Bump @metamask/inpage-providers to @metamask/providers

[adonesky1]

Successfully building, node version at 16.

Node v18 introduces new errors that will likely require webpack version bump to v5 which is trickier

[socket-security]

New, updated, and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Packages	Version	New capabilities	Transitives	Size	Publisher
@babel/plugin-proposal-nullish-coalescing-operator	7.18.6	shell	+33	10.4 MB	nicolo-ribaudo
@metamask/providers	13.0.0	None	+10	730 kB	metamaskbot
@babel/preset-env	7.12.7...7.22.20	shell	+108/-109	12.5 MB	nicolo-ribaudo
@babel/core	7.7.2...7.23.0	shell, environment	+31/-11	10.4 MB	nicolo-ribaudo

🚮 Removed packages: @metamask/inpage-provider@8.0.3

[socket-security]

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring: @babel/plugin-syntax-import-meta@7.10.4, extension-port-stream@2.1.1, @metamask/safe-event-emitter@3.0.0, convert-source-map@2.0.0, unicode-canonical-property-names-ecmascript@2.0.0, unicode-match-property-ecmascript@2.0.0, update-browserslist-db@1.0.13

Next steps

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@* or ignore all packages with @SocketSecurity ignore-all

[jiexi]

LGTM. i'll look into the failed CI pipeline

[jiexi]

needed for stream.pipeline since webpack v4 uses v2 still. Another reason for us to get up to date with webpack

[jiexi]

[jiexi]

@metamask/providers changelog

• v8: We are here
• v9: No action required
• v10: I don't see METAMASK_EXTENSION_STREAM_CONNECT used anywhere anymore in extension. All i see is this in regards to retry. Searching the whole org yields nothing much
• v11: Node16. Fixed
• v12: Causes more version misalignment on upstream deps. Mobile is currently not aligned on these deps, so we make this no worse
• v13: No action required

[adonesky1]

#85 (comment)

Just to be clear, this is meant to indicate that when pulled into a local mobile build the changes are indeed present and working, correct @jiexi ?

[jiexi]

@adonesky1 Yes, exactly that. See the deprecation warnings for accessing window.ethereum.chainId and others which is part of the v13 release

[jiexi]

@SocketSecurity ignore extension-port-stream@2.1.1
@SocketSecurity ignore @metamask/safe-event-emitter@3.0.0

[jiexi]

@SocketSecurity ignore unicode-canonical-property-names-ecmascript@2.0.0
@SocketSecurity ignore unicode-match-property-ecmascript@2.0.0

Google's npm bot

[jiexi]

@SocketSecurity ignore update-browserslist-db@1.0.13

wrappers around specific commands to npx

[jiexi]

@SocketSecurity ignore @babel/plugin-syntax-import-meta@7.10.4

unmaintained

[jiexi]

@SocketSecurity ignore convert-source-map@2.0.0

author has been around 3 years ago

[sethkfman]

LGTM