[FEAT] Ledger Integration #5652

Closed
gantunesr wants to merge 0 commits into main from feat/ledger-integration

@gantunesr (Member) commented Jan 31, 2023

Development & PR Process

  1. Follow MetaMask Mobile Coding Standards
  2. Add release-xx label to identify the PR slated for an upcoming release (will be used in release discussion)
  3. Add needs-dev-review label when work is completed
  4. Add needs-qa label when dev review is completed
  5. Add QA Passed label when QA has signed off

Description

Write a short description of the changes included in this pull request, also include relevant motivation and context. Have in mind the following questions,
1. What is the reason for the change?
2. What is the improvement/solution?

Screenshots/Recordings

If applicable, add screenshots and/or recordings to visualize the before and after of your change

Issue

Progresses #1237
Progresses https://github.com/MetaMask/mobile-planning/issues/637

Checklist

  • There is a related GitHub issue
  • Tests are included if applicable
  • Any added code is fully documented

@gantunesr gantunesr added the team-accounts-framework Accounts team label Jan 31, 2023
@github-actions (Bot, Contributor) commented Jan 31, 2023

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

@socket-security (Bot) commented Jan 31, 2023

🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎

To accept the risk, merge this PR and you will not be notified again.

| Issue | Package | Version | Note | Source |
| --- | --- | --- | --- | --- |
| New author | @ledgerhq/metamask-keyring | 0.3.2 | | |
| No contributors or author data | @ledgerhq/metamask-keyring | 0.3.2 | | |
| New author | react-native-ble-plx | 2.0.3 | | |
| Unmaintained | react-native-ble-plx | 2.0.3 | Last Publish: 11/4/2021, 12:40:59 PM | |
| No contributors or author data | @ledgerhq/react-native-hw-transport-ble | 6.28.0 | | |
| No bug tracker | @metamask/browser-passworder | 4.1.0 | | |

Next steps

What is new author?

A new npm collaborator published a version of the package for the first time. New collaborators are usually benign additions to a project, but do indicate a change to the security surface area of a package.

Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Why is contributor and author data important?

Package does not specify a list of contributors or an author in package.json.

Add an author field or contributors array to package.json.

What are unmaintained packages?

Package has not been updated in more than a year and may be unmaintained. Problems with the package may go unaddressed.

Package should publish periodic maintenance releases if they are maintained, or deprecate if they have no intention of further maintenance.

Why are bug trackers important?

Package does not have a linked bug tracker in package.json.

Add a bugs field to package.json. https://docs.npmjs.com/cli/v8/configuring-npm/package-json#bugs

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@* or ignore all packages with @SocketSecurity ignore-all

  • @SocketSecurity ignore @ledgerhq/metamask-keyring@0.3.2
  • @SocketSecurity ignore react-native-ble-plx@2.0.3
  • @SocketSecurity ignore @ledgerhq/react-native-hw-transport-ble@6.28.0
  • @SocketSecurity ignore @metamask/browser-passworder@4.1.0
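
The four alert types explained in the bot comment above can be reproduced from package metadata alone. The following is an added example, not Socket's implementation and not code from this PR: the record shape, the `auditPackage` name, the alert labels and the reading of "new author" (latest publisher absent from all earlier releases) are assumptions, and the sample package is constructed.

```javascript
// Added example, not Socket's implementation. Assumed record shape:
// { manifest: <package.json object>, releases: [{ version, publisher, published }] }
const YEAR_MS = 365 * 24 * 60 * 60 * 1000;

function auditPackage(record, now) {
  const { manifest, releases } = record;
  const alerts = [];
  // Order releases by publish time so "latest" and "earlier" are well defined.
  const sorted = [...releases].sort(
    (a, b) => Date.parse(a.published) - Date.parse(b.published));
  const latest = sorted[sorted.length - 1];
  if (latest) {
    // New author: whoever published the latest release published none before it.
    const earlier = sorted.slice(0, -1);
    if (earlier.length > 0 && !earlier.some((r) => r.publisher === latest.publisher)) {
      alerts.push('new-author');
    }
    // Unmaintained: more than a year since the last publish.
    if (now.getTime() - Date.parse(latest.published) > YEAR_MS) {
      alerts.push('unmaintained');
    }
  }
  // No contributors or author data: neither field is usable in package.json.
  const hasContributors =
    Array.isArray(manifest.contributors) && manifest.contributors.length > 0;
  if (!manifest.author && !hasContributors) alerts.push('no-author-data');
  // No bug tracker: package.json has no "bugs" field.
  if (!manifest.bugs) alerts.push('no-bug-tracker');
  return alerts;
}

// Constructed sample: names and earlier releases are invented for illustration.
// The last-publish timestamp mirrors the one quoted in the table above.
const SAMPLE = {
  manifest: { name: 'example-ble-lib', version: '2.0.3', contributors: [] },
  releases: [
    { version: '2.0.1', publisher: 'alice', published: '2020-06-01T00:00:00Z' },
    { version: '2.0.2', publisher: 'alice', published: '2021-01-15T00:00:00Z' },
    { version: '2.0.3', publisher: 'bob', published: '2021-11-04T12:40:59Z' },
  ],
};
const REVIEW_DATE = new Date('2023-01-31T00:00:00Z'); // date of the bot comment

console.log(auditPackage(SAMPLE, REVIEW_DATE));
```

Passing the review date explicitly keeps the staleness check reproducible when the audit is re-run later.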

@montelaidev (Contributor) commented

I have read the CLA Document and I hereby sign the CLA

@gantunesr gantunesr marked this pull request as ready for review February 16, 2023 12:42
@gantunesr gantunesr requested a review from a team as a code owner February 16, 2023 12:42
Comment thread package.json Outdated
"@metamask/contract-metadata": "^2.1.0",
"@metamask/controller-utils": "^1.0.0",
"@metamask/design-tokens": "^1.9.0",
"@metamask/eth-sig-util": "^5.0.2",
Member Author

Revert before merge

@edsonayllon commented

I've been looking forward to this!

No reviews?

@gantunesr (Member, Author) commented

Hey @edsonayllon! We're working on fixing an issue that's currently a blocker for the Ledger integration on MetaMask mobile. Sadly, this was a dependency problem with our current version of RN that we hope to fix asap and carry on with the development and testing of the feature.

@plasmacorral plasmacorral removed the QA in Progress QA has started on the feature. label Apr 18, 2023
@bertho-zero commented

Hey @gantunesr! What is blocking? Can we have more details about this?

@gantunesr (Member, Author) commented

Hi @bertho-zero, the blocker is related to our current RN version, which the team is working on solving right now. The blocker should be resolved once the app is updated to the latest version of RN. Thank you for the patience!

@gantunesr (Member, Author) commented

This development is blocked by #6220

@gantunesr gantunesr force-pushed the feat/ledger-integration branch from 6d444d7 to 47fff34 Compare July 13, 2023 04:21
@socket-security (Bot) commented Jul 14, 2023

New, updated, and removed dependencies detected. Learn more about Socket for GitHub ↗︎

| Packages | Version | New capabilities | Transitives | Size | Publisher |
| --- | --- | --- | --- | --- | --- |
| @metamask/eth-keyring-controller | 10.0.1 | None | +6 | 644 kB | metamaskbot |
| @ledgerhq/metamask-keyring | 0.3.2 | None | +7 | 7.21 MB | gre |
| @metamask/message-manager | 1.0.2 | None | +1 | 197 kB | metamaskbot |
| @metamask/scure-bip39 | 2.1.0 | None | +0 | 174 kB | metamaskbot |
| react-native-ble-plx | 2.0.3 | None | +0 | 353 kB | srgtuszy |
| @ledgerhq/react-native-hw-transport-ble | 6.28.0 | None | +5 | 883 kB | sergii-shkolin |
| react-native-permissions | 3.7.3 | None | +0 | 432 kB | zoontek |
| typescript | 4.4.2 | None | +0 | 62.7 MB | typescript-bot |
| @metamask/eth-sig-util | 4.0.1...6.0.0 | None | +0/-0 | 150 kB | metamaskbot |
| ethers | 5.7.0...5.7.1 | None | +3/-1 | 12.1 MB | ricmoo |

🚮 Removed packages: @metamask/keyring-controller@1.0.1

@gantunesr gantunesr marked this pull request as draft August 4, 2023 13:09
@gantunesr gantunesr closed this Aug 4, 2023
@github-actions github-actions Bot locked and limited conversation to collaborators Aug 4, 2023
@gantunesr gantunesr reopened this Aug 4, 2023
@igorms-cons igorms-cons force-pushed the feat/ledger-integration branch from 3679871 to ddda0fd Compare August 21, 2023 13:26
6 participants