Skip to content

Add CLI tool for asset management and improve documentation#1715

Open
drqsatoshi wants to merge 6 commits intoMetaMask:masterfrom
drqsatoshi:mh/add-cli-to-update-tokens
Open

Add CLI tool for asset management and improve documentation#1715
drqsatoshi wants to merge 6 commits intoMetaMask:masterfrom
drqsatoshi:mh/add-cli-to-update-tokens

Conversation

@drqsatoshi
Copy link

@drqsatoshi drqsatoshi commented Feb 5, 2026
edited by cursor bot
Loading

Introduce a CLI tool for managing CAIP-19 contract metadata and icons, along with comprehensive documentation. This update also includes bug fixes and tests to ensure functionality, such as verifying asset integrity and handling image format changes.

Note

Medium Risk
Introduces new filesystem- and network-touching CLI behavior (downloading/writing/removing asset files) plus new dependency (zod), which could affect contributor workflows if edge cases aren’t handled.

Overview
Adds a new cli-update-asset.js command-line tool to create/update, verify, and list CAIP-19 assets, including downloading icons from URLs, validating metadata with zod, and cleaning up stale icon files when formats change.

Updates package.json with asset:* scripts and adds tests covering icon replacement and verify robustness, plus expands documentation in README.md and adds AI instruction pointers (.cursorrules, CLAUDE.md, .github/copilot-instructions.md).

Written by Cursor Bugbot for commit a11139b. This will update automatically on new commits. Configure here.

blurpesec and others added 6 commits February 2, 2026 14:25
@blurpesec
feat: added a cli tool and docs for use in editing the files
aec27ec
@blurpesec
chore: updated to patch claude
88324e0
@blurpesec
fix: patched bugs
1749406
@blurpesec
feat: added cursor rules
08930a0
@drqsatoshi
Add tests for asset management in CLI
53dcf2a 
- Implemented a test to ensure that the old icon is removed when the asset's image format changes from PNG to SVG.
- Added a test to verify that the CLI does not crash when the metadata.logo field is missing.
- Included cleanup logic to remove temporary files and directories created during tests.
@drqsatoshi
cli
a11139b
@drqsatoshi drqsatoshi requested review from a team and MRabenda as code owners February 5, 2026 19:52
@socket-security
Copy link

socket-security bot commented Feb 5, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addedzod@​4.3.610010010095100

View full report

@socket-security
Copy link

socket-security bot commented Feb 5, 2026

Caution

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action Severity Alert  (click "▶" to expand/collapse)
Block Medium
Network access: npm @types/node in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: ?npm/ethereumjs-util@5.2.1npm/@types/node@25.2.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@types/node@25.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm zod is 100.0% likely to have a medium risk anomaly

Notes: No explicit network exfiltration, reverse shell, or credential theft is present in this fragment. However, the code assembles and compiles arbitrary code via the Function constructor and invokes passed-in functions immediately (twice). That behavior constitutes a strong dangerous primitive (arbitrary code execution) which can be abused if any inputs (strings or args) are attacker-controlled. Treat this module as risky in threat models where inputs are not fully trusted; review call sites and sanitize/validate inputs or avoid dynamic evaluation.

Confidence: 1.00

Severity: 0.60

From: package.jsonnpm/zod@4.3.6

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/zod@4.3.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

cursor[bot]
cursor bot reviewed Feb 5, 2026
View reviewed changes
Copy link

@cursor cursor bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

cli-update-asset.js
const CAIP19Schema = z.string().regex(
/^[-a-z0-9]{3,8}:[-a-zA-Z0-9]{1,32}\/[-a-z0-9]{3,8}:[a-zA-Z0-9]+$/,
'Invalid CAIP-19 format. Expected: namespace:chainId/assetNamespace:assetReference'
);
Copy link

@cursor cursor bot Feb 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CAIP-19 regex rejects valid asset references with hyphens

Medium Severity

The CAIP19Schema regex uses [a-zA-Z0-9]+ for the asset reference segment, but the CAIP-19 specification defines asset references as [-a-zA-Z0-9]{1,64}. The regex is missing the hyphen character class and the max-length constraint. This causes the tool to reject valid CAIP-19 identifiers whose asset references contain hyphens, which some chain ecosystems may use. The fix would be changing the trailing segment to [-a-zA-Z0-9]{1,64}.

Fix in Cursor Fix in Web

Copy link
Author

@drqsatoshi drqsatoshi Feb 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ooooo this is why Regex is hard. trailing commas, trailing egements.... segmentation faults suck.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cursor cursor[bot] cursor[bot] left review comments

@MRabenda MRabenda Awaiting requested review from MRabenda MRabenda is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@drqsatoshi @blurpesec