1
0
mirror of https://github.com/kremalicious/metamask-extension.git synced 2024-12-12 04:37:13 +01:00
Commit Graph

14483 Commits

Author SHA1 Message Date
Dan J Miller
254e600d07 Destroy ledger keyring when removing last account in ledger keyring (#14993)
* Destroy ledger keyring when removing last account in ledger keyring

* Update unit tests
2022-06-21 17:06:36 -02:30
MetaMask Bot
390cf09b3f Version v10.15.1 2022-06-21 19:26:15 +00:00
Dan J Miller
9813fcae13
Merge pull request #14563 from MetaMask/Version-v10.15.0
Version v10.15.0 RC
2022-06-09 10:27:35 -02:30
Dan J Miller
aae91c5596 Delete lavamoat patch 2022-06-09 03:10:58 -02:30
kumavis
c1804c33f5 lavamoat - bump for stats support (#14641)
* lavamoat - bump for stats support

* lavamoat - update policy

* deps - dedupe lockfile
2022-06-09 02:34:47 -02:30
Mark Stacey
85c52d1214 Remove module paths from bundle (#14763)
A patch has been added to ensure lavapack no longer includes the path
for each module as part of each serialized module. This path was
originally added for debugging purposes, and is not used for anything
at runtime. The module path was an absolute path, not a relative one,
so it was an obstacle to having reproducible builds between
environments.
2022-06-09 02:19:02 -02:30
Alex Donesky
5a6f7541db fix lavamoat policy files for drag and drop package (#14901) 2022-06-09 01:55:50 -02:30
kumavis
15a962527a LavaMoat - UI upgrade - secure package naming (#14565)
* lavamoat - update lavamoat-browserify to v15

* lavamoat/ui - unify override across build types

* lavamoat/ui - update policy overrides

* lavamoat - update to lavapack@3 to match lavamoat-browserify@15

* lavamoat - add missing policy

* lavamoat - add missing nanoid policy

* lavamoat - regenerate policy

* deps - update lock

* lavamoat - update policy

* lavamoat - update policy
2022-06-09 01:55:29 -02:30
Mark Stacey
13adf0381d Update e2e test to reflect change in Chrome
Previously Chrome would ignore an attempt to navigate to a restricted
URL like an extension page that is not web accessible. In a recent
Chrome update, this has changed. Now it does perform the navigation,
but to an error page that explains that the request was invalid.

The last assertion, responsible for checking that the warning page is
still shown, has been removed. The test still ensures the main wallet
UI is not loaded, that assertion was not needed.
2022-06-06 16:46:54 -02:30
Erik Marks
ada427af6d Fix development build scripts (#14594)
#14583 broke the development build scripts (e.g. `yarn start`) by adding a positional argument to a package script (`build:dev`) that is used and passed positional arguments in the build script itself. This PR removes the positional argument from the `build:dev` script and `yarn start` now works again. In addition, the `--apply-lavamoat` flag is properly forwarded to child processes, which was not the case in the original implementation.

To test, `yarn start` should work and LavaMoat should _not_ be applied, in distinction to `yarn build:dev dev --apply-lavamoat=true`. Whether LavaMoat is applied can be determined by checking whether `Object.isFrozen(Object.prototype)` is `true` (with LavaMoat) or `false` (without LavaMoat).
2022-06-06 14:13:01 -02:30
Erik Marks
fda057637e Add applyLavaMoat build flag (#14583)
Adds a new flag, `--apply-lavamoat`, to the main build script. The flag controls whether LavaMoat is actually applied to the output of the build process. The flag defaults to `true`, but we explicitly set it to `false` in the `start` package script. Meanwhile, the `start:lavamoat` script is modified such that it applies LavaMoat to the build output in development mode, but it no longer runs the build process itself under LavaMoat as there aren't very compelling reasons to do so.

This change is motivated by the fact that development builds do not have their own dedicated LavaMoat policies, which causes development builds to fail since #14537. The downside of this change is that LavaMoat-related failures will not be detected when running `yarn start`. @kumavis has plans for fixing this problem in a future major version of the `@lavamoat` suite.
2022-06-06 14:13:01 -02:30
Mark Stacey
c70ea259d6 Update minimist from v1.2.5 to v1.2.6 (#14850)
This addresses a security advisory.
2022-06-03 17:09:17 -02:30
Mark Stacey
92cd6138f2 Update protobufjs and remove obsolete advisory exclusion (#14841)
The package `protobufjs` has been updated from v6.11.2 to v6.11.3. This
addresses a security advisory.

The advisory `GHSA-fwr7-v2mv-hh25` has also been removed from our list
of ignored advisories.

These two changes should fix the `test-deps-audit` failures.
2022-06-03 08:26:47 -02:30
Dan Miller
3942502951 Merge branch 'master' into Version-v10.15.0 2022-06-03 08:16:08 -02:30
Mark Stacey
7057955845
Merge pull request #14834 from MetaMask/Version-v10.14.7
Version v10.14.7 RC
2022-06-02 23:32:13 -02:30
Mark Stacey
cf5db650fe Merge remote-tracking branch 'origin/master' into Version-v10.14.7
* origin/master: (101 commits)
  Updating changelog
  Add token standard to custom token details (#14506)
  Revert "Dark Mode: What's New Announcement (#14346)"
  Ensure network name in confirm page container is defined (#14520)
  Updating lavamoat policies
  Fix the alerts toggles in settings (#14498)
  Disable swaps whenever the environment is not development or testing, so that behaviour follows production for QA purposes (#14499)
  [skip e2e] Updating changelog for v10.14.0 (#14487)
  Version v10.14.0
  Docs - segment metrics (#14435)
  Add snaps view search (#14419)
  Run main, flask and beta in sequence in generate-lavamoat-policies.sh (#14470)
  Modify import SRP page (#14425)
  Dark Mode: Implement Metrics (#14455)
  HoldToRevealButton component (#13785)
  e2e test import json file as import account strategy (#14449)
  MetaMetrics: Identify 'number_of_tokens' user trait (#14427)
  MetaMetrics: Identify 'nft_autodetection_enabled' &  'opensea_api_enabled' (#14367)
  Swaps: Sort "token_from" dropdown tokens by their fiat value first and "token_to" by top tokens (#14436)
  Update segment instantiation check. Only check if SEGMENT_WRITE_KEY exists (#14407)
  ...
2022-06-02 18:30:23 -02:30
Dan J Miller
9a74e309e6 Update changelog 2022-06-01 18:59:57 -02:30
Dan J Miller
8709c14126 Ignore advisory GHSA-wm7h-9275-46v2 (#14789)
* We can safely ignore this advisory because the affected package is only used in the ipfs cli, which our use of 3box does not use, therefore the vulnerable code is not included in our build.
2022-05-27 20:21:52 -07:00
Alex Miller
08490def8f [GridPlus] Updates Lattice-related modules to unlock functionality (#14467)
GridPlus has updated the EVM signing pathway in Lattice firmware,
which has not yet been released. Additionally, requesters can now
include ABI definitions with signing requests, which are used by
Lattice firmware to decode calldata in place.
All updates are backward compatable.
Updates:
* https://github.com/GridPlus/gridplus-sdk/compare/v1.1.6...v1.2.4
* https://github.com/GridPlus/eth-lattice-keyring/compare/v0.6.1...v0.7.3
2022-05-27 14:41:05 -02:30
Mark Stacey
5b05dd4e8e v10.14.7
This release includes another change to make the builds reproducible
between different environments.
2022-05-23 18:17:32 -02:30
Mark Stacey
eb55c0d1f7 Remove module paths from bundle
A patch has been added to ensure lavapack no longer includes the path
for each module as part of each serialized module. This path was
originally added for debugging purposes, and is not used for anything
at runtime. The module path was an absolute path, not a relative one,
so it was an obstacle to having reproducible builds between
environments.
2022-05-23 18:13:18 -02:30
Dan J Miller
3ede652895
Update CHANGELOG.md
Co-authored-by: Erik Marks <25517051+rekmarks@users.noreply.github.com>
2022-05-20 09:19:14 -02:30
Dan J Miller
5a6e82fc0f Ensure send logs use current chain currency symbol (#14726) 2022-05-17 14:31:02 -02:30
VSaric
2668446e3b Fix Ropsten Test Network icon (#14626) 2022-05-17 09:44:06 -02:30
David Walsh
7325549940 Add search information for Theme dropdown (#14476) 2022-05-16 21:08:25 -02:30
Mark Stacey
211f98c5c7 v10.14.6
In this release, the phishing warning page is extracted to an external
site.
2022-05-16 18:48:20 -02:30
Mark Stacey
d1ac1a8389 Rename phishing warning page environment variable
The phishing warning page URL environment variable has been renamed
from `PHISHING_PAGE_URL` to `PHISHING_WARNING_PAGE_URL`. We call this
page the "phishing warning page" everywhere else, and this name seemed
better suited (it's not a phishing page itself).

The variable has been listed and documented in `.metamaskrc.dist` as
well.
2022-05-16 18:48:20 -02:30
Mark Stacey
5a5e541b5e Fix e2e tests
The e2e tests have been updated for `@metamask/phishing-warning@1.1.0`.
The iframe case was updated with a new design, which required test
changes. The third test that was meant to ensure the phishing page
can't redirect to an extension page has been updated to navigate
directly to the phishing warning page and setting the URL manually via
query parameters, as that was the only way to test that redirect.
2022-05-16 18:48:20 -02:30
Mark Stacey
24c3175ec7 Fix CI validation errors
Two CI validation errors have been fixed:
* A duplcate entry has been removed from the lockfile
* `@metamask/phishing-warning` has been added to the depcheck config,
so that it knows that dependency is being used (in e2e tests)
2022-05-16 16:01:07 -02:30
Mark Stacey
3693de7947 Reproducible .zip files (#14623)
* Create `.zip` files deterministically

Our build system now creates `.zip` archives deterministically.
Previously the `.zip` file would differ between builds even when the
files being archived were identical. This was because the order the
files were passed in was non-deterministic, and the `mtime` for each
file was different between builds.

The files are now sorted before being zipped, and the `mtime` for each
file has been set to the unix epoch.

* Update lavamoat build policy
2022-05-16 14:48:09 -02:30
Mark Stacey
7199d9c567 Use externally hosted phishing warning page
An externally hosted phishing warning page is now used rather than the
built-in phishing warning page.The phishing page warning URL is set via
configuration file or environment variable. The default URL is either
the expected production URL or `http://localhost:9999/` for e2e testing
environments.

The new external phishing page includes a design change when it is
loaded within an iframe. In that case it now shows a condensed message,
and prompts the user to open the full warning page in a new tab to see
more details or bypass the warning. This is to prevent a clickjacking
attack from safelisting a site without user consent.

The new external phishing page also includes a simple caching service
worker to ensure it continues to work offline (or if our hosting goes
offline), as long as the user has successfully loaded the page at least
once. We also load the page temporarily during the extension startup
process to trigger the service worker installation.

The old phishing page and all related lines have been removed. The
property `web_accessible_resources` has also been removed from the
manifest. The only entry apart from the phishing page was `inpage.js`,
and we don't need that to be web accessible anymore because we inject
the script inline into each page rather than loading the file directly.

New e2e tests have been added to cover more phishing warning page
functionality, including the "safelist" action and the "iframe" case.
2022-05-16 14:40:50 -02:30
ryanml
57e7d05bfa Update Lavamoat policies 2022-05-16 09:07:28 -07:00
Brad Decker
f251ca4ff2 Track send flow history on txMeta (#14510) 2022-05-16 08:03:38 -07:00
ryanml
214211f847 Update Lavamoat policies 2022-05-16 07:07:19 -07:00
Dan J Miller
f4094925f0 Ensure ledger keyring message event listener are removed on metamask lock (#14691)
* Ensure ledger keyring message event listener are removed on metamask lock

* Clean up
2022-05-16 06:04:22 -07:00
Mark Stacey
8a14504b63 Version v10.14.5
This version is equivalent to v10.14.2. This release is just intended
to fix build configuration issues.
2022-05-14 21:03:06 -02:30
Ariella Vu
c0957866a9 metametrics: deprecate flatMap (#14608) 2022-05-11 15:16:17 -07:00
Frederik Bolding
a96d40957b Stop using 4bytes for contract deployment (#14598) 2022-05-11 15:15:55 -07:00
Mark Stacey
a58faa13a3 Version v10.14.2
This version includes a build system fix that ensures our builds are
deterministic.
2022-05-04 12:57:38 -02:30
kumavis
fefe9401a1 build - update bify-module-groups for build determinism (#14610) 2022-05-04 12:54:59 -02:30
Mark Stacey
900ac4596b Version v10.14.1
This is a rollback release to v10.13.0
2022-05-03 14:06:07 -02:30
Mark Stacey
0110bd9571 Fix lint errors 2022-05-03 14:06:02 -02:30
kumavis
c1ca70d732 phishing-detect - validate redirect url protocol 2022-05-03 13:39:18 -02:30
Brad Decker
8a141fe28c fix cross-fetch moderate vulnerability alert (#14570) 2022-05-02 23:10:06 -07:00
ryanml
2a3b77c95f
[skip e2e] Update changelog for v10.15.0 (#14593) 2022-05-02 23:07:23 -07:00
MetaMask Bot
402db4e94e Version v10.15.0 2022-04-28 22:32:12 +00:00
Thomas Huang
d139e69545
Unit test proptype (#14509)
* Confirm page container content currentTransaction proptype change string to object

* Add title prop
2022-04-28 15:14:53 -07:00
ryanml
16bfd2f334
Merge pull request #14562 from MetaMask/master-sync
Sync `master` with `develop`
2022-04-28 14:11:44 -07:00
ryanml
fd3eabf327 Revert "Revert "Dark Mode: What's New Announcement (#14346)""
This reverts commit 9cea6f57ef.
2022-04-28 12:05:52 -07:00
ryanml
f19173b0f2 Merge remote-tracking branch 'origin/develop' into master-sync 2022-04-28 12:04:17 -07:00