release: 13.26.0#41456
Conversation
<!-- Please submit this PR as a draft initially. Do not mark it as "Ready for review" until the template has been completely filled out, and PR status checks have passed at least once. --> ## **Description** Upgrades `brace-expansion` from `5.0.3` to `5.0.5` in the lockfile to resolve a moderate-severity ReDoS advisory [GHSA-f886-m6hf-6m8v]. Also picks up incidental patch bumps to `brace-expansion` v1 and v2. <!-- Write a short description of the changes included in this pull request, also include relevant motivation and context. Have in mind the following questions: 1. What is the reason for the change? 2. What is the improvement/solution? --> [](https://codespaces.new/MetaMask/metamask-extension/pull/41284?quickstart=1) ## **Changelog** <!-- If this PR is not End-User-Facing and should not show up in the CHANGELOG, you can choose to either: 1. Write `CHANGELOG entry: null` 2. Label with `no-changelog` If this PR is End-User-Facing, please write a short User-Facing description in the past tense like: `CHANGELOG entry: Added a new tab for users to see their NFTs` `CHANGELOG entry: Fixed a bug that was causing some NFTs to flicker` (This helps the Release Engineer do their job more quickly and accurately) --> CHANGELOG entry: null ## **Related issues** Fixes: ## **Manual testing steps** 1. Go to this page... 2. 3. ## **Screenshots/Recordings** <!-- If applicable, add screenshots and/or recordings to visualize the before and after of your change. --> ### **Before** <!-- [screenshots/recordings] --> ### **After** <!-- [screenshots/recordings] --> ## **Pre-merge author checklist** - [ ] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Extension Coding Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [ ] I've completed the PR template to the best of my ability - [ ] I’ve included tests if applicable - [ ] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [ ] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Low Risk** > Lockfile-only dependency bumps; main risk is unexpected tooling/build behavior changes from the updated transitive package versions. > > **Overview** > Updates `yarn.lock` to bump `brace-expansion` across supported ranges (`^1.1.7`, `^2.0.1`, `^5.0.2`) to newer patch versions (notably `5.0.3` → `5.0.5`), refreshing the associated resolved tarballs and checksums to pick up the security advisory fix. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 08903ce. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY -->
release: sync stable to main for version 13.25.0
<!-- Please submit this PR as a draft initially. Do not mark it as "Ready for review" until the template has been completely filled out, and PR status checks have passed at least once. --> ## **Description** <!-- Write a short description of the changes included in this pull request, also include relevant motivation and context. Have in mind the following questions: 1. What is the reason for the change? 2. What is the improvement/solution? --> [](https://codespaces.new/MetaMask/metamask-extension/pull/41297?quickstart=1) Resolution to resolve node-forge audit issue. <img width="865" height="856" alt="image" src="https://github.com/user-attachments/assets/5d0485c6-50af-4596-9de2-d35de0c0ccc8" /> ## **Changelog** <!-- If this PR is not End-User-Facing and should not show up in the CHANGELOG, you can choose to either: 1. Write `CHANGELOG entry: null` 2. Label with `no-changelog` If this PR is End-User-Facing, please write a short User-Facing description in the past tense like: `CHANGELOG entry: Added a new tab for users to see their NFTs` `CHANGELOG entry: Fixed a bug that was causing some NFTs to flicker` (This helps the Release Engineer do their job more quickly and accurately) --> CHANGELOG entry: null ## **Related issues** Fixes: ## **Manual testing steps** 1. Go to this page... 2. 3. ## **Screenshots/Recordings** <!-- If applicable, add screenshots and/or recordings to visualize the before and after of your change. --> ### **Before** <!-- [screenshots/recordings] --> ### **After** <!-- [screenshots/recordings] --> ## **Pre-merge author checklist** - [ ] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Extension Coding Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [ ] I've completed the PR template to the best of my ability - [ ] I’ve included tests if applicable - [ ] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [ ] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Low Risk** > Low risk dependency-only change: bumps `node-forge` via Yarn `resolutions`, which could affect transitive crypto/PKI behavior but has no direct code changes. > > **Overview** > Resolves a security/audit finding by forcing `node-forge` to `^1.4.0` via `package.json` `resolutions`. > > Updates `yarn.lock` accordingly to pull `node-forge@1.4.0` (previously `1.3.2`). > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit f108bf9. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY -->
<!-- Please submit this PR as a draft initially. Do not mark it as "Ready for review" until the template has been completely filled out, and PR status checks have passed at least once. --> ## **Description** <!-- Write a short description of the changes included in this pull request, also include relevant motivation and context. Have in mind the following questions: 1. What is the reason for the change? 2. What is the improvement/solution? --> The Bridge API's /getTokens/popular and /getTokens/search endpoints now return an isVerified property on token records. This PR surfaces that signal in the Bridge asset picker by rendering a verified badge (the VerifiedFilled icon) next to the token symbol for any token where isVerified is true. ## **Changelog** <!-- If this PR is not End-User-Facing and should not show up in the CHANGELOG, you can choose to either: 1. Write `CHANGELOG entry: null` 2. Label with `no-changelog` If this PR is End-User-Facing, please write a short User-Facing description in the past tense like: `CHANGELOG entry: Added a new tab for users to see their NFTs` `CHANGELOG entry: Fixed a bug that was causing some NFTs to flicker` (This helps the Release Engineer do their job more quickly and accurately) --> CHANGELOG entry: feat: add asset verified badge in swaps asset picker ## **Related issues** Fixes: https://consensyssoftware.atlassian.net/browse/SWAPS-4220 ## **Manual testing steps** 1. Open the Bridge page (`portfolio.metamask.io` or the extension's Bridge tab). 2. Click the source token selector to open the asset picker. 3. Scroll through the popular tokens list — tokens with `isVerified: true` from the API should display a blue verified checkmark badge (VerifiedFilled icon) inline next to their symbol. 4. Type a token name or address in the search field and confirm that verified tokens in the search results also display the badge. 5. Confirm that tokens without `isVerified` (or with `isVerified: false`) show no badge next to their symbol. 6. Repeat steps 2–5 for the destination token selector. ## **Screenshots/Recordings** <!-- If applicable, add screenshots and/or recordings to visualize the before and after of your change. --> ### **Before** <!-- [screenshots/recordings] --> ### **After** <img width="468" height="500" alt="image" src="https://github.com/user-attachments/assets/80256b2c-efe7-4938-90c8-979b36ddae88" /> <!-- [screenshots/recordings] --> ## **Pre-merge author checklist** - [x] 've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Extension Coding Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [x] I’ve included tests if applicable - [x] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [x] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Low Risk** > Low risk UI/data-shaping change that threads a new optional `isVerified` field from the Bridge API through token normalization and renders an icon when true; main risk is minor mismatches with API/schema assumptions affecting display only. > > **Overview** > Surfaces the Bridge API’s new optional `isVerified` token field end-to-end and displays a **Verified** badge in the Bridge asset picker when `isVerified === true`. > > Updates token validation/types (`BridgeAssetV2Schema`) and normalization (`toBridgeToken`) to carry `isVerified` (with `tokenMetadata` able to override), and adds/updates unit tests and snapshots to cover pass-through behavior and conditional badge rendering. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 10722d8. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY -->
<!-- Please submit this PR as a draft initially. Do not mark it as "Ready for review" until the template has been completely filled out, and PR status checks have passed at least once. --> ## **Description** In case there is error in simulation result static data should not be show, rather error should be shown. ## **Changelog** <!-- If this PR is not End-User-Facing and should not show up in the CHANGELOG, you can choose to either: 1. Write `CHANGELOG entry: null` 2. Label with `no-changelog` If this PR is End-User-Facing, please write a short User-Facing description in the past tense like: `CHANGELOG entry: Added a new tab for users to see their NFTs` `CHANGELOG entry: Fixed a bug that was causing some NFTs to flicker` (This helps the Release Engineer do their job more quickly and accurately) --> CHANGELOG entry: ## **Related issues** Fixes: ## **Manual testing steps** 1. Submit batched transaction with an approval 2. If simulation fails no static data should be displayed ## **Screenshots/Recordings** TODO ## **Pre-merge author checklist** - [X] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Extension Coding Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [X] I've completed the PR template to the best of my ability - [X] I’ve included tests if applicable - [X] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [X] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Low Risk** > Low risk UI-logic change gated to `SimulationErrorCode.Reverted`, with new unit tests covering the intended rendering behavior. > > **Overview** > When simulation results include an error, `SimulationDetails` now **suppresses static balance-change rows for `SimulationErrorCode.Reverted`** and shows the reverted warning content instead. > > For other errors (e.g., `ChainNotSupported`), static rows can still render when provided. Tests were added to assert both behaviors. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit dbc17bf. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY -->
