[DO NOT MERGE]

[cmd-ob]

Description

This PR introduces an E2E test selection system that uses AI to analyse files changed and automatically run only the most relevant smoke tests, reducing CI time.

How It Works

1. Label your PR with ai-e2e, ai-e2e-ios, or ai-e2e-android
2. AI analyses your code changes and selects appropriate test tags
3. Tests run automatically on the selected platforms with optimal job splitting
4. Results posted back to the PR with detailed analysis

Key Features

• 🤖 AI-powered selection - Claude AI analyses diffs and recommends test tags
• 🎯 Risk assessment - Categorises changes as low/medium/high risk
• ⚡ Faster CI - Only runs relevant tests instead of full smoke suite
• 📊 Smart splitting - Automatically distributes tests across parallel jobs
• 📱 Platform support - Runs on iOS, Android, or both

Usage

For PRs:

Label: ai-e2e          # Both platforms
Label: ai-e2e-ios      # iOS only
Label: ai-e2e-android  # Android only
Label: ai-e2e-analysis # Analysis only - no builds or test

For local testing:

yarn ai-e2e --verbose  # See AI reasoning
yarn ai-e2e --output json  # Machine-readable

See ai-e2e-testing.md for complete details.

Changelog

CHANGELOG entry:

Related issues

Fixes:

Manual testing steps

Feature: my feature name

  Scenario: user [verb for user action]
    Given [describe expected initial app state]

    When user [verb for user action]
    Then [describe expected outcome]

Screenshots/Recordings

Before

After

Pre-merge author checklist

• I’ve followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
• I've completed the PR template to the best of my ability
• I’ve included tests if applicable
• I’ve documented my code using JSDoc format if applicable
• I’ve applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​@​types/​react-native@​0.70.13 ⏵ 0.73.0			-40
	npm/​@​types/​easy-table@​1.2.0 ⏵ 1.2.3	+1
	npm/​@​esbuild/​aix-ppc64@​0.25.10
	npm/​@​esbuild/​openbsd-arm64@​0.25.10
	npm/​@​esbuild/​netbsd-arm64@​0.25.10
	npm/​@​unrs/​resolver-binding-android-arm-eabi@​1.11.1
	npm/​@​unrs/​resolver-binding-android-arm64@​1.11.1
	npm/​@​unrs/​resolver-binding-darwin-arm64@​1.11.1
	npm/​@​unrs/​resolver-binding-darwin-x64@​1.11.1
	npm/​@​unrs/​resolver-binding-freebsd-x64@​1.11.1
	npm/​@​unrs/​resolver-binding-linux-arm-gnueabihf@​1.11.1
	npm/​@​unrs/​resolver-binding-linux-arm-musleabihf@​1.11.1
	npm/​@​unrs/​resolver-binding-linux-arm64-gnu@​1.11.1
	npm/​@​unrs/​resolver-binding-linux-arm64-musl@​1.11.1
	npm/​@​unrs/​resolver-binding-linux-ppc64-gnu@​1.11.1
	npm/​@​unrs/​resolver-binding-linux-riscv64-gnu@​1.11.1
	npm/​@​unrs/​resolver-binding-linux-riscv64-musl@​1.11.1
	npm/​@​unrs/​resolver-binding-linux-s390x-gnu@​1.11.1
	npm/​@​unrs/​resolver-binding-linux-x64-gnu@​1.11.1
	npm/​@​unrs/​resolver-binding-linux-x64-musl@​1.11.1
	npm/​@​unrs/​resolver-binding-win32-arm64-msvc@​1.11.1
	npm/​@​unrs/​resolver-binding-win32-ia32-msvc@​1.11.1
	npm/​@​unrs/​resolver-binding-win32-x64-msvc@​1.11.1
	npm/​@​swc/​core-darwin-x64@​1.3.95 ⏵ 1.13.5	+1		+4	+2
	npm/​@​swc/​core-win32-x64-msvc@​1.3.95 ⏵ 1.13.5	+1		+4	+2
	npm/​@​swc/​core-linux-x64-gnu@​1.3.95 ⏵ 1.13.5	+1		+4	+2
	npm/​@​swc/​core-linux-x64-musl@​1.3.95 ⏵ 1.13.5	+1		+4	+2
	npm/​@​swc/​core-win32-ia32-msvc@​1.3.95 ⏵ 1.13.5	+1		+4	+2
	npm/​@​swc/​core-linux-arm-gnueabihf@​1.3.95 ⏵ 1.13.5	+1		+4	+2
	npm/​@​swc/​core-darwin-arm64@​1.3.95 ⏵ 1.13.5	+1		+4	+2
	npm/​@​swc/​core-linux-arm64-gnu@​1.3.95 ⏵ 1.13.5	+1		+4	+2
	npm/​@​swc/​core-linux-arm64-musl@​1.3.95 ⏵ 1.13.5	+1		+4	+2
See 968 more rows in the dashboard

