
chore: align external dep ranges with core monorepo#598

Merged
cryptodev-2s merged 4 commits into
mainfrom
chore/align-external-dep-versions
Jun 15, 2026

Conversation

cryptodev-2s (Contributor) commented Jun 12, 2026

Explanation

MetaMask/core's yarn.config.cjs enforces consistent version ranges for every external dependency across all monorepo packages (expectConsistentDependenciesAndDevDependencies), and expectUpToDateWorkspaceDependenciesAndDevDependencies requires internal @metamask/* ranges to track the current in-monorepo version. This PR aligns or removes every remaining drift point so the migrated package doesn't fail constraints.

Aligned

| Dep | Source (before) | Aligned to core |
| --- | --- | --- |
| @babel/runtime | ^7.24.1 | ^7.23.9 |
| @lavamoat/allow-scripts | ^3.2.1 | ^3.0.4 |
| typescript-eslint | ^8.39.0 | ^8.48.0 |
| @metamask/profile-sync-controller | ^28.1.1 | ^28.2.0 (core released 28.2.0 since the previous alignment in #590) |

Removed (unused)

  • @types/node — no Node API usage anywhere in source (no fs/path/crypto/process/Buffer; tsconfig lib is ["ES2020", "DOM"]).
  • @types/eslint — no import 'eslint' anywhere.
  • @types/jest — Jest 29 ships its own types via @jest/globals.
  • @types/lodash — transitively available; tsconfig.skipLibCheck makes it irrelevant for source builds.

(Transitive consumers that need any of these install their own copy.)

Not aligned (intentional)

nock stays at ^14.0.0-beta.7. Downgrading to core's ^13.3.1 causes 22 test failures (the v14-beta mock interceptors don't match in v13). Two options for Phase B:

  • Add nock to ALLOWED_INCONSISTENT_DEPENDENCIES in core's yarn.config.cjs, OR
  • Bump core's nock from v13 to v14 separately

Source-only deps (not in core, will migrate as-is)

@ethersproject/bytes, @ethersproject/keccak256, @ethersproject/transactions (runtime), @arethetypeswrong/cli, prettier-plugin-packagejson (dev — Phase B PR #10 will strip the dev ones).

Verification

  • yarn build
  • yarn lint
  • yarn jest — 196/196 pass

References

Core's `yarn.config.cjs` enforces consistent version ranges for
every external dep across all monorepo packages
(`expectConsistentDependenciesAndDevDependencies`). This PR aligns
6 of 7 remaining drift points so the migrated package doesn't fail
constraints.

- @babel/runtime           ^7.24.1  -> ^7.23.9
- @lavamoat/allow-scripts  ^3.2.1   -> ^3.0.4
- @types/eslint            ^9.6.1   -> ^8.44.7
- @types/lodash            ^4.14.194-> ^4.14.191
- @types/node              ^18.19.17-> ^16.18.54
- typescript-eslint        ^8.39.0  -> ^8.48.0

`nock` is intentionally NOT aligned: downgrading from `^14.0.0-beta.7`
to core's `^13.3.1` makes 22 tests fail with HTTP 500s (the mock
interceptors aren't matching). Will need to add `nock` to
ALLOWED_INCONSISTENT_DEPENDENCIES in core during Phase B, or upgrade
core to v14 separately.

Lint, build, and 196/196 tests remain green.
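The two constraints the description names (consistent external ranges across workspaces, and internal `@metamask/*` ranges tracking the current workspace version) can be modelled in a few lines. This is an added example, not MetaMask/core's `yarn.config.cjs`; the manifests, the `ALLOWED_INCONSISTENT_DEPENDENCIES` contents and the `@metamask/migrated-package` name are constructed to mirror the drift points listed above.

```javascript
// Added example (not MetaMask's yarn.config.cjs): a minimal model of the two
// constraints the PR description names. Workspace manifests are constructed inline.
const ALLOWED_INCONSISTENT_DEPENDENCIES = new Set(['nock']); // hypothetical allowlist

// Constructed sample manifests; the ranges mirror the drift points listed in the PR.
const WORKSPACES = [
  { name: '@metamask/profile-sync-controller', version: '28.2.0',
    dependencies: { '@babel/runtime': '^7.23.9' }, devDependencies: { nock: '^13.3.1' } },
  { name: '@metamask/migrated-package', version: '1.0.0',
    dependencies: { '@babel/runtime': '^7.24.1', '@metamask/profile-sync-controller': '^28.1.1' },
    devDependencies: { nock: '^14.0.0-beta.7' } },
];

// Report every external dependency whose declared range differs between workspaces
// (the expectConsistentDependenciesAndDevDependencies idea), minus the allowlist.
function findInconsistentRanges(workspaces, allowed = ALLOWED_INCONSISTENT_DEPENDENCIES) {
  const internal = new Set(workspaces.map((w) => w.name));
  const ranges = new Map(); // dep name -> Map(range -> [workspace names])
  for (const ws of workspaces) {
    for (const [dep, range] of Object.entries({ ...ws.dependencies, ...ws.devDependencies })) {
      if (internal.has(dep) || allowed.has(dep)) continue;
      const byRange = ranges.get(dep) ?? new Map();
      byRange.set(range, [...(byRange.get(range) ?? []), ws.name]);
      ranges.set(dep, byRange);
    }
  }
  return [...ranges]
    .filter(([, byRange]) => byRange.size > 1)
    .map(([dep, byRange]) => ({ dep, ranges: Object.fromEntries(byRange) }));
}

// Report internal workspace ranges that do not point at the current workspace
// version (the expectUpToDateWorkspaceDependenciesAndDevDependencies idea).
function findStaleWorkspaceRanges(workspaces) {
  const current = new Map(workspaces.map((w) => [w.name, `^${w.version}`]));
  const stale = [];
  for (const ws of workspaces) {
    for (const [dep, range] of Object.entries({ ...ws.dependencies, ...ws.devDependencies })) {
      if (current.has(dep) && range !== current.get(dep)) {
        stale.push({ workspace: ws.name, dep, range, expected: current.get(dep) });
      }
    }
  }
  return stale;
}

// Stand-alone run: @babel/runtime drifts, nock is allowlisted, one internal range is stale.
console.log(JSON.stringify({ inconsistent: findInconsistentRanges(WORKSPACES),
  stale: findStaleWorkspaceRanges(WORKSPACES) }, null, 2));
```

Drop `nock` from the allowlist and it is reported too, which is the "22 failing tests vs. constraints" trade-off the description describes.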
@cryptodev-2s cryptodev-2s requested a review from a team as a code owner June 12, 2026 19:28
socket-security Bot commented Jun 12, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
| --- | --- | --- | --- | --- | --- | --- |
| Updated | @babel/runtime@7.24.1 -> 7.29.7 | 100 (+1) | 100 (+2) | 79 | 95 | 100 |
| Updated | nock@14.0.0-beta.7 -> 14.0.15 | 87 (-11) | 100 | 100 (+1) | 96 (-1) | 100 |
| Added | @metamask/profile-sync-controller@28.2.0 | 98 | 100 | 87 | 98 | 100 |
| Updated | @lavamoat/allow-scripts@3.3.0 -> 3.4.3 | 100 (+1) | 100 | 100 | 93 (+4) | 100 |

View full report

socket-security Bot commented Jun 12, 2026

Warning

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Warn (Low): Potential code anomaly (AI signal): npm @npmcli/git is 100.0% likely to have a medium risk anomaly

Notes: The code reads the user's git configuration and applies defaults to streamline automation, notably by auto-accepting new SSH host keys and bypassing prompts. This reduces friction for automation but lowers interactive security. Not inherently malicious, but the default behavior should be clearly documented and optionally opt-in or restricted per-project to mitigate potential risk.

Confidence: 1.00

Severity: 0.60

From: npm/@lavamoat/allow-scripts@3.4.3 -> npm/@npmcli/git@7.0.2

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@npmcli/git@7.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn (Low): Potential code anomaly (AI signal): npm node-gyp is 100.0% likely to have a medium risk anomaly

Notes: The code is a legitimate Windows registry query and filesystem readability utility, with no inherent malware or backdoors. Primary security concerns are data exposure through verbose logging and the potential misuse of reg.exe with untrusted inputs. Mitigations include restricting input sources, redacting sensitive outputs in logs, and ensuring callers handle registry data securely. Overall security risk is moderate due to sensitive operations and logging exposure, but no active malicious behavior detected.

Confidence: 1.00

Severity: 0.60

From: npm/@lavamoat/allow-scripts@3.4.3 -> npm/node-gyp@12.4.0

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/node-gyp@12.4.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn (Low): Potential code anomaly (AI signal): npm resolve is 100.0% likely to have a medium risk anomaly

Notes: This manifest uses a non-registry, relative-path dependency ('resolve': '../../../') which is a significant supply-chain risk because it allows arbitrary local code to be pulled in and executed without registry protections. Combined with the 'lerna bootstrap' postinstall script (which can trigger other lifecycle scripts across the monorepo), this setup increases the chance of untrusted code execution and other malicious behavior. Inspect the target of the relative path, all bootstrap-linked packages, and any lifecycle scripts before running npm install in an untrusted environment.

Confidence: 1.00

Severity: 0.60

From: npm/@lavamoat/allow-scripts@3.4.3 -> npm/resolve@1.22.10

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/resolve@1.22.10. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn (Low): Potential code anomaly (AI signal): npm tar is 100.0% likely to have a medium risk anomaly

Notes: This module acts as a standard tar extraction wrapper using synchronous and asynchronous code paths. There is no evident malicious activity within this fragment. Security risk hinges on the behavior of the Unpack/UnpackSync implementation and how tar entries are written to disk (e.g., path traversal). No hardcoded secrets or network calls are present here. Recommend ensuring tar extraction handles path traversal and destination path sanitization in Unpack, and consider validating opt.file presence and type before streaming.

Confidence: 1.00

Severity: 0.60

From: npm/@lavamoat/allow-scripts@3.4.3 -> npm/tar@7.5.16

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tar@7.5.16. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Ignoring alerts on:

  • @mswjs/interceptors@0.41.9
  • undici@6.26.0
  • glob@13.0.6
  • nock@14.0.15

View full report

Source has no direct Node API usage (no fs/path/crypto/process/Buffer
references; tsconfig lib is ["ES2020", "DOM"]). Transitive consumers
that need Node types (jest, etc.) install their own copy.

Build, lint, and 196/196 tests all pass without it.
Source doesn't import any of these directly. jest 29 ships its
own types via @jest/globals; lodash/eslint types come in
transitively. tsconfig has `skipLibCheck: true` so missing
declaration files for these aren't checked anyway.

Build, lint, and 196/196 tests all pass without them.
Comment thread package.json
"devDependencies": {
"@arethetypeswrong/cli": "^0.18.2",
"@lavamoat/allow-scripts": "^3.2.1",
"@lavamoat/allow-scripts": "^3.0.4",
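Review bot: lowering `@lavamoat/allow-scripts` from `^3.2.1` to `^3.0.4` only widens the declared floor, while the Socket report on this PR shows the resolved version moving from 3.3.0 to 3.4.3, so the lockfile resolution is the change that actually affects installs. Since allow-scripts is the package that gates install-time lifecycle scripts, and its transitive set (`@npmcli/git`, `node-gyp`, `resolve`, `tar`) is exactly what the new Socket alerts cover, it is worth stating in the PR that the 3.4.3 resolution bump is intentional and reviewed, separately from the range alignment.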

cryptodev-2s (Contributor, Author) commented Jun 15, 2026

I could also update in core if it's better

Member replied:

We can do that after the merge. This is fine for now.

Comment thread package.json
"test:watch": "jest --watchAll"
},
"dependencies": {
"@babel/runtime": "^7.24.1",
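Review bot: only the pre-change `^7.24.1` line is visible in this hunk; the PR table states it becomes `^7.23.9`. Because `@babel/runtime` is a production dependency of the migrated package, the lowered floor permits a consumer's lockfile to resolve an older runtime than this package was previously tested against; in this repository the Socket diff shows it resolving to 7.29.7, so the change is a constraints-only adjustment here, which would be worth noting in the commit message alongside the other alignments.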

cryptodev-2s (Contributor, Author) commented:

I could also update in core if it's better

Mrtenz (Member) left a comment

Please review the Socket report before merging.

cryptodev-2s (Contributor, Author) commented:

@SocketSecurity ignore npm/glob@13.0.6

False positive. The "fetch" identifiers Socket detected come from lru-cache (bundled into glob 13's minified output), not HTTP fetch. They are LRUCache's in-memory cache loader API (fetchMethod, fetchAborted, fetchDispatched, etc.). Transitive devDep of @lavamoat/allow-scripts; no HTTP access occurs.

cryptodev-2s (Contributor, Author) commented:

@SocketSecurity ignore npm/nock@14.0.15

False positive. nock's source (lib/intercept.js, index.js, etc.) is unobfuscated, readable JavaScript with normal identifiers and JSDoc. The signal is likely triggered by minified bundles. Industry-standard HTTP mocking library used here as a devDep for tests only.

cryptodev-2s (Contributor, Author) commented:

@SocketSecurity ignore npm/@mswjs/interceptors@0.41.9

False positive. The "obfuscation" detection is triggered by hash-suffixed chunk filenames (e.g. fetchUtils-umV5xXBy.cjs, BatchInterceptor-BGhH8z1z.cjs) that modern bundlers produce for cache busting. Chunk contents and src/ TypeScript files are readable with proper identifiers. Transitive devDep of nock@14; used only at test time.

cryptodev-2s (Contributor, Author) commented:

@SocketSecurity ignore npm/undici@6.26.0

All 5 alerts checked, all false positives.

  • Network access in globalThis.fetch: undici is Node.js's official fetch implementation (powers globalThis.fetch since Node 18). HTTP access is its purpose. Maintained by Matteo Collina (Node.js TSC). Homepage: undici.nodejs.org.
  • AI anomaly (UTF-8 → Latin-1 re-encoding): This is scripts/strip-comments.js, a build-time script that transcodes undici's own browser bundle (undici-fetch.js) for CDN/bundler compatibility. Not runtime code; operates only on undici's own internal file at build time.
  • AI anomaly (cache batch operations): HTTP response caching. The Socket AI's own notes state: "No signs of malware, data exfiltration, backdoors, or obfuscated behavior were found."
  • AI anomaly (HTTP/WebSocket upgrade handler): Standard protocol handling. The Socket AI's own notes state: "no indicators of malware or obfuscation are detected."
  • AI anomaly (4th): Same class of HTTP-client behaviour signal as the others.

Transitive devDep of @lavamoat/allow-scripts (build/install tooling). Not used at runtime by this package.

@cryptodev-2s cryptodev-2s merged commit 1a4a3b7 into main Jun 15, 2026
17 checks passed
@cryptodev-2s cryptodev-2s deleted the chore/align-external-dep-versions branch June 15, 2026 14:14