chore: Migrate SIWE dependency to @signinwithethereum/siwe v4#8419
Open
caveman-eth wants to merge 1 commit intoMetaMask:mainfrom
Open
chore: Migrate SIWE dependency to @signinwithethereum/siwe v4#8419caveman-eth wants to merge 1 commit intoMetaMask:mainfrom
caveman-eth wants to merge 1 commit intoMetaMask:mainfrom
Conversation
Swap out unmaintained SpruceID SIWE packages for the @signinwithethereum successors. Updated dependencies and imports: controller-utils now depends on @signinwithethereum/siwe-parser (^4.1.0) and imports ParsedMessage in siwe.ts and siwe.test.ts; profile-sync-controller now depends on @signinwithethereum/siwe (^4.1.0) and imports SiweMessage in flow-siwe.ts. CHANGELOGs updated to document the migration. The public APIs used (ParsedMessage / SiweMessage) remain unchanged.
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Explanation
Current state
The monorepo depends on two SIWE (Sign-In With Ethereum / EIP-4361) packages originally maintained by Spruce:
@spruceid/siwe-parserv2.1.0 — used by@metamask/controller-utilsto detect and parse SIWE messages viadetectSIWE()siwev2.3.2 — used by@metamask/profile-sync-controllerto construct SIWE login messages vianew SiweMessage({...}).prepareMessage()The Spruce
siwepackage is no longer actively maintained.Stewardship of the SIWE standard has moved to the Ethereum Identity Foundation (GitHub).
@signinwithethereum/siweis the official successor TypeScript implementation.Similar migrations:
x402-foundation/x402 x402-foundation/x402#1917,
magiclabs/magic-js magiclabs/magic-js#1074
What this PR does
Swaps the abandoned packages for the actively maintained successors. The
ParsedMessageandSiweMessageclass APIs are identical — same constructors, same fields, same methods. This is purely a dependency swap with import path updates.Files changed:
controller-utilspackage.json@spruceid/siwe-parser→@signinwithethereum/siwe-parsercontroller-utilssrc/siwe.tscontroller-utilssrc/siwe.test.tsprofile-sync-controllerpackage.jsonsiwe→@signinwithethereum/siweprofile-sync-controllersrc/sdk/authentication-jwt-bearer/flow-siwe.tsNotable changes in the new packages
SiweParseError(with.errors: string[]) instead of genericError— no impact sincedetectSIWEcatches all errors genericallyethersis now an optional peer dependency of@signinwithethereum/siwe(was required insiwe) — no impact sinceprofile-sync-controlleronly callsprepareMessage(), notverify()@stablelib/random,uri-js,valid-urlBufferusage in the new packages (improved bundler compat)This repo (
core) does not patch the SIWE parser and is unaffected by this section. However, bothmetamask-extensionandmetamask-mobilemaintain their own patches on@spruceid/siwe-parserto disable EIP-55 address checksum enforcement — the parser strictly rejects non-checksummed (e.g. all-lowercase) Ethereum addresses, but many dApps produce lowercase addresses in SIWE messages.Those patches live in the client repos, not here:
.yarn/patches/@spruceid-siwe-parser-npm-2.1.0-060b7ede7a.patchpatches/@spruceid+siwe-parser+2.1.0.patchThey target
@spruceid/siwe-parserby package name. When the client repos upgrade to this new version ofcontroller-utils, the old package will disappear from their dependency trees and those patches will silently stop applying. The new@signinwithethereum/siwe-parserwill arrive unpatched with EIP-55 enforcement active.Action for client teams before upgrading: Create equivalent patches for
@signinwithethereum/siwe-parserthat remove theisEIP55Addresscheck from the address callback in the compiled output. Same concept — remove a ~5-lineifblock — just targeting the new package name.References
@signinwithethereum/siwe-parseron npm: https://www.npmjs.com/package/@signinwithethereum/siwe-parser@signinwithethereum/siweon npm: https://www.npmjs.com/package/@signinwithethereum/siweNote
Medium Risk
Swaps core SIWE parsing/message-construction dependencies used in signature and auth flows; behavior should be compatible but parser differences or peer dependency changes could affect SIWE detection/login in edge cases.
Overview
Updates SIWE dependencies to the Ethereum Identity Foundation maintained packages, replacing
@spruceid/siwe-parserwith@signinwithethereum/siwe-parserincontroller-utilsand replacingsiwewith@signinwithethereum/siweinprofile-sync-controller.Updates the corresponding imports (
ParsedMessage,SiweMessage) and refreshes changelogs andyarn.lockto reflect the new packages and transitive dependency changes.Reviewed by Cursor Bugbot for commit 5cd254a. Bugbot is set up for automated code reviews on this repo. Configure here.