View full report

[socket-security]

Caution

MetaMask internal reviewing guidelines:

• Do not ignore-all
• Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
• Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
  @SocketSecurity ignore npm/PACKAGE@VERSION

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		npm/@browserstack/ai-sdk-node@1.5.9 has Obfuscated code. Confidence: 1.00 Location: Package overview From: yarn.lock → npm/@browserstack/ai-sdk-node@1.5.9 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@browserstack/ai-sdk-node@1.5.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/ripemd160@2.0.3 has Unstable ownership. Author: ljharb From: yarn.lock → npm/ripemd160@2.0.3 ℹ Read more on: This package | This alert | What is unstable ownership? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ripemd160@2.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/@browserstack/ai-sdk-node@1.5.9 has Network access. Module: globalThis["fetch"] Location: Package overview From: yarn.lock → npm/@browserstack/ai-sdk-node@1.5.9 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@browserstack/ai-sdk-node@1.5.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/@emnapi/core@1.5.0 has Network access. Module: globalThis["fetch"] Location: Package overview From: yarn.lock → npm/@emnapi/core@1.5.0 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/core@1.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/@expo/sudo-prompt@9.3.2 has Shell access. Module: child_process Location: Package overview From: yarn.lock → npm/@expo/sudo-prompt@9.3.2 ℹ Read more on: This package | This alert | What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@expo/sudo-prompt@9.3.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/@firebase/ai@1.4.1 has Network access. Module: globalThis["fetch"] Location: Package overview From: yarn.lock → npm/@firebase/ai@1.4.1 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@firebase/ai@1.4.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/@firebase/util@1.12.1 has Network access. Module: globalThis["fetch"] Location: Package overview From: yarn.lock → npm/@firebase/util@1.12.1 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@firebase/util@1.12.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/@percy/sdk-utils@1.31.2 has Network access. Module: https Location: Package overview From: yarn.lock → npm/@percy/sdk-utils@1.31.2 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@percy/sdk-utils@1.31.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/@percy/sdk-utils@1.31.2 has Network access. Module: http Location: Package overview From: yarn.lock → npm/@percy/sdk-utils@1.31.2 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@percy/sdk-utils@1.31.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/@tybys/wasm-util@0.10.1 has Network access. Module: globalThis["fetch"] Location: Package overview From: yarn.lock → npm/@tybys/wasm-util@0.10.1 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tybys/wasm-util@0.10.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/@unrs/resolver-binding-wasm32-wasi@1.11.1 has Network access. Module: globalThis["fetch"] Location: Package overview From: yarn.lock → npm/@unrs/resolver-binding-wasm32-wasi@1.11.1 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@unrs/resolver-binding-wasm32-wasi@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/crossws@0.3.5 has Network access. Module: globalThis["fetch"] Location: Package overview From: yarn.lock → npm/crossws@0.3.5 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/crossws@0.3.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/napi-postinstall@0.3.3 has Network access. Module: globalThis["fetch"] Location: Package overview From: yarn.lock → npm/napi-postinstall@0.3.3 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/napi-postinstall@0.3.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/on-headers@1.1.0 has Network access. Module: http Location: Package overview From: yarn.lock → npm/on-headers@1.1.0 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/on-headers@1.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/secp256k1@4.0.4 has Native code. Location: Package overview From: yarn.lock → npm/eciesjs@0.3.21 → npm/secp256k1@4.0.4 ℹ Read more on: This package | This alert | Why is native code a concern? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/secp256k1@4.0.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/unrs-resolver@1.11.1 has Shell access. Module: child_process Location: Package overview From: yarn.lock → npm/unrs-resolver@1.11.1 ℹ Read more on: This package | This alert | What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/unrs-resolver@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/@lavamoat/git-safe-dependencies@0.2.2 has a New author. New Author: naugtur Previous Author: lmbot From: package.json → npm/@lavamoat/git-safe-dependencies@0.2.2 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@lavamoat/git-safe-dependencies@0.2.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/@storybook/addon-controls@7.6.20 has a New author. New Author: valentinpalkovic Previous Author: shilman From: package.json → npm/@storybook/addon-controls@7.6.20 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@storybook/addon-controls@7.6.20. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/@storybook/blocks@7.6.20 has a New author. New Author: valentinpalkovic Previous Author: shilman From: yarn.lock → npm/@storybook/blocks@7.6.20 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@storybook/blocks@7.6.20. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/@storybook/builder-webpack5@7.6.20 has a New author. New Author: valentinpalkovic Previous Author: shilman From: package.json → npm/@storybook/builder-webpack5@7.6.20 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@storybook/builder-webpack5@7.6.20. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/@storybook/channels@7.6.20 has a New author. New Author: valentinpalkovic Previous Author: shilman From: yarn.lock → npm/@storybook/channels@7.6.20 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@storybook/channels@7.6.20. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/@storybook/client-logger@7.6.20 has a New author. New Author: valentinpalkovic Previous Author: shilman From: yarn.lock → npm/@storybook/client-logger@7.6.20 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@storybook/client-logger@7.6.20. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/@storybook/components@7.6.20 has a New author. New Author: valentinpalkovic Previous Author: shilman From: yarn.lock → npm/@storybook/components@7.6.20 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@storybook/components@7.6.20. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/@storybook/core-common@7.6.20 has a New author. New Author: valentinpalkovic Previous Author: shilman From: yarn.lock → npm/@storybook/core-common@7.6.20 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@storybook/core-common@7.6.20. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/@storybook/core-events@7.6.20 has a New author. New Author: valentinpalkovic Previous Author: shilman From: yarn.lock → npm/@storybook/core-events@7.6.20 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@storybook/core-events@7.6.20. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		npm/@storybook/core-webpack@7.6.20 has a New author. New Author: valentinpalkovic Previous Author: shilman From: yarn.lock → npm/@storybook/core-webpack@7.6.20 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@storybook/core-webpack@7.6.20. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
See 42 more rows in the dashboard

