`improved-yarn-audit` has been updated so that it supports GitHub
advisories. Two new GitHub advisories have been ignored, as they are
both moderate RegExp DoS vulnerabilities that don't affect us, and they
are embedded deep within our dependency graph and are difficult to
update.
Most notably this adds the ability to manage multiple Lattice/SafeCard
wallets simultaneously. If a user makes a request from an address not
associated with the device's active wallet, an error will display.
See: https://github.com/GridPlus/eth-lattice-keyring/pull/19
This PR adds one LavaMoat background script policy or each build type. It also renames the build system policy directory from `node` to `build-system` to make its purpose more clear. Each build type has the original `policy-override.json` for `main` builds. The `.prettierignore` file has been updated to match the locations of the new auto-generated policy files.
We need to maintain separate policies for each build type because each type will produce different bundles with different internal and external modules.
Co-authored-by: Mark Stacey <markjstacey@gmail.com>
Most notably this adds the ability to manage multiple Lattice/SafeCard
wallets simultaneously. If a user makes a request from an address not
associated with the device's active wallet, an error will display.
See: https://github.com/GridPlus/eth-lattice-keyring/pull/19
We're bumping from `^6` to `^8`. All imports are now named, and they have been updated. This is a breaking change, in that support for `eth_signTransaction` is added in `^8.0.0`. We do not support this method in our UI, so our middleware stack has been instrumented to reject.
In addition, there are some non-breaking behavioral changes in this version that reviewers should be aware of, see the [7.0.0 release](https://github.com/MetaMask/eth-json-rpc-middleware/releases).
* Support for Layer 2 networks with transaction fees on both layers
* Use variable name in transaction-breakdown
* Add comment on code source to ui/helpers/utils/optimism/fetchEstimatedL1Fee.js
* Fix unit tests
* Ensure values passed to are defined
* Fix activity log
* Support for Layer 2 networks with transaction fees on both layers
* Use variable name in transaction-breakdown
* Add comment on code source to ui/helpers/utils/optimism/fetchEstimatedL1Fee.js
* Fix unit tests
* Ensure values passed to are defined
* Fix activity log
* GridPlus: Adds support for GridPlus Lattice1 hardware wallet
* Fixes issue with switching hardware HD path
The main `Select HD Path` piece of the account selection component was not
properly hooked up to the state manager (`onPathChange`) and the extra
`Popover` component was being used instead.
I'm not sure what the origin of this is, but I don't see why the Popover
is needed at all. I have remove it and hooked `onPathChange` directly into
the HD path selector dropdown.
This was an issue that nearly every Lattice user who had come from Ledger
has contacted us about.
* GridPlus: Addresses QA issues
* Adds Lattice tutorial + image
* Cleans up connectivity issues (see: https://github.com/GridPlus/eth-lattice-keyring/pull/16)
* GridPlus: Adds Firefox support
To connect to the Lattice you need to open a new tab/window and get
login data from it. We were not able to do this for Firefox because
we relied on the `window` API. This is now fixed.
See corresponding changes:
* `eth-lattice-keyring`: https://github.com/GridPlus/eth-lattice-keyring/pull/17
* Lattice connector: https://github.com/GridPlus/wallet-web/pull/152
* GridPlus: Adds missing error path for Firefox
See: 242a93f559
* Check if ledger was successfully able to establish transport on mount of confirm screens
* Update ledger message/action if transport creation was blocked by existing connection
* TEMP: point eth-ledger-bridge-keyring to commite, REMOVE BEFORE MERGE
* Update eth-ledger-bridge-keyring to v0.10.0
* Connect ledger via webhid if that option is available
* Explicitly setting preference for webhid
* Use ledgerTransportType enum instead of booleans for ledger live and webhid preferences
* Use single setLEdgerTransport preference methods and property
* Temp
* Lint fix
* Unit test fix
* Remove async keyword from setLedgerTransportPreference function definition in preferences controller
* Fix ledgelive setting toggle logic
* Migrate useLedgerLive preference property to ledgerTransportType
* Use shared constants for ledger transport type enums
* Use constant for ledger usb vendor id
* Use correct property to check if ledgerLive preference is set when deciding whether to ask for webhid connection
* Update eth-ledger-bridge-keyring to v0.9.0
* Only show ledger live transaction helper messages if using ledger live
* Only show ledger live part of tutorial if ledger live setting is on
* Fix ledger related prop type errors
* Explicitly use u2f enum instead of empty string as a transport type; default transport type to webhid if available; use constants for u2f and webhid
* Cleanup
* Wrap ledger webhid device request in try/catch
* Clean up
* Lint fix
* Ensure user can easily connect their ledger wallet when they need to.
