Skip to content

update#1348

Closed
Semsemq wants to merge 15 commits into
MetaMask:mainfrom
Semsemq:main
Closed

update#1348
Semsemq wants to merge 15 commits into
MetaMask:mainfrom
Semsemq:main

Conversation

@Semsemq

@Semsemq Semsemq commented Sep 20, 2025

Copy link
Copy Markdown

This PR is automatically opened to update the coverage.json file when test coverage increases. Coverage increased from % to %.

@Semsemq Semsemq requested a review from a team as a code owner September 20, 2025 19:13
cursor[bot]

This comment was marked as outdated.

@socket-security

socket-security Bot commented Sep 20, 2025

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addednpm/​@​metamask/​sdk-ui@​0.1.3751007488100
Addednpm/​@​metamask/​sdk-react@​0.3.181100749280
Addednpm/​@​metamask/​sdk-react-ui@​0.5.679100758380
Addednpm/​@​metamask/​sdk@​0.1.095100879250
Addednpm/​@​metamask/​sdk-communication-layer@​0.1.097100909050

View full report

@socket-security

socket-security Bot commented Sep 20, 2025

Copy link
Copy Markdown

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Block Medium
npm/@metamask/sdk-communication-layer@0.1.0 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: packages/devnext/package.jsonnpm/@metamask/sdk-communication-layer@0.1.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/sdk-communication-layer@0.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
npm/@metamask/sdk-communication-layer@0.1.0 has Shell access.

Module: child_process

Location: Package overview

From: packages/devnext/package.jsonnpm/@metamask/sdk-communication-layer@0.1.0

ℹ Read more on: This package | This alert | What is shell access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/sdk-communication-layer@0.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
npm/@metamask/sdk-communication-layer@0.1.0 has Network access.

Module: http

Location: Package overview

From: packages/devnext/package.jsonnpm/@metamask/sdk-communication-layer@0.1.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/sdk-communication-layer@0.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
npm/@metamask/sdk-communication-layer@0.1.0 has Network access.

Module: https

Location: Package overview

From: packages/devnext/package.jsonnpm/@metamask/sdk-communication-layer@0.1.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/sdk-communication-layer@0.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
npm/@metamask/sdk-communication-layer@0.1.0 has Network access.

Module: net

Location: Package overview

From: packages/devnext/package.jsonnpm/@metamask/sdk-communication-layer@0.1.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/sdk-communication-layer@0.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
npm/@metamask/sdk-communication-layer@0.1.0 has Network access.

Module: tls

Location: Package overview

From: packages/devnext/package.jsonnpm/@metamask/sdk-communication-layer@0.1.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/sdk-communication-layer@0.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
npm/@metamask/sdk-communication-layer@0.3.3 has Network access.

Module: http

Location: Package overview

From: ?npm/@metamask/sdk-react@0.3.1npm/@metamask/sdk-communication-layer@0.3.3

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/sdk-communication-layer@0.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
npm/@metamask/sdk-communication-layer@0.3.3 has Network access.

Module: https

Location: Package overview

From: ?npm/@metamask/sdk-react@0.3.1npm/@metamask/sdk-communication-layer@0.3.3

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/sdk-communication-layer@0.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
npm/@metamask/sdk-communication-layer@0.3.3 has Shell access.

Module: child_process

Location: Package overview

From: ?npm/@metamask/sdk-react@0.3.1npm/@metamask/sdk-communication-layer@0.3.3

ℹ Read more on: This package | This alert | What is shell access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/sdk-communication-layer@0.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
npm/@metamask/sdk-communication-layer@0.3.3 has Network access.

Module: net

Location: Package overview

From: ?npm/@metamask/sdk-react@0.3.1npm/@metamask/sdk-communication-layer@0.3.3

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/sdk-communication-layer@0.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
npm/@metamask/sdk-communication-layer@0.3.3 has Network access.

Module: tls

Location: Package overview

From: ?npm/@metamask/sdk-react@0.3.1npm/@metamask/sdk-communication-layer@0.3.3

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/sdk-communication-layer@0.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
npm/@metamask/sdk-communication-layer@0.5.3 has Network access.

Module: http

Location: Package overview

From: ?npm/@metamask/sdk-react-ui@0.5.6npm/@metamask/sdk-communication-layer@0.5.3

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/sdk-communication-layer@0.5.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
npm/@metamask/sdk-communication-layer@0.5.3 has Network access.

