chore: bump @metamask/profile-sync-controller to ^28.0.0 #40711
mathieuartu wants to merge 12 commits into main
CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.
Co-authored-by: Mathieu Artu <mathieuartu@users.noreply.github.com>
…etamask-extension into chore/core-pr-8144-test-drive
Builds ready [f88d70a]
⚡ Performance Benchmarks
🌐 Dapp Page Load Benchmarks
Current Commit: 📄 Localhost MetaMask Test Dapp, Samples: 100
Bundle size diffs [🚨 Warning! Bundle size has increased!]
✨ Files requiring CODEOWNER review ✨
🔑 @MetaMask/accounts-engineers (1 files, +7 -3)
📜 @MetaMask/policy-reviewers (8 files, +12 -0)
Tip: Follow the policy review process outlined in the LavaMoat Policy Review Process doc before expecting an approval from Policy Reviewers.
Builds ready [f65326c]
@metamaskbot update-policies
Policies updated.
🧠 Learn how: https://lavamoat.github.io/guides/policy-diff/#what-to-look-for-when-reviewing-a-policy-diff
👀 lavamoat/browserify/beta/policy.json changes differ from main/policy.json policy changes
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
| "URL": true, | ||
| "URLSearchParams": true, | ||
| "addEventListener": true, | ||
| "atob": true, |
Missing btoa in webpack/mv2 LavaMoat policies
Medium Severity
The browserify policies for @metamask/profile-sync-controller add both atob and btoa globals, but all four webpack/mv2 policies only add atob. If the updated preview package uses btoa, it will be blocked by LavaMoat in MV2 webpack builds, potentially causing runtime failures in that build variant while working fine in browserify builds.
Additional Locations (1)
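The mismatch reported above can be caught mechanically by comparing the globals each build's policy grants to the same package. This is an added example, not code from the extension or from LavaMoat; the policy labels, the inline sample policies and the function names are constructed for illustration, and only the `resources -> package -> globals` layout follows LavaMoat's policy.json format.

```javascript
// Constructed sample policies (not the extension's real policy files),
// in LavaMoat's policy.json shape: resources -> package -> globals.
const PKG = '@metamask/profile-sync-controller';
const policies = {
  'browserify/main': {
    resources: { [PKG]: { globals: { URL: true, atob: true, btoa: true } } },
  },
  'webpack/mv2/main': {
    resources: { [PKG]: { globals: { URL: true, atob: true } } },
  },
};

// Collect the globals one policy grants to a package.
// A value of false is treated here as "not granted".
function grantedGlobals(policy, pkg) {
  const globals = policy?.resources?.[pkg]?.globals ?? {};
  return new Set(
    Object.keys(globals).filter((name) => globals[name] !== false),
  );
}

// For every policy, list the globals that another policy grants to the
// same package but this one does not. An empty result means the build
// variants agree on what the package may touch.
function findGlobalGaps(policySet, pkg) {
  const perPolicy = Object.entries(policySet).map(([label, policy]) => [
    label,
    grantedGlobals(policy, pkg),
  ]);
  const union = new Set(perPolicy.flatMap(([, granted]) => [...granted]));
  const gaps = {};
  for (const [label, granted] of perPolicy) {
    const missing = [...union].filter((name) => !granted.has(name)).sort();
    if (missing.length > 0) gaps[label] = missing;
  }
  return gaps;
}

console.log(findGlobalGaps(policies, PKG));
```

A gap is a prompt for review rather than a reason to grant the global automatically: a build should only be given `btoa` if the package really calls it there.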
Builds ready [0bc0e72]
mathieuartu left a comment
The Test-Lint step is failing because of preferences-controller version that needs alignment. Doesn't interfere with the purpose of this test drive PR.
… bugs (#8144)

## Explanation

⚠️ This is a breaking change, and clients will need to be updated around the E2E setup area. Needed changes are in the test-drive PRs below.

Extension test-drive PR: MetaMask/metamask-extension#40711

## References

Related to https://consensyssoftware.atlassian.net/browse/MUL-1549

## Checklist

- [x] I've updated the test suite for new or updated code as appropriate
- [x] I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
- [x] I've communicated my changes to consumers by [updating changelogs for packages I've changed](https://github.com/MetaMask/core/tree/main/docs/processes/updating-changelogs.md)
- [x] I've introduced [breaking changes](https://github.com/MetaMask/core/tree/main/docs/processes/breaking-changes.md) in this PR and have prepared draft pull requests for clients and consumer packages to resolve them

---

> [!NOTE]
> **High Risk**
> Touches authentication session validation and token retrieval behavior (including breaking test/mock contract), which can affect login/coalescing and any consumers relying on cached tokens.
>
> **Overview**
> Fixes profile auth/token caching edge-cases that could lead to **stale bearer tokens (401s)**.
>
> `profile-sync-controller` now validates cached login sessions by decoding the JWT `exp` claim (rejecting expired/malformed/non-JWT tokens) and resolves `undefined` `entropySourceId` to the *primary* SRP ID (cached across calls and cleared on sign-out), eliminating duplicate logins caused by `undefined` vs explicit primary IDs; `getUserProfileLineage` is updated to accept an optional `entropySourceId` end-to-end.
>
> `profile-metrics-controller` moves `AuthenticationController:getBearerToken` acquisition inside the retry execution so each retry fetches a fresh token. E2E/test mocks are updated to wrap mock identifiers in JWT-shaped tokens and provide `getE2EIdentifierFromJwt` to extract the original identifier.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 884180c. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>
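A sketch of the cached-session check the commit message above describes: decode the JWT `exp` claim and treat expired, malformed and non-JWT tokens as unusable. This is an added example, not the controller's code; `readExp`, `isCachedTokenUsable` and `makeSampleJwt` are hypothetical names and the sample tokens are constructed. It reads the payload through `atob`, the kind of call a LavaMoat policy has to allow for the package.

```javascript
// Decode one base64url JWT segment using the atob global.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return atob(padded);
}

// Return the exp claim (seconds since the epoch), or null when the token
// is not a three-part JWT whose payload is JSON with a numeric exp.
function readExp(token) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 3) return null;
  try {
    const payload = JSON.parse(decodeSegment(parts[1]));
    return Number.isFinite(payload?.exp) ? payload.exp : null;
  } catch {
    return null; // invalid base64 or invalid JSON
  }
}

// A cached token is reused only while exp lies in the future.
// This is a freshness check, not signature verification: it avoids
// sending a token already known to be stale and leaves authenticity
// to the server that issued it.
function isCachedTokenUsable(token, nowMs = Date.now()) {
  const exp = readExp(token);
  return exp !== null && exp > Math.floor(nowMs / 1000);
}

// Constructed helper: wraps a payload in a JWT-shaped string for the
// samples below (placeholder signature, uses the btoa global).
function makeSampleJwt(payload) {
  const enc = (obj) =>
    btoa(JSON.stringify(obj))
      .replace(/\+/g, '-')
      .replace(/\//g, '_')
      .replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc(payload)}.sig`;
}

const NOW_MS = 1700000000000; // constructed clock value
console.log(isCachedTokenUsable(makeSampleJwt({ exp: 1700000600 }), NOW_MS));
console.log(isCachedTokenUsable('opaque-mock-identifier', NOW_MS));
```

Failing closed on anything that does not parse makes a stale or corrupted cache entry trigger a fresh login rather than be sent as a bearer token.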
@metamask/profile-sync-controller to ^28.0.0
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
Builds ready [37adf72]
Description
Changelog
CHANGELOG entry: null
Related issues
Fixes:
Manual testing steps
No manual testing steps
Screenshots/Recordings
Before
After
Pre-merge author checklist
Pre-merge reviewer checklist
Note
Medium Risk
Dependency upgrade in auth/profile-sync plus new LavaMoat global allowances (`atob`/`btoa`) could affect token handling and runtime sandboxing if mismatched with the new package behavior.

Overview
Updates the extension to `@metamask/profile-sync-controller@28` (and related package bumps), and refactors multiple controller messengers to use the new `*Action` type exports (e.g., `AuthenticationControllerGetBearerTokenAction`, `UserStorageControllerPerformGetStorageAction`) while keeping the delegated action strings the same.

Adjusts LavaMoat policies to allow `atob`/`btoa` globals for `@metamask/profile-sync-controller`, and updates the user-storage E2E mock to derive the SRP identifier from the auth JWT via `AuthenticationController.Mocks.getE2EIdentifierFromJwt` instead of using a fallback identifier.

Written by Cursor Bugbot for commit 37adf72. This will update automatically on new commits. Configure here.