chore(runway): cherry-pick chore: cp-8.0.0 bump transaction-controller to 68.1.0 and transaction-pay-controller to 23.13.0

[runway-github]

• chore: cp-8.0.0 bump transaction-controller to 68.1.0 and transaction-pay-controller to 23.13.0 (chore: cp-8.0.0 bump transaction-controller to 68.1.0 and transaction-pay-controller to 23.13.0 #32080)

Description

Bumps @metamask/transaction-controller from 68.0.1 to 68.1.0 and
@metamask/transaction-pay-controller from 23.9.0 to 23.13.0.

The lockfile picks up tighter transitive requirements from the new Pay
controller version (@metamask/assets-controllers@109.2.0,
@metamask/ramps-controller@14.3.0) and dedupes them against the
existing direct ranges, leaving a single resolved version for each.

Changelog

CHANGELOG entry: null

Related issues

Fixes:

Manual testing steps

N/A

Screenshots/Recordings

N/A

Before

After

Pre-merge author checklist

• I've followed MetaMask Contributor
  Docs and MetaMask Mobile
  Coding
  Standards.
• I've completed the PR template to the best of my ability
• I've included tests if applicable
• I've documented my code using JSDoc format
  if applicable
• I've applied the right labels on the PR (see labeling
  guidelines).
  Not required for external contributors.

Performance checks (if applicable)

• I've tested on Android
  • Ideally on a mid-range device; emulator is acceptable
• I've tested with a power user scenario
• Use these power-user
  SRPs
  to import wallets with many accounts and tokens
• I've instrumented key operations with Sentry traces for production
  performance metrics
• See trace() for usage and
  addToken
  for an example

For performance guidelines and tooling, see the Performance
Guide.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the
  app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described
  in the ticket it closes and includes the necessary testing evidence such
  as recordings and or screenshots.

---

Note

Medium Risk
Patch/minor bumps on transaction and pay controllers affect core
send/confirm and pay-token flows at runtime, though the diff is
lockfile-only with no local code changes.

Overview
Dependency-only update for the 8.0.0 line: bumps
@metamask/transaction-controller from 68.0.1 to 68.1.0 and
@metamask/transaction-pay-controller from 23.9.0 to
23.13.0 in package.json (direct deps and the resolutions pin
for transaction-controller).

yarn.lock refreshes so Pay’s newer transitive ranges resolve to
@metamask/assets-controllers@109.2.0,
@metamask/ramps-controller@14.3.0, and aligned
keyring-controller / profile-sync-controller versions,
deduped with existing direct ranges. No application source changes in
this PR.

^{Reviewed by Cursor Bugbot for commit
fbd7364. Bugbot is set up for automated
code reviews on this repo. Configure
here.}

[f6fb465](https://github.com/MetaMask/metamask-mobile/commit/f6fb4653e236460876da0395424438f477d9d6c3)

[github-actions]

🔍 Smart E2E Test Selection

⏭️ Smart E2E selection skipped - PR targets a release or stable branch (release/* or stable)

All E2E tests pre-selected.

View GitHub Actions results

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​@​metamask/​ramps-controller@​14.2.0 ⏵ 14.3.0	+1		+1	+1
	npm/​@​metamask/​transaction-pay-controller@​23.9.0 ⏵ 23.13.0	+1		+1	+1
	npm/​@​metamask/​transaction-controller@​68.0.1 ⏵ 68.1.0			+1
	npm/​@​metamask/​assets-controllers@​109.1.0 ⏵ 109.2.0	+1		+1	+1

View full report

[socket-security]

Warning

MetaMask internal reviewing guidelines:

• Do not ignore-all
• Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
• Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
  @SocketSecurity ignore npm/PACKAGE@VERSION

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Potential code anomaly (AI signal): npm @metamask/transaction-controller is 75.0% likely to have a medium risk anomaly Notes: The code performs straightforward signature verification using ethers.js, returning true when the recovered signer matches the provided publicKey. While generally safe, the silent catch and potential mismatch between data formatting and signing process should be addressed to avoid silent failures. Overall, a benign utility with moderate input-format sensitivity. Confidence: 0.75 Severity: 0.50 From: package.json → npm/@metamask/transaction-controller@68.1.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/transaction-controller@68.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud