chore(6938): migrate settings-search InputAdornment from MUI v4 → v5#41957

Draft
Copilot wants to merge 3 commits into main from copilot/migrate-settings-search-inputadornment-v4-v5

Conversation

Contributor

Copilot AI commented Apr 20, 2026

Part of the broader MUI v4 → v5 migration. Updates the single @material-ui/core/InputAdornment usage in the settings search component to @mui/material/InputAdornment. The InputAdornment API is unchanged between versions.

Changes

  • settings-search.js — swap import path:
    - import InputAdornment from '@material-ui/core/InputAdornment';
    + import InputAdornment from '@mui/material/InputAdornment';
  • package.json — add @mui/material: "^5.14.0" as a direct dependency (@mui/material v5.18.0 was already present as a transitive dep; this makes the direct usage explicit)
  • yarn.lock — one-line update to register @mui/material under the root workspace metadata (no new resolution required)
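Review bot: the import swap is a drop-in change, but the package.json entry declares "^5.14.0" while yarn.lock already resolves @mui/material to 5.18.0, so the floor the manifest promises is not the version CI actually exercises; consider declaring the resolved version (or the range the other MUI v5 migration PRs use) so the direct dependency and the lockfile agree. Separately, the Socket direct-dependency diff on this thread reports koa 3.2.0 ⏵ 3.1.1 and @playwright/test 1.59.1 ⏵ 1.55.0 although this change touches neither, which indicates the branch is behind main; rebase before merge so the dependency diff contains only the @mui/material addition.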

Copilot AI changed the title from "[WIP] Migrate settings search InputAdornment from MUI v4 to v5" to "feat: migrate settings-search InputAdornment from MUI v4 → v5" Apr 20, 2026
Copilot AI requested a review from MajorLift April 20, 2026 14:23
@MajorLift
Contributor

@metamaskbot update-policies

@metamaskbot
Collaborator

No policy changes

@DDDDDanica DDDDDanica changed the title from "feat: migrate settings-search InputAdornment from MUI v4 → v5" to "chore(6938): migrate settings-search InputAdornment from MUI v4 → v5" May 7, 2026
@github-actions
Contributor

github-actions Bot commented May 7, 2026

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

@github-actions github-actions Bot added size-S and removed size-XS labels May 7, 2026
@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                             Supply Chain Security  Vulnerability  Quality  Maintenance  License
Updated  koa@3.2.0 ⏵ 3.1.1                   98                     85 (-15)       100      92           100
Updated  @playwright/test@1.59.1 ⏵ 1.55.0    100                    100            100      99           100

View full report

@socket-security

Caution

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action | Severity | Alert (click "▶" to expand/collapse)
Block Critical
Critical CVE: Basic FTP has Path Traversal Vulnerability in its downloadToDir() method in npm basic-ftp

CVE: GHSA-5rq4-664w-9x2c Basic FTP has Path Traversal Vulnerability in its downloadToDir() method (CRITICAL)

Affected versions: < 5.2.0

Patched version: 5.2.0

From: ? → npm/mockttp@4.2.3 → npm/basic-ftp@5.0.4

ℹ Read more on: This package | This alert | What is a critical CVE?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/basic-ftp@5.0.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Critical
Critical CVE: Handlebars.js has JavaScript Injection via AST Type Confusion

CVE: GHSA-2w6w-674q-4c4q Handlebars.js has JavaScript Injection via AST Type Confusion (CRITICAL)

Affected versions: >= 4.0.0 < 4.7.9

Patched version: 4.7.9

From: ? → npm/@storybook/addon-docs@7.6.21 → npm/@storybook/addon-essentials@7.6.21 → npm/@storybook/react@7.6.21 → npm/@storybook/react-webpack5@7.6.21 → npm/storybook@7.6.21 → npm/@storybook/test-runner@0.14.1 → npm/handlebars@4.7.7

ℹ Read more on: This package | This alert | What is a critical CVE?


Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/handlebars@4.7.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block High
High CVE: Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block

CVE: GHSA-3mfm-83xf-c92r Handlebars.js has JavaScript Injection via AST Type Confusion by tampering @partial-block (HIGH)

Affected versions: >= 4.0.0 < 4.7.9

Patched version: 4.7.9

From: ? → npm/@storybook/addon-docs@7.6.21 → npm/@storybook/addon-essentials@7.6.21 → npm/@storybook/react@7.6.21 → npm/@storybook/react-webpack5@7.6.21 → npm/storybook@7.6.21 → npm/@storybook/test-runner@0.14.1 → npm/handlebars@4.7.7

ℹ Read more on: This package | This alert | What is a CVE?


Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/handlebars@4.7.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block High
High CVE: Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options

CVE: GHSA-xjpj-3mr7-gcpf Handlebars.js has JavaScript Injection in CLI Precompiler via Unescaped Names and Options (HIGH)

Affected versions: >= 4.0.0 < 4.7.9

Patched version: 4.7.9

From: ? → npm/@storybook/addon-docs@7.6.21 → npm/@storybook/addon-essentials@7.6.21 → npm/@storybook/react@7.6.21 → npm/@storybook/react-webpack5@7.6.21 → npm/storybook@7.6.21 → npm/@storybook/test-runner@0.14.1 → npm/handlebars@4.7.7

ℹ Read more on: This package | This alert | What is a CVE?


Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/handlebars@4.7.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block High
High CVE: Immutable is vulnerable to Prototype Pollution

CVE: GHSA-wf6x-7x77-mvgw Immutable is vulnerable to Prototype Pollution (HIGH)

Affected versions: >= 4.0.0-rc.1 < 4.3.8; >= 5.0.0 < 5.1.5; < 3.8.3

Patched version: 4.3.8

From: ? → npm/sass-embedded@1.71.0 → npm/immutable@4.3.4

ℹ Read more on: This package | This alert | What is a CVE?


Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/immutable@4.3.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block High
High CVE: Koa has Host Header Injection via ctx.hostname

CVE: GHSA-7gcc-r8m5-44qm Koa has Host Header Injection via ctx.hostname (HIGH)

Affected versions: >= 3.0.0 < 3.1.2; < 2.16.4

Patched version: 3.1.2

From: package.json → npm/koa@3.1.1

ℹ Read more on: This package | This alert | What is a CVE?


Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/koa@3.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block High
High CVE: Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate

CVE: GHSA-7mvr-c777-76hp Playwright downloads and installs browsers without verifying the authenticity of the SSL certificate (HIGH)

Affected versions: < 1.55.1

Patched version: 1.55.1

From: ? → npm/@playwright/test@1.55.0 → npm/playwright@1.55.0

ℹ Read more on: This package | This alert | What is a CVE?


Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/playwright@1.55.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Deprecated by its maintainer: npm basic-ftp

Reason: Security vulnerability fixed in 5.2.1, please upgrade

From: ? → npm/mockttp@4.2.3 → npm/basic-ftp@5.0.4

ℹ Read more on: This package | This alert | What is a deprecated package?


Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/basic-ftp@5.0.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Medium CVE: npm ejs lacks certain pollution protection

CVE: GHSA-ghr5-ch3p-vcr6 ejs lacks certain pollution protection (MODERATE)

Affected versions: < 3.1.10

Patched version: 3.1.10

From: ? → npm/storybook@7.6.21 → npm/ejs@3.1.9

ℹ Read more on: This package | This alert | What is a medium CVE?


Suggestion: Remove or replace dependencies that include known medium severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ejs@3.1.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Medium CVE: npm lockfile-lint-api Vulnerable to Incorrect Behavior Order

CVE: GHSA-7cfr-5cjf-32p4 lockfile-lint-api Vulnerable to Incorrect Behavior Order (MODERATE)

Affected versions: < 5.9.2

Patched version: 5.9.2

From: ? → npm/lockfile-lint@4.10.6 → npm/lockfile-lint-api@5.5.5

ℹ Read more on: This package | This alert | What is a medium CVE?


Suggestion: Remove or replace dependencies that include known medium severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/lockfile-lint-api@5.5.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Medium CVE: Cross site scripting in npm markdown-to-jsx

CVE: GHSA-4wx3-54gh-9fr9 Cross site scripting in markdown-to-jsx (MODERATE)

Affected versions: < 7.4.0

Patched version: 7.4.0

From: ? → npm/@storybook/addon-docs@7.6.21 → npm/@storybook/addon-essentials@7.6.21 → npm/markdown-to-jsx@7.2.0

ℹ Read more on: This package | This alert | What is a medium CVE?


Suggestion: Remove or replace dependencies that include known medium severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/markdown-to-jsx@7.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Medium CVE: Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS

CVE: GHSA-phc3-fgpg-7m6h Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS (MODERATE)

Affected versions: >= 7.17.0 < 7.24.0

Patched version: 7.24.0

From: ? → npm/addons-linter@9.8.0 → npm/undici@7.20.0

ℹ Read more on: This package | This alert | What is a medium CVE?


Suggestion: Remove or replace dependencies that include known medium severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@7.20.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm ejs is 100.0% likely to have a medium risk anomaly

Notes: This is the official EJS templating engine code (v3.1.8). It does not contain malware or network/backdoor behavior. The primary security risk is inherent to templating engines: dynamic code compilation via new Function and inclusion of files means untrusted template content or attacker-controlled include paths/data can lead to remote code execution or local file execution. Use safe handling: do not compile/render untrusted templates, avoid enabling raw/unescaped output for untrusted data, restrict file include roots and use a custom fileLoader/includer if needed.

Confidence: 1.00

Severity: 0.60

From: ? → npm/storybook@7.6.21 → npm/ejs@3.1.9

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?


Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ejs@3.1.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm playwright-core is 100.0% likely to have a medium risk anomaly

Notes: This macOS installation script implements multiple dangerous security practices that create significant supply-chain attack vectors. The script downloads arbitrary .pkg files from user-supplied URLs using curl with TLS certificate verification explicitly disabled (-k flag), making it vulnerable to man-in-the-middle attacks. It performs no integrity checks (no checksums or signature verification) before installing packages with root privileges via sudo installer. The script writes to a predictable /tmp path, creating TOCTOU race conditions, and immediately removes downloaded artifacts, hindering forensic analysis. The combination of insecure network transfer, lack of authenticity verification, and privileged execution creates a high-risk pathway for arbitrary code execution with root privileges if an attacker controls the URL or network path. While the script contains no embedded malicious code, these unsafe installation practices materially increase system compromise risk.

Confidence: 1.00

Severity: 0.60

From: ? → npm/@playwright/test@1.55.0 → npm/playwright-core@1.55.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?


Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/playwright-core@1.55.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm playwright is 100.0% likely to have a medium risk anomaly

Notes: The code fragment is a legitimate test runner component (Playwright-like) with standard security considerations. There is no direct malware, backdoors, or data leakage observed. Security risk is moderate due to the plugin surface area and external dependencies; ensure trusted plugins and config integrity to minimize supply-chain risk.

Confidence: 1.00

Severity: 0.60

From: ? → npm/@playwright/test@1.55.0 → npm/playwright@1.55.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?


Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/playwright@1.55.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Low CVE: npm tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter

CVE: GHSA-52f5-9888-hmc6 tmp allows arbitrary temporary file / directory write via symbolic link dir parameter (LOW)

Affected versions: < 0.2.4

Patched version: 0.2.4

From: ? → npm/selenium-webdriver@4.31.0 → npm/tmp@0.2.3

ℹ Read more on: This package | This alert | What is a mild CVE?


Suggestion: Remove or replace dependencies that include known low severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tmp@0.2.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm undici is 100.0% likely to have a medium risk anomaly

Notes: The code performs an in-place re-encoding of a local file (undici-fetch.js) and overwrites it with latin1-encoded data. There is no evidence of exfiltration, backdoors, or network activity. However, the lack of validation, error handling, and the fact that it can corrupt or permanently alter a source file constitutes a nontrivial risk. In a supply-chain or extension context, such a script could be misused to tamper with code. It is not inherently malicious by itself but is risky and should be restricted or audited before typical usage in a build or runtime environment.

Confidence: 1.00

Severity: 0.60

From: ? → npm/addons-linter@9.8.0 → npm/undici@7.20.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?


Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@7.20.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@github-actions github-actions Bot added the "retry-ci" label (Tells GitHub Actions to retry failed jobs, label removed automatically before the retry) May 7, 2026
@sonarqubecloud

sonarqubecloud Bot commented May 7, 2026