Module: https

Location: Package overview

From: ?npm/@metamask/sdk-react-ui@0.5.6npm/@metamask/sdk-communication-layer@0.5.3

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/sdk-communication-layer@0.5.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
npm/@metamask/sdk-communication-layer@0.5.3 has Shell access.

Module: child_process

Location: Package overview

From: ?npm/@metamask/sdk-react-ui@0.5.6npm/@metamask/sdk-communication-layer@0.5.3

ℹ Read more on: This package | This alert | What is shell access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/sdk-communication-layer@0.5.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
npm/@metamask/sdk-communication-layer@0.5.3 has Network access.

Module: net

Location: Package overview

From: ?npm/@metamask/sdk-react-ui@0.5.6npm/@metamask/sdk-communication-layer@0.5.3

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/sdk-communication-layer@0.5.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
npm/@metamask/sdk-communication-layer@0.5.3 has Network access.

Module: tls

Location: Package overview

From: ?npm/@metamask/sdk-react-ui@0.5.6npm/@metamask/sdk-communication-layer@0.5.3

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/sdk-communication-layer@0.5.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
npm/@metamask/sdk@0.1.0 has Shell access.

Module: child_process

Location: Package overview

From: packages/devnext/package.jsonnpm/@metamask/sdk@0.1.0

ℹ Read more on: This package | This alert | What is shell access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/sdk@0.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
npm/@react-native/polyfills@2.0.0 has a New author.

New Author: yungsters

Previous Author: cpojer

From: ?npm/@metamask/sdk-react@0.3.1npm/@metamask/sdk-react-ui@0.5.6npm/@react-native/polyfills@2.0.0

ℹ Read more on: This package | This alert | What is new author?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-native/polyfills@2.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
npm/deprecated-react-native-prop-types@3.0.2 has a New author.

New Author: rh389

Previous Author: yungsters

From: ?npm/@metamask/sdk-react@0.3.1npm/@metamask/sdk-react-ui@0.5.6npm/deprecated-react-native-prop-types@3.0.2

ℹ Read more on: This package | This alert | What is new author?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/deprecated-react-native-prop-types@3.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
npm/json-rpc-middleware-stream@3.0.0 has a New author.

New Author: rekmarks

Previous Author: kumavis

From: ?npm/@metamask/sdk@0.1.0npm/json-rpc-middleware-stream@3.0.0

ℹ Read more on: This package | This alert | What is new author?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/json-rpc-middleware-stream@3.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
npm/@react-native-community/cli@10.2.7 is a AI-detected potential code anomaly.

Notes: The code itself is not overtly malicious — it implements expected template installation and execution behavior for a CLI. However, it performs operations that allow execution of arbitrary code from third-party template packages (require of template.config.js and execa of a post-init script) and writes files into the user's working directory. These are legitimate features but represent a significant supply-chain and remote-code-execution risk if an attacker controls the template package or if a malicious/typosquatted package is installed. Use caution: ensure templates come from trusted sources and consider additional user prompts or verification.

Confidence: 1.00

Severity: 0.60

From: ?npm/@metamask/sdk-react@0.3.1npm/@metamask/sdk-react-ui@0.5.6npm/@react-native-community/cli@10.2.7

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@react-native-community/cli@10.2.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
npm/@walletconnect/core@2.11.0 is a AI-detected potential code anomaly.

Notes: The fragment demonstrates a legitimate attestation/verification subsystem using an embedded iframe and cross-origin messaging with persistent expiration management. The main security vulnerabilities stem from cross-origin messaging with an insecure wildcard in postMessage and reliance on external attestation endpoints. Harden cross-origin messaging by specifying exact targetOrigin, validating message sources, and restricting data exchanged via postMessage. Add input validation for attestationId/verifyUrl and minimize sensitive data in logs. Overall risk is medium; malware likelihood is low unless combined with insecure deployment practices.

Confidence: 1.00

Severity: 0.60

From: ?npm/@metamask/sdk-react@0.3.1npm/@metamask/sdk-react-ui@0.5.6npm/@walletconnect/core@2.11.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@walletconnect/core@2.11.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

cursor[bot]

This comment was marked as outdated.

cursor[bot]

This comment was marked as outdated.

@Semsemq Semsemq left a comment

Copy link
Copy Markdown
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

great

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants