Skip to content

chore: Bump Snaps and related dependencies#28140

Merged
Mrtenz merged 16 commits intotest/core-pr-8245-testdrivefrom
mrtenz/bump-snaps-packages
Mar 31, 2026
Merged

chore: Bump Snaps and related dependencies#28140
Mrtenz merged 16 commits intotest/core-pr-8245-testdrivefrom
mrtenz/bump-snaps-packages

Conversation

@Mrtenz
Copy link
Copy Markdown
Member

@Mrtenz Mrtenz commented Mar 31, 2026
edited by cursor bot
Loading

Description

Major bump of @metamask/snaps-controllers and related packages. This mainly handles breaking changes, there shouldn't be any changes in functionality. Changes include:

  • Standardisation of action and event names (e.g., GetSnap is now SnapControllerGetSnapAction).
    • Some method names have changes as well (e.g., SnapController:get is now SnapController:getSnap).
  • The JsonSnapsRegistry is now named SnapRegistryController for consistency with other Snap controllers.
    • This includes a migration to copy the previous state to the new controller state.
  • The MultichainRouter is now named MultichainRoutingService.
  • snap_getCurrencyRate and snap_experimentalProviderRequest were removed. These were undocumented and deprecated, and shouldn't be used by any Snaps.

Changelog

CHANGELOG entry: Remove deprecated Snap methods snap_getCurrencyRate and snap_experimentalProviderRequest.

Related issues

Fixes:

Manual testing steps

Feature: my feature name

  Scenario: user [verb for user action]
    Given [describe expected initial app state]

    When user [verb for user action]
    Then [describe expected outcome]

Screenshots/Recordings

Before

After

Pre-merge author checklist

Pre-merge reviewer checklist

  • I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
  • I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

Note

Medium Risk
Broad dependency upgrade with widespread renames of controller/messenger action strings and a persisted-state migration; main risk is runtime breakage if any call sites or stored state keys were missed.

Overview
Updates to @metamask/snaps-controllers (and related packages) are wired through the app, including standardized action/event types and renamed RPC/messenger action strings (e.g. SnapController:get �� SnapController:getSnap).

Renames JsonSnapsRegistry �� SnapRegistryController and MultichainRouter �� MultichainRoutingService across Engine initialization, messengers, and Snap/multichain middleware, and adds migration 129 to move persisted SnapsRegistry state under SnapRegistryController.

Adjusts a few controller inits/tests to match updated upstream APIs (e.g., GatorPermissionsController now uses a config object and no longer relies on isGatorPermissionsFeatureEnabled; BridgeStatusController init stops passing transaction helper fns and instead expands its messenger delegation). Removes deprecated Snap permission snap_experimentalProviderRequest from the allowed method list.

Written by Cursor Bugbot for commit da37ac3. This will update automatically on new commits. Configure here.

@metamaskbot metamaskbot added the team-core-platform Core Platform team label Mar 31, 2026
@socket-security
Copy link
Copy Markdown

socket-security bot commented Mar 31, 2026
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatednpm/​@​metamask/​keyring-internal-api@​10.0.0 ⏵ 10.0.11001007394 +2100
Updatednpm/​@​metamask/​logging-controller@​8.0.0 ⏵ 8.0.11001007394 +2100
Updatednpm/​@​metamask/​multichain-transactions-controller@​7.0.2 ⏵ 7.0.4981007497 +1100
Updatednpm/​@​metamask/​keyring-snap-client@​8.2.0 ⏵ 8.2.1991007594 +3100
Updatednpm/​@​metamask/​accounts-controller@​37.1.0 ⏵ 37.1.1981007798 +1100
Updatednpm/​@​metamask/​snaps-execution-environments@​11.0.1 ⏵ 11.0.299 +110077 +197 +180
Updatednpm/​@​metamask/​signature-controller@​39.1.0 ⏵ 39.1.2981007898 +1100
Updatednpm/​@​metamask/​bridge-status-controller@​70.0.3 ⏵ 70.0.4971007899100
Updatednpm/​@​metamask/​account-tree-controller@​6.0.0 ⏵ 7.0.0981007899 +1100
Updatednpm/​@​metamask/​bridge-controller@​69.2.3 ⏵ 70.0.096 +110079 +199100
Updatednpm/​@​metamask/​multichain-account-service@​8.0.0 ⏵ 8.0.1981007998 +1100
Updatednpm/​@​metamask/​transaction-pay-controller@​19.0.0 ⏵ 19.0.198 +110080 +199 +1100
Updatednpm/​@​metamask/​profile-sync-controller@​28.0.1 ⏵ 28.0.2971008798 +1100
Updatednpm/​@​metamask/​gator-permissions-controller@​2.1.1 ⏵ 3.0.09910087 +198 +1100
Addednpm/​@​metamask/​eth-snap-keyring@​20.0.098100939550

