chore(deps): update dependency @metamask/sdk to ^0.33.0 [security]#216

Open

renovate[bot] wants to merge 1 commit intounstablefrom

renovate/npm-metamask-sdk-vulnerability

renovate bot commented Sep 15, 2025 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Confidence
@metamask/sdk (source)	`^0.27.0` → `^0.33.0`

GitHub Vulnerability Alerts

GHSA-qj3p-xc97-xw74

Who is affected?

This advisory only applies to developers who use MetaMask SDK in the browser and who, on Sept 8th 2025 between 13:00–15:30 UTC, performed one of the following actions and then deployed their application:

Installed MetaMask SDK into a project with a lockfile for the first time
Installed MetaMask SDK in a project without a lockfile
Updated a lockfile to pull in debug@4.4.2 (e.g., via npm update or yarn upgrade)

What happened?

On Sept 8th, 2025 (13:00–15:30 UTC), a malicious version of the debug package (v4.4.2) was published to npm. The injected code attempts to interfere with dApp-to-wallet communication when executed in a browser context.

While MetaMask SDK itself was not directly impacted, projects installing the SDK during this window may have inadvertently pulled in the malicious version of debug.

Mitigation

If your application was rebuilt and redeployed after Sept 8th, 2025, 15:30 UTC, the malicious version of debug should no longer be present. Please also verify that your package manager (npm, yarn, pnpm, etc.) is not caching debug@4.4.2.
If you have not yet deployed since performing one of the actions above, delete your node_modules and reinstall dependencies before deploying.
If your application was deployed during the attack window and has not been rebuilt since, perform a clean install of dependencies and redeploy to ensure the malicious package is removed.

Resources

GitHub Advisory for debug

Release Notes

MetaMask/metamask-sdk (@metamask/sdk)

`v0.33.1`

Fixed

chore: pin debug package to 4.3.4 due to npm compromise (#1342)

`v0.33.0`

Added

Add rpc ingore list to analytics (#1293)
Integrate sdk-analytics with SDK (#1289)

Fixed

Updates and Fixes to Analytics (#1294)

`v0.32.1`

Fixed

fix: Fix analytics for unwanted events when using extension (#1219)

`v0.32.0`

Added

feat(sdk): rollback @metamask/providers to 16.1.0 due to Next.js compatibility issues (#1207)
feat(sdk): upgrade @metamask/providers to ^18.3.1 (#1199)
feat: implement message size validation to prevent excessive payloads (#1197)
feat: add turborepo for improved monorepo development experience (#1195)

Fixed

fix: user rejection bug (#1202)

`v0.31.5`

Added

feat: improves the react connected hook when using extension & emit terminate when using extension (#1186)
chore: add analytics to install modal (#1189)
feat: add MetaMask Flask provider support for EIP-6963 (#1192)
chore: call getPermissions on accountsChanged when using extension (#1185)

Fixed

Fix nextjs localstorage issue (#1193)
fix(MetaMaskInstaller): replace delete with assignment to undefined for window.ethereum (#1162)

`v0.31.4`

Fixed

refactor(sdk): always send RPC requests via network and deeplink (#1181)

`v0.31.3`

Fixed

fix(analytics): improve dapp details tracking and SDK RPC request analytics (#1179)

`v0.31.2`

Fixed

fix: nextjs build fix pr (#1163)
Set initial modal tab based on preferDesktop option (#1158)

`v0.31.1`

Changed

fix: Tell webpack about dynamic import + fixed polyfills (#1151)
chore: removes sdk terminate when accountsChanged comes in empty (#1148)

`v0.31.0`

Changed

refactor(sdk-install-modal-web): migrate from i18next to custom SimpleI18n implementation (#1141)
refactor(sdk-install-modal-web): migrate to StencilJS + Lazy Loading (#1139)
refactor: replace qr-code-styling with smaller library (#1129)

`v0.30.3`

Changed

refactor(sdk): modernize wallet provider detection with EIP-6963 (#1126)

`v0.30.2`

Added

fix: potential security issue with secp256k1 (#1111)
chore: remove the alert of 'SDK Connection has been terminated' (#1095)
fix: chainId for sepolia in infura rpc map (#1105)

`v0.30.1`

Added

feat: deprecate getUniversalLink in favor or display_uri (#1089)
feat: cleanup sdk dependencies (#1088)

`v0.30.0`

Added

feat: wallet_requestpermissions update local provider accounts (#1081)
fix: connectAndSign send as hexString (#1082)
feat: sdk integration improvements (#1080)
feat: fake metamask wallet detection (#1074)
fix: rpc protocol resetting after refresh (#1079)

`v0.29.3`

Added

fix: display_uri event malformed (#1076)

`v0.29.2`

Added

feat: default options for pure js and useDeeplink default to true (#1070)

`v0.29.1`

Added

feat: emit connectWithResponse event (#1067)
feat: always re-emit display uri event (#1066)
fix: improper implementation of handleBatchMethod + more robust tests (#1065)

`v0.29.0`

Added

feat: event alignment with async protocol (#1054)
feat: auto activate deeplink protocol when wallet supports it (#1056)
fix: connectWith potnetially returning incorrect response (#1053)
fix: unit tests (#1055)
feat: default web url metadata (#1043)
feat: missing extension analytics event for personal_sign (#1048)
feat: server events and dappid recovery (#1044)
feat: handle connection reject event (#1020)

`v0.28.4`

Added

fix: update the initializeMobileProvider function to ensure it returns all connected accounts on mobile (#1031)

`v0.28.3`

Added

fix: invalid display_uri event emitted

`v0.28.2`

Added

fix: sdk-react for react-native (#1011)

`v0.28.1`

Added

fix: sdk _selectedAddress not always initialized and rn setup (#1008)

`v0.28.0`

Added

fix: adds a unique id to RPC events for extension (#996)
feat: connectwith working with async key exchange (#1004)
feat: socket reconnection optimization (#994)
feat: full deeplink protocol (#992)
feat: experimental deeplink protocoll (#990)
feat: revert socket server changes (#985)
feat: change the default value for 'dappId' to 'N/A' instead of an empty string (#972)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.


          chore(deps): update dependency @metamask/sdk to ^0.33.0 [security]

8128d2b

renovate bot added the renovate label

safe-settings-ssvlabs bot removed the renovate label

renovate bot changed the title ~~chore(deps): update dependency @metamask/sdk to ^0.33.0 [security]~~ chore(deps): update dependency @metamask/sdk to ^0.33.0 [security] - abandoned

Author

renovate bot commented Oct 15, 2025

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

renovate bot changed the title ~~chore(deps): update dependency @metamask/sdk to ^0.33.0 [security] - abandoned~~ chore(deps): update dependency @metamask/sdk to ^0.33.0 [security]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet