chore: update a few dependencies

[shane-t]

Note

Upgrade Node to 22.8 and modernize tooling and Snap dependencies, plus snap config/manifest tweaks (localhost origin, platform v9.3).

• Tooling/Engines:
  • Bump Node to v22.8.0 (.nvmrc, engines.node) and upgrade package manager to yarn@4.9.1.
  • Update dev tooling: eslint@^9, Prettier ^3, TypeScript ~5.8.3, and related ESLint configs/plugins; refresh lockfile.
• Snap package (packages/snap):
  • Upgrade MetaMask deps: @metamask/keyring-api@^21.2.0, @metamask/keyring-snap-sdk@^7.1.0, @metamask/snaps-sdk@^9.3.0, @metamask/snaps-cli@^8.1.0.
  • Align dev deps (Prettier 3, ESLint ecosystem) with root.
• Config/Manifest:
  • snap.config.ts: remove explicit bundler, add stats.builtIns.ignore list.
  • snap.manifest.json: add http://localhost:8000 to allowedOrigins; bump platformVersion to 9.3.0; update source.shasum.

^{Written by Cursor Bugbot for commit 249fcc2. This will update automatically on new commits. Configure here.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	eslint-config-prettier@​9.1.2
	@​metamask/​keyring-snap-sdk@​7.0.0 ⏵ 7.1.1	+27		+1	+3
	@​metamask/​snaps-cli@​6.7.0 ⏵ 8.3.0	-1			+11
	@​metamask/​eslint-config-jest@​14.1.0
	eslint-plugin-promise@​7.2.1
	depcheck@​1.4.7
	@​metamask/​eslint-config-nodejs@​14.0.0
	@​metamask/​eslint-config@​14.1.0
	@​metamask/​eslint-config-typescript@​14.1.0
	eslint-plugin-n@​17.23.1
	@​metamask/​keyring-api@​21.2.0
	typescript@​5.8.3
	prettier@​3.7.1
	eslint-plugin-prettier@​5.5.4
	eslint@​9.39.1
	eslint-plugin-jsdoc@​50.8.0
	eslint-plugin-jest@​28.14.0

View full report

[socket-security]

Caution

MetaMask internal reviewing guidelines:

• Do not ignore-all
• Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
• Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
  @SocketSecurity ignore npm/PACKAGE@VERSION

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Publisher changed: npm content-disposition is now published by ulisesgascon Author: ulisesgascon From: ? → npm/@metamask/snaps-cli@8.3.0 → npm/content-disposition@1.0.1 ℹ Read more on: This package | This alert | What is unstable ownership? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/content-disposition@1.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Publisher changed: npm http-errors is now published by ulisesgascon Author: ulisesgascon From: ? → npm/@metamask/snaps-cli@8.3.0 → npm/http-errors@2.0.1 ℹ Read more on: This package | This alert | What is unstable ownership? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/http-errors@2.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm @metamask/snaps-sandbox in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: packages/snap/package.json → npm/@metamask/snaps-cli@8.3.0 → npm/@metamask/snaps-sandbox@1.0.0 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/snaps-sandbox@1.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm @typescript-eslint/typescript-estree in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: ? → npm/eslint-plugin-jest@28.14.0 → npm/@typescript-eslint/typescript-estree@8.48.0 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@typescript-eslint/typescript-estree@8.48.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm @typescript-eslint/utils in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: package.json → npm/eslint-plugin-jest@28.14.0 → npm/@typescript-eslint/utils@8.48.0 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@typescript-eslint/utils@8.48.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm @vue/compiler-sfc in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: package.json → npm/depcheck@1.4.7 → npm/@vue/compiler-sfc@3.5.25 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@vue/compiler-sfc@3.5.25. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm prettier in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: package.json → npm/prettier@3.7.1 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/prettier@3.7.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Publisher changed: npm accepts is now published by wesleytodd instead of dougwilson New Author: wesleytodd Previous Author: dougwilson From: ? → npm/@metamask/snaps-cli@8.3.0 → npm/accepts@2.0.0 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/accepts@2.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Publisher changed: npm async-function is now published by ljharb instead of eduardorfs New Author: ljharb Previous Author: eduardorfs From: ? → npm/@metamask/snaps-cli@8.3.0 → npm/async-function@1.0.0 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/async-function@1.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Publisher changed: npm content-disposition is now published by ulisesgascon instead of wesleytodd New Author: ulisesgascon Previous Author: wesleytodd From: ? → npm/@metamask/snaps-cli@8.3.0 → npm/content-disposition@1.0.1 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/content-disposition@1.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Publisher changed: npm encodeurl is now published by blakeembrey instead of dougwilson New Author: blakeembrey Previous Author: dougwilson From: ? → npm/@metamask/snaps-cli@8.3.0 → npm/encodeurl@2.0.0 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/encodeurl@2.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Publisher changed: npm http-errors is now published by ulisesgascon instead of dougwilson New Author: ulisesgascon Previous Author: dougwilson From: ? → npm/@metamask/snaps-cli@8.3.0 → npm/http-errors@2.0.1 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/http-errors@2.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Publisher changed: npm iconv-lite is now published by bsebas instead of ashtuchkin New Author: bsebas Previous Author: ashtuchkin From: ? → npm/@metamask/snaps-cli@8.3.0 → npm/iconv-lite@0.7.0 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/iconv-lite@0.7.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Publisher changed: npm loader-runner is now published by evilebottnawi instead of sokra New Author: evilebottnawi Previous Author: sokra From: ? → npm/@metamask/snaps-cli@8.3.0 → npm/loader-runner@4.3.1 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/loader-runner@4.3.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Publisher changed: npm negotiator is now published by wesleytodd instead of dougwilson New Author: wesleytodd Previous Author: dougwilson From: ? → npm/@metamask/snaps-cli@8.3.0 → npm/negotiator@1.0.0 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/negotiator@1.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Publisher changed: npm router is now published by ulisesgascon instead of wesleytodd New Author: ulisesgascon Previous Author: wesleytodd From: ? → npm/@metamask/snaps-cli@8.3.0 → npm/router@2.2.0 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/router@2.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Publisher changed: npm statuses is now published by ulisesgascon instead of dougwilson New Author: ulisesgascon Previous Author: dougwilson From: ? → npm/@metamask/snaps-cli@8.3.0 → npm/statuses@2.0.2 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/statuses@2.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Publisher changed: npm type-is is now published by ulisesgascon instead of wesleytodd New Author: ulisesgascon Previous Author: wesleytodd From: ? → npm/@metamask/snaps-cli@8.3.0 → npm/type-is@2.0.1 ℹ Read more on: This package | This alert | What is new author? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/type-is@2.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm @webassemblyjs/helper-wasm-section is 100.0% likely to have a medium risk anomaly Notes: The code appears to be a legitimate utility for inserting an empty section into a WebAssembly module binary and updating both the in-memory AST and the binary buffer. There is no evidence of data leakage, remote control, or malicious behavior in this fragment. Confidence: 1.00 Severity: 0.60 From: ? → npm/@metamask/snaps-cli@8.3.0 → npm/@webassemblyjs/helper-wasm-section@1.14.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@webassemblyjs/helper-wasm-section@1.14.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm @webassemblyjs/wasm-parser is 100.0% likely to have a medium risk anomaly Notes: The code is a legitimate WebAssembly binary decoder/AST builder. It decodes a WASM module into a rich AST representation without performing harmful actions, network activity, or data exfiltration. The primary security considerations are ensuring trust in the library's source and keeping dependencies current, as with any third-party tool. If kept updated and used with proper input validation, the component poses no immediate malicious risk based on this fragment. Confidence: 1.00 Severity: 0.60 From: ? → npm/@metamask/snaps-cli@8.3.0 → npm/@webassemblyjs/wasm-parser@1.14.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@webassemblyjs/wasm-parser@1.14.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm acorn is 100.0% likely to have a medium risk anomaly Notes: Overall, the analyzed code is a legitimate, well-structured Acorn 8.x parser fragment with robust handling for ES2020+ features. There is no direct malicious payload, backdoor, or exfiltration mechanism within this fragment. The primary security considerations relate to safe handling of untrusted input to avoid DoS via complex/ pathological RegExp usage or verbose error reporting. In a typical extension usage, isolate parsing to a sandbox and limit resource usage to mitigate potential abuse. Confidence: 1.00 Severity: 0.60 From: ? → npm/@metamask/snaps-cli@8.3.0 → npm/acorn@8.15.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/acorn@8.15.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm function-bind is 100.0% likely to have a medium risk anomaly Notes: The code is a standard Function.prototype.bind polyfill implementation. It carefully handles this binding, constructor behavior, and argument binding without introducing observable malicious behavior. The dynamic Function constructor is used as part of a legitimate polyfill technique and does not indicate an attack by itself in this context. Confidence: 1.00 Severity: 0.60 From: ? → npm/@metamask/snaps-cli@8.3.0 → npm/function-bind@1.1.2 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/function-bind@1.1.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm synckit is 100.0% likely to have a medium risk anomaly Notes: The code is a sophisticated, legitimate utility for managing worker threads with various TypeScript runtimes and global shims. It does not exhibit explicit malicious behavior, hardcoded secrets, or standard malware patterns. The main security considerations relate to the safe handling of workerPath/globalShims inputs and ensuring that only trusted, validated worker code is executed in worker contexts. Overall risk is moderate due to the dynamic nature of code loading, but the fragment itself is a standard, non-malicious utility module. Confidence: 1.00 Severity: 0.60 From: package.json → npm/eslint-plugin-prettier@5.5.4 → npm/synckit@0.11.11 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/synckit@0.11.11. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm terser is 100.0% likely to have a medium risk anomaly Notes: Conclusion: The fragment is a benign static list of DOM/Web API identifiers used for tooling purposes (e.g., property enumeration, whitelist checks, or code generation). There is no evidence of malicious behavior, data exfiltration, or backdoors within this fragment alone. Overall security risk is low for this isolated piece; assessment should consider how the list is used in the broader codebase. Confidence: 1.00 Severity: 0.60 From: ? → npm/@metamask/snaps-cli@8.3.0 → npm/terser@5.44.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/terser@5.44.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm webpack is 100.0% likely to have a medium risk anomaly Notes: This is a straightforward wasm-based hash wrapper. There is no evident malware behavior, external data leakage, or suspicious network/activity. The usage pattern is benign: loading a precompiled wasm blob and exposing a hashing function through a wrapper. No hardcoded secrets, no environment-variable use, and no dynamic code evaluation observed. However, the embedded wasm payload represents a potential supply chain risk if the binary is tampered in distribution; integrity verification (hashes/signatures) is essential. Confidence: 1.00 Severity: 0.60 From: packages/snap/package.json → npm/@metamask/snaps-cli@8.3.0 → npm/webpack@5.103.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/webpack@5.103.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[cursor]

Bug: Deleted patch file still referenced in resolutions

The @noble/hashes patch file at .yarn/patches/@noble-hashes-npm-1.7.1-4106ab26c5.patch was deleted, but the resolutions field still references it for three version ranges. Yarn will fail when attempting to apply the non-existent patch during installation, breaking the build process.

 

[cursor]

Bug: Incompatible Prettier and eslint-plugin-prettier versions

The snap package updated prettier to ^3.5.3 but kept eslint-plugin-prettier at ^4.2.1. Prettier 3.x introduced breaking API changes that require eslint-plugin-prettier version 5.x or higher. This mismatch will cause runtime errors when ESLint attempts to run Prettier, such as prettier.resolveConfig.sync is not a function.

 

[shane-t]

No longer needed due to @ccharly 's PR