security: implement NPM supply chain attack protection with 3-day age gate #846
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
📖 Storybook Preview |
georgewrmarshall
force-pushed
the
security-update
branch
from
3bc017e to
3ac7680
Compare
Contributor
📖 Storybook Preview |
georgewrmarshall
force-pushed
the
security-update
branch
from
3ac7680 to
7ac14ea
Compare
Comment on lines
+21
to
+28
| # NPM Supply Chain Attack Protection | ||
| # Minimum age gate: only allow packages older than 3 days (4320 minutes) | ||
| npmMinimalAgeGate: 4320 | ||
|
|
||
| # Pre-approved packages that can bypass the age gate | ||
| npmPreapprovedPackages: | ||
| - '@metamask/*' | ||
| - '@lavamoat/*' |
Contributor
Author
There was a problem hiding this comment.
Adding configurations from notion document
| "yargs": "^17.7.2" | ||
| }, | ||
| "packageManager": "yarn@4.2.2", | ||
| "packageManager": "yarn@4.10.3", |
Contributor
Author
There was a problem hiding this comment.
Upgrading yarn version
Contributor
📖 Storybook Preview |
brianacnguyen
approved these changes
Oct 24, 2025
Contributor
📖 Storybook Preview |
Contributor
📖 Storybook Preview |
brianacnguyen
pushed a commit
that referenced
this pull request
Dec 9, 2025
## **Description** This PR releases version 17.0.0 of the MetaMask Design System, featuring important fixes for mobile font compatibility, the addition of the ButtonHero component to React, export fixes for React Native, and various dependency updates including ESLint configuration upgrades. ## **Included PRs** #836, #837, #838, #840, #843, #845, #846, #847, #848, #850, #851, #852, #853, #854, #855, #856, #857, #858, #859, #861, #862, #863, #864 ## **Manual testing steps** 1. Check package.json version bumps align with included changes 2. Check changelog accurately reflects the release ## **Pre-merge author checklist** - [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) - [x] I've completed the PR template to the best of my ability - [x] I've included tests if applicable - [x] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [x] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/develop/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. <!-- CURSOR_SUMMARY --> --- > [!NOTE] > Release 17.0.0 introducing React `ButtonHero`, RN font naming changes and TWRNC preset font family rename (both breaking), plus RN export fix and dependency updates. > > - **Release 17.0.0** > - Bump root `package.json` to `17.0.0`. > - **React (`@metamask/[email protected]`)** > - Add `ButtonHero` component for prominent CTAs. > - Update `@metamask/utils` peer to `^11.8.1`. > - **React Native (`@metamask/[email protected]`)** > - BREAKING: Rename font files to hyphenated PostScript format for iOS Metro compatibility. > - Export missing `TextButtonSize` enum. > - Peer: require `@metamask/design-system-twrnc-preset@^0.3.0`; update `@metamask/utils` peer. > - **TWRNC preset (`@metamask/[email protected]`)** > - BREAKING: Rename font family names to hyphenated PostScript format for iOS/expo-font. > - **Changelogs** > - Update `CHANGELOG.md` links and entries for all packages. > > <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 9a90311. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup> <!-- /CURSOR_SUMMARY -->
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Implements critical NPM supply chain attack protection by adding a 3-day minimum age gate for package installations. This security enhancement prevents the installation of freshly published packages that could contain malicious code, providing a crucial defense against supply chain attacks.
The implementation follows instructions from the security team for protecting against ongoing NPM supply chain threats, requiring all packages to be at least 3 days old before installation while maintaining exceptions for trusted MetaMask and LavaMoat packages.
Related issues
Fixes: https://consensyssoftware.atlassian.net/browse/DSYS-242
Manual testing steps
yarn installto confirm age gate configuration works without blocking existing dependencies@metamask/*and@lavamoat/*packages are pre-approved and can bypass age restrictionsScreenshots/Recordings
Not applicable - this is a security infrastructure change without visual components.
Pre-merge author checklist
Pre-merge reviewer checklist
Security Impact
Protection Against Supply Chain Attacks:
Before:
After:
Technical Details
Configuration Changes:
packageManagerfrom[email protected]to[email protected]npmMinimalAgeGate: 4320(3 days in minutes)npmPreapprovedPackageswith["@metamask/*", "@lavamoat/*"]Yarn Lock Updates:
Security Alignment:
Note
Enable a 3‑day NPM package age gate in Yarn and bump Yarn to 4.10.3, updating constraints and lockfile accordingly.
npmMinimalAgeGate: 4320andnpmPreapprovedPackages(@metamask/*,@lavamoat/*) in.yarnrc.yml.packageManagerfrom[email protected]to[email protected]inpackage.json.yarn.config.cjsconstraint to expect[email protected].yarn.lockTypeScript patch resolution/checksum.Written by Cursor Bugbot for commit 4d63fe0. This will update automatically on new commits. Configure here.