
Jl/wip mm connect #41

Open
jiexi wants to merge 4 commits into main from jl/wip-mm-connect

Conversation


@jiexi jiexi commented Jan 15, 2026


Note

Integrates MetaMask multichain connectivity and prepares the app for Solana Wallet Standard.

  • Adds SDKProvider built on @metamask/connect-multichain to manage session/state and expose connect, disconnect, invokeMethod, and getProvider
  • Registers Solana Wallet Standard in App using the SDK provider client after initialization
  • Wraps the app with SDKProvider in main.tsx
  • Updates Vite config to include/alias bowser and maintain node polyfills
  • package.json: adds MetaMask multichain dependencies and local resolutions, bowser, tweaks dev script (--force), and extends LavaMoat allowlist

Written by Cursor Bugbot for commit ea40729. This will update automatically on new commits.

@jiexi jiexi requested a review from a team as a code owner January 15, 2026 22:53

socket-security bot commented Jan 15, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Added | @metamask/connect-multichain@0.4.0 | 80 | 100 | 80 | 94 | 100 |
| Added | @metamask/rpc-errors@7.0.3 | 100 | 100 | 100 | 84 | 100 |
| Added | bowser@2.13.1 | 100 | 100 | 100 | 86 | 100 |
| Added | @metamask/solana-wallet-standard@0.6.0 | 100 | 100 | 95 | 92 | 100 |
| Added | @metamask/multichain-api-client@0.10.0 | 100 | 100 | 100 | 96 | 100 |



socket-security bot commented Jan 15, 2026

Caution

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action | Severity | Alert
Block Medium
Network access: npm @metamask/analytics in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: npm/@metamask/connect-multichain@0.4.0 → npm/@metamask/analytics@0.2.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/analytics@0.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm @metamask/connect-multichain in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: package.json → npm/@metamask/connect-multichain@0.4.0

ℹ Read more on: This package | This alert | What is network access?

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/connect-multichain@0.4.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm @metamask/multichain-ui in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: npm/@metamask/connect-multichain@0.4.0 → npm/@metamask/multichain-ui@0.3.0

ℹ Read more on: This package | This alert | What is network access?

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/multichain-ui@0.3.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm micro-ftch in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: npm/@metamask/connect-multichain@0.4.0 → npm/@metamask/rpc-errors@7.0.3 → npm/micro-ftch@0.3.1

ℹ Read more on: This package | This alert | What is network access?

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/micro-ftch@0.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm micro-ftch in module http

Module: http

Location: Package overview

From: npm/@metamask/connect-multichain@0.4.0 → npm/@metamask/rpc-errors@7.0.3 → npm/micro-ftch@0.3.1

ℹ Read more on: This package | This alert | What is network access?

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/micro-ftch@0.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm micro-ftch in module https

Module: https

Location: Package overview

From: npm/@metamask/connect-multichain@0.4.0 → npm/@metamask/rpc-errors@7.0.3 → npm/micro-ftch@0.3.1

ℹ Read more on: This package | This alert | What is network access?

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/micro-ftch@0.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm openapi-fetch in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: npm/@metamask/connect-multichain@0.4.0 → npm/openapi-fetch@0.13.8

ℹ Read more on: This package | This alert | What is network access?

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/openapi-fetch@0.13.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm openapi-typescript-helpers in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: npm/@metamask/connect-multichain@0.4.0 → npm/openapi-typescript-helpers@0.0.15

ℹ Read more on: This package | This alert | What is network access?

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/openapi-typescript-helpers@0.0.15. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Publisher changed: npm @metamask/onboarding is now published by gudahtt instead of whymarrh

New Author: gudahtt

Previous Author: whymarrh

From: npm/@metamask/connect-multichain@0.4.0 → npm/@metamask/onboarding@1.0.1

ℹ Read more on: This package | This alert | What is new author?

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/onboarding@1.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm @paulmillr/qr

Reason: The package is now available as "qr": npm install qr

From: npm/@metamask/connect-multichain@0.4.0 → npm/@paulmillr/qr@0.2.1

ℹ Read more on: This package | This alert | What is a deprecated package?

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@paulmillr/qr@0.2.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm pako is 100.0% likely to have a medium risk anomaly

Notes: The code constitutes a robust, standard UTF-8/UTF-16 conversion utility with appropriate fallback paths for environments lacking TextEncoder/TextDecoder. It handles surrogate pairs, invalid sequences, and boundary-safe slicing correctly. No malicious behavior or data leakage is evident in this isolated module; it is safe to rely on as a helper in the open-source supply chain when used as intended.

Confidence: 1.00

Severity: 0.60

From: npm/@metamask/connect-multichain@0.4.0 → npm/pako@2.1.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/pako@2.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm protobufjs is 100.0% likely to have a medium risk anomaly

Notes: This package appears to be a legitimate library (protobufjs) and does not contain obvious malicious remote-execution commands in package.json itself. However, it includes an install-time hook (node scripts/postinstall) which will execute code during npm install, and it references a GitHub-sourced devDependency. These are supply-chain risk factors: you should inspect scripts/postinstall.js and any nested install targets (cli directory) before trusting automatic installation in sensitive environments. If you cannot review the postinstall script, treat installation as potentially risky.

Confidence: 1.00

Severity: 0.60

From: npm/@metamask/connect-multichain@0.4.0 → npm/protobufjs@7.5.4

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/protobufjs@7.5.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


"@metamask/analytics": "file:../connect-monorepo/packages/analytics"
},
"dependencies": {
"@metamask/connect-multichain": "file:../connect-monorepo/packages/connect-multichain",
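Review bot: the `file:../connect-monorepo/...` entries in both `resolutions` (`@metamask/analytics`) and `dependencies` (`@metamask/connect-multichain`) must not be merged as-is; replace them with registry versions (the Socket diff above already resolves `@metamask/connect-multichain@0.4.0` from npm) and keep the local checkout wiring out of the committed manifest, for example via a package-manager link step on the developer's machine, so that the lockfile records the published tarballs and their integrity hashes rather than an unverifiable sibling directory.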

Local file dependencies break builds in non-local environments

High Severity

The resolutions and dependencies contain local file paths like file:../connect-monorepo/packages/connect-multichain that reference a sibling directory. These paths will fail in CI/CD pipelines, other developers' machines, and production builds since the expected local directory structure won't exist. This appears to be development-time configuration that was accidentally included in the PR.


if (provider) {
registerSolanaWalletStandard({ client: provider });
}
})();
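Review bot: the `await getProvider()` at the top of this IIFE has no rejection path, so a failed SDK initialization never reaches the context's `error` state and the effect dies silently; either wrap the body in `try { ... } catch (e) { setError(e) }` or append `.catch(setError)` after `})()`. If `getProvider` is instead changed to return `undefined` on failure (see the note on that callback below), the existing `if (provider)` guard here already covers the failure case and no further change is needed in this hunk.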

Unhandled promise rejection when getProvider throws

Medium Severity

The async IIFE in the useEffect calls getProvider() without any error handling. Unlike other SDK methods (connect, disconnect, invokeMethod) which catch errors and call setError(), getProvider throws errors directly. If SDK initialization fails or createMetamaskConnect rejects, this results in an unhandled promise rejection, causing silent failure of wallet registration.

Additional Locations (1)


url: 'https://playground.metamask.io',
},
api: {
supportedNetworks: getInfuraRpcUrls(process.env.INFURA_API_KEY || ''),
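Review bot: `process.env.INFURA_API_KEY || ''` can never be populated in the browser bundle, so `getInfuraRpcUrls('')` is what actually runs; read the key through a `VITE_`-prefixed variable (`import.meta.env.VITE_INFURA_API_KEY`, name assumed) or add a `define` entry for it in vite.config.ts, and throw on an empty value rather than silently passing `''`. Whichever mechanism is used, the key is inlined into the client bundle served from `https://playground.metamask.io`, so it must be an Infura key that is safe to publish and is restricted to that origin on the Infura side.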

Environment variable inaccessible in Vite browser context

Medium Severity

The code uses process.env.INFURA_API_KEY which will always be undefined in Vite's browser runtime. The codebase already uses import.meta.env.VITE_* for environment variables (e.g., in src/config.ts), and there's no define configuration in vite.config.ts to substitute process.env values. The fallback empty string will always be used, causing getInfuraRpcUrls('') to receive an invalid API key.


}
const sdkInstance = await sdkRef.current;
return sdkInstance.provider as MultichainApiClient;
}, []);
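Review bot: `await sdkRef.current` lets an initialization rejection propagate straight out of `getProvider`, and the `as MultichainApiClient` cast hides that nothing validated the result, so callers never see the failure in `error` state. Wrap the await in the same `try/catch` + `setError` pattern used by `connect`, `disconnect` and `invokeMethod`, return `undefined` on failure, and type the return as `Promise<MultichainApiClient | undefined>` so the caller's `if (provider)` guard is type-checked rather than incidental.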

Inconsistent error handling in getProvider callback

Medium Severity

The getProvider function throws errors directly without catching them or calling setError, unlike disconnect, connect, and invokeMethod which all wrap their logic in try-catch blocks and store errors in state. This inconsistency means errors from getProvider won't appear in the context's error state and will propagate as unhandled rejections.

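Both Bugbot findings above (the unguarded `getProvider()` call in the registration effect, and `getProvider` not recording errors the way the other callbacks do) come down to one missing guard. The following TypeScript is an added example, not code from this PR: it models the provider state as a plain class with no React, with `createSdk` and the `Provider` shape standing in for `createMetamaskConnect` and `MultichainApiClient`, and routes every SDK call through one error-capturing wrapper so the registration step can rely on `if (provider)`.

```typescript
// Added example (not code from the PR): a React-free model of the SDKProvider
// callbacks. `Provider` and `createSdk` stand in for MultichainApiClient and
// createMetamaskConnect; the failInit flag lets a test force initialization
// to fail the way a rejected createMetamaskConnect would.
type Provider = { invokeMethod(req: { method: string }): Promise<string> };

async function createSdk(failInit: boolean): Promise<{ provider: Provider }> {
  if (failInit) throw new Error("SDK initialization failed");
  return {
    provider: { invokeMethod: async (req: { method: string }) => `ok:${req.method}` },
  };
}

export class SdkState {
  // Mirrors the context's error state that setError() would write to.
  error: Error | null = null;
  private sdk: Promise<{ provider: Provider }> | null = null;
  private readonly failInit: boolean;

  constructor(failInit = false) {
    this.failInit = failInit;
  }

  // Single choke point used by every SDK-facing method: the rejection is
  // captured into `error` and the caller receives `undefined` instead of a
  // rejected promise it might forget to handle.
  private async guarded<T>(fn: () => Promise<T>): Promise<T | undefined> {
    try {
      return await fn();
    } catch (e) {
      this.error = e instanceof Error ? e : new Error(String(e));
      return undefined;
    }
  }

  // Same shape as the PR's getProvider, but wrapped like connect/disconnect.
  getProvider(): Promise<Provider | undefined> {
    return this.guarded(async () => {
      this.sdk ??= createSdk(this.failInit);
      return (await this.sdk).provider;
    });
  }

  invokeMethod(method: string): Promise<string | undefined> {
    return this.guarded(async () => {
      const provider = await this.getProvider();
      if (!provider) throw this.error ?? new Error("provider unavailable");
      return provider.invokeMethod({ method });
    });
  }
}

// Mirrors the registration effect: registers only when a provider came back,
// and reports the outcome instead of leaving a dangling rejection.
export async function registerWallet(
  state: SdkState,
  register: (p: Provider) => void,
): Promise<boolean> {
  const provider = await state.getProvider();
  if (provider) register(provider);
  return provider !== undefined;
}
```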
