feat: migrate snap-simple-keyring by ccharly · Pull Request #573 · MetaMask/accounts

ccharly · 2026-06-17T14:16:44Z

Adding the snap-simple-keyring repo with git subtree (so we keep the commit references and git tags as well).

Also adapting the config files to match what we have on this monorepo.

None of the code has changed.

Feat/remove account

Update to 0 32 0

* 2.0.0 * update changelog * snap: bump manifest to v2.0.0 and update shasum for CI clean tree * chore(changelog): remove Uncategorized sections and format for RC validation * Update packages/site/CHANGELOG.md Co-authored-by: Maarten Zuidhoorn <maarten@zuidhoorn.com> * Update packages/site/CHANGELOG.md Co-authored-by: Maarten Zuidhoorn <maarten@zuidhoorn.com> * Update packages/snap/CHANGELOG.md Co-authored-by: Charly Chevalier <charly.chevalier@consensys.net> --------- Co-authored-by: github-actions <github-actions@github.com> Co-authored-by: seaona <mariona@gmx.es> Co-authored-by: seaona <54408225+seaona@users.noreply.github.com> Co-authored-by: Maarten Zuidhoorn <maarten@zuidhoorn.com> Co-authored-by: Charly Chevalier <charly.chevalier@consensys.net>

* chore: bump accounts dependencies * build: workaround webpack build issue * build: snap.manifest.json * chore: lint * chore: revert snaps-sdk update

* chore: bump snaps SDK * chore: update shasum

* 2.1.0 * fix: fix changelogs * fix: update manifest * fix: remove wrong changelog entry * fix: update snap changelog * fix: formatting * fix: change to patch release * fix: update shasum * fix: package version --------- Co-authored-by: github-actions <github-actions@github.com> Co-authored-by: Hassan Malik <hbmalik88@gmail.com>

* feat: update snap with missing methods * chore: update manifest * chore: add changelog entry

* 2.0.2 * fix: update changelog * fix: update manifest version * fix: update shasum * fix: change to minor release * fix: update shasum --------- Co-authored-by: github-actions <github-actions@github.com> Co-authored-by: Hassan Malik <hbmalik88@gmail.com>

* feat: update changelog to prep release * chore: add pr number

* 2.1.1 * chore: update changelog * fix: remove redundant entry --------- Co-authored-by: github-actions <github-actions@github.com> Co-authored-by: Hassan Malik <hbmalik88@gmail.com>

socket-security · 2026-06-17T14:17:44Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality
	eslint@8.57.1
	@types/react-helmet@6.1.11
	@typescript-eslint/parser@5.62.0
	eslint-config-prettier@8.10.2
	@types/styled-components@5.1.36
	@metamask/eslint-config-jest@12.1.0
	react-scripts@5.0.1
	@metamask/snaps-cli@6.7.0
	raw-loader@4.0.2
	react-helmet@6.1.0
	gatsby-plugin-svgr@3.0.0-beta.0
	@metamask/snaps-sdk@11.0.0 ⏵ 11.1.1	⁺²		⁺¹
	@typescript-eslint/eslint-plugin@5.62.0
	@types/react@18.3.31
	gatsby-plugin-webfonts@2.3.2
	deepmerge@4.2.2 ⏵ 4.3.1	⁺¹
	@svgr/webpack@6.5.1
	react-icons@4.12.0
	lodash@4.17.21 ⏵ 4.18.1	⁺¹	⁺¹⁹	⁺¹
	@emotion/styled@11.14.1
	webpack@5.107.2
	cross-env@7.0.3
	@emotion/react@11.14.0
	@metamask/eslint-config@12.2.0
	rimraf@4.4.1
	gatsby@5.16.1
	gatsby-plugin-styled-components@6.16.0
	@metamask/eslint-config-nodejs@12.1.0
	eslint-plugin-import@2.32.0
	@metamask/eslint-config-typescript@12.1.0
	eslint-plugin-promise@6.6.0
	crypto-browserify@3.12.1
	@metamask/eth-sig-util@7.0.3
See 16 more rows in the dashboard