Ignoring alerts on:

• npm/@anthropic-ai/sdk@0.62.0

View full report

[github-actions]

Bitrise

❌❌❌ pr_smoke_e2e_pipeline failed on Bitrise! ❌❌❌

Commit hash: 6d1a021
Build link: https://app.bitrise.io/app/be69d4368ee7e86d/pipelines/6c275afb-4c7a-46e8-8965-07af1811b286

Note

• You can rerun any failed steps by opening the Bitrise build, tapping Rebuild on the upper right then Rebuild unsuccessful Workflows
• You can kick off another pr_smoke_e2e_pipeline on Bitrise by removing and re-applying the run-ios-e2e-smoke label on the pull request

Tip

• Check the documentation if you have any doubts on how to understand the failure on bitrise

[github-actions]

🤖 Smart E2E Test Analysis ⏸️

Risk Level: high | Selected Tags: SmokeAccounts, SmokeConfirmations, SmokeConfirmationsRedesigned, SmokeIdentity, SmokeNetworkAbstractions, SmokeNetworkExpansion, SmokeTrade, SmokeWalletPlatform

Final Results:

• iOS Jobs: 0 (Result: skipped)
• Android Jobs: 20 (Result: cancelled)
• Total CI Jobs: 20
• Overall Status: Cancelled

Platform Configuration:

• iOS enabled: false
• Android enabled: true

⏸️ View complete workflow run • Smart E2E AI Selection

[github-actions]

🔍 AI E2E Analysis Report

Risk Level: high | Selected Tags: SmokeAccounts, SmokeConfirmations, SmokeConfirmationsRedesigned, SmokeIdentity, SmokeNetworkAbstractions, SmokeNetworkExpansion, SmokeTrade, SmokeWalletPlatform

🤖 AI Analysis:

Dependency changes (yarn.lock/package.json) detected with 314 total files changed including critical core infrastructure (app/core/, app/store/, app/reducers/), confirmation flows, account management, network handling, and extensive UI components. The scale and breadth of changes across multiple functional areas warrants running all smoke test tags to ensure system stability.

📊 Analysis Results:

• Mode: Analysis-Only ✅ (no builds or tests)
• Confidence: 95%

🔍 View complete analysis • Analysis completed successfully

[cursor]

Bug: Hook Placement Causes Infinite Re-renders

Moving the setDestToken dispatch calls from useEffect directly into the useInitialDestToken hook body causes them to execute on every render. This can lead to infinite re-renders and performance issues.