fix: Ensure peer dependencies reflect latest breaking changes #6652

Gudahtt · 2025-09-18T15:02:45Z

Explanation

Our constraints for peerDependencies previously only required the major version to match. However, this was problematic for pre-1.0 packages because it allowed for situations where we cannot update a package without introducing a peer dependency error, since pre-1.0 packages can have breaking changes in minor or patch releases.

The constraint has been updated to require the most significant part of the version to be synchronized for peer dependencies, and all resulting constraint errors have been auto-fixed.

References

N/A

Checklist

I've updated the test suite for new or updated code as appropriate
I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
I've communicated my changes to consumers by updating changelogs for packages I've changed, highlighting breaking changes as necessary
I've prepared draft pull requests for clients and consumer packages to resolve any breaking changes
- Extension: chore: Update packages to resolve peer dependency warnings metamask-extension#36093
- Mobile: chore: Update Earn controller to resolve peer dependency warnings metamask-mobile#20044

socket-security · 2025-09-18T15:10:12Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@metamask/account-tree-controller@0.12.1 ⏵ 0.18.1	⁺²		⁺²⁷	⁺³

View full report

Gudahtt · 2025-09-18T16:43:36Z

Rebased to resolve changelog conflicts in account-tree-controller

mcmire

LGTM! This does seem better than the behavior that was in place before #6274 was merged.

cryptodev-2s

LGTM!

Gudahtt · 2025-09-19T13:36:48Z

Rebased to resolve conflicts again

Gudahtt · 2025-09-19T13:40:08Z

@metamaskbot publish-preview

cryptodev-2s

LGTM!

github-actions · 2025-09-19T13:46:27Z

Preview builds have been published. See these instructions for more information about preview builds.

Expand for full list of packages and versions.

{
  "@metamask-previews/account-tree-controller": "0.18.0-preview-a7d366c",
  "@metamask-previews/accounts-controller": "33.1.0-preview-a7d366c",
  "@metamask-previews/address-book-controller": "6.1.1-preview-a7d366c",
  "@metamask-previews/announcement-controller": "7.0.3-preview-a7d366c",
  "@metamask-previews/app-metadata-controller": "1.0.0-preview-a7d366c",
  "@metamask-previews/approval-controller": "7.1.3-preview-a7d366c",
  "@metamask-previews/assets-controllers": "75.2.0-preview-a7d366c",
  "@metamask-previews/base-controller": "8.4.0-preview-a7d366c",
  "@metamask-previews/bridge-controller": "43.1.0-preview-a7d366c",
  "@metamask-previews/bridge-status-controller": "43.1.0-preview-a7d366c",
  "@metamask-previews/build-utils": "3.0.3-preview-a7d366c",
  "@metamask-previews/chain-agnostic-permission": "1.1.1-preview-a7d366c",
  "@metamask-previews/composable-controller": "11.0.0-preview-a7d366c",
  "@metamask-previews/controller-utils": "11.14.0-preview-a7d366c",
  "@metamask-previews/delegation-controller": "0.7.0-preview-a7d366c",
  "@metamask-previews/earn-controller": "7.0.0-preview-a7d366c",
  "@metamask-previews/eip-5792-middleware": "1.2.0-preview-a7d366c",
  "@metamask-previews/eip1193-permission-middleware": "1.0.0-preview-a7d366c",
  "@metamask-previews/ens-controller": "17.0.1-preview-a7d366c",
  "@metamask-previews/error-reporting-service": "2.0.0-preview-a7d366c",
  "@metamask-previews/eth-json-rpc-provider": "4.1.8-preview-a7d366c",
  "@metamask-previews/foundryup": "1.0.1-preview-a7d366c",
  "@metamask-previews/gas-fee-controller": "24.0.0-preview-a7d366c",
  "@metamask-previews/gator-permissions-controller": "0.2.0-preview-a7d366c",
  "@metamask-previews/json-rpc-engine": "10.0.3-preview-a7d366c",
  "@metamask-previews/json-rpc-middleware-stream": "8.0.7-preview-a7d366c",
  "@metamask-previews/keyring-controller": "23.1.0-preview-a7d366c",
  "@metamask-previews/logging-controller": "6.0.4-preview-a7d366c",
  "@metamask-previews/message-manager": "12.0.2-preview-a7d366c",
  "@metamask-previews/messenger": "0.3.0-preview-a7d366c",
  "@metamask-previews/multichain-account-service": "0.11.0-preview-a7d366c",
  "@metamask-previews/multichain-api-middleware": "1.0.0-preview-a7d366c",
  "@metamask-previews/multichain-network-controller": "0.12.0-preview-a7d366c",
  "@metamask-previews/multichain-transactions-controller": "5.0.0-preview-a7d366c",
  "@metamask-previews/name-controller": "8.0.3-preview-a7d366c",
  "@metamask-previews/network-controller": "24.1.0-preview-a7d366c",
  "@metamask-previews/network-enablement-controller": "1.2.0-preview-a7d366c",
  "@metamask-previews/notification-services-controller": "18.1.0-preview-a7d366c",
  "@metamask-previews/permission-controller": "11.0.6-preview-a7d366c",
  "@metamask-previews/permission-log-controller": "4.0.0-preview-a7d366c",
  "@metamask-previews/phishing-controller": "13.1.0-preview-a7d366c",
  "@metamask-previews/polling-controller": "14.0.0-preview-a7d366c",
  "@metamask-previews/preferences-controller": "19.0.0-preview-a7d366c",
  "@metamask-previews/profile-sync-controller": "25.0.0-preview-a7d366c",
  "@metamask-previews/rate-limit-controller": "6.0.3-preview-a7d366c",
  "@metamask-previews/remote-feature-flag-controller": "1.7.0-preview-a7d366c",
  "@metamask-previews/sample-controllers": "1.0.0-preview-a7d366c",
  "@metamask-previews/seedless-onboarding-controller": "4.0.0-preview-a7d366c",
  "@metamask-previews/selected-network-controller": "24.0.0-preview-a7d366c",
  "@metamask-previews/shield-controller": "0.1.2-preview-a7d366c",
  "@metamask-previews/signature-controller": "33.0.0-preview-a7d366c",
  "@metamask-previews/subscription-controller": "0.1.0-preview-a7d366c",
  "@metamask-previews/token-search-discovery-controller": "3.3.0-preview-a7d366c",
  "@metamask-previews/transaction-controller": "60.4.0-preview-a7d366c",
  "@metamask-previews/user-operation-controller": "39.0.0-preview-a7d366c"
}

…-1.0 packages (#836) ## **Description** Fixes peer dependency constraints for pre-1.0 packages in the monorepo. The previous implementation only used major version ranges (`^0.0.0` for all pre-1.0 packages), which was too permissive and could allow incompatible older versions. This update ensures peer dependencies correctly reflect the most significant version digit for breaking changes, following semantic versioning best practices for pre-1.0 packages. [Same PR in core](https://github.com/MetaMask/core/pull/6652/files#diff-594447fef9feecf11f1839e337c464b7b857fdb73fde7e18940eaa9cdf5b819d) ## **Related issues** Fixes:  ## **Manual testing steps** 1. Run `yarn constraints` to verify no constraint violations 2. Check that the updated logic handles various version scenarios: - `0.4.1` → generates `^0.4.0` peer dependency range - `0.2.1` → generates `^0.2.0` peer dependency range - `8.1.1` → generates `^8.0.0` peer dependency range (unchanged) - `0.0.5` → generates `^0.0.5` peer dependency range 3. Verify existing peer dependencies in package.json files remain valid 4. Test that the constraint logic properly prevents version mismatches ## **Screenshots/Recordings** Not applicable - this is a build configuration improvement with no visual changes. ### **Before** Pre-1.0 packages generated overly permissive `^0.0.0` peer dependency ranges. ### **After** Pre-1.0 packages generate appropriate ranges: `^0.minor.0` for minor-based versions, `^0.0.patch` for patch-only versions. ## **Pre-merge author checklist** - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) - [x] I've completed the PR template to the best of my ability - [x] I've included tests if applicable - [x] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [x] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/develop/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

cryptodev-2s

LGTM!

Our constraints for `peerDependencies` previously only required the major version to match. However, this was problematic for pre-1.0 packages because it allowed for situations where we cannot update a package without introducing a peer dependency error, since pre-1.0 packages can have breaking changes in minor or patch releases. The constraint has been updated to require the most significant part of the version to be synchronized for peer dependencies, and all resulting constraint errors have been auto-fixed.