View full report

@socket-security
Copy link
Copy Markdown

socket-security bot commented Mar 31, 2026
edited
Loading

Warning

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action Severity Alert  (click "▶" to expand/collapse)
Warn Low
Potential code anomaly (AI signal): npm @metamask/transaction-controller is 100.0% likely to have a medium risk anomaly

Notes: The code performs straightforward signature verification using ethers.js, returning true when the recovered signer matches the provided publicKey. While generally safe, the silent catch and potential mismatch between data formatting and signing process should be addressed to avoid silent failures. Overall, a benign utility with moderate input-format sensitivity.

Confidence: 1.00

Severity: 0.60

From: ?npm/@metamask/eip-5792-middleware@2.0.0npm/@metamask/transaction-controller@61.3.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/transaction-controller@61.3.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@github-actions github-actions bot added size-L and removed size-S labels Mar 31, 2026
Mrtenz and others added 3 commits March 31, 2026 11:31
@Mrtenz
Handle breaking changes in execution service
19513ec
@Mrtenz
Fix more breaking SnapController changes
9c7d94a
@jeffsmale90 @Mrtenz
Handle breaking changes in gator-permissions-controller
f30068a 
- Removes GATOR_PERMISSIONS_ENABLED
- Presently configured with hardcoded supportedPermissionTypes: []
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Mar 31, 2026

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

@github-actions github-actions bot added size-XL and removed size-L labels Mar 31, 2026
@Mrtenz Mrtenz marked this pull request as ready for review March 31, 2026 11:38
@Mrtenz Mrtenz requested review from a team as code owners March 31, 2026 11:38
@Mrtenz Mrtenz requested a review from a team as a code owner March 31, 2026 11:38
cursor[bot]
cursor bot reviewed Mar 31, 2026
View reviewed changes
cursor[bot]
cursor bot reviewed Mar 31, 2026
View reviewed changes
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Mar 31, 2026

🔍 Smart E2E Test Selection

⏭️ Smart E2E selection skipped - base branch is not main or a release branch (base: test/core-pr-8245-testdrive)

All E2E tests pre-selected.

View GitHub Actions results

cursor[bot]
cursor bot reviewed Mar 31, 2026
View reviewed changes
Copy link
Copy Markdown

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.

app/core/Engine/controllers/gator-permissions-controller/gator-permissions-controller-init.ts
},
messenger: controllerMessenger,
config: createGatorPermissionsConfig(),
state: persistedState.GatorPermissionsController,
Copy link
Copy Markdown

@cursor cursor bot Mar 31, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing state migration for GatorPermissionsController schema change

Medium Severity

The GatorPermissionsController state schema changed completely (old: gatorPermissionsMapSerialized, gatorPermissionsProviderSnapId, isGatorPermissionsEnabled; new: grantedPermissions, lastSyncedTimestamp, pendingRevocations), but no migration was added to handle this. The old init code explicitly merged defaults with persisted state via generateDefaultGatorPermissionsControllerState(), but the new code passes persistedState.GatorPermissionsController directly to the constructor. On upgrade, existing users will have old-format state passed to the v3.0.0 controller. A migration was added for the SnapsRegistrySnapRegistryController key rename, but the analogous GatorPermissionsController internal state shape change was not addressed.

Additional Locations (1)
Fix in Cursor Fix in Web

@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Mar 31, 2026

E2E Fixture Validation — Schema is up to date
17 value mismatches detected (expected — fixture represents an existing user).
View details

@sonarqubecloud
Copy link
Copy Markdown

sonarqubecloud bot commented Mar 31, 2026

Quality Gate Passed Quality Gate passed

Issues
3 New issues
0 Accepted issues

Measures
0 Security Hotspots
82.5% Coverage on New Code
1.6% Duplication on New Code

See analysis details on SonarQube Cloud

@Mrtenz Mrtenz merged commit 30b93b5 into test/core-pr-8245-testdrive Mar 31, 2026
182 of 193 checks passed
@Mrtenz Mrtenz deleted the mrtenz/bump-snaps-packages branch March 31, 2026 13:01
@github-actions github-actions bot locked and limited conversation to collaborators Mar 31, 2026
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

Assignees

No one assigned

Labels

size-XL team-core-platform Core Platform team

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Mrtenz @metamaskbot @jeffsmale90