* Fix locales
* Fix/improve locales changes
* Remove unused isFirefox property from confirm-transaction-base.container.js
* Disable transaction and message signing confirmation if ledger webhid requires connection
* Ensure translation keys for ledger connection options in settings dropdown can be properly detected by verify-locales
* Drop .component from ledger-instruction-field file name
* Move renderLedgerLiveStep to module scope
* Remove ledgerLive from function and message names in ledger-instruction-field
* Wrap ledger connection logic in ledger-instruction-field in try catch
* Clean up signature-request.component.js
* Check whether the signing address, and not the selected address, is a ledger account in singature-request.container
* Ensure ledger instructions and webhid connection button are shown on signature-request-original signatures
* Improve webhid selection handling in select-ledger-transport-type onChange handler
* Move metamask redux focused ledger selectors to metamask duck
* Lint fix
* Use async await in checkWebHidStatusRef.current
* Remove unnecessary use of ref in ledger-instruction-field.js
* Lint fix
* Remove unnecessary try/catch in ledger-instruction-field.js
* Check if from address, not selected address, is from a ledger account in confirm-approve
* Move findKeyringForAddress to metamask duck
* Fix typo in function name
* Ensure isEqualCaseInsensitive handles possible differences in address casing
* Fix Learn More link size in advanced settings tab
* Update app/scripts/migrations/066.js
Co-authored-by: Mark Stacey <markjstacey@gmail.com>
* Update ui/pages/settings/advanced-tab/advanced-tab.component.test.js
Co-authored-by: Mark Stacey <markjstacey@gmail.com>
* Add jsdoc comments for new selectors
* Use jest.spyOn for mocking navigator in ledger webhid migration tests
* Use LEDGER_TRANSPORT_TYPES values to set proptype of ledgerTransportType
* Use LEDGER_TRANSPORT_TYPES values to set proptype of ledgerTransportType
* Fix font size of link in ledger connection description in advanced settings
* Fix return type in setLedgerTransportPreference comment
* Clean up connectHardware code for webhid connection in actions.js
* Update app/scripts/migrations/066.test.js
Co-authored-by: Mark Stacey <markjstacey@gmail.com>
* Update ui/ducks/metamask/metamask.js
Co-authored-by: Mark Stacey <markjstacey@gmail.com>
* Add migration test for when useLedgerLive is true in a browser that supports webhid
* Lint fix
* Fix inline-link size
Co-authored-by: Mark Stacey <markjstacey@gmail.com>
* Check if ledger was successfully able to establish transport on mount of confirm screens
* Update ledger message/action if transport creation was blocked by existing connection
* TEMP: point eth-ledger-bridge-keyring to commite, REMOVE BEFORE MERGE
* Update eth-ledger-bridge-keyring to v0.10.0
This PR enables the exclusion of JavaScript and JSON source by `buildType`, and enables the running of `eslint` under LavaMoat. 80-90% of the changes in this PR are `.patch` files and LavaMoat policy additions.
The file exclusion is designed to work in conjunction with our code fencing. If you forget to fence an import statement of an excluded file, the application will now error on boot. **This PR commits us to a particular naming convention for files intended only for certain builds.** Continue reading for details.
### Code Fencing and ESLint
When a file is modified by the code fencing transform, we run ESLint on it to ensure that we fail early for syntax-related issues. This PR adds the first code fences that will be actually be removed in production builds. As a consequence, this was also the first time we attempted to run ESLint under LavaMoat. Making that work required a lot of manual labor because of ESLint's use of dynamic imports, but the manual changes necessary were ultimately quite minor.
### File Exclusion
For all builds, any file in `app/`, `shared/` or `ui/` in a sub-directory matching `**/${otherBuildType}/**` (where `otherBuildType` is any build type except `main`) will be added to the list of excluded files, regardless of its file extension. For example, if we want to add one or more pages to the UI settings in Flask, we'd create the folder `ui/pages/settings/flask`, add any necessary files or sub-folders there, and fence the import statements for anything in that folder. If we wanted the same thing for Beta, we would name the directory `ui/pages/settings/beta`.
As it happens, we already organize some of our source files in this way, namely the logo JSON for Beta and Flask builds. See `ui/helpers/utils/build-types.js` to see how this works in practice.
Because the list of ignored filed is only passed to `browserify.exclude()`, any files not bundled by `browserify` will be ignored. For our purposes, this is mostly relevant for `.scss`. Since we don't have anything like code fencing for SCSS, we'll have to consider how to handle our styles separately.
Static files have been added for the Flask build. This includes logos
of each size and variety that we use, and it includes the 3D model JSON
file.
Closes#12427
On an M1 Mac, when running `yarn start`, CPU can spike to 100% CPU, and
sometimes a bunch of `mdworker` instances will get spawned. This seems
to be caused by the file-watching mechanism used in dev to automatically
regenerate the build when something is changed. More specifically, we
are using an older version of `watchify`, which uses an older version of
`chokidar`, which is the package that actually does the watching. v4.0.0
of `watchify` upgrades `chokidar` to v3.x ([1]), which comes with
"massive CPU & RAM consumption improvements" ([2]). After the upgrade,
CPU usage decreases to 20-40%.
[1]: https://github.com/browserify/watchify/blob/master/CHANGELOG.md#400
[2]: https://github.com/paulmillr/chokidar/releases/tag/3.0.0
* Connect ledger via webhid if that option is available
* Explicitly setting preference for webhid
* Use ledgerTransportType enum instead of booleans for ledger live and webhid preferences
* Use single setLEdgerTransport preference methods and property
* Temp
* Lint fix
* Unit test fix
* Remove async keyword from setLedgerTransportPreference function definition in preferences controller
* Fix ledgelive setting toggle logic
* Migrate useLedgerLive preference property to ledgerTransportType
* Use shared constants for ledger transport type enums
* Use constant for ledger usb vendor id
* Use correct property to check if ledgerLive preference is set when deciding whether to ask for webhid connection
* Update eth-ledger-bridge-keyring to v0.9.0
* Only show ledger live transaction helper messages if using ledger live
* Only show ledger live part of tutorial if ledger live setting is on
* Fix ledger related prop type errors
* Explicitly use u2f enum instead of empty string as a transport type; default transport type to webhid if available; use constants for u2f and webhid
* Cleanup
* Wrap ledger webhid device request in try/catch
* Clean up
* Lint fix
* Ensure user can easily connect their ledger wallet when they need to.
* Fix locales
* Fix/improve locales changes
* Remove unused isFirefox property from confirm-transaction-base.container.js
* Disable transaction and message signing confirmation if ledger webhid requires connection
* Ensure translation keys for ledger connection options in settings dropdown can be properly detected by verify-locales
* Drop .component from ledger-instruction-field file name
* Move renderLedgerLiveStep to module scope
* Remove ledgerLive from function and message names in ledger-instruction-field
* Wrap ledger connection logic in ledger-instruction-field in try catch
* Clean up signature-request.component.js
* Check whether the signing address, and not the selected address, is a ledger account in singature-request.container
* Ensure ledger instructions and webhid connection button are shown on signature-request-original signatures
* Improve webhid selection handling in select-ledger-transport-type onChange handler
* Move metamask redux focused ledger selectors to metamask duck
* Lint fix
* Use async await in checkWebHidStatusRef.current
* Remove unnecessary use of ref in ledger-instruction-field.js
* Lint fix
* Remove unnecessary try/catch in ledger-instruction-field.js
* Check if from address, not selected address, is from a ledger account in confirm-approve
* Move findKeyringForAddress to metamask duck
* Fix typo in function name
* Ensure isEqualCaseInsensitive handles possible differences in address casing
* Fix Learn More link size in advanced settings tab
* Update app/scripts/migrations/066.js
Co-authored-by: Mark Stacey <markjstacey@gmail.com>
* Update ui/pages/settings/advanced-tab/advanced-tab.component.test.js
Co-authored-by: Mark Stacey <markjstacey@gmail.com>
* Add jsdoc comments for new selectors
* Use jest.spyOn for mocking navigator in ledger webhid migration tests
* Use LEDGER_TRANSPORT_TYPES values to set proptype of ledgerTransportType
* Use LEDGER_TRANSPORT_TYPES values to set proptype of ledgerTransportType
* Fix font size of link in ledger connection description in advanced settings
* Fix return type in setLedgerTransportPreference comment
* Clean up connectHardware code for webhid connection in actions.js
* Update app/scripts/migrations/066.test.js
Co-authored-by: Mark Stacey <markjstacey@gmail.com>
* Update ui/ducks/metamask/metamask.js
Co-authored-by: Mark Stacey <markjstacey@gmail.com>
* Add migration test for when useLedgerLive is true in a browser that supports webhid
* Lint fix
* Fix inline-link size
Co-authored-by: Mark Stacey <markjstacey@gmail.com>
The npm scripts used to run Mocha scripts have been greatly simplified.
