Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix(deps): Bump @metamask/eth-json-rpc-middleware to ^14.0.0, @metamask/transaction-controller to ^35.1.1 #26143

Merged
merged 27 commits into from
Aug 21, 2024

Conversation

MajorLift
Copy link
Contributor

@MajorLift MajorLift commented Jul 25, 2024

Description

Updates @metamask/eth-json-rpc-middleware from ^12.1.1 to ^14.0.0.

  • This version bump comes with a large number of regressions, most of them type errors.
  • This is because the package's dependencies are also updated by multiple major versions, and the changes include improved, stricter types (especially in @metamask/utils).

Open in GitHub Codespaces

Related issues

Changelog

Added

  • Add and export PPOMMiddlewareRequest type for JsonRpcRequest types that include the securityAlertResponse property.
    • securityAlertResponse is defined as both optional and nullable.
  • Add PPOMRequest type for eth-sendTransaction requests.

Changed

  • BREAKING: Bump @metamask/eth-json-rpc-middleware from ^12.1.1 to ^14.0.0.
  • BREAKING: Bump @metamask/transaction-controller from ^34.0.0 to ^35.1.1.
  • BREAKING: Redefine SecurityAlertsAPIRequest as a JsonRpcRequest type that accepts unknown[] as its params type.
  • Widen the request parameters of the functions validateWithController and validateWithAPI to include SecurityAlertsAPIRequest.
  • Bump @trezor/connect-web from 9.2.2 to 9.3.0.

Fixed

  • BREAKING: Narrow Params generic parameter of createPPOMMiddleware function from JsonRpcParams to (string | { to: string })[].
  • Add Params generic parameter to handleSnapRequest function, which defaults to JsonRpcParams.
    • handleSnapRequest can now be typed correctly with any params object.

Security

  • BREAKING: Typed signature validation only replaces 0X prefix with 0x, and contract address normalization is removed for decimal and octal values.
    • Threat actors have been manipulating eth_signTypedData_v4 fields to cause failures in blockaid's detectors.
    • Extension crashes with an error when performing Malicious permit with a non-0x prefixed integer address.
    • This fixes an issue where the key value row or petname component disappears if a signed address is prefixed by "0X" instead of "0x".

Manual testing steps

Screenshots/Recordings

Pre-merge author checklist

Pre-merge reviewer checklist

  • I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
  • I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

Copy link
Contributor

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

@legobeat
Copy link
Contributor

legobeat commented Jul 25, 2024

As this is updating transitive @metamask/eth-block-tracker from v9 to v11, I guess it makes sense to look at updating to that in general?

Related (blocking? not sure):

@MajorLift MajorLift force-pushed the bump/eth-json-rpc-provider-14.0.0 branch 3 times, most recently from 04c7968 to 67468d3 Compare July 31, 2024 16:02

This comment was marked as resolved.

@MajorLift

This comment was marked as outdated.

@MajorLift

This comment was marked as outdated.

@MajorLift MajorLift force-pushed the bump/eth-json-rpc-provider-14.0.0 branch from faea0b2 to 176f838 Compare July 31, 2024 16:25
@MajorLift

This comment was marked as resolved.

@metamaskbot

This comment was marked as resolved.

@MajorLift MajorLift force-pushed the bump/eth-json-rpc-provider-14.0.0 branch 2 times, most recently from 4f2217c to 4abc716 Compare July 31, 2024 20:19
@MajorLift MajorLift added the team-confirmations Push issues to confirmations team label Aug 1, 2024
@MajorLift MajorLift force-pushed the bump/eth-json-rpc-provider-14.0.0 branch from 4abc716 to 520ac80 Compare August 1, 2024 21:19
@MajorLift MajorLift force-pushed the bump/eth-json-rpc-provider-14.0.0 branch 2 times, most recently from 38d7512 to c6c724a Compare August 12, 2024 19:51
@MajorLift

This comment was marked as resolved.

This comment was marked as resolved.

@MajorLift
Copy link
Contributor Author

MajorLift commented Aug 12, 2024

@SocketSecurity ignore npm/@storybook/addon-actions@7.6.20, npm/@storybook/addon-docs@7.6.20, npm/@storybook/blocks@7.6.20, npm/@storybook/channels@7.6.20, npm/@storybook/client-logger@7.6.20, npm/@storybook/components@7.6.20, npm/@storybook/core-client@7.6.20, npm/@storybook/core-common@7.6.20, npm/@storybook/core-events@7.6.20, npm/@storybook/csf-plugin@7.6.20, npm/@storybook/csf-tools@7.6.20, npm/@storybook/docs-tools@7.6.20, npm/@storybook/manager-api@7.6.20, npm/@storybook/node-logger@7.6.20, npm/@storybook/postinstall@7.6.20, npm/@storybook/preview-api@7.6.20, npm/@storybook/react-dom-shim@7.6.20, npm/@storybook/react@7.6.20, npm/@storybook/router@7.6.20, npm/@storybook/theming@7.6.20, npm/@storybook/types@7.6.20

@storybook

@MajorLift
Copy link
Contributor Author

@SocketSecurity ignore npm/@metamask/eth-block-tracker@11.0.1, npm/lavamoat-core@15.4.0, npm/lavamoat-tofu@7.3.0

Internal packages

@metamaskbot

This comment was marked as outdated.

@MajorLift MajorLift force-pushed the bump/eth-json-rpc-provider-14.0.0 branch from 3a41bd3 to 4fa246f Compare August 13, 2024 16:29
@MajorLift

This comment was marked as outdated.

@MajorLift
Copy link
Contributor Author

@SocketSecurity ignore npm/diff@5.2.0
benign author change

@metamaskbot

This comment was marked as outdated.

@metamaskbot

This comment was marked as duplicate.

@metamaskbot

This comment was marked as outdated.

@metamaskbot
Copy link
Collaborator

Builds ready [3c40934]
Page Load Metrics (86 ± 20 ms)
PlatformPageMetricMin (ms)Max (ms)Average (ms)StandardDeviation (ms)MarginOfError (ms)
ChromeHomefirstPaint632691114321
domContentLoaded41240824321
load48241864120
domInteractive10147343115
Bundle size diffs [🚨 Warning! Bundle size has increased!]
  • background: 192.1 KiB (5.77%)
  • ui: 120 Bytes (0.00%)
  • common: 207.83 KiB (2.64%)

@MajorLift
Copy link
Contributor Author

MajorLift commented Aug 20, 2024

@legobeat I bumped @metamask/transaction-controller to latest (3c40934), but it looks like there are additional blockers for this:

  • @metamask/eth-token-tracker@9.0.0 is on @metamask/eth-block-tracker@10.0.0
  • @metamask/network-controller@20.2.0 is on @metamask/eth-block-tracker@9.0.3

Given that we might not have time to fully upgrade eth-block-tracker in this PR (it needs to be merged urgently), how would you feel about extracting the transaction-controller version bump to a separate ticket?

@MajorLift
Copy link
Contributor Author

MajorLift commented Aug 20, 2024

@bschorchit Thanks for checking in on this. We're just waiting on review and approval especially from codeowners.

I just bumped this to priority-2 priority-1 on the PR review queue, and I'll make a post today requesting another round of reviews.

@MajorLift MajorLift changed the title fix(deps): Bump @metamask/eth-json-rpc-middleware from ^12.1.1 to ^14.0.0 fix(deps): Bump @metamask/eth-json-rpc-middleware to ^14.0.0, @metamask/transaction-controller to ^35.1.1 Aug 20, 2024
@MajorLift MajorLift added the release-blocker This bug is blocking the next release label Aug 20, 2024
gantunesr
gantunesr previously approved these changes Aug 20, 2024
Copy link
Member

@gantunesr gantunesr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Approved for team-accounts.

Files reviewed,

  • app/scripts/lib/accounts/BalancesController.ts
  • app/scripts/lib/snap-keyring/snap-keyring.test.ts

@@ -5,8 +5,8 @@ import BitcoinWalletSnap from '@metamask/bitcoin-wallet-snap/dist/preinstalled-s
///: END:ONLY_INCLUDE_IF

// The casts here are less than ideal but we expect the SnapController to validate the inputs.
const PREINSTALLED_SNAPS: readonly PreinstalledSnap[] = Object.freeze([
MessageSigningSnap as unknown as PreinstalledSnap,
const PREINSTALLED_SNAPS = Object.freeze<PreinstalledSnap[]>([
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
const PREINSTALLED_SNAPS = Object.freeze<PreinstalledSnap[]>([
const PREINSTALLED_SNAPS = Object.freeze<ReadOnlyArray<PreinstalledSnap>>([

Can we do this instead since before the type was readonly?

Copy link
Contributor Author

@MajorLift MajorLift Aug 20, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This would be redundant since the return type of Object.freeze<T> is readonly T. By hovering over PREINSTALLED_SNAPS, you can verify that its type is readonly PreinstalledSnap[] like before.

If we want to be extra careful about validating the type maybe we could add a satisfies clause to replace the type annotation that was originally there?

diff --git a/app/scripts/snaps/preinstalled-snaps.ts b/app/scripts/snaps/preinstalled-snaps.ts
index 6be0bb7f35..95b9c54e69 100644
--- a/app/scripts/snaps/preinstalled-snaps.ts
+++ b/app/scripts/snaps/preinstalled-snaps.ts
@@ -10,6 +10,6 @@ const PREINSTALLED_SNAPS = Object.freeze<PreinstalledSnap[]>([
   ///: BEGIN:ONLY_INCLUDE_IF(build-flask)
   BitcoinWalletSnap as unknown as PreinstalledSnap,
   ///: END:ONLY_INCLUDE_IF
-]);
+]) satisfies readonly PreinstalledSnap[];
 
 export default PREINSTALLED_SNAPS;

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bug report

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@daniela2000111 Is there a bug related to the changes in preinstalled-snaps.ts?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ah yes that's correct! Fine to leave as is :)

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Curious about this bug report ^

@MajorLift

This comment was marked as resolved.

