Skip to content

chore: bitcoin snap integration into packages#27

Open
taran-a wants to merge 10 commits into
mainfrom
chore/bitcoin-integration-into-packages
Open

chore: bitcoin snap integration into packages#27
taran-a wants to merge 10 commits into
mainfrom
chore/bitcoin-integration-into-packages

Conversation

@taran-a

@taran-a taran-a commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Explanation

Phase C: Integration into packages/ migration guide

Move files from intermediate folder merged-packages/ to packages/.
Fix eslint/ts errors, and suppress the rest.
Add a bunch of resolutions to the main package.json to fix SES env issue during bitcoin snap build.
Update teams.json, codeowners files.

References

Checklist

  • I've updated the test suite for new or updated code as appropriate
  • I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
  • I've communicated my changes to consumers by updating changelogs for packages I've changed
  • I've introduced breaking changes in this PR and have prepared draft pull requests for clients and consumer packages to resolve them

@taran-a taran-a requested review from a team as code owners July 13, 2026 16:32
@taran-a taran-a deployed to default-branch July 13, 2026 16:32 — with GitHub Actions Active
@socket-security

socket-security Bot commented Jul 13, 2026

Copy link
Copy Markdown

@socket-security

socket-security Bot commented Jul 13, 2026

Copy link
Copy Markdown

Warning

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action Severity Alert  (click "▶" to expand/collapse)
Warn Medium
Deprecated by its maintainer: npm lodash.isequal

Reason: This package is deprecated. Use require('node:util').isDeepStrictEqual instead.

From: ?npm/jest-mock-extended@4.0.1npm/lodash.isequal@4.5.0

ℹ Read more on: This package | This alert | What is a deprecated package?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lodash.isequal@4.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Install-time scripts: npm secp256k1 during install

Install script: install

Source: npm run rebuild || echo "Secp256k1 bindings compilation fail. Pure JS implementation will be used."

From: ?npm/bip322-js@3.0.0npm/secp256k1@3.8.1

ℹ Read more on: This package | This alert | What is an install script?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/secp256k1@3.8.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm rxjs is 75.0% likely to have a medium risk anomaly

Notes: The code is a conventional, well-scoped implementation of an RxJS-like concat operator. No malicious behavior, data exfiltration, or suspicious I/O detected in this fragment. Security risk is low; malware likelihood is negligible for this isolated operator function.

Confidence: 0.75

Severity: 0.50

From: ?npm/concurrently@10.0.3npm/rxjs@7.8.2

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/rxjs@7.8.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm secp256k1 is 90.0% likely to have a medium risk anomaly

Notes: The install script triggers a native rebuild (node-gyp) which is expected for native bindings and falls back to a pure-JS implementation on failure. There is no direct evidence of malicious behavior in the install script itself. However, the presence of a devDependency pinned to a git URL (non-registry source) increases supply-chain risk (medium). Native compilation via node-gyp also increases risk surface because build scripts run with local privileges and could be abused if sources or dependencies are compromised. Recommend auditing any non-registry git dependencies and verifying integrity of native build inputs when installing in sensitive environments.

Confidence: 0.90

Severity: 0.60

From: ?npm/bip322-js@3.0.0npm/secp256k1@3.8.1

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/secp256k1@3.8.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Ignoring alerts on:

  • @metamask/bitcoindevkit@0.1.13
  • tree-kill@1.2.2
  • varuint-bitcoin@1.1.2
  • ripemd160@2.0.2
  • bs58check@3.0.1
  • bs58@5.0.0

View full report

@taran-a taran-a force-pushed the chore/bitcoin-integration-into-packages branch 2 times, most recently from acb7eab to 4337ee5 Compare July 13, 2026 17:15
@taran-a taran-a force-pushed the chore/bitcoin-integration-into-packages branch from 4337ee5 to fdf9e88 Compare July 13, 2026 17:20
Comment thread package.json Outdated
@mikesposito

Copy link
Copy Markdown
Member
@SocketSecurity ignore npm/@metamask/bitcoindevkit@0.1.13

This is our package

@mikesposito

Copy link
Copy Markdown
Member

@taran-a should the env be setup for GitHub workflows before merging this one?

@taran-a

taran-a commented Jul 14, 2026

Copy link
Copy Markdown
Contributor Author

@taran-a should the env be setup for GitHub workflows before merging this one?

I believe it can be done in parallel, we just wouldn't be able to release or publish previews. If that is not on us, we could already ask for these changes.

@taran-a taran-a force-pushed the chore/bitcoin-integration-into-packages branch from bd37c03 to 567e031 Compare July 14, 2026 10:36
@taran-a

taran-a commented Jul 14, 2026

Copy link
Copy Markdown
Contributor Author

@SocketSecurity ignore npm/tree-kill@1.2.2

@taran-a

taran-a commented Jul 14, 2026

Copy link
Copy Markdown
Contributor Author

@SocketSecurity ignore npm/bs58@5.0.0

@taran-a

taran-a commented Jul 14, 2026

Copy link
Copy Markdown
Contributor Author

@SocketSecurity ignore npm/bs58check@3.0.1

@taran-a

taran-a commented Jul 14, 2026

Copy link
Copy Markdown
Contributor Author

@SocketSecurity ignore npm/ripemd160@2.0.2

@taran-a

taran-a commented Jul 14, 2026

Copy link
Copy Markdown
Contributor Author

@SocketSecurity ignore npm/varuint-bitcoin@1.1.2

@taran-a taran-a requested a review from mikesposito July 14, 2026 11:25
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants