Initial commit by 0xEdouardEth · Pull Request #2 · MetaMask/test-dapp-stellar

0xEdouardEth · 2026-04-29T12:59:33Z

No description provided.

socket-security · 2026-04-29T13:00:55Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@lavamoat/preinstall-always-fail@2.1.1
	@yarnpkg/types@4.0.1
	jsdom@26.1.0
	@walletconnect/types@2.23.9
	@types/react-dom@18.3.7
	@walletconnect/sign-client@2.23.9
	vitest@3.2.4
	@types/react@18.3.28
	@reown/appkit@1.8.19
	depcheck@1.4.7
	@creit.tech/stellar-wallets-kit@2.1.0
	vite@6.4.2
	react@18.3.1
	vite-plugin-node-polyfills@0.22.0
	@testing-library/dom@10.4.1
	@testing-library/react@16.3.2
	typescript@5.6.3
	prettier@3.8.2
	@vitejs/plugin-react-swc@3.11.0
	react-dom@18.3.1
	@biomejs/biome@1.9.4
	@metamask/auto-changelog@5.3.2
	@stellar/stellar-sdk@15.0.1
	@lavamoat/allow-scripts@3.4.3

View full report

socket-security · 2026-04-29T13:00:57Z

Caution

MetaMask internal reviewing guidelines:

Do not ignore-all
Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
@SocketSecurity ignore npm/PACKAGE@VERSION

Action	Severity	Alert (click "▶" to expand/collapse)
Block		Obfuscated code: npm `entities` is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: `?` → `npm/jsdom@26.1.0` → `npm/entities@6.0.1` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/entities@6.0.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Obfuscated code: npm `xrpl` is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: `?` → `npm/@creit.tech/stellar-wallets-kit@2.1.0` → `npm/xrpl@4.4.3` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/xrpl@4.4.3`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@albedo-link/intent` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@creit.tech/stellar-wallets-kit@2.1.0` → `npm/@albedo-link/intent@0.12.0` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@albedo-link/intent@0.12.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@base-org/account` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@reown/appkit@1.8.19` → `npm/@base-org/account@2.4.0` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@base-org/account@2.4.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		System shell access: npm `@biomejs/biome` in module child_process Module: child_process Location: Package overview From: package.json → `npm/@biomejs/biome@1.9.4` ℹ Read more on: This package \| This alert \| What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@biomejs/biome@1.9.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@coinbase/cdp-sdk` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@reown/appkit@1.8.19` → `npm/@coinbase/cdp-sdk@1.48.1` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@coinbase/cdp-sdk@1.48.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@creit.tech/stellar-wallets-kit` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: package.json → `npm/@creit.tech/stellar-wallets-kit@2.1.0` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@creit.tech/stellar-wallets-kit@2.1.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@ethereumjs/util` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@creit.tech/stellar-wallets-kit@2.1.0` → `npm/@ethereumjs/util@10.1.1` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@ethereumjs/util@10.1.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@hot-wallet/sdk` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@creit.tech/stellar-wallets-kit@2.1.0` → `npm/@hot-wallet/sdk@1.0.11` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@hot-wallet/sdk@1.0.11`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@metamask/auto-changelog` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: package.json → `npm/@metamask/auto-changelog@5.3.2` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@metamask/auto-changelog@5.3.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@near-wallet-selector/core` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@creit.tech/stellar-wallets-kit@2.1.0` → `npm/@near-wallet-selector/core@8.10.2` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@near-wallet-selector/core@8.10.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@npmcli/git` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@lavamoat/allow-scripts@3.4.3` → `npm/@npmcli/git@7.0.2` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@npmcli/git@7.0.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		System shell access: npm `@npmcli/promise-spawn` in module child_process Module: child_process Location: Package overview From: `?` → `npm/@lavamoat/allow-scripts@3.4.3` → `npm/@npmcli/promise-spawn@9.0.1` ℹ Read more on: This package \| This alert \| What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@npmcli/promise-spawn@9.0.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@octokit/request` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@metamask/auto-changelog@5.3.2` → `npm/@octokit/request@8.4.1` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@octokit/request@8.4.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@protobufjs/fetch` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@creit.tech/stellar-wallets-kit@2.1.0` → `npm/@protobufjs/fetch@1.1.0` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@protobufjs/fetch@1.1.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@reown/appkit-controllers` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@reown/appkit@1.8.19` → `npm/@reown/appkit-controllers@1.8.19` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@reown/appkit-controllers@1.8.19`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@reown/appkit-pay` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@reown/appkit@1.8.19` → `npm/@reown/appkit-pay@1.8.19` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@reown/appkit-pay@1.8.19`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@reown/appkit-utils` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@reown/appkit@1.8.19` → `npm/@reown/appkit-utils@1.8.19` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@reown/appkit-utils@1.8.19`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@reown/appkit` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: package.json → `npm/@reown/appkit@1.8.19` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@reown/appkit@1.8.19`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@safe-global/safe-gateway-typescript-sdk` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@reown/appkit@1.8.19` → `npm/@safe-global/safe-gateway-typescript-sdk@3.23.1` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@safe-global/safe-gateway-typescript-sdk@3.23.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@solana-program/token-2022` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@creit.tech/stellar-wallets-kit@2.1.0` → `npm/@solana-program/token-2022@0.4.2` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@solana-program/token-2022@0.4.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@solana/accounts` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@creit.tech/stellar-wallets-kit@2.1.0` → `npm/@solana/accounts@2.3.0` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@solana/accounts@2.3.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@solana/accounts` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@reown/appkit@1.8.19` → `npm/@solana/accounts@5.5.1` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@solana/accounts@5.5.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@solana/rpc-transport-http` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@creit.tech/stellar-wallets-kit@2.1.0` → `npm/@solana/rpc-transport-http@2.3.0` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@solana/rpc-transport-http@2.3.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@solana/rpc-transport-http` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@reown/appkit@1.8.19` → `npm/@solana/rpc-transport-http@5.5.1` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@solana/rpc-transport-http@5.5.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@solana/web3.js` in module http Module: http Location: Package overview From: `?` → `npm/@creit.tech/stellar-wallets-kit@2.1.0` → `npm/@solana/web3.js@1.98.4` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@solana/web3.js@1.98.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@solana/web3.js` in module https Module: https Location: Package overview From: `?` → `npm/@creit.tech/stellar-wallets-kit@2.1.0` → `npm/@solana/web3.js@1.98.4` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@solana/web3.js@1.98.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
See 253 more rows in the dashboard