## Explanation This release includes a number of breaking changes and "stabilization" 1.0 releases, intended to resolve a variety of peer dependency warnings caused by misaligned dependencies on pre-1.0 packages. ## References See #6652 ## Checklist N/A

## **Description** Update a variety of packages that are part of the `core` monorepo which had peer dependency warnings. The only breaking changes here are the peer dependencies, which should now be aligned. Individual package changelogs: - `account-tree-controller`: [1.0.0](https://github.com/MetaMask/core/blob/main/packages/account-tree-controller/CHANGELOG.md#100) - `assets-controllers`: [76.0.0](https://github.com/MetaMask/core/blob/main/packages/assets-controllers/CHANGELOG.md#7600) - `bridge-controller`: [44.0.0](https://github.com/MetaMask/core/blob/main/packages/bridge-controller/CHANGELOG.md#4400) - `bridge-status-controller`: [44.0.0](https://github.com/MetaMask/core/blob/main/packages/bridge-status-controller/CHANGELOG.md#4400) - `multichain-account-service`: [1.0.0](https://github.com/MetaMask/core/blob/main/packages/multichain-account-service/CHANGELOG.md#100) - `multichain-network-controller`: [1.0.0](https://github.com/MetaMask/core/blob/main/packages/multichain-network-controller/CHANGELOG.md#100) [![Open in GitHub Codespaces](https://github.com/codespaces/badge.svg)](https://codespaces.new/MetaMask/metamask-extension/pull/36093?quickstart=1) ## **Changelog** CHANGELOG entry: null ## **Related issues** Here is the corresponding core PR: MetaMask/core#6652 ## **Manual testing steps** N/A ## **Screenshots/Recordings** N/A ## **Pre-merge author checklist** - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Extension Coding Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [x] I’ve included tests if applicable - [x] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [x] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. --------- Co-authored-by: MetaMask Bot <[email protected]>

## **Description** Update a variety of packages that are part of the `core` monorepo which had peer dependency warnings. The only breaking changes here are the peer dependencies, which should now be aligned. Individual package changelogs: - `account-tree-controller`: [1.0.0](https://github.com/MetaMask/core/blob/main/packages/account-tree-controller/CHANGELOG.md#100) - `assets-controllers`: [76.0.0](https://github.com/MetaMask/core/blob/main/packages/assets-controllers/CHANGELOG.md#7600) - `bridge-controller`: [44.0.0](https://github.com/MetaMask/core/blob/main/packages/bridge-controller/CHANGELOG.md#4400) - `bridge-status-controller`: [44.0.0](https://github.com/MetaMask/core/blob/main/packages/bridge-status-controller/CHANGELOG.md#4400) - `multichain-account-service`: [1.0.0](https://github.com/MetaMask/core/blob/main/packages/multichain-account-service/CHANGELOG.md#100) - `multichain-network-controller`: [1.0.0](https://github.com/MetaMask/core/blob/main/packages/multichain-network-controller/CHANGELOG.md#100) - [![Open in GitHub Codespaces](https://github.com/codespaces/badge.svg)](https://codespaces.new/MetaMask/metamask-extension/pull/36093?quickstart=1) ## **Changelog** CHANGELOG entry: null ## **Related issues** Here is the corresponding core PR: MetaMask/core#6652 ## **Manual testing steps** N/A ## **Screenshots/Recordings** N/A ## **Pre-merge author checklist** - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Extension Coding Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [x] I’ve included tests if applicable - [x] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [x] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. --------- Co-authored-by: MetaMask Bot <[email protected]>

…0044) ## **Description** Update a variety of packages that are part of the `core` monorepo which had peer dependency warnings. The only breaking changes here are the peer dependencies, which should now be aligned. Edit: Other packages were updated in separate PRs, this now only updates the EarnController. Package changelog: - `earn-controller`: [8.0.0](https://github.com/MetaMask/core/blob/main/packages/earn-controller/CHANGELOG.md#800) ## **Changelog** CHANGELOG entry: null ## **Related issues** Here is the corresponding core PR: MetaMask/core#6652 ## **Manual testing steps** N/A ## **Screenshots/Recordings** N/A ## **Pre-merge author checklist** - [x] I’ve followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Mobile Coding Standards](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [x] I've completed the PR template to the best of my ability - [x] I’ve included tests if applicable - [x] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [x] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-mobile/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.  --- > [!NOTE] > Update @metamask/earn-controller to ^8.0.0 and align related peer/transitive dependencies. > > - **Dependencies**: > - Upgrade `@metamask/earn-controller` to `^8.0.0` in `package.json`. > - Align linked deps/peers in `yarn.lock`: `@metamask/base-controller@^8.4.0`, `@metamask/controller-utils@^11.14.0`, `@metamask/keyring-api@^21.0.0`, peer `@metamask/account-tree-controller@^1.0.0`. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit a42066a. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

Gudahtt marked this pull request as ready for review September 18, 2025 15:37

Gudahtt requested review from a team as code owners September 18, 2025 15:37

This comment was marked as outdated.

