feat: add `@metamask/messenger-docs` package by cryptodev-2s · Pull Request #8012 · MetaMask/core

cryptodev-2s · 2026-02-22T18:53:00Z

Explanation

Adds @metamask/messenger-docs, a publishable package that generates and serves searchable Messenger API documentation for MetaMask controller packages.

The package scans TypeScript source files and .d.cts declaration files for messenger action/event types, then generates a Docusaurus site with per-namespace pages, JSDoc descriptions, source links, and local search.

Features

Extracts messenger actions and events from both type aliases and interface declarations
Scans packages/*/src/ for .ts source files and node_modules/@metamask/ for .d.cts declarations
Generates per-namespace markdown pages grouped by actions and events
Source links auto-resolve to the correct GitHub repo via git remote
Docusaurus site with dark/light mode and offline search (no Algolia)
Configurable scanDirs via package.json or --scan-dir CLI flag

Core monorepo

yarn workspace @metamask/messenger-docs docs:dev
yarn workspace @metamask/messenger-docs docs:serve

Client projects (Extension, Mobile)

Install as a dev dependency and add a script:

{
  "scripts": {
    "docs:messenger": "messenger-docs --serve"
  },
  "messenger-docs": {
    "scanDirs": ["app", "src"]
  }
}

The tool scans the client's node_modules/@metamask/ for declaration files and any configured source directories for local messenger types.

References

WPC-82

Checklist

I've updated the test suite for new or updated code as appropriate
I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
I've communicated my changes to consumers by updating changelogs for packages I've changed
I've introduced breaking changes in this PR and have prepared draft pull requests for clients and consumer packages to resolve them

socket-security · 2026-02-22T23:21:58Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Package	Supply Chain Security	Vulnerability	Quality
@docusaurus/preset-classic@3.9.2
@docusaurus/types@3.9.2
@easyops-cn/docusaurus-search-local@0.55.0
@docusaurus/core@3.9.2
@docusaurus/theme-common@3.9.2
lodash@4.17.21 ⏵ 4.17.23	^-5	⁺²	⁺¹
@types/react@18.3.28
react@18.3.1
@mdx-js/react@3.1.1
prism-react-renderer@2.4.1
semver@7.7.3 ⏵ 7.7.4
react-dom@18.3.1

View full report

socket-security · 2026-02-22T23:22:00Z

Caution

MetaMask internal reviewing guidelines:

Do not ignore-all
Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
@SocketSecurity ignore npm/PACKAGE@VERSION

Action	Severity	Alert (click "▶" to expand/collapse)
Block		Obfuscated code: npm `lunr-languages` is 95.0% likely obfuscated Confidence: 0.95 Location: Package overview From: `?` → `npm/@easyops-cn/docusaurus-search-local@0.55.0` → `npm/lunr-languages@1.14.0` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/lunr-languages@1.14.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Obfuscated code: npm `lunr-languages` is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: `?` → `npm/@easyops-cn/docusaurus-search-local@0.55.0` → `npm/lunr-languages@1.14.0` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/lunr-languages@1.14.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Obfuscated code: npm `svgo` is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: `?` → `npm/@docusaurus/preset-classic@3.9.2` → `npm/@docusaurus/core@3.9.2` → `npm/svgo@3.3.2` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/svgo@3.3.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@algolia/abtesting` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@docusaurus/preset-classic@3.9.2` → `npm/@algolia/abtesting@1.15.0` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@algolia/abtesting@1.15.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@algolia/client-abtesting` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@docusaurus/preset-classic@3.9.2` → `npm/@algolia/client-abtesting@5.49.0` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@algolia/client-abtesting@5.49.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@algolia/client-analytics` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@docusaurus/preset-classic@3.9.2` → `npm/@algolia/client-analytics@5.49.0` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@algolia/client-analytics@5.49.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@algolia/client-insights` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@docusaurus/preset-classic@3.9.2` → `npm/@algolia/client-insights@5.49.0` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@algolia/client-insights@5.49.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@algolia/client-personalization` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@docusaurus/preset-classic@3.9.2` → `npm/@algolia/client-personalization@5.49.0` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@algolia/client-personalization@5.49.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@algolia/client-query-suggestions` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@docusaurus/preset-classic@3.9.2` → `npm/@algolia/client-query-suggestions@5.49.0` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@algolia/client-query-suggestions@5.49.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@algolia/client-search` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@docusaurus/preset-classic@3.9.2` → `npm/@algolia/client-search@5.49.0` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@algolia/client-search@5.49.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@algolia/ingestion` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@docusaurus/preset-classic@3.9.2` → `npm/@algolia/ingestion@1.49.0` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@algolia/ingestion@1.49.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@algolia/monitoring` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@docusaurus/preset-classic@3.9.2` → `npm/@algolia/monitoring@1.49.0` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@algolia/monitoring@1.49.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@algolia/recommend` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@docusaurus/preset-classic@3.9.2` → `npm/@algolia/recommend@5.49.0` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@algolia/recommend@5.49.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@algolia/requester-fetch` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@docusaurus/preset-classic@3.9.2` → `npm/@algolia/requester-fetch@5.49.0` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@algolia/requester-fetch@5.49.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@algolia/requester-node-http` in module http Module: http Location: Package overview From: `?` → `npm/@docusaurus/preset-classic@3.9.2` → `npm/@algolia/requester-node-http@5.49.0` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@algolia/requester-node-http@5.49.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@algolia/requester-node-http` in module https Module: https Location: Package overview From: `?` → `npm/@docusaurus/preset-classic@3.9.2` → `npm/@algolia/requester-node-http@5.49.0` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@algolia/requester-node-http@5.49.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@docsearch/react` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@docusaurus/preset-classic@3.9.2` → `npm/@docsearch/react@4.6.0` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@docsearch/react@4.6.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@docusaurus/core` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: packages/messenger-docs/package.json → `npm/@docusaurus/core@3.9.2` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@docusaurus/core@3.9.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@docusaurus/theme-search-algolia` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@docusaurus/preset-classic@3.9.2` → `npm/@docusaurus/theme-search-algolia@3.9.2` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@docusaurus/theme-search-algolia@3.9.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@easyops-cn/docusaurus-search-local` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: packages/messenger-docs/package.json → `npm/@easyops-cn/docusaurus-search-local@0.55.0` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@easyops-cn/docusaurus-search-local@0.55.0`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@emnapi/core` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@easyops-cn/docusaurus-search-local@0.55.0` → `npm/@emnapi/core@1.8.1` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@emnapi/core@1.8.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@node-rs/jieba-wasm32-wasi` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@easyops-cn/docusaurus-search-local@0.55.0` → `npm/@node-rs/jieba-wasm32-wasi@1.10.4` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@node-rs/jieba-wasm32-wasi@1.10.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		System shell access: npm `@node-rs/jieba` in module child_process Module: child_process Location: Package overview From: `?` → `npm/@easyops-cn/docusaurus-search-local@0.55.0` → `npm/@node-rs/jieba@1.10.4` ℹ Read more on: This package \| This alert \| What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@node-rs/jieba@1.10.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@pnpm/npm-conf` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@docusaurus/core@3.9.2` → `npm/@pnpm/npm-conf@3.0.2` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@pnpm/npm-conf@3.0.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@tybys/wasm-util` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@easyops-cn/docusaurus-search-local@0.55.0` → `npm/@tybys/wasm-util@0.10.1` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@tybys/wasm-util@0.10.1`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@types/react` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: packages/messenger-docs/package.json → `npm/@types/react@18.3.28` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@types/react@18.3.28`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm `@types/react` in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: `?` → `npm/@easyops-cn/docusaurus-search-local@0.55.0` → `npm/@docusaurus/types@3.9.2` → `npm/@docusaurus/preset-classic@3.9.2` → `npm/@docusaurus/theme-common@3.9.2` → `npm/@docusaurus/core@3.9.2` → `npm/@types/react@19.2.14` ℹ Read more on: This package \| This alert \| What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@types/react@19.2.14`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
See 128 more rows in the dashboard

View full report

cryptodev-2s · 2026-02-23T22:40:34Z

@metamaskbot publish-preview

github-actions · 2026-02-23T22:48:00Z

Preview builds have been published. See these instructions for more information about preview builds.

Expand for full list of packages and versions.

{
  "@metamask-previews/account-tree-controller": "4.1.1-preview-980f677",
  "@metamask-previews/accounts-controller": "36.0.1-preview-980f677",
  "@metamask-previews/address-book-controller": "7.0.1-preview-980f677",
  "@metamask-previews/ai-controllers": "0.1.0-preview-980f677",
  "@metamask-previews/analytics-controller": "1.0.0-preview-980f677",
  "@metamask-previews/analytics-data-regulation-controller": "0.0.0-preview-980f677",
  "@metamask-previews/announcement-controller": "8.0.0-preview-980f677",
  "@metamask-previews/app-metadata-controller": "2.0.0-preview-980f677",
  "@metamask-previews/approval-controller": "8.0.0-preview-980f677",
  "@metamask-previews/assets-controller": "2.0.2-preview-980f677",
  "@metamask-previews/assets-controllers": "100.0.2-preview-980f677",
  "@metamask-previews/base-controller": "9.0.0-preview-980f677",
  "@metamask-previews/bridge-controller": "67.1.1-preview-980f677",
  "@metamask-previews/bridge-status-controller": "67.0.1-preview-980f677",
  "@metamask-previews/build-utils": "3.0.4-preview-980f677",
  "@metamask-previews/chain-agnostic-permission": "1.4.0-preview-980f677",
  "@metamask-previews/claims-controller": "0.4.2-preview-980f677",
  "@metamask-previews/client-controller": "1.0.0-preview-980f677",
  "@metamask-previews/compliance-controller": "1.0.1-preview-980f677",
  "@metamask-previews/composable-controller": "12.0.0-preview-980f677",
  "@metamask-previews/connectivity-controller": "0.1.0-preview-980f677",
  "@metamask-previews/controller-utils": "11.19.0-preview-980f677",
  "@metamask-previews/core-backend": "6.0.0-preview-980f677",
  "@metamask-previews/delegation-controller": "2.0.1-preview-980f677",
  "@metamask-previews/earn-controller": "11.1.1-preview-980f677",
  "@metamask-previews/eip-5792-middleware": "2.1.0-preview-980f677",
  "@metamask-previews/eip-7702-internal-rpc-middleware": "0.1.0-preview-980f677",
  "@metamask-previews/eip1193-permission-middleware": "1.0.3-preview-980f677",
  "@metamask-previews/ens-controller": "19.0.3-preview-980f677",
  "@metamask-previews/error-reporting-service": "3.0.1-preview-980f677",
  "@metamask-previews/eth-block-tracker": "15.0.1-preview-980f677",
  "@metamask-previews/eth-json-rpc-middleware": "23.1.0-preview-980f677",
  "@metamask-previews/eth-json-rpc-provider": "6.0.0-preview-980f677",
  "@metamask-previews/foundryup": "1.0.1-preview-980f677",
  "@metamask-previews/gas-fee-controller": "26.0.3-preview-980f677",
  "@metamask-previews/gator-permissions-controller": "2.0.0-preview-980f677",
  "@metamask-previews/json-rpc-engine": "10.2.2-preview-980f677",
  "@metamask-previews/json-rpc-middleware-stream": "8.0.8-preview-980f677",
  "@metamask-previews/keyring-controller": "25.1.0-preview-980f677",
  "@metamask-previews/logging-controller": "7.0.1-preview-980f677",
  "@metamask-previews/message-manager": "14.1.0-preview-980f677",
  "@metamask-previews/messenger": "0.3.0-preview-980f677",
  "@metamask-previews/multichain-account-service": "7.0.0-preview-980f677",
  "@metamask-previews/multichain-api-middleware": "1.2.7-preview-980f677",
  "@metamask-previews/multichain-network-controller": "3.0.4-preview-980f677",
  "@metamask-previews/multichain-transactions-controller": "7.0.1-preview-980f677",
  "@metamask-previews/name-controller": "9.0.0-preview-980f677",
  "@metamask-previews/network-controller": "30.0.0-preview-980f677",
  "@metamask-previews/network-enablement-controller": "4.1.2-preview-980f677",
  "@metamask-previews/notification-services-controller": "22.0.0-preview-980f677",
  "@metamask-previews/permission-controller": "12.2.0-preview-980f677",
  "@metamask-previews/permission-log-controller": "5.0.0-preview-980f677",
  "@metamask-previews/perps-controller": "0.0.0-preview-980f677",
  "@metamask-previews/phishing-controller": "16.3.0-preview-980f677",
  "@metamask-previews/polling-controller": "16.0.3-preview-980f677",
  "@metamask-previews/preferences-controller": "22.1.0-preview-980f677",
  "@metamask-previews/profile-metrics-controller": "3.0.1-preview-980f677",
  "@metamask-previews/profile-sync-controller": "27.1.0-preview-980f677",
  "@metamask-previews/ramps-controller": "10.0.0-preview-980f677",
  "@metamask-previews/rate-limit-controller": "7.0.0-preview-980f677",
  "@metamask-previews/remote-feature-flag-controller": "4.0.0-preview-980f677",
  "@metamask-previews/sample-controllers": "4.0.3-preview-980f677",
  "@metamask-previews/seedless-onboarding-controller": "8.1.0-preview-980f677",
  "@metamask-previews/selected-network-controller": "26.0.3-preview-980f677",
  "@metamask-previews/shield-controller": "5.0.1-preview-980f677",
  "@metamask-previews/signature-controller": "39.0.4-preview-980f677",
  "@metamask-previews/storage-service": "1.0.0-preview-980f677",
  "@metamask-previews/subscription-controller": "6.0.0-preview-980f677",
  "@metamask-previews/transaction-controller": "62.18.0-preview-980f677",
  "@metamask-previews/transaction-pay-controller": "16.0.0-preview-980f677",
  "@metamask-previews/user-operation-controller": "41.0.3-preview-980f677"
}

