Upgrade to MM eslint-config-* v15 + ESLint 9

[mcmire]

The ESLint configuration is behind for this package. Keeping up to date with our current lint rules and lint config format helps to debug issues with ESLint now and in the future, and aligns this repo with our other repos.

A list of changes:

• Upgrade @metamask/eslint-config and @metamask/eslint-config-* packages to 15.0.0
• Upgrade ESLint to 9.x
• Upgrade TypeScript ESLint packages to 8.25.x
• Upgrade other ESLint packages to fulfill peer dependencies
• Fix lint violations as a result of the upgrade
• Ensure that all configuration files are being linted (some, such as the Babel config file, were being excluded)

Note that the rules for jsdoc/require-jsdoc have been refined. In performing this upgrade, many violations appeared that I thought didn't help readability. We may consider porting these back to the eslint-config repo.

---

Note

Upgrade lint stack to ESLint 9 + MetaMask eslint-config v15 (flat config) and apply code/test fixes to satisfy new rules.

• Tooling/Config:
  • Replace legacy .eslintrc.cjs with flat eslint.config.mjs; add ignores and import-x settings; override .cjs/.js to script mode (except bin/create-release-branch.js).
  • Upgrade to eslint@9, @metamask/eslint-config(-*)@15, @typescript-eslint v8; adopt eslint-plugin-import-x, eslint-import-resolver-typescript, eslint-plugin-n, eslint-plugin-promise.
  • Update package.json scripts (eslint .) and dev deps; add LavaMoat allowlist for eslint-plugin-import-x>unrs-resolver.
• Lint rules:
  • Enforce refined jsdoc/require-jsdoc and jsdoc/no-blank-blocks.
  • Enforce @typescript-eslint/explicit-function-return-type (expressions allowed).
• Code adjustments (lint fixes):
  • Add/clarify return types (e.g., Promise<void>, string), refine types and exports, reorder/import updates.
  • Use getErrorMessage for logging; small message tweaks and safer reductions.
  • Minor behavior polish (UI open browser Promise handling); tests updated to new imports/mocks.
• Misc:
  • Minor formatting/commas; keep Babel config functional; no runtime feature changes intended.

^{Written by Cursor Bugbot for commit b62321e. This will update automatically on new commits. Configure here.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​typescript-eslint/​parser@​5.62.0 ⏵ 8.49.0			+1
	typescript-eslint@​8.49.0
	@​metamask/​eslint-config-jest@​10.0.0 ⏵ 15.0.0	+3		+8	+8
	@​typescript-eslint/​eslint-plugin@​5.62.0 ⏵ 8.49.0			+2
	eslint-plugin-promise@​7.2.1
	@​metamask/​eslint-config@​10.0.0 ⏵ 15.0.0	+3		+8	+8
	@​metamask/​eslint-config-nodejs@​10.0.0 ⏵ 15.0.0	+4		+11	+5
	@​metamask/​eslint-config-typescript@​10.0.0 ⏵ 15.0.0	+1		+7	+8
	eslint-plugin-n@​17.23.1
	eslint-plugin-import-x@​4.16.1
	eslint-import-resolver-typescript@​3.10.1
	eslint@​8.39.0 ⏵ 9.39.1	+1			+45
	eslint-plugin-jsdoc@​39.6.2 ⏵ 50.8.0			+1	+1
	eslint-plugin-jest@​26.9.0 ⏵ 28.14.0			+1	+1

View full report

[socket-security]

Warning

MetaMask internal reviewing guidelines:

• Do not ignore-all
• Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
• Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
  @SocketSecurity ignore npm/PACKAGE@VERSION

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Potential code anomaly (AI signal): npm acorn is 100.0% likely to have a medium risk anomaly Notes: Overall, the analyzed code is a legitimate, well-structured Acorn 8.x parser fragment with robust handling for ES2020+ features. There is no direct malicious payload, backdoor, or exfiltration mechanism within this fragment. The primary security considerations relate to safe handling of untrusted input to avoid DoS via complex/ pathological RegExp usage or verbose error reporting. In a typical extension usage, isolate parsing to a sandbox and limit resource usage to mitigate potential abuse. Confidence: 1.00 Severity: 0.60 From: ? → npm/[email protected] → npm/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm ignore is 100.0% likely to have a medium risk anomaly Notes: The code fragment represents a conventional, well-structured path-ignore utility with caching and recursive parent-directory evaluation. Windows path normalization is present for compatibility but does not indicate malicious intent. No indicators of data leakage, external communication, or covert backdoors were found. Security impact primarily revolves around correct ignore semantics rather than intrinsic vulnerabilities. The component remains appropriate for use in a broader security-conscious pipeline if used with careful awareness of what is being ignored. Confidence: 1.00 Severity: 0.60 From: ? → npm/@typescript-eslint/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Ignoring alerts on:

• @unrs/[email protected]
• [email protected]
• @tybys/[email protected]
• [email protected]
• @emnapi/[email protected]
• @typescript-eslint/[email protected]
• @typescript-eslint/[email protected]

View full report

[mcmire]

@SocketSecurity ignore npm/@emnapi/[email protected]

This package is used to read WASM files, which require the use of fetch.

[mcmire]

@SocketSecurity ignore npm/@tybys/[email protected]

This package is also used to read WASM files, which requires the use of fetch.

[mcmire]

@SocketSecurity ignore npm/[email protected]

This PR disables the post-install script for this package.

[mcmire]

@SocketSecurity ignore npm/@unrs/[email protected]

This package is also used to read WASM files, which requires the use of fetch.

[mcmire]

@SocketSecurity ignore npm/@typescript-eslint/[email protected]

This is a known false positive.

[mcmire]

@SocketSecurity ignore npm/@typescript-eslint/[email protected]

This is a known false positive.

[mcmire]

@SocketSecurity ignore npm/[email protected]

This package seems to download packages from the NPM registry as one of its tasks.

It is used by unrs-resolver, which calls napi-postinstall in its postinstall script: https://socket.dev/npm/package/unrs-resolver/files/1.11.1/package.json#T551-596. But we have disabled that script, so no network access should be occurring.

[mcmire]

@property is now no longer allowed as a tag. I wanted a consistent way that we could document properties going forward, accounting for intersections or unions, so I made up this format. Let me know what you think.

[mcmire]

Writing out the return type for this function was going to be a huge chore, so I refactored the setup of these mocks.

[mcmire]

I decided to convert this to a "quasi-enum" as it made it easier to adapt to the new lint violations.

[mcmire]

As stated in the PR description, I found the new changes to this rule in MetaMask/eslint-config#394 rather strict. I removed TSPropertySignature as it began asking that properties in adhoc object types were documented. For instance:

function foo(): {
  // This is now required to be documented
  bar: string;
} {
  // ...
}

I also found a similar thing for arrow functions:

// The arrow function here is now required to be documented
foo(() => {
  // ...
})


foo({
  // The arrow function here is now required to be documented
  bar: () => {
    // ...
  }
})

So, I amended what this rule is looking for, which is explained in the comments below. I feel like this makes more sense, but happy to know y'all's thoughts.

[mcmire]

For future reference, I used https://astexplorer.net/ to test out the selectors (make sure to select @typescript-eslint/parser and Transform > ESLint v8).

[mcmire]

I realized that this existed and I found this to be a helpful rule. It seemed that with the new JSDoc rules, running yarn eslint --fix added a bunch of empty JSDoc blocks to various symbols. With this enabled, I was able to quickly find those and fill them in.

[mcmire]

Again, I found that this new rule was too strict. For instance:

return {
  // A return type is now required for this function
  message: () => 'foo',
  pass: false,
}