[pull] main from MetaMask:main#509
Merged
## **Description**

**Reason for change:** `yarn audit:ci` was failing due to a high-severity vulnerability in `axios` (GHSA-43fc-jf86-j433): Denial of Service via the `__proto__` key in `mergeConfig`. Affected versions are ≤1.13.4; the project was on 1.12.2.

**Solution:**
- Bumped axios resolutions to `^1.13.5` in root `package.json` (both resolution entries) and in `.github/scripts/package.json`.
- Added `axios` to `npmPreapprovedPackages` in `.yarnrc.yml` so Yarn’s 3-day minimal age gate allows the new release.
- Ran `yarn install --no-immutable` to update the lockfile to axios 1.13.5.

No code changes; dependency upgrade only. `yarn audit:ci` now passes.

## **Changelog**
CHANGELOG entry: null

## **Related issues**
Fixes: N/A

## **Manual testing steps**
```gherkin
Feature: Security audit and dependency usage after axios upgrade

  Scenario: CI audit passes after axios upgrade
    Given the repo has axios resolved to 1.13.5
    When I run yarn audit:ci
    Then the command exits with code 0 and reports no audit suggestions

  Scenario: App and scripts still run with upgraded axios
    Given the branch is checked out and dependencies are installed
    When I run yarn install and then run any flow that uses axios (e.g. scripts or app network calls)
    Then no runtime errors occur and behavior is unchanged
```

## **Screenshots/Recordings**
Not applicable (dependency-only change; no UI changes).

### **Before**
N/A

### **After**
N/A

## **Pre-merge author checklist**
- [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md).
- [x] I've completed the PR template to the best of my ability
- [x] I've included tests if applicable
- [x] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable
- [x] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors.

## **Pre-merge reviewer checklist**
- [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
- [x] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---
> [!NOTE]
> **Medium Risk**
> Dependency upgrade plus bundler resolution changes could affect runtime networking behavior or Metro module resolution, especially if any code relied on Axios’ Node build.
>
> **Overview**
> Bumps `axios` to `^1.13.5` (and updates both root `yarn.lock` and `.github/scripts/yarn.lock`) to address the reported security advisory.
>
> Updates `metro.config.js` resolver logic to always redirect `axios` (and `axios/dist/node/*`) imports to `axios/dist/browser/axios.cjs`, while preserving the existing E2E-only Sentry module mocking behavior under the new unified `resolveRequest` handler.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 520829a. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

---------

Co-authored-by: sethkfman <10342624+sethkfman@users.noreply.github.com>
Co-authored-by: Mark Stacey <markjstacey@gmail.com>
Co-authored-by: Cal-L <cal.leung@consensys.net>
## **Description**
Redirect the user to the rehydration screen to handle a seedless password change.
During biometric login, when the app reopens, it consumes 1 retry of
password entry for the newly changed password.
This causes an issue when the user hits the rate limit, then closes and reopens
the app.
## **Changelog**
CHANGELOG entry: when the password is outdated, it navigates to the oauthRehydrate
screen when reopening the app
## **Related issues**
Fixes:
## **Manual testing steps**
```gherkin
Feature: my feature name
Scenario: user [verb for user action]
Given [describe expected initial app state]
When user [verb for user action]
Then [describe expected outcome]
```
## **Screenshots/Recordings**
### **Before**
### **After**
## **Pre-merge author checklist**
- [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md).
- [x] I've completed the PR template to the best of my ability
- [x] I've included tests if applicable
- [x] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable
- [x] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors.
## **Pre-merge reviewer checklist**
- [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
- [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.
---
> [!NOTE]
> **Medium Risk**
> Changes the app-start and foreground biometric unlock flow to conditionally redirect instead of unlocking, which can affect login/navigation behavior. Risk is moderated by added saga tests covering the new redirect path.
>
> **Overview**
> Adds a shared `tryBiometricUnlock` flow used by both `requestAuthOnAppStart` and `appStateListenerTask` to **check `Authentication.checkIsSeedlessPasswordOutdated()` before prompting biometric unlock**.
>
> When the seedless password is outdated, the app now resets navigation to `Routes.ONBOARDING.REHYDRATE` (with `isSeedlessPasswordOutdated: true`) and **skips `Authentication.unlockWallet`**, preventing biometric retries from being consumed; tests are updated to mock the new API and assert the redirect behavior.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit c82a857. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>