feat: ledger dmk mobile

[montelaidev]

Examples

[montelaidev]

@metamaskbot publish-preview

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​types/​ws@​8.18.1
	rxjs@​7.8.1 ⏵ 7.8.2
	@​ledgerhq/​device-transport-kit-react-native-ble@​1.3.2
	@​ledgerhq/​device-management-kit@​1.1.0
	@​ledgerhq/​device-signer-kit-ethereum@​1.11.1
	@​ledgerhq/​context-module@​1.14.1

View full report

[socket-security]

Caution

MetaMask internal reviewing guidelines:

• Do not ignore-all
• Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
• Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
  @SocketSecurity ignore npm/PACKAGE@VERSION

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Obfuscated code: npm @ledgerhq/device-management-kit is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: packages/keyring-eth-ledger-bridge/package.json → npm/@ledgerhq/device-management-kit@1.1.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ledgerhq/device-management-kit@1.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm @ledgerhq/context-module in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: packages/keyring-eth-ledger-bridge/package.json → npm/@ledgerhq/context-module@1.14.1 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ledgerhq/context-module@1.14.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm @ledgerhq/device-management-kit in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: packages/keyring-eth-ledger-bridge/package.json → npm/@ledgerhq/device-management-kit@1.1.0 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@ledgerhq/device-management-kit@1.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm @sentry/hub in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: ? → npm/@ledgerhq/device-transport-kit-react-native-ble@1.3.2 → npm/@ledgerhq/device-management-kit@1.1.0 → npm/@sentry/hub@6.19.7 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/hub@6.19.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm @sentry/utils in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: ? → npm/@ledgerhq/device-transport-kit-react-native-ble@1.3.2 → npm/@ledgerhq/device-management-kit@1.1.0 → npm/@sentry/utils@6.19.7 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/utils@6.19.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm ethers in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: ? → npm/@ledgerhq/context-module@1.14.1 → npm/@ledgerhq/device-signer-kit-ethereum@1.11.1 → npm/ethers@6.14.1 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ethers@6.14.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm ethers in module net Module: net Location: Package overview From: ? → npm/@ledgerhq/context-module@1.14.1 → npm/@ledgerhq/device-signer-kit-ethereum@1.11.1 → npm/ethers@6.14.1 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ethers@6.14.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm ethers in module http Module: http Location: Package overview From: ? → npm/@ledgerhq/context-module@1.14.1 → npm/@ledgerhq/device-signer-kit-ethereum@1.11.1 → npm/ethers@6.14.1 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ethers@6.14.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm ethers in module https Module: https Location: Package overview From: ? → npm/@ledgerhq/context-module@1.14.1 → npm/@ledgerhq/device-signer-kit-ethereum@1.11.1 → npm/ethers@6.14.1 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ethers@6.14.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm xstate in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: ? → npm/@ledgerhq/device-management-kit@1.1.0 → npm/@ledgerhq/device-signer-kit-ethereum@1.11.1 → npm/xstate@5.19.2 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/xstate@5.19.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Publisher changed: npm async-function is now published by ljharb instead of eduardorfs New Author: ljharb Previous Author: eduardorfs From: ? → npm/@ledgerhq/device-management-kit@1.1.0 → npm/@ledgerhq/context-module@1.14.1 → npm/@ledgerhq/hw-app-eth@6.42.2 → npm/@trezor/connect-web@9.6.1 → npm/jest-environment-jsdom@29.7.0 → npm/@keystonehq/bc-ur-registry-eth@0.19.1 → npm/async-function@1.0.0 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/async-function@1.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm @sentry/utils is 100.0% likely to have a medium risk anomaly Notes: The code is a conventional utility module for an error-tracking SDK. No malicious behavior detected. The only notable concern is the Math.random() fallback in UUID generation when crypto is unavailable, which is a known compromise and should be documented if cryptographic strength is required in a given deployment. Overall security risk is low to moderate depending on use case, with no external data leakage evident in this fragment. Confidence: 1.00 Severity: 0.60 From: ? → npm/@ledgerhq/device-transport-kit-react-native-ble@1.3.2 → npm/@ledgerhq/device-management-kit@1.1.0 → npm/@sentry/utils@6.19.7 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/utils@6.19.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm @sentry/utils is 100.0% likely to have a medium risk anomaly Notes: The code provides environment detection and dynamic module loading designed to support mixed bundler environments. It does not itself implement malicious logic, but its dynamic loading paths present a non-trivial supply-chain risk: if moduleName is influenced by untrusted input, arbitrary modules may be loaded at runtime. A critical reliability issue is the undefined 'module' reference in loadModule’s first call, which should be addressed. Implement input validation, restrict loading to a whitelist of allowed modules, explicitly pass a safe module context, and ensure 'module' is defined or replaced with a controlled loader interface. Confidence: 1.00 Severity: 0.60 From: ? → npm/@ledgerhq/device-transport-kit-react-native-ble@1.3.2 → npm/@ledgerhq/device-management-kit@1.1.0 → npm/@sentry/utils@6.19.7 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@sentry/utils@6.19.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm axios is 100.0% likely to have a medium risk anomaly Notes: The code appears to be a standard, well-scoped progress-event utility used to report progress (upload/download) to a consumer listener. It reads input from the event object and computes metrics, then forwards a structured payload to a listener. A minor data exposure risk exists due to passing the raw event object to the listener; mitigations include sanitizing the payload or removing the event object before emission. Overall security risk remains modest, with malware likelihood negligible in this isolated module. Confidence: 1.00 Severity: 0.60 From: ? → npm/@ledgerhq/device-management-kit@1.1.0 → npm/axios@1.13.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.13.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm axios is 100.0% likely to have a medium risk anomaly Notes: The analyzed code is a standard Axios defaults/module implementation with no malicious behavior detected. It handles request/response transformations and content-type management in a typical, safe manner. No data exfiltration, backdoors, or privacy-invasive actions are present within this fragment. Confidence: 1.00 Severity: 0.60 From: ? → npm/@ledgerhq/device-management-kit@1.1.0 → npm/axios@1.13.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.13.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm axios is 100.0% likely to have a medium risk anomaly Notes: The code is a legitimate, self-contained throttling transformer designed for Axios-like streaming workflows. It throttles data output based on maxRate and timeWindow, preserves data integrity by splitting chunks when necessary, and emits optional progress telemetry. No malicious activity or data leakage is detected in this fragment. Security risk remains moderate due to throttling complexity and potential misconfiguration in real deployments, but the module itself does not introduce obvious security flaws. Confidence: 1.00 Severity: 0.60 From: ? → npm/@ledgerhq/device-management-kit@1.1.0 → npm/axios@1.13.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/axios@1.13.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm ethers is 100.0% likely to have a medium risk anomaly Notes: The analyzed code fragment appears to be a conventional ABI interface utility (likely from a library like ethers.js) used to parse, encode, and decode Ethereum function calls, events, and errors. There is no evidence of malicious behavior such as data exfiltration, remote control, or code injection. Minor anomalies (typo in an error message and a partially commented/unfinished block) are present but do not constitute malicious activity. Overall security risk from this fragment is low, assuming it is used as intended within a trusted library context. Confidence: 1.00 Severity: 0.60 From: ? → npm/@ledgerhq/context-module@1.14.1 → npm/@ledgerhq/device-signer-kit-ethereum@1.11.1 → npm/ethers@6.14.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ethers@6.14.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm side-channel-weakmap is 100.0% likely to have a medium risk anomaly Notes: The analyzed code implements a dual-path side-channel storage mechanism that safely uses WeakMap when available, with a fallback to a separate side-channel map. It does not exhibit malicious behavior and appears to serve legitimate functionality around secure data transfer between modules without external data exfiltration or network activity. Confidence: 1.00 Severity: 0.60 From: ? → npm/@ledgerhq/device-management-kit@1.1.0 → npm/side-channel-weakmap@1.0.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/side-channel-weakmap@1.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[github-actions]

Preview builds have been published. See these instructions (from the core monorepo) for more information about preview builds.

Expand for full list of packages and versions.

{
  "@metamask-previews/account-api": "1.0.0-cd75414",
  "@metamask-previews/hw-wallet-sdk": "0.5.0-cd75414",
  "@metamask-previews/keyring-api": "21.5.0-cd75414",
  "@metamask-previews/eth-hd-keyring": "13.1.0-cd75414",
  "@metamask-previews/eth-ledger-bridge-keyring": "11.3.0-cd75414",
  "@metamask-previews/eth-qr-keyring": "1.1.0-cd75414",
  "@metamask-previews/eth-simple-keyring": "11.0.0-cd75414",
  "@metamask-previews/eth-trezor-keyring": "9.0.0-cd75414",
  "@metamask-previews/keyring-internal-api": "10.0.0-cd75414",
  "@metamask-previews/keyring-internal-snap-client": "9.0.0-cd75414",
  "@metamask-previews/eth-snap-keyring": "19.0.0-cd75414",
  "@metamask-previews/keyring-snap-client": "8.2.0-cd75414",
  "@metamask-previews/keyring-snap-sdk": "7.2.0-cd75414",
  "@metamask-previews/keyring-utils": "3.2.0-cd75414"
}

[montelaidev]

@metamaskbot publish-preview

[github-actions]

Preview builds have been published. See these instructions (from the core monorepo) for more information about preview builds.

Expand for full list of packages and versions.

{
  "@metamask-previews/account-api": "1.0.0-c27079a",
  "@metamask-previews/hw-wallet-sdk": "0.5.0-c27079a",
  "@metamask-previews/keyring-api": "21.5.0-c27079a",
  "@metamask-previews/eth-hd-keyring": "13.1.0-c27079a",
  "@metamask-previews/eth-ledger-bridge-keyring": "11.3.0-c27079a",
  "@metamask-previews/eth-qr-keyring": "1.1.0-c27079a",
  "@metamask-previews/eth-simple-keyring": "11.0.0-c27079a",
  "@metamask-previews/eth-trezor-keyring": "9.0.0-c27079a",
  "@metamask-previews/keyring-internal-api": "10.0.0-c27079a",
  "@metamask-previews/keyring-internal-snap-client": "9.0.0-c27079a",
  "@metamask-previews/eth-snap-keyring": "19.0.0-c27079a",
  "@metamask-previews/keyring-snap-client": "8.2.0-c27079a",
  "@metamask-previews/keyring-snap-sdk": "7.2.0-c27079a",
  "@metamask-previews/keyring-utils": "3.2.0-c27079a"
}