
[pull] main from MetaMask:main#509

Merged
pull[bot] merged 2 commits into
Reality2byte:mainfrom
MetaMask:main
Feb 10, 2026

Conversation

@pull pull Bot commented Feb 10, 2026


See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

MarioAslau and others added 2 commits February 10, 2026 03:56

## **Description**

**Reason for change:** `yarn audit:ci` was failing due to a
high-severity vulnerability in `axios` (GHSA-43fc-jf86-j433): Denial of
Service via the `__proto__` key in `mergeConfig`. Affected versions are
≤1.13.4; the project was on 1.12.2.

**Solution:**
- Bumped axios resolutions to `^1.13.5` in root `package.json` (both
resolution entries) and in `.github/scripts/package.json`.
- Added `axios` to `npmPreapprovedPackages` in `.yarnrc.yml` so Yarn’s
3-day minimal age gate allows the new release.
- Ran `yarn install --no-immutable` to update the lockfile to axios
1.13.5.

No code changes; dependency upgrade only. `yarn audit:ci` now passes.

## **Changelog**

CHANGELOG entry: null

## **Related issues**

Fixes: N/A

## **Manual testing steps**

```gherkin
Feature: Security audit and dependency usage after axios upgrade

  Scenario: CI audit passes after axios upgrade
    Given the repo has axios resolved to 1.13.5
    When I run yarn audit:ci
    Then the command exits with code 0 and reports no audit suggestions

  Scenario: App and scripts still run with upgraded axios
    Given the branch is checked out and dependencies are installed
    When I run yarn install and then run any flow that uses axios (e.g. scripts or app network calls)
    Then no runtime errors occur and behavior is unchanged
```

## **Screenshots/Recordings**

Not applicable (dependency-only change; no UI changes).

### **Before**

N/A

### **After**

N/A

## **Pre-merge author checklist**

- [x] I've followed [MetaMask Contributor
Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile
Coding
Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md).
- [x] I've completed the PR template to the best of my ability
- [x] I've included tests if applicable
- [x] I've documented my code using [JSDoc](https://jsdoc.app/) format
if applicable
- [x] I've applied the right labels on the PR (see [labeling
guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)).
Not required for external contributors.

## **Pre-merge reviewer checklist**

- [ ] I've manually tested the PR (e.g. pull and build branch, run the
app, test code being changed).
- [x] I confirm that this PR addresses all acceptance criteria described
in the ticket it closes and includes the necessary testing evidence such
as recordings and or screenshots.

---

> [!NOTE]
> **Medium Risk**
> Dependency upgrade plus bundler resolution changes could affect
runtime networking behavior or Metro module resolution, especially if
any code relied on Axios’ Node build.
> 
> **Overview**
> Bumps `axios` to `^1.13.5` (and updates both root `yarn.lock` and
`.github/scripts/yarn.lock`) to address the reported security advisory.
> 
> Updates `metro.config.js` resolver logic to always redirect `axios`
(and `axios/dist/node/*`) imports to `axios/dist/browser/axios.cjs`,
while preserving the existing E2E-only Sentry module mocking behavior
under the new unified `resolveRequest` handler.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
520829a. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>

---------

Co-authored-by: sethkfman <10342624+sethkfman@users.noreply.github.com>
Co-authored-by: Mark Stacey <markjstacey@gmail.com>
Co-authored-by: Cal-L <cal.leung@consensys.net>
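The `__proto__` issue the commit above describes, as an added example that is not axios' code or this project's: a naive recursive merge of a request config in the style of a `mergeConfig`, beside a hardened version that refuses prototype-related keys and only recurses into properties the target owns. The exact axios internals and failure mode are not reproduced here; the two merge functions, the constructed JSON input and the `demonstrate` helper are illustrative assumptions.

```javascript
// Added example, not axios' code. A naive recursive config merge that walks into
// a "__proto__" key, beside a hardened merge that refuses prototype-related keys.
// The real mergeConfig is not reproduced; the advisory text above only names the
// key and the function. Requires Node.js.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

// Vulnerable pattern. JSON.parse creates an *own* property literally named
// "__proto__", so Object.keys() yields it; reading target["__proto__"] then goes
// through the inherited accessor and hands back Object.prototype, which the
// recursion mutates. Every object in the process inherits the result.
function mergeConfigNaive(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(target[key]) && isPlainObject(source[key])) {
      mergeConfigNaive(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Hardened: skip the three keys that reach a prototype, and only recurse into
// properties the target actually owns, never into inherited ones.
function mergeConfigSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const current = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
    if (isPlainObject(current) && isPlainObject(source[key])) {
      mergeConfigSafe(current, source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// Runs both merges against a constructed untrusted config and reports what leaked.
function demonstrate() {
  // Constructed input standing in for an attacker-controlled JSON config.
  const untrusted = JSON.parse('{"__proto__": {"polluted": "yes"}, "timeout": 5000}');
  const bystander = {}; // unrelated object; any change here arrived via Object.prototype

  const naive = mergeConfigNaive({ timeout: 1000 }, untrusted);
  const naiveLeaked = bystander.polluted === 'yes';
  delete Object.prototype.polluted; // undo the pollution so the hardened run starts clean

  const safe = mergeConfigSafe({ timeout: 1000 }, untrusted);
  const safeLeaked = bystander.polluted === 'yes';

  return {
    naiveTimeout: naive.timeout,
    naiveLeaked,
    safeTimeout: safe.timeout,
    safeLeaked,
    safeKeys: Object.keys(safe),
  };
}

console.log(demonstrate());
```

The ordinary `timeout` override survives in both versions; the difference is that the hardened merge drops the `__proto__` entry instead of following it into `Object.prototype`. The same guard is what a dependency audit finding like the one above is asking the upstream library to have.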

## **Description**
Redirect the user to the rehydration screen to handle a changed seedless password.

During biometric login when the app reopens, it consumes 1 retry of password entry for the newly changed password.
This will cause an issue when the user hits the rate limit, then closes and reopens the app.



## **Changelog**


CHANGELOG entry: When the password is outdated, it navigates to the oauthRehydrate screen when the app is reopened.

## **Related issues**

Fixes:

## **Manual testing steps**

```gherkin
Feature: my feature name

  Scenario: user [verb for user action]
    Given [describe expected initial app state]

    When user [verb for user action]
    Then [describe expected outcome]
```

## **Screenshots/Recordings**


### **Before**


### **After**


## **Pre-merge author checklist**

- [x] I've followed [MetaMask Contributor
Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile
Coding
Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md).
- [x] I've completed the PR template to the best of my ability
- [x] I've included tests if applicable
- [x] I've documented my code using [JSDoc](https://jsdoc.app/) format
if applicable
- [x] I've applied the right labels on the PR (see [labeling
guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)).
Not required for external contributors.

## **Pre-merge reviewer checklist**

- [ ] I've manually tested the PR (e.g. pull and build branch, run the
app, test code being changed).
- [ ] I confirm that this PR addresses all acceptance criteria described
in the ticket it closes and includes the necessary testing evidence such
as recordings and or screenshots.


---

> [!NOTE]
> **Medium Risk**
> Changes the app-start and foreground biometric unlock flow to
conditionally redirect instead of unlocking, which can affect
login/navigation behavior. Risk is moderated by added saga tests
covering the new redirect path.
> 
> **Overview**
> Adds a shared `tryBiometricUnlock` flow used by both
`requestAuthOnAppStart` and `appStateListenerTask` to **check
`Authentication.checkIsSeedlessPasswordOutdated()` before prompting
biometric unlock**.
> 
> When the seedless password is outdated, the app now resets navigation
to `Routes.ONBOARDING.REHYDRATE` (with `isSeedlessPasswordOutdated:
true`) and **skips `Authentication.unlockWallet`**, preventing biometric
retries from being consumed; tests are updated to mock the new API and
assert the redirect behavior.
> 
> <sup>Written by [Cursor
Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit
c82a857. This will update automatically
on new commits. Configure
[here](https://cursor.com/dashboard?tab=bugbot).</sup>
@pull pull Bot locked and limited conversation to collaborators Feb 10, 2026
@pull pull Bot added the ⤵️ pull label Feb 10, 2026
@pull pull Bot merged commit c311186 into Reality2byte:main Feb 10, 2026
0 of 7 checks passed