release(runway): cherry-pick chore: Resolve multiple advisories cp-13.20.0

[runway-github]

• chore: Resolve multiple advisories (chore: Resolve multiple advisories cp-13.20.0 #40320)

Description

Resolve GHSA-2g4f-4pwh-qvx6 partly by
bumping addons-linter, ajv and by modifying the ignored advisory.
The dependency is only used for dev.

Resolve GHSA-378v-28hj-76wf by bumping
bn.js.

Partially resolve GHSA-3ppc-4f35-3m26 by
bumping minimatch, it was partially resolved by ignoring in the first
place.

This should get main passing.

Changelog

CHANGELOG entry: null

---

Note

Low Risk
Lockfile/config-only changes to dev/build-time dependencies; low runtime impact, but CI/build behavior could change if tooling relies on exact versions.

Overview
Updates the Yarn audit ignore list by replacing the ignored minimatch advisory ID (1113296 -> 1113371).

Refreshes dependency metadata/locks to resolve advisories, including bumps to addons-linter (9.6.0 -> 9.8.0) and related transitive deps (addons-scanner-utils, @mdn/browser-compat-data, ajv 8.x), plus security-motivated updates to ajv 6.x (6.12.6 -> 6.14.0), bn.js (5.2.1 -> 5.2.3), and minimatch (10.1.1 -> 10.2.2, with updated brace-expansion/balanced-match entries). attribution.txt is updated to reflect the new ajv and bn.js versions.

^{Written by Cursor Bugbot for commit 02a509a. This will update automatically on new commits. Configure here.}

64b4472

[metamaskbotv2]

✨ Files requiring CODEOWNER review ✨

👨‍🔧 @MetaMask/extension-platform (1 files, +1 -1)

• 📄 .yarnrc.yml +1 -1

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	addons-linter@​9.6.0 ⏵ 9.8.0				+1

View full report

[socket-security]

Warning

MetaMask internal reviewing guidelines:

• Do not ignore-all
• Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
• Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
  @SocketSecurity ignore npm/PACKAGE@VERSION

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly Notes: The code augments a meta-schema to permit remote dereferencing of keyword schemas via a hardcoded data.json resource. This introduces network dependency and potential changes to validation semantics at runtime. While not inherently malicious, the remote reference constitutes a notable security and reliability risk that should be mitigated with local fallbacks, input validation, and explicit remote-resource governance. Confidence: 1.00 Severity: 0.60 From: ? → npm/@open-rpc/test-coverage@2.2.4 → npm/ajv@6.14.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@6.14.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly Notes: The code is a straightforward build script to bundle and minify a specified package using Browserify and UglifyJS. The primary security concern is potential path manipulation: json.main is used to form a require path without validating that it stays within the target package directory. If a malicious or misconfigured package.json includes an absolute path or traversal outside the package, the script could bundle unintended files. Otherwise, the script does not perform network access, data exfiltration, or backdoor actions, and there is no hard-coded secrets or dynamic code execution beyond standard bundling/minification. Confidence: 1.00 Severity: 0.60 From: ? → npm/@open-rpc/test-coverage@2.2.4 → npm/ajv@6.14.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@6.14.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly Notes: The code implements a standard AJV-like dynamic parser generator for JTD schemas. There are no explicit malware indicators in this fragment. The primary security concern is the dynamic code generation and execution from external schemas, which introduces a medium risk if schemas are untrusted. With trusted schemas and proper schema management, the risk is typically acceptable within this pattern. Confidence: 1.00 Severity: 0.60 From: ? → npm/addons-linter@9.8.0 → npm/ajv@8.18.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@8.18.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly Notes: The code implements standard timestamp validation with clear logic for normal and leap years and leap seconds. There is no network, file, or execution of external code within this isolated fragment. The only anomalous aspect is assigning a string to validTimestamp.code, which could enable external tooling to inject behavior in certain environments, but this does not constitute active malicious behavior in this isolated snippet. Overall, low to moderate security risk in typical usage; no malware detected within the shown code. Confidence: 1.00 Severity: 0.60 From: ? → npm/addons-linter@9.8.0 → npm/ajv@8.18.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@8.18.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly Notes: This module generates JavaScript code at runtime via standaloneCode(...) and then immediately executes it with require-from-string. Because the generated code can incorporate user-supplied schemas or custom keywords without sanitization or sandboxing, an attacker who controls those inputs could inject arbitrary code and achieve remote code execution in the Node process. Users should audit and lock down the standaloneCode output or replace dynamic evaluation with a safer, static bundling approach. Confidence: 1.00 Severity: 0.60 From: ? → npm/addons-linter@9.8.0 → npm/ajv@8.18.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@8.18.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[metamaskbotv2]

Builds ready [02a509a]

• builds: chrome, firefox
• builds (beta): chrome, firefox
• builds (flask): chrome, firefox
• builds (test): chrome, firefox
• builds (test-flask): chrome, firefox
• bundle size: Bundle Size Stats
• user-actions-benchmark: User Actions Stats
• storybook: Storybook
• typescript migration: Dashboard
• all artifacts
• bundle viz:

  • background: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
  • common: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18
  • ui: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20
  • content-script: 0
  • offscreen: 0

UI Startup Metrics (1439 ± 126 ms)