Sign in to view

Gudahtt force-pushed the ensure-peer-dependencies-have-latest-breaking-changes branch from 33665a7 to f93b0b9 Compare September 18, 2025 16:43

This comment was marked as outdated.

Sign in to view

mcmire previously approved these changes Sep 18, 2025

View reviewed changes

georgewrmarshall mentioned this pull request Sep 18, 2025

fix: ensure peer dependencies reflect latest breaking changes for pre-1.0 packages MetaMask/metamask-design-system#836

Merged

7 tasks

Gudahtt mentioned this pull request Sep 18, 2025

chore: Update packages to resolve peer dependency warnings MetaMask/metamask-extension#36093

Merged

7 tasks

cryptodev-2s previously approved these changes Sep 18, 2025

View reviewed changes

Gudahtt dismissed stale reviews from cryptodev-2s and mcmire via 8792126 September 19, 2025 12:15

Gudahtt force-pushed the ensure-peer-dependencies-have-latest-breaking-changes branch from f93b0b9 to 8792126 Compare September 19, 2025 12:15

This comment was marked as outdated.

Sign in to view

Gudahtt force-pushed the ensure-peer-dependencies-have-latest-breaking-changes branch from 8792126 to 8c52fbb Compare September 19, 2025 13:35

This comment was marked as outdated.

Sign in to view

Gudahtt force-pushed the ensure-peer-dependencies-have-latest-breaking-changes branch from 8c52fbb to a7d366c Compare September 19, 2025 13:39

cryptodev-2s previously approved these changes Sep 19, 2025

View reviewed changes

Gudahtt mentioned this pull request Sep 19, 2025

chore: Update Earn controller to resolve peer dependency warnings MetaMask/metamask-mobile#20044

Merged

7 tasks

Gudahtt force-pushed the ensure-peer-dependencies-have-latest-breaking-changes branch from a7d366c to b351b45 Compare September 19, 2025 15:07

Gudahtt force-pushed the ensure-peer-dependencies-have-latest-breaking-changes branch from b351b45 to ac3d7ea Compare September 22, 2025 12:16

Gudahtt dismissed cryptodev-2s’s stale review via ce4adab September 22, 2025 14:02

Gudahtt force-pushed the ensure-peer-dependencies-have-latest-breaking-changes branch from ac3d7ea to ce4adab Compare September 22, 2025 14:02

cryptodev-2s approved these changes Sep 22, 2025

View reviewed changes

Gudahtt added 5 commits September 22, 2025 11:48

Update changelogs

76e7a85

Update lockfile

a851a77

Update changelogs

906a320

Fix constraints and update changelogs again

1dbff7b

Gudahtt force-pushed the ensure-peer-dependencies-have-latest-breaking-changes branch from ce4adab to 1dbff7b Compare September 22, 2025 14:18

Gudahtt enabled auto-merge (squash) September 22, 2025 14:19

Gudahtt merged commit 784fdf9 into main Sep 22, 2025
239 checks passed

Gudahtt deleted the ensure-peer-dependencies-have-latest-breaking-changes branch September 22, 2025 14:25

Gudahtt mentioned this pull request Sep 22, 2025

Release/572.0.0 #6676

Merged

Uh oh!

fix: Ensure peer dependencies reflect latest breaking changes #6652

fix: Ensure peer dependencies reflect latest breaking changes #6652

Uh oh!

Conversation

Gudahtt commented Sep 18, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Explanation

References

Checklist

Uh oh!

socket-security bot commented Sep 18, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

This comment was marked as outdated.

This comment was marked as outdated.

Gudahtt commented Sep 18, 2025

Uh oh!

This comment was marked as outdated.

This comment was marked as outdated.

mcmire left a comment

Choose a reason for hiding this comment

Uh oh!

cryptodev-2s left a comment

Choose a reason for hiding this comment

Uh oh!

This comment was marked as outdated.

Uh oh!

This comment was marked as outdated.

Gudahtt commented Sep 19, 2025

Uh oh!

Gudahtt commented Sep 19, 2025

Uh oh!

cryptodev-2s left a comment

Choose a reason for hiding this comment

Uh oh!

github-actions bot commented Sep 19, 2025

Uh oh!

cryptodev-2s left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Gudahtt commented Sep 18, 2025 •

edited

Loading

socket-security bot commented Sep 18, 2025 •

edited

Loading