release: 13.13.2

[metamaskbot]

🚀 v13.13.2 Testing & Release Quality Process

Hi Team,
As part of our new MetaMask Release Quality Process, here’s a quick overview of the key processes, testing strategies, and milestones to ensure a smooth and high-quality deployment.

---

📋 Key Processes

Testing Strategy

• Developer Teams:
  Conduct regression and exploratory testing for your functional areas, including automated and manual tests for critical workflows.
• QA Team:
  Focus on exploratory testing across the wallet, prioritize high-impact areas, and triage any Sentry errors found during testing.
• Customer Success Team:
  Validate new functionalities and provide feedback to support release monitoring.

GitHub Signoff

• Each team must sign off on the Release Candidate (RC) via GitHub by the end of the validation timeline (Tuesday EOD PT).
• Ensure all tests outlined in the Testing Plan are executed, and any identified issues are addressed.

Issue Resolution

• Resolve all Release Blockers (Sev0 and Sev1) by Tuesday EOD PT.
• For unresolved blockers, PRs may be reverted, or feature flags disabled to maintain release quality and timelines.

Cherry-Picking Criteria

• Only critical fixes meeting outlined criteria will be cherry-picked.
• Developers must ensure these fixes are thoroughly reviewed, tested, and merged by Tuesday EOD PT.

---

🗓️ Timeline and Milestones

1. Today (Friday): Begin Release Candidate validation.
2. Tuesday EOD PT: Finalize RC with all fixes and cherry-picks.
3. Wednesday: Buffer day for final checks.
4. Thursday: Submit release to app stores and begin rollout to 1% of users.
5. Monday: Scale deployment to 10%.
6. Tuesday: Full rollout to 100%.

---

✅ Signoff Checklist

Each team is responsible for signing off via GitHub. Use the checkbox below to track signoff completion:

Team sign-off checklist

• Extension Platform

This process is a major step forward in ensuring release stability and quality. Let’s stay aligned and make this release a success! 🚀

Feel free to reach out if you have questions or need clarification.

Many thanks in advance

Reference

• Testing plan sheet - https://docs.google.com/spreadsheets/d/1tsoodlAlyvEUpkkcNcbZ4PM9HuC9cEM80RZeoVv5OCQ/edit?gid=404070372#gid=404070372

---

Note

Prepares v13.13.2 release with dependency and CI updates.

• Bumps version to 13.13.2 and updates CHANGELOG.md links/entries
• Upgrades @metamask/tron-wallet-snap to ^1.17.0 and @metamask/keyring-api to ^21.3.0; pins qs to ^6.14.1 and refreshes yarn.lock/attribution.txt
• Updates Lavamoat policies to reference mockttp>express>qs instead of browserify>url>qs
• Adds environment: pr-comment to CI jobs (E2E failure alerts, identify-codeowners, publish-prerelease) for PR commenting

^{Written by Cursor Bugbot for commit 2205f3c. This will update automatically on new commits. Configure here.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​metamask/​tron-wallet-snap@​1.16.0 ⏵ 1.17.0	+1		+1	+1
	@​metamask/​keyring-api@​21.2.0 ⏵ 21.3.0	+1			-4

View full report

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[metamaskbotv2]

✨ Files requiring CODEOWNER review ✨

📜 @MetaMask/policy-reviewers (7 files, +14 -14)

• 📁 lavamoat/
  • 📁 browserify/
    • 📁 beta/
      • 📄 policy.json +2 -2
    • 📁 experimental/
      • 📄 policy.json +2 -2
    • 📁 flask/
      • 📄 policy.json +2 -2
    • 📁 main/
      • 📄 policy.json +2 -2
  • 📁 build-system/
    • 📄 policy.json +2 -2
  • 📁 webpack/
    • 📁 mv2/
      • 📄 policy.json +2 -2
    • 📁 mv3/
      • 📄 policy.json +2 -2

Tip

Follow the policy review process outlined in the LavaMoat Policy Review Process doc before expecting an approval from Policy Reviewers.

[metamaskbotv2]

Builds ready [9a31195]

• builds: chrome, firefox
• builds (beta): chrome, firefox
• builds (flask): chrome, firefox
• builds (test): chrome, firefox
• builds (test-flask): chrome, firefox
• bundle size: Bundle Size Stats
• user-actions-benchmark: User Actions Stats
• storybook: Storybook
• typescript migration: Dashboard
• all artifacts
• bundle viz:

  • background: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
  • common: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15
  • ui: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18
  • content-script: 0
  • offscreen: 0

UI Startup Metrics (1220 ± 97 ms)

