chore: update allow-scripts to v5 for version pinning

[naugtur]

Description

Updated @lavamoat/allow-scripts to v5

The breaking change is that it now pins versions by default.

An update to allowed package's version will not get it scripts executed until allowlist gets updated. Thus - every version bump of a package with allowed scripts needs to be looked at before the new script runs.

running

yarn allow-scripts auto

will produce the updates necessary

Changelog

CHANGELOG entry: null

Related issues

Fixes:

Manual testing steps

yarn

and then look at it

For additional information, run:

yarn allow-scripts debug

Screenshots/Recordings

Before

After

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Extension Coding Standards.
• I've completed the PR template to the best of my ability
• I’ve included tests if applicable
• I’ve documented my code using JSDoc format if applicable
• I’ve applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---

Note

Medium Risk
Moderate risk because it changes install-time script allowlisting behavior (version-pinned entries) which can block or newly permit dependency scripts after upgrades, potentially impacting yarn/CI builds.

Overview
Upgrades @lavamoat/allow-scripts to v5.0.1 and updates lavamoat.allowScripts to pin allowed script entries to exact package versions (e.g., @sentry/cli#..., sharp#...) instead of unversioned allow rules.

Updates the lockfile for the new allow-scripts dependency chain and adjusts resolved versions accordingly (including tar).

^{Reviewed by Cursor Bugbot for commit 6742cfc. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​lavamoat/​allow-scripts@​5.0.1

View full report

[socket-security]

Warning

MetaMask internal reviewing guidelines:

• Do not ignore-all
• Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
• Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
  @SocketSecurity ignore npm/PACKAGE@VERSION

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Potential code anomaly (AI signal): npm tar is 100.0% likely to have a medium risk anomaly Notes: This module acts as a standard tar extraction wrapper using synchronous and asynchronous code paths. There is no evident malicious activity within this fragment. Security risk hinges on the behavior of the Unpack/UnpackSync implementation and how tar entries are written to disk (e.g., path traversal). No hardcoded secrets or network calls are present here. Recommend ensuring tar extraction handles path traversal and destination path sanitization in Unpack, and consider validating opt.file presence and type before streaming. Confidence: 1.00 Severity: 0.60 From: ? → npm/@storybook/addon-docs@7.6.21 → npm/storybook@7.6.21 → npm/eth-lattice-keyring@1.1.0 → npm/@metamask/eth-trezor-keyring@9.1.0 → npm/@metamask/keyring-controller@25.2.0 → npm/@playwright/test@1.59.1 → npm/@metamask/eth-ledger-bridge-keyring@11.4.0 → npm/@lavamoat/allow-scripts@5.0.1 → npm/crypto-browserify@3.12.1 → npm/@ledgerhq/hw-app-eth@6.42.2 → npm/@keystonehq/bc-ur-registry-eth@0.22.1 → npm/ethereumjs-util@7.1.5 → npm/@trezor/connect-web@9.6.0 → npm/@metamask/test-dapp-solana@0.3.1 → npm/ganache@7.9.2 → npm/@jest/globals@29.7.0 → npm/@metamask/foundryup@1.0.1 → npm/jest@29.7.0 → npm/@storybook/test-runner@0.14.1 → npm/level@8.0.1 → npm/@metamask/eth-qr-keyring@1.1.0 → npm/chokidar@3.6.0 → npm/@metamask/snap-account-abstraction-keyring-site@1.0.0 → npm/tsx@4.21.0 → npm/tar@7.5.11 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tar@7.5.11. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[naugtur]

Notice this one is gone. It no longer has a lifecycle script and new version of allow-scripts prunes that automatically on yarn allow-scripts auto

[naugtur]

@metamaskbot update-policies

[metamaskbot]

Policies updated.
👀 Please review the diff for suspicious new powers.

Tip

Follow the policy review process outlined in the LavaMoat Policy Review Process doc before expecting an approval from Policy Reviewers.
🧠 Learn how to read policy diffs: https://lavamoat.github.io/guides/policy-diff/#what-to-look-for-when-reviewing-a-policy-diff

✅ lavamoat/browserify/beta/policy.json changes match main/policy.json policy changes
✅ lavamoat/browserify/experimental/policy.json changes match main/policy.json policy changes
✅ lavamoat/browserify/flask/policy.json changes match main/policy.json policy changes
✅ lavamoat/webpack/mv2/beta/policy.json changes match mv2/main/policy.json policy changes
✅ lavamoat/webpack/mv2/experimental/policy.json changes match mv2/main/policy.json policy changes
✅ lavamoat/webpack/mv2/flask/policy.json changes match mv2/main/policy.json policy changes
✅ lavamoat/webpack/mv3/beta/policy.json changes match mv3/main/policy.json policy changes
✅ lavamoat/webpack/mv3/experimental/policy.json changes match mv3/main/policy.json policy changes
✅ lavamoat/webpack/mv3/flask/policy.json changes match mv3/main/policy.json policy changes

[naugtur]

@MetaMask/policy-reviewers
The update is here because @lavamoat/allow-scripts pulls in an update to resolve package and deduplication bumps it in dependencies for build system. It has a new dependency, so we needed an update. nothing interesting there.

[metamaskbotv2]

Builds ready [60ba8f3]

• builds: chrome, firefox
• builds (beta): chrome, firefox
• builds (flask): chrome, firefox
• builds (test): chrome, firefox
• builds (test-flask): chrome, firefox
• webpack builds: chrome, firefox
• webpack builds (beta): chrome, firefox
• webpack builds (flask): chrome, firefox
• webpack builds (test): chrome, firefox
• webpack builds (test-flask): chrome, firefox
• bundle size: Bundle Size Stats
• bundle analyzer: Bundle Analyzer
• interaction-benchmark: Interaction Stats
• storybook: Storybook
• typescript migration: Dashboard
• all artifacts

⚡ Performance Benchmarks (Total: 🟢 7 pass · 🟡 8 warn · 🔴 0 fail)

Baseline (latest main): 71bd826 | Date: 10/14/58243 | Pipeline: 24664753753 | Baseline logs

Interaction Benchmarks · Samples: 5

Benchmark	chrome-browserify
loadNewAccount	🟡 [Show logs]
confirmTx	🟡 [Show logs]
bridgeUserActions	🟡 [Show logs]

📈 Results compared to the previous 5 runs on main

• ↓ loadNewAccount/load_new_account: -72%
• ↓ loadNewAccount/total: -72%
• ↓ bridgeUserActions/bridge_load_page: -16%
• ↓ bridgeUserActions/bridge_load_asset_picker: -24%
• ↓ bridgeUserActions/bridge_search_token: -23%
• ↓ bridgeUserActions/total: -27%

🌐 Core Web Vitals — 🟢 good · 🟡 needs improvement · 🔴 poor (web.dev thresholds)

• 🟡 loadNewAccount/FCP: p75 2.6s
• 🟡 confirmTx/FCP: p75 2.6s
• 🟡 bridgeUserActions/FCP: p75 2.6s

Startup Benchmarks · Samples: 100

Benchmark	chrome-browserify	chrome-webpack	firefox-browserify	firefox-webpack
startupStandardHome	🟢 [Show logs]	🟢 [Show logs]	🟢 [Show logs]	🟢 [Show logs]

📈 Results compared to the previous 5 runs on main

• ↓ startupStandardHome/uiStartup: -22%
• ↓ startupStandardHome/load: -10%
• ↓ startupStandardHome/domContentLoaded: -13%
• ↓ startupStandardHome/firstReactRender: -14%
• ↑ startupStandardHome/initialActions: +33%
• ↓ startupStandardHome/loadScripts: -15%
• ↑ startupStandardHome/setupStore: +14%
• ↓ startupStandardHome/numNetworkReqs: -37%
• ↓ startupStandardHome/uiStartup: -19%
• ↓ startupStandardHome/load: -15%
• ↓ startupStandardHome/domContentLoaded: -15%
• ↓ startupStandardHome/backgroundConnect: -35%
• ↓ startupStandardHome/firstReactRender: -23%
• ↓ startupStandardHome/loadScripts: -15%
• ↓ startupStandardHome/numNetworkReqs: -44%
• ↓ startupStandardHome/uiStartup: -13%
• ↓ startupStandardHome/domInteractive: -42%
• ↓ startupStandardHome/initialActions: -33%
• ↓ startupStandardHome/numNetworkReqs: -34%
• ↓ startupStandardHome/uiStartup: -20%
• ↓ startupStandardHome/load: -13%
• ↓ startupStandardHome/domContentLoaded: -13%
• ↓ startupStandardHome/domInteractive: -58%
• ↓ startupStandardHome/initialActions: -43%
• ↓ startupStandardHome/loadScripts: -13%
• ↓ startupStandardHome/setupStore: -64%
• ↓ startupStandardHome/numNetworkReqs: -34%

User Journey Benchmarks · Samples: 5 · mock API

Benchmark	chrome-browserify
onboardingImportWallet	🟢 [Show logs]
onboardingNewWallet	🟢 [Show logs]
assetDetails	🟡 [Show logs]
solanaAssetDetails	🟡 [Show logs]
importSrpHome	🟡 [Show logs]
sendTransactions	🟡 [Show logs]
swap	🟡 [Show logs]

📈 Results compared to the previous 5 runs on main

• ↓ onboardingImportWallet/srpButtonToSrpForm: -88%
• ↓ onboardingImportWallet/confirmSrpToPwForm: -28%
• ↓ onboardingImportWallet/pwFormToMetricsScreen: -27%
• ↓ onboardingImportWallet/metricsToWalletReadyScreen: -59%
• ↓ onboardingImportWallet/doneButtonToHomeScreen: -77%
• ↑ onboardingImportWallet/openAccountMenuToAccountListLoaded: +25%
• ↓ onboardingImportWallet/total: -48%
• ↓ onboardingNewWallet/srpButtonToPwForm: -77%
• ↓ onboardingNewWallet/skipBackupToMetricsScreen: -66%
• ↓ onboardingNewWallet/agreeButtonToOnboardingSuccess: -23%
• ↓ onboardingNewWallet/doneButtonToAssetList: -19%
• ↓ onboardingNewWallet/total: -22%
• ↓ assetDetails/assetClickToPriceChart: -46%
• ↓ assetDetails/total: -46%
• ↓ solanaAssetDetails/assetClickToPriceChart: -65%
• ↓ solanaAssetDetails/total: -65%
• ↓ importSrpHome/openAccountMenuAfterLogin: -79%
• ↓ importSrpHome/homeAfterImportWithNewWallet: -66%
• ↓ importSrpHome/total: -57%
• ↓ sendTransactions/openSendPageFromHome: -15%
• ↑ sendTransactions/reviewTransactionToConfirmationPage: +38%
• ↑ sendTransactions/total: +36%
• ↓ swap/openSwapPageFromHome: -96%
• ↑ swap/fetchAndDisplaySwapQuotes: +32%
• ↑ swap/total: +11%

🌐 Core Web Vitals — 🟢 good · 🟡 needs improvement · 🔴 poor (web.dev thresholds)

• 🟡 assetDetails/FCP: p75 2.6s
• 🟡 solanaAssetDetails/FCP: p75 2.6s
• 🟡 importSrpHome/FCP: p75 2.5s
• 🟡 sendTransactions/INP: p75 232ms
• 🟡 sendTransactions/FCP: p75 2.6s
• 🟡 swap/FCP: p75 2.6s

Dapp Page Load Benchmarks · Samples: 100

Benchmark	chrome-browserify
dappPageLoad	🟢 [Show logs]

Bundle size diffs [🚨 Warning! Bundle size has increased!]

• background: 1.12 KiB (0.02%)
• ui: 2.44 KiB (0.03%)
• common: 19 Bytes (0%)

[metamaskbotv2]

Builds ready [60ba8f3]

• builds: chrome, firefox
• builds (beta): chrome, firefox
• builds (flask): chrome, firefox
• builds (test): chrome, firefox
• builds (test-flask): chrome, firefox
• webpack builds: chrome, firefox
• webpack builds (beta): chrome, firefox
• webpack builds (flask): chrome, firefox
• webpack builds (test): chrome, firefox
• webpack builds (test-flask): chrome, firefox
• bundle size: Bundle Size Stats
• bundle analyzer: Bundle Analyzer
• interaction-benchmark: Interaction Stats
• storybook: Storybook
• typescript migration: Dashboard
• all artifacts

⚡ Performance Benchmarks (Total: 🟢 7 pass · 🟡 8 warn · 🔴 0 fail)

