chore: Upgrade `fast-xml-parser` to `5.3.4` (GHSA-37qj-frw5-hhjh) #39683

cryptodev-2s · 2026-01-30T21:04:55Z

Description

Reason: fast-xml-parser 4.x (pulled in by @metamask/snaps-utils) is vulnerable to a RangeError DoS (GHSA-37qj-frw5-hhjh).

fast-xml-parser Changelog

The only breaking change in v5 is the ESM support

Solution: Add a resolution to fast-xml-parser ^5.3.4 and add it to npmPreapprovedPackages so the safe version can be installed despite the minimal age gate.

Changelog

CHANGELOG entry: null

Related issues

Fixes:

Manual testing steps

Screenshots/Recordings

N/A (dependency upgrade).

Before

After

Pre-merge author checklist

I've followed MetaMask Contributor Docs and MetaMask Extension Coding Standards.
I've completed the PR template to the best of my ability
I've included tests if applicable
I've documented my code using JSDoc format if applicable
I've applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

Note

Medium Risk
Dependency upgrade plus LavaMoat policy updates could cause runtime/build regressions if @metamask/snaps-utils expects v4 behavior or if the new globals aren’t correctly captured.

Overview
Upgrades fast-xml-parser to ^5.3.4 via package.json resolutions (and updates yarn.lock, including strnum to ^2.1.0) to address GHSA-37qj-frw5-hhjh.

Refreshes LavaMoat policies: removes the @metamask/snaps-utils>fast-xml-parser allowlist entry from Browserify policies, and updates Webpack MV2 policies to allow the new fast-xml-parser access pattern (exports.isExist) instead of the old entityName/val globals.

^{Written by Cursor Bugbot for commit 57261b8. This will update automatically on new commits. Configure here.}

- Add resolution in package.json for fast-xml-parser ^5.3.4 - Add fast-xml-parser to npmPreapprovedPackages for minimal age gate; remove once satisfied

github-actions · 2026-01-30T21:05:04Z

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

metamaskbotv2 · 2026-01-30T21:37:45Z

Builds ready [e953db8]

builds: chrome, firefox
builds (beta): chrome, firefox
builds (flask): chrome, firefox
builds (test): chrome, firefox
builds (test-flask): chrome, firefox
bundle size: Bundle Size Stats
user-actions-benchmark: User Actions Stats
storybook: Storybook
typescript migration: Dashboard
all artifacts
bundle viz:
- background: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10
- common: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15
- ui: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20
- content-script: 0
- offscreen: 0

UI Startup Metrics (1293 ± 106 ms)