View full report

socket-security · 2026-06-17T14:17:46Z

Caution

MetaMask internal reviewing guidelines:

Do not ignore-all
Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
@SocketSecurity ignore npm/PACKAGE@VERSION

Action	Severity	Alert (click "▶" to expand/collapse)
Block		Obfuscated code: npm `@pnpm/network.ca-file` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: `?` → `npm/gatsby@5.16.1` → `npm/@pnpm/network.ca-file@1.0.2` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@pnpm/network.ca-file@1.0.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Obfuscated code: npm `@surma/rollup-plugin-off-main-thread` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: `?` → `npm/react-scripts@5.0.1` → `npm/@surma/rollup-plugin-off-main-thread@2.2.3` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@surma/rollup-plugin-off-main-thread@2.2.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Obfuscated code: npm `css-minimizer-webpack-plugin` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: `?` → `npm/gatsby@5.16.1` → `npm/css-minimizer-webpack-plugin@2.0.0` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/css-minimizer-webpack-plugin@2.0.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Obfuscated code: npm `cssom` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: `?` → `npm/react-scripts@5.0.1` → `npm/eslint-plugin-jest@27.9.0` → `npm/cssom@0.4.4` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/cssom@0.4.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Obfuscated code: npm `damerau-levenshtein` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: `?` → `npm/gatsby@5.16.1` → `npm/react-scripts@5.0.1` → `npm/damerau-levenshtein@1.0.8` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/damerau-levenshtein@1.0.8`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Obfuscated code: npm `diff-sequences` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: `?` → `npm/react-scripts@5.0.1` → `npm/eslint-plugin-jest@27.9.0` → `npm/diff-sequences@27.5.1` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/diff-sequences@27.5.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Obfuscated code: npm `es-abstract` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: `?` → `npm/gatsby@5.16.1` → `npm/eslint-import-resolver-typescript@3.7.0` → `npm/react-scripts@5.0.1` → `npm/eslint-plugin-import@2.32.0` → `npm/es-abstract@1.24.2` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/es-abstract@1.24.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Protestware or unwanted behavior: npm `es5-ext` Note: The script attempts to run a local post-install script, which could potentially contain malicious code. The error handling suggests that it is designed to fail silently, which is a common tactic in malicious scripts. From: `?` → `npm/gatsby@5.16.1` → `npm/es5-ext@0.10.64` ℹ Read more on: This package \| This alert \| What is protestware? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Consider that consuming this package may come along with functionality unrelated to its primary purpose. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/es5-ext@0.10.64`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Obfuscated code: npm `eslint-plugin-jest` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: `?` → `npm/react-scripts@5.0.1` → `npm/eslint-plugin-jest@25.7.0` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/eslint-plugin-jest@25.7.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Obfuscated code: npm `eslint-plugin-react` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: `?` → `npm/gatsby@5.16.1` → `npm/react-scripts@5.0.1` → `npm/eslint-plugin-react@7.37.5` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/eslint-plugin-react@7.37.5`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Obfuscated code: npm `fast-xml-parser` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: `?` → `npm/@metamask/snaps-cli@6.7.0` → `npm/fast-xml-parser@4.5.6` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/fast-xml-parser@4.5.6`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Obfuscated code: npm `gatsby` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: packages/snaps/simple-keyring/packages/site/package.json → `npm/gatsby@5.16.1` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/gatsby@5.16.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Obfuscated code: npm `hash-wasm` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: `?` → `npm/gatsby-plugin-manifest@5.16.0` → `npm/gatsby@5.16.1` → `npm/hash-wasm@4.12.0` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/hash-wasm@4.12.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Obfuscated code: npm `js-yaml` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: `?` → `npm/eslint@9.39.4` → `npm/eslint@8.57.1` → `npm/@metamask/snaps-cli@6.7.0` → `npm/react-scripts@5.0.1` → `npm/js-yaml@4.2.0` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/js-yaml@4.2.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Obfuscated code: npm `node-forge` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: `?