Copy link

AccountWatcherSnap as unknown as PreinstalledSnap,
const PREINSTALLED_SNAPS = Object.freeze<PreinstalledSnap[]>([
MessageSigningSnap as PreinstalledSnap,
AccountWatcherSnap as PreinstalledSnap,
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@k-g-j I removed an as unknown as cast introduced in #26402 while merging develop into this branch.

@metamaskbot

This comment was marked as resolved.

@metamaskbot
Copy link
Collaborator

Builds ready [4d13778]
Page Load Metrics (67 ± 7 ms)
PlatformPageMetricMin (ms)Max (ms)Average (ms)StandardDeviation (ms)MarginOfError (ms)
ChromeHomefirstPaint64149952311
domContentLoaded419463157
load4510167157
domInteractive96227147
Bundle size diffs [🚨 Warning! Bundle size has increased!]
  • background: 192.1 KiB (5.72%)
  • ui: 120 Bytes (0.00%)
  • common: 208.37 KiB (2.54%)

@legobeat
Copy link
Contributor

legobeat commented Aug 20, 2024

@legobeat I bumped @metamask/transaction-controller to latest (3c40934), but it looks like there are additional blockers for this:

* `@metamask/eth-token-tracker@9.0.0` is on `@metamask/eth-block-tracker@10.0.0`

* `@metamask/network-controller@20.2.0` is on `@metamask/eth-block-tracker@9.0.3`

Given that we might not have time to fully upgrade eth-block-tracker in this PR (it needs to be merged urgently), how would you feel about extracting the transaction-controller version bump to a separate ticket?

@legobeat
Copy link
Contributor

legobeat commented Aug 21, 2024

@SocketSecurity ignore npm/@storybook/addon-actions@7.6.20, npm/@storybook/addon-docs@7.6.20, npm/@storybook/blocks@7.6.20, npm/@storybook/channels@7.6.20, npm/@storybook/client-logger@7.6.20, npm/@storybook/components@7.6.20, npm/@storybook/core-client@7.6.20, npm/@storybook/core-common@7.6.20, npm/@storybook/core-events@7.6.20, npm/@storybook/csf-plugin@7.6.20, npm/@storybook/csf-tools@7.6.20, npm/@storybook/docs-tools@7.6.20, npm/@storybook/manager-api@7.6.20, npm/@storybook/node-logger@7.6.20, npm/@storybook/postinstall@7.6.20, npm/@storybook/preview-api@7.6.20, npm/@storybook/react-dom-shim@7.6.20, npm/@storybook/react@7.6.20, npm/@storybook/router@7.6.20, npm/@storybook/theming@7.6.20, npm/@storybook/types@7.6.20

@storybook

@MajorLift What is the context behind bumping some @storybook/ packages from 7.6.19 to 7.6.20 as part of this PR?

There are still 7.6.19 versions remaining through transitive pins, with many now being duplicated. Would either of these options be reasonable?

  1. Revert @storybook/ bumps in lockfile in this PR to stay on 7.6.19 for the time being
  2. Break out full 7.6.20 upgrade in a separate PR

@benjisclowder benjisclowder merged commit 27655eb into develop Aug 21, 2024
78 checks passed
@benjisclowder benjisclowder deleted the bump/eth-json-rpc-provider-14.0.0 branch August 21, 2024 08:19
@github-actions github-actions bot locked and limited conversation to collaborators Aug 21, 2024
@github-actions github-actions bot removed the needs-dev-review PR needs reviews from other engineers (in order to receive required approvals) label Aug 21, 2024
@metamaskbot metamaskbot added the release-12.5.0 Issue or pull request that will be included in release 12.5.0 label Aug 21, 2024
@metamaskbot metamaskbot removed the release-12.5.0 Issue or pull request that will be included in release 12.5.0 label Sep 3, 2024
@metamaskbot
Copy link
Collaborator

More than one release label on PR. Keeping the lowest one (release-12.1.0) on PR and removing other release labels (release-12.5.0).

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
release-12.1.0 Issue or pull request that will be included in release 12.1.0 release-blocker This bug is blocking the next release team-confirmations Push issues to confirmations team team-wallet-framework
Projects
Archived in project
Development

Successfully merging this pull request may close these issues.

chore(deps): Bump @metamask/eth-json-rpc-middleware from ^12.1.1 to ^14.0.0