Release/974.0.0 #8755

Merged: cryptodev-2s merged 6 commits into main from release/974.0.0 on May 11, 2026

@cryptodev-2s cryptodev-2s commented May 11, 2026

Explanation

References

Checklist

  • I've updated the test suite for new or updated code as appropriate
  • I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
  • I've communicated my changes to consumers by updating changelogs for packages I've changed
  • I've introduced breaking changes in this PR and have prepared draft pull requests for clients and consumer packages to resolve them

Note

Medium Risk
Primarily dependency/version bumps, but it pulls in breaking major releases of @metamask/controller-utils@12 and @metamask/network-controller@31, which can break downstream typed event listeners and service policy handlers.

Overview
Bumps the monorepo release version to 974.0.0 and rolls forward many internal package versions/changelogs.

Most packages are updated to depend on @metamask/controller-utils@12.0.0 and @metamask/network-controller@31.0.0 (plus related patch bumps like @metamask/message-manager@14.1.2, @metamask/polling-controller@16.0.5, etc.), propagating the new breaking event payload/type changes through the dependency graph.

Reviewed by Cursor Bugbot for commit 898f4a8. Bugbot is set up for automated code reviews on this repo.

socket-security Bot commented May 11, 2026

Warning

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action: Warn
Severity: Medium
Alert: Network access: npm @metamask/controller-utils in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: ? → npm/@metamask/snaps-controllers@19.0.1 → npm/@metamask/snaps-utils@12.2.0 → npm/@metamask/controller-utils@11.20.0

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/controller-utils@11.20.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Restore changelog entries for prior releases that were inadvertently
reformatted by the release tooling, keeping only the 974.0.0 release
content.
@cryptodev-2s cryptodev-2s marked this pull request as ready for review May 11, 2026 09:14
@cryptodev-2s cryptodev-2s requested review from a team as code owners May 11, 2026 09:14
Comment thread packages/sample-controllers/CHANGELOG.md Outdated

@Mrtenz Mrtenz left a comment

Looks good to me other than sample-controllers needing a major bump.

Major version bump reflects the BREAKING changes in this release
(SampleGasPricesService now inherits from BaseDataService; onRetry,
onBreak, and onDegraded removed).
@cryptodev-2s cryptodev-2s requested a review from Mrtenz May 11, 2026 09:49
@cryptodev-2s cryptodev-2s enabled auto-merge May 11, 2026 09:49

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

{
"name": "@metamask/accounts-controller",
"version": "38.0.0",
"version": "38.1.0",
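
Review bot: The "version" line goes from 38.0.0 to 38.1.0, which is a minor bump, while the review comment that follows reports this package's @metamask/network-controller range moving from ^30.1.0 to ^31.0.0 in the same release, so a consumer still on ^30.x cannot take this "minor" update without also taking the major one. Suggest bumping to 39.0.0, or recording in the package changelog why the dependency change is not breaking for consumers.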

Minor/patch bumps for major dependency upgrades violate semver

High Severity

@metamask/accounts-controller is bumped from 38.0.0 to 38.1.0 (minor), but its dependency on @metamask/network-controller is bumped from ^30.1.0 to ^31.0.0 (major). Consumers who also depend on @metamask/network-controller@^30.x will face unresolvable version conflicts when upgrading to accounts-controller@38.1.0, since ^30.x and ^31.0.0 are incompatible ranges. The same pattern applies broadly: many packages (gas-fee-controller, polling-controller, ens-controller, earn-controller, multichain-network-controller, etc.) receive only patch/minor bumps while bumping major dependencies on network-controller (^30.x → ^31.0.0) and/or controller-utils (^11.x → ^12.0.0). Per the reviewer's comment, these need to be major bumps.

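The semver check described in the comment above, as an added example that is not part of the thread or of MetaMask's release tooling: it compares a manifest before and after a release and reports dependencies whose caret ranges became disjoint while the package's own version did not cross a breaking boundary. The `breakingKey` and `findUnderBumped` names and the `example-lib` entry are hypothetical; the version and `@metamask/network-controller` ranges are the ones quoted in the comment.

```javascript
// Added example (not MetaMask tooling). Handles only plain x.y.z versions and
// caret ranges; anything else throws so it is not silently skipped.

// Caret ranges allow changes to the right of the leftmost non-zero component,
// so two ranges (or versions) are compatible only if this key is equal.
function breakingKey(versionOrRange) {
  const m = /^\^?(\d+)\.(\d+)\.(\d+)$/.exec(versionOrRange);
  if (!m) throw new Error(`unsupported version or range: ${versionOrRange}`);
  const [major, minor, patch] = m.slice(1).map(Number);
  if (major > 0) return `${major}`;
  if (minor > 0) return `0.${minor}`;
  return `0.0.${patch}`;
}

// Compare a package.json before and after a release. Returns the dependencies
// whose old and new caret ranges no longer overlap while the package's own
// version stayed inside its previous compatibility window.
function findUnderBumped(before, after) {
  if (breakingKey(before.version) !== breakingKey(after.version)) return [];
  const findings = [];
  for (const [dep, newRange] of Object.entries(after.dependencies ?? {})) {
    const oldRange = (before.dependencies ?? {})[dep];
    if (oldRange && breakingKey(oldRange) !== breakingKey(newRange)) {
      findings.push({ dep, oldRange, newRange });
    }
  }
  return findings;
}

// Constructed manifests: version and network-controller ranges are the ones
// quoted in the review comment; "example-lib" is a made-up control entry.
const before = {
  name: '@metamask/accounts-controller',
  version: '38.0.0',
  dependencies: { '@metamask/network-controller': '^30.1.0', 'example-lib': '^1.2.0' },
};
const after = {
  name: '@metamask/accounts-controller',
  version: '38.1.0',
  dependencies: { '@metamask/network-controller': '^31.0.0', 'example-lib': '^1.3.0' },
};

console.log(findUnderBumped(before, after));
```

A production check would use a full semver range parser and would run over every workspace package in the release diff.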

@cryptodev-2s cryptodev-2s added this pull request to the merge queue May 11, 2026
Merged via the queue into main with commit 685b508 May 11, 2026
366 checks passed
@cryptodev-2s cryptodev-2s deleted the release/974.0.0 branch May 11, 2026 09:54