As we transition more tests from Mocha to Jest it was becoming
increasingly difficult to update the CLI arguments to keep all of these
scripts working correctly. This reorganization should make that process
much simpler.
The base Mocha options are in `.mocharc.js` - all except for the target
tests to run. Those are still given via the CLI. There is a second
config file specifically for the `test:unit:lax` tests (i.e. the Mocha
tests that have no coverage requirements) because it requires a change
to the `ignored` configuration property. We can create an additional
configuration file for each test script we add that needs further
configuration changes.
The `test:unit:path` script used to be used to run Mocha tests at a
given path. Now that can be done using `yarn mocha` instead, so this
script has been removed.
The `yarn watch` command has been broken for some time now, so it has
been removed as well. Mocha tests can still be run with a file watcher
using `yarn mocha --watch <path>` or `yarn test:unit:mocha --watch`.
The README has been updated to remove references about the `watch`
command that was removed. I considered explaining the other test
scripts there as well, but they were difficult to explain I will
attempt to update the README after making further simplifications
instead.
`immer` has been updated to v9. This didn't require any changes on our
part; the only breaking changes are to the TypeScript types [1].
The `@reduxjs/toolkit` library has been updated as well, to ensure that
it's using the updated version of Immer internally as well. This update
makes our patch of that package obsolete, as the problematic pattern
that were were patching out is no longer present.
[1]: https://github.com/immerjs/immer/releases/tag/v9.0.0
`immer` has been updated to v9. This didn't require any changes on our
part; the only breaking changes are to the TypeScript types [1].
The `@reduxjs/toolkit` library has been updated as well, to ensure that
it's using the updated version of Immer internally as well. This update
makes our patch of that package obsolete, as the problematic pattern
that were were patching out is no longer present.
[1]: https://github.com/immerjs/immer/releases/tag/v9.0.0
The main `version` field in `package.json` will now include the beta
version (if present) rather than it being passed in via the CLI when
building. The `version` field is now a fully SemVer-compatible version,
with the added restriction that any prerelease portion of the version
must match the format `<build type>.<build version>`.
This brings the build in-line with the future release process we will
be using for the beta version. The plan is for each future release to
enter a "beta phase" where the version would get updated to reflect
that it's a beta, and we would increment this beta version over time as
we update the beta. The manifest gives us a place to store this beta
version. It was also important to replace the automatic minor bump
logic that was being used previously, because the version in beta might
not be a minor bump.
Additionally, the filename logic used for beta builds was updated to
be generic across all build types rather than beta-specific. This will
be useful for Flask builds in the future.
This PR fixes our local unit test package scripts. When the state migration unit tests were migrated to Jest in #12106, it left the `test:unit` script in a broken state, because it didn't tell `mocha` to ignore the state migration tests.
Arguably, that script was already broken, since the most reasonably expectation from its name is that it runs _all_ unit tests. The PR makes it so that it does just that, by means of `concurrently`.
Unfortunately, `concurrently` only outputs errors from child processes once (at the time when they exit, https://github.com/open-cli-tools/concurrently/issues/134). This means that we have to search/navigate the output for this combined script to identify the failure. That said, it's better than the status quo.
* lavamoat - add lavamoat to webapp background
* test:e2e - add delay to resolve failure
* test:e2e - add delay to resolve failure
* build - add a switch for applying lavamoat, currently off for all
* test/e2e - remove delays added for lavamoat
* Revert "test/e2e - remove delays added for lavamoat"
This reverts commit 79c3479f15c072ed362ba1d4f1af41ea11a17d63.
The warnings about use of the unsafe Buffer constructor have been
addressed by package updates and patches.
The updates were:
* `gulp-sourcemaps` was updated from v2 to v3, and was patched to
replace remaining uses of the `Buffer` constructor
* Upstream PR: https://github.com/gulp-sourcemaps/gulp-sourcemaps/pull/388
* The transitive dependency `yazl` was updated from v2.4.3 to v2.5.1
in the lockfile.
* The abandoned packages `combine-source-map` and `inline-source-map`
were patched.
The dependency `caniuse-lite` has been updated using a Yarn resolution,
because it was pinned to a specific version by some dependencies. All
versions requested in our dependency tree are 1.x so this did not
introduce any breaking changes.
This resolves a frequent console warning that shows up during builds,
and when running tests and the linter.
* Jestify migrations/
* Lint exclude migrations from mocha config, and add inclusion to jest config
* Add migration tests to jest config
* Exclude/ignore migration tests
* Set process.env.IN_TEST to true when running tests locally