Platform	BuildType	Page	Metric	Mean (ms)	Min (ms)	Max (ms)	Std Dev (ms)	P 75 (ms)	P 95 (ms)
Chrome	Browserify	Standard Home	uiStartup	1220	1013	1544	97	1280	1371
			load	1020	870	1284	82	1064	1187
			domContentLoaded	1014	867	1279	80	1059	1163
			domInteractive	25	14	97	19	21	82
			firstPaint	463	87	1183	379	947	1121
			backgroundConnect	214	196	247	12	220	241
			firstReactRender	28	20	77	9	32	43
			getState	38	15	158	25	39	104
			initialActions	1	0	8	1	1	2
			loadScripts	807	658	1078	78	850	960
			setupStore	11	7	23	3	12	19
			numNetworkReqs	26	18	89	20	18	84
	Browserify	Power User Home	uiStartup	1969	1652	2483	172	2071	2275
			load	1033	887	1515	122	1038	1332
			domContentLoaded	1020	883	1491	122	1024	1317
			domInteractive	34	18	133	22	34	94
			firstPaint	480	102	1532	362	935	1063
			backgroundConnect	258	205	711	101	234	514
			firstReactRender	55	42	119	10	59	68
			getState	183	136	664	94	182	238
			initialActions	1	0	5	1	1	2
			loadScripts	806	683	1267	120	809	1106
			setupStore	15	9	42	5	17	21
			numNetworkReqs	139	66	283	52	185	235
	Webpack	Standard Home	uiStartup	863	737	1144	85	909	1033
			load	667	588	855	68	713	798
			domContentLoaded	662	584	848	67	708	792
			domInteractive	26	17	101	17	24	72
			firstPaint	252	91	790	178	235	712
			backgroundConnect	11	6	82	9	10	18
			firstReactRender	28	21	46	6	33	41
			getState	26	14	98	12	33	44
			initialActions	1	0	3	1	1	2
			loadScripts	659	582	845	66	705	787
			setupStore	11	7	29	4	13	19
			numNetworkReqs	26	18	81	18	18	78
	Webpack	Power User Home	uiStartup	1505	1206	2016	200	1538	1952
			load	678	594	1000	83	682	890
			domContentLoaded	668	588	995	84	674	885
			domInteractive	35	18	126	26	33	108
			firstPaint	271	100	738	169	321	686
			backgroundConnect	51	7	571	131	16	516
			firstReactRender	56	44	83	7	61	68
			getState	164	128	646	51	167	193
			initialActions	1	0	4	1	1	2
			loadScripts	666	586	987	82	672	876
			setupStore	16	7	48	7	17	36
			numNetworkReqs	160	66	351	58	205	287
Firefox	Browserify	Standard Home	uiStartup	1314	1069	2135	167	1421	1578
			load	1081	905	1840	122	1140	1271
			domContentLoaded	1080	905	1839	122	1135	1270
			domInteractive	59	31	207	37	80	123
			firstPaint	-	-	-	-	-	-
			backgroundConnect	50	23	173	31	66	102
			firstReactRender	22	18	48	5	23	34
			getState	12	6	80	11	12	27
			initialActions	1	0	2	1	1	2
			loadScripts	1051	889	1806	115	1109	1227
			setupStore	12	6	178	18	10	31
			numNetworkReqs	28	18	86	19	22	79
	Browserify	Power User Home	uiStartup	2591	1903	4955	456	2667	3541
			load	1186	957	2281	199	1227	1636
			domContentLoaded	1185	957	2281	199	1227	1636
			domInteractive	117	32	547	102	116	395
			firstPaint	-	-	-	-	-	-
			backgroundConnect	136	25	979	153	136	417
			firstReactRender	61	37	195	21	67	97
			getState	289	65	896	235	454	782
			initialActions	2	0	3	1	2	3
			loadScripts	1149	941	1849	169	1191	1559
			setupStore	144	7	861	186	172	611
			numNetworkReqs	85	53	222	41	88	203
	Webpack	Standard Home	uiStartup	1517	1321	1943	144	1584	1843
			load	1260	1124	1504	84	1310	1441
			domContentLoaded	1260	1124	1503	84	1310	1441
			domInteractive	75	31	235	41	91	135
			firstPaint	-	-	-	-	-	-
			backgroundConnect	49	20	207	35	47	129
			firstReactRender	27	19	70	10	31	62
			getState	12	7	76	9	13	23
			initialActions	1	0	2	0	2	2
			loadScripts	1233	1084	1417	76	1286	1378
			setupStore	17	5	143	26	12	85
			numNetworkReqs	28	18	92	19	26	80
	Webpack	Power User Home	uiStartup	2963	2256	5495	717	2999	4646
			load	1542	1131	3330	481	1563	2869
			domContentLoaded	1541	1130	3329	481	1563	2869
			domInteractive	125	30	1097	139	108	413
			firstPaint	-	-	-	-	-	-
			backgroundConnect	203	28	1601	277	186	1005
			firstReactRender	64	40	200	27	64	106
			getState	282	53	1546	266	390	852
			initialActions	2	1	3	1	2	3
			loadScripts	1445	1114	2991	363	1468	2481
			setupStore	149	6	807	195	176	612
			numNetworkReqs	86	58	308	51	72	215

[cursor]

Lavamoat policy references dev dependency path for production module

Medium Severity

The qs module policy entry changed from browserify>url>qs to mockttp>express>qs, but mockttp is a devDependency not included in production builds. The policy now grants browserify>url access to mockttp>express>qs, which may cause a module identity mismatch at runtime. If Lavamoat cannot match the production qs module (accessed via browserify>url) to the policy entry keyed under a dev dependency path, security sandboxing for the qs module may not be correctly applied. This affects all Lavamoat policy files across browserify and webpack builds.

🔬 Verification Test

Why verification test was not possible:
This requires running the actual MetaMask extension build with Lavamoat enabled to verify whether the policy is correctly applied at runtime. The issue depends on Lavamoat's internal module identity resolution mechanism, which cannot be tested without the full build infrastructure. The concern is that the policy generator used mockttp>express>qs as the canonical name during development (when mockttp is present), but in production the module would be identified differently since mockttp isn't bundled.

Additional Locations (2)

• lavamoat/browserify/main/policy.json#L5593-L5594
• lavamoat/webpack/mv3/policy.json#L3286-L3291