Platform	BuildType	Page	Metric	Test Title (ms)	Persona (ms)	Mean (ms)	Min (ms)	Max (ms)	Std Dev (ms)	P 75 (ms)	P 95 (ms)
Chrome	Browserify	Standard Home	0	-	-	-	-	-	-	-	-
			1	-	-	-	-	-	-	-	-
			2	-	-	-	-	-	-	-	-
			3	-	-	-	-	-	-	-	-
			4	-	-	-	-	-	-	-	-
			5	-	-	-	-	-	-	-	-
			6	-	-	-	-	-	-	-	-
			7	-	-	-	-	-	-	-	-
			8	-	-	-	-	-	-	-	-
			9	-	-	-	-	-	-	-	-
			10	-	-	-	-	-	-	-	-
			11	-	-	-	-	-	-	-	-
			12	-	-	-	-	-	-	-	-
			13	-	-	-	-	-	-	-	-
			14	-	-	-	-	-	-	-	-
			15	-	-	-	-	-	-	-	-
			16	-	-	-	-	-	-	-	-
			17	-	-	-	-	-	-	-	-
			18	-	-	-	-	-	-	-	-
			uiStartup	-	-	1293	1057	1650	106	1341	1466
			load	-	-	1114	888	1442	106	1175	1312
			domContentLoaded	-	-	1107	886	1438	107	1168	1304
			domInteractive	-	-	26	15	94	17	23	71
			firstPaint	-	-	164	64	1228	182	187	319
			backgroundConnect	-	-	228	210	276	11	231	255
			firstReactRender	-	-	16	10	29	4	17	23
			initialActions	-	-	1	0	6	1	1	3
			loadScripts	-	-	894	676	1221	107	952	1092
			setupStore	-	-	12	6	35	5	16	21
			numNetworkReqs	-	-	21	15	82	17	15	73
			19	-	-	-	-	-	-	-	-
	Browserify	Power User Home	0	-	-	-	-	-	-	-	-
			1	-	-	-	-	-	-	-	-
			2	-	-	-	-	-	-	-	-
			3	-	-	-	-	-	-	-	-
			4	-	-	-	-	-	-	-	-
			5	-	-	-	-	-	-	-	-
			6	-	-	-	-	-	-	-	-
			7	-	-	-	-	-	-	-	-
			8	-	-	-	-	-	-	-	-
			9	-	-	-	-	-	-	-	-
			10	-	-	-	-	-	-	-	-
			11	-	-	-	-	-	-	-	-
			12	-	-	-	-	-	-	-	-
			13	-	-	-	-	-	-	-	-
			14	-	-	-	-	-	-	-	-
			15	-	-	-	-	-	-	-	-
			16	-	-	-	-	-	-	-	-
			17	-	-	-	-	-	-	-	-
			18	-	-	-	-	-	-	-	-
			uiStartup	-	-	2648	1662	8447	1241	2610	5264
			load	-	-	1160	995	1649	151	1209	1543
			domContentLoaded	-	-	1140	983	1624	144	1178	1525
			domInteractive	-	-	40	20	239	31	40	117
			firstPaint	-	-	231	81	1576	199	258	394
			backgroundConnect	-	-	749	294	3622	855	569	3070
			firstReactRender	-	-	25	16	52	7	28	42
			initialActions	-	-	1	0	5	1	1	2
			loadScripts	-	-	890	742	1301	127	934	1204
			setupStore	-	-	16	6	56	7	18	29
			numNetworkReqs	-	-	127	55	269	50	162	241
			19	-	-	-	-	-	-	-	-
	Webpack	Standard Home	0	-	-	-	-	-	-	-	-
			1	-	-	-	-	-	-	-	-
2			-	-	-	-	-	-	-	-
3			-	-	-	-	-	-	-	-
4			-	-	-	-	-	-	-	-
5			-	-	-	-	-	-	-	-
6			-	-	-	-	-	-	-	-
7			-	-	-	-	-	-	-	-
8			-	-	-	-	-	-	-	-
9			-	-	-	-	-	-	-	-
10			-	-	-	-	-	-	-	-
11			-	-	-	-	-	-	-	-
12			-	-	-	-	-	-	-	-
13			-	-	-	-	-	-	-	-
14			-	-	-	-	-	-	-	-
15			-	-	-	-	-	-	-	-
16			-	-	-	-	-	-	-	-
17			-	-	-	-	-	-	-	-
18			-	-	-	-	-	-	-	-
uiStartup			-	-	846	663	1118	97	915	1012
load			-	-	696	597	922	83	765	877
domContentLoaded			-	-	691	592	915	83	759	872
domInteractive			-	-	25	16	94	18	22	77
firstPaint			-	-	105	58	342	57	124	211
backgroundConnect			-	-	39	18	120	24	46	95
firstReactRender			-	-	15	10	38	6	16	30
initialActions			-	-	1	0	3	1	1	2
loadScripts			-	-	688	590	913	82	756	870
setupStore			-	-	11	5	30	5	11	26
numNetworkReqs			-	-	22	15	84	18	16	75
19			-	-	-	-	-	-	-	-
Webpack	Power User Home	0	-	-	-	-	-	-	-	-
		1	-	-	-	-	-	-	-	-
		2	-	-	-	-	-	-	-	-
		3	-	-	-	-	-	-	-	-
		4	-	-	-	-	-	-	-	-
		5	-	-	-	-	-	-	-	-
		6	-	-	-	-	-	-	-	-
		7	-	-	-	-	-	-	-	-
		8	-	-	-	-	-	-	-	-
		9	-	-	-	-	-	-	-	-
		10	-	-	-	-	-	-	-	-
		11	-	-	-	-	-	-	-	-
		12	-	-	-	-	-	-	-	-
		13	-	-	-	-	-	-	-	-
		14	-	-	-	-	-	-	-	-
		15	-	-	-	-	-	-	-	-
		16	-	-	-	-	-	-	-	-
		17	-	-	-	-	-	-	-	-
		18	-	-	-	-	-	-	-	-
		uiStartup	-	-	1264	864	2548	282	1440	1703
		load	-	-	713	610	1040	108	725	1013
		domContentLoaded	-	-	703	606	1033	108	715	1006
		domInteractive	-	-	36	17	186	28	36	112
		firstPaint	-	-	155	64	1020	126	187	439
		backgroundConnect	-	-	160	129	624	63	158	313
		firstReactRender	-	-	23	16	35	4	24	31
		initialActions	-	-	1	0	4	1	1	1
		loadScripts	-	-	701	604	1024	106	713	996
		setupStore	-	-	12	4	29	4	14	20
		numNetworkReqs	-	-	149	50	359	57	171	276
		19	-	-	-	-	-	-	-	-
Firefox	Browserify	Standard Home	0	-	-	-	-	-	-	-	-
			1	-	-	-	-	-	-	-	-
			2	-	-	-	-	-	-	-	-
			3	-	-	-	-	-	-	-	-
			4	-	-	-	-	-	-	-	-
			5	-	-	-	-	-	-	-	-
			6	-	-	-	-	-	-	-	-
			7	-	-	-	-	-	-	-	-
			8	-	-	-	-	-	-	-	-
			9	-	-	-	-	-	-	-	-
			10	-	-	-	-	-	-	-	-
			11	-	-	-	-	-	-	-	-
			12	-	-	-	-	-	-	-	-
			13	-	-	-	-	-	-	-	-
			14	-	-	-	-	-	-	-	-
			15	-	-	-	-	-	-	-	-
			16	-	-	-	-	-	-	-	-
			17	-	-	-	-	-	-	-	-
			18	-	-	-	-	-	-	-	-
			uiStartup	-	-	1438	1127	1964	196	1570	1906
			load	-	-	1155	961	1760	158	1225	1601
			domContentLoaded	-	-	1154	957	1759	158	1225	1601
			domInteractive	-	-	68	34	263	43	95	137
			firstPaint	-	-	-	-	-	-	-	-
			backgroundConnect	-	-	68	24	206	48	88	184
			firstReactRender	-	-	13	10	38	4	13	20
			initialActions	-	-	1	0	3	1	2	2
			loadScripts	-	-	1118	947	1735	139	1181	1431
			setupStore	-	-	17	6	206	32	11	76
			numNetworkReqs	-	-	23	12	86	18	19	75
			19	-	-	-	-	-	-	-	-
	Browserify	Power User Home	0	-	-	-	-	-	-	-	-
			1	-	-	-	-	-	-	-	-
			2	-	-	-	-	-	-	-	-
			3	-	-	-	-	-	-	-	-
			4	-	-	-	-	-	-	-	-
			5	-	-	-	-	-	-	-	-
			6	-	-	-	-	-	-	-	-
			7	-	-	-	-	-	-	-	-
			8	-	-	-	-	-	-	-	-
			9	-	-	-	-	-	-	-	-
			10	-	-	-	-	-	-	-	-
			11	-	-	-	-	-	-	-	-
			12	-	-	-	-	-	-	-	-
			13	-	-	-	-	-	-	-	-
			14	-	-	-	-	-	-	-	-
			15	-	-	-	-	-	-	-	-
			16	-	-	-	-	-	-	-	-
			17	-	-	-	-	-	-	-	-
			18	-	-	-	-	-	-	-	-
			uiStartup	-	-	2862	1922	8117	731	3060	3538
			load	-	-	1339	1109	2452	274	1368	1979
			domContentLoaded	-	-	1339	1109	2452	274	1367	1978
			domInteractive	-	-	156	48	1344	158	149	435
			firstPaint	-	-	-	-	-	-	-	-
			backgroundConnect	-	-	415	125	3095	403	511	1073
			firstReactRender	-	-	22	14	67	8	23	31
			initialActions	-	-	2	1	3	1	2	3
			loadScripts	-	-	1260	1075	2408	215	1281	1621
			setupStore	-	-	148	13	779	186	160	678
			numNetworkReqs	-	-	86	36	233	47	98	206
			19	-	-	-	-	-	-	-	-
	Webpack	Standard Home	0	-	-	-	-	-	-	-	-
			1	-	-	-	-	-	-	-	-
2			-	-	-	-	-	-	-	-
3			-	-	-	-	-	-	-	-
4			-	-	-	-	-	-	-	-
5			-	-	-	-	-	-	-	-
6			-	-	-	-	-	-	-	-
7			-	-	-	-	-	-	-	-
8			-	-	-	-	-	-	-	-
9			-	-	-	-	-	-	-	-
10			-	-	-	-	-	-	-	-
11			-	-	-	-	-	-	-	-
12			-	-	-	-	-	-	-	-
13			-	-	-	-	-	-	-	-
14			-	-	-	-	-	-	-	-
15			-	-	-	-	-	-	-	-
16			-	-	-	-	-	-	-	-
17			-	-	-	-	-	-	-	-
18			-	-	-	-	-	-	-	-
uiStartup			-	-	1706	1387	3375	262	1793	2158
load			-	-	1454	1205	3023	211	1511	1717
domContentLoaded			-	-	1453	1204	3021	211	1511	1716
domInteractive			-	-	86	30	253	47	131	156
firstPaint			-	-	-	-	-	-	-	-
backgroundConnect			-	-	65	26	252	42	80	144
firstReactRender			-	-	14	10	23	2	15	18
initialActions			-	-	1	0	3	1	2	2
loadScripts			-	-	1418	1184	2923	197	1473	1630
setupStore			-	-	20	4	229	39	12	122
numNetworkReqs			-	-	23	12	84	17	18	72
19			-	-	-	-	-	-	-	-
Webpack	Power User Home	0	-	-	-	-	-	-	-	-
		1	-	-	-	-	-	-	-	-
		2	-	-	-	-	-	-	-	-
		3	-	-	-	-	-	-	-	-
		4	-	-	-	-	-	-	-	-
		5	-	-	-	-	-	-	-	-
		6	-	-	-	-	-	-	-	-
		7	-	-	-	-	-	-	-	-
		8	-	-	-	-	-	-	-	-
		9	-	-	-	-	-	-	-	-
		10	-	-	-	-	-	-	-	-
		11	-	-	-	-	-	-	-	-
		12	-	-	-	-	-	-	-	-
		13	-	-	-	-	-	-	-	-
		14	-	-	-	-	-	-	-	-
		15	-	-	-	-	-	-	-	-
		16	-	-	-	-	-	-	-	-
		17	-	-	-	-	-	-	-	-
		18	-	-	-	-	-	-	-	-
		uiStartup	-	-	2935	2075	8017	659	3054	3855
		load	-	-	1522	1258	2559	240	1644	2010
		domContentLoaded	-	-	1522	1258	2559	240	1644	2010
		domInteractive	-	-	137	33	561	123	125	490
		firstPaint	-	-	-	-	-	-	-	-
		backgroundConnect	-	-	344	120	1596	266	394	980
		firstReactRender	-	-	23	15	60	7	25	30
		initialActions	-	-	2	0	3	1	2	3
		loadScripts	-	-	1476	1240	2528	222	1597	1869
		setupStore	-	-	156	6	823	207	211	727
		numNetworkReqs	-	-	82	39	224	47	90	210
		19	-	-	-	-	-	-	-	-

