Conversation
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
|
Warning MetaMask internal reviewing guidelines:
|
| "@toruslabs/eslint-config-typescript": "^5.0.0", | ||
| "@toruslabs/fetch-node-details": "^16.0.0", | ||
| "@toruslabs/torus-scripts": "^8.0.0", | ||
| "@types/bs58": "^5.0.0", |
There was a problem hiding this comment.
Deprecated @types/bs58 added as unnecessary devDependency
Low Severity
The @types/bs58 package (v5.0.0) is deprecated and unnecessary — bs58 v6 ships its own type definitions. The lockfile even explicitly says: "This is a stub types definition. bs58 provides its own type definitions, so you do not need this installed." This adds a redundant dependency that could confuse future contributors.
| source: source || "torus-utils-web", | ||
| }, | ||
| {} | ||
| ); |
There was a problem hiding this comment.
Authorization POST request missing useAPIKey option
Medium Severity
The refactored post call to the citadel/allow endpoint no longer passes { useAPIKey: true } as the fourth argument. The previous code included this flag in both the POST and GET paths. Every other post call in metadataUtils.ts consistently passes { useAPIKey: true }. Without it, the API key set via Torus.setAPIKey() won't be sent with this request, which could cause authentication failures.


Note
Medium Risk
Changes a network call that gates key retrieval/import (method/URL/parameters and option rename), so misconfiguration or server incompatibility could block logins; the
bs58swap is otherwise low risk.Overview
Swaps base58 encoding/decoding from
@toruslabs/bs58to upstreambs58(and updates the ed25519 test accordingly), with lockfile/package updates to pull inbs58@6.Updates the pre-share-retrieval allowlist/gating request: removes the old
GETflow andauthorizationServerUrloverride, and instead alwaysPOSTs tocitadelServerUrl(or the default${SIGNER_MAP[network]}/api/allow) with a normalized payload (including a defaultsource). Public options/ctor wiring are renamed tocitadelServerUrlto match.Written by Cursor Bugbot for commit aad7a63. This will update automatically on new commits. Configure here.