Ramps-Controller #6999

pkowalski · 2025-10-29T19:50:59Z

Explanation

Ramps currently depends on an sdk to handle all connections to the RAMPS api. We now have 2 different offerings which each use their own SDK. All of this routing logic is done on the mobile app. If this logic were to be extended to pdapp or extension it would require rework on those codebases. Additionally many other teams already use this controller design pattern. By moving towards this we can handle all business logic in 1 controller. It lets us expose Ramps data and apis to other experiences without those experiences requiring any knowledge of business logic. Lastly it would speed up any Ramps api integrations on extension and pdapp in the future.

References

Related to TRAM-2783

Checklist

I've updated the test suite for new or updated code as appropriate
I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
I've communicated my changes to consumers by updating changelogs for packages I've changed, highlighting breaking changes as necessary
I've prepared draft pull requests for clients and consumer packages to resolve any breaking changes

Note

Introduce ramps-controller package with RampsController, tests, docs, and build/tooling setup.

New package: packages/ramps-controller
- Core: Implements RampsController in src/RampsController.ts and exports public API via src/index.ts.
- Tests: Adds src/RampsController.test.ts and jest.config.js.
- Tooling/Build: Adds package.json, tsconfig.json, tsconfig.build.json, and typedoc.json.
- Docs/Meta: Adds README.md, initializes CHANGELOG.md, and includes LICENSE.
Repo config: Updates root tsconfig.build.json to integrate the new package.

^{Written by Cursor Bugbot for commit 4c43415. This will update automatically on new commits. Configure here.}

packages/ramps-controller/src/RampsController.ts

socket-security · 2025-11-05T17:37:47Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance
	@lavamoat/preinstall-always-fail@2.1.0 ⏵ 2.1.1
	@yarnpkg/types@4.0.0 ⏵ 4.0.1	⁺¹		⁺³	⁺¹
	@yarnpkg/cli@4.5.3 ⏵ 4.10.3	^-1		⁺³	⁺³
	simple-git-hooks@2.11.1 ⏵ 2.13.1	⁺¹
	@typescript-eslint/parser@8.19.1 ⏵ 8.46.2	⁺¹			⁺²
	eslint-config-prettier@9.1.0 ⏵ 9.1.2
	@types/node-fetch@2.6.12 ⏵ 2.6.13
	@metamask/keyring-internal-api@9.1.0 ⏵ 9.1.1				⁺³
	@babel/preset-typescript@7.24.7 ⏵ 7.28.5
	typescript-eslint@8.19.1 ⏵ 8.46.2			^-1
	@yarnpkg/core@4.1.6 ⏵ 4.4.4			⁺¹
	@types/bn.js@5.1.6 ⏵ 5.2.0
	@babel/plugin-transform-modules-commonjs@7.24.8 ⏵ 7.27.1	⁺¹			^-1
	@types/semver@7.5.8 ⏵ 7.7.1			⁺¹
	@metamask/keyring-snap-client@8.1.0 ⏵ 8.1.1				⁺³
	@types/yargs@16.0.9 ⏵ 17.0.34	⁺¹		⁺¹
	@metamask/snaps-controllers@14.0.1 ⏵ 14.2.2	⁺¹		⁺²
	prettier-plugin-packagejson@2.5.2 ⏵ 2.5.19
	@metamask/snaps-sdk@9.0.0 ⏵ 10.0.0	⁺¹		⁺²	^-2
	@yarnpkg/fslib@3.1.1 ⏵ 3.1.3	⁺¹		⁺²	⁺⁴
	@ethersproject/providers@5.7.2 ⏵ 5.8.0	⁺¹		⁺¹
	@babel/runtime@7.25.4 ⏵ 7.28.4	⁺¹	⁺⁸		^-2
	@babel/core@7.26.0 ⏵ 7.28.5
	@typescript-eslint/eslint-plugin@8.19.1 ⏵ 8.46.2			⁺¹	⁺²
	@metamask/safe-event-emitter@3.1.1 ⏵ 3.1.2	⁺¹
	bignumber.js@9.1.2 ⏵ 9.3.1
	@types/node@18.19.68 ⏵ 16.18.126	⁺¹
	yaml@2.8.0 ⏵ 2.8.1
	tsx@4.20.5 ⏵ 4.20.6
	ulid@2.3.0 ⏵ 2.4.0	⁺¹
	@metamask/nonce-tracker@6.0.0 ⏵ 6.1.0	⁺¹		⁺¹	^-2
	@metamask/rpc-errors@7.0.2 ⏵ 7.0.3
See 18 more rows in the dashboard

