
use native bs58 #177

Open: chaitanyapotti wants to merge 2 commits into master from fix/bs58

Conversation

chaitanyapotti (Member) commented Feb 25, 2026

Note

Medium Risk
Changes a network call that gates key retrieval/import (method/URL/parameters and option rename), so misconfiguration or server incompatibility could block logins; the bs58 swap is otherwise low risk.

Overview
Swaps base58 encoding/decoding from @toruslabs/bs58 to upstream bs58 (and updates the ed25519 test accordingly), with lockfile/package updates to pull in bs58@6.

Updates the pre-share-retrieval allowlist/gating request: removes the old GET flow and authorizationServerUrl override, and instead always POSTs to citadelServerUrl (or the default ${SIGNER_MAP[network]}/api/allow) with a normalized payload (including a default source). Public options/ctor wiring are renamed to citadelServerUrl to match.

Written by Cursor Bugbot for commit aad7a63. This will update automatically on new commits.

socket-security bot commented Feb 25, 2026

Review the following changes in direct dependencies.

Diff   Package             Supply Chain Security  Vulnerability  Quality  Maintenance  License
Added  @types/bs58@5.0.0   100                    100            39       50           100
Added  bs58@6.0.0          100                    100            93       85           100


socket-security bot commented Feb 25, 2026

Warning

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action: Warn
Severity: Medium
Alert: Deprecated by its maintainer: npm @types/bs58

Reason: This is a stub types definition. bs58 provides its own type definitions, so you do not need this installed.

From: package-lock.json (npm/@types/bs58@5.0.0)


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@types/bs58@5.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


cursor bot left a comment

Cursor Bugbot has reviewed your changes and found 2 potential issues.

"@toruslabs/eslint-config-typescript": "^5.0.0",
"@toruslabs/fetch-node-details": "^16.0.0",
"@toruslabs/torus-scripts": "^8.0.0",
"@types/bs58": "^5.0.0",

Deprecated @types/bs58 added as unnecessary devDependency

Low Severity

The @types/bs58 package (v5.0.0) is deprecated and unnecessary — bs58 v6 ships its own type definitions. The lockfile even explicitly says: "This is a stub types definition. bs58 provides its own type definitions, so you do not need this installed." This adds a redundant dependency that could confuse future contributors.


source: source || "torus-utils-web",
},
{}
);

Authorization POST request missing useAPIKey option

Medium Severity

The refactored post call to the citadel/allow endpoint no longer passes { useAPIKey: true } as the fourth argument. The previous code included this flag in both the POST and GET paths. Every other post call in metadataUtils.ts consistently passes { useAPIKey: true }. Without it, the API key set via Torus.setAPIKey() won't be sent with this request, which could cause authentication failures.

