chore: update webpack and related deps

[davidmurdoch]

Description

Update webpack and related deps.

Changelog

CHANGELOG entry: null

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Extension Coding Standards.
• I've completed the PR template to the best of my ability
• I’ve included tests if applicable
• I’ve documented my code using JSDoc format if applicable
• I’ve applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---

Note

Updates the build toolchain and security policies to align with newer webpack and plugin releases.

• Bumps webpack to ^5.104.1 and updates related deps: terser ^5.44.1, terser-webpack-plugin ^5.3.16, copy-webpack-plugin ^13.0.1, html-bundler-webpack-plugin ^4.22.0, @pmmmwh/react-refresh-webpack-plugin ^0.6.2; refreshes yarn.lock and transitive deps (e.g., browserslist, es-module-lexer, enhanced-resolve, schema-utils).
• Adjusts LavaMoat configs: refines policy.json/policy-override.json package mappings (notably eslint-scope paths), tweaks allowed globals (console.info, console.trace, process), and adds explicit entries for new scopes.
• In LavamoatPlugin/index.ts, stops setting compiler.options.experiments.layers, keeping the unsafe layer rule/assignment logic unchanged.

^{Written by Cursor Bugbot for commit 9779cd4. This will update automatically on new commits. Configure here.}

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[davidmurdoch]

@metamaskbot update-policies

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	schema-utils@​4.3.2 ⏵ 4.3.3
	copy-webpack-plugin@​13.0.0 ⏵ 13.0.1
	@​pmmmwh/​react-refresh-webpack-plugin@​0.6.1 ⏵ 0.6.2
	terser@​5.43.1 ⏵ 5.44.1	-1
	browserslist@​4.26.3 ⏵ 4.28.1			+1
	webpack@​5.99.9 ⏵ 5.104.1	-3		+1
	terser-webpack-plugin@​5.3.14 ⏵ 5.3.16
	html-bundler-webpack-plugin@​4.21.1 ⏵ 4.22.0	+1		+1	-2

View full report

[socket-security]

Caution

MetaMask internal reviewing guidelines:

• Do not ignore-all
• Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
• Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
  @SocketSecurity ignore npm/PACKAGE@VERSION

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Publisher changed: npm loader-runner is now published by evilebottnawi instead of sokra New Author: evilebottnawi Previous Author: sokra From: ? → npm/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm html-bundler-webpack-plugin is 90.0% likely to have a medium risk anomaly Notes: The code is a thin wrapper around vm.Script and is not itself obfuscated or demonstrably malicious. However it is inherently risky: it executes arbitrary code strings in a vm context that inherits any objects supplied by the caller. If untrusted code or an unsafe context is used, this can lead to arbitrary code execution, data leakage, or access to OS resources. Mitigations would be to ensure contexts do not contain host capabilities, add execution time/memory limits, and validate or sandbox inputs. No hardcoded secrets or obvious backdoors were found in this fragment. Confidence: 0.90 Severity: 0.65 From: package.json → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Ignoring alerts on:

• [email protected]

View full report

[metamaskbot]

Policies updated.
👀 Please review the diff for suspicious new powers.

🧠 Learn how: https://lavamoat.github.io/guides/policy-diff/#what-to-look-for-when-reviewing-a-policy-diff

[davidmurdoch]

@metamaskbot update-policies

[metamaskbot]

Policy update failed. You can review the logs or retry the policy update here

[metamaskbotv2]

✨ Files requiring CODEOWNER review ✨

📜 @MetaMask/policy-reviewers (2 files, +24 -15)

• 📁 lavamoat/
  • 📁 build-system/
    • 📄 policy-override.json +0 -6
    • 📄 policy.json +24 -9

Tip

Follow the policy review process outlined in the LavaMoat Policy Review Process doc before expecting an approval from Policy Reviewers.

[davidmurdoch]

@metamaskbot update-policies

[metamaskbot]

Policy update failed. You can review the logs or retry the policy update here

[davidmurdoch]

@metamaskbot update-policies

[metamaskbot]

Policies updated.
👀 Please review the diff for suspicious new powers.

🧠 Learn how: https://lavamoat.github.io/guides/policy-diff/#what-to-look-for-when-reviewing-a-policy-diff

[metamaskbotv2]

Builds ready [2c45442]

• builds: chrome, firefox
• builds (beta): chrome, firefox
• builds (flask): chrome, firefox
• builds (test): chrome, firefox
• builds (test-flask): chrome, firefox
• lavamoat build viz: Build System
• bundle size: Bundle Size Stats
• user-actions-benchmark: User Actions Stats
• storybook: Storybook
• typescript migration: Dashboard
• all artifacts
• bundle viz:

  • background: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
  • common: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15
  • ui: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18
  • content-script: 0
  • offscreen: 0

UI Startup Metrics (1260 ± 95 ms)

