chore: modernise tsconfig and required toolchain

[Mrtenz]

Summary

Aligns tsconfig.json with the MetaMask module template, with deliberate exceptions where this Action repo's build pipeline diverges from an npm module:

tsconfig.json changes

Flag	From	To	Notes
target	ES2019	ES2020
lib	ES2020	ES2023
forceConsistentCasingInFileNames	—	true
exactOptionalPropertyTypes	—	true	Required TS bump
noUncheckedIndexedAccess	—	true
noErrorTruncation	—	true
typeRoots	["node_modules/@types"]	removed	Default behaviour, redundant
exclude	["src/**/*.test.ts"]	["./dist", "src/**/*.test.ts"]

Intentionally not adopted from the template

• noEmit: true — tsc here actually emits lib/ for ncc to bundle into dist/. Setting noEmit: true would break the build chain.
• module: Node16 / moduleResolution: Node16 — would require adding .js extensions to every relative import. No real benefit for an Action where ncc bundles everything into one file.

Toolchain bumps (required to unlock the new flags)

• typescript: ^4.2.4 → ~5.7.3 (template version).
• @types/node: ^18.6.1 → ^18.18 (TS 5 surfaces a typing bug in older @types/node@18.6).
• jest: ^26.6.3 → ^29.7.0.
• ts-jest: ^26.5.5 → ^29.1.0 — ts-jest 26 uses TS internals (ts.getMutableClone) that were removed in TS 5.
• @types/jest: ^26.0.22 → ^29.5.0.

Source change

src/utils.test.ts adjusts the GITHUB_WORKSPACE env-var restore in afterAll to satisfy exactOptionalPropertyTypes and to correctly delete the var when it wasn't set originally (the old if ('GITHUB_WORKSPACE' in process.env) check was a no-op because beforeAll always deletes it first).

Part of an opportunistic module-template sync.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	jest@​26.6.3 ⏵ 29.7.0			+1
	@​types/​jest@​26.0.23 ⏵ 29.5.14	+1		+1
	@​types/​node@​18.6.1 ⏵ 18.19.130
	typescript@​4.2.4 ⏵ 5.7.3	+1		-10		+10
	ts-jest@​26.5.6 ⏵ 29.4.11			+1

View full report

[socket-security]

Warning

MetaMask internal reviewing guidelines:

• Do not ignore-all
• Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
• Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
  @SocketSecurity ignore npm/PACKAGE@VERSION

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Potential code anomaly (AI signal): npm @babel/core is 100.0% likely to have a medium risk anomaly Notes: The code defines a stack-trace manipulation utility that can selectively hide or reveal frames and inject synthetic frames into error traces. While not inherently malicious, its global alteration of Error.prepareStackTrace and stackTraceLimit enables obfuscation of error reporting and can hinder debugging or auditing. Use is advised with thorough documentation and restricted scope in security-sensitive environments. Confidence: 1.00 Severity: 0.60 From: ? → npm/jest@29.7.0 → npm/@babel/core@7.29.7 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/core@7.29.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm @babel/core is 100.0% likely to have a medium risk anomaly Notes: The examined code is a standard, benign helper for constructing and wrapping configuration items from descriptors within Babel’s tooling. There is no evidence of data leakage, exfiltration, backdoors, or other malicious activity in this fragment. The combination of immutability, brand-based identity, and non-enumerable descriptor storage indicates a well-scoped internal utility rather than anything suspicious. Confidence: 1.00 Severity: 0.60 From: ? → npm/jest@29.7.0 → npm/@babel/core@7.29.7 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/core@7.29.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm @babel/helper-module-imports is 100.0% likely to have a medium risk anomaly Notes: The analyzed code is a Babel AST helper (ImportBuilder) used to construct import statements and interop-wrapped imports. It contains no indicators of malicious behavior, data exfiltration, backdoors, or runtime abuses. It operates within a compiler/transpiler context to produce code, not to execute arbitrary user data. Therefore, the code itself does not present security risks or malware indicators under normal usage. This is benign library behavior intended for code transformation. Confidence: 1.00 Severity: 0.60 From: ? → npm/jest@29.7.0 → npm/@babel/helper-module-imports@7.29.7 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helper-module-imports@7.29.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm @babel/helper-module-transforms is 100.0% likely to have a medium risk anomaly Notes: The code is a legitimate, static-code transformation utility used in Babel to ensure proper behavior of ES module bindings after transforms. There is no evidence of malicious behavior, data leakage, or external communications within this fragment. It operates purely on AST-level transformations consistent with module import/export handling. Confidence: 1.00 Severity: 0.60 From: ? → npm/jest@29.7.0 → npm/@babel/helper-module-transforms@7.29.7 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helper-module-transforms@7.29.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm @babel/helper-string-parser is 100.0% likely to have a medium risk anomaly Notes: The analyzed code is a standard, well-structured parsing utility for JavaScript string literals and escapes (consistent with Babel’s helper-string-parser). It includes thorough validation, proper Unicode handling, and defensive error reporting. There is no evidence of malicious behavior, data leakage, or network activity within this fragment. The security risk is low when used as part of a trusted toolchain; the code otherwise poses no evident supply-chain threat based on the provided snippet. Confidence: 1.00 Severity: 0.60 From: ? → npm/jest@29.7.0 → npm/@babel/helper-string-parser@7.29.7 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helper-string-parser@7.29.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm @babel/helpers is 100.0% likely to have a medium risk anomaly Notes: The analyzed fragment is a conventional Babel/TypeScript-style decorators runtime (applyDecs) responsible for applying decorators to class members and managing metadata and initializers. There is no evidence of malware, backdoors, or external data leakage within this module. While complex, the code behaves as a metadata-driven decorator processor and should be considered low risk when used as intended. Downstream risks depend on the decorators provided by consumers, not this utility itself. Confidence: 1.00 Severity: 0.60 From: ? → npm/jest@29.7.0 → npm/@babel/helpers@7.29.7 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helpers@7.29.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm @babel/helpers is 100.0% likely to have a medium risk anomaly Notes: The code fragment is a standard Babel decorator runtime helper (applyDecs2203). Its security posture hinges on the trustworthiness of the supplied decorators. If decorators are from untrusted sources, they can execute arbitrary code during decoration or initialization. The library itself does not exhibit malicious behavior, but this pattern introduces a high-risk surface via external inputs. Recommended mitigations include validating decorator outputs, enforcing sandboxing or runner boundaries for decorators, and auditing decorator sources in the application. Confidence: 1.00 Severity: 0.60 From: ? → npm/jest@29.7.0 → npm/@babel/helpers@7.29.7 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helpers@7.29.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm escalade is 100.0% likely to have a medium risk anomaly Notes: This is a generic upward-directory traversal utility. It is not inherently malicious. Security posture hinges on the callback's implementation and proper termination guarantees. Risks include unhandled filesystem errors and potential unbounded traversal if the callback misbehaves or lacks proper termination checks. Confidence: 1.00 Severity: 0.60 From: ? → npm/jest@29.7.0 → npm/escalade@3.2.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/escalade@3.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm escalade is 100.0% likely to have a medium risk anomaly Notes: The code implements a standard upward-directory search utility driven by a callback. It is not inherently malicious, but its safety and determinism depend on the callback's implementation and the absence of unhandled I/O errors. Potential issues include lack of error handling, reliance on callback contract, and possible endless loops if the callback never signals an end. Use with trusted callbacks or add explicit error handling and input validation. Confidence: 1.00 Severity: 0.60 From: ? → npm/jest@29.7.0 → npm/escalade@3.2.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/escalade@3.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm graceful-fs is 100.0% likely to have a medium risk anomaly Notes: The fragment is a legitimate Graceful FS implementation designed to gracefully handle EMFILE/ENFILE errors by queuing and retrying I/O operations. It coordinates across multiple instances via a shared queue and patches core fs APIs accordingly. Primary risks are complexity and potential unintended interactions in large apps due to global patches, not malicious activity or data exfiltration. Confidence: 1.00 Severity: 0.60 From: ? → npm/@types/jest@29.5.14 → npm/jest@29.7.0 → npm/graceful-fs@4.2.11 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/graceful-fs@4.2.11. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm json5 is 100.0% likely to have a medium risk anomaly Notes: The analyzed fragment appears to be a conventional JSON5 library distribution with polyfills and a JSON5 parser/stringifier. No malicious activity, data exfiltration, or backdoors were detected within the provided code block. The main risk is typical for large bundled libraries (bundle size, maintenance, and potential outdated polyfills) rather than active security abuse. Proceed with standard dependency hygiene (version pinning, integrity checks, and regular updates). Confidence: 1.00 Severity: 0.60 From: ? → npm/ts-jest@29.4.11 → npm/jest@29.7.0 → npm/json5@2.2.3 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/json5@2.2.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm json5 is 100.0% likely to have a medium risk anomaly Notes: This CLI wrapper for the JSON5 library reads the entire input stream into memory before parsing, which could be abused to cause a denial-of-service by supplying extremely large JSON5 payloads. In addition, the legacy ‑-convert option will write a new .json file alongside the input when no explicit output path is given, risking unintended file overwrites. There is no network activity, no dynamic code execution beyond JSON5.parse, and no embedded secrets or telemetry. Confidence: 1.00 Severity: 0.60 From: ? → npm/ts-jest@29.4.11 → npm/jest@29.7.0 → npm/json5@2.2.3 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/json5@2.2.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm semver is 100.0% likely to have a medium risk anomaly Notes: No malicious behavior detected. This is a legitimate SemVer utility implementation handling version validation, range filtering, and optional increments. Security risk is low for this code fragment; obfuscated indicators are absent. Overall malice likelihood is negligible. Confidence: 1.00 Severity: 0.60 From: ? → npm/jest@29.7.0 → npm/semver@6.3.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/semver@6.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm source-map-support is 100.0% likely to have a medium risk anomaly Notes: This file contains obfuscated logic, unusual error handling mechanisms, and dynamic code evaluation (e.g., eval usage) that deviate from typical coding practices. There is no confirmed indication of malicious intent, but these anomalies could pose a risk if leveraged by a malicious actor. Further review is advised to fully assess security implications. Confidence: 1.00 Severity: 0.60 From: ? → npm/jest@29.7.0 → npm/source-map-support@0.5.13 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/source-map-support@0.5.13. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm ts-jest is 100.0% likely to have a medium risk anomaly Notes: No clear evidence of malware (e.g., network exfiltration, command execution, or credential theft) is present in this fragment. However, it implements a high-impact extensibility mechanism: it dynamically imports and executes a hook module specified by the TS_JEST_HOOKS environment variable and passes it full source code and transformer configuration. If the environment variable or hook file can be influenced by an attacker (common in compromised CI/dev environments), this becomes an arbitrary code execution vector during Jest/ts-jest transformation. Additionally, cache-key material and logs may expose sensitive project data if cache/log artifacts are accessible. Confidence: 1.00 Severity: 0.60 From: package.json → npm/ts-jest@29.4.11 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ts-jest@29.4.11. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Ignoring alerts on:

• create-jest@29.7.0
• update-browserslist-db@1.2.3
• babel-plugin-istanbul@6.1.1
• convert-source-map@2.0.0

View full report

[Mrtenz]

@SocketSecurity ignore npm/update-browserslist-db@1.2.3

Shell access seems fine.

@SocketSecurity ignore npm/babel-plugin-istanbul@6.1.1
@SocketSecurity ignore npm/convert-source-map@2.0.0
@SocketSecurity ignore npm/create-jest@29.7.0

New author is ok.

[Gudahtt]

LGTM!