
chore: migrate ESLint to v9 flat config #134

Merged: Mrtenz merged 1 commit into main from mrtenz/eslint-flat-config on Jun 15, 2026

Conversation

Mrtenz (Member) commented Jun 15, 2026

Summary

Migrates ESLint from v7 + .eslintrc.js to v9 + flat config, adopting the @metamask/eslint-config* v15 family from the module template. Closes the four open Dependabot PRs that couldn't merge while we were still on v7 (#130, #131, #132, #133).

Tooling changes

  • eslint: ^7.24.0 → ^9.11.0
  • @metamask/eslint-config*: ^7 → ^15
  • prettier: ^2.2.1 → ^3.3.3 (peer dep)
  • Drop @typescript-eslint/eslint-plugin + @typescript-eslint/parser — replaced by the typescript-eslint metapackage.
  • Drop eslint-plugin-import, eslint-plugin-node — replaced by eslint-plugin-import-x and eslint-plugin-n.
  • Add eslint-plugin-jsdoc, eslint-plugin-promise, eslint-import-resolver-typescript (peer deps of the v15 configs).

tsconfig split

ESLint v9 with type-aware rules needs all .ts files (including tests) in some tsconfig. Since tsc here still emits lib/ for ncc to bundle, we can't use the template's noEmit: true directly. Instead:

  • tsconfig.json: noEmit: true, includes everything, used by ESLint and the IDE.
  • tsconfig.build.json: extends tsconfig.json, adds emit settings, excludes tests. Used by yarn build:tsc.

engines.node bump

Bumps engines.node from >=14.0.0 to ^20 || ^22 || >=24 (template's range). This is enforced by eslint-plugin-n, which flagged node: prefix imports as unsupported under the old range. It's also already true in practice: Yarn 4 + Corepack require Node ≥ 16, and .nvmrc is already lts/*. The Action runs on the consumer's Node, set via their setup-node step, so this field is informational.

Source fixes

  • Switch 'fs'/'path'/'assert'/'process' imports to the node: prefix.
  • Drop the unused _ binding in catch (_) (ESLint v9 allows binding-less catch).
  • Convert interface → type where module-augmentation didn't force interface.
  • Mark a deliberately-floating import('.') in index.test.ts with an inline disable (the test relies on side-effects firing on the next tick).

Rules deliberately turned off

  • jsdoc/require-* — this repo doesn't JSDoc internals.
  • import-x/no-nodejs-modules — this is a Node Action, so Node builtins are the norm.
  • @typescript-eslint/explicit-function-return-type — the codebase relies on inference.
  • @typescript-eslint/naming-convention — allow UPPER_CASE for type members so env-var-shaped types match the actual env var names.

dist/index.js

Regenerates with minor structural changes after the lockfile churn (different ncc chunking). Source behaviour is unchanged.

Part of an opportunistic module-template sync.

Replace .eslintrc.js with eslint.config.mjs using the @metamask/eslint-
config* v15 family (flat config + ESLint 9). Cascading bumps: prettier
2 -> 3 (peer dep), drop @typescript-eslint/{eslint-plugin,parser}
(replaced by typescript-eslint metapackage), add eslint-plugin-import-x,
eslint-plugin-jsdoc, eslint-plugin-n, eslint-plugin-promise,
eslint-import-resolver-typescript.

Split tsconfig into tsconfig.json (no-emit, includes test files for
type-aware lint) and tsconfig.build.json (emit lib/ for ncc, excludes
tests). Bump engines.node from >=14 to "^20 || ^22 || >=24" -- already
true in practice via Yarn 4 + Corepack + .nvmrc lts/*, and the n
plugin enforces it.

Source fixes for new rules: switch to node: prefix imports, drop
unused catch binding, convert interface->type where the augmentation
pattern doesn't require interface.

Disable a few rules that don't fit this repo: jsdoc/require-* (this
codebase doesn't JSDoc internals), import-x/no-nodejs-modules (it's
a Node Action), explicit-function-return-type, and allow UPPER_CASE
type properties for env-var-shaped types.

dist/index.js regenerates with minor structural differences after the
lockfile churn; source unchanged.
socket-security (Bot) commented Jun 15, 2026

Warning

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action | Severity | Alert

Warn | Low | Potential code anomaly (AI signal): npm @unrs/resolver-binding-wasm32-wasi is 100.0% likely to have a medium risk anomaly

Notes: This loader establishes a Node.js WASI/worker environment that: 1) passes the entire host process.env into the WASI instance (exposing all environment variables, including secrets, to loaded modules); 2) preopens the filesystem root (granting broad file read/write access under the host’s root directory); and 3) implements importScripts via synchronous fs.readFileSync + eval (allowing any local JS file to be executed in the loader context). If an untrusted or compromised WASM module or script is provided, it can read sensitive environment variables, access or modify arbitrary files, and execute arbitrary JavaScript—posing a moderate security risk. Recommended mitigations: restrict WASI preopens to a minimal directory, limit or sanitize environment variables passed into WASI, and replace or sandbox the eval-based importScripts mechanism.

Confidence: 1.00

Severity: 0.60

From: npm/eslint-plugin-import-x@4.16.2 → npm/eslint-import-resolver-typescript@3.10.1 → npm/@unrs/resolver-binding-wasm32-wasi@1.12.2

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@unrs/resolver-binding-wasm32-wasi@1.12.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn | Low | Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly

Notes: The code represents a conventional, non-obfuscated part of AJV’s custom keyword support. No direct malicious actions are evident within this module. Security concerns mainly arise from the broader supply chain: the external rule implementation (dotjs/custom), the definition schema, and any user-supplied keyword definitions. The dynamic compilation path (compile(metaSchema, true)) should be exercised with trusted inputs. Recommended follow-up: review the contents of the external modules and monitor the inputs supplied to addKeyword/definitionSchema to ensure no unsafe behavior is introduced during validation or data handling.

Confidence: 1.00

Severity: 0.60

From: npm/eslint@9.39.4 → npm/ajv@6.15.0


Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@6.15.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn | Low | Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly

Notes: The code is a straightforward build script to bundle and minify a specified package using Browserify and UglifyJS. The primary security concern is potential path manipulation: json.main is used to form a require path without validating that it stays within the target package directory. If a malicious or misconfigured package.json includes an absolute path or traversal outside the package, the script could bundle unintended files. Otherwise, the script does not perform network access, data exfiltration, or backdoor actions, and there is no hard-coded secrets or dynamic code execution beyond standard bundling/minification.

Confidence: 1.00

Severity: 0.60

From: npm/eslint@9.39.4 → npm/ajv@6.15.0


Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@6.15.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn | Low | Potential code anomaly (AI signal): npm ajv is 100.0% likely to have a medium risk anomaly

Notes: The code augments a meta-schema to permit remote dereferencing of keyword schemas via a hardcoded data.json resource. This introduces network dependency and potential changes to validation semantics at runtime. While not inherently malicious, the remote reference constitutes a notable security and reliability risk that should be mitigated with local fallbacks, input validation, and explicit remote-resource governance.

Confidence: 1.00

Severity: 0.60

From: npm/eslint@9.39.4 → npm/ajv@6.15.0


Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ajv@6.15.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn | Low | Potential code anomaly (AI signal): npm cross-spawn is 100.0% likely to have a medium risk anomaly

Notes: This file is a minimal, legitimate wrapper around Node.js child_process.spawn and spawnSync to provide improved ENOENT (command not found) error handling. It does not perform any network requests, dynamic code evaluation, secret disclosure, or telemetry. The only “sink” is the intended execution of local processes as directed by the calling application. No malicious behavior detected.

Confidence: 1.00

Severity: 0.60

From: npm/eslint@9.39.4 → npm/cross-spawn@7.0.6


Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/cross-spawn@7.0.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn | Low | Potential code anomaly (AI signal): npm flat-cache is 100.0% likely to have a medium risk anomaly

Notes: The code implements a filesystem-backed cache with potential path traversal vulnerabilities due to unvalidated docId/cacheDir inputs that influence file paths. While not inherently malicious, the lack of input sanitization creates risk of reading/writing/deleting arbitrary files, especially in a public package context where inputs could be user-controlled. No evidence of deliberate malware or obfuscated logic is present, but the security risk due to path handling is non-trivial and should be mitigated by validating and constraining input paths, using safe defaults, and isolating cache storage.

Confidence: 1.00

Severity: 0.60

From: npm/eslint@9.39.4 → npm/flat-cache@4.0.1


Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/flat-cache@4.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn | Low | Potential code anomaly (AI signal): npm ignore is 100.0% likely to have a medium risk anomaly

Notes: The code fragment represents a conventional, well-structured path-ignore utility with caching and recursive parent-directory evaluation. Windows path normalization is present for compatibility but does not indicate malicious intent. No indicators of data leakage, external communication, or covert backdoors were found. Security impact primarily revolves around correct ignore semantics rather than intrinsic vulnerabilities. The component remains appropriate for use in a broader security-conscious pipeline if used with careful awareness of what is being ignored.

Confidence: 1.00

Severity: 0.60

From: npm/typescript-eslint@8.61.0 → npm/eslint-plugin-jest@28.14.0 → npm/ignore@7.0.5


Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ignore@7.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Ignoring alerts on:

  • unrs-resolver@1.12.2
  • napi-postinstall@0.3.4
  • @emnapi/core@1.10.0
  • eslint-plugin-n@17.24.0
  • @tybys/wasm-util@0.10.2
  • js-yaml@4.2.0
  • @typescript-eslint/eslint-plugin@8.61.0

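The first alert above describes a loader that hands the whole process.env and a preopen of "/" to a WASI instance, and the flat-cache alert describes unvalidated docId/cacheDir values reaching file paths. The JavaScript below is an added example written for this page, not code from the PR or from any of the flagged packages, of the mitigations those two alerts recommend: an allowlist for the environment the guest receives, one explicit preopen directory instead of the filesystem root, and a containment check for caller-supplied path components. It assumes only the option names of Node's WASI constructor from node:wasi (version, args, env, preopens, returnOnExit); the function names, the sandbox directory and the host environment are constructed for the example, and the new WASI(options) call itself is left to the caller so the block runs without loading any module.

```javascript
// Added example (not from the PR or from any package Socket flagged).
// Builds a least-privilege options object for Node's WASI constructor and
// provides a path-containment check usable for cache identifiers.

// Pure-string POSIX normalisation so the example needs no imports.
// Returns null when ".." would climb above the root of the input.
function normalizePosix(p) {
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') {
      if (out.length === 0) return null;
      out.pop();
      continue;
    }
    out.push(seg);
  }
  return '/' + out.join('/');
}

// Resolve `rel` inside `base`; returns the resolved path, or null when the
// request would escape `base` (the flat-cache docId/cacheDir problem).
function resolveWithin(base, rel) {
  if (typeof rel !== 'string' || rel.length === 0) return null;
  if (rel.includes('\0')) return null;   // NUL bytes truncate paths in native code
  if (rel.startsWith('/')) return null;  // absolute identifiers are never accepted
  const baseNorm = normalizePosix(base);
  if (baseNorm === null || baseNorm === '/') return null; // "/" is not a sandbox
  const joined = normalizePosix(baseNorm + '/' + rel);
  if (joined === null) return null;
  if (joined !== baseNorm && !joined.startsWith(baseNorm + '/')) return null;
  return joined;
}

// Copy only allowlisted, string-valued keys; everything else (tokens, cloud
// credentials) stays in the host process.
function filterEnv(hostEnv, allowedKeys) {
  const env = {};
  for (const key of allowedKeys) {
    if (Object.prototype.hasOwnProperty.call(hostEnv, key) && typeof hostEnv[key] === 'string') {
      env[key] = hostEnv[key];
    }
  }
  return env;
}

// Options for `new WASI(options)` (node:wasi). Instead of preopening "/" and
// passing process.env through, the guest sees one directory as /sandbox and an
// explicit subset of the environment.
function buildWasiOptions({ hostEnv, allowedEnvKeys, sandboxDir, args = [] }) {
  const sandbox = sandboxDir.startsWith('/') ? normalizePosix(sandboxDir) : null;
  if (sandbox === null || sandbox === '/') {
    throw new Error(`refusing to preopen ${JSON.stringify(sandboxDir)}: need an absolute directory other than /`);
  }
  return {
    version: 'preview1',
    args,
    env: filterEnv(hostEnv, allowedEnvKeys),
    preopens: { '/sandbox': sandbox }, // guest path -> host path, nothing else is visible
    returnOnExit: true,
  };
}

// Constructed host environment standing in for process.env; the secret-looking
// values are made up for the example.
const HOST_ENV = {
  PATH: '/usr/bin',
  HOME: '/home/ci',
  NPM_TOKEN: 'npm_constructed_secret',
  AWS_SECRET_ACCESS_KEY: 'constructed_secret',
};

const options = buildWasiOptions({
  hostEnv: HOST_ENV,
  allowedEnvKeys: ['PATH', 'HOME'],
  sandboxDir: '/srv/wasi-sandbox',
});
// Passing `options` to new WASI(options) gives the guest PATH and HOME only,
// and /srv/wasi-sandbox mounted as /sandbox.
```

resolveWithin returns null rather than a clamped path so that a caller can refuse the request instead of silently reading or writing a different file; the same normalisation is what makes buildWasiOptions reject a bare "/" or a relative directory as the preopen.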

Mrtenz (Member, Author) commented Jun 15, 2026

@SocketSecurity ignore npm/@typescript-eslint/eslint-plugin@8.61.0
@SocketSecurity ignore npm/js-yaml@4.2.0
@SocketSecurity ignore npm/@emnapi/core@1.10.0

These look fine.

@SocketSecurity ignore npm/@tybys/wasm-util@0.10.2
@SocketSecurity ignore npm/eslint-plugin-n@17.24.0
@SocketSecurity ignore npm/napi-postinstall@0.3.4

Network access ok.

@SocketSecurity ignore npm/unrs-resolver@1.12.2

Shell access ok.

Mrtenz marked this pull request as ready for review June 15, 2026 07:35
Mrtenz requested a review from a team as a code owner June 15, 2026 07:35
Mrtenz merged commit 9aa808b into main Jun 15, 2026
8 checks passed
Mrtenz deleted the mrtenz/eslint-flat-config branch June 15, 2026 11:29