View full report

+    name: Prepare
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version: [18.x, 20.x, 22.x]
+    steps:
+      - name: Checkout and setup environment
+        uses: MetaMask/action-checkout-and-setup@v1
+        with:
+          is-high-risk-environment: false
+          node-version: ${{ matrix.node-version }}
+          cache-node-modules: ${{ matrix.node-version == '22.x' }}
+
+  build:


+    name: Build
+    needs: prepare
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version: [22.x]
+    steps:
+      - name: Checkout and setup environment
+        uses: MetaMask/action-checkout-and-setup@v1
+        with:
+          is-high-risk-environment: false
+          node-version: ${{ matrix.node-version }}
+      - run: yarn build
+      - name: Require clean working directory
+        shell: bash
+        run: |
+          if ! git diff --exit-code; then
+            echo "Working tree dirty at end of job"
+            exit 1
+          fi
+
+  lint:


+    name: Lint
+    needs: prepare
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version: [22.x]
+    steps:
+      - name: Checkout and setup environment
+        uses: MetaMask/action-checkout-and-setup@v1
+        with:
+          is-high-risk-environment: false
+          node-version: ${{ matrix.node-version }}
+      - run: yarn lint
+      - name: Validate RC changelog
+        if: ${{ startsWith(github.head_ref, 'release/') }}
+        run: yarn lint:changelog --rc
+      - name: Validate changelog
+        if: ${{ !startsWith(github.head_ref, 'release/') }}
+        run: yarn lint:changelog
+      - name: Require clean working directory
+        shell: bash
+        run: |
+          if ! git diff --exit-code; then
+            echo "Working tree dirty at end of job"
+            exit 1
+          fi
+
+  test:


+    name: Test
+    needs: prepare
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version: [18.x, 20.x, 22.x]
+    steps:
+      - name: Checkout and setup environment
+        uses: MetaMask/action-checkout-and-setup@v1
+        with:
+          is-high-risk-environment: false
+          node-version: ${{ matrix.node-version }}
+      - run: yarn test
+      - name: Require clean working directory
+        shell: bash
+        run: |
+          if ! git diff --exit-code; then
+            echo "Working tree dirty at end of job"
+            exit 1
+          fi
+
+  compatibility-test:


+    name: Compatibility test
+    needs: prepare
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        node-version: [18.x, 20.x, 22.x]
+    steps:
+      - name: Checkout and setup environment
+        uses: MetaMask/action-checkout-and-setup@v1
+        with:
+          is-high-risk-environment: false
+          node-version: ${{ matrix.node-version }}
+      - name: Install dependencies via Yarn
+        run: rm yarn.lock && YARN_ENABLE_IMMUTABLE_INSTALLS=false yarn
+      - run: yarn test
+      - name: Restore lockfile
+        run: git restore yarn.lock
+      - name: Require clean working directory
+        shell: bash
+        run: |
+          if ! git diff --exit-code; then
+            echo "Working tree dirty at end of job"
+            exit 1
+          fi