Platform	BuildType	Page	Metric	Mean (ms)	Min (ms)	Max (ms)	Std Dev (ms)	P 75 (ms)	P 95 (ms)
Chrome	Browserify	Standard Home	uiStartup	1260	1055	1527	95	1321	1418
			load	1053	847	1360	89	1100	1199
			domContentLoaded	1048	841	1350	89	1092	1192
			domInteractive	25	15	89	18	22	75
			firstPaint	151	64	1068	111	183	297
			backgroundConnect	212	192	249	10	219	231
			firstReactRender	14	9	28	4	16	22
			getState	38	17	110	16	43	62
			initialActions	1	0	5	1	1	2
			loadScripts	842	652	1149	89	887	989
			setupStore	12	7	28	4	13	21
			numNetworkReqs	17	11	71	17	11	68
	Browserify	Power User Home	uiStartup	-	-	-	-	-	-
			load	-	-	-	-	-	-
			domContentLoaded	-	-	-	-	-	-
			domInteractive	-	-	-	-	-	-
			firstPaint	-	-	-	-	-	-
			backgroundConnect	-	-	-	-	-	-
			firstReactRender	-	-	-	-	-	-
			getState	-	-	-	-	-	-
			initialActions	-	-	-	-	-	-
			loadScripts	-	-	-	-	-	-
			setupStore	-	-	-	-	-	-
			numNetworkReqs	-	-	-	-	-	-
	Webpack	Standard Home	uiStartup	775	651	1003	69	810	884
			load	625	571	798	53	644	764
			domContentLoaded	620	565	791	52	638	757
			domInteractive	23	15	93	17	19	79
			firstPaint	101	59	289	49	126	208
			backgroundConnect	31	5	133	31	50	98
			firstReactRender	14	11	30	4	16	20
			getState	32	15	123	16	43	55
			initialActions	1	0	5	1	1	1
			loadScripts	617	563	782	51	635	749
			setupStore	11	6	36	6	11	29
			numNetworkReqs	17	11	72	17	11	68
	Webpack	Power User Home	uiStartup	-	-	-	-	-	-
			load	-	-	-	-	-	-
			domContentLoaded	-	-	-	-	-	-
			domInteractive	-	-	-	-	-	-
			firstPaint	-	-	-	-	-	-
			backgroundConnect	-	-	-	-	-	-
			firstReactRender	-	-	-	-	-	-
			getState	-	-	-	-	-	-
			initialActions	-	-	-	-	-	-
			loadScripts	-	-	-	-	-	-
			setupStore	-	-	-	-	-	-
			numNetworkReqs	-	-	-	-	-	-
Firefox	Browserify	Standard Home	uiStartup	1371	1081	1890	168	1487	1659
			load	1086	930	1316	98	1166	1260
			domContentLoaded	1086	929	1315	98	1166	1259
			domInteractive	67	31	236	38	87	133
			firstPaint	-	-	-	-	-	-
			backgroundConnect	54	20	203	46	70	178
			firstReactRender	12	9	40	4	12	17
			getState	14	6	107	16	11	31
			initialActions	1	0	3	1	1	2
			loadScripts	1053	916	1243	83	1118	1213
			setupStore	14	4	118	17	11	44
			numNetworkReqs	19	9	81	19	13	75
	Browserify	Power User Home	uiStartup	2519	1525	3885	553	2926	3281
			load	1717	962	2693	527	2183	2483
			domContentLoaded	1716	961	2693	526	2182	2482
			domInteractive	79	32	362	79	84	298
			firstPaint	-	-	-	-	-	-
			backgroundConnect	394	21	1322	398	551	1155
			firstReactRender	19	11	58	8	24	28
			getState	99	61	189	27	111	165
			initialActions	2	1	7	1	2	3
			loadScripts	1417	946	2515	444	1932	2232
			setupStore	70	4	1119	206	36	253
			numNetworkReqs	68	20	186	36	75	165
	Webpack	Standard Home	uiStartup	1637	1301	2140	179	1753	1974
			load	1342	1132	1699	123	1418	1597
			domContentLoaded	1341	1132	1698	123	1417	1597
			domInteractive	86	31	333	55	107	192
			firstPaint	-	-	-	-	-	-
			backgroundConnect	60	19	244	45	65	157
			firstReactRender	15	11	56	5	16	24
			getState	17	6	159	27	14	92
			initialActions	1	0	3	1	2	2
			loadScripts	1306	1117	1642	117	1370	1575
			setupStore	22	6	152	30	18	98
			numNetworkReqs	20	9	91	21	13	84
	Webpack	Power User Home	uiStartup	2761	1593	4667	562	3155	3405
			load	2045	1154	2908	516	2490	2727
			domContentLoaded	2045	1153	2908	516	2490	2726
			domInteractive	77	29	921	106	73	203
			firstPaint	-	-	-	-	-	-
			backgroundConnect	319	24	1178	315	363	1103
			firstReactRender	19	12	63	8	23	30
			getState	115	59	992	126	104	213
			initialActions	2	0	3	1	2	2
			loadScripts	1816	1131	2737	455	2211	2553
			setupStore	54	4	1119	149	55	180
			numNetworkReqs	68	25	191	37	73	177