📊 Page Load Benchmark Results

Current Commit: e953db8 | Date: 1/30/2026

📄 Localhost MetaMask Test Dapp

Samples: 100

Summary

pageLoadTime-> current mean value: 1.08s (±131ms) 🟡 | historical mean value: 1.03s ⬆️ (historical data)
domContentLoaded-> current mean value: 749ms (±155ms) 🟢 | historical mean value: 717ms ⬆️ (historical data)
firstContentfulPaint-> current mean value: 92ms (±130ms) 🟢 | historical mean value: 77ms ⬆️ (historical data)

📈 Detailed Results

Metric	Mean	Std Dev	Min	Max	P95	P99
pageLoadTime	1.08s	131ms	1.03s	2.21s	1.29s	2.21s
domContentLoaded	749ms	155ms	700ms	2.16s	951ms	2.16s
firstPaint	92ms	130ms	60ms	1.38s	100ms	1.38s
firstContentfulPaint	92ms	130ms	60ms	1.38s	100ms	1.38s
largestContentfulPaint	0ms	0ms	0ms	0ms	0ms	0ms

Bundle size diffs

background: 58 Bytes (0%)
ui: 2 Bytes (0%)
common: 899 Bytes (0.01%)

.yarnrc.yml

Gudahtt · 2026-01-30T21:44:41Z

@metamaskbot update-policies

metamaskbot · 2026-01-30T21:59:15Z

Policies updated.
👀 Please review the diff for suspicious new powers.

🧠 Learn how: https://lavamoat.github.io/guides/policy-diff/#what-to-look-for-when-reviewing-a-policy-diff

👀 lavamoat/browserify/beta/policy.json changes differ from main/policy.json policy changes
👀 lavamoat/browserify/experimental/policy.json changes differ from main/policy.json policy changes
👀 lavamoat/browserify/flask/policy.json changes differ from main/policy.json policy changes
👀 lavamoat/webpack/mv2/beta/policy.json changes differ from mv2/main/policy.json policy changes
👀 lavamoat/webpack/mv2/experimental/policy.json changes differ from mv2/main/policy.json policy changes
👀 lavamoat/webpack/mv2/flask/policy.json changes differ from mv2/main/policy.json policy changes
✅ lavamoat/webpack/mv3/beta/policy.json changes match mv3/main/policy.json policy changes
✅ lavamoat/webpack/mv3/experimental/policy.json changes match mv3/main/policy.json policy changes
✅ lavamoat/webpack/mv3/flask/policy.json changes match mv3/main/policy.json policy changes

metamaskbotv2 · 2026-01-30T21:59:56Z

✨ Files requiring CODEOWNER review ✨

📜 @MetaMask/policy-reviewers (8 files, +4 -44)

📁 lavamoat/
- 📁 browserify/
  - 📁 beta/
    - 📄 policy.json +0 -9
  - 📁 experimental/
    - 📄 policy.json +0 -9
  - 📁 flask/
    - 📄 policy.json +0 -9
  - 📁 main/
    - 📄 policy.json +0 -9
- 📁 webpack/
  - 📁 mv2/
    - 📁 beta/
      - 📄 policy.json +1 -2
    - 📁 experimental/
      - 📄 policy.json +1 -2
    - 📁 flask/
      - 📄 policy.json +1 -2
    - 📁 main/
      - 📄 policy.json +1 -2

Tip

Follow the policy review process outlined in the LavaMoat Policy Review Process doc before expecting an approval from Policy Reviewers.

Gudahtt

LGTM!

mcmire

LGTM!

metamaskbotv2 · 2026-01-30T22:32:05Z

Builds ready [57261b8]

builds: chrome, firefox
builds (beta): chrome, firefox
builds (flask): chrome, firefox
builds (test): chrome, firefox
builds (test-flask): chrome, firefox
lavamoat build viz: Build System
bundle size: Bundle Size Stats
user-actions-benchmark: User Actions Stats
storybook: Storybook
typescript migration: Dashboard
all artifacts
bundle viz:
- background: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10
- common: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15
- ui: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20
- content-script: 0
- offscreen: 0

UI Startup Metrics (1320 ± 107 ms)

Platform	BuildType	Page	Metric	Test Title (ms)	Persona (ms)	Mean (ms)	Min (ms)	Max (ms)	Std Dev (ms)	P 75 (ms)	P 95 (ms)
Chrome	Browserify	Standard Home	0	-	-	-	-	-	-	-	-
			1	-	-	-	-	-	-	-	-
			2	-	-	-	-	-	-	-	-
			3	-	-	-	-	-	-	-	-
			4	-	-	-	-	-	-	-	-
			5	-	-	-	-	-	-	-	-
			6	-	-	-	-	-	-	-	-
			7	-	-	-	-	-	-	-	-
			8	-	-	-	-	-	-	-	-
			9	-	-	-	-	-	-	-	-
			10	-	-	-	-	-	-	-	-
			11	-	-	-	-	-	-	-	-
			12	-	-	-	-	-	-	-	-
			13	-	-	-	-	-	-	-	-
			14	-	-	-	-	-	-	-	-
			15	-	-	-	-	-	-	-	-
			16	-	-	-	-	-	-	-	-
			17	-	-	-	-	-	-	-	-
			18	-	-	-	-	-	-	-	-
			uiStartup	-	-	1320	1103	1543	107	1396	1500
			load	-	-	1118	903	1354	103	1186	1262
			domContentLoaded	-	-	1112	894	1348	102	1179	1257
			domInteractive	-	-	26	17	80	15	24	70
			firstPaint	-	-	158	68	1090	118	198	297
			backgroundConnect	-	-	237	218	307	16	240	277
			firstReactRender	-	-	18	10	42	5	20	29
			initialActions	-	-	1	0	5	1	1	3
			loadScripts	-	-	890	688	1126	103	964	1037
			setupStore	-	-	12	6	34	5	15	23
			numNetworkReqs	-	-	21	15	78	17	15	70
			19	-	-	-	-	-	-	-	-
	Browserify	Power User Home	0	-	-	-	-	-	-	-	-
			1	-	-	-	-	-	-	-	-
			2	-	-	-	-	-	-	-	-
			3	-	-	-	-	-	-	-	-
			4	-	-	-	-	-	-	-	-
			5	-	-	-	-	-	-	-	-
			6	-	-	-	-	-	-	-	-
			7	-	-	-	-	-	-	-	-
			8	-	-	-	-	-	-	-	-
			9	-	-	-	-	-	-	-	-
			10	-	-	-	-	-	-	-	-
			11	-	-	-	-	-	-	-	-
			12	-	-	-	-	-	-	-	-
			13	-	-	-	-	-	-	-	-
			14	-	-	-	-	-	-	-	-
			15	-	-	-	-	-	-	-	-
			16	-	-	-	-	-	-	-	-
			17	-	-	-	-	-	-	-	-
			18	-	-	-	-	-	-	-	-
			uiStartup	-	-	2062	1612	4916	527	2067	2849
			load	-	-	1098	945	1937	155	1131	1475
			domContentLoaded	-	-	1079	933	1922	150	1100	1424
			domInteractive	-	-	37	18	188	29	36	102
			firstPaint	-	-	232	81	1590	267	240	671
			backgroundConnect	-	-	422	281	3415	409	350	691
			firstReactRender	-	-	22	15	45	5	24	34
			initialActions	-	-	1	0	4	1	1	2
			loadScripts	-	-	842	716	1595	135	863	1148
			setupStore	-	-	15	6	33	6	18	26
			numNetworkReqs	-	-	85	47	190	39	95	176
			19	-	-	-	-	-	-	-	-
