
chore: bump lint plugins and resolve floating-version fallout #8940

Open
cryptodev-2s wants to merge 1 commit into main from chore/drop-stale-lint-resolutions

Conversation

Contributor

@cryptodev-2s cryptodev-2s commented May 29, 2026

Summary

  • Bumps eslint-plugin-import-x, eslint-plugin-n, eslint-import-resolver-typescript, and prettier to the latest versions matching their semver ranges (4.6.1 → 4.16.2, 17.15.1 → 18.0.1, 3.10.1 → 4.4.4, 3.4.2 → 3.8.3).
  • Fixes the five pre-existing lint issues the newer plugins surface so the lockfile can stay fresh without the workaround resolutions PR #8012 (feat: add @metamask/platform-api-docs package) added.

Why

PR #8012 (feat/messenger-docs-site) carries scoped resolutions for these four packages to keep yarn lint deterministic. Investigating those (per r3326274335) showed they aren't resolving a transitive-dep conflict — yarn why confirms each is consumed only by the root workspace. They exist purely to prevent the lockfile from drifting forward to plugin versions that the codebase hasn't been cleaned against.

Bumping the plugins here and addressing the five resulting lint errors means #8012 can drop those resolutions without re-introducing CI failures, and main stays on current plugin versions going forward.

Changes

  • eslint.config.mjs: import.meta.dirname is only stable in Node 22.16+/24+, but the repo's engines field is ^18.18 || >=20. eslint-plugin-n@18's no-unsupported-features rule catches this. Resolve the config dir through dirname(fileURLToPath(import.meta.url)) so the config works across the supported Node range.
  • packages/chain-agnostic-permission/src/scope/constants.ts: eslint-plugin-import-x@4.16 enables no-named-as-default by default. @metamask/api-specs exports MetaMaskOpenRPCDocument as both a named export and the default; switch to the named-import form so the reference is unambiguous.
  • packages/react-data-query/package.json: adds @metamask/messenger to devDependencies (used in createUIQueryClient.test.ts).
  • packages/transaction-pay-controller/package.json: adds @metamask/keyring-controller to dependencies (used in src/strategy/relay/hyperliquid-withdraw{,.test}.ts).
  • packages/messenger-cli/package.json: yarn constraints --fix rolled its prettier range forward to match the new root range.

Test plan

  • yarn lint:eslint is clean
  • yarn constraints is clean
  • yarn dedupe --check is clean
  • yarn lint:misc:check is clean
  • chain-agnostic-permission, react-data-query, transaction-pay-controller tests pass at 100% coverage
  • CI green on this PR

Note

Low Risk
Tooling and dependency-declaration changes only; no runtime auth, security, or payment logic changes.

Overview
Bumps root eslint tooling (eslint-plugin-import-x, eslint-plugin-n, eslint-import-resolver-typescript, prettier) and refreshes yarn.lock so CI can stay on current plugin versions without pinned resolutions.

eslint.config.mjs stops using import.meta.dirname (Node 22.16+ only) and sets tsconfigRootDir via dirname(fileURLToPath(import.meta.url)) so n/no-unsupported-features passes on the repo’s ^18.18 || >=20 engines.

chain-agnostic-permission switches @metamask/api-specs to a named MetaMaskOpenRPCDocument import for import-x/no-named-as-default. react-data-query and transaction-pay-controller declare @metamask/messenger (dev) and @metamask/keyring-controller (prod) where code already imported them. messenger-cli aligns its prettier devDependency with the root bump.

Reviewed by Cursor Bugbot for commit 2bfbb91. Bugbot is set up for automated code reviews on this repo.
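The engines problem in the Changes list above (eslint-plugin-n rejecting import.meta.dirname because the repo's engines field is ^18.18 || >=20 while the property is only stable in Node 22.16+/24+) is, in general, a range-coverage question: does every Node version the engines field admits also have the feature? The JavaScript below is an added example written for this page; it is not the PR's code and not eslint-plugin-n's implementation. It supports only the ^, >= and < comparators that appear here, and it encodes "stable in 22.16+/24+" as >=22.16.0 <23.0.0 || >=24.0.0, which is this example's assumption about the 23.x line, not something the page states.

```javascript
// Added example, not code from the PR or from eslint-plugin-n: a minimal
// form of the check behind n/no-unsupported-features, reduced to the
// comparator forms seen on this page. Supports `^X.Y.Z`, `>=X.Y.Z` and
// `<X.Y.Z`, joined by spaces (AND) and `||` (OR); `~`, `x`, `*` and
// prerelease tags are out of scope (assumption: simplified semver).

function parseVersion(text) {
  const parts = text.split('.').map(Number);
  if (parts.length > 3 || parts.some((n) => !Number.isInteger(n) || n < 0)) {
    throw new Error(`unsupported version: ${text}`);
  }
  while (parts.length < 3) parts.push(0); // "18.18" -> [18, 18, 0]
  return parts;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i += 1) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// One `||` alternative becomes an interval: lo inclusive, hi exclusive,
// hi === null meaning "no upper bound".
function parseAlternative(text) {
  let lo = [0, 0, 0];
  let hi = null;
  for (const comparator of text.trim().split(/\s+/)) {
    let newLo = null;
    let newHi = null;
    if (comparator.startsWith('^')) {
      newLo = parseVersion(comparator.slice(1));
      newHi = [newLo[0] + 1, 0, 0]; // ^18.18 -> >=18.18.0 <19.0.0
    } else if (comparator.startsWith('>=')) {
      newLo = parseVersion(comparator.slice(2));
    } else if (comparator.startsWith('<')) {
      newHi = parseVersion(comparator.slice(1));
    } else {
      throw new Error(`unsupported comparator: ${comparator}`);
    }
    if (newLo && compareVersions(newLo, lo) > 0) lo = newLo;
    if (newHi && (hi === null || compareVersions(newHi, hi) < 0)) hi = newHi;
  }
  return { lo, hi };
}

function parseRange(text) {
  return text.split('||').map(parseAlternative);
}

// Merge overlapping or touching intervals into a sorted, disjoint list.
function mergeIntervals(intervals) {
  const sorted = [...intervals].sort((a, b) => compareVersions(a.lo, b.lo));
  const merged = [];
  for (const current of sorted) {
    const last = merged[merged.length - 1];
    if (last && (last.hi === null || compareVersions(current.lo, last.hi) <= 0)) {
      if (last.hi !== null && (current.hi === null || compareVersions(current.hi, last.hi) > 0)) {
        last.hi = current.hi; // extend the previous interval upwards
      }
    } else {
      merged.push({ lo: current.lo, hi: current.hi });
    }
  }
  return merged;
}

function formatInterval({ lo, hi }) {
  const lower = `>=${lo.join('.')}`;
  return hi === null ? lower : `${lower} <${hi.join('.')}`;
}

// The parts of `enginesRange` on which the feature is NOT available; an
// empty array means every engine version the package claims to support
// also has the feature. Each engine interval must fit inside one merged
// supported interval.
function unsupportedEngineRanges(enginesRange, featureRange) {
  const supported = mergeIntervals(parseRange(featureRange));
  const gaps = [];
  for (const engine of parseRange(enginesRange)) {
    const covered = supported.some(
      (s) =>
        compareVersions(engine.lo, s.lo) >= 0 &&
        (s.hi === null || (engine.hi !== null && compareVersions(engine.hi, s.hi) <= 0)),
    );
    if (!covered) gaps.push(formatInterval(engine));
  }
  return gaps;
}

// The PR's case. The page says import.meta.dirname is stable in Node
// 22.16+/24+; writing that as the two ranges below, with 23.x excluded,
// is this example's reading of that statement (assumption).
const IMPORT_META_DIRNAME_STABLE = '>=22.16.0 <23.0.0 || >=24.0.0';
const REPO_ENGINES = '^18.18 || >=20'; // the repo's engines field, per the PR

console.log(unsupportedEngineRanges(REPO_ENGINES, IMPORT_META_DIRNAME_STABLE));
// -> [ '>=18.18.0 <19.0.0', '>=20.0.0' ]
```

Running it prints the two engine intervals on which the property is missing, which is why the rule fires and why the PR falls back to dirname(fileURLToPath(import.meta.url)). The coverage test is deliberately stricter than "is the minimum engine version new enough?": an engines field of >=22.16.0 alone would still be reported under the assumed feature range, because that unbounded interval passes through the 23.x line.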

`eslint-plugin-import-x`, `eslint-plugin-n`,
`eslint-import-resolver-typescript`, and `prettier` were floating to
older versions because `yarn.lock` happened to hold them; the platform-
api-docs PR (#8012) added scoped resolutions to keep that frozen.
Bumping the four packages to the latest versions matching their semver
ranges removes the need for those resolutions and surfaces five
pre-existing lint issues that the older plugins didn't flag:

- `eslint-plugin-n@18` rejects `import.meta.dirname` in
  `eslint.config.mjs:132` because the property is only stable in Node
  22.16+/24+, while the repo's engines field is `^18.18 || >=20`.
  Resolve `dirname(fileURLToPath(import.meta.url))` instead so the
  config works on every supported Node version.
- `eslint-plugin-import-x@4.16` enables `no-named-as-default` by
  default. `@metamask/api-specs` exports `MetaMaskOpenRPCDocument` as
  both a named export and the default; switch the
  `chain-agnostic-permission` import to the named form to avoid the
  ambiguous reference.
- `import-x/no-extraneous-dependencies` now catches `@metamask/messenger`
  in `react-data-query/src/createUIQueryClient.test.ts` and
  `@metamask/keyring-controller` in `transaction-pay-controller/src/strategy/relay/hyperliquid-withdraw{,.test}.ts`.
  Both packages already used these symbols at runtime/test time without
  declaring them. Add them to the relevant `dependencies` /
  `devDependencies` blocks.

`yarn dedupe` and `yarn constraints --fix` also rolled the
`messenger-cli` package's `prettier` range forward to match the new
root range. No behavior changes in any of the affected packages —
their tests all still pass at 100% coverage.
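Both the Changes list in the description and the commit message above record that import-x/no-extraneous-dependencies caught packages a workspace imported at runtime or in tests without declaring them in its package.json. The JavaScript below is an added example for this page, not the PR's code and not eslint-plugin-import-x's rule: it reduces the check to its core (map each bare import specifier to the npm package that provides it, then require that package in dependencies, or in devDependencies when the importing file is a test). The package.json, the file contents and the @example/logger package are constructed for the example; the regex-based import scanner and the short built-in list are simplifications.

```javascript
// Added example, not code from the PR or from eslint-plugin-import-x: the
// core of an `import-x/no-extraneous-dependencies`-style check over a
// constructed package.json and constructed source files.

// Partial list of Node built-ins, enough for the samples below (assumption).
const NODE_BUILTINS = new Set(['fs', 'path', 'url', 'child_process', 'crypto', 'os', 'util']);

// Map an import specifier to the npm package that provides it, or null for
// relative paths and Node built-ins. Scoped packages keep two segments
// (`@scope/name/sub` -> `@scope/name`), unscoped ones keep the first.
function packageNameOf(specifier) {
  if (specifier.startsWith('.') || specifier.startsWith('/')) return null;
  if (specifier.startsWith('node:')) return null;
  const segments = specifier.split('/');
  const name = specifier.startsWith('@') ? segments.slice(0, 2).join('/') : segments[0];
  return NODE_BUILTINS.has(name) ? null : name;
}

// Collect specifiers from `import ... from 'x'`, `import 'x'`,
// `export ... from 'x'` and `require('x')`. Regex-based: adequate for the
// constructed sources below, not a replacement for a real parser.
function importSpecifiers(source) {
  const found = [];
  const pattern = /(?:\bfrom\s*|\bimport\s*|\brequire\s*\(\s*)['"]([^'"]+)['"]/g;
  let match;
  while ((match = pattern.exec(source)) !== null) found.push(match[1]);
  return found;
}

function isTestFile(filePath) {
  return /\.test\.[cm]?[jt]sx?$/.test(filePath);
}

// Return the undeclared packages a file imports, each with the block it
// should have been declared in. Test files may draw on devDependencies;
// runtime files may not.
function extraneousDependencies(packageJson, filePath, source) {
  const deps = new Set(Object.keys(packageJson.dependencies ?? {}));
  const devDeps = new Set(Object.keys(packageJson.devDependencies ?? {}));
  const peer = new Set(Object.keys(packageJson.peerDependencies ?? {}));
  const allowDev = isTestFile(filePath);
  const problems = [];
  for (const specifier of new Set(importSpecifiers(source))) {
    const name = packageNameOf(specifier);
    if (name === null || name === packageJson.name) continue;
    if (deps.has(name) || peer.has(name)) continue;
    if (allowDev && devDeps.has(name)) continue;
    problems.push({
      specifier,
      package: name,
      expectedIn: allowDev ? 'devDependencies' : 'dependencies',
    });
  }
  return problems;
}

// Constructed package.json modelled on the PR's situation: the package
// names are the page's, the declared blocks and versions are invented here.
const SAMPLE_PACKAGE_JSON = {
  name: '@metamask/transaction-pay-controller',
  dependencies: { '@example/logger': '^1.0.0' },
  devDependencies: { '@metamask/messenger': '^1.0.0' },
};

// Constructed file contents (not the real files from the repo).
const RUNTIME_SOURCE = `
import { KeyringTypes } from '@metamask/keyring-controller';
import { format } from '@example/logger/format';
import { readFileSync } from 'node:fs';
import { helper } from './helper';
import { Messenger } from '@metamask/messenger';
`;

const TEST_SOURCE = `
import { Messenger } from '@metamask/messenger';
import { KeyringTypes } from '@metamask/keyring-controller';
import { helper } from './helper';
`;

console.log(extraneousDependencies(SAMPLE_PACKAGE_JSON, 'src/strategy/relay/hyperliquid-withdraw.ts', RUNTIME_SOURCE));
console.log(extraneousDependencies(SAMPLE_PACKAGE_JSON, 'src/createUIQueryClient.test.ts', TEST_SOURCE));
```

The runtime file is reported twice: once for @metamask/keyring-controller, which is not declared anywhere (the transaction-pay-controller case), and once for @metamask/messenger, which is declared only as a devDependency and so is not available to consumers at runtime. The test file is reported only for @metamask/keyring-controller, because its use of @metamask/messenger is satisfied by devDependencies (the react-data-query case). A package that imports without declaring depends on hoisting in the workspace, which is exactly the kind of undeclared edge that a lockfile refresh or a dedupe can silently break.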
@cryptodev-2s cryptodev-2s requested review from a team as code owners May 29, 2026 22:01
@socket-security

Review the following changes in direct dependencies.

Diff    | Package                                          | Supply Chain Security | Vulnerability | Quality  | Maintenance | License
Updated | eslint-plugin-import-x@4.6.1 ⏵ 4.16.2           | 97                    | 100           | 100 (+1) | 85          | 100
Updated | eslint-import-resolver-typescript@3.7.0 ⏵ 4.4.4 | 99 (+1)               | 100           | 100      | 85          | 100
Updated | prettier@3.4.2 ⏵ 3.8.3                          | 90 (+1)               | 100           | 97 (+1)  | 93          | 100
Updated | semver@7.7.4 ⏵ 7.8.1                            | 100 (+1)              | 100           | 100 (+1) | 92          | 100
Updated | eslint-plugin-n@17.15.1 ⏵ 18.0.1                | 96                    | 100           | 100      | 93          | 100

(+1 marks the change in that score relative to the previous version.)


@socket-security

Caution

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action | Severity | Alert
Block | Medium | Network access: npm @emnapi/core in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: npm/eslint-plugin-import-x@4.16.2 → npm/eslint-import-resolver-typescript@4.4.4 → npm/@emnapi/core@1.10.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/core@1.10.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block | Medium | Network access: npm @tybys/wasm-util in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: npm/eslint-plugin-import-x@4.16.2 → npm/eslint-import-resolver-typescript@4.4.4 → npm/@tybys/wasm-util@0.10.2

ℹ Read more on: This package | This alert | What is network access?


Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tybys/wasm-util@0.10.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block | Medium | Network access: npm napi-postinstall in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: npm/eslint-plugin-import-x@4.16.2 → npm/eslint-import-resolver-typescript@4.4.4 → npm/napi-postinstall@0.3.4

ℹ Read more on: This package | This alert | What is network access?


Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/napi-postinstall@0.3.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block | Medium | System shell access: npm unrs-resolver in module child_process

Module: child_process

Location: Package overview

From: npm/eslint-plugin-import-x@4.16.2 → npm/eslint-import-resolver-typescript@4.4.4 → npm/unrs-resolver@1.12.2

ℹ Read more on: This package | This alert | What is shell access?


Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/unrs-resolver@1.12.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn | Medium | Install-time scripts: npm unrs-resolver during postinstall

Install script: postinstall

Source: node postinstall.js

From: npm/eslint-plugin-import-x@4.16.2 → npm/eslint-import-resolver-typescript@4.4.4 → npm/unrs-resolver@1.12.2

ℹ Read more on: This package | This alert | What is an install script?


Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/unrs-resolver@1.12.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn | Low | Potential code anomaly (AI signal): npm @emnapi/core is 100.0% likely to have a medium risk anomaly

Notes: No explicit evidence of overt malware (network exfiltration, credential theft, backdoors, or filesystem/process activity) appears in this fragment. However, the module contains high-sensitivity dynamic execution capabilities: napi_run_script performs eval-like execution of a JavaScript string obtained from WebAssembly, and emnapiCreateFunction can use the Function constructor for wrapper generation. Combined with wasm-driven indirect callback dispatch and reflective object mutation, this runtime is security-sensitive and should only be used with fully trusted WebAssembly and tightly controlled inputs.

Confidence: 1.00

Severity: 0.60

From: npm/eslint-plugin-import-x@4.16.2 → npm/eslint-import-resolver-typescript@4.4.4 → npm/@emnapi/core@1.10.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?


Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/core@1.10.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn | Low | Potential code anomaly (AI signal): npm @emnapi/core is 100.0% likely to have a medium risk anomaly

Notes: Primary concern is direct dynamic code execution. napi_run_script uses eval() on a string originating from wasm-provided input, and ee uses new Function(...) to construct wrapper functions. If the wasm module or its inputs are attacker-controlled, this provides JavaScript code execution in the host context. Aside from these dynamic execution sinks, the remaining code mainly performs wasm memory/table management and worker async orchestration typical of such runtimes, with no clear hardcoded exfiltration or backdoor behavior in this fragment.

Confidence: 1.00

Severity: 0.60

From: npm/eslint-plugin-import-x@4.16.2 → npm/eslint-import-resolver-typescript@4.4.4 → npm/@emnapi/core@1.10.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?


Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/core@1.10.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn | Low | Potential code anomaly (AI signal): npm @emnapi/core is 100.0% likely to have a medium risk anomaly

Notes: This module appears to be a legitimate wasm-to-JS/Node-API bridge/runtime, but it contains high-impact dynamic execution capabilities: napi_run_script uses eval() on a string originating from the WASM/handle side, and the binding layer can generate functions via new Function(). It also performs indirect host callback invocation based on runtime handles selected by worker/work-queue control. No explicit exfiltration/backdoor behavior is visible in the provided fragment, so malware likelihood is low, but security risk is moderate-to-high due to host-context code execution if the WASM module or its inputs are not fully trusted.

Confidence: 1.00

Severity: 0.60

From: npm/eslint-plugin-import-x@4.16.2 → npm/eslint-import-resolver-typescript@4.4.4 → npm/@emnapi/core@1.10.0

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?


Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/core@1.10.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn | Low | Potential code anomaly (AI signal): npm @unrs/resolver-binding-wasm32-wasi is 100.0% likely to have a medium risk anomaly

Notes: This loader establishes a Node.js WASI/worker environment that: 1) passes the entire host process.env into the WASI instance (exposing all environment variables, including secrets, to loaded modules); 2) preopens the filesystem root (granting broad file read/write access under the host’s root directory); and 3) implements importScripts via synchronous fs.readFileSync + eval (allowing any local JS file to be executed in the loader context). If an untrusted or compromised WASM module or script is provided, it can read sensitive environment variables, access or modify arbitrary files, and execute arbitrary JavaScript—posing a moderate security risk. Recommended mitigations: restrict WASI preopens to a minimal directory, limit or sanitize environment variables passed into WASI, and replace or sandbox the eval-based importScripts mechanism.

Confidence: 1.00

Severity: 0.60

From: npm/eslint-plugin-import-x@4.16.2 → npm/eslint-import-resolver-typescript@4.4.4 → npm/@unrs/resolver-binding-wasm32-wasi@1.12.2

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?


Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@unrs/resolver-binding-wasm32-wasi@1.12.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