📊 Page Load Benchmark Results

Current Commit: 2c45442 | Date: 1/7/2026

📄 Localhost MetaMask Test Dapp

Samples: 100

Summary

• pageLoadTime-> current mean value: 1.05s (±55ms) 🟡 | historical mean value: 1.05s ⬇️ (historical data)
• domContentLoaded-> current mean value: 732ms (±52ms) 🟢 | historical mean value: 729ms ⬆️ (historical data)
• firstContentfulPaint-> current mean value: 78ms (±14ms) 🟢 | historical mean value: 77ms ⬆️ (historical data)

📈 Detailed Results

Metric	Mean	Std Dev	Min	Max	P95	P99
pageLoadTime	1.05s	55ms	1.02s	1.35s	1.07s	1.35s
domContentLoaded	732ms	52ms	705ms	1.03s	757ms	1.03s
firstPaint	78ms	14ms	60ms	204ms	84ms	204ms
firstContentfulPaint	78ms	14ms	60ms	204ms	84ms	204ms
largestContentfulPaint	0ms	0ms	0ms	0ms	0ms	0ms

Bundle size diffs [🚨 Warning! Bundle size has increased!]

• background: 58 Bytes (0%)
• ui: 0 Bytes (0%)
• common: 23 Bytes (0%)

[metamaskbotv2]

Builds ready [9779cd4]

• builds: chrome, firefox
• builds (beta): chrome, firefox
• builds (flask): chrome, firefox
• builds (test): chrome, firefox
• builds (test-flask): chrome, firefox
• lavamoat build viz: Build System
• bundle size: Bundle Size Stats
• user-actions-benchmark: User Actions Stats
• storybook: Storybook
• typescript migration: Dashboard
• all artifacts
• bundle viz:

  • background: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
  • common: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15
  • ui: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18
  • content-script: 0
  • offscreen: 0

UI Startup Metrics (1275 ± 105 ms)

