@metamaskbot
Collaborator

📦 🚀

kumavis and others added 15 commits May 3, 2022 13:39
This is a rollback release to v10.13.0

This version includes a build system fix that ensures our builds are
deterministic.

This version is equivalent to v10.14.2. This release is just intended
to fix build configuration issues.

An externally hosted phishing warning page is now used rather than the
built-in phishing warning page. The phishing page warning URL is set via
configuration file or environment variable. The default URL is either
the expected production URL or `http://localhost:9999/` for e2e testing
environments.

The new external phishing page includes a design change when it is
loaded within an iframe. In that case it now shows a condensed message,
and prompts the user to open the full warning page in a new tab to see
more details or bypass the warning. This is to prevent a clickjacking
attack from safelisting a site without user consent.

The new external phishing page also includes a simple caching service
worker to ensure it continues to work offline (or if our hosting goes
offline), as long as the user has successfully loaded the page at least
once. We also load the page temporarily during the extension startup
process to trigger the service worker installation.

The old phishing page and all related lines have been removed. The
property `web_accessible_resources` has also been removed from the
manifest. The only entry apart from the phishing page was `inpage.js`,
and we don't need that to be web accessible anymore because we inject
the script inline into each page rather than loading the file directly.

New e2e tests have been added to cover more phishing warning page
functionality, including the "safelist" action and the "iframe" case.

* Create `.zip` files deterministically

Our build system now creates `.zip` archives deterministically.
Previously the `.zip` file would differ between builds even when the
files being archived were identical. This was because the order the
files were passed in was non-deterministic, and the `mtime` for each
file was different between builds.

The files are now sorted before being zipped, and the `mtime` for each
file has been set to the unix epoch.


* Update lavamoat build policy

Two CI validation errors have been fixed:
* A duplicate entry has been removed from the lockfile
* `@metamask/phishing-warning` has been added to the depcheck config,
so that it knows that dependency is being used (in e2e tests)

The e2e tests have been updated for `@metamask/phishing-warning@1.1.0`.
The iframe case was updated with a new design, which required test
changes. The third test that was meant to ensure the phishing page
can't redirect to an extension page has been updated to navigate
directly to the phishing warning page and to set the URL manually via
query parameters, as that was the only way to test that redirect.

The phishing warning page URL environment variable has been renamed
from `PHISHING_PAGE_URL` to `PHISHING_WARNING_PAGE_URL`. We call this
page the "phishing warning page" everywhere else, and this name seemed
better suited (it's not a phishing page itself).

The variable has been listed and documented in `.metamaskrc.dist` as
well.

In this release, the phishing warning page is extracted to an external
site.

A patch has been added to ensure lavapack no longer includes the path
for each module as part of each serialized module. This path was
originally added for debugging purposes, and is not used for anything
at runtime. The module path was an absolute path, not a relative one,
so it was an obstacle to having reproducible builds between
environments.

This release includes another change to make the builds reproducible
between different environments.

* origin/master: (101 commits)
  Updating changelog
  Add token standard to custom token details (#14506)
  Revert "Dark Mode: What's New Announcement (#14346)"
  Ensure network name in confirm page container is defined (#14520)
  Updating lavamoat policies
  Fix the alerts toggles in settings (#14498)
  Disable swaps whenever the environment is not development or testing, so that behaviour follows production for QA purposes (#14499)
  [skip e2e] Updating changelog for v10.14.0 (#14487)
  Version v10.14.0
  Docs - segment metrics (#14435)
  Add snaps view search (#14419)
  Run main, flask and beta in sequence in generate-lavamoat-policies.sh (#14470)
  Modify import SRP page (#14425)
  Dark Mode: Implement Metrics (#14455)
  HoldToRevealButton component (#13785)
  e2e test import json file as import account strategy (#14449)
  MetaMetrics: Identify 'number_of_tokens' user trait (#14427)
  MetaMetrics: Identify 'nft_autodetection_enabled' &  'opensea_api_enabled' (#14367)
  Swaps: Sort "token_from" dropdown tokens by their fiat value first and "token_to" by top tokens (#14436)
  Update segment instantiation check. Only check if SEGMENT_WRITE_KEY exists (#14407)
  ...
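The deterministic `.zip` commit message above describes the fix as sorting the file list and pinning each entry's `mtime`. The following is an added example, not the project's gulp build code: a Python stand-in that archives a constructed two-file bundle the old way and the fixed way, and checks reproducibility by comparing archive hashes. It assumes the ZIP container, whose DOS timestamps start at 1980-01-01, so an epoch `mtime` is represented by that earliest value.

```python
import hashlib
import io
import time
import zipfile

# Constructed sample bundle: identical files handed to the archiver in two
# different orders, as a non-deterministic file walk might produce them.
BUILD_A = {"manifest.json": b'{"name": "ext"}', "inpage.js": b"console.log(1)"}
BUILD_B = {"inpage.js": b"console.log(1)", "manifest.json": b'{"name": "ext"}'}

# ZIP entries carry DOS timestamps, which start at 1980-01-01; an mtime of
# the unix epoch gets clamped to this, so it is the fixed value used here.
FIXED_DATE_TIME = (1980, 1, 1, 0, 0, 0)


def build_zip(files, deterministic):
    """Archive `files` (name -> bytes) in memory and return the zip bytes.

    deterministic=False: entries in the order given, stamped with the
    wall-clock time, so both input order and build time leak into the bytes.
    deterministic=True: sorted names, fixed mtime, and fixed per-entry
    metadata (mode bits, compression method), so only content matters.
    """
    names = sorted(files) if deterministic else list(files)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in names:
            if deterministic:
                info = zipfile.ZipInfo(name, date_time=FIXED_DATE_TIME)
                info.external_attr = 0o644 << 16  # constant unix mode bits
            else:
                info = zipfile.ZipInfo(name, date_time=time.localtime()[:6])
            info.compress_type = zipfile.ZIP_DEFLATED
            zf.writestr(info, files[name])
    return buf.getvalue()


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def entry_names(zip_bytes):
    """Entry names in archive order, for inspecting the result."""
    return zipfile.ZipFile(io.BytesIO(zip_bytes)).namelist()


def builds_reproducible(build_fn, inputs):
    """True when every input yields a byte-identical archive (one distinct hash)."""
    return len({sha256(build_fn(i)) for i in inputs}) == 1
```

Comparing the SHA-256 of archives produced on two machines (or from two file orderings) is the same check a release verifier would run against a published build.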

Check warning (Code scanning / CodeQL): Inclusion of functionality from an untrusted source. Iframe loaded using unencrypted connection.
@github-actions
Contributor

github-actions bot commented Jun 2, 2022

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

@Gudahtt Gudahtt force-pushed the Version-v10.14.7 branch from c41cfb5 to cf5db65 June 2, 2022 21:10
@Gudahtt Gudahtt marked this pull request as ready for review June 2, 2022 21:29
@Gudahtt Gudahtt requested review from a team and kumavis as code owners June 2, 2022 21:29
@Gudahtt Gudahtt requested a review from danjm June 2, 2022 21:29
@metamaskbot
Collaborator Author

Builds ready [cf5db65]
Page Load Metrics (1381 ± 90 ms)

| Platform | Page | Metric | Min (ms) | Max (ms) | Average (ms) | StandardDeviation (ms) | MarginOfError (ms) |
|---|---|---|---|---|---|---|---|
| Chrome | Home | firstPaint | 88 | 1668 | 197 | 339 | 163 |
| Chrome | Home | domContentLoaded | 1182 | 1755 | 1379 | 186 | 89 |
| Chrome | Home | load | 1182 | 1755 | 1381 | 187 | 90 |
| Chrome | Home | domInteractive | 1182 | 1755 | 1379 | 186 | 89 |

highlights:

storybook

@Gudahtt
Member

Gudahtt commented Jun 2, 2022

The yarn audit failure is on develop, so we can ignore it here. It will get fixed on develop. This release is already out.

@Gudahtt Gudahtt merged commit 7057955 into master Jun 3, 2022
@Gudahtt Gudahtt deleted the Version-v10.14.7 branch June 3, 2022 02:02
@github-actions github-actions bot locked and limited conversation to collaborators Jun 3, 2022