Review the following changes in direct dependencies. Learn more about Socket for GitHub.
Caution MetaMask internal reviewing guidelines:
| "@metamask/analytics": "file:../connect-monorepo/packages/analytics" | ||
| }, | ||
| "dependencies": { | ||
| "@metamask/connect-multichain": "file:../connect-monorepo/packages/connect-multichain", |
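Review bot: both file:../connect-monorepo/packages/... specifiers (the @metamask/analytics entry in the block that closes above "dependencies", and @metamask/connect-multichain inside it) resolve to whatever happens to be checked out next to this repository, so the code that gets installed is not tied to a published, reviewable version. Suggest replacing both with registry versions before merge, or keeping the local overrides in an untracked developer-only configuration.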
Local file dependencies break builds in non-local environments
High Severity
The resolutions and dependencies contain local file paths like file:../connect-monorepo/packages/connect-multichain that reference a sibling directory. These paths will fail in CI/CD pipelines, other developers' machines, and production builds since the expected local directory structure won't exist. This appears to be development-time configuration that was accidentally included in the PR.
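A pre-merge guard for the problem described in the comment above, as an added example that is not part of the PR, the review bot's output or the MetaMask code base. The function names, the list of manifest sections and the sample manifest (including the bowser version) are assumptions made for illustration; it also covers the link: and portal: protocols and nested npm overrides, which goes beyond the file: case the comment names.

```javascript
// Flag dependency specifiers that point at the local filesystem.
// file:, link: and portal: all resolve outside the registry.
const LOCAL_SPEC = /^(file|link|portal):/;

// Manifest sections that can carry a specifier (assumed list for this example).
const SECTIONS = [
  'dependencies', 'devDependencies', 'optionalDependencies',
  'peerDependencies', 'resolutions', 'overrides',
];

function findLocalSpecs(manifest) {
  const findings = [];
  const walk = (section, node, trail) => {
    for (const [name, spec] of Object.entries(node || {})) {
      if (typeof spec === 'string') {
        if (LOCAL_SPEC.test(spec)) {
          findings.push({ section, name: [...trail, name].join(' > '), spec });
        }
      } else if (spec && typeof spec === 'object') {
        // npm "overrides" may nest one level per parent package.
        walk(section, spec, [...trail, name]);
      }
    }
  };
  for (const section of SECTIONS) walk(section, manifest[section], []);
  return findings;
}

// Returns one human-readable line per finding; an empty array means clean.
function checkManifestText(text) {
  return findLocalSpecs(JSON.parse(text)).map(
    (f) => `${f.section}: ${f.name} -> ${f.spec}`
  );
}

// Constructed sample mirroring the two entries quoted in the review.
const sampleManifest = {
  resolutions: {
    '@metamask/analytics': 'file:../connect-monorepo/packages/analytics',
  },
  dependencies: {
    '@metamask/connect-multichain':
      'file:../connect-monorepo/packages/connect-multichain',
    bowser: '^2.11.0', // constructed version, not taken from the PR
  },
};
```

In CI, pass the contents of package.json to checkManifestText and fail the job when the returned array is non-empty.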
| if (provider) { | ||
| registerSolanaWalletStandard({ client: provider }); | ||
| } | ||
| })(); |
Unhandled promise rejection when getProvider throws
Medium Severity
The async IIFE in the useEffect calls getProvider() without any error handling. Unlike other SDK methods (connect, disconnect, invokeMethod) which catch errors and call setError(), getProvider throws errors directly. If SDK initialization fails or createMetamaskConnect rejects, this results in an unhandled promise rejection, causing silent failure of wallet registration.
| url: 'https://playground.metamask.io', | ||
| }, | ||
| api: { | ||
| supportedNetworks: getInfuraRpcUrls(process.env.INFURA_API_KEY || ''), |
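Review bot: on the supportedNetworks line, the || '' fallback lets a missing INFURA_API_KEY pass silently into getInfuraRpcUrls, so a misconfigured build only shows up later when RPC requests fail. Suggest checking the key once at startup and failing with a clear message when it is empty. If this module is bundled for the browser, the key is also readable by anyone who loads the page, so it should be a key provisioned for client-side use rather than one shared with backend services.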
Environment variable inaccessible in Vite browser context
Medium Severity
The code uses process.env.INFURA_API_KEY which will always be undefined in Vite's browser runtime. The codebase already uses import.meta.env.VITE_* for environment variables (e.g., in src/config.ts), and there's no define configuration in vite.config.ts to substitute process.env values. The fallback empty string will always be used, causing getInfuraRpcUrls('') to receive an invalid API key.
| } | ||
| const sdkInstance = await sdkRef.current; | ||
| return sdkInstance.provider as MultichainApiClient; | ||
| }, []); |
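Review bot: the "as MultichainApiClient" cast on the return line asserts a type without checking it, so an SDK instance whose provider is undefined is handed to callers as a valid client. Suggest either returning MultichainApiClient | undefined and letting callers branch, or throwing an explicit error when sdkInstance.provider is missing, so the failure surfaces at this call rather than at first use.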
Inconsistent error handling in getProvider callback
Medium Severity
The getProvider function throws errors directly without catching them or calling setError, unlike disconnect, connect, and invokeMethod which all wrap their logic in try-catch blocks and store errors in state. This inconsistency means errors from getProvider won't appear in the context's error state and will propagate as unhandled rejections.
Note
Integrates MetaMask multichain connectivity and prepares the app for Solana Wallet Standard.
- SDKProvider built on @metamask/connect-multichain to manage session/state and expose connect, disconnect, invokeMethod, and getProvider
- App using the SDK provider client after initialization
- SDKProvider in main.tsx
- bowser and maintain node polyfills
- resolutions, bowser, tweaks dev script (--force), and extends LavaMoat allowlist

Written by Cursor Bugbot for commit ea40729. This will update automatically on new commits.