	Webpack	Standard Home	0	-	-	-	-	-	-	-	-
			1	-	-	-	-	-	-	-	-
2			-	-	-	-	-	-	-	-
3			-	-	-	-	-	-	-	-
4			-	-	-	-	-	-	-	-
5			-	-	-	-	-	-	-	-
6			-	-	-	-	-	-	-	-
7			-	-	-	-	-	-	-	-
8			-	-	-	-	-	-	-	-
9			-	-	-	-	-	-	-	-
10			-	-	-	-	-	-	-	-
11			-	-	-	-	-	-	-	-
12			-	-	-	-	-	-	-	-
13			-	-	-	-	-	-	-	-
14			-	-	-	-	-	-	-	-
15			-	-	-	-	-	-	-	-
16			-	-	-	-	-	-	-	-
17			-	-	-	-	-	-	-	-
18			-	-	-	-	-	-	-	-
uiStartup			-	-	821	667	1196	94	865	1004
load			-	-	675	598	922	65	725	805
domContentLoaded			-	-	670	595	915	64	720	798
domInteractive			-	-	26	15	119	20	22	82
firstPaint			-	-	105	61	298	49	128	209
backgroundConnect			-	-	42	18	149	28	50	114
firstReactRender			-	-	16	10	35	6	18	29
initialActions			-	-	1	0	5	1	1	3
loadScripts			-	-	668	593	906	63	716	790
setupStore			-	-	11	5	37	5	12	25
numNetworkReqs			-	-	22	15	86	18	15	75
19			-	-	-	-	-	-	-	-
Webpack	Power User Home	0	-	-	-	-	-	-	-	-
		1	-	-	-	-	-	-	-	-
		2	-	-	-	-	-	-	-	-
		3	-	-	-	-	-	-	-	-
		4	-	-	-	-	-	-	-	-
		5	-	-	-	-	-	-	-	-
		6	-	-	-	-	-	-	-	-
		7	-	-	-	-	-	-	-	-
		8	-	-	-	-	-	-	-	-
		9	-	-	-	-	-	-	-	-
		10	-	-	-	-	-	-	-	-
		11	-	-	-	-	-	-	-	-
		12	-	-	-	-	-	-	-	-
		13	-	-	-	-	-	-	-	-
		14	-	-	-	-	-	-	-	-
		15	-	-	-	-	-	-	-	-
		16	-	-	-	-	-	-	-	-
		17	-	-	-	-	-	-	-	-
		18	-	-	-	-	-	-	-	-
		uiStartup	-	-	1261	864	1809	227	1411	1739
		load	-	-	702	593	1202	124	711	1051
		domContentLoaded	-	-	693	586	1180	123	701	1037
		domInteractive	-	-	32	17	124	22	31	89
		firstPaint	-	-	149	68	1044	125	184	288
		backgroundConnect	-	-	174	138	393	44	178	286
		firstReactRender	-	-	23	16	39	4	25	32
		initialActions	-	-	1	0	3	1	1	1
		loadScripts	-	-	690	584	1172	122	699	1030
		setupStore	-	-	12	5	34	4	14	18
		numNetworkReqs	-	-	105	48	310	55	131	226
		19	-	-	-	-	-	-	-	-
Firefox	Browserify	Standard Home	0	-	-	-	-	-	-	-	-
			1	-	-	-	-	-	-	-	-
			2	-	-	-	-	-	-	-	-
			3	-	-	-	-	-	-	-	-
			4	-	-	-	-	-	-	-	-
			5	-	-	-	-	-	-	-	-
			6	-	-	-	-	-	-	-	-
			7	-	-	-	-	-	-	-	-
			8	-	-	-	-	-	-	-	-
			9	-	-	-	-	-	-	-	-
			10	-	-	-	-	-	-	-	-
			11	-	-	-	-	-	-	-	-
			12	-	-	-	-	-	-	-	-
			13	-	-	-	-	-	-	-	-
			14	-	-	-	-	-	-	-	-
			15	-	-	-	-	-	-	-	-
			16	-	-	-	-	-	-	-	-
			17	-	-	-	-	-	-	-	-
			18	-	-	-	-	-	-	-	-
			uiStartup	-	-	1472	1166	2028	179	1581	1869
			load	-	-	1176	983	1774	118	1251	1381
			domContentLoaded	-	-	1176	980	1774	118	1247	1381
			domInteractive	-	-	79	34	365	53	102	165
			firstPaint	-	-	-	-	-	-	-	-
			backgroundConnect	-	-	65	27	232	43	77	169
			firstReactRender	-	-	14	10	42	6	14	36
			initialActions	-	-	1	0	3	1	1	2
			loadScripts	-	-	1143	968	1745	112	1204	1336
			setupStore	-	-	15	5	103	17	11	44
			numNetworkReqs	-	-	23	12	85	19	18	80
			19	-	-	-	-	-	-	-	-