Baseline (latest main): 71bd826 | Date: 10/14/58243 | Pipeline: 24664753753 | Baseline logs

Interaction Benchmarks · Samples: 5

Benchmark	chrome-browserify
loadNewAccount	🟡 [Show logs]
confirmTx	🟡 [Show logs]
bridgeUserActions	🟡 [Show logs]

📈 Results compared to the previous 5 runs on main

• ↓ loadNewAccount/load_new_account: -72%
• ↓ loadNewAccount/total: -72%
• ↓ bridgeUserActions/bridge_load_page: -16%
• ↓ bridgeUserActions/bridge_load_asset_picker: -24%
• ↓ bridgeUserActions/bridge_search_token: -23%
• ↓ bridgeUserActions/total: -27%

🌐 Core Web Vitals — 🟢 good · 🟡 needs improvement · 🔴 poor (web.dev thresholds)

• 🟡 loadNewAccount/FCP: p75 2.6s
• 🟡 confirmTx/FCP: p75 2.6s
• 🟡 bridgeUserActions/FCP: p75 2.6s

Startup Benchmarks · Samples: 100

Benchmark	chrome-browserify	chrome-webpack	firefox-browserify	firefox-webpack
startupStandardHome	🟢 [Show logs]	🟢 [Show logs]	🟢 [Show logs]	🟢 [Show logs]

📈 Results compared to the previous 5 runs on main

• ↓ startupStandardHome/uiStartup: -22%
• ↓ startupStandardHome/load: -10%
• ↓ startupStandardHome/domContentLoaded: -13%
• ↓ startupStandardHome/firstReactRender: -14%
• ↑ startupStandardHome/initialActions: +33%
• ↓ startupStandardHome/loadScripts: -15%
• ↑ startupStandardHome/setupStore: +14%
• ↓ startupStandardHome/numNetworkReqs: -37%
• ↓ startupStandardHome/uiStartup: -19%
• ↓ startupStandardHome/load: -15%
• ↓ startupStandardHome/domContentLoaded: -15%
• ↓ startupStandardHome/backgroundConnect: -35%
• ↓ startupStandardHome/firstReactRender: -23%
• ↓ startupStandardHome/loadScripts: -15%
• ↓ startupStandardHome/numNetworkReqs: -44%
• ↓ startupStandardHome/uiStartup: -13%
• ↓ startupStandardHome/domInteractive: -42%
• ↓ startupStandardHome/initialActions: -33%
• ↓ startupStandardHome/numNetworkReqs: -34%
• ↓ startupStandardHome/uiStartup: -20%
• ↓ startupStandardHome/load: -13%
• ↓ startupStandardHome/domContentLoaded: -13%
• ↓ startupStandardHome/domInteractive: -58%
• ↓ startupStandardHome/initialActions: -43%
• ↓ startupStandardHome/loadScripts: -13%
• ↓ startupStandardHome/setupStore: -64%
• ↓ startupStandardHome/numNetworkReqs: -34%

User Journey Benchmarks · Samples: 5 · mock API

Benchmark	chrome-browserify
onboardingImportWallet	🟢 [Show logs]
onboardingNewWallet	🟢 [Show logs]
assetDetails	🟡 [Show logs]
solanaAssetDetails	🟡 [Show logs]
importSrpHome	🟡 [Show logs]
sendTransactions	🟡 [Show logs]
swap	🟡 [Show logs]

📈 Results compared to the previous 5 runs on main

• ↓ onboardingImportWallet/srpButtonToSrpForm: -88%
• ↓ onboardingImportWallet/confirmSrpToPwForm: -28%
• ↓ onboardingImportWallet/pwFormToMetricsScreen: -27%
• ↓ onboardingImportWallet/metricsToWalletReadyScreen: -59%
• ↓ onboardingImportWallet/doneButtonToHomeScreen: -77%
• ↑ onboardingImportWallet/openAccountMenuToAccountListLoaded: +25%
• ↓ onboardingImportWallet/total: -48%
• ↓ onboardingNewWallet/srpButtonToPwForm: -77%
• ↓ onboardingNewWallet/skipBackupToMetricsScreen: -66%
• ↓ onboardingNewWallet/agreeButtonToOnboardingSuccess: -23%
• ↓ onboardingNewWallet/doneButtonToAssetList: -19%
• ↓ onboardingNewWallet/total: -22%
• ↓ assetDetails/assetClickToPriceChart: -46%
• ↓ assetDetails/total: -46%
• ↓ solanaAssetDetails/assetClickToPriceChart: -65%
• ↓ solanaAssetDetails/total: -65%
• ↓ importSrpHome/openAccountMenuAfterLogin: -79%
• ↓ importSrpHome/homeAfterImportWithNewWallet: -66%
• ↓ importSrpHome/total: -57%
• ↓ sendTransactions/openSendPageFromHome: -15%
• ↑ sendTransactions/reviewTransactionToConfirmationPage: +38%
• ↑ sendTransactions/total: +36%
• ↓ swap/openSwapPageFromHome: -96%
• ↑ swap/fetchAndDisplaySwapQuotes: +32%
• ↑ swap/total: +11%

🌐 Core Web Vitals — 🟢 good · 🟡 needs improvement · 🔴 poor (web.dev thresholds)

• 🟡 assetDetails/FCP: p75 2.6s
• 🟡 solanaAssetDetails/FCP: p75 2.6s
• 🟡 importSrpHome/FCP: p75 2.5s
• 🟡 sendTransactions/INP: p75 232ms
• 🟡 sendTransactions/FCP: p75 2.6s
• 🟡 swap/FCP: p75 2.6s

Dapp Page Load Benchmarks · Samples: 100

Benchmark	chrome-browserify
dappPageLoad	🟢 [Show logs]

Bundle size diffs [🚨 Warning! Bundle size has increased!]

• background: 1.12 KiB (0.02%)
• ui: 2.44 KiB (0.03%)
• common: 19 Bytes (0%)

[metamaskbotv2]

Builds ready [a792438]

• ⚠️ Make sure the build is safe before downloading and running this build.
  • Please do not use these builds with accounts that contain significant real money.
  • Beware the security risks of cache poisoning.
• builds: chrome, firefox
• builds (beta): chrome, firefox
• builds (flask): chrome, firefox
• builds (test): chrome, firefox
• builds (test-flask): chrome, firefox
• webpack builds: chrome, firefox
• webpack builds (beta): chrome, firefox
• webpack builds (flask): chrome, firefox
• webpack builds (test): chrome, firefox
• webpack builds (test-flask): chrome, firefox
• bundle size: Bundle Size Stats
• bundle analyzer: Bundle Analyzer
• interaction-benchmark: Interaction Stats
• storybook: Storybook
• typescript migration: Dashboard
• all artifacts

⚡ Performance Benchmarks (Total: 🟢 7 pass · 🟡 8 warn · 🔴 0 fail)

Baseline (latest main): 71bd826 | Date: 10/14/58243 | Pipeline: 24795447224 | Baseline logs

Interaction Benchmarks · Samples: 5

Benchmark	chrome-browserify
loadNewAccount	🟡 [Show logs]
confirmTx	🟡 [Show logs]
bridgeUserActions	🟡 [Show logs]

📈 Results compared to the previous 5 runs on main

• ↓ loadNewAccount/load_new_account: -55%
• ↓ loadNewAccount/total: -55%
• ↓ bridgeUserActions/bridge_load_page: -23%
• ↓ bridgeUserActions/bridge_load_asset_picker: -32%
• ↓ bridgeUserActions/bridge_search_token: -25%
• ↓ bridgeUserActions/total: -28%

🌐 Core Web Vitals — 🟢 good · 🟡 needs improvement · 🔴 poor (web.dev thresholds)

• 🟡 loadNewAccount/FCP: p75 2.4s
• 🟡 confirmTx/FCP: p75 2.4s
• 🟡 bridgeUserActions/FCP: p75 2.4s

Startup Benchmarks · Samples: 100

Benchmark	chrome-browserify	chrome-webpack	firefox-browserify	firefox-webpack
startupStandardHome	🟢 [Show logs]	🟢 [Show logs]	🟢 [Show logs]	🟢 [Show logs]

📈 Results compared to the previous 5 runs on main

• ↓ startupStandardHome/uiStartup: -19%
• ↑ startupStandardHome/firstPaint: +16%
• ↑ startupStandardHome/backgroundConnect: +16%
• ↓ startupStandardHome/firstReactRender: -14%
• ↓ startupStandardHome/initialActions: -33%
• ↓ startupStandardHome/loadScripts: -13%
• ↓ startupStandardHome/numNetworkReqs: -37%
• ↓ startupStandardHome/uiStartup: -19%
• ↓ startupStandardHome/load: -14%
• ↓ startupStandardHome/domContentLoaded: -14%
• ↓ startupStandardHome/backgroundConnect: -37%
• ↓ startupStandardHome/firstReactRender: -27%
• ↓ startupStandardHome/loadScripts: -14%
• ↓ startupStandardHome/setupStore: -13%
• ↓ startupStandardHome/numNetworkReqs: -44%
• ↓ startupStandardHome/domInteractive: -37%
• ↑ startupStandardHome/backgroundConnect: +16%
• ↑ startupStandardHome/initialActions: +33%
• ↓ startupStandardHome/numNetworkReqs: -32%
• ↓ startupStandardHome/domInteractive: -23%
• ↑ startupStandardHome/initialActions: +14%
• ↓ startupStandardHome/setupStore: -54%
• ↓ startupStandardHome/numNetworkReqs: -34%

User Journey Benchmarks · Samples: 5 · mock API

Benchmark	chrome-browserify
onboardingImportWallet	🟢 [Show logs]
onboardingNewWallet	🟢 [Show logs]
assetDetails	🟡 [Show logs]
solanaAssetDetails	🟡 [Show logs]
importSrpHome	🟡 [Show logs]
sendTransactions	🟡 [Show logs]
swap	🟡 [Show logs]

📈 Results compared to the previous 5 runs on main

• ↓ onboardingImportWallet/srpButtonToSrpForm: -85%
• ↓ onboardingImportWallet/metricsToWalletReadyScreen: -37%
• ↓ onboardingImportWallet/doneButtonToHomeScreen: -76%
• ↑ onboardingImportWallet/openAccountMenuToAccountListLoaded: +28%
• ↓ onboardingImportWallet/total: -44%
• ↓ onboardingNewWallet/srpButtonToPwForm: -78%
• ↓ onboardingNewWallet/skipBackupToMetricsScreen: -69%
• ↓ onboardingNewWallet/doneButtonToAssetList: -36%
• ↓ onboardingNewWallet/total: -36%
• ↓ assetDetails/assetClickToPriceChart: -50%
• ↓ assetDetails/total: -50%
• ↓ solanaAssetDetails/assetClickToPriceChart: -75%
• ↓ solanaAssetDetails/total: -75%
• ↓ importSrpHome/openAccountMenuAfterLogin: -80%
• ↓ importSrpHome/homeAfterImportWithNewWallet: -66%
• ↓ importSrpHome/total: -60%
• ↓ sendTransactions/openSendPageFromHome: -29%
• ↓ sendTransactions/selectTokenToSendFormLoaded: -24%
• ↑ sendTransactions/reviewTransactionToConfirmationPage: +34%
• ↑ sendTransactions/total: +31%
• ↓ swap/openSwapPageFromHome: -97%
• ↑ swap/fetchAndDisplaySwapQuotes: +32%
• ↑ swap/total: +11%

🌐 Core Web Vitals — 🟢 good · 🟡 needs improvement · 🔴 poor (web.dev thresholds)

• 🟡 assetDetails/FCP: p75 2.5s
• 🟡 solanaAssetDetails/FCP: p75 2.5s
• 🟡 importSrpHome/FCP: p75 2.5s
• 🟡 sendTransactions/FCP: p75 2.5s
• 🟡 swap/FCP: p75 2.4s

Dapp Page Load Benchmarks · Samples: 100

Benchmark	chrome-browserify
dappPageLoad	🟢 [Show logs]

Bundle size diffs

• background: 58 Bytes (0%)
• ui: 5 Bytes (0%)
• common: 27 Bytes (0%)

[metamaskbotv2]

Builds ready [a792438]

