Migrate MM SDK to MM Connect EVM on MetaMask docs#2779
shahbaz17 wants to merge 4 commits into sdk-new-structure from
All alerts resolved. Learn more about Socket for GitHub. This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored. Ignoring alerts on:
@SocketSecurity ignore-all
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.
| : {}), | ||
| '0xaa36a7': 'https://rpc.sepolia.org', | ||
| '0xe705': 'https://rpc.sepolia.linea.build', | ||
| }, |
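Review bot: The literal '0xaa36a7' and '0xe705' entries sit after the ": {})," that closes the conditional spread, so for these two keys the literal value is what ends up in the object regardless of what the spread supplied. If the spread is meant to take precedence when it is non-empty, move these two lines above it, and add a short comment naming the network behind each hex chain ID so the mapping can be checked at a glance.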
Hardcoded RPC URLs override Infura URLs for key chains
Medium Severity
In the supportedNetworks configuration, the Infura RPC URLs from getInfuraRpcUrls are spread first, then hardcoded public RPC URLs for 0xaa36a7 (Sepolia) and 0xe705 (Linea Sepolia) are placed after. Due to JavaScript object spread semantics, the hardcoded public endpoints always override any Infura-provided URLs for these same chain IDs. Since these are the two primary chains used by the faucet, the INFURA_API_KEY effectively provides no benefit for the most critical networks. The spread order likely needs to be reversed so the public URLs serve as defaults and Infura URLs override them when a key is available.
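The spread-order behaviour described in the finding above, as an added example that is not part of the PR or of Bugbot's review. `infuraUrlsFor` is a hypothetical stand-in for `getInfuraRpcUrls`, and the API key and the mainnet entry are constructed sample values.

```javascript
// Public endpoints as they appear in the reviewed lines.
const PUBLIC_DEFAULTS = {
  '0xaa36a7': 'https://rpc.sepolia.org',
  '0xe705': 'https://rpc.sepolia.linea.build',
};

// Hypothetical stand-in for getInfuraRpcUrls: returns {} when no key is set.
function infuraUrlsFor(apiKey) {
  if (!apiKey) return {};
  return {
    '0x1': `https://mainnet.infura.io/v3/${apiKey}`,
    '0xaa36a7': `https://sepolia.infura.io/v3/${apiKey}`,
    '0xe705': `https://linea-sepolia.infura.io/v3/${apiKey}`,
  };
}

// Order flagged in the review: keyed URLs are spread first, so the
// literals that follow replace them for any chain ID present in both.
function networksKeyedFirst(apiKey) {
  return { ...infuraUrlsFor(apiKey), ...PUBLIC_DEFAULTS };
}

// Suggested order: literals act as defaults, keyed URLs override them
// whenever a key is configured.
function networksDefaultsFirst(apiKey) {
  return { ...PUBLIC_DEFAULTS, ...infuraUrlsFor(apiKey) };
}

// Regression check: list the chain IDs whose keyed URL did not survive
// the merge. An empty list means the API key is actually in effect.
function shadowedChains(merged, apiKey) {
  const keyed = infuraUrlsFor(apiKey);
  return Object.keys(keyed).filter((id) => merged[id] !== keyed[id]);
}

const SAMPLE_KEY = 'constructed-sample-key'; // not a real credential
console.log(shadowedChains(networksKeyedFirst(SAMPLE_KEY), SAMPLE_KEY));
console.log(shadowedChains(networksDefaultsFirst(SAMPLE_KEY), SAMPLE_KEY));
```

A check like `shadowedChains` in the site's unit tests would catch the ordering regressing again without needing a live RPC call.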
| console.error('MetaMask Connect EVM initialization failed:', error) | ||
| setClientError(error?.message || 'Failed to initialize wallet connection') | ||
| clientInitialized.current = false | ||
| }) |
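Review bot: In the catch handler, setClientError(error?.message || 'Failed to initialize wallet connection') puts the raw exception message into error state, so if that state is displayed, whatever internal detail the underlying library includes in its message reaches the page. Consider setting only the fixed fallback string here and leaving the detail to the console.error call on the line above.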
Failed client init prevents retry despite resetting flag
Low Severity
When createEVMClient fails, the catch block resets clientInitialized.current = false to allow a retry, but the useEffect has an empty [] dependency array and will never re-run. The client remains null permanently, causing all wallet operations (login, getStaleDate, disconnect) to silently no-op. The retry logic is effectively dead code.


Description
Issue(s) fixed
Fixes #
Preview
Checklist
External contributor checklist
Note
Medium Risk
Replaces the site’s wallet connection/client initialization and provider types, which can affect login, disconnect, and network selection flows. Also introduces a large dependency graph update via @metamask/connect-evm, increasing build/compatibility risk.
Overview
Migrates the docs site’s wallet-connect/login implementation from @metamask/sdk to @metamask/connect-evm, including new client initialization in Root.tsx, updated connect/disconnect calls, and switching provider typing to an EIP-1193 provider.
Adds optional Infura-backed RPC configuration via INFURA_API_KEY (wired through Docusaurus customFields) and updates the auth helper to accept a generic request-capable provider.
Simplifies Faucet and Navbar wallet CTAs by removing the “install MetaMask” branch and always presenting connect/link flows, and adds a TS module shim in globals.d.ts for the createEVMClient export/type mismatch. Dependency lockfile is updated substantially to reflect the new Connect EVM package and transitive upgrades/removals.
Written by Cursor Bugbot for commit 591716e.