Skip to content

Release 14.0.0#78

Merged
chakra-guy merged 5 commits intomainfrom
release/14.0.0
Mar 9, 2026
Merged

Release 14.0.0#78
chakra-guy merged 5 commits intomainfrom
release/14.0.0

Conversation

@chakra-guy
Copy link
Collaborator

@chakra-guy chakra-guy commented Mar 9, 2026
edited by cursor bot
Loading

Release v14.0.0 and publish all three packages with audit hardening fixes.

  • Release:
    • Bump root package.json to 14.0.0.
  • Packages:
    • packages/core:
      • Version 0.4.0; add peer key validation, runtime ConnectionMode validation, pin eciesjs to 0.4.17, fix SessionStore race conditions and async initialization, reject expired session messages, timing-safe OTP comparison, guard against NaN expiry timestamps. BREAKING: SessionStore constructor is now private (use SessionStore.create()), drop Node 18 (require Node 20+).
    • packages/dapp-client:
      • Version 0.3.0; validate peer public keys during handshake, validate connection mode at construction, constant-time OTP verification. BREAKING: Drop Node 18 (require Node 20+).
    • packages/wallet-client:
      • Version 0.3.0; replace Math.random() with crypto.getRandomValues() for OTP, validate peer public keys during session creation, fix client stuck in CONNECTING state, validate connection mode at construction. BREAKING: Drop Node 18 (require Node 20+).

Note

Low Risk
Low risk: this PR only bumps package versions and updates changelogs; no runtime code changes are included. The main potential impact is downstream consumers adopting the documented breaking release versions.

Overview
Release bump only. Updates the root version to 14.0.0 and bumps package versions to @metamask/mobile-wallet-protocol-core@0.4.0, @metamask/mobile-wallet-protocol-dapp-client@0.3.0, and @metamask/mobile-wallet-protocol-wallet-client@0.3.0.

Changelog publishing. Adds the corresponding release sections to each package CHANGELOG.md and updates the compare links for Unreleased.

Written by Cursor Bugbot for commit bb6a359. This will update automatically on new commits. Configure here.

@chakra-guy
Initialize Release 14.0.0
0f21503
@chakra-guy
Update Release 14.0.0
5099b4e
@chakra-guy
chore: restore package.json formatting after release tool
140c3a1 
The release script restored original package.json format
and ran yarn install. Committing those cleanup changes.
@chakra-guy
chore: consolidate release 14.0.0 changelogs
620ef02 
Merge auto-generated "Uncategorized" entries into proper
Keep a Changelog categories (Added, Changed, Fixed).
Remove duplicates and add missing entries for Node 20+
requirement and eciesjs version pin.
@chakra-guy
chore: remove files accidentally included in release commit
bb6a359 
These task-tracking files were picked up by the release tool
because they were untracked in the working directory.
@socket-security
Copy link

