chore: Update @metamask/eslint-config-typescript to v13 #26125

Draft
Gudahtt wants to merge 1 commit into main from update-typescript-eslint-config

@Gudahtt (Member) commented Feb 16, 2026

Description

The ESLint configuration for TypeScript has been updated to prepare for ESLint v9 (this is the last major version before ESLint v9 is required). Various related libraries needed to be updated as well.

The most disruptive part is that in v13, eslint-plugin-import was replaced with eslint-plugin-import-x. This required widespread changes to any reference to an import/ rule (it's now import-x/), but there should be no functional changes. eslint-plugin-import-x is a drop-in replacement for eslint-plugin-import.

Changelog

CHANGELOG entry: null

Related issues

N/A

Manual testing steps

N/A

Screenshots/Recordings

N/A

Pre-merge author checklist

Pre-merge reviewer checklist

  • I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
  • I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and/or screenshots.

@metamaskbot metamaskbot added the team-core-platform Core Platform team label Feb 16, 2026
@Gudahtt Gudahtt force-pushed the update-typescript-eslint-config branch from 4d9f943 to c0df069 Compare February 16, 2026 14:24
socket-security bot commented Feb 16, 2026

Caution

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action Severity Alert
Block Medium
Network access: npm @emnapi/core in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: ? → npm/eslint-import-resolver-typescript@3.10.1 → npm/eslint-plugin-import-x@4.16.1 → npm/@emnapi/core@1.8.1

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/core@1.8.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm @tybys/wasm-util in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: ? → npm/eslint-import-resolver-typescript@3.10.1 → npm/eslint-plugin-import-x@4.16.1 → npm/@tybys/wasm-util@0.10.1

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tybys/wasm-util@0.10.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm @typescript-eslint/eslint-plugin in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: package.json → npm/@typescript-eslint/eslint-plugin@8.55.0

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@typescript-eslint/eslint-plugin@8.55.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm @unrs/resolver-binding-wasm32-wasi in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: ? → npm/eslint-import-resolver-typescript@3.10.1 → npm/eslint-plugin-import-x@4.16.1 → npm/@unrs/resolver-binding-wasm32-wasi@1.11.1

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@unrs/resolver-binding-wasm32-wasi@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm napi-postinstall in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: ? → npm/eslint-import-resolver-typescript@3.10.1 → npm/eslint-plugin-import-x@4.16.1 → npm/napi-postinstall@0.3.4

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/napi-postinstall@0.3.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
System shell access: npm unrs-resolver in module child_process

Module: child_process

Location: Package overview

From: ? → npm/eslint-import-resolver-typescript@3.10.1 → npm/eslint-plugin-import-x@4.16.1 → npm/unrs-resolver@1.11.1

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/unrs-resolver@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
Install-time scripts: npm unrs-resolver during postinstall

Install script: postinstall

Source: napi-postinstall unrs-resolver 1.11.1 check

From: ? → npm/eslint-import-resolver-typescript@3.10.1 → npm/eslint-plugin-import-x@4.16.1 → npm/unrs-resolver@1.11.1

Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/unrs-resolver@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm @napi-rs/wasm-runtime is 100.0% likely to have a medium risk anomaly

Notes: The fragment appears to implement a substantial WASI/N-API bridge with comprehensive memory and filesystem interfacing. There is no concrete evidence of malicious payloads such as data exfiltration, backdoors, or remote command execution in this snippet. The primary concerns relate to the unusual in-browser input path (readStdin) and the large surface area for data flows across threads and FFI boundaries. A targeted, broader audit of the complete module and any wasm payloads loaded through these bindings is recommended to ensure rights enforcement and memory safety. Overall risk is moderate but current evidence does not indicate active malware.

Confidence: 1.00

Severity: 0.60

From: ? → npm/eslint-import-resolver-typescript@3.10.1 → npm/eslint-plugin-import-x@4.16.1 → npm/@napi-rs/wasm-runtime@0.2.12

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@napi-rs/wasm-runtime@0.2.12. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm @unrs/resolver-binding-wasm32-wasi is 100.0% likely to have a medium risk anomaly

Notes: This loader establishes a Node.js WASI/worker environment that: 1) passes the entire host process.env into the WASI instance (exposing all environment variables, including secrets, to loaded modules); 2) preopens the filesystem root (granting broad file read/write access under the host’s root directory); and 3) implements importScripts via synchronous fs.readFileSync + eval (allowing any local JS file to be executed in the loader context). If an untrusted or compromised WASM module or script is provided, it can read sensitive environment variables, access or modify arbitrary files, and execute arbitrary JavaScript—posing a moderate security risk. Recommended mitigations: restrict WASI preopens to a minimal directory, limit or sanitize environment variables passed into WASI, and replace or sandbox the eval-based importScripts mechanism.

Confidence: 1.00

Severity: 0.60

From: ? → npm/eslint-import-resolver-typescript@3.10.1 → npm/eslint-plugin-import-x@4.16.1 → npm/@unrs/resolver-binding-wasm32-wasi@1.11.1

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@unrs/resolver-binding-wasm32-wasi@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm ignore is 100.0% likely to have a medium risk anomaly

Notes: The code fragment represents a conventional, well-structured path-ignore utility with caching and recursive parent-directory evaluation. Windows path normalization is present for compatibility but does not indicate malicious intent. No indicators of data leakage, external communication, or covert backdoors were found. Security impact primarily revolves around correct ignore semantics rather than intrinsic vulnerabilities. The component remains appropriate for use in a broader security-conscious pipeline if used with careful awareness of what is being ignored.

Confidence: 1.00

Severity: 0.60

From: ? → npm/@typescript-eslint/eslint-plugin@8.55.0 → npm/ignore@7.0.5

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ignore@7.0.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm unrs-resolver is 100.0% likely to have a medium risk anomaly

Notes: This command itself is a legitimate-looking native postinstall invocation, but it runs an arbitrary executable (napi-postinstall) supplied by the package ecosystem. That executable could be benign (installing/validating native binaries) or malicious (downloading and executing arbitrary code, installing backdoors, modifying files). Inspect the source of the napi-postinstall binary (or the package that supplies it), its network activity, and any downloaded artifacts before trusting it.

Confidence: 1.00

Severity: 0.60

From: ? → npm/eslint-import-resolver-typescript@3.10.1 → npm/eslint-plugin-import-x@4.16.1 → npm/unrs-resolver@1.11.1

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/unrs-resolver@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

@Gudahtt Gudahtt force-pushed the update-typescript-eslint-config branch 3 times, most recently from 96334b5 to d0e65bf Compare February 16, 2026 16:02
The ESLint configuration for TypeScript has been updated to prepare for
ESLint v9 (this is the last major version before ESLint v9 is
required). Various related libraries needed to be updated as well.

The most disruptive part is that in v13, `eslint-plugin-import` was
replaced with `eslint-plugin-import-x`. This required widespread
changes to any reference to an `import/` rule (it's now `import-x/`),
but there should be no functional changes. `eslint-plugin-import-x` is
a drop-in replacement for `eslint-plugin-import`.
@Gudahtt Gudahtt force-pushed the update-typescript-eslint-config branch from d0e65bf to 9fedc05 Compare February 16, 2026 16:11
@github-actions
Contributor

🔍 Smart E2E Test Selection

  • Selected E2E tags: None (no tests recommended)
  • Selected Performance tags: None (no tests recommended)
  • Risk Level: low
  • AI Confidence: 92%
E2E Test Selection:
This PR is a pure linting/code style change that adds ESLint disable comments across approximately 100 files. The changes include:

  1. Adding /* eslint-disable import-x/prefer-default-export */ to files with single named exports
  2. Adding /* eslint-disable import-x/no-commonjs */ to files using CommonJS require()
  3. Adding /* eslint-disable import-x/no-namespace */ to files using namespace imports
  4. Adding /* eslint-disable import-x/no-extraneous-dependencies */ to mock files

Key observations:

  • NO functional code changes - only ESLint disable comments added
  • NO component behavior modifications
  • NO test logic changes (only linting comments in test files)
  • NO runtime behavior impact

The changes affect component library constants, hooks, styles, test files, and mock files, but all modifications are purely adding comment lines to suppress ESLint warnings from the import-x plugin.

Since there are no functional changes to the application code, no E2E tests are needed to validate this PR. The changes cannot affect user flows, UI rendering, or any application functionality.

Performance Test Selection:
This PR contains only ESLint disable comments added to files - no functional code changes that could impact performance. No UI rendering changes, no state management changes, no data loading changes, and no component behavior modifications. Performance tests are not needed for pure linting/code style changes.