` → `npm/gatsby@5.16.1` → `npm/react-scripts@5.0.1` → `npm/node-forge@1.4.0` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/node-forge@1.4.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		High CVE: npm `path-to-regexp` vulnerable to Regular Expression Denial of Service via multiple route parameters CVE: GHSA-37ch-88jc-xwx2 path-to-regexp vulnerable to Regular Expression Denial of Service via multiple route parameters (HIGH) Affected versions: < 0.1.13 Patched version: 0.1.13 From: `?` → `npm/gatsby@5.16.1` → `npm/path-to-regexp@0.1.12` ℹ Read more on: This package \| This alert \| What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/path-to-regexp@0.1.12`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Publisher changed: npm `postcss-selector-parser` is now published by moox Author: moox From: `?` → `npm/gatsby@5.16.1` → `npm/react-scripts@5.0.1` → `npm/gatsby-plugin-webfonts@2.3.2` → `npm/postcss-selector-parser@6.1.4` ℹ Read more on: This package \| This alert \| What is unstable ownership? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/postcss-selector-parser@6.1.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Publisher changed: npm `postcss-selector-parser` is now published by moox Author: moox From: `?` → `npm/gatsby@5.16.1` → `npm/react-scripts@5.0.1` → `npm/postcss-selector-parser@7.1.4` ℹ Read more on: This package \| This alert \| What is unstable ownership? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/postcss-selector-parser@7.1.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Obfuscated code: npm `rollup` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: `?` → `npm/react-scripts@5.0.1` → `npm/rollup@2.80.0` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/rollup@2.80.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Obfuscated code: npm `webpack` is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: packages/snaps/simple-keyring/packages/site/package.json → `npm/webpack@5.107.2` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/webpack@5.107.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		System shell access: npm `@ardatan/relay-compiler` in module child_process Module: child_process Location: Package overview From: `?` → `npm/gatsby@5.16.1` → `npm/@ardatan/relay-compiler@12.0.0` ℹ Read more on: This package \| This alert \| What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@ardatan/relay-compiler@12.0.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		System shell access: npm `@expo/devcert` in module child_process Module: child_process Location: Package overview From: `?` → `npm/gatsby@5.16.1` → `npm/@expo/devcert@1.2.1` ℹ Read more on: This package \| This alert \| What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@expo/devcert@1.2.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		System shell access: npm `@expo/sudo-prompt` in module child_process Module: child_process Location: Package overview From: `?` → `npm/gatsby@5.16.1` → `npm/@expo/sudo-prompt@9.3.2` ℹ Read more on: This package \| This alert \| What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@expo/sudo-prompt@9.3.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Potential security risk (AI signal): npm `@lavamoat/allow-scripts` Notes: undefined Confidence: undefined Severity: undefined From: packages/snaps/simple-keyring/packages/snap/package.json → `npm/@lavamoat/allow-scripts@2.5.1` ℹ Read more on: This package \| This alert \| What are AI-detected potential security risks? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: An AI system identified potential security problems in this package. It is advised to review the package thoroughly and assess the potential risks before installation. You may also consider reporting the issue to the package maintainer or seeking alternative solutions with a stronger security posture. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@lavamoat/allow-scripts@2.5.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		System shell access: npm `@lavamoat/allow-scripts` in module child_process Module: child_process Location: Package overview From: packages/snaps/simple-keyring/packages/snap/package.json → `npm/@lavamoat/allow-scripts@2.5.1` ℹ Read more on: This package \| This alert \| What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@lavamoat/allow-scripts@2.5.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@metamask/snaps-cli` in module http Module: http Location: Package overview From: packages/snaps/simple-keyring/packages/snap/package.json → `npm/@metamask/snaps-cli@6.7.0` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@metamask/snaps-cli@6.7.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		System shell access: npm `@parcel/package-manager` in module child_process Module: child_process Location: Package overview From: `?` → `npm/gatsby@5.16.1` → `npm/@parcel/package-manager@2.8.3` ℹ Read more on: This package \| This alert \| What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@parcel/package-manager@2.8.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
See 346 more rows in the dashboard

View full report

…a39efda54887736241309'

…packages/snaps/simple-keyring Post-subtree adjustments to fit the accounts monorepo conventions: - Remove .yarnrc.yml (conflicts with accounts root Yarn 4 config) - Remove yarn.lock (Yarn 3 format causes workspace resolution failures) - Remove packageManager fields (accounts root manages Yarn 4) - Remove resolutions block (local patches not present here) - Update homepage/bugs/repository URLs to MetaMask/accounts - Update DAPP_ORIGIN_PRODUCTION to new gh-pages URL - Update build:snaps script in root package.json - Add workspace globs for packages/snaps/* to root package.json - Rewrite wrapper package.json to umbrella shape with installConfig.hoistingLimits - Refresh snap.manifest.json shasum and platformVersion via mm-snap build Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

…aths for snap workspace deps - Add build:snaps:deps to root package.json that builds keyring-utils, keyring-api, and keyring-snap-sdk in topological order before the snap - Update build:snaps to call build:snaps:deps first so mm-snap's webpack bundler can resolve workspace packages without a prior full build - Add @metamask/* paths to simple-keyring tsconfig.json so tsc resolves workspace packages to their source (../../*/src) rather than dist/, enabling type-checking on a fresh checkout without building deps first Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

- Remove icon from gatsby-plugin-manifest to avoid sharp native binary, which cannot run its install script in the monorepo's isolated node_modules (lavamoat allow-scripts only scans root node_modules) - Add raw-loader to site devDependencies; gatsby-plugin-webfonts@2.3.2 uses it via inline loader syntax but does not declare it as a dependency. Added to .depcheckrc.json ignores because depcheck cannot detect usage through webpack inline loader syntax (require('raw-loader!...')). - Add @metamask/keyring-snap-client to build:snaps:deps; the site depends on it and webpack fails to resolve it if its dist/ doesn't exist Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Snap packages migrated from their standalone repo carry older dep versions and a different package layout. Skip all constraint checks for them via SNAP_PACKAGES and suppress version inconsistency violations via ALLOWED_INCONSISTENT_DEPENDENCIES until a follow-up aligns them with monorepo conventions. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Snap packages carry older tooling (ESLint v8, Prettier v2) and different configs that are incompatible with the monorepo's current setup. Exclude packages/snaps/** from ESLint and oxfmt until a follow-up aligns them. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Remove files that only make sense in the standalone repo context: - .github/ (CI workflows, CODEOWNERS — replaced by accounts repo CI) - .editorconfig, .gitattributes, .nvmrc (standalone dev config) - .yarn/releases, .yarn/plugins (standalone Yarn 3 runtime) .yarn/patches/ is kept — patches are applied per-workspace during yarn install and must be preserved. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

The changelog-check script in github-tools iterates workspace patterns in order and returns the first match. With "packages/*" listed first, files under packages/snaps/simple-keyring/ resolve to the phantom "packages/snaps" package (which has no package.json), causing the CI check to fail. Listing more specific patterns first ensures files under packages/snaps/ correctly resolve to their actual package, which is marked private and is therefore skipped by the changelog check. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

