
Resolve yarn peer dependency warnings #123

Merged: jeffsmale90 merged 5 commits into main from chore/dependencies on Jan 9, 2026

jeffsmale90 (Collaborator) commented Jan 6, 2026

📝 Description

Update dependencies to resolve yarn warnings in preparation for stable launch.

This is intended as a first step towards resolving dependency security alerts.

Now:

➜ yarn
➤ YN0000: · Yarn 4.10.1
➤ YN0000: ┌ Resolution step
➤ YN0000: └ Completed
➤ YN0000: ┌ Fetch step
➤ YN0000: └ Completed
➤ YN0000: ┌ Link step
➤ YN0000: └ Completed

Before:

➜ yarn
➤ YN0000: · Yarn 4.10.1
➤ YN0000: ┌ Resolution step
➤ YN0000: └ Completed
➤ YN0000: ┌ Post-resolution validation
➤ YN0060: │ @types/node is listed by your project with version 20.16.11 (p71921e), which doesn't satisfy what vite (via vitest) and other dependencies request (^20.19.0 || >=22.12.0).
➤ YN0060: │ @types/node is listed by your project with version 20.16.11 (pc04a4e), which doesn't satisfy what vite (via vitest) and other dependencies request (^20.19.0 || >=22.12.0).
➤ YN0060: │ @types/node is listed by your project with version 20.16.11 (pcb6609), which doesn't satisfy what vite (via vitest) and other dependencies request (^20.19.0 || >=22.12.0).
➤ YN0060: │ eslint-plugin-import is listed by your project with version 2.31.0 (p43a0df), which doesn't satisfy what @metamask/eslint-config and other dependencies request (~2.26.0).
➤ YN0060: │ eslint-plugin-prettier is listed by your project with version 5.2.6 (p17cb0f), which doesn't satisfy what @metamask/eslint-config requests (^4.2.1).
➤ YN0060: │ prettier is listed by your project with version 3.5.3 (p442b96), which doesn't satisfy what @metamask/eslint-config and other dependencies request (but they have non-overlapping ranges!).
➤ YN0060: │ prettier is listed by your project with version 3.5.3 (p5e14ef), which doesn't satisfy what @metamask/eslint-config and other dependencies request (but they have non-overlapping ranges!).
➤ YN0060: │ prettier is listed by your project with version 3.5.3 (p7ef423), which doesn't satisfy what @metamask/eslint-config and other dependencies request (but they have non-overlapping ranges!).
➤ YN0060: │ typescript is listed by your project with version 5.0.4 (p483df8), which doesn't satisfy what ox (via viem) and other dependencies request (but they have non-overlapping ranges!).
➤ YN0060: │ typescript is listed by your project with version 5.0.4 (p5ff341), which doesn't satisfy what ox (via viem) and other dependencies request (but they have non-overlapping ranges!).
➤ YN0060: │ typescript is listed by your project with version 5.0.4 (pe294b8), which doesn't satisfy what ox (via viem) and other dependencies request (but they have non-overlapping ranges!).
➤ YN0002: │ @metamask/7715-permission-types@workspace:packages/7715-permission-types doesn't provide prettier (pbc8a5c), requested by @metamask/auto-changelog.
➤ YN0002: │ @metamask/delegation-abis@workspace:packages/delegation-abis doesn't provide prettier (p1c6378), requested by @metamask/auto-changelog.
➤ YN0002: │ @metamask/delegation-core@workspace:packages/delegation-core doesn't provide prettier (p220cdc), requested by @metamask/auto-changelog.
➤ YN0002: │ @metamask/delegation-deployments@workspace:packages/delegation-deployments doesn't provide prettier (p149aed), requested by @metamask/auto-changelog.
➤ YN0002: │ @metamask/delegator-e2e@workspace:packages/delegator-e2e doesn't provide viem (p1f0b6e), requested by permissionless.
➤ YN0002: │ @metamask/smart-accounts-kit@workspace:packages/smart-accounts-kit [2a3fd] doesn't provide eslint-config-prettier (p385a38), requested by @metamask/eslint-config.
➤ YN0002: │ @metamask/smart-accounts-kit@workspace:packages/smart-accounts-kit [2a3fd] doesn't provide eslint-plugin-import (p3d3105), requested by @metamask/eslint-config.
➤ YN0002: │ @metamask/smart-accounts-kit@workspace:packages/smart-accounts-kit [2a3fd] doesn't provide eslint-plugin-jsdoc (pc21b02), requested by @metamask/eslint-config.
➤ YN0002: │ @metamask/smart-accounts-kit@workspace:packages/smart-accounts-kit [2a3fd] doesn't provide eslint-plugin-n (p9a7082), requested by @metamask/eslint-config-nodejs.
➤ YN0002: │ @metamask/smart-accounts-kit@workspace:packages/smart-accounts-kit [2a3fd] doesn't provide eslint-plugin-prettier (p4c188d), requested by @metamask/eslint-config.
➤ YN0002: │ @metamask/smart-accounts-kit@workspace:packages/smart-accounts-kit [2a3fd] doesn't provide eslint-plugin-promise (p5ba430), requested by @metamask/eslint-config.
➤ YN0002: │ @metamask/smart-accounts-kit@workspace:packages/smart-accounts-kit doesn't provide eslint-config-prettier (pf53cf8), requested by @metamask/eslint-config.
➤ YN0002: │ @metamask/smart-accounts-kit@workspace:packages/smart-accounts-kit doesn't provide eslint-plugin-import (pe8fe64), requested by @metamask/eslint-config.
➤ YN0002: │ @metamask/smart-accounts-kit@workspace:packages/smart-accounts-kit doesn't provide eslint-plugin-jsdoc (p16a950), requested by @metamask/eslint-config.
➤ YN0002: │ @metamask/smart-accounts-kit@workspace:packages/smart-accounts-kit doesn't provide eslint-plugin-n (p2edc46), requested by @metamask/eslint-config-nodejs.
➤ YN0002: │ @metamask/smart-accounts-kit@workspace:packages/smart-accounts-kit doesn't provide eslint-plugin-prettier (p129e21), requested by @metamask/eslint-config.
➤ YN0002: │ @metamask/smart-accounts-kit@workspace:packages/smart-accounts-kit doesn't provide eslint-plugin-promise (p483e37), requested by @metamask/eslint-config.
➤ YN0086: │ Some peer dependencies are incorrectly met by your project; run yarn explain peer-requirements <hash> for details, where <hash> is the six-letter p-prefixed code.
➤ YN0086: │ Some peer dependencies are incorrectly met by dependencies; run yarn explain peer-requirements for details.
➤ YN0000: └ Completed
➤ YN0000: ┌ Fetch step
➤ YN0000: └ Completed
➤ YN0000: ┌ Link step
➤ YN0000: └ Completed

🔄 What Changed?

This got a little out of hand - I had to make a number of changes to resolve eslint issues. Look at individual changes to see it broken out.

Bump various dependencies:
Shared tooling / root package.json
• @metamask/eslint-config: ^12.0.0 → 14.1.0
• @metamask/eslint-config-nodejs: ^12.0.0 → 14.0.0
• @metamask/eslint-config-typescript: ^12.0.0 → 14.0.0
• eslint: ^8.56.0 → ^9.0.0
• eslint-config-prettier: ^8.5.0 → ^9.1.0
• eslint-plugin-jsdoc: ^41.1.2 → ^50.2.4
• eslint-plugin-n: ^15.7.0 → ^17.10.3
• eslint-plugin-prettier: “latest” → ^5.2.6
• eslint-plugin-promise: ^6.1.1 → ^7.1.0
• typescript: 5.0.4 → 5.5.4

(Also: eslint-plugin-import was replaced by eslint-plugin-import-x@^4.0.0, and typescript-eslint@^8.0.0 was added — new packages rather than bumps.)

packages/7715-permission-types/package.json
• typescript: 5.0.4 → 5.5.4

(Plus new prettier@^3.5.3.)

packages/delegation-abis/package.json
• typescript: 5.0.4 → 5.5.4

(Plus new prettier@^3.5.3.)

packages/delegation-core/package.json
• @types/node: ^20.10.6 → ^20.19.0
• typescript: 5.0.4 → 5.5.4

(Plus new prettier@^3.5.3.)

packages/delegation-deployments/package.json
• typescript: 5.0.4 → 5.5.4

(Plus new prettier@^3.5.3.)

packages/smart-accounts-kit/package.json
• @metamask/eslint-config: ^12.0.0 → 14.1.0
• @metamask/eslint-config-nodejs: ^12.0.0 → 14.0.0
• @metamask/eslint-config-typescript: ^12.0.0 → 14.0.0
• @types/node: ^20.10.6 → ^20.19.0
• eslint: ^8.56.0 → ^9.0.0
• prettier: ^3.3.3 → ^3.5.3
• typescript: 5.0.4 → 5.5.4

(Also adds eslint-config-prettier@^9.1.0, eslint-import-resolver-typescript@^3.6.1, eslint-plugin-import-x@^4.0.0, eslint-plugin-jsdoc@^50.2.4, eslint-plugin-n@^17.10.3, eslint-plugin-prettier@^5.5.4, eslint-plugin-promise@^7.1.0, and typescript-eslint@^8.0.0 as new dependencies.)

🚀 Why?

Resolves yarn warnings, and potentially broken developer functionality.

🧪 How to Test?

Describe how to test these changes:

Everything should work as normal

⚠️ Breaking Changes

List any breaking changes:

  • No breaking changes
  • Breaking changes (describe below):

📋 Checklist

Check off completed items:

  • Code follows the project's coding standards
  • Self-review completed
  • Documentation updated (if needed)
  • Tests added/updated
  • Changelog updated (if needed)
  • All CI checks pass

🔗 Related Issues

Link to related issues:
Closes #
Related to #

📚 Additional Notes

Any additional information, concerns, or context:


Note

Modernizes linting/TypeScript/tooling across the monorepo and fixes code to comply, eliminating Yarn peer warnings.

  • Upgrade dev tooling: ESLint 9 + @MetaMask configs 14, TypeScript 5.5, add typescript-eslint, switch to eslint-plugin-import-x, bump @types/node, add missing prettier/viem; update LavaMoat and Yarn packageExtensions
  • Introduce shared flat ESLint config (shared/config/base.eslint.mjs); migrate packages to eslint.config.mjs, add/lint scripts, remove legacy .eslintrc.*
  • Widespread lint/typing cleanups: explicit return types, readonly fields, stricter hex/bytes typings, improved error handling, import/name tweaks, constant renames (UPPER_CASE), small logic guards; no API changes intended
  • Deployment/e2e polish: stronger validation script (better RPC overrides, errors, exits), inline ENTRYPOINT in e2e, viem pinned
  • Minor TS/tsconfig tweaks and dependency bumps across delegation-*, 7715-permission-types, and smart-accounts-kit

Written by Cursor Bugbot for commit 2407dee. This will update automatically on new commits. Configure here.
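To keep the peer-dependency warnings from the "Before" output in the description above from creeping back in, the install log can be parsed and used as a CI gate. The following is an added example, not code from this PR or repository: the function names are hypothetical, the sample lines are copied from that "Before" output, and the patterns assume the message wording Yarn 4.10.1 prints there.

```javascript
// Added example: gate CI on Yarn peer-dependency warnings (YN0060 / YN0002).
// Function names are hypothetical; sample lines are copied from the "Before" output above.
const SAMPLE_BEFORE = [
  "➤ YN0000: ┌ Post-resolution validation",
  "➤ YN0060: │ @types/node is listed by your project with version 20.16.11 (p71921e), which doesn't satisfy what vite (via vitest) and other dependencies request (^20.19.0 || >=22.12.0).",
  "➤ YN0060: │ eslint-plugin-prettier is listed by your project with version 5.2.6 (p17cb0f), which doesn't satisfy what @metamask/eslint-config requests (^4.2.1).",
  "➤ YN0060: │ prettier is listed by your project with version 3.5.3 (p442b96), which doesn't satisfy what @metamask/eslint-config and other dependencies request (but they have non-overlapping ranges!).",
  "➤ YN0002: │ @metamask/delegation-core@workspace:packages/delegation-core doesn't provide prettier (p220cdc), requested by @metamask/auto-changelog.",
  "➤ YN0002: │ @metamask/smart-accounts-kit@workspace:packages/smart-accounts-kit [2a3fd] doesn't provide eslint-plugin-n (p9a7082), requested by @metamask/eslint-config-nodejs.",
  "➤ YN0086: │ Some peer dependencies are incorrectly met by your project; run yarn explain peer-requirements <hash> for details, where <hash> is the six-letter p-prefixed code.",
  "➤ YN0000: └ Completed",
].join("\n");
const SAMPLE_AFTER = ["➤ YN0000: ┌ Resolution step", "➤ YN0000: └ Completed"].join("\n");

// Message code, optional tree-drawing character, then the message text.
const LINE = /\b(YN\d{4}):\s+(?:[│┌└·]\s+)?(.*)$/;
// YN0060: the project provides a version outside the range its dependencies request.
const MISMATCH = /^(\S+) is listed by your project with version (\S+) \((p[0-9a-f]+)\), which doesn't satisfy what (.+?) requests? \((.+)\)\.$/;
// YN0002: a workspace does not provide a peer dependency at all.
const MISSING = /^(\S+?)@workspace:(\S+)(?: \[[0-9a-f]+\])? doesn't provide (\S+) \((p[0-9a-f]+)\), requested by (\S+)\.$/;

function parsePeerWarnings(output) {
  const warnings = [];
  for (const raw of output.split(/\r?\n/)) {
    const line = LINE.exec(raw.trim());
    if (!line) continue;
    const [, code, message] = line;
    let m;
    if (code === "YN0060" && (m = MISMATCH.exec(message))) {
      warnings.push({ code, kind: "mismatch", dependency: m[1], provided: m[2],
        hash: m[3], requestedBy: m[4], wanted: m[5] });
    } else if (code === "YN0002" && (m = MISSING.exec(message))) {
      warnings.push({ code, kind: "missing", workspace: m[1], dependency: m[3],
        hash: m[4], requestedBy: m[5] });
    } else if (code === "YN0060" || code === "YN0002") {
      // Unrecognised wording: record it so the gate fails closed instead of passing.
      warnings.push({ code, kind: "unparsed", message });
    }
  }
  return warnings;
}

// Groups the p-prefixed hashes per dependency so each can be fed to
// `yarn explain peer-requirements <hash>`, and reports whether the log is clean.
function peerGate(output) {
  const warnings = parsePeerWarnings(output);
  const byDependency = {};
  for (const w of warnings) {
    const key = w.dependency || "(unparsed)";
    (byDependency[key] = byDependency[key] || []).push(w.hash || w.message);
  }
  return { ok: warnings.length === 0, count: warnings.length, byDependency };
}

console.log(peerGate(SAMPLE_BEFORE));
console.log(peerGate(SAMPLE_AFTER));
```

In CI, pass the captured output of `yarn` to `peerGate` and exit non-zero when `ok` is false.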


socket-security bot commented Jan 6, 2026

Caution

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action Severity Alert  (click "▶" to expand/collapse)
Block Medium
Network access: npm globals in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: ?npm/@metamask/[email protected]npm/[email protected]npm/@metamask/[email protected]npm/[email protected]

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
System shell access: npm unrs-resolver in module child_process

Module: child_process

Location: Package overview

From: ?npm/[email protected]npm/[email protected]

ℹ Read more on: This package | This alert | What is shell access?

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Warn Medium
Install-time scripts: npm unrs-resolver during postinstall

Install script: postinstall

Source: napi-postinstall unrs-resolver 1.11.1 check

From: ?npm/[email protected]npm/[email protected]

ℹ Read more on: This package | This alert | What is an install script?

Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Warn Low
Potential code anomaly (AI signal): npm ignore is 100.0% likely to have a medium risk anomaly

Notes: The code fragment represents a conventional, well-structured path-ignore utility with caching and recursive parent-directory evaluation. Windows path normalization is present for compatibility but does not indicate malicious intent. No indicators of data leakage, external communication, or covert backdoors were found. Security impact primarily revolves around correct ignore semantics rather than intrinsic vulnerabilities. The component remains appropriate for use in a broader security-conscious pipeline if used with careful awareness of what is being ignored.

Confidence: 1.00

Severity: 0.60

From: ?npm/[email protected]npm/[email protected]

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Warn Low
Potential code anomaly (AI signal): npm synckit is 100.0% likely to have a medium risk anomaly

Notes: The code is a sophisticated, legitimate utility for managing worker threads with various TypeScript runtimes and global shims. It does not exhibit explicit malicious behavior, hardcoded secrets, or standard malware patterns. The main security considerations relate to the safe handling of workerPath/globalShims inputs and ensuring that only trusted, validated worker code is executed in worker contexts. Overall risk is moderate due to the dynamic nature of code loading, but the fragment itself is a standard, non-malicious utility module.

Confidence: 1.00

Severity: 0.60

From: ?npm/[email protected]npm/[email protected]

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Warn Low
Potential code anomaly (AI signal): npm unrs-resolver is 100.0% likely to have a medium risk anomaly

Notes: This command itself is a legitimate-looking native postinstall invocation, but it runs an arbitrary executable (napi-postinstall) supplied by the package ecosystem. That executable could be benign (installing/validating native binaries) or malicious (downloading and executing arbitrary code, installing backdoors, modifying files). Inspect the source of the napi-postinstall binary (or the package that supplies it), its network activity, and any downloaded artifacts before trusting it.

Confidence: 1.00

Severity: 0.60

From: ?npm/[email protected]npm/[email protected]

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

@jeffsmale90 jeffsmale90 marked this pull request as ready for review January 7, 2026 02:18
@jeffsmale90 jeffsmale90 requested a review from a team as a code owner January 7, 2026 02:18
@jeffsmale90 jeffsmale90 force-pushed the chore/dependencies branch 2 times, most recently from f93398e to 5646f1a Compare January 7, 2026 03:30
return undefined;
})
.catch((error) => {
console.error(error.message);
Contributor

The catch handler could fail when the error isn't an Error object.

Collaborator Author

@jeffsmale90 jeffsmale90 Jan 9, 2026

it'd only fail if error was undefined / null - but it would provide an unhelpful message. I've updated to say "Failed with: ${message}" and adopted your suggestion for extracting the message from error: unknown.

Comment on lines 286 to 289
} catch {
console.error(`RPC Request failed for ${chain.name}: ${contractName}`);
hasThisChainFailed = true;
}
Contributor

I think it would be better to provide more details of the error.

Suggested change
} catch {
console.error(`RPC Request failed for ${chain.name}: ${contractName}`);
hasThisChainFailed = true;
}
} catch (error) {
const errorMessage = error instanceof Error ? error.message : String(error);
console.error(
`RPC Request failed for ${chain.name}: ${contractName} - ${errorMessage}`
);
hasThisChainFailed = true;
}

Collaborator Author

Good call - this is helpful. I've made the change as you suggested, and adopted the same error message format in the other catch block.

* The wallet will respond with an empty response when successful.
*/
export type RevokeExecutionPermissionResponseResult = {};
export type RevokeExecutionPermissionResponseResult = object;
Contributor

Is Record<string, never> a better choice than object here to represent an empty response type?

Collaborator Author

Probably - especially given the description above, but 1. I'm unsure where it's used, 2. I'm cautious to bundle a functional change into an already verbose PR 😢

I recommend if we want to change this, we bump it to a separate change. Also, I wonder if { status: "success" } wouldn't be a more helpful response than {}

*
* data - is a record of the data that is associated with the permission, and the structure is defined by the ERCs.
*/
// TODO: Consider openning up permission types with Custom / Unknown permissions in subseqential versions.
Contributor

Suggested change
// TODO: Consider openning up permission types with Custom / Unknown permissions in subseqential versions.
// TODO: Consider opening up permission types with Custom / Unknown permissions in subsequent versions.

Collaborator Author

nice

- improve error handling in validate-contract-deployments scripts
- fix comment
@jeffsmale90 jeffsmale90 requested a review from mj-kiwi January 9, 2026 02:34
Contributor

@mj-kiwi mj-kiwi left a comment

LGTM

@jeffsmale90
Collaborator Author

@SocketSecurity ignore npm/@emnapi/[email protected]
@SocketSecurity ignore npm/@tybys/[email protected]
@SocketSecurity ignore npm/@unrs/[email protected]
@SocketSecurity ignore npm/[email protected]
@SocketSecurity ignore npm/[email protected]
@SocketSecurity ignore npm/[email protected]
@SocketSecurity ignore npm/[email protected]

@jeffsmale90 jeffsmale90 merged commit 4c91044 into main Jan 9, 2026
12 of 13 checks passed
@jeffsmale90 jeffsmale90 deleted the chore/dependencies branch January 9, 2026 02:55