View full report

socket-security · 2025-11-05T17:37:52Z

Caution

MetaMask internal reviewing guidelines:

Do not ignore-all
Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
@SocketSecurity ignore npm/PACKAGE@VERSION

Action	Severity	Alert (click "▶" to expand/collapse)
Block		Network access: npm `@emnapi/core` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/[email protected]` → `npm/[email protected]` → `npm/@emnapi/[email protected]` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@emnapi/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@firebase/ai` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@firebase/[email protected]` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@firebase/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@firebase/util` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@firebase/[email protected]` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@firebase/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@sigstore/sign` in module http2 Module: http2 Location: Package overview From: `?` → `npm/@yarnpkg/[email protected]` → `npm/@sigstore/[email protected]` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@sigstore/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@tybys/wasm-util` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/[email protected]` → `npm/[email protected]` → `npm/@tybys/[email protected]` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@tybys/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@unrs/resolver-binding-wasm32-wasi` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/[email protected]` → `npm/[email protected]` → `npm/@unrs/[email protected]` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@unrs/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `hpagent` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@yarnpkg/[email protected]` → `npm/[email protected]` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `hpagent` in module https Module: https Location: Package overview From: `?` → `npm/@yarnpkg/[email protected]` → `npm/[email protected]` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `hpagent` in module http Module: http Location: Package overview From: `?` → `npm/@yarnpkg/[email protected]` → `npm/[email protected]` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `napi-postinstall` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/[email protected]` → `npm/[email protected]` → `npm/[email protected]` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		System shell access: npm `simple-git-hooks` in module child_process Module: child_process Location: Package overview From: package.json → `npm/[email protected]` ℹ Read more on: This package \| This alert \| What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		System shell access: npm `unrs-resolver` in module child_process Module: child_process Location: Package overview From: `?` → `npm/[email protected]` → `npm/[email protected]` → `npm/[email protected]` ℹ Read more on: This package \| This alert \| What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Publisher changed: npm `@npmcli/fs` is now published by npm-cli-ops instead of lukekarrys New Author: npm-cli-ops Previous Author: lukekarrys From: `?` → `npm/[email protected]` → `npm/[email protected]` → `npm/[email protected]` → `npm/@yarnpkg/[email protected]` → `npm/[email protected]` → `npm/@npmcli/[email protected]` ℹ Read more on: This package \| This alert \| What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@npmcli/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Publisher changed: npm `@yarnpkg/plugin-catalog` is now published by yarnbot instead of arcanis New Author: yarnbot Previous Author: arcanis From: `?` → `npm/@yarnpkg/[email protected]` → `npm/@yarnpkg/[email protected]` ℹ Read more on: This package \| This alert \| What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@yarnpkg/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Publisher changed: npm `async-function` is now published by ljharb instead of eduardorfs New Author: ljharb Previous Author: eduardorfs From: `?` → `npm/[email protected]` → `npm/[email protected]` → `npm/@metamask/[email protected]` → `npm/@types/[email protected]` → `npm/[email protected]` → `npm/[email protected]` ℹ Read more on: This package \| This alert \| What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Publisher changed: npm `negotiator` is now published by blakeembrey instead of wesleytodd New Author: blakeembrey Previous Author: wesleytodd From: `?` → `npm/@lavamoat/[email protected]` → `npm/[email protected]` ℹ Read more on: This package \| This alert \| What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Publisher changed: npm `negotiator` is now published by wesleytodd instead of dougwilson New Author: wesleytodd Previous Author: dougwilson From: `?` → `npm/[email protected]` → `npm/[email protected]` → `npm/[email protected]` → `npm/@yarnpkg/[email protected]` → `npm/[email protected]` → `npm/[email protected]` ℹ Read more on: This package \| This alert \| What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Publisher changed: npm `ripemd160` is now published by ljharb instead of dcousens New Author: ljharb Previous Author: dcousens From: `?` → `npm/[email protected]` → `npm/[email protected]` ℹ Read more on: This package \| This alert \| What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Publisher changed: npm `sha.js` is now published by ljharb instead of dcousens New Author: ljharb Previous Author: dcousens From: `?` → `npm/[email protected]` → `npm/[email protected]` ℹ Read more on: This package \| This alert \| What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Publisher changed: npm `ulid` is now published by perrymitchell instead of alizain New Author: perrymitchell Previous Author: alizain From: packages/keyring-controller/package.json → `npm/[email protected]` ℹ Read more on: This package \| This alert \| What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Publisher changed: npm `unique-filename` is now published by npm-cli-ops instead of lukekarrys New Author: npm-cli-ops Previous Author: lukekarrys From: `?` → `npm/[email protected]` → `npm/[email protected]` → `npm/[email protected]` → `npm/@yarnpkg/[email protected]` → `npm/[email protected]` → `npm/[email protected]` ℹ Read more on: This package \| This alert \| What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Publisher changed: npm `unique-slug` is now published by npm-cli-ops instead of lukekarrys New Author: npm-cli-ops Previous Author: lukekarrys From: `?` → `npm/[email protected]` → `npm/[email protected]` → `npm/[email protected]` → `npm/@yarnpkg/[email protected]` → `npm/[email protected]` → `npm/[email protected]` ℹ Read more on: This package \| This alert \| What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Install-time scripts: npm `@firebase/util` during postinstall Install script: postinstall Source: `node ./postinstall.js` From: `?` → `npm/@firebase/[email protected]` ℹ Read more on: This package \| This alert \| What is an install script? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@firebase/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Install-time scripts: npm `unrs-resolver` during postinstall Install script: postinstall Source: `napi-postinstall unrs-resolver 1.11.1 check` From: `?` → `npm/[email protected]` → `npm/[email protected]` → `npm/[email protected]` ℹ Read more on: This package \| This alert \| What is an install script? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm `@unrs/resolver-binding-wasm32-wasi` is 100.0% likely to have a medium risk anomaly Notes: The file itself does not contain overt malicious code (no network calls, no obfuscated payloads, no hardcoded credentials). However, it deliberately exposes powerful capabilities to loaded WASM modules and local scripts: it passes all environment variables into WASI and preopens the filesystem root, and it implements importScripts by reading and eval-ing local files. These choices make the environment capable of data theft or system access if untrusted wasm or scripts are executed. Treat wasm modules and files loaded via importScripts as fully trusted/native — do not run untrusted modules with this loader. Recommend restricting WASI preopens to a minimal directory and avoid passing full process.env, and avoid eval-based importScripts when possible. Confidence: 1.00 Severity: 0.60 From: `?` → `npm/[email protected]` → `npm/[email protected]` → `npm/@unrs/[email protected]` ℹ Read more on: This package \| This alert \| What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `[email protected]`. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@unrs/[email protected]`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
See 11 more rows in the dashboard

