Update @metamask/eth-keyring-controller

[mikesposito]

Explanation

This PR updates @metamask/eth-keyring-controller in KeyringController to ^13.
As after v11.0.0 the library has been migrated to TS there is a number of changes needed to support it.

• Type guards have been added to mitigate some issues with the Keyring type used by @metamask/eth-keyring-controller, which is still not supported by the latest released versions of the HD and simple keyrings.
• Keyring type from @metamask/utils has been added, superseding local type declarations

References

• Related to #19659
• Related to Keyring Consolidation: Patch core KeyringController on extension to expose inner EthKeyringController #1315

Changelog

@metamask/keyring-controller

• BREAKING: Removed keyringTypes property from the KeyringController state
• BREAKING: Constructor KeyringControllerOptions type changed
  • The KeyringControllerOptions.state accepted type is now { vault?: string }
  • The KeyringControllerOptions.keyringBuilders type is now { (): Keyring<Json>; type: string }[]
• BREAKING: The address type accepted by the removeAccount method is now Hex
• BREAKING: The signTypedMessage method now returns a Promise<string>
• BREAKING: The signTransaction method now requires a TypedTransaction from @ethereumjs/tx@^4 for the transaction argument, and returns a Promise<TxData>
• BREAKING: Rename Keyring type to KeyringObject
• BREAKING: addNewAccount now throws if address of new account is not a hex string
• BREAKING: exportSeedPhrase now throws if first keyring does not have a mnemonic
• BREAKING: verifySeedPhrase now throws if HD keyring does not have a mnemonic
• CHANGED: Update return type of getAccountKeyringType to Promise<string>
• CHANGED: The private method addQRKeyring has been renamed to #addQRKeyring
• CHANGED: Updated @metamask/eth-keyring-controller to ^13.0.0

Checklist

• I've updated the test suite for new or updated code as appropriate
• I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
• I've highlighted breaking changes using the "BREAKING" category above as appropriate

[socket-security]

Updated and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Packages	Version	New capabilities	Transitives	Size	Publisher
@metamask/eth-json-rpc-middleware	11.0.0...11.0.1	None	+0/-0	149 kB	metamaskbot
jsonschema	1.2.4...1.4.1	None	+0/-0	81.8 kB	acubed
@types/node	16.18.24...20.4.2	None	+0/-0	3.81 MB	types
@types/jest-when	2.7.3...2.7.4	None	+0/-0	5.87 kB	types
nanoid	3.1.31...3.3.6	None	+0/-0	21.7 kB	ai
immer	9.0.6...9.0.21	None	+0/-0	872 kB	mweststrate
jest-when	3.4.2...3.5.2	None	+27/-45	14 MB	timkindberg
multiformats	9.5.2...9.9.0	None	+0/-0	529 kB	npm-service-account-multiformats

🚮 Removed packages: @metamask/[email protected], @metamask/[email protected], [email protected]

[mikesposito]

Starting from @metamask/[email protected] any attempt to add a Keyring of a type with a missing keyring builder throws an error instead of returning undefined.

[mikesposito]

signPersonalMessage › should sign personal message even if empty data is passed
This test is currently failing with this error: Missing data parameter.

Seems like this behavior is changed in @metamask/eth-keyring-controller due to this line added. The data is being normalized too, using normalize function from @metamask/eth-sig-util, which returns undefined with an empty string,

[mikesposito]

Update of @ethereumjs/tx, @ethereumjs/common, @keystonehq/metamask-airgapped-keyring and @metamask/utils has been moved to #1514

[socket-security]

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring: @sinonjs/[email protected], [email protected]

Next steps

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore [email protected] bar@* or ignore all packages with @SocketSecurity ignore-all

[mcmire]

Looks good! Just spotted some typecasting and had some questions.

[legobeat]

@SocketSecurity ignore @sinonjs/[email protected]
@SocketSecurity ignore [email protected]

[mcmire]

Looked over these changes and they make sense to me.

[mcmire]

Would it be worth it to list these in the changelog as well?

• BREAKING: Rename Keyring type to KeyringObject
• BREAKING: addNewAccount now throws if address of new account is not a hex string
• BREAKING: exportSeedPhrase now throws if first keyring does not have a mnemonic
• BREAKING: verifySeedPhrase now throws if HD keyring does not have a mnemonic
• CHANGED: Update return type of getAccountKeyringType to Promise<string>

Also you had listed that the setLocked method is now async, but it seems like that was already the case before, no?