montelaidev and others added 30 commits April 3, 2023 15:38

remove dep

6b305d1

remove ethers form accountManagement

fb6b5ce

fix type 2 transactions

51e998c

fix comment

17fd682

remove keys

3920b93

Merge pull request #3 from MetaMask/feat/remove-account

7f85bca

Feat/remove account

fix chain id

a33605e

chore: rename methods and remove more logic from UI

4484f4e

feat: display account addresses

872840b

fix nodemon

6bdfcec

fix handleApproveRequest

6f69c43

refactor into keyring class

de91192

chore: start dev of wrapper

4bddb9c

wip: list accounts

f1919e9

wip: start implementation on snap side

de62377

use latest snap version

a0d5cb3

Update yarn.lock + dedupe ethereumjs packages

8c90c3c

update code owners

52387f4

Merge pull request #5 from MetaMask/update-to-0-32-0

ea4ad5b

Update to 0 32 0

fix unused chainOpts

8d7d8ec

Merge branch 'fix-unused-chainOpts' into feat/api-wrapper

99c7eee

Add material UI module

3b458c1

Update Card component style

7449332

WIP: Update main page

a1ead33

Move styled components to new file

8d76110

Add react-icons and remove material UI

94843e8

Add AccountList component

39d5b9b

Update Card component

fd2661a

Update title

ab4cb3d

Add styled components

df612b7

github-actions Bot and others added 11 commits October 2, 2025 16:31

chore: bump accounts dependencies (#169)

f65dabc

* chore: bump accounts dependencies * build: workaround webpack build issue * build: snap.manifest.json * chore: lint * chore: revert snaps-sdk update

chore: bump snaps SDK (#171)

95d6206

* chore: bump snaps SDK * chore: update shasum

chore: use new font Geist (#172)

e7153e5

chore: bump deps (#173)

32d7c0f

feat: add missing methods (#176)

947d53f

* feat: update snap with missing methods * chore: update manifest * chore: add changelog entry

2.1.0 (#177)

dc09b4b

* 2.0.2 * fix: update changelog * fix: update manifest version * fix: update shasum * fix: change to minor release * fix: update shasum --------- Co-authored-by: github-actions <github-actions@github.com> Co-authored-by: Hassan Malik <hbmalik88@gmail.com>

feat: update changelog to prep release (#178)

2689610

* feat: update changelog to prep release * chore: add pr number

chore: add comment explaining package versions (#179)

ae8dff7

2.1.1 (#180)

6793b2d

* 2.1.1 * chore: update changelog * fix: remove redundant entry --------- Co-authored-by: github-actions <github-actions@github.com> Co-authored-by: Hassan Malik <hbmalik88@gmail.com>

ccharly force-pushed the cc/feat/snaps-snap-simple-keyring branch from 4b06d54 to 82a05c6 Compare June 22, 2026 09:37

github-advanced-security AI found potential problems Jun 22, 2026

View reviewed changes

ccharly force-pushed the cc/feat/snaps-snap-simple-keyring branch 2 times, most recently from b05e3b9 to 610b734 Compare June 22, 2026 10:35

Add 'packages/snaps/simple-keyring/' from commit '6793b2d4159d20525f2…

a76169d

…a39efda54887736241309'

ccharly force-pushed the cc/feat/snaps-snap-simple-keyring branch 2 times, most recently from cf57e6b to 0ea97a5 Compare June 22, 2026 11:47

ccharly and others added 9 commits June 22, 2026 14:55

chore: dedupe yarn.lock after snap migration

5978496

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

docs: update README with snap-simple-keyring packages

c631ed6

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

ccharly force-pushed the cc/feat/snaps-snap-simple-keyring branch from 0ea97a5 to c631ed6 Compare June 22, 2026 13:04

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat: migrate snap-simple-keyring#573

feat: migrate snap-simple-keyring#573
ccharly wants to merge 279 commits into
mainfrom
cc/feat/snaps-snap-simple-keyring

ccharly commented Jun 17, 2026

Uh oh!

socket-security Bot commented Jun 17, 2026 •

edited

Loading

Uh oh!

socket-security Bot commented Jun 17, 2026 •

edited

Loading

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

15 participants

Uh oh!

Conversation

ccharly commented Jun 17, 2026

Uh oh!

socket-security Bot commented Jun 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

socket-security Bot commented Jun 17, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

15 participants

socket-security Bot commented Jun 17, 2026 •

edited

Loading

socket-security Bot commented Jun 17, 2026 •

edited

Loading