fix(deps): unpin [email protected],x [email protected]

[legobeat]

Description

• Unpin and dedupe ethereumjs-util and ethereumjs-abi while staying on legacy v6

• Replace import { BN } from 'ethereumjs-util' with importing BN explicitly from either bn.js@4 or bn.js@5

  • Mixing the two is not safe and can cause breakage.
    • Some on why this is A Bad Thing
  • We don't get complete and correct typings with importing the old re-export
  • This adds both v4 and v5 as explicit dependencies - ideally v4 will be removed as transition to v5 concludes
  • Add EIP-1191 address checksum algorithm support for toChecksumAddress()
  • Unblock relying on the ancient and deprecated [email protected]

• ethereumjs-util changelog

• [email protected]

Related issues

• Support of scientific notation indutny/bn.js#209
• Fix serious issue in .toString(16) indutny/bn.js#295
• fix: toBignumber conversion error with high balance #12010

Blocking

• fix(deps): ethereumjs-util@6->^7.1.5 #11932
  • fix: remove usage of bn.js v4 #12043
  • fix: migrate from deprecated legacy packages #11968

Manual testing steps

Screenshots/Recordings

Before

After

Pre-merge author checklist

• I’ve followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
• I've completed the PR template to the best of my ability
• I’ve included tests if applicable
• I’ve documented my code using JSDoc format if applicable
• I’ve applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[socket-security]

New, updated, and removed dependencies detected. Learn more about Socket for GitHub ↗︎

Package	New capabilities	Transitives	Size	Publisher
npm/@lavamoat/[email protected] ➜ 0.2.1	Transitive: environment, filesystem	+6	2.56 MB
npm/@types/[email protected]	None	0	0 B
npm/@types/[email protected]	None	0	0 B
npm/[email protected]	None	0	0 B
npm/[email protected]	None	0	0 B
npm/[email protected] ➜ 0.6.8	None	+2	214 kB	holgerd77

🚮 Removed packages: npm/[email protected], npm/[email protected], npm/[email protected], npm/[email protected]

View full report↗︎

[github-actions]

Bitrise

✅✅✅ pr_smoke_e2e_pipeline passed on Bitrise! ✅✅✅

Commit hash: b708bac
Build link: https://app.bitrise.io/app/be69d4368ee7e86d/pipelines/619aa4be-9711-4726-9e62-08968d39e035

Note

• You can kick off another pr_smoke_e2e_pipeline on Bitrise by removing and re-applying the Run Smoke E2E label on the pull request

[codecov-commenter]

Codecov Report

Attention: Patch coverage is 75.60976% with 10 lines in your changes missing coverage. Please review.

Project coverage is 63.88%. Comparing base (d1d22d7) to head (67d4e4b).
Report is 61 commits behind head on main.

Files with missing lines	Patch %	Lines
app/util/dappTransactions/index.ts	81.25%	2 Missing and 1 partial ⚠️
...components/UI/Ramp/Views/BuildQuote/BuildQuote.tsx	33.33%	0 Missing and 2 partials ⚠️
app/components/hooks/useTokenBalance.tsx	0.00%	2 Missing ⚠️
...Stake/components/StakingBalance/StakingBalance.tsx	0.00%	0 Missing and 1 partial ⚠️
...nents/hooks/useAddressBalance/useAddressBalance.ts	0.00%	0 Missing and 1 partial ⚠️
app/util/number/index.js	87.50%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #11972      +/-   ##
==========================================
+ Coverage   63.42%   63.88%   +0.46%     
==========================================
  Files        2093     2141      +48     
  Lines       45277    45707     +430     
  Branches     6234     6320      +86     
==========================================
+ Hits        28717    29201     +484     
+ Misses      14676    14616      -60     
- Partials     1884     1890       +6     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[NicolasMassart]

Aside from yarn git-safe-dependencies failing on CI (but passes locally), I think this PR is ready to be merged.
Note that this work is done to explicitly assign BN to either v4 or v5 but it will require to complete the migration to v5 eventually.
This only prevents misunderstanding and mixing BN versions in the code.
All the changes migrated to v5 are because they were ready to migrate as is (mostly)
But for the remaining v4, some work has to be done as migrating simply without changes to the v5 will return different results than expected. Hopefully we have unit tests on this.

[NicolasMassart]

this looks good to me but I don't approve it as I spent a lot of time working on it as if I was the author and I want to make sure we have at least another review

[Copilot]

PR Overview

This PR unpins and dedupes the legacy ethereumjs dependencies while switching from re-exported BN types to explicit imports from bn.js libraries. Key changes include:

• Removing BN imports from ethereumjs-util and replacing them with explicit imports from bnjs4 (and bnjs5 for some tests)
• Updating type annotations and instantiation across production and test files
• Adjusting balance calculations to use the new BN implementations

Reviewed Changes

File	Description
app/components/Views/confirmations/SendFlow/Amount/index.js	Removed ethereumjs-util BN import and updated max value calculation
app/components/UI/Ramp/hooks/useIntentAmount.ts	Switched to explicit BN4 import
app/components/UI/Ramp/Views/BuildQuote/BuildQuote.tsx	Replaced BN with BN4 for amount handling and calculations
app/components/UI/Stake/*	Updated BN usage to BN4 in input and gas fee handling logic
app/components/UI/ConfirmAddAsset/ConfirmAddAsset.test.tsx	Updated BN usage in tests to BN4
app/components/UI/Tokens/index.test.tsx	Updated BN usage in tests to BN5
app/components/Views/confirmations/SendFlow/Confirm/validation.ts	Updated BN types to BN4 for balance validations
other files	Numerous similar updates to enforce explicit BN library usage across production and test code

Copilot reviewed 36 out of 36 changed files in this pull request and generated no comments.

[naugtur]

Fix for failing git-safe-dependencies: LavaMoat/LavaMoat#1556
The tool incorrectly recognized a package specifier as a git dependency.

[naugtur]

I copied the lockfile from this PR to our repo as a fixture and Socket shouted at me. There's a bunch of serious stuff ignored in this repo. Are we fine with that?

[github-actions]

Bitrise

🔄🔄🔄 pr_smoke_e2e_pipeline started on Bitrise...🔄🔄🔄

Commit hash: 9f3f322
Build link: https://app.bitrise.io/app/be69d4368ee7e86d/pipelines/3bb3b0f3-47c9-4fd6-8408-704568d69485

Note

• This comment will auto-update when build completes
• You can kick off another pr_smoke_e2e_pipeline on Bitrise by removing and re-applying the Run Smoke E2E label on the pull request

[metamaskbot]

Bitrise

✅✅✅ pr_smoke_e2e_pipeline passed on Bitrise! ✅✅✅

Commit hash: 9f3f322
Build link: https://app.bitrise.io/app/be69d4368ee7e86d/pipelines/3bb3b0f3-47c9-4fd6-8408-704568d69485

Note

• You can kick off another pr_smoke_e2e_pipeline on Bitrise by removing and re-applying the Run Smoke E2E label on the pull request

[wachunei]

Ramp changes LGTM.

[nickewansmith]

Stake changes lgtm

[salimtb]

Assets changes LGTM

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
1 Accepted issue

Measures
0 Security Hotspots
84.9% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[OGPoyraz]

Confirmation changes LGTM