Skip to content

refactor!: remove gatsby#181

Merged
ccharly merged 18 commits into
mainfrom
cc/refactor/remove-gatsby
Jul 3, 2026
Merged

refactor!: remove gatsby#181
ccharly merged 18 commits into
mainfrom
cc/refactor/remove-gatsby

Conversation

@ccharly

@ccharly ccharly commented Jun 25, 2026

Copy link
Copy Markdown
Contributor

Trying to simplify the SSK site as much as we can to align with other test dapps we have.

Screenshot 2026-06-30 at 15 21 56 Screenshot 2026-06-30 at 15 22 03

Note

Medium Risk
Large build and UI refactor with CI publishing dist/ and renamed env vars; breakage would mainly affect the dev test site and e2e flows rather than production snap logic.

Overview
Replaces the Simple Snap Keyring site’s Gatsby stack with a Webpack 5 + SWC SPA that builds to dist/ instead of public/, matching other MetaMask test dapps.

The Gatsby config, page routing, and MUI/styled-components UI are removed in favor of index.html + index.tsx, Bootstrap styling, and a single App.tsx that inlines connect, accounts, options, and keyring RPC test forms. Snap targeting now uses SNAP_ORIGIN and PATH_PREFIX (injected at build time via Webpack’s EnvironmentPlugin) instead of GATSBY_* / .env.production writes.

GitHub Actions publish the new output directory and pass build env vars directly in the dapp workflow; release caches no longer include packages/*/public. MetaMask access goes through getEthereumProvider() with optional window.ethereum typing, and the snap manifest shasum is updated for the bundled snap.

Reviewed by Cursor Bugbot for commit b09ed59. Bugbot is set up for automated code reviews on this repo. Configure here.

@socket-security

socket-security Bot commented Jun 25, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addedbootstrap@​5.3.89910010084100
Addedcopy-webpack-plugin@​11.0.08910010087100
Addedwebpack-cli@​5.1.49810010093100

View full report

Comment thread packages/snap/snap.config.ts Outdated
Comment thread packages/site/src/config/snap.ts Outdated
@ccharly
ccharly force-pushed the cc/refactor/remove-gatsby branch from 43e0af3 to 6ab1be1 Compare June 29, 2026 07:57
@ccharly
ccharly marked this pull request as ready for review June 30, 2026 11:31
Comment thread packages/site/src/hooks/MetamaskContext.tsx Outdated
env:
GATSBY_PATH_PREFIX: ${{ github.event.repository.name }}/${{ inputs.destination_dir }}/
SNAP_ORIGIN: npm:@metamask/${{ github.event.repository.name }}-snap
PATH_PREFIX: ${{ github.event.repository.name }}/${{ inputs.destination_dir }}/

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now used by webpack! See webpack.config.js

Comment on lines -35 to -53
"dependencies": {
"@emotion/react": "^11.11.1",
"@emotion/styled": "^11.11.0",
"@metamask/keyring-api": "^23.1.0",
"@metamask/keyring-snap-client": "^9.0.2",
"@metamask/providers": "^19.0.0",
"@mui/icons-material": "^5.14.0",
"@mui/material": "^5.14.0",
"@types/react-helmet": "^6.1.6",
"crypto-browserify": "^3.12.1",
"react": "^18.2.0",
"react-dom": "^18.2.0",
"react-helmet": "^6.1.0",
"react-icons": "^4.8.0",
"react-is": "^18.2.0",
"semver": "^7.5.4",
"styled-components": "5.3.9",
"webpack": "^5.88.2"
},

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Moved all dependencies as devDependencies so they do not interfere with the main dep tree (the extension is using the dapp dependency to use it in its e2e tests).

That's ok given that we mostly build a bundle/static code that will be then served. No need to have any actual runtime dep for this.

@socket-security

socket-security Bot commented Jun 30, 2026

Copy link
Copy Markdown

Warning

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action Severity Alert  (click "▶" to expand/collapse)
Warn Low
Potential code anomaly (AI signal): npm flat is 65.0% likely to have a medium risk anomaly

Notes: The code is a simple CLI wrapper for a flattening utility. The primary security concern is the dynamic require of a user-supplied file, which can execute arbitrary code if the input is a JavaScript module. If inputs are strictly JSON data and no file path is provided, the risk is minimal. Overall, the risk is moderate due to the potential for code execution via require(file).

Confidence: 0.65

Severity: 0.50

From: ?npm/webpack-cli@5.1.4npm/flat@5.0.2

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/flat@5.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm function-bind is 75.0% likely to have a medium risk anomaly

Notes: The code is a standard Function.prototype.bind polyfill implementation. It carefully handles this binding, constructor behavior, and argument binding without introducing observable malicious behavior. The dynamic Function constructor is used as part of a legitimate polyfill technique and does not indicate an attack by itself in this context.

Confidence: 0.75

Severity: 0.50

From: ?npm/webpack-cli@5.1.4npm/function-bind@1.1.2

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/function-bind@1.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm resolve is 85.0% likely to have a medium risk anomaly

Notes: This manifest uses a non-registry, relative-path dependency ('resolve': '../../../') which is a significant supply-chain risk because it allows arbitrary local code to be pulled in and executed without registry protections. Combined with the 'lerna bootstrap' postinstall script (which can trigger other lifecycle scripts across the monorepo), this setup increases the chance of untrusted code execution and other malicious behavior. Inspect the target of the relative path, all bootstrap-linked packages, and any lifecycle scripts before running npm install in an untrusted environment.

Confidence: 0.85

Severity: 0.80

From: ?npm/webpack-cli@5.1.4npm/resolve@1.22.12

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/resolve@1.22.12. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Ignoring alerts on:

  • copy-webpack-plugin@11.0.0
  • commander@10.0.1

View full report

@ccharly

ccharly commented Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

@SocketSecurity ignore npm/commander@10.0.1

I think that's a false-positive, there's no actual obfuscated code in there. Also, double-checked the actual code, and everything look legit to me.

@ccharly

ccharly commented Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

@SocketSecurity ignore npm/copy-webpack-plugin@11.0.0

Looks legit too, this package uses serialize-javascript mostly to cache things. That's also a know plugin for webpack, so we're good here.

Comment thread packages/site/package.json Outdated
@ccharly
ccharly force-pushed the cc/refactor/remove-gatsby branch from 95f988c to 2f6f89d Compare July 2, 2026 10:08
Comment thread packages/site/webpack.config.js
Comment thread packages/site/src/hooks/MetamaskContext.tsx Outdated
Comment thread packages/site/src/utils/metamask.ts Outdated

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

There are 2 total unresolved issues (including 1 from previous review).

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit b77791d. Configure here.

Comment thread packages/site/src/utils/provider.ts Outdated
@ccharly
ccharly enabled auto-merge (squash) July 2, 2026 12:45
@ccharly
ccharly merged commit 9c25dd0 into main Jul 3, 2026
18 checks passed
@ccharly
ccharly deleted the cc/refactor/remove-gatsby branch July 3, 2026 11:19
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants