@metamask/sdk-communication-layer @0.33.0

rejected
This version was rejected. It did not pass GreenFlagged's security review and is not served by the registry. The findings and risk dispositions below explain why.
Risk Score: 16
License:
Install Scripts: No
Dependencies: 6
Dev Dependencies: 47
Package Size: 500.0 KB
Published:

Maintainers

danfinlay, kumavis, mcmire, rekmarks, metamaskbot, gudahtt, nicholasellul, sethkfman, naugtur

Dependencies (6)

Package | Constraint | Registry Status
uuid ^8.3.2 auto_approved
debug ^4.3.4 auto_approved
date-fns ^2.29.3 auto_approved
bufferutil ^4.0.8 auto_approved
utf-8-validate ^5.0.2 No greenflagged match
@metamask/sdk-analytics 0.0.5 auto_approved

Dev Dependencies (47)

Package | Constraint | Registry Status
jest ^29.3.1 auto_approved
eslint ^7.30.0 auto_approved
rimraf ^3.0.2 auto_approved
rollup ^4.26.0 auto_approved
eciesjs ^0.4.11 auto_approved
ts-jest ^29.0.3 auto_approved
ts-node ^10.9.1 auto_approved
prettier ^2.3.0 auto_approved
size-limit ^11.1.6 No greenflagged match
typescript ^5.6.3 auto_approved
@types/jest ^29.2.4 auto_approved
@types/node ^20.1.3 auto_approved
@types/uuid ^9.0.0 No greenflagged match
cross-fetch ^4.0.0 auto_approved
concurrently ^9.1.2 auto_approved
@jest/globals ^29.3.1 auto_approved
eventemitter2 ^6.4.9 auto_approved
socket.io-client ^4.5.1 auto_approved
stream-browserify ^3.0.0 auto_approved
eslint-plugin-jest ^24.4.0 No greenflagged match
eslint-plugin-node ^11.1.0 auto_approved
rollup-plugin-jscc ^2.0.0 Not imported
@rollup/plugin-json ^6.0.0 auto_approved
eslint-plugin-jsdoc ^36.1.0 auto_approved
rollup-plugin-sizes ^1.0.6 auto_approved
eslint-plugin-import ^2.23.4 auto_approved
@rollup/plugin-terser ^0.4.4 auto_approved
rollup-plugin-natives ^0.7.5 Not imported
@rollup/plugin-replace ^6.0.1 auto_approved
eslint-config-prettier ^8.3.0 auto_approved
eslint-plugin-prettier ^3.4.0 auto_approved
@lavamoat/allow-scripts ^2.3.1 No greenflagged match
@metamask/eslint-config ^6.0.0 No greenflagged match
@rollup/plugin-commonjs ^25.0.0 auto_approved
@metamask/auto-changelog 3.1.0 No greenflagged match
rollup-plugin-visualizer ^5.12.0 auto_approved
@typescript-eslint/parser ^4.26.0 auto_approved
rollup-plugin-typescript2 ^0.31.2 auto_approved
@size-limit/preset-big-lib ^11.0.2 Not imported
rollup-plugin-node-globals ^1.4.0 auto_approved
@rollup/plugin-node-resolve ^15.0.2 auto_approved
rollup-plugin-node-builtins ^2.1.2 auto_approved
rollup-plugin-polyfill-node ^0.13.0 auto_approved
@metamask/eslint-config-nodejs ^6.0.0 No greenflagged match
@typescript-eslint/eslint-plugin ^4.26.0 auto_approved
rollup-plugin-peer-deps-external ^2.2.4 No greenflagged match
@metamask/eslint-config-typescript ^6.0.0 No greenflagged match

Transitive Dependency Tree

10 transitive deps max depth 2
  ├─ @metamask/sdk-analytics 0.0.5 → 0.0.5
  ├─ bufferutil ^4.0.8 → 4.1.0
  ├─ date-fns ^2.29.3 → 2.30.0
  ├─ debug ^4.3.4 → 4.4.3
  ├─ utf-8-validate ^5.0.2
  ├─ uuid ^8.3.2 → 8.3.2
  ├─ @babel/runtime ^7.21.0 → 7.29.7
  ├─ ms ^2.1.3 → 2.1.3
  ├─ node-gyp-build ^4.3.0
  ├─ openapi-fetch ^0.13.5

Risk Dispositions (1 applicable to this version, 0 other)

Accepted rules are downgraded to INFO on future analyses; rejected rules escalate to CRITICAL.

Rule | Source | Disposition | Author | Reason
osv:GHSA-qj3p-xc97-xw74 osv reject AI AI (osv): Affected range >=0.16.0 <0.33.1; fix available in 0.33.1. Generalizes to all versions in this range.

SAST Findings (2)

MEDIUM (source: osv) GHSA-qj3p-xc97-xw74: MetaMask SDK indirectly exposed via malicious debug@4.4.2 dependency

### Who is affected?

This advisory only applies to developers who use MetaMask SDK in the browser and who, on Sept 8th 2025 between 13:00–15:30 UTC, performed one of the following actions and then deployed their application:

- Installed MetaMask SDK into a project with a lockfile for the first time
- Installed MetaMask SDK in a project without a lockfile
- Updated a lockfile to pull in `debug@4.4.2` (e.g., via `npm update` or `yarn upgrade`)

### What happened?

On Sept 8th, 2025 (13:00–15:30 UTC), a malicious version of the `debug` package (v4.4.2) was published to npm. The injected code attempts to interfere with dApp-to-wallet communication when executed in a browser context. While MetaMask SDK itself was not directly impacted, projects installing the SDK during this window may have inadvertently pulled in the malicious version of `debug`.

### Mitigation

- If your application was rebuilt and redeployed after Sept 8th, 2025, 15:30 UTC, the malicious version of debug should no longer be present. Please also verify that your package manager (npm, yarn, pnpm, etc.) is not caching `debug@4.4.2`.
- If you have not yet deployed since performing one of the actions above, delete your `node_modules` and reinstall dependencies before deploying.
- If your application was deployed during the attack window and has not been rebuilt since, perform a clean install of dependencies and redeploy to ensure the malicious package is removed.

### Resources

[GitHub Advisory for debug](https://github.com/advisories/GHSA-8mgj-vmr8-frr6)

LOW (source: provenance) No provenance attestation

Package was published without Sigstore provenance. Only ~12% of npm packages have provenance, so this is common but not ideal.

Review Summary

Risk score: 16. Findings: 1 medium (+10), 2 low (+6), 3 info (+0).

Commit: e1764d4a5c7c

Published to npm: