From 3a52e22933f35b98d6ea8ae570adb1cde9796499 Mon Sep 17 00:00:00 2001 From: github-actions Date: Thu, 14 Aug 2025 20:55:01 +0000 Subject: [PATCH 1/5] 5.0.1 --- CHANGELOG.md | 49 ++++++++++++++++++++++++++++++++++++++++++++++--- package.json | 2 +- 2 files changed, 47 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 3209c68..2af171f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,4 +1,5 @@ # Changelog + All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), 
@@ -6,25 +7,40 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## [5.0.1] + +### Uncategorized + +- fix: add overflow protection on very long urls ([#198](https://github.com/MetaMask/phishing-warning/pull/198)) + ## [5.0.0] + ### Added + - Update MetaMask phishing image ([#190](https://github.com/MetaMask/phishing-warning/pull/190)) ### Fixed + - **BREAKING**: `data:` and `vbscript:` are now disallowed protocols alongside `javascript:` ([#175](https://github.com/MetaMask/phishing-warning/pull/175)) - Resolve issues with deployment scripts ([#191](https://github.com/MetaMask/phishing-warning/pull/191)) - Avoid creating playwright artifact with same name across node versions ([#192](https://github.com/MetaMask/phishing-warning/pull/192)) ## [4.1.0] + ### Added -- Redesign UI of the phishing warning page ([#176](https://github.com/MetaMask/phishing-warning/pull/176)) + +- Redesign UI of the phishing warning page ([#176](https://github.com/MetaMask/phishing-warning/pull/176)) ## [4.0.0] + ### Changed + - **BREAKING**: Update `phishingSafelistStream` to send `origin` instead of `hostname` as a parameter for `safelistPhishingDomain` method ([#165](https://github.com/MetaMask/phishing-warning/pull/165)) ## [3.0.4] + ### Changed + - Update index.html - update attribution copy ([#161](https://github.com/MetaMask/phishing-warning/pull/161)) - chore(devdeps): @lavamoat/allow-scripts@^2.3.1->^3.0.4 ([#157](https://github.com/MetaMask/phishing-warning/pull/157)) - Enabling MetaMask security code scanner ([#151](https://github.com/MetaMask/phishing-warning/pull/151)) 
@@ -32,30 +48,40 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Bump @metamask/post-message-stream from 7.0.0 to 8.0.0 ([#146](https://github.com/MetaMask/phishing-warning/pull/146)) ## [3.0.3] + ### Changed + - Update `ses` to `v1.1.0` ([#143](https://github.com/MetaMask/phishing-warning/pull/143)) ## [3.0.2] + ### Fixed + - change to hostname for Github issues ([#127](https://github.com/MetaMask/phishing-warning/pull/127)) ## [3.0.1] + ### Changed + - Using href url param only for suspect site ([#124](https://github.com/MetaMask/phishing-warning/pull/124)) ## [3.0.0] + ### Changed + - **BREAKING**: Increase minimum Node.js version to 16 ([#107](https://github.com/MetaMask/phishing-warning/pull/107)) - **BREAKING**: This package now returns streams conforming to the API of readable-stream@3.x. ([#122](https://github.com/MetaMask/phishing-warning/pull/122)) ([#104](https://github.com/MetaMask/phishing-warning/pull/104)) - Bump @metamask/post-message-stream from ^6.2.0 to ^7.0.0 ([#104](https://github.com/MetaMask/phishing-warning/pull/104)) - Upgrade obj-multiplex to @metamask/object-multiplex@^2.0.0 ([#122](https://github.com/MetaMask/phishing-warning/pull/122)) ### Fixed -- Bump ses from ^0.18.7 to ^0.18.8 ([#120](https://github.com/MetaMask/phishing-warning/pull/120)) +- Bump ses from ^0.18.7 to ^0.18.8 ([#120](https://github.com/MetaMask/phishing-warning/pull/120)) ## [2.1.1] + ### Fixed + - Dependency updates ([#105](https://github.com/MetaMask/phishing-warning/pull/105)) - Move @types/punycode from dependencies to devDependencies - Update @metamask/design-tokens from ^1.6.0 to ^1.12.0 
@@ -64,37 +90,51 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Update ses from ^0.18.1 to ^0.18.7 ## [2.1.0] + ### Changed + - "Back to safety" button now triggers a `backToSafetyPhishingWarning` message to be sent on the `phishingSafelistStream` ([#84](https://github.com/MetaMask/phishing-warning/pull/84)) ## [2.0.1] + ### Fixed + - Restore iframe warning and "open in new tab" link ([#73](https://github.com/MetaMask/phishing-warning/pull/73)) ## [2.0.0] + ### Changed + - **BREAKING:** Dynamically lookup the source of a block ([#57](https://github.com/MetaMask/phishing-warning/pull/57)) - The query parameter `newIssueUrl` is no longer accepted. Instead this page will look up the source of a block dynamically. - We no longer show on the page which project is responsible for the block. This will be restored in a future version. - Redesign the phishing warning page ([#52](https://github.com/MetaMask/phishing-warning/pull/52)) ## [1.2.2] + ### Changed + - Update `ses` version from v0.12.4 to v10.18.1 ([#53](https://github.com/MetaMask/phishing-warning/pull/53)) - Update @metamask/design-tokens from 1.9.0 to 1.11.1 ([#46](https://github.com/MetaMask/phishing-warning/pull/46)) - This includes minor color updates. ## [1.2.1] + ### Fixed + - Fix build script to exclude file imports from `@metamask/post-message-stream` which expect to only run in the context of a Web worker ([#27](https://github.com/MetaMask/phishing-warning/pull/27)) ## [1.2.0] [DEPRECATED] + ### Added + - Add a check for the protocol of the url being blocked. Remove `continue at your own risk` option if protocol is disallowed ([#16](https://github.com/MetaMask/phishing-warning/pull/16)) - Add optional arg `newIssueUrl` to `getUrl` function so that the correct link to direct disputes can be specified by a hash query param. 
([#23](https://github.com/MetaMask/phishing-warning/pull/23)) ## [1.1.0] + ### Added + - Add service worker for offline caching ([#9](https://github.com/MetaMask/phishing-warning/pull/9)) - Add favicons ([#8](https://github.com/MetaMask/phishing-warning/pull/8)) - Add actions to publish to gh-pages ([#3](https://github.com/MetaMask/phishing-warning/pull/3)) @@ -107,11 +147,14 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - A script was added to the HTML file to detect when the frame is being embedded. If it detects that it is embedded, a separate design is used that prompts the user to open the warning page in a new tab to proceed. This ensures the blocked page cannot be added to the safelist via a clickjacking attack. ## [1.0.0] + ### Changed + - Initial implementation of the phishing warning page - This should behave identically to the phishing warning page built into the MetaMask extension. -[Unreleased]: https://github.com/MetaMask/phishing-warning/compare/v5.0.0...HEAD +[Unreleased]: https://github.com/MetaMask/phishing-warning/compare/v5.0.1...HEAD +[5.0.1]: https://github.com/MetaMask/phishing-warning/compare/v5.0.0...v5.0.1 [5.0.0]: https://github.com/MetaMask/phishing-warning/compare/v4.1.0...v5.0.0 [4.1.0]: https://github.com/MetaMask/phishing-warning/compare/v4.0.0...v4.1.0 [4.0.0]: https://github.com/MetaMask/phishing-warning/compare/v3.0.4...v4.0.0 diff --git a/package.json b/package.json index 7625593..697f9d7 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@metamask/phishing-warning", - "version": "5.0.0", + "version": "5.0.1", "description": "A page to warn users about a suspected phishing site.", "repository": { "type": "git", From e56edc18953495d58a6e9f4fc1821c6fbc3e600e Mon Sep 17 00:00:00 2001 From: mindofmar Date: Thu, 14 Aug 2025 16:04:12 -0500 Subject: [PATCH 2/5] trigger ci --- README.md | 1 + 1 file changed, 1 insertion(+) 
diff --git a/README.md b/README.md index 02a1937..1f7f26c 100644 --- a/README.md +++ b/README.md @@ -78,3 +78,4 @@ The project follows the same release process as the other libraries in the MetaM - Be very careful to use a clean local environment to publish the release, and follow exactly the same steps used during CI. - Use `npm publish --dry-run` to examine the release contents to ensure the correct files are included. Compare to previous releases if necessary (e.g. using `https://unpkg.com/browse/[package name]@[package version]/`). - Once you are confident the release contents are correct, publish the release using `npm publish`. + From e6d39ff2c5107284475aa7f20f37a6e8bdba989f Mon Sep 17 00:00:00 2001 From: mindofmar Date: Thu, 14 Aug 2025 16:47:56 -0500 Subject: [PATCH 3/5] undo previous change --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 1f7f26c..02a1937 100644 --- a/README.md +++ b/README.md @@ -78,4 +78,3 @@ The project follows the same release process as the other libraries in the MetaM - Be very careful to use a clean local environment to publish the release, and follow exactly the same steps used during CI. - Use `npm publish --dry-run` to examine the release contents to ensure the correct files are included. Compare to previous releases if necessary (e.g. using `https://unpkg.com/browse/[package name]@[package version]/`). - Once you are confident the release contents are correct, publish the release using `npm publish`. - From 550b32f93f7087ebc1cff22c1b81d85fe6d71158 Mon Sep 17 00:00:00 2001 From: mindofmar Date: Fri, 15 Aug 2025 09:59:14 -0500 Subject: [PATCH 4/5] update changelog linting & fix uncategorized changes issue --- CHANGELOG.md | 49 +++++-------------------------------------------- 1 file changed, 5 insertions(+), 44 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 2af171f..c217778 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,5 +1,4 @@ # Changelog - All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), @@ -8,39 +7,28 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] ## [5.0.1] - -### Uncategorized - +### Fixed - fix: add overflow protection on very long urls ([#198](https://github.com/MetaMask/phishing-warning/pull/198)) ## [5.0.0] - ### Added - - Update MetaMask phishing image ([#190](https://github.com/MetaMask/phishing-warning/pull/190)) ### Fixed - - **BREAKING**: `data:` and `vbscript:` are now disallowed protocols alongside `javascript:` ([#175](https://github.com/MetaMask/phishing-warning/pull/175)) - Resolve issues with deployment scripts ([#191](https://github.com/MetaMask/phishing-warning/pull/191)) - Avoid creating playwright artifact with same name across node versions ([#192](https://github.com/MetaMask/phishing-warning/pull/192)) ## [4.1.0] - ### Added - -- Redesign UI of the phishing warning page ([#176](https://github.com/MetaMask/phishing-warning/pull/176)) +- Redesign UI of the phishing warning page ([#176](https://github.com/MetaMask/phishing-warning/pull/176)) ## [4.0.0] - ### Changed - - **BREAKING**: Update `phishingSafelistStream` to send `origin` instead of `hostname` as a parameter for `safelistPhishingDomain` method ([#165](https://github.com/MetaMask/phishing-warning/pull/165)) ## [3.0.4] - ### Changed - - Update index.html - update attribution copy ([#161](https://github.com/MetaMask/phishing-warning/pull/161)) - chore(devdeps): @lavamoat/allow-scripts@^2.3.1->^3.0.4 ([#157](https://github.com/MetaMask/phishing-warning/pull/157)) - Enabling MetaMask security code scanner ([#151](https://github.com/MetaMask/phishing-warning/pull/151)) 
@@ -48,40 +36,30 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Bump @metamask/post-message-stream from 7.0.0 to 8.0.0 ([#146](https://github.com/MetaMask/phishing-warning/pull/146)) ## [3.0.3] - ### Changed - - Update `ses` to `v1.1.0` ([#143](https://github.com/MetaMask/phishing-warning/pull/143)) ## [3.0.2] - ### Fixed - - change to hostname for Github issues ([#127](https://github.com/MetaMask/phishing-warning/pull/127)) ## [3.0.1] - ### Changed - - Using href url param only for suspect site ([#124](https://github.com/MetaMask/phishing-warning/pull/124)) ## [3.0.0] - ### Changed - - **BREAKING**: Increase minimum Node.js version to 16 ([#107](https://github.com/MetaMask/phishing-warning/pull/107)) - **BREAKING**: This package now returns streams conforming to the API of readable-stream@3.x. ([#122](https://github.com/MetaMask/phishing-warning/pull/122)) ([#104](https://github.com/MetaMask/phishing-warning/pull/104)) - Bump @metamask/post-message-stream from ^6.2.0 to ^7.0.0 ([#104](https://github.com/MetaMask/phishing-warning/pull/104)) - Upgrade obj-multiplex to @metamask/object-multiplex@^2.0.0 ([#122](https://github.com/MetaMask/phishing-warning/pull/122)) ### Fixed - - Bump ses from ^0.18.7 to ^0.18.8 ([#120](https://github.com/MetaMask/phishing-warning/pull/120)) -## [2.1.1] +## [2.1.1] ### Fixed - - Dependency updates ([#105](https://github.com/MetaMask/phishing-warning/pull/105)) - Move @types/punycode from dependencies to devDependencies - Update @metamask/design-tokens from ^1.6.0 to ^1.12.0 
@@ -90,51 +68,37 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Update ses from ^0.18.1 to ^0.18.7 ## [2.1.0] - ### Changed - - "Back to safety" button now triggers a `backToSafetyPhishingWarning` message to be sent on the `phishingSafelistStream` ([#84](https://github.com/MetaMask/phishing-warning/pull/84)) ## [2.0.1] - ### Fixed - - Restore iframe warning and "open in new tab" link ([#73](https://github.com/MetaMask/phishing-warning/pull/73)) ## [2.0.0] - ### Changed - - **BREAKING:** Dynamically lookup the source of a block ([#57](https://github.com/MetaMask/phishing-warning/pull/57)) - The query parameter `newIssueUrl` is no longer accepted. Instead this page will look up the source of a block dynamically. - We no longer show on the page which project is responsible for the block. This will be restored in a future version. - Redesign the phishing warning page ([#52](https://github.com/MetaMask/phishing-warning/pull/52)) ## [1.2.2] - ### Changed - - Update `ses` version from v0.12.4 to v10.18.1 ([#53](https://github.com/MetaMask/phishing-warning/pull/53)) - Update @metamask/design-tokens from 1.9.0 to 1.11.1 ([#46](https://github.com/MetaMask/phishing-warning/pull/46)) - This includes minor color updates. ## [1.2.1] - ### Fixed - - Fix build script to exclude file imports from `@metamask/post-message-stream` which expect to only run in the context of a Web worker ([#27](https://github.com/MetaMask/phishing-warning/pull/27)) ## [1.2.0] [DEPRECATED] - ### Added - - Add a check for the protocol of the url being blocked. Remove `continue at your own risk` option if protocol is disallowed ([#16](https://github.com/MetaMask/phishing-warning/pull/16)) - Add optional arg `newIssueUrl` to `getUrl` function so that the correct link to direct disputes can be specified by a hash query param. 
([#23](https://github.com/MetaMask/phishing-warning/pull/23)) ## [1.1.0] - ### Added - - Add service worker for offline caching ([#9](https://github.com/MetaMask/phishing-warning/pull/9)) - Add favicons ([#8](https://github.com/MetaMask/phishing-warning/pull/8)) - Add actions to publish to gh-pages ([#3](https://github.com/MetaMask/phishing-warning/pull/3)) @@ -147,14 +111,11 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - A script was added to the HTML file to detect when the frame is being embedded. If it detects that it is embedded, a separate design is used that prompts the user to open the warning page in a new tab to proceed. This ensures the blocked page cannot be added to the safelist via a clickjacking attack. ## [1.0.0] - ### Changed - - Initial implementation of the phishing warning page - This should behave identically to the phishing warning page built into the MetaMask extension. -[Unreleased]: https://github.com/MetaMask/phishing-warning/compare/v5.0.1...HEAD -[5.0.1]: https://github.com/MetaMask/phishing-warning/compare/v5.0.0...v5.0.1 +[Unreleased]: https://github.com/MetaMask/phishing-warning/compare/v5.0.0...HEAD [5.0.0]: https://github.com/MetaMask/phishing-warning/compare/v4.1.0...v5.0.0 [4.1.0]: https://github.com/MetaMask/phishing-warning/compare/v4.0.0...v4.1.0 [4.0.0]: https://github.com/MetaMask/phishing-warning/compare/v3.0.4...v4.0.0 @@ -171,4 +132,4 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 [1.2.1]: https://github.com/MetaMask/phishing-warning/compare/v1.2.0...v1.2.1 [1.2.0]: https://github.com/MetaMask/phishing-warning/compare/v1.1.0...v1.2.0 [1.1.0]: https://github.com/MetaMask/phishing-warning/compare/v1.0.0...v1.1.0 -[1.0.0]: https://github.com/MetaMask/phishing-warning/releases/tag/v1.0.0 +[1.0.0]: https://github.com/MetaMask/phishing-warning/releases/tag/v1.0.0 \ No newline at end of file 
From 807b7cb8adbc2bcf65c5fb6a358df447e72ad9cc Mon Sep 17 00:00:00 2001 From: mindofmar Date: Fri, 15 Aug 2025 13:48:45 -0500 Subject: [PATCH 5/5] fix changelog linting issues --- CHANGELOG.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index c217778..3ea9465 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -115,7 +115,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Initial implementation of the phishing warning page - This should behave identically to the phishing warning page built into the MetaMask extension. -[Unreleased]: https://github.com/MetaMask/phishing-warning/compare/v5.0.0...HEAD +[Unreleased]: https://github.com/MetaMask/phishing-warning/compare/v5.0.1...HEAD +[5.0.1]: https://github.com/MetaMask/phishing-warning/compare/v5.0.0...v5.0.1 [5.0.0]: https://github.com/MetaMask/phishing-warning/compare/v4.1.0...v5.0.0 [4.1.0]: https://github.com/MetaMask/phishing-warning/compare/v4.0.0...v4.1.0 [4.0.0]: https://github.com/MetaMask/phishing-warning/compare/v3.0.4...v4.0.0 @@ -132,4 +133,4 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 [1.2.1]: https://github.com/MetaMask/phishing-warning/compare/v1.2.0...v1.2.1 [1.2.0]: https://github.com/MetaMask/phishing-warning/compare/v1.1.0...v1.2.0 [1.1.0]: https://github.com/MetaMask/phishing-warning/compare/v1.0.0...v1.1.0 -[1.0.0]: https://github.com/MetaMask/phishing-warning/releases/tag/v1.0.0 \ No newline at end of file +[1.0.0]: https://github.com/MetaMask/phishing-warning/releases/tag/v1.0.0
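
Review bot: In PATCH 1/5, the `@@ -6,25 +7,40 @@` hunk of CHANGELOG.md files the only 5.0.1 entry under `### Uncategorized` and keeps the commit prefix in the text: `- fix: add overflow protection on very long urls`. Keep a Changelog, which the file header cites as its format, has no such category; the entry belongs under `### Fixed` without the `fix:` prefix. PATCH 4/5 moves it under `### Fixed` but leaves the prefix in place. The wording also does not say what overflows. This package is the page that shows a suspect URL to the user, so the entry should state the user-visible effect of the fix so that consumers can judge whether the upgrade matters to them.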
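
Review bot: In PATCH 1/5, the CHANGELOG.md hunks from `@@ -32,30 +48,40 @@` onward only insert blank lines after headings in sections for releases that are already published, which accounts for most of the 47 insertions in a commit titled `5.0.1`. PATCH 4/5 then removes the same blank lines again (44 deletions). Keep the release commit to the new `## [5.0.1]` section, the link references and the `package.json` version bump, and settle the formatter or changelog-linter disagreement in its own change so the version bump can be audited at a glance.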
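
Review bot: PATCH 2/5 (`trigger ci`) adds a trailing blank line at the end of README.md and PATCH 3/5 (`undo previous change`) removes it, so the pair has no net effect on the tree. Drop both commits before merging, or squash the series; if CI needs a new run, re-run the workflow or push an empty commit with `git commit --allow-empty` rather than touching a file that ships in the package.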
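
Review bot: In PATCH 4/5, the `@@ -147,14 +111,11 @@` hunk deletes the `[5.0.1]:` link definition and points `[Unreleased]` back at `compare/v5.0.0...HEAD`, while the `## [5.0.1]` heading stays in the file. At that commit the heading has no link target and the Unreleased comparison covers the wrong range. The `@@ -171,4 +132,4 @@` hunk also drops the final newline (`\ No newline at end of file`). PATCH 5/5 restores both link lines and the newline, so squash 4/5 and 5/5 into one commit; that way no commit in the series carries a changelog that fails validation, and the history stays usable for bisecting.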