This repository was archived by the owner on Oct 16, 2025. It is now read-only.

Conversation

@jiexi
Contributor

@jiexi jiexi commented Oct 15, 2025

This reverts commit 5391380.

This breaking change is blocking a release fix that will include:

  1. Revert "fix: ensure middleware uses latest block number (#416)" #421
  2. bump eth-block-tracker to 12.2.1 #422

Will re-add this commit after those two PRs are merged and a patch release is cut.

@jiexi jiexi requested review from a team as code owners October 15, 2025 17:21
@socket-security

socket-security bot commented Oct 15, 2025

Warning

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action | Severity | Alert
Warn Medium
@babel/helpers@7.23.5 has a Medium CVE.

CVE: GHSA-968p-4wvh-cqc8 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups (MODERATE)

Affected versions: < 7.26.10; >= 8.0.0-alpha.0 < 8.0.0-alpha.17

Patched version: 7.26.10

From: yarn.lock › npm/@babel/helpers@7.23.5

ℹ Read more on: This package | This alert | What is a medium CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known medium severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helpers@7.23.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
@humanwhocodes/config-array@0.11.10 is Deprecated.

Reason: Use @eslint/config-array instead

From: yarn.lock › npm/@humanwhocodes/config-array@0.11.10

ℹ Read more on: This package | This alert | What is a deprecated package?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@humanwhocodes/config-array@0.11.10. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
@humanwhocodes/object-schema@1.2.1 is Deprecated.

Reason: Use @eslint/object-schema instead

From: yarn.lock › npm/@humanwhocodes/object-schema@1.2.1

ℹ Read more on: This package | This alert | What is a deprecated package?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@humanwhocodes/object-schema@1.2.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
eslint@8.44.0 is Deprecated.

Reason: This version is no longer supported. Please see https://eslint.org/version-support for other options.

From: package.json › npm/eslint@8.44.0

ℹ Read more on: This package | This alert | What is a deprecated package?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/eslint@8.44.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
eslint-plugin-import@2.29.0 is an AI-detected potential code anomaly.

Notes: The source code is intended to be a linting rule for JavaScript projects, but the use of _vm2['default'].runInNewContext() to execute comment contents dynamically is potentially dangerous.

Confidence: 1.00

Severity: 0.60

From: package.json › npm/eslint-plugin-import@2.29.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/eslint-plugin-import@2.29.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Ignoring alerts on:

  • estraverse@4.3.0
  • for-each@0.3.3
  • ms@2.1.2
  • cross-spawn@7.0.3
  • form-data@3.0.1
  • source-map@0.7.4

View full report

Member

@Gudahtt Gudahtt left a comment

LGTM!

@Gudahtt
Member

Gudahtt commented Oct 15, 2025

@SocketSecurity ignore npm/form-data@3.0.1
@SocketSecurity ignore npm/cross-spawn@7.0.3

The critical CVEs for these two versions are noted. We will update these in a separate PR immediately after this one.

@SocketSecurity ignore npm/estraverse@4.3.0
@SocketSecurity ignore npm/for-each@0.3.3
@SocketSecurity ignore npm/form-data@3.0.1
@SocketSecurity ignore npm/ms@2.1.2
@SocketSecurity ignore npm/source-map@0.7.4

"new author" OK (these are ancient, not really new).

@Gudahtt Gudahtt merged commit c591a5f into main Oct 15, 2025
20 checks passed
@Gudahtt Gudahtt deleted the jl/revert-5391380 branch October 15, 2025 17:29
Gudahtt added a commit that referenced this pull request Oct 15, 2025
Update dependencies that Socket warned about in #423
jiexi added a commit that referenced this pull request Oct 15, 2025
Gudahtt added a commit that referenced this pull request Oct 15, 2025
Update dependencies that Socket warned about in #423
Gudahtt added a commit that referenced this pull request Oct 15, 2025
Update dependencies that Socket warned about in #423

---

> [!NOTE]
> Updates yarn.lock to bump several packages (e.g., cross-spawn 7.0.6, form-data 3.0.4, get-intrinsic 1.3.1) and add required transitive deps to address audits.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit a6eefaa. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
Gudahtt pushed a commit that referenced this pull request Oct 15, 2025
…d core monorepo (#420)" (#423) (#426)

This reverts commit c591a5f (Reapplies
5391380)

---

> [!NOTE]
> Overhauls the dev toolchain: upgrades ESLint to v9 with new configs/plugins, moves to TypeScript 5.x, adds TypeDoc/depcheck/ts-bridge/ATTW tooling, updates Prettier to v3, and refreshes dependencies.
>
> - **Dev toolchain sync/upgrade**
>   - **ESLint 9**: Bump core and configs (MetaMask v14), migrate plugins/resolvers (e.g., `eslint-plugin-import-x`, `eslint-import-resolver-typescript`), and update related utilities.
>   - **TypeScript 5.x**: Update TypeScript, `typescript-eslint` (v8), `ts-node`, and supporting packages.
>   - **Formatting & docs**: Upgrade **Prettier** to v3 and `prettier-plugin-packagejson`; add **TypeDoc**.
>   - **New tooling**: Add `@arethetypeswrong/cli`, `@ts-bridge/cli`, and **depcheck** for dependency hygiene.
>   - **Dependencies**: Broad dependency updates and lockfile refresh to align with core template.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 5ef56a4. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>