Release V17

[chaitanyapotti]

Jira Link

Description

Release V17

How has this been tested?

Screenshots (if appropriate)

Types of changes

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist

• My code follows the code style of this project. (run lint)
• My change requires a change to the documentation.
• I have updated the documentation accordingly.
• I have added tests to cover my changes.
• All new and existing tests passed.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​types/​node@​22.10.6 ⏵ 22.19.13	+1		+1	+1
	jsdom@​26.0.0 ⏵ 26.1.0	+2		+1
	prettier@​3.5.3 ⏵ 3.8.1	-7		+1
	dotenv@​16.6.1
	lint-staged@​15.5.0 ⏵ 15.5.2	+1		+1	+7
	@​tkey/​common-types@​16.0.0 ⏵ 17.0.0	+23		+26	+18	+20
	@​tkey/​core@​16.0.0 ⏵ 17.0.0	+24		+31	+12	+20
	@​tkey/​private-keys@​16.0.0 ⏵ 17.0.0	+28		+13	+18	+20
	@​tkey/​security-questions@​16.0.0 ⏵ 17.0.0	+28		+1	+18	+20
	@​tkey/​seed-phrase@​16.0.0 ⏵ 17.0.0	+29		+8	+17
	@​tkey/​service-provider-base@​16.0.0 ⏵ 17.0.0	+28		+31	+18	+20
	@​tkey/​service-provider-torus@​16.0.0 ⏵ 17.0.0	+28		+25	+18	+20
	@​tkey/​share-serialization@​16.0.0 ⏵ 17.0.0	+28		+14	+19	+20
	@​tkey/​share-transfer@​16.0.0 ⏵ 17.0.0	+27		+1	+18	+20
	@​tkey/​storage-layer-torus@​16.0.0 ⏵ 17.0.0	+27		+19	+18	+20

View full report

[socket-security]

Caution

MetaMask internal reviewing guidelines:

• Do not ignore-all
• Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
• Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
  @SocketSecurity ignore npm/PACKAGE@VERSION

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Publisher changed: npm cors is now published by ulisesgascon instead of dougwilson New Author: ulisesgascon Previous Author: dougwilson From: package-lock.json → npm/karma@6.4.4 → npm/cors@2.8.6 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/cors@2.8.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Publisher changed: npm negotiator is now published by blakeembrey instead of wesleytodd New Author: blakeembrey Previous Author: wesleytodd From: package-lock.json → npm/lerna@8.2.4 → npm/negotiator@0.6.4 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/negotiator@0.6.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm jsdom is 100.0% likely to have a medium risk anomaly Notes: The code fragment does not exhibit clear malicious behavior, but it has several anomalies, including typos and dynamic property manipulation using Reflect API, which could pose a security risk if not properly managed. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/jsdom@26.1.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/jsdom@26.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm nx is 100.0% likely to have a medium risk anomaly Notes: This loader establishes a Node.js WASI/worker environment that: 1) passes the entire host process.env into the WASI instance (exposing all environment variables, including secrets, to loaded modules); 2) preopens the filesystem root (granting broad file read/write access under the host’s root directory); and 3) implements importScripts via synchronous fs.readFileSync + eval (allowing any local JS file to be executed in the loader context). If an untrusted or compromised WASM module or script is provided, it can read sensitive environment variables, access or modify arbitrary files, and execute arbitrary JavaScript—posing a moderate security risk. Recommended mitigations: restrict WASI preopens to a minimal directory, limit or sanitize environment variables passed into WASI, and replace or sandbox the eval-based importScripts mechanism. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/lerna@8.2.4 → npm/nx@20.8.4 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/nx@20.8.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm process-on-spawn is 100.0% likely to have a medium risk anomaly Notes: The module is a global hook that intercepts and allows modification of all child process spawns. The code itself is not overtly malicious (no embedded exfiltration or network code), but it creates a high-risk capability: listeners receive full environment and spawn metadata and can both read secrets and modify what is executed. If untrusted or malicious listeners can be registered, this becomes a significant supply-chain/backdoor risk. Recommend careful review of any code that registers listeners and restrict usage to trusted code only; consider whether such global monkey-patching is acceptable for your threat model. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/nyc@17.1.0 → npm/process-on-spawn@1.1.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/process-on-spawn@1.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm socket.io-parser is 100.0% likely to have a medium risk anomaly Notes: The code fragment represents a legitimate, well-structured Socket.IO v5 encoder/decoder with proper binary payload handling and input validation. No malicious indicators found, and the risk profile is low to moderate for this isolated module. No hardcoded secrets or exfiltration logic detected. Recommend treating as safe for use within a secure codebase, with standard review of imported utilities to confirm their integrity. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@toruslabs/customauth@22.1.0 → npm/karma@6.4.4 → npm/socket.io-parser@4.2.5 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/socket.io-parser@4.2.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm yaml is 100.0% likely to have a medium risk anomaly Notes: The analyzed code is a standard YAML stringify module with robust tag resolution, anchor handling, and formatting controls. It correctly delegates to appropriate stringify logic and handles edge cases like circular aliases and unresolved tags with explicit errors. Overall security posture is conservative and typical for a serialization library; no malicious activity detected. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/lint-staged@15.5.2 → npm/lerna@8.2.4 → npm/yaml@2.8.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/yaml@2.8.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report