deps(keyring-controller): @metamask/keyring-api@^2.0.0->^3.0.0

[legobeat]

Explanation

References

Blocking

• fix(deps): readable-stream@3 metamask-extension#21934

Changelog

@metamask/keyring-controller

• CHANGED: Update @metamask/keyring-api from ^2.0.0 to ^3.0.0
• CHANGED: Update @metamask/eth-keyring-controller from ^17.0.0 to ^17.0.1

Checklist

• I've updated the test suite for new or updated code as appropriate
• I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
• I've highlighted breaking changes using the "BREAKING" category above as appropriate

[socket-security]

New and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@metamask/eth-keyring-controller@17.0.1	Transitive: environment, eval, filesystem, network, shell, unsafe	+424	137 MB	brad.decker, danfinlay, gudahtt, ...9 more
npm/@metamask/keyring-api@3.0.0	Transitive: environment, eval, filesystem, network, shell, unsafe	+414	136 MB	brad.decker, danfinlay, gudahtt, ...9 more

🚮 Removed packages: npm/@metamask/eth-keyring-controller@17.0.0

View full report↗︎

[socket-security]

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring: npm/@metamask/eth-keyring-controller@17.0.1, npm/@metamask/keyring-api@3.0.0

View full report↗︎

Next steps

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of ecosystem/package-name@version specifiers. e.g. @SocketSecurity ignore npm/foo@1.0.0 or ignore all packages with @SocketSecurity ignore-all

[mikesposito]

@SocketSecurity ignore @metamask/obs-store@9.0.0

gudahtt is a trusted author

@SocketSecurity ignore @metamask/eth-keyring-controller@16.0.0

v16.0.0 has been published 4 days ago

[mcmire]

@mikesposito This is blocked by the fact that keyring-api introduces a circular dependency on this repo, correct?

[mikesposito]

@mcmire Exactly, we should fix that in eth-keyring-controller before merging this one

[mikesposito]

We should now update to eth-keyring-controller ^17.0.1 directly, but v17 comes with a breaking change related to createNewVaultAndKeychain and createNewVaultAndRestore.

[legobeat]

We should now update to eth-keyring-controller ^17.0.1 directly, but v17 comes with a breaking change related to createNewVaultAndKeychain and createNewVaultAndRestore.

• The update to eth-keyring-controller 17.0.0 has already been merged separately in feat: add methods to support ERC-4337 accounts #3602
• This PR has now been updated to update to ^17.0.1, together with updating the direct dependency of @metamask/keyring-api to ^3.0.0 (in order to match the version now used transitively in eth-keyring-controller 17.0.1).
• @metamask/accounts-controller still depends on the older version transitively so better be updated separately.
  • chore: update dependencies for @metamask/accounts-controller #3747

[legobeat]

@SocketSecurity ignore npm/@metamask/keyring-api@3.0.0
@SocketSecurity ignore npm/@metamask/eth-keyring-controller@17.0.1

False-flagged as "unpublished"

[legobeat]

Due to the requirement in yarn constraints, closing this in favor of #3747