spaces/TL1/pages/400085549067/Performance+Guide+for+Engineers). ## **Pre-merge reviewer checklist**  - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

github-actions · 2026-04-23T10:19:06Z

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

chloeYue

LGTM

github-actions · 2026-04-23T10:20:30Z

🔍 Smart E2E Test Selection

Selected E2E tags: None (no tests recommended)
Selected Performance tags: None (no tests recommended)
Risk Level: low
AI Confidence: 92%

click to see 🤖 AI reasoning details

E2E Test Selection:
The PR contains three very low-risk changes:

@xmldom/xmldom patch bump (^0.8.12 → ^0.8.13): This library is used in exactly one place — app/util/favicon/index.ts — for parsing HTML to extract favicon URLs from dApp websites. This is a minor patch update with no breaking changes expected. The favicon utility is a non-critical helper that fetches and caches favicons for the browser. No E2E test flows depend on favicon correctness.
.yarnrc.yml audit advisory suppression: Adding advisory 1116970 (uuid buffer bounds check for v3/v5/v6) to the ignore list. The comment explicitly notes the app uses v4 and v1 which are unaffected. This is a pure CI/audit configuration change with zero runtime impact.
yarn.lock: Lock file update reflecting the xmldom version bump.

No core functionality, controllers, navigation, confirmations, accounts, networks, or any user-facing flows are affected. The changes are purely a dependency patch update and a security advisory suppression. Running E2E tests would provide no additional safety signal for these changes.

Performance Test Selection:
The xmldom patch update only affects favicon HTML parsing, which is a non-critical background utility. No performance-sensitive code paths (rendering, state management, account/network lists, app startup) are touched. No performance tests are warranted.

View GitHub Actions results

socket-security · 2026-04-23T10:21:24Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/@xmldom/xmldom@0.8.12 ⏵ 0.8.13		⁺⁴⁰	⁺¹	⁺⁴

View full report

codecov-commenter · 2026-04-23T10:45:11Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
⚠️ Please upload report for BASE (release/7.73.2@651902c). Learn more about missing BASE report.

Additional details and impacted files

@@                Coverage Diff                @@
##             release/7.73.2   #29244   +/-   ##
=================================================
  Coverage                  ?   82.91%           
=================================================
  Files                     ?     4877           
  Lines                     ?   126521           
  Branches                  ?    28371           
=================================================
  Hits                      ?   104903           
  Misses                    ?    14404           
  Partials                  ?     7214

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

sonarqubecloud · 2026-04-23T10:46:09Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

metamaskbotv2 Bot added the team-bots Bot team (for MetaMask Bot, Runway Bot, etc.) label Apr 23, 2026

chloeYue approved these changes Apr 23, 2026

View reviewed changes

github-actions Bot added size-XS risk-low Low testing needed · Low bug introduction risk labels Apr 23, 2026

chloeYue merged commit 6b85848 into release/7.73.2 Apr 23, 2026
59 checks passed

chloeYue deleted the runway-cherry-pick-7.73.2-1776939529 branch April 23, 2026 10:51

github-actions Bot locked and limited conversation to collaborators Apr 23, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore(runway): cherry-pick dbdf5b0#29244

chore(runway): cherry-pick dbdf5b0#29244
chloeYue merged 1 commit into
release/7.73.2from
runway-cherry-pick-7.73.2-1776939529

runway-github Bot commented Apr 23, 2026

Uh oh!

github-actions Bot commented Apr 23, 2026

Uh oh!

chloeYue left a comment

Uh oh!

github-actions Bot commented Apr 23, 2026

Uh oh!

socket-security Bot commented Apr 23, 2026

Uh oh!

codecov-commenter commented Apr 23, 2026

Uh oh!

sonarqubecloud Bot commented Apr 23, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Uh oh!

Conversation

runway-github Bot commented Apr 23, 2026

Description

Changelog

Related issues

Manual testing steps

Screenshots/Recordings

Before

After

Pre-merge author checklist

Performance checks (if applicable)

Pre-merge reviewer checklist

Uh oh!

github-actions Bot commented Apr 23, 2026

Uh oh!

chloeYue left a comment

Choose a reason for hiding this comment

Uh oh!

github-actions Bot commented Apr 23, 2026

🔍 Smart E2E Test Selection

Uh oh!

socket-security Bot commented Apr 23, 2026

Uh oh!

codecov-commenter commented Apr 23, 2026

Codecov Report

Uh oh!

sonarqubecloud Bot commented Apr 23, 2026

Quality Gate passed

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants