Skip to content

feat(ramps-controller): Transak native order status via Pusher#9541

Open
georgeweiler wants to merge 2 commits into
mainfrom
feat/transak-native-order-websockets
Open

feat(ramps-controller): Transak native order status via Pusher#9541
georgeweiler wants to merge 2 commits into
mainfrom
feat/transak-native-order-websockets

Conversation

@georgeweiler

Copy link
Copy Markdown
Contributor

Summary

  • Subscribe pending Transak Native (transak-native / transak-native-staging) orders to Transak's public Pusher order-ID channels for real-time status wake-ups
  • On each ORDER_* event, debounce and call existing #refreshOrder so status stays normalized by the MetaMask on-ramp API
  • Skip HTTP polling for subscribed native orders while Pusher is connected; fall back to the existing 30s poller when disconnected
  • Add pusher-js, export isTransakNativeProvider / createPusherTransakOrderUpdatesClient, and bump @metamask/ramps-controller to 17.1.0

Test plan

  • yarn workspace @metamask/ramps-controller test (100% coverage)
  • Manual: create a pending Transak Native deposit order and confirm status advances without waiting for the 30s poll interval
  • Manual: disconnect network / kill Pusher and confirm HTTP polling still updates the order
  • Confirm aggregator (non-native) orders still poll over HTTP only

Made with Cursor

Use Transak public order-ID Pusher channels as wake-ups for pending
transak-native orders, then refresh normalized status through the
MetaMask on-ramp API. Keep HTTP polling as fallback when disconnected.

Co-authored-by: Cursor <cursoragent@cursor.com>
@georgeweiler
georgeweiler requested review from a team as code owners July 16, 2026 12:16
Co-authored-by: Cursor <cursoragent@cursor.com>
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addedpusher-js@​8.5.08710010084100

View full report

@socket-security

Copy link
Copy Markdown

Caution

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action Severity Alert  (click "▶" to expand/collapse)
Block High
Obfuscated code: npm pusher-js is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: packages/ramps-controller/package.jsonnpm/pusher-js@8.5.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/pusher-js@8.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm pusher-js in module http

Module: http

Location: Package overview

From: packages/ramps-controller/package.jsonnpm/pusher-js@8.5.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/pusher-js@8.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm pusher-js in module https

Module: https

Location: Package overview

From: packages/ramps-controller/package.jsonnpm/pusher-js@8.5.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/pusher-js@8.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm pusher-js in module net

Module: net

Location: Package overview

From: packages/ramps-controller/package.jsonnpm/pusher-js@8.5.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/pusher-js@8.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm pusher-js in module tls

Module: tls

Location: Package overview

From: packages/ramps-controller/package.jsonnpm/pusher-js@8.5.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/pusher-js@8.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
System shell access: npm pusher-js in module child_process

Module: child_process

Location: Package overview

From: packages/ramps-controller/package.jsonnpm/pusher-js@8.5.0

ℹ Read more on: This package | This alert | What is shell access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/pusher-js@8.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 2 potential issues.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 7b354a1. Configure here.

this.#transakOrderUpdates.destroy();
this.#transakOrderUpdates = null;
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

getOrder skips Pusher subscribe

High Severity

getOrder merges pending Transak Native orders into controller state but never calls the Transak Pusher subscribe helper, unlike addOrder. If order polling is already running, startOrderPolling will not run #ensureTransakOrderSubscriptions again, so those orders never join a Pusher channel and only advance on the 30s HTTP poll.

Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 7b354a1. Configure here.

}
});

this.#maybeSubscribeTransakOrder(healedOrder);

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Terminal updates leave Pusher subscribed

Medium Severity

When a Transak Native order moves to a terminal status via addOrder or getOrder, #maybeSubscribeTransakOrder returns early and does not tear down an existing Pusher subscription. Only #refreshOrder calls #unsubscribeTransakOrder on terminal status, so terminal orders updated outside that path can keep channel listeners until stopOrderPolling.

Additional Locations (1)
Fix in Cursor Fix in Web

Reviewed by Cursor Bugbot for commit 7b354a1. Configure here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant