chore: bump @metamask dependencies #576

Draft
cryptodev-2s wants to merge 1 commit into main from chore/bump-metamask-deps

cryptodev-2s (Contributor) commented Mar 30, 2026

Summary

  • Bump @metamask/eth-json-rpc-provider from ^4.1.6 to ^6.0.1 (6.0.1)
    Replace SafeEventEmitterProvider with InternalProvider, migrate to JsonRpcEngineV2, remove providerFromEngine
  • Bump @metamask/messenger from ^0.3.0 to ^1.0.0 (1.0.0)
    Stability promotion, no API changes
  • Bump @metamask/controller-utils from ^11.0.0 to ^11.19.0 (11.19.0)
    Add new built-in networks (Base, Arbitrum, BSC, Optimism, Polygon, Sei, MegaETH, Monad), ServicePolicy improvements, HttpError class, time constants
  • Bump @metamask/transaction-controller from ^63.0.0 to ^63.3.1 (63.3.1)
    Add perpsWithdraw and Money Account transaction types, fix Sentry unsubscribe issue
  • Bump @metamask/utils from ^11.0.0 to ^11.9.0 (11.9.0)
    Add sha256 utility, areUint8ArraysEqual, CAIP namespace additions (Tron, Stellar), unit conversion utils, perf improvements
  • Bump @metamask/base-controller from ^9.0.0 to ^9.0.1 (9.0.1)
    Dependency bumps only (messenger, utils)
  • Bump @metamask/network-controller from ^30.0.0 to ^30.0.1 (30.0.1)
    Dependency bumps only
  • Bump @metamask/polling-controller from ^16.0.0 to ^16.0.4 (16.0.4)
    Dependency bumps only
  • Bump @metamask/remote-feature-flag-controller from ^4.1.0 to ^4.2.0 (4.2.0)
    Expose enable/disable messenger actions
  • Migrate test helper from removed providerFromEngine to InternalProvider (breaking change in eth-json-rpc-provider v6)

Test plan

  • Build passes
  • Lint passes (no new warnings)
  • All 184 tests pass
  • Coverage thresholds met
  • Type checks pass

Note

Medium Risk
Upgrades multiple MetaMask controller/provider dependencies, including a major bump of @metamask/eth-json-rpc-provider, which can introduce subtle runtime/typing behavior changes. The only direct code change is the test provider construction update, but transitive dependency updates broaden the regression surface.

Overview
Updates MetaMask dependency set, bumping core packages like @metamask/eth-json-rpc-provider (to v6), @metamask/messenger (to v1), @metamask/controller-utils, @metamask/transaction-controller, and related controllers/utilities, with corresponding yarn.lock refresh.

Adjusts tests for breaking provider API changes by replacing providerFromEngine usage with new InternalProvider({ engine }) in tests/helpers.ts.

Written by Cursor Bugbot for commit fc6c020. This will update automatically on new commits. Configure here.
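
An added example for reviewers, not part of the PR or the MetaMask repository: it triages the caret-range bumps listed in the summary, separating those whose new minimum falls outside the old caret range (changelog review needed) from those that only raise the floor inside it. The `BUMPS` table is transcribed from the summary above; all function names are hypothetical.

```javascript
// Constructed input: [package, old range, new range], copied from the PR summary.
const BUMPS = [
  ["@metamask/eth-json-rpc-provider", "^4.1.6", "^6.0.1"],
  ["@metamask/messenger", "^0.3.0", "^1.0.0"],
  ["@metamask/controller-utils", "^11.0.0", "^11.19.0"],
  ["@metamask/transaction-controller", "^63.0.0", "^63.3.1"],
  ["@metamask/utils", "^11.0.0", "^11.9.0"],
  ["@metamask/base-controller", "^9.0.0", "^9.0.1"],
  ["@metamask/network-controller", "^30.0.0", "^30.0.1"],
  ["@metamask/polling-controller", "^16.0.0", "^16.0.4"],
  ["@metamask/remote-feature-flag-controller", "^4.1.0", "^4.2.0"],
];

// Parse "^1.2.3" into [1, 2, 3]; only plain caret ranges are handled.
function parseCaret(range) {
  const m = /^\^(\d+)\.(\d+)\.(\d+)$/.exec(range);
  if (!m) throw new Error(`unsupported range: ${range}`);
  return m.slice(1).map(Number);
}

// Exclusive upper bound of a caret range: bump the left-most non-zero part.
// For 0.x versions this means ^0.3.0 allows only 0.3.x.
function caretCeiling([major, minor, patch]) {
  if (major > 0) return [major + 1, 0, 0];
  if (minor > 0) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// "breaking": new floor is at or above the old range's ceiling.
// "raise-floor": new floor was already permitted by the old range.
function classify(oldRange, newRange) {
  const oldV = parseCaret(oldRange), newV = parseCaret(newRange);
  if (cmp(newV, oldV) < 0) return "downgrade";
  if (cmp(newV, oldV) === 0) return "unchanged";
  return cmp(newV, caretCeiling(oldV)) >= 0 ? "breaking" : "raise-floor";
}

const triage = (bumps) =>
  bumps.map(([name, from, to]) => ({ name, from, to, kind: classify(from, to) }));
const breakingPackages = (bumps) =>
  triage(bumps).filter((b) => b.kind === "breaking").map((b) => b.name);

console.table(triage(BUMPS));
```

A "raise-floor" result does not mean the lockfile is unchanged: transitive dependencies pulled in by the new minimum still need review, as the Socket alert on `@metamask/snaps-controllers` in this thread shows.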

@cryptodev-2s cryptodev-2s requested a review from a team as a code owner March 30, 2026 09:21
cryptodev-2s (Contributor, Author) commented

@metamaskbot publish-preview

socket-security bot commented Mar 30, 2026

Caution

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action: Block
Severity: High
Alert: Obfuscated code: npm @metamask/snaps-controllers is 98.0% likely obfuscated

Confidence: 0.98

Location: Package overview

From: ? → npm/@metamask/transaction-controller@63.3.1 → npm/@metamask/snaps-controllers@19.0.0

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/snaps-controllers@19.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Action: Block
Severity: Medium
Alert: Network access: npm @metamask/network-controller in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: package.json → npm/@metamask/network-controller@30.0.1

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@metamask/network-controller@30.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

@cryptodev-2s cryptodev-2s marked this pull request as draft March 30, 2026 09:24
Update eth-json-rpc-provider to v6, messenger to v1, and other @MetaMask
packages to latest. Migrate test helper from removed providerFromEngine
to InternalProvider.
@cryptodev-2s cryptodev-2s force-pushed the chore/bump-metamask-deps branch from fc6c020 to a011ba8 Compare March 30, 2026 09:46