+    if: github.event_name == 'push' && startsWith(github.event.head_commit.author.name, 'github-actions')
+    needs: all-jobs-pass
+    outputs:
+      IS_RELEASE: ${{ steps.is-release.outputs.IS_RELEASE }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: MetaMask/action-is-release@v1
+        id: is-release
+
+  publish-release:


+    name: Get release version
+    runs-on: ubuntu-latest
+    outputs:
+      release-version: ${{ steps.release-name.outputs.RELEASE_VERSION }}
+    steps:
+      - name: Extract release version from branch name
+        id: release-name
+        run: |
+          BRANCH_NAME='${{ github.ref_name }}'
+          echo "RELEASE_VERSION=v${BRANCH_NAME#release/}" >> "$GITHUB_OUTPUT"
+  publish-to-gh-pages:


+    needs: publish-release
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout and setup environment
+        uses: MetaMask/action-checkout-and-setup@v1
+        with:
+          is-high-risk-environment: true
+          ref: ${{ github.sha }}
+      - name: Restore build artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: publish-release-artifacts-${{ github.sha }}
+      - name: Dry Run Publish
+        # omit npm-token token to perform dry run publish
+        uses: MetaMask/action-npm-publish@v5
+        with:
+          slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
+          subteam: S042S7RE4AE # @metamask-npm-publishers
+        env:
+          SKIP_PREPACK: true
+
+  publish-npm:


+    needs: publish-npm-dry-run
+    runs-on: ubuntu-latest
+    environment: npm-publish
+    steps:
+      - name: Checkout and setup environment
+        uses: MetaMask/action-checkout-and-setup@v1
+        with:
+          is-high-risk-environment: true
+          ref: ${{ github.sha }}
+      - name: Restore build artifacts
+        uses: actions/download-artifact@v4
+        with:
+          name: publish-release-artifacts-${{ github.sha }}
+      - name: Publish
+        uses: MetaMask/action-npm-publish@v5
+        with:
+          # This `NPM_TOKEN` needs to be manually set per-repository.
+          # Look in the repository settings under "Environments", and set this token in the `npm-publish` environment.
+          npm-token: ${{ secrets.NPM_TOKEN }}
+        env:
+          SKIP_PREPACK: true
+
+  get-release-version:


+    needs: publish-npm
+    runs-on: ubuntu-latest
+    outputs:
+      RELEASE_VERSION: ${{ steps.get-release-version.outputs.RELEASE_VERSION }}
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          ref: ${{ github.sha }}
+      - id: get-release-version
+        shell: bash
+        run: ./scripts/get.sh ".version" "RELEASE_VERSION"
+
+  publish-release-to-gh-pages:


github-advanced-security · 2026-04-29T13:24:45Z

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

adaOctopus approved these changes Apr 29, 2026

View reviewed changes

0xEdouardEth and others added 7 commits April 29, 2026 15:22

Initial commit

b64b383

fix: wallet-connect and remove SEP-043

6760893

feat: add sendUSDC test

d0763b4

fix: rejected error on signTransaction

fc5041b

fix: lint

e8d21fe

feat: prepare release

79fc0d8

fix: remove metamask

7a45887

0xEdouardEth force-pushed the init branch from 7f8b946 to 7a45887 Compare April 29, 2026 13:22

github-advanced-security AI found potential problems Apr 29, 2026

View reviewed changes

fix: @creit.tech/stellar-wallets-kit dependency

3b434aa

0xEdouardEth force-pushed the init branch from 8448305 to 3b434aa Compare April 29, 2026 13:30

0xEdouardEth added 5 commits April 29, 2026 15:37

fix: tests

f26623c

fix: lint

a022090

fix: lint

fd8e67f

fix: test

aad8050

fix: lint

87e84dd

adaOctopus approved these changes Apr 29, 2026

View reviewed changes

0xEdouardEth merged commit 9201f5e into main Apr 29, 2026
27 of 28 checks passed

0xEdouardEth deleted the init branch May 6, 2026 09:12

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Initial commit#2

Initial commit#2
0xEdouardEth merged 13 commits into
mainfrom
init

0xEdouardEth commented Apr 29, 2026

Uh oh!

socket-security Bot commented Apr 29, 2026 •

edited

Loading

Uh oh!

socket-security Bot commented Apr 29, 2026 •

edited

Loading

Uh oh!

github-advanced-security AI commented Apr 29, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

0xEdouardEth commented Apr 29, 2026

Uh oh!

socket-security Bot commented Apr 29, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

socket-security Bot commented Apr 29, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

github-advanced-security AI commented Apr 29, 2026

What Enabling Code Scanning Means:

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

socket-security Bot commented Apr 29, 2026 •

edited

Loading

socket-security Bot commented Apr 29, 2026 •

edited

Loading