Platform	BuildType	Page	Metric	Mean (ms)	Min (ms)	Max (ms)	Std Dev (ms)	P 75 (ms)	P 95 (ms)
Chrome	Browserify	Standard Home	uiStartup	1275	1067	1565	105	1348	1478
			load	1066	868	1317	99	1127	1226
			domContentLoaded	1060	862	1311	98	1123	1221
			domInteractive	25	16	116	19	21	79
			firstPaint	141	65	871	92	182	263
			backgroundConnect	212	197	251	10	215	234
			firstReactRender	13	9	29	3	15	21
			getState	38	19	143	15	41	67
			initialActions	1	0	5	1	1	1
			loadScripts	855	650	1114	100	918	1022
			setupStore	12	7	36	5	14	23
			numNetworkReqs	18	11	82	17	11	68
	Browserify	Power User Home	uiStartup	1705	1415	2201	173	1786	2041
			load	1024	847	1337	109	1093	1214
			domContentLoaded	1011	840	1330	107	1078	1199
			domInteractive	27	16	102	18	25	75
			firstPaint	181	63	1260	160	208	274
			backgroundConnect	241	187	609	76	242	455
			firstReactRender	15	10	35	3	16	19
			getState	175	133	282	30	191	235
			initialActions	1	0	3	1	1	2
			loadScripts	807	649	1131	105	872	999
			setupStore	15	5	40	8	14	36
			numNetworkReqs	68	52	240	31	62	127
	Webpack	Standard Home	uiStartup	799	652	1052	80	846	965
			load	641	574	905	63	660	777
			domContentLoaded	636	569	896	62	655	772
			domInteractive	24	15	90	17	21	75
			firstPaint	104	60	339	55	134	221
			backgroundConnect	28	5	118	31	34	106
			firstReactRender	15	10	29	4	16	25
			getState	31	14	130	16	41	53
			initialActions	1	0	5	1	1	2
			loadScripts	633	566	893	61	653	762
			setupStore	11	5	37	6	12	26
			numNetworkReqs	17	11	71	16	11	67
	Webpack	Power User Home	uiStartup	1180	946	1845	194	1227	1664
			load	724	600	1150	96	808	893
			domContentLoaded	717	593	1143	96	798	888
			domInteractive	31	17	149	28	24	102
			firstPaint	130	64	829	99	146	263
			backgroundConnect	45	7	581	104	36	329
			firstReactRender	16	12	23	2	16	19
			getState	139	121	211	13	145	162
			initialActions	1	0	2	1	1	1
			loadScripts	714	590	1134	94	793	879
			setupStore	14	9	48	7	13	34
			numNetworkReqs	66	52	222	25	61	126
Firefox	Browserify	Standard Home	uiStartup	1378	1117	2130	194	1494	1687
			load	1108	943	1630	136	1188	1386
			domContentLoaded	1107	943	1629	136	1187	1385
			domInteractive	65	32	195	36	85	135
			firstPaint	-	-	-	-	-	-
			backgroundConnect	52	18	314	49	55	153
			firstReactRender	13	10	26	3	13	22
			getState	14	6	124	15	13	33
			initialActions	1	0	2	0	2	2
			loadScripts	1076	920	1604	121	1120	1310
			setupStore	22	5	842	84	12	46
			numNetworkReqs	19	9	85	19	14	76
	Browserify	Power User Home	uiStartup	2589	1599	4083	563	2947	3336
			load	1740	1005	2707	555	2219	2561
			domContentLoaded	1739	1005	2707	555	2219	2561
			domInteractive	84	30	897	95	92	207
			firstPaint	-	-	-	-	-	-
			backgroundConnect	414	25	1290	412	916	1113
			firstReactRender	21	11	134	14	25	37
			getState	115	57	955	98	119	228
			initialActions	2	1	4	1	2	3
			loadScripts	1419	972	2541	463	1961	2380
			setupStore	48	5	1000	142	25	165
			numNetworkReqs	75	50	156	27	93	137
	Webpack	Standard Home	uiStartup	1583	1284	2020	170	1686	1958
			load	1328	1099	1739	111	1372	1567
			domContentLoaded	1328	1098	1738	111	1372	1567
			domInteractive	79	28	151	34	106	131
			firstPaint	-	-	-	-	-	-
			backgroundConnect	59	18	229	40	72	145
			firstReactRender	15	10	61	5	16	20
			getState	18	5	281	32	14	53
			initialActions	1	0	2	1	2	2
			loadScripts	1295	1087	1722	104	1335	1537
			setupStore	18	4	116	23	15	85
			numNetworkReqs	19	8	80	19	14	74
	Webpack	Power User Home	uiStartup	2678	1647	3705	551	3077	3434
			load	2017	1179	3040	518	2447	2668
			domContentLoaded	2017	1178	3040	518	2447	2668
			domInteractive	102	29	997	171	73	426
			firstPaint	-	-	-	-	-	-
			backgroundConnect	339	22	1138	371	381	1112
			firstReactRender	21	13	93	11	23	46
			getState	101	59	297	38	106	186
			initialActions	2	1	8	1	2	3
			loadScripts	1753	1159	3023	469	2202	2508
			setupStore	53	5	1054	165	17	164
			numNetworkReqs	68	40	155	30	89	127

📊 Page Load Benchmark Results

Current Commit: 9779cd4 | Date: 1/7/2026

📄 Localhost MetaMask Test Dapp

Samples: 100

Summary

• pageLoadTime-> current mean value: 1.06s (±62ms) 🟡 | historical mean value: 1.04s ⬆️ (historical data)
• domContentLoaded-> current mean value: 739ms (±60ms) 🟢 | historical mean value: 725ms ⬆️ (historical data)
• firstContentfulPaint-> current mean value: 78ms (±11ms) 🟢 | historical mean value: 77ms ⬆️ (historical data)

📈 Detailed Results

Metric	Mean	Std Dev	Min	Max	P95	P99
pageLoadTime	1.06s	62ms	1.03s	1.33s	1.27s	1.33s
domContentLoaded	739ms	60ms	711ms	997ms	949ms	997ms
firstPaint	78ms	11ms	64ms	172ms	92ms	172ms
firstContentfulPaint	78ms	11ms	64ms	172ms	92ms	172ms
largestContentfulPaint	0ms	0ms	0ms	0ms	0ms	0ms

Bundle size diffs [🚨 Warning! Bundle size has increased!]

• background: 58 Bytes (0%)
• ui: 0 Bytes (0%)
• common: 23 Bytes (0%)

[davidmurdoch]

@SocketSecurity ignore npm/[email protected]

[davidmurdoch]

concerning? 🤔

[cursor]

Removal of experiments.layers may break LavaMoat layer isolation

High Severity

The line compiler.options.experiments.layers = true was removed, but the plugin still uses webpack's layer functionality via issuerLayer: 'unsafe' and entryData.options.layer. Webpack's layers feature requires experiments.layers to be enabled. If not enabled by default in webpack 5.104.1, this would cause the unsafe layer isolation to silently fail—security-sensitive entries (scripts/inpage.js, bootstrap, service-worker.ts) that should run outside LavaMoat protection may not be properly isolated. This could be a silent security regression.

 

[davidmurdoch]

its default in webpack now