All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Fixed extension performance issues (#4853)
- Changed the c2 blocklist fetch interval from 15 minutes to 5 minutes (#4850)
- Update the phishing detector validation to drop invalid configs from detector (#4820)
- Produce and export ESM-compatible TypeScript type declaration files in addition to CommonJS-compatible declaration files (#4648)
- Previously, this package shipped with only one variant of type declaration
files, and these files were only CommonJS-compatible, and the
exportsfield inpackage.jsonlinked to these files. This is an anti-pattern and was rightfully flagged by the "Are the Types Wrong?" tool as "masquerading as CJS". All of the ATTW checks now pass.
- Previously, this package shipped with only one variant of type declaration
files, and these files were only CommonJS-compatible, and the
- Remove chunk files (#4648).
- Previously, the build tool we used to generate JavaScript files extracted common code to "chunk" files. While this was intended to make this package more tree-shakeable, it also made debugging more difficult for our development teams. These chunk files are no longer present.
- Add
getHostnameFromUrlutility function to standardize hostname extraction from URLs (#4645)
- Update
test,isBlockedRequest, andbypassmethods to use the hostname for allowlist checks instead of the full origin (#4645)- The previous approach of using the full origin had limitations in dealing with subdomains or variations in the URL structure, which could lead to inconsistent results or false negatives.
- Add allowlist functionality to the C2 domain detection system (#4464)
- Add
PhishingControllerfunctionality for blocking client-side C2 requests by managing a hashed C2 request blocklist (#4526)- Add
requestBlocklisttype toListTypes. - Add
isBlockedRequestmethod toPhishingController. - Add
isMaliciousRequestDomainmethod toPhishingDetector. - Add handling of
requestBlocklistinPhishingDetectorconfiguration. - Add logic to update and check
requestBlocklistwhen updating a stale list. - Add
sha256Hashfunction to generate SHA-256 hash of a domain.
- Add
- Define and export new types:
PhishingControllerGetStateAction,PhishingControllerStateChangeEvent,PhishingControllerEvents(#4633)
- BREAKING: Add
@noble/hashes^1.4.0as dependency (#4526) - BREAKING:: Add
ethereum-cryptography^2.1.2as dependency (#4526) - BREAKING:
PhishingControllerMessengermust allow internal events defined in thePhishingControllerEventstype (#4633) - Widen
PhishingControllerActionsto include thePhishingController:getStateaction (#4633) - Bump
@metamask/base-controllerfrom^6.0.2to^6.0.3(#4625) - Bump
@metamask/controller-utilsfrom^11.0.2to^11.1.0(#4639)
- BREAKING: Remove the Phishfort list from the PhishingController (#4621)
- Bump TypeScript version to
~5.0.4and setmoduleResolutionoption toNode16(#3645) - Bump
@metamask/base-controllerfrom^6.0.1to^6.0.2(#4544) - Bump
@metamask/controller-utilsfrom^11.0.1to^11.0.2(#4544)
- Port
PhishingDetectorfrometh-phishing-detector; add TypeScript types (#4137) - Add support for IPFS CID blocking to
PhishingDetector(#4465)
- BREAKING: Bump minimum Node version to 18.18 (#3611)
- Bump
@metamask/base-controllerto^6.0.0(#4352) - Bump
@metamask/controller-utilsto^11.0.0(#4352)
- Bump
@metamask/controller-utilsto^10.0.0(#4342)
- Update phishing detection API endpoint from
*.metafi.codefi.networkto*.api.cx.metamask.io(#4301)
- Changed Stalelist and hotlist update intervals (#4202)
- Updated the Stalelist update interval to 30 days and the hotlist update interval to 5 mins
- Bump
@metamask/controller-utilsversion to~9.1.0(#4153) - Bump TypeScript version to
~4.9.5(#4084) - Bump
@metamask/base-controllerto^5.0.2
- Fix
typesfield inpackage.json(#4047)
- BREAKING: Add ESM build (#3998)
- It's no longer possible to import files from
./distdirectly.
- It's no longer possible to import files from
- BREAKING: Bump
@metamask/base-controllerto^5.0.0(#4039)- This version has a number of breaking changes. See the changelog for more.
- Bump
@metamask/controller-utilsto^9.0.0(#4039)
- Bump
@metamask/base-controllerto^4.1.1(#3760, #3821) - Bump
@metamask/controller-utilsto^8.0.2(#3821)
- Bump
@metamask/base-controllerto^4.0.1(#3695) - Bump
@metamask/controller-utilsto^8.0.1(#3695, #3678, #3667, #3580)
- BREAKING: Bump
@metamask/base-controllerto ^4.0.0 (#2063)- This is breaking because the type of the
messengerhas backward-incompatible changes. See the changelog for this package for more.
- This is breaking because the type of the
- Bump
@metamask/controller-utilsto ^6.0.0 (#2063)
- Bump dependency on
@metamask/base-controllerto ^3.2.3 (#1747) - Bump dependency on
@metamask/controller-utilsto ^5.0.2 (#1747)
- BREAKING: Migrate
PhishingControllerto BaseControllerV2 (#1705)PhishingControllernow expects amessengeroption (and corresponding typePhishingControllerMessengeris now available)- The constructor takes a single argument, an options bag, instead of three arguments
- The
disabledconfiguration is no longer supported
- Update TypeScript to v4.8.x (#1718)
- Bump dependency on
@metamask/controller-utilsto ^5.0.0
- Bump dependency on
@metamask/base-controllerto ^3.2.1 - Bump dependency on
@metamask/controller-utilsto ^4.3.2
- BREAKING: Remove fallback phishing configuration (#1527)
- The default configuration is now blank. A custom initial configuration can still be specified via the constructor to preserve the old behavior.
- BREAKING: Bump to Node 16 (#1262)
- BREAKING: Switch to new phishing configuration API that returns a diff since the last update (#1123)
- The "hotlist" has been replaced by a service that returns any configuration changes since the last update. This should reduce network traffic even further.
- The endpoints used are now
https://phishing-detection.metafi.codefi.network/v1/stalelistandhttps://phishing-detection.metafi.codefi.network/v1/diffsSince/:lastUpdated
- BREAKING:: The phishing controller state now keeps the MetaMask and PhishFort configuration separate, allowing for proper attribution of each block (#1123)
- The
listStatestate property has been replaced with an array of phishing list state objects (one entry for MetaMask, one for PhishFort). - The PhishFort config is deduplicated server-side, so it should have zero overlap with the MetaMask configuration (which helps reduce memory/disk usage)
- The
- BREAKING: Remove
isomorphic-fetch(#1106)- Consumers must now import
isomorphic-fetchor another polyfill themselves if they are running in an environment withoutfetch
- Consumers must now import
- BREAKING: Refactor to Cost-Optimized Phishing List Data Architecture. (#1080)
- Rather than periodically downloading two separate configurations (MetaMask and Phishfort), we now download a combined "stalelist" and "hotlist". The stalelist is downloaded every 4 days, and the hotlist is downloaded every 30 minutes. The hotlist only includes data from the last 8 days, which should dramatically reduce the required network traffic for phishing config updates.
- When a site is blocked, we no longer know which list is responsible due to the combined format. We will need to come up with another way to attribute blocks to a specific list; this controller will no longer be responsible for that.
- This change includes the removal of the exports:
METAMASK_CONFIG_FILEandPHISHFORT_HOTLIST_FILE(replaced byMETAMASK_STALELIST_FILEandMETAMASK_HOTLIST_DIFF_FILE)METAMASK_CONFIG_URLandPHISHFORT_HOTLIST_URL(replaced byMETAMASK_STALELIST_URLandMETAMASK_HOTLIST_DIFF_URL)EthPhishingResponse(replaced byPhishingStalelistfor the API response andPhishingListStatefor the list in controller state, as they're now different)
- The configuration has changed:
- Instead of accepting a
refreshInterval, we now accept a separate interval for the stalelist and hotlist (stalelistRefreshIntervalandhotlistRefreshInterval)
- Instead of accepting a
- The controller state has been updated:
- The phishing list itself has been renamed from
phishingtolistState, and the shape has changed. Removing the oldphishingstate would be advised, as it will get replaced by an updated configuration immediately anyway. lastFetchedhas been replaced byhotlistLastFetchedandstalelistLastFetched. The oldlastFetchedstate can be removed as well (it never needed to be persisted anyway).
- The phishing list itself has been renamed from
- The
setRefreshIntervalmethod has been replaced bysetStalelistRefreshIntervalandsetHotlistRefreshInterval - The
isOutOfDatemethod has been replaced byisStalelistOutOfDateandisHotlistOutOfDate - The
maybeUpdatePhishingListsmethod has been replaced bymaybeUpdateState - The
updatePhishingListsmethod has been replaced byupdateStalelistandupdateHotlist
- Improve performance of phishing list update (#1086)
- We now use a
Set+hasmethod instead of the arrayincludesmethod for detecting overlap between phishing lists after an update.
- We now use a
- Add method to conditionally update the phishing lists (#986)
- Relax dependencies on
@metamask/base-controllerand@metamask/controller-utils(use^instead of~) (#998) - Expose
lastFetchedin PhishingController state (#986)
-
Initial release
-
As a result of converting our shared controllers repo into a monorepo (#831), we've created this package from select parts of
@metamask/controllersv33.0.0, namely:src/third-party/PhishingController.tssrc/third-party/PhishingController.test.ts
All changes listed after this point were applied to this package following the monorepo conversion.
-