…match alert icon color (#41196) <!-- Please submit this PR as a draft initially. Do not mark it as "Ready for review" until the template has been completely filled out, and PR status checks have passed at least once. --> ## **Description** Send flow - update field color for sending to contract alert to match alert icon color. ## **Changelog** <!-- If this PR is not End-User-Facing and should not show up in the CHANGELOG, you can choose to either: 1. Write `CHANGELOG entry: null` 2. Label with `no-changelog` If this PR is End-User-Facing, please write a short User-Facing description in the past tense like: `CHANGELOG entry: Added a new tab for users to see their NFTs` `CHANGELOG entry: Fixed a bug that was causing some NFTs to flicker` (This helps the Release Engineer do their job more quickly and accurately) --> CHANGELOG entry: ## **Related issues** Fixes: https://consensyssoftware.atlassian.net/browse/CONF-1099 ## **Manual testing steps** 1. Start send to a contract address 2. Check styling of error displayed ## **Screenshots/Recordings** <img width="804" height="736" alt="Screenshot 2026-03-25 at 6 48 26 PM" src="https://github.com/user-attachments/assets/a1b92ce2-9feb-4567-a9b9-03ba7db44c53" /> ## **Pre-merge author checklist** - [X] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Extension Coding Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [X] I've completed the PR template to the best of my ability - [X] I’ve included tests if applicable - [X] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [X] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Low Risk** > Low risk UI-only change in the send recipient input that adjusts error vs warning styling; no changes to validation logic or transaction behavior. > > **Overview** > Updates the send flow `RecipientInput` to distinguish *acknowledgeable* recipient validation issues (e.g., sending to a contract) from hard errors. > > The recipient `TextField` now only sets `error` for blocking errors, and applies a warning border class (`!border-warning-default`) when `recipientErrorAllowAcknowledge` is present so the field color matches the warning/alert state. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit a658062. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> --------- Co-authored-by: George Marshall <george.marshall@consensys.net> Co-authored-by: georgewrmarshall <georgewrmarshall@users.noreply.github.com>
…41187) <!-- Please submit this PR as a draft initially. Do not mark it as "Ready for review" until the template has been completely filled out, and PR status checks have passed at least once. --> ## **Description** Update more specs to use FixtureBuilderV2. Specially focused on: - ppom specs - send specs - shield specs Left some out of scope, if require bigger changes in builder, to not grow the PR [](https://codespaces.new/MetaMask/metamask-extension/pull/41187?quickstart=1) ## **Changelog** <!-- If this PR is not End-User-Facing and should not show up in the CHANGELOG, you can choose to either: 1. Write `CHANGELOG entry: null` 2. Label with `no-changelog` If this PR is End-User-Facing, please write a short User-Facing description in the past tense like: `CHANGELOG entry: Added a new tab for users to see their NFTs` `CHANGELOG entry: Fixed a bug that was causing some NFTs to flicker` (This helps the Release Engineer do their job more quickly and accurately) --> CHANGELOG entry: ## **Related issues** Fixes: ## **Manual testing steps** 1. All specs should continue to pass ## **Screenshots/Recordings** <!-- If applicable, add screenshots and/or recordings to visualize the before and after of your change. --> ### **Before** <img width="3091" height="1541" alt="image" src="https://github.com/user-attachments/assets/fcb1a32d-dc48-42d9-98f5-0068b5d2d187" /> ### **After** <img width="3092" height="1541" alt="image" src="https://github.com/user-attachments/assets/58637a4c-6973-466a-b02e-5e481b33480e" /> ## **Pre-merge author checklist** - [ ] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Extension Coding Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [ ] I've completed the PR template to the best of my ability - [ ] I’ve included tests if applicable - [ ] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [ ] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Low Risk** > Low risk: changes are confined to E2E test infrastructure and specs, but touch many tests and fixture defaults so failures may surface as test flakiness or altered expectations. > > **Overview** > Migrates a large set of E2E specs (PPOM/Blockaid, send flows, shield, smart transactions, multichain, network) from legacy `FixtureBuilder` to `FixtureBuilderV2`, updating network selection (`NETWORK_CLIENT_ID`), permission setup (explicit `chainIds`/localhost dapp), and login/balance expectations to match the new fixtures. > > Extends `FixtureBuilderV2` with multichain rates helpers (`withMultichainAssetsRatesController`, `withMultichainRatesController`, plus `withConversionRates`/`withCurrencyRates`) and updates docs accordingly; adjusts the default fixture to seed Polygon balance, blocklists `polygon-mainnet.infura.io` in E2E mocks, and adds a `TransactionConfirmation.clickBackButton()` helper while removing an unused `reviewTransaction` flow. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 28213b4. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY -->
…for the chosen token` (#41239) <!-- Please submit this PR as a draft initially. Do not mark it as "Ready for review" until the template has been completely filled out, and PR status checks have passed at least once. --> ## **Description** Sometimes the BAT Token doesn't appear in the token list when we search for it. We seed the token list controller with that token, but not the storage service. Solution: Seed the same BAT entry in the TokenListController StorageService to avoid miss-match and flakiness <img width="1050" height="812" alt="image" src="https://github.com/user-attachments/assets/1f93327e-7a16-4339-b33a-2968740f22aa" /> [](https://codespaces.new/MetaMask/metamask-extension/pull/41239?quickstart=1) ## **Changelog** <!-- If this PR is not End-User-Facing and should not show up in the CHANGELOG, you can choose to either: 1. Write `CHANGELOG entry: null` 2. Label with `no-changelog` If this PR is End-User-Facing, please write a short User-Facing description in the past tense like: `CHANGELOG entry: Added a new tab for users to see their NFTs` `CHANGELOG entry: Fixed a bug that was causing some NFTs to flicker` (This helps the Release Engineer do their job more quickly and accurately) --> CHANGELOG entry: ## **Related issues** Fixes: ## **Manual testing steps** 1. Check ci ## **Screenshots/Recordings** <!-- If applicable, add screenshots and/or recordings to visualize the before and after of your change. --> ### **Before** <!-- [screenshots/recordings] --> ### **After** <!-- [screenshots/recordings] --> ## **Pre-merge author checklist** - [ ] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Extension Coding Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [ ] I've completed the PR template to the best of my ability - [ ] I’ve included tests if applicable - [ ] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [ ] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Low Risk** > Low risk: changes are limited to E2E test setup/waits and fixture seeding, with no production logic impact. > > **Overview** > Improves E2E test determinism by replacing a fixed delay in `dapp-viewed.spec.ts` with `HomePage.waitForNonEvmAccountsLoaded()` before asserting `DappViewed` metrics properties. > > Stabilizes the token search E2E by reusing a shared BSC BAT token-list entry, keying caches by `CHAIN_IDS.BSC`, seeding token list data into StorageService via `withTokenListControllerStorageServiceData`, and removing the custom `login(..., { validateBalance: false })` invocation. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit ede4536. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY -->
<!-- Please submit this PR as a draft initially. Do not mark it as "Ready for review" until the template has been completely filled out, and PR status checks have passed at least once. --> ## **Description** Replace the default `QueryClient` with a custom `QueryClient` from `createUIQueryClient`. This establishes the query client required for using the `BaseDataService` pattern from the core repo, which handles cache syncing. Existing UI-only queries should work as they did previously. [](https://codespaces.new/MetaMask/metamask-extension/pull/41183?quickstart=1) ## **Changelog** <!-- If this PR is not End-User-Facing and should not show up in the CHANGELOG, you can choose to either: 1. Write `CHANGELOG entry: null` 2. Label with `no-changelog` If this PR is End-User-Facing, please write a short User-Facing description in the past tense like: `CHANGELOG entry: Added a new tab for users to see their NFTs` `CHANGELOG entry: Fixed a bug that was causing some NFTs to flicker` (This helps the Release Engineer do their job more quickly and accurately) --> CHANGELOG entry: null ## **Related issues** https://consensyssoftware.atlassian.net/browse/WPC-445 <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Medium Risk** > Replaces the app-wide React Query client with a custom client that bridges to background messaging, which could impact caching/query behavior across the UI if misconfigured. Also introduces new dependency and LavaMoat policy entries that affect build/runtime module access. > > **Overview** > Replaces the default TanStack `QueryClient` with a `createUIQueryClient` instance wired to the background via `submitRequestToBackground`/`subscribeToMessengerEvent`, enabling cache syncing for data services that follow the `BaseDataService` pattern. > > Adds a `DATA_SERVICES` registry (currently empty) and updates dependencies/lockfile plus LavaMoat policies to allow `@metamask/react-data-query` (and its TanStack Query deps) in browserify/webpack builds. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 94d0a55. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> --------- Co-authored-by: MetaMask Bot <metamaskbot@users.noreply.github.com>
<!-- Please submit this PR as a draft initially. Do not mark it as "Ready for review" until the template has been completely filled out, and PR status checks have passed at least once. --> ## **Description** <!-- Write a short description of the changes included in this pull request, also include relevant motivation and context. Have in mind the following questions: 1. What is the reason for the change? 2. What is the improvement/solution? --> [](https://codespaces.new/MetaMask/metamask-extension/pull/41232?quickstart=1) Addresses references to `RatesController` by creating migration selectors and by putting calls to the controller behind a feature flag. Adds comments to reference uses of `allDetectedTokens` still in the code. ## **Changelog** <!-- If this PR is not End-User-Facing and should not show up in the CHANGELOG, you can choose to either: 1. Write `CHANGELOG entry: null` 2. Label with `no-changelog` If this PR is End-User-Facing, please write a short User-Facing description in the past tense like: `CHANGELOG entry: Added a new tab for users to see their NFTs` `CHANGELOG entry: Fixed a bug that was causing some NFTs to flicker` (This helps the Release Engineer do their job more quickly and accurately) --> CHANGELOG entry: null ## **Related issues** Fixes: https://consensyssoftware.atlassian.net/browse/ASSETS-2851 ## **Manual testing steps** 1. Go to this page... 2. 3. ## **Screenshots/Recordings** <!-- If applicable, add screenshots and/or recordings to visualize the before and after of your change. --> ### **Before** <!-- [screenshots/recordings] --> ### **After** <!-- [screenshots/recordings] --> ## **Pre-merge author checklist** - [X] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Extension Coding Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [X] I've completed the PR template to the best of my ability - [X] I’ve included tests if applicable - [X] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [X] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Medium Risk** > Changes how fiat currency and non-EVM rates are sourced when the assets unify state flag is enabled, which can affect pricing displays and Snap `getCurrencyRate` responses. Guarding `multichainRatesController` start/stop behind the flag reduces risk but could surface edge cases if state is incomplete during migration. > > **Overview** > Adds migration selectors `getRatesControllerRates` and `getRatesControllerFiatCurrency` that, when *assets unify state* is enabled, derive non-EVM native asset rates from `assetsInfo`/`assetsPrice` and switch fiat currency to `selectedCurrency` (with new unit tests). > > Routes Snap `getCurrencyRate` to these new selectors and centralizes the feature-flag check in `MetaMaskController` via `#isAssetsUnifyStateEnabled`, also skipping `MultichainRatesController` startup/subscriptions and stop calls when the unified state path is active. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit f9cb1d2. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY -->
<!-- Please submit this PR as a draft initially. Do not mark it as "Ready for review" until the template has been completely filled out, and PR status checks have passed at least once. --> ## **Description** This PR is a third iteration at the PoC for Dapp Connection Control Bar on our extension. The MetaMask extension currently has a confusing split between dapp connection controls and the wallet network picker, making it difficult for users to understand what context they are in and where to manage an active connection. So we built a proof of concept for a new UX pattern, introducing a contextual control bar that appears only when an active dapp connection is present and remains hidden when no connection exists. The purpose of this POC is to let the team interact with a clearer, more explicit connection surface, evaluate whether it reduces confusion between wallet and dapp contexts, and decide if this pattern should be refined and taken to production. <!-- Write a short description of the changes included in this pull request, also include relevant motivation and context. Have in mind the following questions: 1. What is the reason for the change? 2. What is the improvement/solution? --> [](https://codespaces.new/MetaMask/metamask-extension/pull/40617?quickstart=1) ## **Changelog** <!-- If this PR is not End-User-Facing and should not show up in the CHANGELOG, you can choose to either: 1. Write `CHANGELOG entry: null` 2. Label with `no-changelog` If this PR is End-User-Facing, please write a short User-Facing description in the past tense like: `CHANGELOG entry: Added a new tab for users to see their NFTs` `CHANGELOG entry: Fixed a bug that was causing some NFTs to flicker` (This helps the Release Engineer do their job more quickly and accurately) --> CHANGELOG entry: adds dapp connection control bar ## **Related issues** Fixes: https://consensyssoftware.atlassian.net/browse/WAPI-1147 https://consensyssoftware.atlassian.net/browse/WAPI-1146 ## **Manual testing steps** 1. Go to [test dapp](https://metamask.github.io/test-dapp/) 2. Request permissions 3. Make sure dapp connection control bar shows on bottom when viewing extension 4. Clicking the `select` element should show dapp network selector 5. Clicking the cogwheel icon should show dapp permission management screen 6. Clicking the exit icon should prompt to disconnect from dapp ## **Screenshots/Recordings** <!-- If applicable, add screenshots and/or recordings to visualize the before and after of your change. --> ### **Before** <!-- [screenshots/recordings] --> ### **After** <img width="421" height="623" alt="Screenshot 2026-03-04 at 12 00 01" src="https://github.com/user-attachments/assets/509ff8fc-f3f5-4f46-8920-b7e616c30e71" /> ## **Pre-merge author checklist** - [ ] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Extension Coding Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [ ] I've completed the PR template to the best of my ability - [ ] I’ve included tests if applicable - [ ] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [ ] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Medium Risk** > Introduces a new connection UI surface that dispatches network-menu and permission-removal actions; regressions could affect per-dapp network switching or disconnect behavior. Changes are mostly UI/test refactors with limited impact outside connected-site flows. > > **Overview** > Adds a new *Dapp Connection Control Bar* shown at the bottom of `Home` when the current tab is connected, surfacing the connected origin/account plus quick actions to open the per-dapp network selector, navigate to `review-permissions`, and disconnect (via `removePermissionsFor` + a confirmation modal). > > Removes the previous header-level connection status indicator and simplifies `ConnectedSiteMenu` to a basic button (no popover/metadata-driven rendering), updating snapshots and unit coverage accordingly. > > Updates E2E network tests to use the new control-bar network button (with a toast-close safeguard), and drops unused i18n keys for the removed connected/not-connected tooltip strings. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 6dda52f. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY -->
## **Description** Removes the `@metamask/error-reporting-service` package. This service registered a `ErrorReportingService:captureException` messenger action, but no controller ever called it. Error reporting is now handled directly via `messenger.captureException`, which is a built-in capability of `@metamask/messenger` (used e.g. in `oauth-service.ts`), making this package redundant. ## **Changelog** CHANGELOG entry: null ## **Related issues** N/A ## **Manual testing steps** 1. Build the extension and verify it starts without errors. ## **Screenshots/Recordings** N/A ## **Pre-merge author checklist** - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Extension Coding Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [x] I've included tests if applicable - [x] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [ ] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Low Risk** > Low risk cleanup that removes an unused controller/messenger and dependency; main risk is missing any hidden runtime references during initialization. > > **Overview** > Removes the redundant `ErrorReportingService` controller: deletes its init + messenger modules/tests, and drops it from controller/messenger registration and `metamask-controller` initialization. > > Also removes the `@metamask/error-reporting-service` dependency from `package.json`/`yarn.lock` and cleans up the related deprecation ignore entry in `.yarnrc.yml`. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit fe77e35. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY -->
…design / cta segment prop update (#41226) <!-- Please submit this PR as a draft initially. Do not mark it as "Ready for review" until the template has been completely filled out, and PR status checks have passed at least once. --> ## **Description** Buy/Get Cta Style Alignment Adjust the token-list mUSD banner so the bonus subtitle uses primary text color and the action control is a secondary (outline) button instead of primary. Segment event prop updates for Claim CTA location and Convert CTA 2&3 redirectTo - MusdConversionCtaClicked: Asset overview and token-list convert CTAs now emit properties via createMusdCtaClickedEventProperties, with redirects_to from resolveMusdConversionCtaRedirectsTo (aligned with buy vs conversion and education vs custom amount). Replaces incorrect chain_id / token_symbol with network_chain_id, network_name, and asset_symbol. Convert link location follows entryPoint (musdConversionFlowEntryPointToCtaEventLocation). - MusdClaimBonusButtonClicked: location is token_list_item or asset_overview via resolveMerklClaimBonusAnalyticsLocation from TokenCell (showMusdConvertCta), not claim_bonus_bottom_sheet. DeFi TokenCell usage no longer opts into Merkl/mUSD list props; tests assert that. <!-- Write a short description of the changes included in this pull request, also include relevant motivation and context. Have in mind the following questions: 1. What is the reason for the change? 2. What is the improvement/solution? --> [](https://codespaces.new/MetaMask/metamask-extension/pull/41226?quickstart=1) ## **Changelog** <!-- If this PR is not End-User-Facing and should not show up in the CHANGELOG, you can choose to either: 1. Write `CHANGELOG entry: null` 2. Label with `no-changelog` If this PR is End-User-Facing, please write a short User-Facing description in the past tense like: `CHANGELOG entry: Added a new tab for users to see their NFTs` `CHANGELOG entry: Fixed a bug that was causing some NFTs to flicker` (This helps the Release Engineer do their job more quickly and accurately) --> CHANGELOG entry: Updated Buy/Get mUSD CTA styling ## **Related issues** Fixes: https://consensyssoftware.atlassian.net/browse/MUSD-556 Fixes: https://consensyssoftware.atlassian.net/browse/MUSD-558 ## **Manual testing steps** ``` Feature: mUSD home CTA visual design As a user viewing the token list mUSD banner I want the bonus line and action control to match the intended hierarchy So primary copy stays clear and the action reads as secondary to the row Background: Given the mUSD Buy/Get CTA is visible on the home token list Scenario: Bonus subtitle uses primary default text color When I view the mUSD CTA Then the bonus percentage subtitle is styled with primary default text color And the subtitle remains readable against the banner background Scenario: Action control uses secondary button styling When I view the mUSD CTA Then the CTA action is a secondary (outline) button And the button label matches the main CTA copy ("Buy mUSD" or "Get mUSD") Scenario Outline: Design applies for both CTA variants Given the CTA shows "<variant_title>" as the main line When I view the mUSD CTA Then the bonus subtitle uses primary default text color And the action control is a secondary button labeled "<variant_title>" Examples: | variant_title | | Buy mUSD | | Get mUSD | ``` ## **Screenshots/Recordings** <!-- If applicable, add screenshots and/or recordings to visualize the before and after of your change. --> ### **Before** <!-- [screenshots/recordings] --> <img width="550" height="107" alt="image" src="https://github.com/user-attachments/assets/01f96c6f-5e36-4572-9155-4a988965ab6f" /> ### **After** <!-- [screenshots/recordings] --> <img width="504" height="126" alt="image" src="https://github.com/user-attachments/assets/5fd1c5d6-52e0-44a6-861e-be5c6e17497d" /> ## **Pre-merge author checklist** - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Extension Coding Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [x] I’ve included tests if applicable - [x] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [x] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Medium Risk** > Medium risk due to cross-component changes to mUSD CTA/claim analytics payloads and `TokenCell` prop shape, which could affect event tracking and CTA visibility if misconfigured. > > **Overview** > Updates the home token-list mUSD banner copy/styling to match mobile: headline now uses the product name ("MetaMask USD"), subtitle uses the new `musdEarnBonusPercentage` string, and the action is a secondary button while keeping the row clickable. > > Refactors `TokenCell` mUSD integration from boolean flags to a single `musd` options prop (with exported presets for token list and asset overview), and uses that to gate the Merkl claim badge and convert link plus their analytics locations/entry points. > > Standardizes mUSD analytics across `MusdBuyGetCta`, `MusdAssetCta`, `MusdConvertLink`, and `ClaimBonusBadge`: events now include `redirects_to` derived from education/buy intent, correct network/asset fields (`network_chain_id`, `network_name`, `asset_symbol`), and consistent location mapping; adds/updates tests and snapshots accordingly. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 9aa0d85. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY -->
## **Description** Filter out incoming native token transfers in the Activity list to reduce risk of address poisoining ## **Changelog** <!-- If this PR is not End-User-Facing and should not show up in the CHANGELOG, you can choose to either: 1. Write `CHANGELOG entry: null` 2. Label with `no-changelog` If this PR is End-User-Facing, please write a short User-Facing description in the past tense like: `CHANGELOG entry: Added a new tab for users to see their NFTs` `CHANGELOG entry: Fixed a bug that was causing some NFTs to flicker` (This helps the Release Engineer do their job more quickly and accurately) --> CHANGELOG entry: chore: filter out native token transfers ## **Related issues** Fixes: https://consensyssoftware.atlassian.net/browse/CEUX-948 ## **Manual testing steps** 1. Go to this page... 2. 3. ## **Screenshots/Recordings** <!-- If applicable, add screenshots and/or recordings to visualize the before and after of your change. --> ### **Before** <!-- [screenshots/recordings] --> ### **After** <!-- [screenshots/recordings] --> ## **Pre-merge author checklist** - [ ] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Extension Coding Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [ ] I've completed the PR template to the best of my ability - [ ] I’ve included tests if applicable - [ ] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [ ] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Medium Risk** > Changes transaction selection logic to hide incoming native-coin transfers, which could inadvertently suppress legitimate inbound transactions in the Activity view if the heuristic misclassifies a tx (e.g., certain contract-mediated receipts). > > **Overview** > Adds an *address-poisoning defense* by updating `selectTransactions` to filter out **incoming native coin transfers** when the current account is the recipient but did not initiate the transaction (similar to the existing incoming token-transfer filter). > > Extends unit coverage around `selectTransactions` (outgoing/self-send/swap vs blocked inbound native receipts) and updates the incoming-transactions e2e expectations so native incoming transfers (and token transfers) result in an empty Activity list while outgoing sends still render. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit ae1aa24. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY -->
…ponents (#40209) ## **Description** When a user opens the Secret Recovery Phrase reveal page while on a malicious website, this PR adds a real-time dapp scan that warns them before they can proceed. If the site is flagged as malicious (`BLOCK`), a danger banner appears with an acknowledgment checkbox — the Next button turns red and stays disabled until the user explicitly accepts the risk. [](https://codespaces.new/MetaMask/metamask-extension/pull/40209?quickstart=1) ## **Changelog** CHANGELOG entry: Added real-time dapp scanning warning with acknowledgment checkbox on the SRP reveal page for malicious websites ## **Related issues** Fixes: ## **Manual testing steps** 1. Navigate to a known malicious site (e.g. `this-is-a-malicious-website-by-jacob2.xyz`) 2. Open the extension and go to Settings > Security > Reveal Secret Recovery Phrase 3. Confirm: danger banner shows, acknowledgment checkbox appears, Next button is red and disabled 4. Check the checkbox → Next button becomes enabled (still red) 5. On a safe/clean site: no extra warning, normal blue Next button, no checkbox ## **Screenshots/Recordings** ### **Before** <!-- No dapp scan warning on SRP reveal page --> ### **After** <img width="400" height="599" alt="Screenshot 2026-03-26 at 3 57 31 PM" src="https://github.com/user-attachments/assets/0bf3c585-e74b-4826-bc8d-f9f608c291b2" /> <!-- Malicious site: danger banner + acknowledgment checkbox + red disabled Next button --> ## **Pre-merge author checklist** - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Extension Coding Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [ ] I've included tests if applicable - [ ] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [x] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Medium Risk** > Adds a new phishing-scan call and UX gating to the Secret Recovery Phrase reveal flow; mistakes could block legitimate SRP access or fail to warn on malicious origins. Changes also introduce a new background RPC and metrics event that must remain consistent across UI/background boundaries. > > **Overview** > Adds a real-time phishing scan when opening the SRP reveal flow, using the current tab origin to detect malicious sites. > > If the scan recommends `Block`, the password step shows a new localized danger banner + acknowledgment checkbox, turns the Continue button into a *danger* state, and prevents both button-click and form-submit progression until the risk is acknowledged. > > Wires a new background action (`scanUrlForPhishing`) through the controller/actions layer, and emits a new MetaMetrics event (`SrpRevealMaliciousSiteDetected`) when a malicious site is detected; updates unit tests to cover scan outcomes, gating behavior, and metric emission. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 571ba82. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> --------- Co-authored-by: Howard Braham <howrad@gmail.com>
Part of the ongoing JS→TS migration effort for `shared/constants`. Converts `terms.js` to `terms.ts`. ## Changes - **`shared/constants/terms.js` → `shared/constants/terms.ts`** — rename only; no logic changes. TypeScript infers the exported constants as string literals without explicit annotations. Existing consumers import without file extensions, so no import paths required updating. <!-- START COPILOT ORIGINAL PROMPT --> <details> <summary>Original prompt</summary> > > ---- > > *This section details on the original issue you should resolve* > > <issue_title>TypeScript conversion of `shared/constants/terms.js` (level 30)</issue_title> > <issue_description>### What is this about? > > . > > ### Scenario > > _No response_ > > ### Design > > _No response_ > > ### Technical Details > > _No response_ > > ### Threat Modeling Framework > > _No response_ > > ### Acceptance Criteria > > _No response_ > > ### Stakeholder review needed before the work gets merged > > - [ ] Engineering (needed in most cases) > - [ ] Design > - [ ] Product > - [ ] QA (automation tests are required to pass before merging PRs but not all changes are covered by automation tests - please review if QA is needed beyond automation tests) > - [ ] Security > - [ ] Legal > - [ ] Marketing > - [ ] Management (please specify) > - [ ] Other (please specify) > > ### References > > _No response_</issue_description> > > <agent_instructions>Follow the best practice https://github.com/MetaMask/contributor-docs/blob/main/docs/typescript.md</agent_instructions> > > ## Comments on the Issue (you are @copilot in this section) > > <comments> > </comments> > </details> <!-- START COPILOT CODING AGENT SUFFIX --> - Fixes MetaMask/MetaMask-planning#5530 <!-- START COPILOT CODING AGENT TIPS --> --- 📍 Connect Copilot coding agent with [Jira](https://gh.io/cca-jira-docs), [Azure Boards](https://gh.io/cca-azure-boards-docs) or [Linear](https://gh.io/cca-linear-docs) to delegate work to Copilot in one click without leaving your project management tool. <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Low Risk** > Low risk rename-only JS→TS migration of a constants module; behavior should be unchanged as consumers import via extensionless path. > > **Overview** > Migrates the shared Terms constants module from `shared/constants/terms.js` to `shared/constants/terms.ts`, keeping the exported values (`TERMS_OF_USE_LINK`, `TERMS_OF_USE_LAST_UPDATED`) the same so existing extensionless imports continue to work. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 035970f. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: DDDDDanica <12678455+DDDDDanica@users.noreply.github.com>
## Version Bump After Release This PR bumps the main branch version from 13.25.0 to 13.26.0 after cutting the release branch. ### Why this is needed: - **Nightly builds**: Each nightly build needs to be one minor version ahead of the current release candidate - **Version conflicts**: Prevents conflicts between nightlies and release candidates - **Platform alignment**: Maintains version alignment between MetaMask mobile and extension - **Update systems**: Ensures nightlies are accepted by app stores and browser update systems ### What changed: - Version bumped from `13.25.0` to `13.26.0` - Platform: `extension` - Files updated by `set-semvar-version.sh` script ### Next steps: This PR should be **manually reviewed and merged by the release manager** to maintain proper version flow. ### Related: - Release version: 13.25.0 - Release branch: release/13.25.0 - Platform: extension - Test mode: false --- *This PR was automatically created by the `create-platform-release-pr.sh` script.* Co-authored-by: metamaskbot <metamaskbot@users.noreply.github.com> Co-authored-by: chloeYue <105063779+chloeYue@users.noreply.github.com>
<!-- Please submit this PR as a draft initially. Do not mark it as "Ready for review" until the template has been completely filled out, and PR status checks have passed at least once. --> ## **Description** Updates a test to use waitForNextUpdate rather than setTimeout, as setTimeout seemed to be causing some inconsistent results. <!-- Write a short description of the changes included in this pull request, also include relevant motivation and context. Have in mind the following questions: 1. What is the reason for the change? 2. What is the improvement/solution? --> [](https://codespaces.new/MetaMask/metamask-extension/pull/41308?quickstart=1) ## **Changelog** <!-- If this PR is not End-User-Facing and should not show up in the CHANGELOG, you can choose to either: 1. Write `CHANGELOG entry: null` 2. Label with `no-changelog` If this PR is End-User-Facing, please write a short User-Facing description in the past tense like: `CHANGELOG entry: Added a new tab for users to see their NFTs` `CHANGELOG entry: Fixed a bug that was causing some NFTs to flicker` (This helps the Release Engineer do their job more quickly and accurately) --> CHANGELOG entry: null ## **Related issues** Fixes: ## **Manual testing steps** 1. Go to this page... 2. 3. ## **Screenshots/Recordings** <!-- If applicable, add screenshots and/or recordings to visualize the before and after of your change. --> ### **Before** <!-- [screenshots/recordings] --> ### **After** <!-- [screenshots/recordings] --> ## **Pre-merge author checklist** - [ ] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Extension Coding Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [ ] I've completed the PR template to the best of my ability - [ ] I’ve included tests if applicable - [ ] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [ ] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Low Risk** > Test-only changes that update async waiting semantics; low product risk, with minor risk of altering test reliability if the new `waitFor` assertions are too permissive or timing-sensitive. > > **Overview** > Refactors `useMerklRewards.test.ts` to remove `setTimeout`/`act`-based async flushing and instead wait on specific state transitions via `renderHook`’s `waitFor`. > > Cleans up teardown logic (dropping the extra microtask flush) and makes the geoblocked case explicitly synchronous since the query is disabled. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 014f0f8. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY -->
<!-- Please submit this PR as a draft initially. Do not mark it as "Ready for review" until the template has been completely filled out, and PR status checks have passed at least once. --> ## **Description** <!-- Write a short description of the changes included in this pull request, also include relevant motivation and context. Have in mind the following questions: 1. What is the reason for the change? 2. What is the improvement/solution? --> [](https://codespaces.new/MetaMask/metamask-extension/pull/41242?quickstart=1) Removed code that calculated available time ranges for non-evm assets using the `historicalPrices` state, which is now deprecated, as historical prices are now fetched directly from price-api, not the snap. It should not have any impact on the app. ## **Changelog** <!-- If this PR is not End-User-Facing and should not show up in the CHANGELOG, you can choose to either: 1. Write `CHANGELOG entry: null` 2. Label with `no-changelog` If this PR is End-User-Facing, please write a short User-Facing description in the past tense like: `CHANGELOG entry: Added a new tab for users to see their NFTs` `CHANGELOG entry: Fixed a bug that was causing some NFTs to flicker` (This helps the Release Engineer do their job more quickly and accurately) --> CHANGELOG entry: null ## **Related issues** Fixes: https://consensyssoftware.atlassian.net/browse/ASSETS-2993 ## **Manual testing steps** 1. Open the asset details for any evm or non-evm asset 2. Time ranges should display at the bottom of the chart (no change) ## **Screenshots/Recordings** <!-- If applicable, add screenshots and/or recordings to visualize the before and after of your change. --> ### **Before** <!-- [screenshots/recordings] --> ### **After** <!-- [screenshots/recordings] --> ## **Pre-merge author checklist** - [X] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Extension Coding Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [X] I've completed the PR template to the best of my ability - [X] I’ve included tests if applicable - [X] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [X] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Medium Risk** > Changes asset chart time-range behavior (now always hardcoded) and removes `historicalPrices` from selector composition, which could affect non-EVM chart UX or any remaining consumers expecting populated historical price state. > > **Overview** > Removes remaining `historicalPrices` plumbing and related utilities/tests, including the `getHistoricalPrices` selector and the non‑EVM `useChartTimeRanges` hook. > > The asset price chart now uses a hardcoded `TIME_RANGES` list (dropping CAIP address conversion + dynamic interval selection), and multichain balance-rate selector composition now always supplies an empty `historicalPrices` object. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 30473ad. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY -->
…s) (#41207) ## **Description** This PR adds first part of the MetaMetrics integration for hardware wallet recovery flow tracking. [](https://codespaces.new/MetaMask/metamask-extension/pull/41207?quickstart=1) ## **Changelog** <!-- If this PR is not End-User-Facing and should not show up in the CHANGELOG, you can choose to either: 1. Write `CHANGELOG entry: null` 2. Label with `no-changelog` If this PR is End-User-Facing, please write a short User-Facing description in the past tense like: `CHANGELOG entry: Added a new tab for users to see their NFTs` `CHANGELOG entry: Fixed a bug that was causing some NFTs to flicker` (This helps the Release Engineer do their job more quickly and accurately) --> CHANGELOG entry: null ## **Related issues** Fixes: n/a Related ticket: https://consensyssoftware.atlassian.net/browse/MUL-1483 #### Main PR: #41154 ## **Manual testing steps** 1. Add hardware wallet account 2. Setup local Segment event tracking 3. Disconnect hardware wallet 4. Go to Swaps and try to do a swap with hardware wallet account while hardware wallet is disconnected 5. Click on button to start recovery flow for hardware wallet 6. Observe event tracking result in local Segment console #### To run Segment tracking locally do the following: Add/replace the `SEGMENT_HOST` and `SEGMENT_WRITE_KEY` variables in `.metamaskrc`: ``` SEGMENT_HOST='http://localhost:9090/' SEGMENT_WRITE_KEY='FAKE' ``` Run the following: ``` node development/mock-segment.js yarn start ``` ## **Screenshots/Recordings** <!-- If applicable, add screenshots and/or recordings to visualize the before and after of your change. --> ### **Before** This type of tracking was not available before. Nothing to show here. ### **After** No UI changes, but here are some Segment events intercepted locally. <img width="609" height="244" alt="Screenshot 2026-03-25 at 16 57 45" src="https://github.com/user-attachments/assets/b2c13870-21aa-44c7-b0f4-03daf84340af" /> <img width="609" height="479" alt="Screenshot 2026-03-25 at 17 08 17" src="https://github.com/user-attachments/assets/54737e3e-3cfd-4839-927e-3a50d7c81ee6" /> <img width="606" height="242" alt="Screenshot 2026-03-26 at 15 10 03" src="https://github.com/user-attachments/assets/dfd5c4ca-37d7-4d15-ac8d-eeca11981813" /> ## **Pre-merge author checklist** - [ ] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Extension Coding Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [ ] I've completed the PR template to the best of my ability - [ ] I’ve included tests if applicable - [ ] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [ ] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Medium Risk** > Adds new MetaMetrics tracking with additional state/side-effect logic in `HardwareWalletErrorModal`, which could affect modal lifecycle and event deduping/counting if edge cases are missed. > > **Overview** > Adds first-class MetaMetrics coverage for the hardware wallet recovery flow by introducing new Segment-aligned enums (`location`, `device_type`, `error_type`) and three new events: `HardwareWalletRecoveryModalViewed`, `HardwareWalletRecoverySuccessModalViewed`, and `HardwareWalletRecoveryCtaClicked`. > > Implements shared helpers to build a schema-compliant Segment `properties` payload (including sanitized/truncated `error_message`, `error_code` labeling, device type/model mapping, and `error_type` normalization), plus a new `useHardwareWalletRecoveryLocation` hook to derive `location` from the current route/confirmation context. > > Updates `HardwareWalletErrorModal` to emit these events with deduping and an `error_type_view_count` that increments on repeated views/reconnect failures, and expands test harness utilities to allow injecting a mock `trackEvent`; adds unit tests for the new helpers, hook, and modal tracking behavior. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit a746a85. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY -->
<!-- Please submit this PR as a draft initially. Do not mark it as "Ready for review" until the template has been completely filled out, and PR status checks have passed at least once. --> ## **Description** Fixes a bug where the form would reset without user taking any action, as well as some design tweaks to remove cancel button and add projected p&l values in form. [](https://codespaces.new/MetaMask/metamask-extension/pull/41283?quickstart=1) ## **Changelog** <!-- If this PR is not End-User-Facing and should not show up in the CHANGELOG, you can choose to either: 1. Write `CHANGELOG entry: null` 2. Label with `no-changelog` If this PR is End-User-Facing, please write a short User-Facing description in the past tense like: `CHANGELOG entry: Added a new tab for users to see their NFTs` `CHANGELOG entry: Fixed a bug that was causing some NFTs to flicker` (This helps the Release Engineer do their job more quickly and accurately) --> CHANGELOG entry: fixes tpsl form reset bug ## **Related issues** Fixes: https://consensyssoftware.atlassian.net/browse/TAT-2700, https://consensyssoftware.atlassian.net/browse/TAT-2698 ## **Manual testing steps** 1. Go to this page... 2. 3. ## **Screenshots/Recordings** <!-- If applicable, add screenshots and/or recordings to visualize the before and after of your change. --> ### **Before** https://github.com/user-attachments/assets/f9a2a1d4-d2d0-4756-8d58-885717dfe29d ## **Pre-merge author checklist** - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Extension Coding Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [x] I’ve included tests if applicable - [x] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [x] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Medium Risk** > Touches perps TP/SL editing flow and modal actions; while UI-focused, it changes state initialization/submission wiring and could affect order protection settings if regressions occur. > > **Overview** > Fixes the perps TP/SL update UX so in-progress edits aren’t overwritten by background position refreshes, by initializing TP/SL fields once on mount and keying the modal by `position.symbol`. > > Moves the primary save action out of `UpdateTPSLModalContent` into the modal `ModalFooter` via a new `UpdateTPSLSubmitState` callback, and removes cancel buttons from the TP/SL and close-position modals. > > Adds estimated USD P&L display rows for the configured take-profit and stop-loss prices (including new i18n strings) and updates unit tests to exercise the new footer-driven submit and the new estimated P&L rendering. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit a173442. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> --------- Co-authored-by: Alejandro Garcia <alejandro.garcia@consensys.net>
<!-- Please submit this PR as a draft initially. Do not mark it as "Ready for review" until the template has been completely filled out, and PR status checks have passed at least once. --> ## **Description** Adding tests for the swap/bridge transaction details page. The new test verifies that the app navigates to the custom TransactionDetails page and that it contains the expected data after tx submission <!-- Write a short description of the changes included in this pull request, also include relevant motivation and context. Have in mind the following questions: 1. What is the reason for the change? 2. What is the improvement/solution? --> [](https://codespaces.new/MetaMask/metamask-extension/pull/41269?quickstart=1) ## **Changelog** <!-- If this PR is not End-User-Facing and should not show up in the CHANGELOG, you can choose to either: 1. Write `CHANGELOG entry: null` 2. Label with `no-changelog` If this PR is End-User-Facing, please write a short User-Facing description in the past tense like: `CHANGELOG entry: Added a new tab for users to see their NFTs` `CHANGELOG entry: Fixed a bug that was causing some NFTs to flicker` (This helps the Release Engineer do their job more quickly and accurately) --> CHANGELOG entry: test: add e2e tests for unified swap transaction details page ## **Related issues** Fixes: https://consensyssoftware.atlassian.net/browse/SWAPS-4269 ## **Manual testing steps** 1. Tests should succeed ## **Screenshots/Recordings** <!-- If applicable, add screenshots and/or recordings to visualize the before and after of your change. --> ### **Before** <!-- [screenshots/recordings] --> ### **After** <!-- [screenshots/recordings] --> ## **Pre-merge author checklist** - [ ] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Extension Coding Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [ ] I've completed the PR template to the best of my ability - [ ] I’ve included tests if applicable - [ ] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [ ] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Low Risk** > Low risk since changes are limited to E2E test helpers and assertions, but they may introduce test flakiness due to new UI text/selector expectations and status mapping. > > **Overview** > Adds an `ActivityListPage.checkBridgeTransactionDetails` helper that opens the swap/bridge transaction details view and asserts navigation, status text, scanner link count, and displayed source/destination amounts. > > Extends bridge E2E coverage by calling this helper in negative-case bridge tests (pending/failed) and wires it into the shared `bridgeTransaction` utility via a new `expectedStatus` param plus more consistent action/token label construction. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 83404bf. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY -->
## **Description** This updates the declared build targets to match the browser minimums we already support elsewhere in the extension. The current browserslist and Babel targets were still pointing at Chrome 89 / Firefox 89, which was lower than our real support floor and causes extra transpilation. This PR: - raises browserslist and Babel targets to `chrome >= 113` and `firefox >= 115` - adds Browserify-required Babel syntax transforms for class properties and private methods, plus keeps the existing logical-assignment transform - updates the build-system LavaMoat policy to allow those nested `@babel/preset-env` plugins [](https://codespaces.new/MetaMask/metamask-extension/pull/41170?quickstart=1) ## **Changelog** CHANGELOG entry: null ## **Related issues** Fixes: ## **Manual testing steps** 1. build it 2. does it work? <!-- ## **Screenshots/Recordings** If applicable, add screenshots and/or recordings to visualize the before and after of your change. ### **Before** [screenshots/recordings] ### **After** [screenshots/recordings] --> ## **Pre-merge author checklist** - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Extension Coding Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [ ] I’ve included tests if applicable - [ ] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [ ] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. <!-- ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. --> <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Medium Risk** > Moderate risk because it changes build/transpilation targets and multiple LavaMoat policies; misconfiguration could cause runtime issues in older browsers or build-time bundling failures. > > **Overview** > Updates declared build targets to **Chrome 113+ / Firefox 115+** by bumping `.browserslistrc` and Babel `targets` in `babel.config.js`, reducing unnecessary transpilation. > > Adds explicit Babel syntax transforms for `class` properties and private class features (keeping logical assignment transforms) and wires in the needed devDependencies/depcheck ignores. > > Adjusts LavaMoat Browserify/Webpack policies to match the new Babel plugin dependency graph and to refine/expand allowed globals (e.g., `AbortSignal.timeout`, scoped `navigator.*`, `document.visibilityState`, `crypto.subtle`, and additional DOM prototype access), while removing several now-unneeded `@swc/helpers` allowances. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 5d88a00. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> --------- Co-authored-by: MetaMask Bot <metamaskbot@users.noreply.github.com>
## **Description** This feature wasn't working well enough (needs maintenance) and we think it's causing a "workflows awaiting approval" problem, so we are removing the "Open in GitHub Codespaces" badge from PR descriptions. ## **Changelog** CHANGELOG entry: null <!--## **Related issues** ## **Manual testing steps** ## **Screenshots/Recordings** ## **Pre-merge author checklist** ## **Pre-merge reviewer checklist** [skip-e2e]--> <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Low Risk** > Low risk: removes a non-critical PR-body automation workflow and a template badge link, with no runtime product code changes. Minor process risk is limited to CODEOWNERS approval routing for `.devcontainer/`. > > **Overview** > Removes the **"Open in GitHub Codespaces"** badge from the PR template (and the CODEBOT PR-description snippet) and deletes the `codespaces-update-badge` GitHub Action that rewrote PR bodies with the PR number. > > Updates `.github/CODEOWNERS` so changes under `.devcontainer/` are owned by `@MetaMask/extension-platform` (instead of `@MetaMask/extension-security-team`) alongside `@HowardBraham`. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit f9d3919. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY -->
…41259) Converts `shared/lib/rpc.utils.js` to TypeScript as part of the ongoing TS migration effort. ## Changes - **`shared/lib/rpc.utils.ts`** — Replaces the JS file with full TypeScript types: - Function signature with explicit parameter and return types - `headers` typed as `Record<string, string>` - JSON-RPC response destructured via a typed cast reflecting the two valid error shapes (`{ message?: string }` object or plain string) ```ts export async function jsonRpcRequest( rpcUrl: string, rpcMethod: string, rpcParams: unknown[] = [], options: { headers?: Record<string, string> } = {}, ): Promise<unknown> ``` - **`development/ts-migration-dashboard/files-to-convert.json`** — Removes `shared/lib/rpc.utils.js` from the pending conversion list. <!-- START COPILOT ORIGINAL PROMPT --> <details> <summary>Original prompt</summary> > > ---- > > *This section details on the original issue you should resolve* > > <issue_title>TypeScript conversion of `shared/lib/rpc.utils.js` (level 32)</issue_title> > <issue_description>### What is this about? > > . > > ### Scenario > > _No response_ > > ### Design > > _No response_ > > ### Technical Details > > _No response_ > > ### Threat Modeling Framework > > _No response_ > > ### Acceptance Criteria > > _No response_ > > ### Stakeholder review needed before the work gets merged > > - [ ] Engineering (needed in most cases) > - [ ] Design > - [ ] Product > - [ ] QA (automation tests are required to pass before merging PRs but not all changes are covered by automation tests - please review if QA is needed beyond automation tests) > - [ ] Security > - [ ] Legal > - [ ] Marketing > - [ ] Management (please specify) > - [ ] Other (please specify) > > ### References > > _No response_</issue_description> > > <agent_instructions>Follow best practice https://github.com/MetaMask/contributor-docs/blob/main/docs/typescript.md</agent_instructions> > > ## Comments on the Issue (you are @copilot in this section) > > <comments> > </comments> > </details> <!-- START COPILOT CODING AGENT SUFFIX --> - Fixes MetaMask/MetaMask-planning#5528 <!-- START COPILOT CODING AGENT TIPS --> --- 🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. [Learn more about Advanced Security.](https://gh.io/cca-advanced-security) <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Low Risk** > Mostly a TypeScript migration with added unit tests; only small behavioral impact is slightly different error message formatting for some JSON-RPC `error` shapes. > > **Overview** > Converts `shared/lib/rpc.utils` to TypeScript by adding explicit parameter/return types, typing `headers`, and casting the JSON-RPC response shape. > > Adds a new Jest suite (`shared/lib/rpc.utils.test.ts`) covering success cases, invalid response shapes, basic-auth URL credential handling, custom header merging, and updated error handling that stringifies non-message error objects. > > Removes `shared/lib/rpc.utils.js` from `development/ts-migration-dashboard/files-to-convert.json`. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 0710d81. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: DDDDDanica <12678455+DDDDDanica@users.noreply.github.com> Co-authored-by: dddddanica <zhaodanica@gmail.com>
…41125) ## **Description** Expanding the successful policy update comment to point to process doc [](https://codespaces.new/MetaMask/metamask-extension/pull/41125?quickstart=1) ## **Changelog** ## **Related issues** Fixes: null ## **Manual testing steps** 1. change dependencies enough to make current policy outdated 2. trigger policy update 3. observe the comment ## **Screenshots/Recordings** maybe later ## **Pre-merge author checklist** - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Extension Coding Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [x] I’ve included tests if applicable - [x] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [x] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Low Risk** > Only changes GitHub Actions comment text; no changes to policy generation, commits, or runtime code paths. > > **Overview** > When the `update-lavamoat-policies` workflow successfully updates and commits policies, the PR comment now includes a *TIP* linking to the `docs/lavamoat-policy-review-process.md` guidance before seeking reviewer approval, in addition to the existing LavaMoat policy diff reading link. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 94ffeb7. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY -->
Part of the ongoing TypeScript migration effort (level 14). `shared/lib/ui-utils.js` exports URL string constants and a single `process.env` variable. ## Changes - Renamed `shared/lib/ui-utils.js` → `shared/lib/ui-utils.ts` No content changes were required — TypeScript infers all types from the string literals and `process.env` access (`SUPPORT_LINK` becomes `string | undefined`). All 20+ importing files resolve the module transparently via the `.ts` extension. <!-- START COPILOT ORIGINAL PROMPT --> <details> <summary>Original prompt</summary> > > ---- > > *This section details on the original issue you should resolve* > > <issue_title>TypeScript conversion of `shared/lib/ui-utils.js` (level 14)</issue_title> > <issue_description>### What is this about? > > . > > ### Scenario > > _No response_ > > ### Design > > _No response_ > > ### Technical Details > > _No response_ > > ### Threat Modeling Framework > > _No response_ > > ### Acceptance Criteria > > _No response_ > > ### Stakeholder review needed before the work gets merged > > - [ ] Engineering (needed in most cases) > - [ ] Design > - [ ] Product > - [ ] QA (automation tests are required to pass before merging PRs but not all changes are covered by automation tests - please review if QA is needed beyond automation tests) > - [ ] Security > - [ ] Legal > - [ ] Marketing > - [ ] Management (please specify) > - [ ] Other (please specify) > > ### References > > _No response_</issue_description> > > <agent_instructions>Follow the best practice in https://github.com/MetaMask/contributor-docs/blob/main/docs/typescript.md > </agent_instructions> > > ## Comments on the Issue (you are @copilot in this section) > > <comments> > </comments> > </details> <!-- START COPILOT CODING AGENT SUFFIX --> - Fixes MetaMask/MetaMask-planning#5535 <!-- START COPILOT CODING AGENT TIPS --> --- 📱 Kick off Copilot coding agent tasks wherever you are with [GitHub Mobile](https://gh.io/cca-mobile-docs), available on iOS and Android. <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Low Risk** > Low risk rename-only TypeScript migration of a constants module; main risk is any tooling/import resolution edge cases around `.js`→`.ts` module resolution. > > **Overview** > Converts `shared/lib/ui-utils` from JavaScript to TypeScript by renaming `ui-utils.js` to `ui-utils.ts` with no functional changes. > > The module continues to export the same URL string constants and `SUPPORT_LINK` sourced from `process.env` (now typed as `string | undefined`). > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 41acd5c. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY --> --------- Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com> Co-authored-by: DDDDDanica <12678455+DDDDDanica@users.noreply.github.com>
## **Description** Fixes ``` └─ serialize-javascript ├─ ID: 1115519 ├─ Issue: Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects ├─ URL: GHSA-qj8w-gfj5-8c6v ├─ Severity: moderate ├─ Vulnerable Versions: <7.0.5 │ ├─ Tree Versions │ └─ 7.0.3 │ └─ Dependents └─ terser-webpack-plugin@npm:5.3.16 [e4394] ``` ## **Changelog** CHANGELOG entry: null <!--## **Related issues** ## **Manual testing steps** ## **Screenshots/Recordings** ## **Pre-merge author checklist** ## **Pre-merge reviewer checklist** [skip-e2e]--> <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Low Risk** > Low risk dependency-only change; primary impact is in build tooling consumers of `serialize-javascript`, with minimal chance of runtime behavior changes outside updated library semantics. > > **Overview** > Updates the pinned `serialize-javascript` resolution from `7.0.3` to `7.0.5` and refreshes `yarn.lock` accordingly. > > This is a security-driven bump to address a moderate DoS advisory affecting versions `<7.0.5`. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 2b71464. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY -->
Builds ready [6c178b2]
⚡ Performance Benchmarks (Total: 🟢 24 pass · 🟡 1 warn · 🔴 0 fail)
Dapp page load benchmarks: data not available. Bundle size diffs [🚨 Warning! Bundle size has increased!]
AI Test Plan
Cherry-Pick Scenarios (4)High Risk Scenarios (2)1. Transactions – Reload behavior after a failed transactionRisk Level: HIGH Why This Matters: Cherry-pick 41523 fixes UI recovery after failed transactions; without it, users may get stuck or see stale activity after failures. Test Steps:
2. Token Management – Eagerly add mUSD during conversion for new single-wallet usersRisk Level: HIGH Why This Matters: Cherry-pick 41633 fixes visibility gaps by eagerly adding mUSD for new single-wallet users post-conversion; without it, users may not see the asset they just acquired. Test Steps:
Medium Risk Scenarios (2)1. Transactions – Prevent duplicate success toasts for already-confirmed txsRisk Level: MEDIUM Why This Matters: Cherry-pick 41514 fixes duplicate success toasts for already-confirmed transactions, which can confuse users and mask real new events. Test Steps:
2. Notifications – Eliminate duplicate toast notifications across flowsRisk Level: MEDIUM Why This Matters: Cherry-pick 41583 addresses duplicate toast notifications across flows; duplicates can overwhelm users and obscure important signals. Test Steps:
Release Scenarios (10)High Risk Scenarios (6)1. State Migrations (201) – Assets data shape and selectorsRisk Level: HIGH Why This Matters: Migrations can corrupt or reshape stored assets data; a bad migration risks lost tokens, duplicates, or broken rendering across networks and accounts. Test Steps:
2. State Migrations (202) – Follow-up/cleanup for assets and migration gatingRisk Level: HIGH Why This Matters: Follow-up migrations often fix edge cases from the first pass; regressions here can re-trigger migration loops or lose user preferences for tokens. Test Steps:
3. Token Management – Post-migration integrity across multi-account and multi-networkRisk Level: HIGH Why This Matters: Large token-management changes and selectors impact how assets are discovered and shown; inconsistencies lead to user confusion, incorrect balances, and trust issues. Test Steps:
4. Bridge – Controller initialization and status updatesRisk Level: HIGH Why This Matters: Controller init changes for Bridge can break status persistence and error handling, leading to stuck or incorrect progress indicators. Test Steps:
5. Accounts Tree and Messaging – Account list integrity and switchingRisk Level: HIGH Why This Matters: Controller messenger changes can cause stale or mismatched account state, leading to signing with the wrong account or UI desync. Test Steps:
6. Transaction Signing – Status, activity updates, and persistenceRisk Level: HIGH Why This Matters: Core controller and UI changes can desynchronize transaction activity and statuses, risking wrong balances or stuck pending entries. Test Steps:
Medium Risk Scenarios (4)1. API Error Handling – User-visible RPC and network errorsRisk Level: MEDIUM Why This Matters: Error handler changes can hide critical failures or flood users with duplicate toasts, degrading reliability and supportability. Test Steps:
2. Connected Sites UX – Removal/rework of Connected Status IndicatorRisk Level: MEDIUM Why This Matters: UI changes to connection indicators can confuse users about which account/site is connected, risking wrong-account actions. Test Steps:
3. Backup & Sync – Feature toggles and persistenceRisk Level: MEDIUM Why This Matters: Toggle logic changes can leave features half-enabled, causing silent failures or privacy issues. Test Steps:
4. Download Mobile Modal – QR and deep linksRisk Level: MEDIUM Why This Matters: User-facing modal updates can break links or QR rendering, reducing trust and driving support tickets. Test Steps:
Teams Sign-off StatusSigned off: None yet Awaiting sign-off (9): Generated by AI Test Plan Analyzer (gpt-5) at 2026-04-10T07:52:17.666Z AI generated test plan (JSON): test-plan-13.26.0.json |
…1655) - feat: disable post-transaction toast cp-13.26.0 (#41636) <!-- Please submit this PR as a draft initially. Do not mark it as "Ready for review" until the template has been completely filled out, and PR status checks have passed at least once. --> ## **Description** Revert the post-transaction toast feature ## **Changelog** <!-- If this PR is not End-User-Facing and should not show up in the CHANGELOG, you can choose to either: 1. Write `CHANGELOG entry: null` 2. Label with `no-changelog` If this PR is End-User-Facing, please write a short User-Facing description in the past tense like: `CHANGELOG entry: Added a new tab for users to see their NFTs` `CHANGELOG entry: Fixed a bug that was causing some NFTs to flicker` (This helps the Release Engineer do their job more quickly and accurately) --> CHANGELOG entry: null ## **Related issues** Fixes: ## **Manual testing steps** 1. Go to this page... 2. 3. ## **Screenshots/Recordings** <!-- If applicable, add screenshots and/or recordings to visualize the before and after of your change. --> ### **Before** <!-- [screenshots/recordings] --> ### **After** https://github.com/user-attachments/assets/f1047cc3-3526-4619-bc68-bedf641df9dc <!-- [screenshots/recordings] --> ## **Pre-merge author checklist** - [ ] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Extension Coding Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [ ] I've completed the PR template to the best of my ability - [ ] I’ve included tests if applicable - [ ] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [ ] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. <!-- CURSOR_SUMMARY --> --- > [!NOTE] > **Medium Risk** > Changes post-transaction navigation and disables the toast listener, which can affect user flow after swaps/bridges/sends and may surface regressions in transaction feedback. Also updates e2e behavior around the smart transaction status page, which may introduce test or UI flakiness if the status page timing differs. > > **Overview** > Disables the post-transaction toast flow by removing the global `ToastListener` mount and stopping `SmartTransactionStatusPage` from auto-resolving on load. > > Updates post-submit navigation to go directly to `/?tab=activity` after bridge submissions (`useSubmitBridgeTransaction`), non-EVM sends (`useSendActions`), and certain swap completion paths (`awaiting-swap`). > > Adjusts e2e bridge/swap tests to handle the smart transaction status page explicitly (adds a close button selector, makes `submitQuote` optionally dismiss the status page, and threads a `dismissStatusPage` flag through test helpers/cases). > > <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit 7ad5544. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).</sup> <!-- /CURSOR_SUMMARY --> [4ee597b](4ee597b) --------- Co-authored-by: Francis Nepomuceno <n3ps@users.noreply.github.com>
Builds ready [b9ed5bd]
⚡ Performance Benchmarks (Total: 🟢 25 pass · 🟡 0 warn · 🔴 0 fail)
Dapp page load benchmarks: data not available. Bundle size diffs [🚨 Warning! Bundle size has increased!]
AI Test Plan
Cherry-Pick Scenarios (5)High Risk Scenarios (2)1. Transaction Failure — UI Reload and State SyncRisk Level: HIGH Why This Matters: Cherry-pick 41523 fixes post-failure reload/sync; without it, users may see stale pending states or need manual intervention to recover. Test Steps:
2. Token Management — Eager Add mUSD on Conversion (New User, Single Wallet)Risk Level: HIGH Why This Matters: Cherry-pick 41633 fixes visibility of mUSD for new single-wallet users; incorrect scoping could cause silent token loss of visibility or unwanted auto-adds for existing users. Test Steps:
Medium Risk Scenarios (3)1. Transaction Notifications — Skip Toast for Already-ConfirmedRisk Level: MEDIUM Why This Matters: Cherry-pick 41514 fixes noisy UX by skipping toasts for already-confirmed transactions; regressions could spam users with historical confirmations. Test Steps:
2. Notifications — Prevent Duplicate ToastsRisk Level: MEDIUM Why This Matters: Cherry-pick 41583 fixes duplicate toast notifications; duplicates degrade UX and can mask important single-event signals. Test Steps:
3. Transaction Notifications — Disable Post-Transaction ToastRisk Level: MEDIUM Why This Matters: Cherry-pick 41655 changes UX by disabling post-transaction toasts; ensuring clarity in Activity without silent failures is critical to avoid missed outcomes. Test Steps:
Release Scenarios (9)High Risk Scenarios (4)1. State Migrations (201, 202) — Assets and AccountsRisk Level: HIGH Why This Matters: Migrations can corrupt or drop user assets, duplicate entries, or descope data across networks; verifying persistence across complex states prevents data-loss regressions. Test Steps:
2. State Migrations — Fresh and Edge-Case WalletsRisk Level: HIGH Why This Matters: Edge-case and new-user paths often expose migration bugs (e.g., incorrect defaults, token auto-additions, or persistence issues) that can confuse or mislead users. Test Steps:
3. Transaction Flow — Submission, Status Updates, and ActivityRisk Level: HIGH Why This Matters: Transaction state integrity is core to trust; incorrect transitions or stale states lead to user errors and potential financial loss. Test Steps:
4. Accounts and Permissions — Account Switching and Connected SitesRisk Level: HIGH Why This Matters: Changes in account-tree messaging and controller init can break per-account connection isolation, causing cross-account permission leaks. Test Steps:
Medium Risk Scenarios (5)1. Bridge Flow — Status Tracking and ResumptionRisk Level: MEDIUM Why This Matters: Controller init changes to bridge/status logic risk losing or misreporting long-running bridge statuses, confusing users about fund location. Test Steps:
2. Connected Dapp Status UI — Indicator Removal RegressionRisk Level: MEDIUM Why This Matters: Removing the connected-status-indicator can unintentionally hide connection state; users must still find, confirm, and manage permissions easily. Test Steps:
3. API Error Handling — RPC/Quote FailuresRisk Level: MEDIUM Why This Matters: API error handler changes can suppress or duplicate critical feedback; users need clear recovery paths during RPC and aggregator issues. Test Steps:
4. Backup & Sync Toggles — Persistence and Non-InterferenceRisk Level: MEDIUM Why This Matters: Toggle changes can create hidden state that interferes with core wallet operations or fails to persist. Test Steps:
5. Reset Account — Confirmation and Post-Reset BehaviorRisk Level: MEDIUM Why This Matters: Changes in reset confirmation/UI can lead to user confusion or accidental data loss beyond nonce clearing. Test Steps:
Teams Sign-off StatusSigned off: None yet Awaiting sign-off (10): Generated by AI Test Plan Analyzer (gpt-5) at 2026-04-10T16:52:01.126Z AI generated test plan (JSON): test-plan-13.26.0.json |
🚀 v13.26.0 Testing & Release Quality Process
Hi Team,
As part of our new MetaMask Release Quality Process, here’s a quick overview of the key processes, testing strategies, and milestones to ensure a smooth and high-quality deployment.
📋 Key Processes
Testing Strategy
Conduct regression and exploratory testing for your functional areas, including automated and manual tests for critical workflows.
Focus on exploratory testing across the wallet, prioritize high-impact areas, and triage any Sentry errors found during testing.
Validate new functionalities and provide feedback to support release monitoring.
GitHub Signoff
Issue Resolution
Cherry-Picking Criteria
🗓️ Timeline and Milestones
✅ Signoff Checklist
Each team is responsible for signing off via GitHub. Use the checkbox below to track signoff completion:
Team sign-off checklist
This process is a major step forward in ensuring release stability and quality. Let’s stay aligned and make this release a success! 🚀
Feel free to reach out if you have questions or need clarification.
Many thanks in advance
Reference