• ⚠️ Make sure the build is safe before downloading and running this build.
  • Please do not use these builds with accounts that contain significant real money.
  • Beware the security risks of cache poisoning.
• builds: chrome, firefox
• builds (beta): chrome, firefox
• builds (flask): chrome, firefox
• builds (test): chrome, firefox
• builds (test-flask): chrome, firefox
• webpack builds: chrome, firefox
• webpack builds (beta): chrome, firefox
• webpack builds (flask): chrome, firefox
• webpack builds (test): chrome, firefox
• webpack builds (test-flask): chrome, firefox
• bundle size: Bundle Size Stats
• bundle analyzer: Bundle Analyzer
• interaction-benchmark: Interaction Stats
• storybook: Storybook
• typescript migration: Dashboard
• all artifacts

⚡ Performance Benchmarks (Total: 🟢 7 pass · 🟡 8 warn · 🔴 0 fail)

Baseline (latest main): 71bd826 | Date: 10/14/58243 | Pipeline: 24795447224 | Baseline logs

Interaction Benchmarks · Samples: 5

Benchmark	chrome-browserify
loadNewAccount	🟡 [Show logs]
confirmTx	🟡 [Show logs]
bridgeUserActions	🟡 [Show logs]

📈 Results compared to the previous 5 runs on main

• ↓ loadNewAccount/load_new_account: -55%
• ↓ loadNewAccount/total: -55%
• ↓ bridgeUserActions/bridge_load_page: -23%
• ↓ bridgeUserActions/bridge_load_asset_picker: -32%
• ↓ bridgeUserActions/bridge_search_token: -25%
• ↓ bridgeUserActions/total: -28%

🌐 Core Web Vitals — 🟢 good · 🟡 needs improvement · 🔴 poor (web.dev thresholds)

• 🟡 loadNewAccount/FCP: p75 2.4s
• 🟡 confirmTx/FCP: p75 2.4s
• 🟡 bridgeUserActions/FCP: p75 2.4s

Startup Benchmarks · Samples: 100

Benchmark	chrome-browserify	chrome-webpack	firefox-browserify	firefox-webpack
startupStandardHome	🟢 [Show logs]	🟢 [Show logs]	🟢 [Show logs]	🟢 [Show logs]

📈 Results compared to the previous 5 runs on main

• ↓ startupStandardHome/uiStartup: -19%
• ↑ startupStandardHome/firstPaint: +16%
• ↑ startupStandardHome/backgroundConnect: +16%
• ↓ startupStandardHome/firstReactRender: -14%
• ↓ startupStandardHome/initialActions: -33%
• ↓ startupStandardHome/loadScripts: -13%
• ↓ startupStandardHome/numNetworkReqs: -37%
• ↓ startupStandardHome/uiStartup: -19%
• ↓ startupStandardHome/load: -14%
• ↓ startupStandardHome/domContentLoaded: -14%
• ↓ startupStandardHome/backgroundConnect: -37%
• ↓ startupStandardHome/firstReactRender: -27%
• ↓ startupStandardHome/loadScripts: -14%
• ↓ startupStandardHome/setupStore: -13%
• ↓ startupStandardHome/numNetworkReqs: -44%
• ↓ startupStandardHome/domInteractive: -37%
• ↑ startupStandardHome/backgroundConnect: +16%
• ↑ startupStandardHome/initialActions: +33%
• ↓ startupStandardHome/numNetworkReqs: -32%
• ↓ startupStandardHome/domInteractive: -23%
• ↑ startupStandardHome/initialActions: +14%
• ↓ startupStandardHome/setupStore: -54%
• ↓ startupStandardHome/numNetworkReqs: -34%

User Journey Benchmarks · Samples: 5 · mock API

Benchmark	chrome-browserify
onboardingImportWallet	🟢 [Show logs]
onboardingNewWallet	🟢 [Show logs]
assetDetails	🟡 [Show logs]
solanaAssetDetails	🟡 [Show logs]
importSrpHome	🟡 [Show logs]
sendTransactions	🟡 [Show logs]
swap	🟡 [Show logs]