View full report

This comment was marked as outdated.

Sign in to view

cursor bot reviewed Oct 29, 2025

View reviewed changes

packages/ramps-controller/src/RampsController.ts Show resolved Hide resolved

packages/ramps-controller/src/RampsController.ts Outdated Show resolved Hide resolved

pkowalski marked this pull request as draft October 29, 2025 20:49

pkowalski force-pushed the feature/ramps-controller branch from 801ed14 to e7317d2 Compare November 5, 2025 17:36

pkowalski added 9 commits November 5, 2025 13:48

feat: add foundation for ramps controller TRAM-2787

fe8d37b

chore: add ramp-controller to build

1710301

feat: first foundations of native calls

4cf362b

feat: simplify RampsController

73ab5fe

chore: clean up dependencies

7e91f05

fix: patch url for new regions endpoint:

a7ad8c0

feat: replace fetch with axios

f1e5914

chore: change axios version

faa28ac

chore: update yarn.lock

29ff020

pkowalski force-pushed the feature/ramps-controller branch from b1d9793 to 29ff020 Compare November 5, 2025 19:50

chore: fix changelog

4f13784

pkowalski closed this Nov 6, 2025

pkowalski deleted the feature/ramps-controller branch November 6, 2025 16:21

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Ramps-Controller #6999

Ramps-Controller #6999

Uh oh!

pkowalski commented Oct 29, 2025 •

edited

Loading

Uh oh!

This comment was marked as outdated.

Uh oh!

Uh oh!

Uh oh!

socket-security bot commented Nov 5, 2025 •

edited

Loading

Uh oh!

socket-security bot commented Nov 5, 2025 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

Uh oh!

Ramps-Controller #6999

Ramps-Controller #6999

Uh oh!

Conversation

pkowalski commented Oct 29, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Explanation

References

Checklist

Uh oh!

This comment was marked as outdated.

Uh oh!

Uh oh!

Uh oh!

socket-security bot commented Nov 5, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

socket-security bot commented Nov 5, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

2 participants

pkowalski commented Oct 29, 2025 •

edited

Loading

socket-security bot commented Nov 5, 2025 •

edited

Loading

socket-security bot commented Nov 5, 2025 •

edited

Loading