Skip to content

poc: libsodium#33377

Open
jiexi wants to merge 1 commit into
mainfrom
jl/poc-libsodium
Open

poc: libsodium#33377
jiexi wants to merge 1 commit into
mainfrom
jl/poc-libsodium

Conversation

@jiexi

@jiexi jiexi commented Jul 15, 2026

Copy link
Copy Markdown
Member

Description

Screenshot 2026-07-15 at 11 34 23 AM Screenshot 2026-07-15 at 11 33 57 AM

Changelog

CHANGELOG entry:

Related issues

Fixes:

Manual testing steps

Feature: my feature name

  Scenario: user [verb for user action]
    Given [describe expected initial app state]

    When user [verb for user action]
    Then [describe expected outcome]

Screenshots/Recordings

Before

After

Pre-merge author checklist

Performance checks (if applicable)

  • I've tested on Android
    • Ideally on a mid-range device; emulator is acceptable
  • I've tested with a power user scenario
    • Use these power-user SRPs to import wallets with many accounts and tokens
  • I've instrumented key operations with Sentry traces for production performance metrics

For performance guidelines and tooling, see the Performance Guide.

Pre-merge reviewer checklist

  • I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
  • I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

@jiexi jiexi requested a review from a team as a code owner July 15, 2026 18:42
@metamask-ci metamask-ci Bot added the team-wallet-integrations Wallet Integrations team label Jul 15, 2026
@metamask-ci

metamask-ci Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

PR template — items to address before "Ready for review"

Blocking — these items fail the workflow until fixed:

  • Changelog section has an empty CHANGELOG entry: line. Fill in a description, write CHANGELOG entry: null, or apply the no-changelog label.

Warnings — informational, address before merging:

  • Related issues section is empty. Add Fixes: #123 / Closes: <URL> / Refs: <Jira key>, or write a short rationale after the colon.
  • Manual testing steps still contain template content (the Gherkin example title or a [...] placeholder). Replace with real steps, or write N/A — <reason>.
  • Screenshots/Recordings section is empty. Add an image/video for user-facing changes, logs/console output for non-user-facing changes, or write N/A if no evidence is applicable.
  • Pre-merge author checklist has unchecked items (e.g. "I've followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards."). Every box must be consciously checked — see docs/readme/ready-for-review.md.

See docs/readme/ready-for-review.md for the full Definition of Ready for Review.

@cursor cursor Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 2 potential issues.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 493aa06. Configure here.

<Box
twClassName={`mt-2 p-3 rounded-lg ${
summary.includes('failed') ? 'bg-error-muted' : 'bg-success-muted'
}`}

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Partial failures show success banner

Medium Severity

When some cryptographic checks fail, the summary still uses bg-success-muted because styling only looks for the word failed in the summary string. Messages like 3/10 checks passed never include that substring, so failed runs can look like full success at a glance.

Additional Locations (2)
Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 493aa06. Configure here.

name={Routes.LIBSODIUM_POC}
component={LibsodiumPoc}
options={{ headerShown: false, ...slideFromRightNativeOptions }}
/>

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

POC route lacks production guard

Low Severity

The wallet entry to LibsodiumPoc is hidden when METAMASK_ENVIRONMENT is production, but MainNavigator always registers Routes.LIBSODIUM_POC. That mismatch leaves the screen reachable in production via navigation while the adjacent FeatureFlagOverride route uses the same env guard.

Additional Locations (1)
Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 493aa06. Configure here.

@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addednpm/​react-native-libsodium@​1.7.07110010091100
Addednpm/​libsodium-wrappers@​0.8.41001009984100

View full report

@socket-security

Copy link
Copy Markdown

Caution

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action Severity Alert  (click "▶" to expand/collapse)
Block High
Obfuscated code: npm libsodium-sumo is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?npm/react-native-libsodium@1.7.0npm/libsodium-sumo@0.8.4

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/libsodium-sumo@0.8.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block High
Obfuscated code: npm libsodium-sumo is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: ?npm/react-native-libsodium@1.7.0npm/libsodium-sumo@0.8.4

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/libsodium-sumo@0.8.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block High
Obfuscated code: npm react-native-libsodium is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package.jsonnpm/react-native-libsodium@1.7.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/react-native-libsodium@1.7.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Install-time scripts: npm react-native-libsodium during postinstall

Install script: postinstall

Source: tar -xzf libsodium/build.tgz --directory ./libsodium

From: package.jsonnpm/react-native-libsodium@1.7.0

ℹ Read more on: This package | This alert | What is an install script?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/react-native-libsodium@1.7.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@github-actions

Copy link
Copy Markdown
Contributor

🔍 Smart E2E Test Selection

  • Selected E2E tags: SmokeWalletPlatform
  • Selected Performance tags: None (no tests recommended)
  • Risk Level: medium
  • AI Confidence: 78%
click to see 🤖 AI reasoning details

E2E Test Selection:

This PR introduces a libsodium proof-of-concept developer screen with the following changes:

  1. New LibsodiumPoc screen (app/components/Views/LibsodiumPoc/index.tsx): A new developer/debug screen for testing libsodium cryptographic bindings. No impact on existing flows.

  2. MainNavigator.js: Adds the LibsodiumPoc screen to the navigation stack. This is an additive change and doesn't modify existing screen registrations.

  3. Wallet/index.tsx: Adds a "libsodium POC" button to the wallet home screen's portfolioHeaderBase and portfolioHeaderWithNFTs components. The button is gated behind process.env.METAMASK_ENVIRONMENT !== 'production', so it won't appear in production builds. However, the structural modification to the portfolio header components warrants validation of the wallet home screen.

  4. metro.config.js: Adds a node:fs stub for libsodium module resolution. This is a bundler-level change that could theoretically affect module resolution, though it's narrowly scoped to libsodium origin modules.

  5. package.json: Adds libsodium-wrappers and react-native-libsodium as new dependencies. The native dependency requires iOS pod linking (Podfile.lock updated).

  6. yarn.lock / ios/Podfile.lock: Lock file updates for new dependencies.

Why SmokeWalletPlatform: The Wallet home screen (app/components/Views/Wallet/index.tsx) is directly modified — the portfolioHeaderBase and portfolioHeaderWithNFTs components have a new element added. SmokeWalletPlatform covers wallet home screen rendering, transaction history display, and core wallet platform features. This validates that the structural change to the portfolio header doesn't break the wallet home screen layout or functionality.

Why not broader tags: The libsodium POC button is gated to non-production environments, so it won't appear in standard E2E test runs. The navigation change is purely additive. The metro config change is narrowly scoped. No existing user flows (confirmations, swaps, accounts, etc.) are modified.

Performance Test Selection:
No performance-sensitive flows are modified. The libsodium POC button is gated to non-production environments and won't appear in performance test runs. The Wallet home screen structural change is minimal (one conditionally-rendered button). No changes to asset loading, account list rendering, login/unlock flows, onboarding, swaps, or app launch paths that would affect measured performance metrics.

View GitHub Actions results

@github-actions github-actions Bot added the risk:medium AI analysis: medium risk label Jul 15, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

risk:medium AI analysis: medium risk size-L team-wallet-integrations Wallet Integrations team

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant