diff --git a/.iyarc b/.iyarc
index 3fa8de8b3..79536d383 100644
--- a/.iyarc
+++ b/.iyarc
@@ -15,3 +15,7 @@ GHSA-6fc8-4gx4-v693
 # patched version of 3.3.1. We can remove this once the
 # smart-transaction-controller updates its dependency.
 GHSA-8gh8-hqwg-xf34
+
+# request library is subject to SSRF.
+# addressed by temporary patch in .yarn/patches/request-npm-2.88.2-f4a57c72c4.patch
+GHSA-p8p7-x288-28g6
diff --git a/.yarn/patches/request-npm-2.88.2-f4a57c72c4.patch b/.yarn/patches/request-npm-2.88.2-f4a57c72c4.patch
new file mode 100644
index 000000000..c879c340c
--- /dev/null
+++ b/.yarn/patches/request-npm-2.88.2-f4a57c72c4.patch
@@ -0,0 +1,31 @@
+diff --git a/lib/redirect.js b/lib/redirect.js
+index b9150e77c73d63367845c0aec15b5684d900943f..2864f9f2abc481ecf2b2dd96b1293f5b93393efd 100644
+--- a/lib/redirect.js
++++ b/lib/redirect.js
+@@ -14,6 +14,7 @@ function Redirect (request) {
+ this.redirects = []
+ this.redirectsFollowed = 0
+ this.removeRefererHeader = false
++ this.allowInsecureRedirect = false
+ }
+
+ Redirect.prototype.onRequest = function (options) {
+@@ -40,6 +41,9 @@ Redirect.prototype.onRequest = function (options) {
+ if (options.followOriginalHttpMethod !== undefined) {
+ self.followOriginalHttpMethod = options.followOriginalHttpMethod
+ }
++ if (options.allowInsecureRedirect !== undefined) {
++ self.allowInsecureRedirect = options.allowInsecureRedirect
++ }
+ }
+
+ Redirect.prototype.redirectTo = function (response) {
+@@ -108,7 +112,7 @@ Redirect.prototype.onResponse = function (response) {
+ request.uri = url.parse(redirectTo)
+
+ // handle the case where we change protocol from https to http or vice versa
+- if (request.uri.protocol !== uriPrev.protocol) {
++ if (request.uri.protocol !== uriPrev.protocol && self.allowInsecureRedirect) {
+ delete request.agent
+ }
+
diff --git a/CHANGELOG.md b/CHANGELOG.md
index b1a20c505..f87706165 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
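Review bot: The new ignore entry for GHSA-p8p7-x288-28g6 states no removal condition, unlike the entry directly above it (`# We can remove this once the smart-transaction-controller updates its dependency.`), and since `.iyarc` suppresses an advisory by ID the suppression is global: any future resolution of `request` that does not go through the `.yarn/patches` locator would be hidden by it as well. Upstream `request` is deprecated, so "temporary" here is presumably open-ended; say so. I would extend the comment to `# Remove this once request is no longer in the dependency tree. The suppression is global, so re-check that yarn.lock resolves request only to the patched locator.`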
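Review bot: The cross-protocol guard in the third hunk of the patch is indirect: with `allowInsecureRedirect` left at its default of `false`, a redirect from https to http (or back) merely keeps the existing `request.agent` instead of dropping it, so the redirect is refused only if that retained agent rejects the other protocol. If the agent is unset (`agent: false`) or protocol-agnostic, such as a tunnelling or proxy agent, the redirect would presumably still be followed; confirm this against lib/request.js, which the patch does not touch. An explicit refusal would not depend on the agent, e.g. `if (request.uri.protocol !== uriPrev.protocol && !self.allowInsecureRedirect) { request.emit('error', new Error('Refusing cross-protocol redirect')); return false }` placed before the existing block, although whether to return or emit there depends on the return convention of `onResponse`, which starts and ends outside the hunk. The new flag is also undocumented; a comment on the `this.allowInsecureRedirect = false` line such as `// when false, the agent is retained across a protocol-changing redirect instead of being dropped and re-created` would record why keeping the agent is the fix.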
@@ -198,6 +198,13 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Make username mandatory in the edit contact screen ([#17425](https://github.com/MetaMask/metamask-extension/pull/17425))
 - NFTs: Hide detail when no thumbnail available ([#17693](https://github.com/MetaMask/metamask-extension/pull/17693))
 - Removing TEXT_VARIANTS in favour of TextVariant ([#17674](https://github.com/MetaMask/metamask-extension/pull/17674))
+## [10.27.0]
+### Added
+- feat: add the ConsenSys zkEVM (Linea) as a default network ([#17875](https://github.com/MetaMask/metamask-extension/pull/17875))
+
+## [10.26.2]
+### Changed
+- Sign in with Ethereum: re-enable warning UI for mismatched domains / disable domain binding ([#18200](https://github.com/MetaMask/metamask-extension/pull/18200))
 
 ## [10.26.1]
 ### Fixed
@@ -3727,6 +3734,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 [Unreleased]: https://github.com/MetaMask/metamask-extension/compare/v10.28.0...HEAD
 [10.28.0]: https://github.com/MetaMask/metamask-extension/compare/v10.26.1...v10.28.0
+[Unreleased]: https://github.com/MetaMask/metamask-extension/compare/v10.27.0...HEAD
+[10.27.0]: https://github.com/MetaMask/metamask-extension/compare/v10.26.2...v10.27.0
+[10.26.2]: https://github.com/MetaMask/metamask-extension/compare/v10.26.1...v10.26.2
 [10.26.1]: https://github.com/MetaMask/metamask-extension/compare/v10.26.0...v10.26.1
 [10.26.0]: https://github.com/MetaMask/metamask-extension/compare/v10.25.0...v10.26.0
 [10.25.0]: https://github.com/MetaMask/metamask-extension/compare/v10.24.2...v10.25.0
diff --git a/shared/constants/network.ts b/shared/constants/network.ts
index b061c2647..4c619d140 100644
--- a/shared/constants/network.ts
+++ b/shared/constants/network.ts
@@ -290,6 +290,12 @@ export const BUILT_IN_NETWORKS = {
 ticker: TEST_NETWORK_TICKER_MAP[NETWORK_TYPES.LINEA_TESTNET],
 blockExplorerUrl: 'https://explorer.goerli.linea.build',
 },
+ [NETWORK_TYPES.LINEA_TESTNET]: {
+ networkId: NETWORK_IDS.LINEA_TESTNET,
+ chainId: CHAIN_IDS.LINEA_TESTNET,
+ ticker: TEST_NETWORK_TICKER_MAP[NETWORK_TYPES.LINEA_TESTNET],
+ blockExplorerUrl: 'https://explorer.goerli.linea.build',
+ },
 [NETWORK_TYPES.MAINNET]: {
 networkId: NETWORK_IDS.MAINNET,
 chainId: CHAIN_IDS.MAINNET,
diff --git a/yarn.lock b/yarn.lock
index c770a116f..c492583b8 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -29731,7 +29731,7 @@ __metadata:
 languageName: node
 linkType: hard
 
-"request@npm:^2.83.0, request@npm:^2.85.0, request@npm:^2.88.2":
+"request@npm:2.88.2":
 version: 2.88.2
 resolution: "request@npm:2.88.2"
 dependencies:
@@ -29759,6 +29759,34 @@ __metadata:
 languageName: node
 linkType: hard
 
+"request@patch:request@npm%3A2.88.2#./.yarn/patches/request-npm-2.88.2-f4a57c72c4.patch::locator=metamask-crx%40workspace%3A.":
+ version: 2.88.2
+ resolution: "request@patch:request@npm%3A2.88.2#./.yarn/patches/request-npm-2.88.2-f4a57c72c4.patch::version=2.88.2&hash=2aadd7&locator=metamask-crx%40workspace%3A."
+ dependencies:
+ aws-sign2: ~0.7.0
+ aws4: ^1.8.0
+ caseless: ~0.12.0
+ combined-stream: ~1.0.6
+ extend: ~3.0.2
+ forever-agent: ~0.6.1
+ form-data: ~2.3.2
+ har-validator: ~5.1.3
+ http-signature: ~1.2.0
+ is-typedarray: ~1.0.0
+ isstream: ~0.1.2
+ json-stringify-safe: ~5.0.1
+ mime-types: ~2.1.19
+ oauth-sign: ~0.9.0
+ performance-now: ^2.1.0
+ qs: ~6.5.2
+ safe-buffer: ^5.1.2
+ tough-cookie: ~2.5.0
+ tunnel-agent: ^0.6.0
+ uuid: ^3.3.2
+ checksum: 1a64d706b36b2bdd5803c3a0fd3fee5e76e8c17d01c34f84972460fbfa5914302c300821a1fafce804d236e637f3745f3bdfbbb4219c139e112076790fc279af
+ languageName: node
+ linkType: hard
+
 "require-directory@npm:^2.1.1":
 version: 2.1.1
 resolution: "require-directory@npm:2.1.1"
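Review bot: The added `[NETWORK_TYPES.LINEA_TESTNET]` entry duplicates the entry that ends in the context lines directly above it (same `ticker` lookup and the same `blockExplorerUrl`), so `BUILT_IN_NETWORKS` now declares the same computed key twice; this looks like a merge artifact rather than an intended change. At runtime the later property silently overwrites the earlier one, and whether `tsc` reports the duplicate depends on how `NETWORK_TYPES` is typed, so the six added lines should be dropped rather than left in as a no-op that a later edit to one copy could turn into a real divergence. The `BUILT_IN_NETWORKS` literal begins and ends outside the hunk.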