📈 Results compared to the previous 5 runs on main

• ↓ onboardingImportWallet/srpButtonToSrpForm: -85%
• ↓ onboardingImportWallet/metricsToWalletReadyScreen: -37%
• ↓ onboardingImportWallet/doneButtonToHomeScreen: -76%
• ↑ onboardingImportWallet/openAccountMenuToAccountListLoaded: +28%
• ↓ onboardingImportWallet/total: -44%
• ↓ onboardingNewWallet/srpButtonToPwForm: -78%
• ↓ onboardingNewWallet/skipBackupToMetricsScreen: -69%
• ↓ onboardingNewWallet/doneButtonToAssetList: -36%
• ↓ onboardingNewWallet/total: -36%
• ↓ assetDetails/assetClickToPriceChart: -50%
• ↓ assetDetails/total: -50%
• ↓ solanaAssetDetails/assetClickToPriceChart: -75%
• ↓ solanaAssetDetails/total: -75%
• ↓ importSrpHome/openAccountMenuAfterLogin: -80%
• ↓ importSrpHome/homeAfterImportWithNewWallet: -66%
• ↓ importSrpHome/total: -60%
• ↓ sendTransactions/openSendPageFromHome: -29%
• ↓ sendTransactions/selectTokenToSendFormLoaded: -24%
• ↑ sendTransactions/reviewTransactionToConfirmationPage: +34%
• ↑ sendTransactions/total: +31%
• ↓ swap/openSwapPageFromHome: -97%
• ↑ swap/fetchAndDisplaySwapQuotes: +32%
• ↑ swap/total: +11%

🌐 Core Web Vitals — 🟢 good · 🟡 needs improvement · 🔴 poor (web.dev thresholds)

• 🟡 assetDetails/FCP: p75 2.5s
• 🟡 solanaAssetDetails/FCP: p75 2.5s
• 🟡 importSrpHome/FCP: p75 2.5s
• 🟡 sendTransactions/FCP: p75 2.5s
• 🟡 swap/FCP: p75 2.4s

Dapp Page Load Benchmarks · Samples: 100

Benchmark	chrome-browserify
dappPageLoad	🟢 [Show logs]

Bundle size diffs

• background: 58 Bytes (0%)
• ui: 5 Bytes (0%)
• common: 27 Bytes (0%)

[Gudahtt]

LGTM!

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 90f32ce. Configure here.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[metamaskbotv2]

Builds ready [6742cfc]

• ⚠️ Make sure the build is safe before downloading and running this build.
  • Please do not use these builds with accounts that contain significant real money.
  • Beware the security risks of cache poisoning.
• builds: chrome, firefox
• builds (beta): chrome, firefox
• builds (flask): chrome, firefox
• builds (test): chrome, firefox
• builds (test-flask): chrome, firefox
• webpack builds: chrome, firefox
• webpack builds (beta): chrome, firefox
• webpack builds (flask): chrome, firefox
• webpack builds (test): chrome, firefox
• webpack builds (test-flask): chrome, firefox
• bundle size: Bundle Size Stats
• bundle analyzer: Bundle Analyzer
• interaction-benchmark: Interaction Stats
• storybook: Storybook
• typescript migration: Dashboard
• all artifacts

⚡ Performance Benchmarks (Total: 🟢 0 pass · 🟡 0 warn · 🔴 0 fail)

Baseline (latest main): 71bd826 | Date: 10/14/58243 | Pipeline: 25191239725 | Baseline logs

Interaction Benchmarks · Samples: 5

⚠️ Missing data: chrome/webpack/interactionUserActions, firefox/webpack/interactionUserActions

✅ No regressions detected

Startup Benchmarks · Samples: 100

⚠️ Missing data: chrome/webpack/startupStandardHome, chrome/webpack/startupPowerUserHome, firefox/webpack/startupStandardHome, firefox/webpack/startupPowerUserHome

✅ No regressions detected

User Journey Benchmarks · Samples: 5 · mock API

⚠️ Missing data: chrome/webpack/userJourneyOnboardingImport, chrome/webpack/userJourneyOnboardingNew, chrome/webpack/userJourneyAssets, chrome/webpack/userJourneyAccountManagement, chrome/webpack/userJourneyTransactions, firefox/webpack/userJourneyOnboardingImport, firefox/webpack/userJourneyOnboardingNew, firefox/webpack/userJourneyAssets, firefox/webpack/userJourneyAccountManagement, firefox/webpack/userJourneyTransactions

✅ No regressions detected

Dapp Page Load Benchmarks · Samples: 100

⚠️ Missing data: chrome/webpack/pageLoadBenchmark

✅ No regressions detected

Bundle size diffs

• background: 58 Bytes (0%)
• ui: 5 Bytes (0%)
• common: 26 Bytes (0%)