
chore: Update @metamask/eslint-config-typescript to v13 #26125

Draft
Gudahtt wants to merge 1 commit into main from update-typescript-eslint-config

@Gudahtt Gudahtt commented Feb 16, 2026

Description

The ESLint configuration for TypeScript has been updated to prepare for ESLint v9 (this is the last major version before ESLint v9 is required). Various related libraries needed to be updated as well.

The most disruptive part is that in v13, eslint-plugin-import was replaced with eslint-plugin-import-x. This required widespread changes to any reference to an import/ rule (it's now import-x/), but there should be no functional changes. eslint-plugin-import-x is a drop-in replacement for eslint-plugin-import.

Changelog

CHANGELOG entry: null

Related issues

N/A

Manual testing steps

N/A

Screenshots/Recordings

N/A

Pre-merge author checklist

Pre-merge reviewer checklist

  • I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
  • I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and/or screenshots.

@metamaskbot added the team-core-platform (Core Platform team) label Feb 16, 2026
@Gudahtt force-pushed the update-typescript-eslint-config branch from 4d9f943 to c0df069, February 16, 2026 14:24
socket-security bot commented Feb 16, 2026

Caution

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION

Action Severity Alert
Block Medium
Network access: npm @emnapi/core in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: ? → npm/eslint-import-resolver-typescript@3.10.1 → npm/eslint-plugin-import-x@4.16.1 → npm/@emnapi/core@1.8.1

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/core@1.8.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm @tybys/wasm-util in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: ? → npm/eslint-import-resolver-typescript@3.10.1 → npm/eslint-plugin-import-x@4.16.1 → npm/@tybys/wasm-util@0.10.1

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tybys/wasm-util@0.10.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm @typescript-eslint/eslint-plugin in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: package.json → npm/@typescript-eslint/eslint-plugin@8.55.0

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@typescript-eslint/eslint-plugin@8.55.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm @unrs/resolver-binding-wasm32-wasi in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: ? → npm/eslint-import-resolver-typescript@3.10.1 → npm/eslint-plugin-import-x@4.16.1 → npm/@unrs/resolver-binding-wasm32-wasi@1.11.1

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@unrs/resolver-binding-wasm32-wasi@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm napi-postinstall in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: ? → npm/eslint-import-resolver-typescript@3.10.1 → npm/eslint-plugin-import-x@4.16.1 → npm/napi-postinstall@0.3.4

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/napi-postinstall@0.3.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
System shell access: npm unrs-resolver in module child_process

Module: child_process

Location: Package overview

From: ? → npm/eslint-import-resolver-typescript@3.10.1 → npm/eslint-plugin-import-x@4.16.1 → npm/unrs-resolver@1.11.1

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/unrs-resolver@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Install-time scripts: npm unrs-resolver during postinstall

Install script: postinstall

Source: napi-postinstall unrs-resolver 1.11.1 check

From: ? → npm/eslint-import-resolver-typescript@3.10.1 → npm/eslint-plugin-import-x@4.16.1 → npm/unrs-resolver@1.11.1

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/unrs-resolver@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm @napi-rs/wasm-runtime is 100.0% likely to have a medium risk anomaly

Notes: The fragment appears to implement a substantial WASI/N-API bridge with comprehensive memory and filesystem interfacing. There is no concrete evidence of malicious payloads such as data exfiltration, backdoors, or remote command execution in this snippet. The primary concerns relate to the unusual in-browser input path (readStdin) and the large surface area for data flows across threads and FFI boundaries. A targeted, broader audit of the complete module and any wasm payloads loaded through these bindings is recommended to ensure rights enforcement and memory safety. Overall risk is moderate but current evidence does not indicate active malware.

Confidence: 1.00

Severity: 0.60

From: ? → npm/eslint-import-resolver-typescript@3.10.1 → npm/eslint-plugin-import-x@4.16.1 → npm/@napi-rs/wasm-runtime@0.2.12

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@napi-rs/wasm-runtime@0.2.12. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm @unrs/resolver-binding-wasm32-wasi is 100.0% likely to have a medium risk anomaly

Notes: This loader establishes a Node.js WASI/worker environment that: 1) passes the entire host process.env into the WASI instance (exposing all environment variables, including secrets, to loaded modules); 2) preopens the filesystem root (granting broad file read/write access under the host’s root directory); and 3) implements importScripts via synchronous fs.readFileSync + eval (allowing any local JS file to be executed in the loader context). If an untrusted or compromised WASM module or script is provided, it can read sensitive environment variables, access or modify arbitrary files, and execute arbitrary JavaScript—posing a moderate security risk. Recommended mitigations: restrict WASI preopens to a minimal directory, limit or sanitize environment variables passed into WASI, and replace or sandbox the eval-based importScripts mechanism.

Confidence: 1.00

Severity: 0.60

From: ? → npm/eslint-import-resolver-typescript@3.10.1 → npm/eslint-plugin-import-x@4.16.1 → npm/@unrs/resolver-binding-wasm32-wasi@1.11.1

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@unrs/resolver-binding-wasm32-wasi@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm ignore is 100.0% likely to have a medium risk anomaly

Notes: The code fragment represents a conventional, well-structured path-ignore utility with caching and recursive parent-directory evaluation. Windows path normalization is present for compatibility but does not indicate malicious intent. No indicators of data leakage, external communication, or covert backdoors were found. Security impact primarily revolves around correct ignore semantics rather than intrinsic vulnerabilities. The component remains appropriate for use in a broader security-conscious pipeline if used with careful awareness of what is being ignored.

Confidence: 1.00

Severity: 0.60

From: ? → npm/@typescript-eslint/eslint-plugin@8.55.0 → npm/ignore@7.0.5

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ignore@7.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm unrs-resolver is 100.0% likely to have a medium risk anomaly

Notes: This command itself is a legitimate-looking native postinstall invocation, but it runs an arbitrary executable (napi-postinstall) supplied by the package ecosystem. That executable could be benign (installing/validating native binaries) or malicious (downloading and executing arbitrary code, installing backdoors, modifying files). Inspect the source of the napi-postinstall binary (or the package that supplies it), its network activity, and any downloaded artifacts before trusting it.

Confidence: 1.00

Severity: 0.60

From: ? → npm/eslint-import-resolver-typescript@3.10.1 → npm/eslint-plugin-import-x@4.16.1 → npm/unrs-resolver@1.11.1

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/unrs-resolver@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

@Gudahtt force-pushed the update-typescript-eslint-config branch from c0df069 to 7c7f2be, February 16, 2026 14:36
The ESLint configuration for TypeScript has been updated to prepare for
ESLint v9 (this is the last major version before ESLint v9 is
required). Various related libraries needed to be updated as well.

The most disruptive part is that in v13, `eslint-plugin-import` was
replaced with `eslint-plugin-import-x`. This required widespread
changes to any reference to an `import/` rule (it's now `import-x/`),
but there should be no functional changes. `eslint-plugin-import-x` is
a drop-in replacement for `eslint-plugin-import`.
@Gudahtt force-pushed the update-typescript-eslint-config branch from 7c7f2be to 96334b5, February 16, 2026 14:36
@github-actions

🔍 Smart E2E Test Selection

  • Selected E2E tags: None (no tests recommended)
  • Selected Performance tags: None (no tests recommended)
  • Risk Level: low
  • AI Confidence: 95%

E2E Test Selection:
This PR is a pure linting/code style change that adds ESLint disable comments across 100 files. The changes include:

  1. Adding /* eslint-disable import-x/prefer-default-export */ to files with named exports
  2. Adding /* eslint-disable import-x/no-commonjs */ to files using require() statements
  3. Adding /* eslint-disable import-x/no-nodejs-modules */ to files using Node.js modules
  4. Adding /* eslint-disable import-x/no-namespace */ to test files using namespace imports
  5. Adding /* eslint-disable import-x/no-extraneous-dependencies */ to mock files
  6. Adding /* eslint-disable import-x/no-unresolved */ to files with unresolved imports

These are purely cosmetic changes that add ESLint disable comments to suppress linting warnings. No functional code is being modified:

  • No business logic changes
  • No component behavior changes
  • No user flow modifications
  • No test assertion changes
  • No API or data handling changes

The application behavior remains exactly the same. This is a very low-risk change that doesn't require E2E testing since the changes are only adding comments to the codebase.

Performance Test Selection:
This PR only adds ESLint disable comments across files. No functional code changes are made that could impact app performance. The changes are purely cosmetic/linting-related and don't affect rendering, data loading, state management, or any other performance-sensitive areas.