	Browserify	Power User Home	0	-	-	-	-	-	-	-	-
			1	-	-	-	-	-	-	-	-
			2	-	-	-	-	-	-	-	-
			3	-	-	-	-	-	-	-	-
			4	-	-	-	-	-	-	-	-
			5	-	-	-	-	-	-	-	-
			6	-	-	-	-	-	-	-	-
			7	-	-	-	-	-	-	-	-
			8	-	-	-	-	-	-	-	-
			9	-	-	-	-	-	-	-	-
			10	-	-	-	-	-	-	-	-
			11	-	-	-	-	-	-	-	-
			12	-	-	-	-	-	-	-	-
			13	-	-	-	-	-	-	-	-
			14	-	-	-	-	-	-	-	-
			15	-	-	-	-	-	-	-	-
			16	-	-	-	-	-	-	-	-
			17	-	-	-	-	-	-	-	-
			18	-	-	-	-	-	-	-	-
			uiStartup	-	-	2795	1993	8252	920	2849	4055
			load	-	-	1322	1039	2462	332	1285	2194
			domContentLoaded	-	-	1322	1038	2462	332	1284	2193
			domInteractive	-	-	141	38	1420	158	136	370
			firstPaint	-	-	-	-	-	-	-	-
			backgroundConnect	-	-	375	124	5415	584	309	974
			firstReactRender	-	-	21	14	72	7	22	30
			initialActions	-	-	2	1	3	1	2	3
			loadScripts	-	-	1262	1017	2437	292	1261	2104
			setupStore	-	-	149	9	1105	193	166	600
			numNetworkReqs	-	-	76	36	208	41	99	176
			19	-	-	-	-	-	-	-	-
	Webpack	Standard Home	0	-	-	-	-	-	-	-	-
			1	-	-	-	-	-	-	-	-
2			-	-	-	-	-	-	-	-
3			-	-	-	-	-	-	-	-
4			-	-	-	-	-	-	-	-
5			-	-	-	-	-	-	-	-
6			-	-	-	-	-	-	-	-
7			-	-	-	-	-	-	-	-
8			-	-	-	-	-	-	-	-
9			-	-	-	-	-	-	-	-
10			-	-	-	-	-	-	-	-
11			-	-	-	-	-	-	-	-
12			-	-	-	-	-	-	-	-
13			-	-	-	-	-	-	-	-
14			-	-	-	-	-	-	-	-
15			-	-	-	-	-	-	-	-
16			-	-	-	-	-	-	-	-
17			-	-	-	-	-	-	-	-
18			-	-	-	-	-	-	-	-
uiStartup			-	-	1610	1336	2212	178	1677	1985
load			-	-	1391	1154	1962	149	1454	1681
domContentLoaded			-	-	1390	1154	1962	149	1454	1681
domInteractive			-	-	81	29	187	39	111	139
firstPaint			-	-	-	-	-	-	-	-
backgroundConnect			-	-	74	26	261	52	110	180
firstReactRender			-	-	13	10	22	2	14	19
initialActions			-	-	1	0	3	1	1	2
loadScripts			-	-	1344	1128	1846	133	1411	1642
setupStore			-	-	15	3	227	27	10	49
numNetworkReqs			-	-	22	12	84	16	18	73
19			-	-	-	-	-	-	-	-
Webpack	Power User Home	0	-	-	-	-	-	-	-	-
		1	-	-	-	-	-	-	-	-
		2	-	-	-	-	-	-	-	-
		3	-	-	-	-	-	-	-	-
		4	-	-	-	-	-	-	-	-
		5	-	-	-	-	-	-	-	-
		6	-	-	-	-	-	-	-	-
		7	-	-	-	-	-	-	-	-
		8	-	-	-	-	-	-	-	-
		9	-	-	-	-	-	-	-	-
		10	-	-	-	-	-	-	-	-
		11	-	-	-	-	-	-	-	-
		12	-	-	-	-	-	-	-	-
		13	-	-	-	-	-	-	-	-
		14	-	-	-	-	-	-	-	-
		15	-	-	-	-	-	-	-	-
		16	-	-	-	-	-	-	-	-
		17	-	-	-	-	-	-	-	-
		18	-	-	-	-	-	-	-	-
		uiStartup	-	-	2800	1991	3873	424	3016	3588
		load	-	-	1508	1181	2400	243	1634	2126
		domContentLoaded	-	-	1507	1181	2400	243	1634	2125
		domInteractive	-	-	106	32	468	77	109	279
		firstPaint	-	-	-	-	-	-	-	-
		backgroundConnect	-	-	294	103	1158	222	313	854
		firstReactRender	-	-	22	15	58	8	26	33
		initialActions	-	-	2	1	8	1	2	3
		loadScripts	-	-	1451	1161	2260	216	1547	1968
		setupStore	-	-	147	8	818	200	144	661
		numNetworkReqs	-	-	73	36	227	43	92	180
		19	-	-	-	-	-	-	-	-

📊 Page Load Benchmark Results

Current Commit: 57261b8 | Date: 1/30/2026

📄 Localhost MetaMask Test Dapp

Samples: 100

Summary

pageLoadTime-> current mean value: 1.06s (±43ms) 🟡 | historical mean value: 1.03s ⬆️ (historical data)
domContentLoaded-> current mean value: 740ms (±39ms) 🟢 | historical mean value: 717ms ⬆️ (historical data)
firstContentfulPaint-> current mean value: 80ms (±11ms) 🟢 | historical mean value: 77ms ⬆️ (historical data)

📈 Detailed Results

Metric	Mean	Std Dev	Min	Max	P95	P99
pageLoadTime	1.06s	43ms	1.03s	1.37s	1.07s	1.37s
domContentLoaded	740ms	39ms	717ms	1.03s	750ms	1.03s
firstPaint	80ms	11ms	64ms	172ms	88ms	172ms
firstContentfulPaint	80ms	11ms	64ms	172ms	88ms	172ms
largestContentfulPaint	0ms	0ms	0ms	0ms	0ms	0ms

Bundle size diffs

background: 58 Bytes (0%)
ui: 2 Bytes (0%)
common: 899 Bytes (0.01%)

Upgrade fast-xml-parser to 5.3.4 (GHSA-37qj-frw5-hhjh)

e953db8

- Add resolution in package.json for fast-xml-parser ^5.3.4 - Add fast-xml-parser to npmPreapprovedPackages for minimal age gate; remove once satisfied

cryptodev-2s had a problem deploying to pr-comment January 30, 2026 21:05 — with GitHub Actions Error

metamaskbot added the team-core-platform Core Platform team label Jan 30, 2026

cryptodev-2s self-assigned this Jan 30, 2026

cryptodev-2s changed the title ~~Upgrade fast-xml-parser to 5.3.4 (GHSA-37qj-frw5-hhjh)~~ chore: Upgrade fast-xml-parser to 5.3.4 (GHSA-37qj-frw5-hhjh) Jan 30, 2026

cryptodev-2s changed the title ~~chore: Upgrade fast-xml-parser to 5.3.4 (GHSA-37qj-frw5-hhjh)~~ chore: Upgrade fast-xml-parser to 5.3.4 (GHSA-37qj-frw5-hhjh) Jan 30, 2026

github-actions bot added the size-XS label Jan 30, 2026

cryptodev-2s marked this pull request as ready for review January 30, 2026 21:08

cryptodev-2s requested a review from a team as a code owner January 30, 2026 21:08

cryptodev-2s temporarily deployed to pr-comment January 30, 2026 21:08 — with GitHub Actions Inactive

mikesposito previously approved these changes Jan 30, 2026

View reviewed changes

cryptodev-2s enabled auto-merge January 30, 2026 21:12

cryptodev-2s temporarily deployed to pr-comment January 30, 2026 21:33 — with GitHub Actions Inactive

Gudahtt reviewed Jan 30, 2026

View reviewed changes

.yarnrc.yml Outdated Show resolved Hide resolved

Remove minimal age gate changes

37fb425

Gudahtt dismissed mikesposito’s stale review via 37fb425 January 30, 2026 21:44

Gudahtt temporarily deployed to pr-comment January 30, 2026 21:44 — with GitHub Actions Inactive

Update LavaMoat policies

57261b8

metamaskbot requested a review from a team as a code owner January 30, 2026 21:59

metamaskbot temporarily deployed to pr-comment January 30, 2026 21:59 — with GitHub Actions Inactive

Gudahtt approved these changes Jan 30, 2026

View reviewed changes

mcmire approved these changes Jan 30, 2026

View reviewed changes

metamaskbot temporarily deployed to pr-comment January 30, 2026 22:27 — with GitHub Actions Inactive

cryptodev-2s added this pull request to the merge queue Jan 30, 2026

Merged via the queue into main with commit 1b0fd13 Jan 30, 2026
337 of 339 checks passed

cryptodev-2s deleted the upgrade/fast-xml-parser branch January 30, 2026 22:50

github-actions bot locked and limited conversation to collaborators Jan 30, 2026

metamaskbot added the release-13.18.0 Issue or pull request that will be included in release 13.18.0 label Jan 30, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore: Upgrade `fast-xml-parser` to `5.3.4` (GHSA-37qj-frw5-hhjh) #39683

chore: Upgrade `fast-xml-parser` to `5.3.4` (GHSA-37qj-frw5-hhjh) #39683

Uh oh!

cryptodev-2s commented Jan 30, 2026 •

edited by cursor bot

Loading

Uh oh!

github-actions bot commented Jan 30, 2026

Uh oh!

metamaskbotv2 bot commented Jan 30, 2026

📄 Localhost MetaMask Test Dapp

Summary

Uh oh!

Uh oh!

Gudahtt commented Jan 30, 2026

Uh oh!

metamaskbot commented Jan 30, 2026

Uh oh!

metamaskbotv2 bot commented Jan 30, 2026

Uh oh!

Gudahtt left a comment

Uh oh!

mcmire left a comment

Uh oh!

metamaskbotv2 bot commented Jan 30, 2026

📄 Localhost MetaMask Test Dapp

Summary

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

chore: Upgrade fast-xml-parser to 5.3.4 (GHSA-37qj-frw5-hhjh) #39683

chore: Upgrade fast-xml-parser to 5.3.4 (GHSA-37qj-frw5-hhjh) #39683

Uh oh!

Conversation

cryptodev-2s commented Jan 30, 2026 • edited by cursor bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

Changelog

Related issues

Manual testing steps

Screenshots/Recordings

Before

After

Pre-merge author checklist

Pre-merge reviewer checklist

Uh oh!

github-actions bot commented Jan 30, 2026

Uh oh!

metamaskbotv2 bot commented Jan 30, 2026

📄 Localhost MetaMask Test Dapp

Summary

Uh oh!

Uh oh!

Gudahtt commented Jan 30, 2026

Uh oh!

metamaskbot commented Jan 30, 2026

Uh oh!

metamaskbotv2 bot commented Jan 30, 2026

✨ Files requiring CODEOWNER review ✨

Uh oh!

Gudahtt left a comment

Choose a reason for hiding this comment

Uh oh!

mcmire left a comment

Choose a reason for hiding this comment

Uh oh!

metamaskbotv2 bot commented Jan 30, 2026

📄 Localhost MetaMask Test Dapp

Summary

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

chore: Upgrade `fast-xml-parser` to `5.3.4` (GHSA-37qj-frw5-hhjh) #39683

chore: Upgrade `fast-xml-parser` to `5.3.4` (GHSA-37qj-frw5-hhjh) #39683

cryptodev-2s commented Jan 30, 2026 •

edited by cursor bot

Loading