Merge dependabot security PRs #4847

Open
mikesposito opened this issue Oct 24, 2024 · 0 comments
Comments

@mikesposito
Member

mikesposito commented Oct 24, 2024

There are several PRs from dependabot related to security vulnerabilities in repos owned by Wallet Framework (for the full list, see https://github.com/MetaMask/MetaMask-planning/issues/3540).

In some cases, merging the PR is not enough: we should also prioritize releasing the affected package and updating it in its consumers so the vulnerability is actually mitigated where the code runs. Which cases deserve that is decided by the advisory's EPSS value.

When to release the package

  • if EPSS is >= 1% then release the package and deliver to clients
  • if EPSS is < 1%
    • if the package is released (and delivered to clients) frequently then just merge the dependabot PR
    • if the package is rarely updated, release and deliver to (at least) other packages that are released more frequently, or to clients if it makes sense

To get the EPSS value

For packages we are in process of archiving
For affected packages that are in the process of being abandoned/archived, we should make sure that the related vulnerabilities have been mitigated on clients before ignoring the dependabot PR.
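The triage rule above, as an added example (not code from the issue or from any MetaMask repository): it parses the JSON shape returned by the FIRST EPSS API (`https://api.first.org/data/v1/epss?cve=...`), takes the highest EPSS across the CVEs an advisory covers, and maps it to one of the three actions listed under "When to release the package". The sample API response and CVE identifiers are constructed placeholders, not real advisories; the `fetch_epss` helper is only used when the script is run directly and is an assumption about how one would wire it up.

```python
import json
from urllib.parse import urlencode
from urllib.request import urlopen

# Threshold from the issue: EPSS >= 1% means "release and deliver to clients".
EPSS_RELEASE_THRESHOLD = 0.01

RELEASE_TO_CLIENTS = "release-and-deliver-to-clients"
MERGE_ONLY = "merge-dependabot-pr-only"
RELEASE_TO_FREQUENT_CONSUMERS = "release-and-deliver-to-frequently-released-consumers"


def parse_epss_response(body: str) -> dict[str, float]:
    """Turn the EPSS API JSON body into {cve_id: epss_probability}.

    The API returns `epss` as a decimal string (e.g. "0.000870000"), so it is
    converted to float here.
    """
    data = json.loads(body)
    return {row["cve"]: float(row["epss"]) for row in data.get("data", [])}


def triage(epss_scores: list[float], released_frequently: bool) -> str:
    """Apply the issue's decision rule to an advisory.

    `epss_scores` are the EPSS values of every CVE the advisory covers; the
    worst (highest) one drives the decision. `released_frequently` says whether
    the affected package is already released and delivered to clients often.
    """
    worst = max(epss_scores) if epss_scores else 0.0
    if worst >= EPSS_RELEASE_THRESHOLD:
        return RELEASE_TO_CLIENTS
    if released_frequently:
        return MERGE_ONLY
    # Rarely released package: get the fix at least into consumers that ship often.
    return RELEASE_TO_FREQUENT_CONSUMERS


def triage_advisory(api_body: str, cves: list[str], released_frequently: bool) -> str:
    """Look up the advisory's CVEs in a parsed API body and triage them.

    A CVE the API has no score for (not yet scored, or a typo) is treated as
    0.0, which can only make the decision less urgent; callers should notice
    missing scores rather than silently trust the result.
    """
    scores = parse_epss_response(api_body)
    return triage([scores.get(cve, 0.0) for cve in cves], released_frequently)


def fetch_epss(cves: list[str]) -> str:
    """Fetch raw JSON for the given CVEs from the FIRST EPSS API (network call)."""
    url = "https://api.first.org/data/v1/epss?" + urlencode({"cve": ",".join(cves)})
    with urlopen(url, timeout=10) as resp:  # assumption: plain HTTPS GET is enough
        return resp.read().decode("utf-8")


# Constructed sample response in the API's shape; the CVE ids are placeholders.
SAMPLE_EPSS_RESPONSE = json.dumps({
    "status": "OK",
    "status-code": 200,
    "version": "1.0",
    "total": 2,
    "data": [
        {"cve": "CVE-0000-00001", "epss": "0.000870000", "percentile": "0.38", "date": "2024-10-24"},
        {"cve": "CVE-0000-00002", "epss": "0.034200000", "percentile": "0.91", "date": "2024-10-24"},
    ],
})


if __name__ == "__main__":
    # Advisory covering both placeholder CVEs in a rarely released package:
    # the 3.4% score pushes it to a full release.
    print(triage_advisory(SAMPLE_EPSS_RESPONSE, ["CVE-0000-00001", "CVE-0000-00002"], False))
    # Only the low-scoring CVE, in a package that ships often: just merge the PR.
    print(triage_advisory(SAMPLE_EPSS_RESPONSE, ["CVE-0000-00001"], True))
```

Using the maximum EPSS across the advisory's CVEs is deliberate: one exploitable CVE is enough to warrant the release, regardless of how low the others score.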

PR List

@mcmire mcmire self-assigned this Nov 26, 2024
@cryptodev-2s cryptodev-2s removed their assignment Dec 4, 2024
@desi desi assigned mikesposito and unassigned MajorLift and mikesposito Dec 5, 2024
github-merge-queue bot pushed a commit to MetaMask/metamask-extension that referenced this issue Feb 6, 2025
<!--
Please submit this PR as a draft initially.
Do not mark it as "Ready for review" until the template has been
completely filled out, and PR status checks have passed at least once.
-->

## **Description**

<!--
Write a short description of the changes included in this pull request,
also include relevant motivation and context. Have in mind the following
questions:
1. What is the reason for the change?
2. What is the improvement/solution?
-->
This is a lock-only change to update `express` to a version higher than
`4.19.2`, according to this security advisory:
https://github.com/MetaMask/metamask-extension/security/dependabot/157

[![Open in GitHub
Codespaces](https://github.com/codespaces/badge.svg)](https://codespaces.new/MetaMask/metamask-extension/pull/29708?quickstart=1)

## **Related issues**

Related: MetaMask/core#4847

## **Manual testing steps**

1. Go to this page...
2.
3.

## **Screenshots/Recordings**

<!-- If applicable, add screenshots and/or recordings to visualize the
before and after of your change. -->

### **Before**

<!-- [screenshots/recordings] -->

### **After**

<!-- [screenshots/recordings] -->

## **Pre-merge author checklist**

- [ ] I've followed [MetaMask Contributor
Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask
Extension Coding
Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md).
- [ ] I've completed the PR template to the best of my ability
- [ ] I’ve included tests if applicable
- [ ] I’ve documented my code using [JSDoc](https://jsdoc.app/) format
if applicable
- [ ] I’ve applied the right labels on the PR (see [labeling
guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)).
Not required for external contributors.

## **Pre-merge reviewer checklist**

- [ ] I've manually tested the PR (e.g. pull and build branch, run the
app, test code being changed).
- [ ] I confirm that this PR addresses all acceptance criteria described
in the ticket it closes and includes the necessary testing evidence such
as recordings and or screenshots.

---------

Co-authored-by: MetaMask Bot <[email protected]>
github-merge-queue bot pushed a commit to MetaMask/metamask-mobile that referenced this issue Feb 11, 2025
<!--
Please submit this PR as a draft initially.
Do not mark it as "Ready for review" until the template has been
completely filled out, and PR status checks have passed at least once.
-->

## **Description**

<!--
Write a short description of the changes included in this pull request,
also include relevant motivation and context. Have in mind the following
questions:
1. What is the reason for the change?
2. What is the improvement/solution?
-->
This PR bumps `elliptic` in the dependency tree to mitigate the
following security advisories:
- https://github.com/MetaMask/metamask-mobile/security/dependabot/154
- https://github.com/MetaMask/metamask-mobile/security/dependabot/146
- https://github.com/MetaMask/metamask-mobile/security/dependabot/129
- https://github.com/MetaMask/metamask-mobile/security/dependabot/128
- https://github.com/MetaMask/metamask-mobile/security/dependabot/127
    
The closest version that mitigates all the above advisories is `6.6.0`.

Currently on `main`, these are the versions we have for `elliptic`:
```bash
> yarn why elliptic
=> Found "[email protected]"
info Has been hoisted to "elliptic"
info Reasons this module exists
   - Hoisted from "@WalletConnect#utils#elliptic"
   - Hoisted from "@MetaMask#ppom-validator#elliptic"
   - Hoisted from "secp256k1#elliptic"
   - Hoisted from "ethereumjs-abi#ethereumjs-util#elliptic"
   - Hoisted from "react-native-crypto#create-ecdh#elliptic"
   - Hoisted from "react-native-crypto#browserify-sign#elliptic"
   - Hoisted from "ethereumjs-util#secp256k1#elliptic"
info Disk size without dependencies: "288KB"
info Disk size with unique dependencies: "656KB"
info Disk size with transitive dependencies: "656KB"
info Number of shared dependencies: 7
=> Found "@ethersproject/signing-key#[email protected]"
info This module exists because "ethers#@ethersproject#signing-key" depends on it.
info Disk size without dependencies: "288KB"
info Disk size with unique dependencies: "656KB"
info Disk size with transitive dependencies: "656KB"
info Number of shared dependencies: 7
=> Found "@reown/walletkit#[email protected]"
info Reasons this module exists
   - "@WalletConnect#se-sdk#@Reown#walletkit#@WalletConnect#utils" depends on it
   - Hoisted from "@WalletConnect#se-sdk#@Reown#walletkit#@WalletConnect#utils#elliptic"
info Disk size without dependencies: "172KB"
info Disk size with unique dependencies: "540KB"
info Disk size with transitive dependencies: "540KB"
info Number of shared dependencies: 7
=> Found "@walletconnect/sign-client#[email protected]"
info Reasons this module exists
   - "@WalletConnect#se-sdk#@Reown#walletkit#@WalletConnect#sign-client#@WalletConnect#utils" depends on it
   - Hoisted from "@WalletConnect#se-sdk#@Reown#walletkit#@WalletConnect#sign-client#@WalletConnect#utils#elliptic"
info Disk size without dependencies: "172KB"
info Disk size with unique dependencies: "540KB"
info Disk size with transitive dependencies: "540KB"
info Number of shared dependencies: 7
```

The added resolution forces the package to `^6.6.0`, which currently
resolves to `6.6.1`.

## **Related issues**

Related: MetaMask/core#4847

## **Manual testing steps**

1. Go to this page...
2.
3.

## **Screenshots/Recordings**

<!-- If applicable, add screenshots and/or recordings to visualize the
before and after of your change. -->

### **Before**

<!-- [screenshots/recordings] -->

### **After**

<!-- [screenshots/recordings] -->

## **Pre-merge author checklist**

- [ ] I’ve followed [MetaMask Contributor
Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile
Coding
Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md).
- [ ] I've completed the PR template to the best of my ability
- [ ] I’ve included tests if applicable
- [ ] I’ve documented my code using [JSDoc](https://jsdoc.app/) format
if applicable
- [ ] I’ve applied the right labels on the PR (see [labeling
guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)).
Not required for external contributors.

## **Pre-merge reviewer checklist**

- [ ] I've manually tested the PR (e.g. pull and build branch, run the
app, test code being changed).
- [ ] I confirm that this PR addresses all acceptance criteria described
in the ticket it closes and includes the necessary testing evidence such
as recordings and or screenshots.

---------

Co-authored-by: Mark Stacey <[email protected]>
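The commit message above checks `yarn why elliptic` by hand to see which copies of `elliptic` are in the tree and then adds a `resolutions` entry. The script below is an added example (not code from the issue or from the metamask-mobile repository) that automates that check: it parses the `=> Found "..."` lines of yarn v1's `yarn why` output, compares every copy's version against the minimum fixed version, and emits the `resolutions` entry to add to `package.json`. The `yarn why` transcript used as input is constructed for the example (the page's own output had its version numbers scrubbed by extraction), and the version numbers in it are placeholders, not the repository's real state.

```python
import re

# yarn v1 prints one of these per distinct copy of the package, e.g.
#   => Found "elliptic@6.5.4"
#   => Found "@ethersproject/signing-key#elliptic@6.5.4"
FOUND_RE = re.compile(r'^=> Found "(?P<spec>[^"]+)"$')


def parse_version(version: str) -> tuple[int, ...]:
    """Compare release versions numerically; pre-release/build suffixes are dropped."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def found_versions(yarn_why_output: str, package: str) -> list[tuple[str, str]]:
    """Return (spec, version) for every copy of `package` that `yarn why` lists."""
    copies = []
    for line in yarn_why_output.splitlines():
        match = FOUND_RE.match(line.strip())
        if not match:
            continue
        spec = match.group("spec")
        # The last '#'-separated segment is the package itself; the rest is the
        # nesting path that kept this copy from being hoisted.
        leaf = spec.rsplit("#", 1)[-1]
        name, _, version = leaf.rpartition("@")
        if name == package:
            copies.append((spec, version))
    return copies


def unfixed_copies(yarn_why_output: str, package: str, min_fixed: str) -> list[tuple[str, str]]:
    """Copies whose version is below the first version that mitigates the advisories."""
    floor = parse_version(min_fixed)
    return [
        (spec, version)
        for spec, version in found_versions(yarn_why_output, package)
        if parse_version(version) < floor
    ]


def resolution_entry(package: str, min_fixed: str) -> dict:
    """The `resolutions` fragment that pins every copy to the fixed range."""
    return {"resolutions": {package: f"^{min_fixed}"}}


# Constructed `yarn why` transcript with placeholder versions (not the repo's real state).
SAMPLE_BEFORE = """\
> yarn why elliptic
=> Found "elliptic@6.5.4"
info Has been hoisted to "elliptic"
info Reasons this module exists
   - Hoisted from "secp256k1#elliptic"
=> Found "@ethersproject/signing-key#elliptic@6.5.4"
info This module exists because "ethers#@ethersproject#signing-key" depends on it.
=> Found "@reown/walletkit#elliptic@6.5.7"
info Number of shared dependencies: 7
"""

# Same shape after a `resolutions` pin, with every copy on the fixed range.
SAMPLE_AFTER = """\
> yarn why elliptic
=> Found "elliptic@6.6.1"
info Has been hoisted to "elliptic"
"""


if __name__ == "__main__":
    for spec, version in unfixed_copies(SAMPLE_BEFORE, "elliptic", "6.6.0"):
        print(f"still vulnerable: {spec} ({version} < 6.6.0)")
    print("add to package.json:", resolution_entry("elliptic", "6.6.0"))
    print("after pin, unfixed:", unfixed_copies(SAMPLE_AFTER, "elliptic", "6.6.0"))
```

Re-running the check on `yarn why` output after the lockfile change is the useful part: a `resolutions` pin only mitigates the advisories if no nested copy below the fixed version survives.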
github-merge-queue bot pushed a commit to MetaMask/metamask-extension that referenced this issue Feb 14, 2025
<!--
Please submit this PR as a draft initially.
Do not mark it as "Ready for review" until the template has been
completely filled out, and PR status checks have passed at least once.
-->

## **Description**

<!--
Write a short description of the changes included in this pull request,
also include relevant motivation and context. Have in mind the following
questions:
1. What is the reason for the change?
2. What is the improvement/solution?
-->
This is a lock-only change to update `express` to a version higher than
`4.19.2`, according to this security advisory:
https://github.com/MetaMask/metamask-extension/security/dependabot/157

[![Open in GitHub
Codespaces](https://github.com/codespaces/badge.svg)](https://codespaces.new/MetaMask/metamask-extension/pull/29708?quickstart=1)

## **Related issues**

Related: MetaMask/core#4847

## **Manual testing steps**

1. Go to this page...
2.
3.

## **Screenshots/Recordings**

<!-- If applicable, add screenshots and/or recordings to visualize the
before and after of your change. -->

### **Before**

<!-- [screenshots/recordings] -->

### **After**

<!-- [screenshots/recordings] -->

## **Pre-merge author checklist**

- [ ] I've followed [MetaMask Contributor
Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask
Extension Coding
Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md).
- [ ] I've completed the PR template to the best of my ability
- [ ] I’ve included tests if applicable
- [ ] I’ve documented my code using [JSDoc](https://jsdoc.app/) format
if applicable
- [ ] I’ve applied the right labels on the PR (see [labeling
guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)).
Not required for external contributors.

## **Pre-merge reviewer checklist**

- [ ] I've manually tested the PR (e.g. pull and build branch, run the
app, test code being changed).
- [ ] I confirm that this PR addresses all acceptance criteria described
in the ticket it closes and includes the necessary testing evidence such
as recordings and or screenshots.

---------

Co-authored-by: MetaMask Bot <[email protected]>
Co-authored-by: Elliot Winkler <[email protected]>
PatrykLucka pushed a commit to MetaMask/metamask-extension that referenced this issue Feb 19, 2025