chore: bump lint plugins and resolve floating-version fallout

[cryptodev-2s]

Explanation

PR #8012 (feat/messenger-docs-site) originally carried scoped resolutions for eslint-plugin-import-x, eslint-plugin-n, eslint-import-resolver-typescript, and prettier. Investigating those (per r3326274335) showed they weren't resolving a transitive-dep conflict — yarn why confirms each is consumed only by the root workspace. They existed purely to prevent the lockfile from drifting forward to plugin versions that the codebase hadn't been cleaned against. #8012 has since dropped them.

This PR is the follow-up: bump those plugins to the latest versions matching their (newly-widened) semver ranges and fix the two pre-existing lint issues the newer plugins surface, so the lockfile can stay current without the workaround resolutions ever coming back:

• eslint-plugin-import-x: 4.6.1 → ^4.16.2
• eslint-plugin-n: 17.15.1 → ^18.0.1
• eslint-import-resolver-typescript: 3.10.1 → ^4.4.4
• prettier: 3.4.2 → ^3.8.3

Lint fallout fixed

• eslint.config.mjs: import.meta.dirname is only stable in Node 22.16+/24+, but the repo's engines field is ^18.18 || >=20. eslint-plugin-n@18's no-unsupported-features rule catches this. Resolve the config dir through dirname(fileURLToPath(import.meta.url)) so the config works across the supported Node range.
• packages/chain-agnostic-permission/src/scope/constants.ts: eslint-plugin-import-x@4.16 enables no-named-as-default by default. @metamask/api-specs exports MetaMaskOpenRPCDocument as both a named export and the default; switch to the named-import form so the reference is unambiguous.
• packages/messenger-cli/package.json: yarn constraints --fix rolled its prettier range forward to match the new root range.

Shipped separately

Two import-x/no-extraneous-dependencies violations that surface under the bumped plugins were extracted into their own PRs and have already merged:

• chore(react-data-query): declare @metamask/messenger as a devDep #8971 declared @metamask/messenger on react-data-query (devDep)
• chore(transaction-pay-controller): declare @metamask/keyring-controller as a dependency #8972 declared @metamask/keyring-controller on transaction-pay-controller (runtime dep)

References

• Companion feat: add @metamask/platform-api-docs package #8012 — already dropped its scoped resolutions in bb6d436d5; this PR keeps the lockfile from drifting back to versions that need them
• Companion chore(typescript): bump eslint-import-resolver-typescript peer to ^4.4.4 eslint-config#444 — widens shared-config peer for eslint-import-resolver-typescript to ^4.0.0 so consumers using @metamask/eslint-config-typescript don't see a peer-dep mismatch

Checklist

• I've updated the test suite for new or updated code as appropriate
• I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
• I've communicated my changes to consumers by updating changelogs for packages I've changed — N/A, no consumer-facing package surface changed
• I've introduced breaking changes in this PR and have prepared draft pull requests for clients and consumer packages to resolve them — N/A

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	eslint-plugin-import-x@​4.6.1 ⏵ 4.16.2			+1
	prettier@​3.4.2 ⏵ 3.8.3	+1		+1
	eslint-import-resolver-typescript@​3.7.0 ⏵ 4.4.4	+1
	semver@​7.7.4 ⏵ 7.8.1	+1		+1
	eslint-plugin-n@​17.15.1 ⏵ 18.0.1

View full report

[socket-security]

Caution

MetaMask internal reviewing guidelines:

• Do not ignore-all
• Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
• Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
  @SocketSecurity ignore npm/PACKAGE@VERSION

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Network access: npm @emnapi/core in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: ? → npm/eslint-plugin-import-x@4.16.2 → npm/eslint-import-resolver-typescript@4.4.4 → npm/@emnapi/core@1.10.0 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/core@1.10.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm @tybys/wasm-util in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: ? → npm/eslint-plugin-import-x@4.16.2 → npm/eslint-import-resolver-typescript@4.4.4 → npm/@tybys/wasm-util@0.10.2 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tybys/wasm-util@0.10.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm napi-postinstall in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: ? → npm/eslint-plugin-import-x@4.16.2 → npm/eslint-import-resolver-typescript@4.4.4 → npm/napi-postinstall@0.3.4 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/napi-postinstall@0.3.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		System shell access: npm unrs-resolver in module child_process Module: child_process Location: Package overview From: ? → npm/eslint-plugin-import-x@4.16.2 → npm/eslint-import-resolver-typescript@4.4.4 → npm/unrs-resolver@1.12.2 ℹ Read more on: This package | This alert | What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/unrs-resolver@1.12.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Install-time scripts: npm unrs-resolver during postinstall Install script: postinstall Source: node postinstall.js From: ? → npm/eslint-plugin-import-x@4.16.2 → npm/eslint-import-resolver-typescript@4.4.4 → npm/unrs-resolver@1.12.2 ℹ Read more on: This package | This alert | What is an install script? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/unrs-resolver@1.12.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm @emnapi/core is 100.0% likely to have a medium risk anomaly Notes: No explicit evidence of overt malware (network exfiltration, credential theft, backdoors, or filesystem/process activity) appears in this fragment. However, the module contains high-sensitivity dynamic execution capabilities: napi_run_script performs eval-like execution of a JavaScript string obtained from WebAssembly, and emnapiCreateFunction can use the Function constructor for wrapper generation. Combined with wasm-driven indirect callback dispatch and reflective object mutation, this runtime is security-sensitive and should only be used with fully trusted WebAssembly and tightly controlled inputs. Confidence: 1.00 Severity: 0.60 From: ? → npm/eslint-plugin-import-x@4.16.2 → npm/eslint-import-resolver-typescript@4.4.4 → npm/@emnapi/core@1.10.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/core@1.10.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm @emnapi/core is 100.0% likely to have a medium risk anomaly Notes: Primary concern is direct dynamic code execution. napi_run_script uses eval() on a string originating from wasm-provided input, and ee uses new Function(...) to construct wrapper functions. If the wasm module or its inputs are attacker-controlled, this provides JavaScript code execution in the host context. Aside from these dynamic execution sinks, the remaining code mainly performs wasm memory/table management and worker async orchestration typical of such runtimes, with no clear hardcoded exfiltration or backdoor behavior in this fragment. Confidence: 1.00 Severity: 0.60 From: ? → npm/eslint-plugin-import-x@4.16.2 → npm/eslint-import-resolver-typescript@4.4.4 → npm/@emnapi/core@1.10.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/core@1.10.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm @emnapi/core is 100.0% likely to have a medium risk anomaly Notes: This module appears to be a legitimate wasm-to-JS/Node-API bridge/runtime, but it contains high-impact dynamic execution capabilities: napi_run_script uses eval() on a string originating from the WASM/handle side, and the binding layer can generate functions via new Function(). It also performs indirect host callback invocation based on runtime handles selected by worker/work-queue control. No explicit exfiltration/backdoor behavior is visible in the provided fragment, so malware likelihood is low, but security risk is moderate-to-high due to host-context code execution if the WASM module or its inputs are not fully trusted. Confidence: 1.00 Severity: 0.60 From: ? → npm/eslint-plugin-import-x@4.16.2 → npm/eslint-import-resolver-typescript@4.4.4 → npm/@emnapi/core@1.10.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/core@1.10.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm @unrs/resolver-binding-wasm32-wasi is 100.0% likely to have a medium risk anomaly Notes: This loader establishes a Node.js WASI/worker environment that: 1) passes the entire host process.env into the WASI instance (exposing all environment variables, including secrets, to loaded modules); 2) preopens the filesystem root (granting broad file read/write access under the host’s root directory); and 3) implements importScripts via synchronous fs.readFileSync + eval (allowing any local JS file to be executed in the loader context). If an untrusted or compromised WASM module or script is provided, it can read sensitive environment variables, access or modify arbitrary files, and execute arbitrary JavaScript—posing a moderate security risk. Recommended mitigations: restrict WASI preopens to a minimal directory, limit or sanitize environment variables passed into WASI, and replace or sandbox the eval-based importScripts mechanism. Confidence: 1.00 Severity: 0.60 From: ? → npm/eslint-plugin-import-x@4.16.2 → npm/eslint-import-resolver-typescript@4.4.4 → npm/@unrs/resolver-binding-wasm32-wasi@1.12.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@unrs/resolver-binding-wasm32-wasi@1.12.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[0xEdouardEth]

Approve changes on chain-agnostic-permission

--

api-specs/src/index.ts

import MetaMaskOpenRPCDocument from "./build/openrpc.json";
import MultiChainOpenRPCDocument from "./build/multichain-openrpc.json";
export { MetaMaskOpenRPCDocument, MultiChainOpenRPCDocument };
export default MetaMaskOpenRPCDocument;

[adonesky1]

LGTM

[mcmire]

I'm not totally sure I understand why this is needed. We seem to be bumping two packages by a major version, which is fine if there are new changes we want to take advantage of. But I am not sure how it would make the lint step less deterministic as we are using ^ to indicate ranges, which should tell Yarn to stay within a minor version. Plus we now get two extra peer dependency warnings we didn't get before (I've noted them below).

[mcmire]

@metamask/eslint-config-typescript has a peer dependency on eslint-import-resolver-typescript ^3.6.3.

[cryptodev-2s]

Sorry I forget to move this to draft it will require the work here MetaMask/eslint-config#444 before

[mcmire]

@metamask/eslint-config-nodejs has a peer dependency on @metamask/eslint-config-nodejs ^17.10.3.

[cryptodev-2s]

Sorry I forget to move this to draft it will require the work here MetaMask/eslint-config#444 before