socket-security bot commented Mar 9, 2026
edited
Loading

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Updatedexpo-router@​6.0.13 ⏵ 6.0.2373 -2110077100100
Updatedexpo-status-bar@​3.0.8 ⏵ 3.0.973 -2610082100100
Updated@​types/​react-dom@​19.2.2 ⏵ 19.2.31001007587100
Updated@​react-navigation/​native@​7.1.19 ⏵ 7.1.339910075 +1100 +4100
Updated@​react-navigation/​elements@​2.7.1 ⏵ 2.9.109910075 +1100 +1100
Updated@​react-navigation/​bottom-tabs@​7.6.0 ⏵ 7.15.59910076 +2100 +1100
Updatedexpo-constants@​18.0.10 ⏵ 18.0.137610079100100
Updatedexpo-linking@​8.0.8 ⏵ 8.0.1176 -2310079100100
Updatedexpo@​54.0.20 ⏵ 54.0.3377 -2110078 +1100100
Updatedexpo-font@​14.0.9 ⏵ 14.0.117710084100100
Updatedexpo-image@​3.0.10 ⏵ 3.0.1178 -221009199 -1100
Updatedreact-native-safe-area-context@​5.6.1 ⏵ 5.6.21001007886 +2100
Updatedexpo-system-ui@​6.0.8 ⏵ 6.0.9100 +2610078 +1100 +1100
Updated@​types/​react@​19.2.2 ⏵ 19.2.14100 +110079 +194100
Updated@​babel/​core@​7.28.5 ⏵ 7.29.0971008095100
Updated@​types/​node@​20.19.23 ⏵ 20.19.37100 +110081 +196100
Updatedexpo-symbols@​1.0.7 ⏵ 1.0.810010081100 +1100
Updatedreact-native-worklets@​0.5.1 ⏵ 0.5.299 +110083 +198100
Updatedtailwindcss@​4.1.16 ⏵ 4.2.1100 +110084 +198 +2100
Updatedexpo-haptics@​15.0.7 ⏵ 15.0.810010084100100
Updatedexpo-web-browser@​15.0.8 ⏵ 15.0.10100 +2410085100100
Addedws@​8.19.09810010086100
Updatedeslint@​9.38.0 ⏵ 9.39.48910010097100
Updated@​expo/​vector-icons@​15.0.3 ⏵ 15.1.110010091 +192 -1100
Updated@​eslint/​eslintrc@​3.3.1 ⏵ 3.3.599 +110010091100
Updatedreact-native-reanimated@​4.1.3 ⏵ 4.1.698 -110091 +1100 +1100
Updatedexpo-camera@​17.0.8 ⏵ 17.0.10100 +2310095100100
Updated@​tailwindcss/​postcss@​4.1.16 ⏵ 4.2.1100 +110010098 +2100
Updatedexpo-splash-screen@​31.0.10 ⏵ 31.0.13100 +27100100100100

View full report

@socket-security
Copy link

socket-security bot commented Mar 9, 2026
edited
Loading

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring alerts on:

  • @img/sharp-libvips-linux-riscv64@1.2.4
  • @img/sharp-linux-riscv64@0.34.5
  • node-exports-info@1.6.0
  • glob@13.0.6
  • minimatch@10.2.4
  • minimatch@9.0.9
  • minimatch@3.1.5
  • minipass@7.1.3
  • hermes-parser@0.33.3
  • hermes-estree@0.33.3
  • ws@8.19.0
  • tar@7.5.11
  • minizlib@3.1.0
  • yaml@2.8.2
  • sucrase@3.35.1
  • brace-expansion@5.0.4
  • accepts@2.0.0
  • http-errors@2.0.1
  • serve-static@1.16.3
  • statuses@2.0.2
  • lru-cache@11.2.6
  • eslint-visitor-keys@5.0.1
  • path-scurry@2.0.2
  • balanced-match@4.0.4
  • mime-types@3.0.2
  • acorn@8.16.0
  • semver@7.7.4
  • metro-runtime@0.83.5
  • metro-source-map@0.83.5
  • metro-symbolicate@0.83.5
  • ob1@0.83.5
  • @babel/code-frame@7.29.0
  • @types/node@20.19.37
  • @types/react@19.2.14
  • resolve@2.0.0-next.6
  • @babel/parser@7.29.0
  • @babel/types@7.29.0
  • esbuild@0.27.3
  • @esbuild/aix-ppc64@0.27.3
  • @esbuild/android-arm@0.27.3
  • @esbuild/android-arm64@0.27.3
  • @esbuild/android-x64@0.27.3
  • @esbuild/darwin-arm64@0.27.3
  • @esbuild/darwin-x64@0.27.3
  • @esbuild/freebsd-arm64@0.27.3
  • @esbuild/freebsd-x64@0.27.3
  • @esbuild/linux-arm@0.27.3
  • @esbuild/linux-arm64@0.27.3
  • @esbuild/linux-ia32@0.27.3
  • @esbuild/linux-loong64@0.27.3
  • @esbuild/linux-mips64el@0.27.3
  • @esbuild/linux-ppc64@0.27.3
  • @esbuild/linux-riscv64@0.27.3
  • @esbuild/linux-s390x@0.27.3
  • @esbuild/linux-x64@0.27.3
  • @esbuild/netbsd-arm64@0.27.3
  • @esbuild/netbsd-x64@0.27.3
  • @esbuild/openbsd-arm64@0.27.3
  • @esbuild/openbsd-x64@0.27.3
  • @esbuild/openharmony-arm64@0.27.3
  • @esbuild/sunos-x64@0.27.3
  • @esbuild/win32-arm64@0.27.3
  • @esbuild/win32-ia32@0.27.3
  • @esbuild/win32-x64@0.27.3
  • @expo/vector-icons@15.1.1
  • @react-navigation/bottom-tabs@7.15.5
  • @react-navigation/elements@2.9.10
  • @react-navigation/native@7.1.33
  • expo@54.0.33
  • expo-camera@17.0.10
  • expo-constants@18.0.13
  • expo-font@14.0.11
  • expo-haptics@15.0.8
  • expo-image@3.0.11
  • expo-linking@8.0.11
  • expo-router@6.0.23
  • expo-splash-screen@31.0.13
  • expo-status-bar@3.0.9
  • expo-symbols@1.0.8
  • expo-system-ui@6.0.9
  • expo-web-browser@15.0.10
  • react-native-reanimated@4.1.6
  • react-native-safe-area-context@5.6.2
  • react-native-worklets@0.5.2
  • @babel/core@7.29.0
  • eslint@9.39.4
  • globals@16.5.0
  • @eslint/eslintrc@3.3.5
  • @tailwindcss/postcss@4.2.1
  • @types/react-dom@19.2.3
  • tailwindcss@4.2.1
  • csstype@3.2.3
  • send@0.19.2
  • axios@1.13.6
  • nan@2.25.0
  • get-tsconfig@4.13.6
  • @react-navigation/core@7.16.1
  • react-is@19.2.4
  • @babel/runtime@7.28.6
  • @expo/cli@54.0.23
  • @expo/config@12.0.13
  • @expo/config-plugins@54.0.4
  • @expo/devtools@0.1.8
  • @expo/fingerprint@0.15.4
  • @expo/metro@54.2.0
  • @expo/metro-config@54.0.14
  • babel-preset-expo@54.0.10
  • expo-asset@12.0.12
  • expo-file-system@19.0.21
  • expo-keep-awake@15.0.8
  • expo-modules-autolinking@3.0.24
  • expo-modules-core@3.0.29
  • @expo/env@2.0.11
  • @expo/schema-utils@0.1.8
  • @react-navigation/native-stack@7.14.4
  • expo-server@1.0.5
  • react-native-is-edge-to-edge@1.3.1
  • sf-symbols-typescript@2.2.0
  • @expo/prebuild-config@54.0.8
  • metro@0.83.5
  • metro-config@0.83.5
  • metro-core@0.83.5
  • metro-babel-transformer@0.83.5
  • metro-cache@0.83.5
  • metro-cache-key@0.83.5
  • metro-file-map@0.83.5
  • metro-resolver@0.83.5
  • metro-transform-plugins@0.83.5
  • metro-transform-worker@0.83.5
  • metro-minify-terser@0.83.5
  • @babel/traverse@7.29.0
  • @babel/traverse--for-generate-function-map@7.29.0
  • @babel/plugin-transform-class-properties@7.28.6
  • @babel/plugin-transform-classes@7.28.6
  • @babel/plugin-transform-nullish-coalescing-operator@7.28.6
  • @babel/plugin-transform-optional-chaining@7.28.6
  • @babel/generator@7.29.1
  • @babel/helper-compilation-targets@7.28.6
  • @babel/helper-module-transforms@7.28.6
  • @babel/helpers@7.28.6
  • @babel/template@7.28.6
  • @eslint-community/eslint-utils@4.9.1
  • @eslint/config-array@0.21.2
  • @eslint/config-helpers@0.4.2
  • @eslint/core@0.17.0
  • @eslint/js@9.39.4
  • @eslint/plugin-kit@0.4.1
  • ajv@6.14.0
  • esquery@1.7.0
  • @typescript-eslint/eslint-plugin@8.56.1
  • @typescript-eslint/parser@8.56.1
  • caniuse-lite@1.0.30001777
  • sharp@0.34.5
  • js-yaml@3.14.2
  • js-yaml@4.1.1
  • @tailwindcss/node@4.2.1
  • @tailwindcss/oxide@4.2.1
  • @rushstack/eslint-patch@1.16.1
  • form-data@4.0.5
  • @react-navigation/routers@7.5.3
  • @expo/code-signing-certificates@0.0.6
  • @expo/devcert@1.2.1
  • @expo/image-utils@0.8.12
  • @expo/json-file@10.0.12
  • @expo/osascript@2.4.2
  • @expo/package-manager@1.10.3
  • @expo/plist@0.4.8
  • @expo/xcpretty@4.4.1
  • node-forge@1.3.3
  • undici@6.23.0
  • @expo/config-types@54.0.10
  • resolve-workspace-root@2.0.1
  • browserslist@4.28.1
  • lightningcss@1.31.1
  • lightningcss@1.32.0
  • @babel/helper-module-imports@7.28.6
  • @babel/plugin-proposal-decorators@7.29.0
  • @babel/plugin-syntax-export-default-from@7.28.6
  • @babel/plugin-transform-class-static-block@7.28.6
  • @babel/plugin-transform-modules-commonjs@7.28.6
  • @babel/plugin-transform-object-rest-spread@7.28.6
  • @babel/plugin-transform-private-methods@7.28.6
  • @babel/plugin-transform-private-property-in-object@7.28.6
  • @babel/plugin-transform-runtime@7.29.0
  • terser@5.46.0
  • @babel/helper-plugin-utils@7.28.6
  • @babel/helper-create-class-features-plugin@7.28.6
  • @babel/helper-replace-supers@7.28.6
  • @babel/plugin-syntax-jsx@7.28.6
  • @babel/plugin-transform-typescript@7.28.6
  • @babel/compat-data@7.29.0
  • @typescript-eslint/scope-manager@8.56.1
  • @typescript-eslint/type-utils@8.56.1
  • @typescript-eslint/utils@8.56.1
  • @typescript-eslint/visitor-keys@8.56.1
  • ts-api-utils@2.4.0
  • @typescript-eslint/types@8.56.1
  • @typescript-eslint/typescript-estree@8.56.1
  • es-iterator-helpers@1.2.2
  • @img/colour@1.1.0
  • @img/sharp-darwin-arm64@0.34.5
  • @img/sharp-darwin-x64@0.34.5
  • @img/sharp-libvips-darwin-arm64@1.2.4
  • @img/sharp-libvips-darwin-x64@1.2.4
  • @img/sharp-libvips-linux-arm@1.2.4
  • @img/sharp-libvips-linux-arm64@1.2.4
  • @img/sharp-libvips-linux-ppc64@1.2.4
  • @img/sharp-libvips-linux-s390x@1.2.4
  • @img/sharp-libvips-linux-x64@1.2.4
  • @img/sharp-libvips-linuxmusl-arm64@1.2.4
  • @img/sharp-libvips-linuxmusl-x64@1.2.4
  • @img/sharp-linux-arm@0.34.5
  • @img/sharp-linux-arm64@0.34.5
  • @img/sharp-linux-ppc64@0.34.5
  • @img/sharp-linux-s390x@0.34.5
  • @img/sharp-linux-x64@0.34.5
  • @img/sharp-linuxmusl-arm64@0.34.5
  • @img/sharp-linuxmusl-x64@0.34.5
  • @img/sharp-wasm32@0.34.5
  • @img/sharp-win32-arm64@0.34.5
  • @img/sharp-win32-ia32@0.34.5
  • @img/sharp-win32-x64@0.34.5
  • enhanced-resolve@5.20.0
  • @tailwindcss/oxide-android-arm64@4.2.1
  • @tailwindcss/oxide-darwin-arm64@4.2.1
  • @tailwindcss/oxide-darwin-x64@4.2.1
  • @tailwindcss/oxide-freebsd-x64@4.2.1
  • @tailwindcss/oxide-linux-arm-gnueabihf@4.2.1
  • @tailwindcss/oxide-linux-arm64-gnu@4.2.1
  • @tailwindcss/oxide-linux-arm64-musl@4.2.1
  • @tailwindcss/oxide-linux-x64-gnu@4.2.1
  • @tailwindcss/oxide-linux-x64-musl@4.2.1
  • @tailwindcss/oxide-wasm32-wasi@4.2.1
  • @napi-rs/wasm-runtime@1.1.1
  • @tailwindcss/oxide-win32-arm64-msvc@4.2.1
  • @tailwindcss/oxide-win32-x64-msvc@4.2.1
  • axe-core@4.11.1
  • sax@1.5.0
  • baseline-browser-mapping@2.10.0
  • electron-to-chromium@1.5.307
  • node-releases@2.0.36
  • update-browserslist-db@1.2.3
  • lightningcss-android-arm64@1.31.1
  • lightningcss-android-arm64@1.32.0
  • lightningcss-darwin-arm64@1.31.1
  • lightningcss-darwin-arm64@1.32.0
  • lightningcss-darwin-x64@1.31.1
  • lightningcss-darwin-x64@1.32.0
  • lightningcss-freebsd-x64@1.31.1
  • lightningcss-freebsd-x64@1.32.0
  • lightningcss-linux-arm-gnueabihf@1.31.1
  • lightningcss-linux-arm-gnueabihf@1.32.0
  • lightningcss-linux-arm64-gnu@1.31.1
  • lightningcss-linux-arm64-gnu@1.32.0
  • lightningcss-linux-arm64-musl@1.31.1
  • lightningcss-linux-arm64-musl@1.32.0
  • lightningcss-linux-x64-gnu@1.31.1
  • lightningcss-linux-x64-gnu@1.32.0
  • lightningcss-linux-x64-musl@1.31.1
  • lightningcss-linux-x64-musl@1.32.0
  • lightningcss-win32-arm64-msvc@1.31.1
  • lightningcss-win32-arm64-msvc@1.32.0
  • lightningcss-win32-x64-msvc@1.31.1
  • lightningcss-win32-x64-msvc@1.32.0
  • @babel/plugin-syntax-decorators@7.28.6
  • @babel/plugin-syntax-flow@7.28.6
  • babel-plugin-polyfill-corejs2@0.4.16
  • babel-plugin-polyfill-regenerator@0.6.7
  • @babel/plugin-transform-react-jsx@7.28.6
  • @babel/plugin-transform-async-generator-functions@7.29.0
  • @babel/plugin-transform-async-to-generator@7.28.6
  • @babel/plugin-transform-block-scoping@7.28.6
  • @babel/plugin-transform-computed-properties@7.28.6
  • @babel/plugin-transform-logical-assignment-operators@7.28.6
  • @babel/plugin-transform-named-capturing-groups-regex@7.29.0
  • @babel/plugin-transform-numeric-separator@7.28.6
  • @babel/plugin-transform-optional-catch-binding@7.28.6
  • @babel/plugin-transform-regenerator@7.29.0
  • @babel/plugin-transform-spread@7.28.6
  • @sinclair/typebox@0.27.10
  • react-remove-scroll@2.7.2
  • @types/yargs@17.0.35
  • @babel/plugin-syntax-typescript@7.28.6
  • flatted@3.4.0
  • @typescript-eslint/project-service@8.56.1
  • @typescript-eslint/tsconfig-utils@8.56.1
  • es-abstract@1.24.1
  • @emnapi/runtime@1.8.1
  • @emnapi/core@1.8.1
  • fastq@1.20.1
  • @babel/helper-define-polyfill-provider@0.6.7
  • core-js-compat@3.48.0
  • @babel/plugin-syntax-import-attributes@7.28.6
  • which-typed-array@1.1.20
  • @babel/helper-wrap-function@7.28.6

View full report

@chakra-guy
Copy link
Collaborator Author

chakra-guy commented Mar 9, 2026

@SocketSecurity ignore-all (all of those packages that are being ignored are just for the demo apps, no real change)

@chakra-guy chakra-guy merged commit 4ec9fe1 into main Mar 9, 2026
12 checks passed
@chakra-guy chakra-guy deleted the release/14.0.0 branch March 9, 2026 14:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@adonesky1 adonesky1 adonesky1 approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@chakra-guy @adonesky1