cryptodev-2s · 2026-02-24T15:28:03Z

@metamaskbot publish-preview

cryptodev-2s · 2026-02-24T15:31:27Z

@metamaskbot publish-preview

cryptodev-2s · 2026-02-24T16:26:21Z

@metamaskbot publish-preview

Docusaurus site for browsing controller messenger actions/events, with offline search powered by docusaurus-search-local.

…ency tree

## Explanation The messenger docs generation currently lives in `scripts/generate-messenger-docs/` and the Docusaurus site template in `docs-site/`. This makes it unusable by external clients (metamask-extension, metamask-mobile) without access to this monorepo. This PR extracts both into a new `@metamask/messenger-docs` package at `packages/messenger-docs/` with a CLI, so any project with `@metamask` controller dependencies can generate and serve messenger API docs. ### Usage ```bash # Default: scans cwd for node_modules/@MetaMask controller/service packages npx @metamask/messenger-docs # Scan a specific project npx @metamask/messenger-docs /path/to/project # Generate + build static site npx @metamask/messenger-docs --build # Generate + serve (build + http server) npx @metamask/messenger-docs --serve # Generate + dev server (hot reload) npx @metamask/messenger-docs --dev # Scan source .ts files instead of .d.cts (for monorepo development) npx @metamask/messenger-docs --source # Custom output directory (default: .messenger-docs) npx @metamask/messenger-docs --output ./my-docs ``` ## References - Builds on top of `feat/messenger-docs-site` ## Checklist - [ ] I've updated the test suite for new or updated code as appropriate - [ ] I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate - [ ] I've communicated my changes to consumers by [updating changelogs for packages I've changed](https://github.com/MetaMask/core/tree/main/docs/processes/updating-changelogs.md) - [ ] I've introduced [breaking changes](https://github.com/MetaMask/core/tree/main/docs/processes/breaking-changes.md) in this PR and have prepared draft pull requests for clients and consumer packages to resolve them

cryptodev-2s · 2026-02-25T17:55:47Z

@metamaskbot publish-preview

github-actions · 2026-02-25T18:04:19Z

Preview builds have been published. See these instructions for more information about preview builds.

Expand for full list of packages and versions.