Platform	BuildType	Page	Metric	Mean (ms)	Min (ms)	Max (ms)	Std Dev (ms)	P 75 (ms)	P 95 (ms)
Chrome	Browserify	Standard Home	uiStartup	1439	1184	1898	126	1522	1628
			load	1220	985	1551	113	1296	1408
			domContentLoaded	1213	980	1539	112	1288	1400
			domInteractive	28	16	128	23	23	86
			firstPaint	162	67	518	93	231	303
			backgroundConnect	202	183	329	18	208	228
			firstReactRender	18	12	37	4	19	25
			initialActions	1	0	7	1	1	3
			loadScripts	1028	797	1352	112	1105	1211
			setupStore	12	6	59	6	14	19
			numNetworkReqs	31	22	95	20	25	84
	Browserify	Power User Home	uiStartup	2354	1332	10334	1524	2172	4565
			load	1157	1021	1821	137	1188	1464
			domContentLoaded	1139	1016	1668	122	1183	1368
			domInteractive	30	18	113	12	31	45
			firstPaint	188	71	1438	152	249	302
			backgroundConnect	696	252	7890	1068	362	2736
			firstReactRender	24	16	47	7	27	39
			initialActions	1	0	5	1	1	2
			loadScripts	937	810	1455	119	978	1172
			setupStore	17	7	74	10	18	39
			numNetworkReqs	68	35	144	24	82	111
	Webpack	Standard Home	uiStartup	870	692	1168	117	942	1104
			load	745	612	1079	107	816	913
			domContentLoaded	739	607	1072	107	809	905
			domInteractive	27	16	102	20	23	77
			firstPaint	113	61	271	51	137	210
			backgroundConnect	26	18	46	7	29	40
			firstReactRender	18	12	36	6	21	32
			initialActions	1	0	5	1	1	3
			loadScripts	737	605	1070	107	807	897
			setupStore	12	5	42	6	13	23
			numNetworkReqs	31	22	99	20	25	85
	Webpack	Power User Home	uiStartup	1206	885	1757	146	1297	1439
			load	725	650	1020	84	721	960
			domContentLoaded	713	640	1014	85	710	952
			domInteractive	37	19	171	30	35	108
			firstPaint	150	61	452	78	189	283
			backgroundConnect	170	131	413	52	164	284
			firstReactRender	21	16	32	3	23	26
			initialActions	1	0	2	1	1	1
			loadScripts	710	638	1004	83	708	943
			setupStore	12	5	20	4	14	18
			numNetworkReqs	80	35	165	27	88	136
Firefox	Browserify	Standard Home	uiStartup	1777	1447	2909	292	1790	2553
			load	1499	1228	2476	251	1504	2200
			domContentLoaded	1498	1223	2476	252	1503	2199
			domInteractive	77	33	343	54	93	141
			firstPaint	-	-	-	-	-	-
			backgroundConnect	67	31	239	34	70	123
			firstReactRender	14	12	17	1	15	16
			initialActions	1	0	3	1	2	2
			loadScripts	1468	1197	2390	243	1476	2167
			setupStore	22	7	190	30	17	51
			numNetworkReqs	32	19	96	19	27	90
	Browserify	Power User Home	uiStartup	2854	2006	4291	442	3017	3627
			load	1597	1353	2890	281	1645	2131
			domContentLoaded	1597	1347	2890	281	1645	2131
			domInteractive	134	36	485	100	132	382
			firstPaint	-	-	-	-	-	-
			backgroundConnect	416	114	1994	375	504	1089
			firstReactRender	20	15	91	11	19	25
			initialActions	2	0	3	1	2	2
			loadScripts	1559	1330	2852	273	1587	2078
			setupStore	109	9	745	162	91	529
			numNetworkReqs	70	30	196	38	87	141
	Webpack	Standard Home	uiStartup	1795	1479	3359	329	1805	2129
			load	1516	1265	3083	280	1530	1720
			domContentLoaded	1516	1264	3082	280	1530	1719
			domInteractive	118	30	1549	151	132	170
			firstPaint	-	-	-	-	-	-
			backgroundConnect	61	28	206	35	63	132
			firstReactRender	16	13	27	3	17	25
			initialActions	1	0	3	1	2	2
			loadScripts	1489	1245	3059	276	1507	1703
			setupStore	39	6	1412	141	26	113
			numNetworkReqs	31	19	92	17	27	77
	Webpack	Power User Home	uiStartup	2640	1949	3846	371	2805	3433
			load	1543	1298	2220	220	1675	2069
			domContentLoaded	1542	1298	2220	220	1674	2069
			domInteractive	134	33	750	138	127	429
			firstPaint	-	-	-	-	-	-
			backgroundConnect	327	110	1466	283	340	894
			firstReactRender	20	15	32	4	22	29
			initialActions	2	1	50	5	2	2
			loadScripts	1507	1276	2197	212	1583	2050
			setupStore	117	7	805	161	115	513
			numNetworkReqs	67	29	229	39	87	142

📊 Page Load Benchmark Results

Current Commit: 02a509a | Date: 2/23/2026

📄 Localhost MetaMask Test Dapp

Samples: 100

Summary

• pageLoadTime-> current mean value: 1.06s (±43ms) 🟡 | historical mean value: 1.04s ⬆️ (historical data)
• domContentLoaded-> current mean value: 739ms (±60ms) 🟢 | historical mean value: 727ms ⬆️ (historical data)
• firstContentfulPaint-> current mean value: 91ms (±128ms) 🟢 | historical mean value: 80ms ⬆️ (historical data)

📈 Detailed Results

Metric	Mean	Std Dev	Min	Max	P95	P99
pageLoadTime	1.06s	43ms	1.02s	1.40s	1.09s	1.40s
domContentLoaded	739ms	60ms	709ms	1.30s	761ms	1.30s
firstPaint	91ms	128ms	64ms	1.37s	88ms	1.37s
firstContentfulPaint	91ms	128ms	64ms	1.37s	88ms	1.37s
largestContentfulPaint	0ms	0ms	0ms	0ms	0ms	0ms