feat: use patch-package for SES-compat patches; expose patches in published packages #874
Draft
…lished packages

- Replace Yarn patch: protocol with patch-package for @chainsafe/libp2p-yamux
- Add patches/ to files in @MetaMask/ocap-kernel and @metamask/kernel-utils so consumers can copy the patch file without visiting GitHub
- Add patchedDependencies field to both published packages (machine-readable)
- Add SES/Lockdown Compatibility section to both package READMEs
- Add yarn constraints: expectNoPatchProtocolProductionDependencies, expectPatchedDependenciesAreDeclaredAndShipped

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
All alerts resolved. This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.
Coverage Report: no changed files found.
@SocketSecurity ignore npm/patch-package@8.0.1 Capabilities are necessary. New authors are known to be or seem legit.
@SocketSecurity ignore-all (I guess it makes sense that ignoring one package doesn't also ignore its dependencies)
Summary

`@metamask/ocap-kernel` and `@metamask/kernel-utils` depend on `@chainsafe/libp2p-yamux@7.0.4`, which requires a patch for SES/lockdown compatibility (`Object.defineProperty` instead of direct assignment on a frozen iterator). Previously the patch was applied via Yarn's `patch:` protocol from a root `.yarn/patches/` file, invisible to and unreproducible by consumers. This PR switches to `patch-package` (package-manager-agnostic) and bundles the patch in the published npm tarballs so consumers can apply it without visiting GitHub.

Changes

- Replace the `patch:` URL for `@chainsafe/libp2p-yamux` in all three dependent packages (`ocap-kernel`, `kernel-utils`, `brow-2-brow`) with a plain `7.0.4` version specifier
- Add `patch-package` as a root `devDependency`; prepend `patch-package` to the root `postinstall` script so the patch is applied after every `yarn install`
- Add `patches/@chainsafe+libp2p-yamux+7.0.4.patch` at the repo root (patch-package format) and delete the old `.yarn/patches/` file
- Add `patches/` to the `files` array and a `patchedDependencies` field in both published packages (`ocap-kernel`, `kernel-utils`) so consumers get the patch file when they `npm install` either package
- Add `patch-package` instructions to both package READMEs
- Add `yarn constraints` rules: `expectNoPatchProtocolProductionDependencies` (guard against re-introducing `patch:` URLs in published packages) and `expectPatchedDependenciesAreDeclaredAndShipped` (ensure every declared patch is included in `files`)

Testing

`yarn constraints` passes with no errors. The patch is verified applied by grep-ing for `Object.defineProperty` in `node_modules/@chainsafe/libp2p-yamux/dist/src/decode.js` after `yarn install`. The constraint rules were validated by temporarily removing a `patchedDependencies` entry and confirming an error is reported.

🤖 Generated with Claude Code
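The Summary above says the libp2p-yamux patch replaces a direct property assignment on a frozen iterator with `Object.defineProperty`. What follows is an added illustration of why that distinction matters under SES; it is not code from this PR or from `@chainsafe/libp2p-yamux`, and the exact line in `decode.js` is not on this page. `lockdown()` freezes the intrinsic prototypes, and in strict mode an assignment to a property an object inherits as a non-writable data property throws a `TypeError` (the JavaScript "override mistake"), while defining an own property on the still-extensible object succeeds. `Object.freeze` stands in for `lockdown()` so the snippet runs in plain Node, and the iterator prototype is constructed for the example.

```javascript
// Added illustration (not from the PR or @chainsafe/libp2p-yamux): the override mistake
// that SES lockdown() surfaces. Object.freeze() plays the role of lockdown() here.

/** A constructed iterator prototype, frozen the way lockdown() leaves the intrinsics. */
function makeFrozenIteratorProto() {
  return Object.freeze({
    next() {
      return { value: undefined, done: true };
    },
    [Symbol.iterator]() {
      return this;
    },
  });
}

/**
 * Pre-patch pattern: plain assignment on an object that inherits from the frozen prototype.
 * Returns null when the assignment succeeded, otherwise the name of the thrown error.
 */
function assignDirectly(proto, key, value) {
  "use strict"; // assigning over an inherited non-writable property only throws in strict mode
  const it = Object.create(proto);
  try {
    it[key] = value;
    return null;
  } catch (err) {
    return err.name; // "TypeError": proto[key] is a non-writable data property
  }
}

/**
 * Post-patch pattern: define an own property instead of assigning through the prototype.
 * The object itself is still extensible, so this succeeds and shadows the inherited value.
 */
function defineOwn(proto, key, value) {
  const it = Object.create(proto);
  try {
    Object.defineProperty(it, key, { value, writable: true, configurable: true, enumerable: false });
    const shadowed = Object.prototype.hasOwnProperty.call(it, key) && it[key] === value;
    return shadowed ? null : "not-shadowed";
  } catch (err) {
    return err.name;
  }
}

/**
 * Caveat: defineProperty only helps while the target object is extensible. If the iterator
 * object itself has been frozen (for example by harden()), adding a property fails as well.
 */
function defineOnFrozenObject(key, value) {
  const it = Object.freeze(Object.create(makeFrozenIteratorProto()));
  try {
    Object.defineProperty(it, key, { value });
    return null;
  } catch (err) {
    return err.name;
  }
}

const proto = makeFrozenIteratorProto();
const replacement = () => ({ value: 1, done: false });
console.log(assignDirectly(proto, "next", replacement)); // "TypeError"
console.log(defineOwn(proto, "next", replacement)); // null
console.log(defineOnFrozenObject("return", replacement)); // "TypeError"
```

Two practical consequences follow. First, `assignDirectly` only fails for a key the frozen prototype already defines; a key that does not exist upstream (such as `return` on this constructed prototype) is added as an own property without error, which is why code that works in ordinary Node can break only once `lockdown()` has run. Second, because the patch is applied by a `postinstall` hook, a consumer who installs with scripts disabled does not get it, which is the reason for shipping the patch file and documenting it rather than relying on the hook alone.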
Note

Medium Risk

Medium risk because it changes install-time behavior (`postinstall`) and how published packages manage/ship patched dependencies, which could break consumer installs if misconfigured. Also includes minor dependency bumps (`@metamask/snaps-utils`, `@metamask/design-system-react`) that may introduce compatibility changes.

Overview

Switches SES compatibility patching to `patch-package`. Replaces Yarn `patch:` dependency specs for `@chainsafe/libp2p-yamux@7.0.4` with a plain version and adds `patch-package` to the root `postinstall`, while adding patch files under `patches/` (and duplicating them under `packages/kernel-utils/patches/` and `packages/ocap-kernel/patches/`).

Makes patches consumable and enforceable. `@metamask/ocap-kernel` and `@metamask/kernel-utils` now ship `patches/` in their npm `files` and declare `patchedDependencies`, with README guidance for consumers; Yarn constraints now reject `patch:` production deps and ensure declared patch files are included in published package `files`.

Separately updates `@metamask/snaps-utils` in `kernel-browser-runtime` and bumps `@metamask/design-system-react` in `kernel-ui` (lockfile updated accordingly).

Written by Cursor Bugbot for commit 54149eb.
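Both the Changes list in the PR description and the Bugbot overview describe two `yarn constraints` rules: one rejecting `patch:` ranges in published packages, one checking that every declared patch is shipped. The following is an added example, not the project's own `yarn.config.cjs`: the same two checks written as plain functions over a `package.json` manifest so they run without Yarn against constructed manifests. Assumptions not stated on the page: `patchedDependencies` maps `"name@version"` to the patch path (pnpm's shape), patch files follow patch-package's naming (`/` in the package name becomes `+`, then `+<version>.patch`, consistent with the `@chainsafe+libp2p-yamux+7.0.4.patch` file the PR adds), and the `files` handling covers only the patterns a `patches/` directory would realistically use.

```javascript
// Added example, not the project's yarn.config.cjs. The rule names come from the PR; their
// logic, the patchedDependencies shape ({ "name@version": "patches/<file>" }) and the
// patch-package file-name convention are assumptions made for this illustration.

const PRODUCTION_DEP_FIELDS = ["dependencies", "peerDependencies", "optionalDependencies"];

/** patch-package naming: "/" in the package name becomes "+", then "+<version>.patch". */
function patchPackageFileName(spec) {
  const at = spec.lastIndexOf("@"); // scoped names start with "@", so split on the last one
  if (at <= 0) throw new Error(`patchedDependencies key must be "name@version", got "${spec}"`);
  return `patches/${spec.slice(0, at).replace("/", "+")}+${spec.slice(at + 1)}.patch`;
}

/** Rule 1: a published package must not expose a Yarn-only `patch:` range to consumers. */
function expectNoPatchProtocolProductionDependencies(manifest) {
  if (manifest.private) return []; // private workspaces are never published
  const errors = [];
  for (const field of PRODUCTION_DEP_FIELDS) {
    for (const [dep, range] of Object.entries(manifest[field] ?? {})) {
      if (typeof range === "string" && range.startsWith("patch:")) {
        errors.push(`${manifest.name}: ${field}["${dep}"] uses the patch: protocol; ` +
          "use a plain version and declare the patch in patchedDependencies");
      }
    }
  }
  return errors;
}

/** True if the npm `files` whitelist includes relPath (directory, glob or exact entry). */
function filesCovers(files, relPath) {
  const slash = relPath.lastIndexOf("/");
  const dir = slash >= 0 ? relPath.slice(0, slash) : ".";
  return (files ?? []).some((entry) => {
    const e = entry.replace(/\/+$/, "");
    return e === relPath || relPath.startsWith(`${e}/`) || e === `${dir}/**` || e === `${dir}/*.patch`;
  });
}

/**
 * Rule 2: every declared patch exists, follows the patch-package name and is shipped via
 * `files`; every patch file present is declared. presentFiles lists the package's files as
 * posix paths relative to the package directory.
 */
function expectPatchedDependenciesAreDeclaredAndShipped(manifest, presentFiles) {
  if (manifest.private) return [];
  const errors = [];
  const declared = manifest.patchedDependencies ?? {};
  const present = new Set(presentFiles.filter((p) => p.startsWith("patches/") && p.endsWith(".patch")));

  for (const [spec, patchPath] of Object.entries(declared)) {
    let expected;
    try {
      expected = patchPackageFileName(spec);
    } catch (err) {
      errors.push(`${manifest.name}: ${err.message}`);
      continue;
    }
    if (patchPath !== expected) errors.push(`${manifest.name}: patchedDependencies["${spec}"] should be ${expected}, not ${patchPath}`);
    if (!present.has(patchPath)) errors.push(`${manifest.name}: ${patchPath} is declared but missing from the package`);
    if (!filesCovers(manifest.files, patchPath)) errors.push(`${manifest.name}: ${patchPath} is not covered by "files", so npm publish would drop it`);
  }
  const declaredPaths = new Set(Object.values(declared));
  for (const p of present) {
    if (!declaredPaths.has(p)) errors.push(`${manifest.name}: ${p} exists but is not declared in patchedDependencies`);
  }
  return errors;
}

/** Run both rules over one manifest. */
function lintManifest(manifest, presentFiles) {
  return [
    ...expectNoPatchProtocolProductionDependencies(manifest),
    ...expectPatchedDependenciesAreDeclaredAndShipped(manifest, presentFiles),
  ];
}

// Constructed manifests for the example; they are not the real package.json files.
const compliant = {
  name: "@example/kernel-like",
  files: ["dist", "patches"],
  dependencies: { "@chainsafe/libp2p-yamux": "7.0.4" },
  patchedDependencies: { "@chainsafe/libp2p-yamux@7.0.4": "patches/@chainsafe+libp2p-yamux+7.0.4.patch" },
};
const compliantFiles = ["package.json", "dist/index.js", "patches/@chainsafe+libp2p-yamux+7.0.4.patch"];

const regressed = {
  name: "@example/regressed",
  files: ["dist"], // patches/ would be dropped at publish time
  dependencies: { "@chainsafe/libp2p-yamux": "patch:@chainsafe/libp2p-yamux@npm%3A7.0.4#~/.yarn/patches/yamux.patch" },
  patchedDependencies: {}, // and the patch file below is undeclared
};
const regressedFiles = ["package.json", "patches/@chainsafe+libp2p-yamux+7.0.4.patch"];

console.log(lintManifest(compliant, compliantFiles)); // []
console.log(lintManifest(regressed, regressedFiles)); // two errors
```

Wired into a real `yarn.config.cjs`, these functions would be called from `constraints: async ({ Yarn }) => ...` for each entry of `Yarn.workspaces()`, reading `workspace.manifest`, listing `workspace.cwd + "/patches"` with `fs.readdirSync`, and reporting each message through `workspace.error()`; that wiring is not shown here. The second rule is stricter than the PR's one-line description in one respect: it also flags a patch file that exists but is not declared, so a patch cannot reach consumers undocumented, and it rejects a declared path that does not match the patch-package naming, which catches a renamed file that `patch-package` would silently fail to apply.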