feat: solana wallet standard e2e #16136

Open
wants to merge 9 commits into
base: main

@baptiste-marchand (Contributor) commented Jun 5, 2025

Description

Adds E2E tests for Solana Wallet Standard following #15707

Related issues

Extension PR: MetaMask/metamask-extension#31989

Manual testing steps

  1. In one terminal, run `yarn setup:e2e && yarn setup && yarn watch`
  2. In another terminal, run `MULTICHAIN=1 yarn test:e2e:ios:debug:build`
  3. Then in this second terminal: `MULTICHAIN=1 yarn test:e2e:ios:debug:run e2e/specs/multichain/solana-wallet-standard/connect.spec.ts` to run the connect.spec.ts test

Screenshots/Recordings

Before

After

Pre-merge author checklist

Pre-merge reviewer checklist

  • I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
  • I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

github-actions bot (Contributor) commented Jun 5, 2025

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

@baptiste-marchand force-pushed the feat/solana-wallet-standard-e2e branch from 191b546 to 92fb423 on June 5, 2025 14:20

socket-security bot commented Jun 5, 2025

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action Severity Alert
Block High
npm/bigint-buffer@1.1.5 has a High CVE.

CVE: GHSA-3gc7-fjrx-p6mg bigint-buffer Vulnerable to Buffer Overflow via toBigIntLE() Function (HIGH)

Affected versions: <= 1.1.5

Patched version: No patched versions

From: yarn.lock → npm/bigint-buffer@1.1.5

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/bigint-buffer@1.1.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
npm/@metamask/test-dapp-solana@0.3.1 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: package.json → npm/@metamask/test-dapp-solana@0.3.1

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/test-dapp-solana@0.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
npm/@reown/appkit-controllers@1.7.2 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: yarn.lock → npm/@reown/appkit-controllers@1.7.2

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@reown/appkit-controllers@1.7.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
npm/@solana/kit@2.1.1 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: yarn.lock → npm/@solana/kit@2.1.1

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@solana/kit@2.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
npm/@solana/rpc-transport-http@2.1.1 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: yarn.lock → npm/@solana/rpc-transport-http@2.1.1

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@solana/rpc-transport-http@2.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
npm/@solana/web3.js@1.98.2 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: yarn.lock → npm/@solana/web3.js@1.98.2

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@solana/web3.js@1.98.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
npm/@stellar/stellar-sdk@13.3.0 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: yarn.lock → npm/@stellar/stellar-sdk@13.3.0

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@stellar/stellar-sdk@13.3.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
npm/@toruslabs/base-controllers@5.11.0 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: yarn.lock → npm/@toruslabs/base-controllers@5.11.0

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@toruslabs/base-controllers@5.11.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
npm/@toruslabs/broadcast-channel@10.0.2 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: yarn.lock → npm/@toruslabs/broadcast-channel@10.0.2

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@toruslabs/broadcast-channel@10.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
npm/@toruslabs/http-helpers@6.1.1 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: yarn.lock → npm/@toruslabs/http-helpers@6.1.1

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@toruslabs/http-helpers@6.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
npm/@toruslabs/metadata-helpers@5.1.0 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: yarn.lock → npm/@toruslabs/metadata-helpers@5.1.0

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@toruslabs/metadata-helpers@5.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
npm/@toruslabs/solana-embed@2.1.0 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: yarn.lock → npm/@toruslabs/solana-embed@2.1.0

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@toruslabs/solana-embed@2.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
npm/@trezor/analytics@1.3.5 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: yarn.lock → npm/@trezor/analytics@1.3.5

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@trezor/analytics@1.3.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

See 40 more rows in the dashboard

@baptiste-marchand added the No QA Needed (Apply this label when your PR does not need any QA effort.) and Run Smoke E2E (Requires smoke E2E testing) labels Jun 5, 2025

github-actions bot (Contributor) commented Jun 5, 2025

❌❌❌ pr_smoke_e2e_pipeline failed on Bitrise! ❌❌❌

Commit hash: 92fb423
Build link: https://app.bitrise.io/app/be69d4368ee7e86d/pipelines/cd9ac0ee-01f3-464a-8827-015e0d68a2cf

Note

  • You can kick off another pr_smoke_e2e_pipeline on Bitrise by removing and re-applying the Run Smoke E2E label on the pull request

Tip

  • Check the documentation if you have any doubts on how to understand the failure on bitrise

@baptiste-marchand added the team-wallet-standard (Team responsible of the MetaMask Wallet Standard implementation) label Jun 5, 2025
@baptiste-marchand marked this pull request as ready for review June 5, 2025 14:31
@baptiste-marchand force-pushed the feat/solana-wallet-standard-e2e branch from f9eb79a to 1a431d9 on June 5, 2025 14:37
@baptiste-marchand requested a review from a team as a code owner June 5, 2025 15:17

sonarqubecloud bot commented Jun 6, 2025
