feat: update to keyring v2#606
Conversation
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
|
All alerts resolved. Learn more about Socket for GitHub. This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored. Ignoring alerts on:
|
|
@SocketSecurity ignore npm/ses@1.15.0 |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
Reviewed by Cursor Bugbot for commit 0bcdc72. Configure here.
|
ccharly
left a comment
ccharly
left a comment
There was a problem hiding this comment.
LGTM for v2!
One thing though, I wonder if we should really expose exportAccount for hexadecimal, it seems base58 is the way to go for Solana.
We could keep it if we wish to export them in "raw format", but I would strip the 0x prefix then (I'm not sure this is commonly used outside of Ethereum, but I could be wrong about that 😄)
2 participants
Summary
Migrates the Solana snap to the v2 Keyring API and declares the corresponding capabilities in the manifest. Also fixes a latent test-isolation bug surfaced while validating the migration.
getAccountsandexportAccount(base58/hex) onSolanaKeyring;getAccountnow throws on missing IDs instead of returningundefinedSnapErrorhandleKeyringRequestto the v2 dispatcher (@metamask/keyring-snap-sdk/v2)endowment:keyring.capabilitiestosnap.manifest.json@metamask/snaps-sdk→ 11.1.1,snaps-cli→ 8.4.1,snaps-jest→ 10.1.3,keyring-snap-sdk→ 9.0.1, and updates the rootresolutionsto match;snaps-utilsresolves to 12.2.0 which is required to validate the new manifest fieldmoduleResolution: "bundler"inpackages/snap/tsconfig.jsonso v2 subpath types resolve correctlyjest --runInBandfailure: replaces an incompletejest.mock('@noble/ed25519', ...)inindex.test.tswithjest.mock('./polyfills', ...). The previous mock was captured by the ed25519 polyfill's closure when it patchedglobalThis.crypto.subtle, leaking into other test files via shared global state under--runInBandNote
High Risk
Adds private-key export and changes keyring error/lookup contracts (breaking getAccount), which are security- and integration-sensitive despite being gated by manifest capabilities and permissions.
Overview
Migrates the Solana wallet snap to Keyring API v2:
SolanaKeyringnow implementsKeyringRpc, keyring traffic goes throughhandleKeyringRequestfrom@metamask/keyring-snap-sdk/v2, and origin permissions use v2 RPC method names (includingExportAccountfor MetaMask).New / changed keyring behavior: Adds
getAccounts(delegates tolistAccounts) andexportAccount(64-byte Solana secret key as base58 or hex, derived on demand).getAccountis breaking—it always returns an account or throws instead ofundefined. Public keyring paths consistently surface failures as a singleSnapError.Manifest & platform: Declares
endowment:keyring.capabilities(Solana scopes, private-key export formats, BIP-44 derive/discover) and bumpsplatformVersion/ dependency stack (@metamask/snaps-sdk11.1.1,keyring-api23,keyring-snap-sdk9, updated lockfile). SnaptsconfigusesmoduleResolution: "bundler"for v2 subpath types.Tests: Extends
Keyringtests for v2 behavior and export; fixesindex.test.tsisolation under--runInBandby mocking./polyfillsinstead of partially mocking@noble/ed25519(avoids leakingcrypto.subtlepatches).Reviewed by Cursor Bugbot for commit de19867. Bugbot is set up for automated code reviews on this repo. Configure here.