{
  "@metamask-previews/account-tree-controller": "4.1.1-preview-17adacd",
  "@metamask-previews/accounts-controller": "36.0.1-preview-17adacd",
  "@metamask-previews/address-book-controller": "7.0.1-preview-17adacd",
  "@metamask-previews/ai-controllers": "0.1.0-preview-17adacd",
  "@metamask-previews/analytics-controller": "1.0.0-preview-17adacd",
  "@metamask-previews/analytics-data-regulation-controller": "0.0.0-preview-17adacd",
  "@metamask-previews/announcement-controller": "8.0.0-preview-17adacd",
  "@metamask-previews/app-metadata-controller": "2.0.0-preview-17adacd",
  "@metamask-previews/approval-controller": "8.0.0-preview-17adacd",
  "@metamask-previews/assets-controller": "2.0.2-preview-17adacd",
  "@metamask-previews/assets-controllers": "100.0.3-preview-17adacd",
  "@metamask-previews/base-controller": "9.0.0-preview-17adacd",
  "@metamask-previews/base-data-service": "0.0.0-preview-17adacd",
  "@metamask-previews/bridge-controller": "67.2.0-preview-17adacd",
  "@metamask-previews/bridge-status-controller": "67.0.1-preview-17adacd",
  "@metamask-previews/build-utils": "3.0.4-preview-17adacd",
  "@metamask-previews/chain-agnostic-permission": "1.4.0-preview-17adacd",
  "@metamask-previews/claims-controller": "0.4.2-preview-17adacd",
  "@metamask-previews/client-controller": "1.0.0-preview-17adacd",
  "@metamask-previews/compliance-controller": "1.0.1-preview-17adacd",
  "@metamask-previews/composable-controller": "12.0.0-preview-17adacd",
  "@metamask-previews/connectivity-controller": "0.1.0-preview-17adacd",
  "@metamask-previews/controller-utils": "11.19.0-preview-17adacd",
  "@metamask-previews/core-backend": "6.0.0-preview-17adacd",
  "@metamask-previews/delegation-controller": "2.0.1-preview-17adacd",
  "@metamask-previews/earn-controller": "11.1.1-preview-17adacd",
  "@metamask-previews/eip-5792-middleware": "2.1.0-preview-17adacd",
  "@metamask-previews/eip-7702-internal-rpc-middleware": "0.1.0-preview-17adacd",
  "@metamask-previews/eip1193-permission-middleware": "1.0.3-preview-17adacd",
  "@metamask-previews/ens-controller": "19.0.3-preview-17adacd",
  "@metamask-previews/error-reporting-service": "3.0.1-preview-17adacd",
  "@metamask-previews/eth-block-tracker": "15.0.1-preview-17adacd",
  "@metamask-previews/eth-json-rpc-middleware": "23.1.0-preview-17adacd",
  "@metamask-previews/eth-json-rpc-provider": "6.0.0-preview-17adacd",
  "@metamask-previews/foundryup": "1.0.1-preview-17adacd",
  "@metamask-previews/gas-fee-controller": "26.0.3-preview-17adacd",
  "@metamask-previews/gator-permissions-controller": "2.0.0-preview-17adacd",
  "@metamask-previews/json-rpc-engine": "10.2.2-preview-17adacd",
  "@metamask-previews/json-rpc-middleware-stream": "8.0.8-preview-17adacd",
  "@metamask-previews/keyring-controller": "25.1.0-preview-17adacd",
  "@metamask-previews/logging-controller": "7.0.1-preview-17adacd",
  "@metamask-previews/message-manager": "14.1.0-preview-17adacd",
  "@metamask-previews/messenger": "0.3.0-preview-17adacd",
  "@metamask-previews/messenger-docs": "0.0.0-preview-17adacd",
  "@metamask-previews/multichain-account-service": "7.0.0-preview-17adacd",
  "@metamask-previews/multichain-api-middleware": "1.2.7-preview-17adacd",
  "@metamask-previews/multichain-network-controller": "3.0.4-preview-17adacd",
  "@metamask-previews/multichain-transactions-controller": "7.0.1-preview-17adacd",
  "@metamask-previews/name-controller": "9.0.0-preview-17adacd",
  "@metamask-previews/network-controller": "30.0.0-preview-17adacd",
  "@metamask-previews/network-enablement-controller": "4.1.2-preview-17adacd",
  "@metamask-previews/notification-services-controller": "22.0.0-preview-17adacd",
  "@metamask-previews/permission-controller": "12.2.0-preview-17adacd",
  "@metamask-previews/permission-log-controller": "5.0.0-preview-17adacd",
  "@metamask-previews/perps-controller": "0.0.0-preview-17adacd",
  "@metamask-previews/phishing-controller": "16.3.0-preview-17adacd",
  "@metamask-previews/polling-controller": "16.0.3-preview-17adacd",
  "@metamask-previews/preferences-controller": "22.1.0-preview-17adacd",
  "@metamask-previews/profile-metrics-controller": "3.0.1-preview-17adacd",
  "@metamask-previews/profile-sync-controller": "27.1.0-preview-17adacd",
  "@metamask-previews/ramps-controller": "10.0.0-preview-17adacd",
  "@metamask-previews/rate-limit-controller": "7.0.0-preview-17adacd",
  "@metamask-previews/remote-feature-flag-controller": "4.1.0-preview-17adacd",
  "@metamask-previews/sample-controllers": "4.0.3-preview-17adacd",
  "@metamask-previews/seedless-onboarding-controller": "8.1.0-preview-17adacd",
  "@metamask-previews/selected-network-controller": "26.0.3-preview-17adacd",
  "@metamask-previews/shield-controller": "5.0.1-preview-17adacd",
  "@metamask-previews/signature-controller": "39.0.4-preview-17adacd",
  "@metamask-previews/storage-service": "1.0.0-preview-17adacd",
  "@metamask-previews/subscription-controller": "6.0.0-preview-17adacd",
  "@metamask-previews/transaction-controller": "62.19.0-preview-17adacd",
  "@metamask-previews/transaction-pay-controller": "16.1.0-preview-17adacd",
  "@metamask-previews/user-operation-controller": "41.0.3-preview-17adacd"
}

cryptodev-2s self-assigned this Feb 22, 2026

cryptodev-2s added the no-changelog label Feb 22, 2026

cryptodev-2s force-pushed the feat/messenger-docs-site branch 4 times, most recently from 63f3188 to 7c63a0d Compare February 22, 2026 22:26

cryptodev-2s force-pushed the feat/messenger-docs-site branch 3 times, most recently from b55b682 to 980f677 Compare February 23, 2026 22:31

cryptodev-2s force-pushed the feat/messenger-docs-site branch from 980f677 to f49a7dd Compare February 24, 2026 15:09

cryptodev-2s force-pushed the feat/messenger-docs-site branch from f49a7dd to 44fb063 Compare February 24, 2026 16:22

cryptodev-2s changed the title ~~feat: add Messenger API docs site with local search~~ feat: add @metamask/messenger-docs Feb 24, 2026

cryptodev-2s changed the title ~~feat: add @metamask/messenger-docs~~ feat: add @metamask/messenger-docs Feb 24, 2026

cryptodev-2s changed the title ~~feat: add @metamask/messenger-docs~~ feat: add @metamask/messenger-docs package Feb 24, 2026

cryptodev-2s and others added 8 commits February 25, 2026 18:55

feat: add Messenger API docs site with local search

9af5f7d

Docusaurus site for browsing controller messenger actions/events, with offline search powered by docusaurus-search-local.

feat: add --client flag to generate messenger docs from client depend…

6f5169f

…ency tree

refactor: split generate-messenger-docs into modular folder structure

09b2c92

refactor: replace sync fs calls with async fs/promises

9396df8

docs: update messenger-docs README with monorepo and client usage

195a811

fix: restore eslint.config.js scripts changes

15006c5

fix: derive GitHub Pages URL from repo owner and name

17adacd

cryptodev-2s force-pushed the feat/messenger-docs-site branch from cb82c24 to 17adacd Compare February 25, 2026 17:55

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

feat: add `@metamask/messenger-docs` package#8012

feat: add `@metamask/messenger-docs` package#8012
cryptodev-2s wants to merge 8 commits intomainfrom
feat/messenger-docs-site

cryptodev-2s commented Feb 22, 2026 •

edited by atlassian bot

Loading

Uh oh!

socket-security bot commented Feb 22, 2026 •

edited

Loading

Uh oh!

socket-security bot commented Feb 22, 2026 •

edited

Loading

Uh oh!

cryptodev-2s commented Feb 23, 2026

Uh oh!

github-actions bot commented Feb 23, 2026

Uh oh!

cryptodev-2s commented Feb 24, 2026

Uh oh!

cryptodev-2s commented Feb 24, 2026

Uh oh!

cryptodev-2s commented Feb 24, 2026

Uh oh!

cryptodev-2s commented Feb 25, 2026

Uh oh!

github-actions bot commented Feb 25, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Uh oh!

Conversation

cryptodev-2s commented Feb 22, 2026 • edited by atlassian bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Explanation

Features

Core monorepo

Client projects (Extension, Mobile)

References

Checklist

Uh oh!

socket-security bot commented Feb 22, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

socket-security bot commented Feb 22, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

cryptodev-2s commented Feb 23, 2026

Uh oh!

github-actions bot commented Feb 23, 2026

Uh oh!

cryptodev-2s commented Feb 24, 2026

Uh oh!

cryptodev-2s commented Feb 24, 2026

Uh oh!

cryptodev-2s commented Feb 24, 2026

Uh oh!

cryptodev-2s commented Feb 25, 2026

Uh oh!

github-actions bot commented Feb 25, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

cryptodev-2s commented Feb 22, 2026 •

edited by atlassian bot

Loading

socket-security bot commented Feb 22, 2026 •

edited

Loading

socket-security bot commented Feb 22, 2026 •

edited

Loading