feat: expose SmartTransactionsController methods through messenger

[cryptodev-2s]

Summary

• Expose SmartTransactionsController methods through the messenger pattern, aligning with the ongoing effort across all controllers
• Add generate-method-action-types script for automated method/action type generation
• Upgrade TypeScript from ~4.8.4 to ~5.3.3 required to run the generation script

New exported messenger actions

• SmartTransactionsController:checkPoll
• SmartTransactionsController:initializeSmartTransactionsForChainId
• SmartTransactionsController:poll
• SmartTransactionsController:stop
• SmartTransactionsController:setOptInState
• SmartTransactionsController:trackStxStatusChange
• SmartTransactionsController:isNewSmartTransaction
• SmartTransactionsController:updateSmartTransaction
• SmartTransactionsController:updateSmartTransactions
• SmartTransactionsController:fetchSmartTransactionsStatus
• SmartTransactionsController:clearFees
• SmartTransactionsController:getFees
• SmartTransactionsController:submitSignedTransactions
• SmartTransactionsController:cancelSmartTransaction
• SmartTransactionsController:fetchLiveness
• SmartTransactionsController:setStatusRefreshInterval
• SmartTransactionsController:getTransactions
• SmartTransactionsController:getSmartTransactionByMinedTxHash
• SmartTransactionsController:wipeSmartTransactions

Test plan

• yarn test passes
• yarn build succeeds
• Type-checking passes with tsc --noEmit

---

Note

Medium Risk
Adds many new messenger-exposed method actions and upgrades TypeScript to v5, which can break consumers via allowlist/API surface and type-checking changes.

Overview
Exposes SmartTransactionsController methods via the messenger by registering method action handlers for a new MESSENGER_EXPOSED_METHODS allowlist, and expands SmartTransactionsControllerActions to include the newly exposed method actions.

Adds an auto-generation pipeline for method action types (scripts/generate-method-action-types.ts) plus a generated SmartTransactionsController-method-action-types.ts, and exports these action types from src/index.ts.

BREAKING: upgrades TypeScript to ~5.3.3 and updates linting to enforce generated action types are checked/kept in sync (adds tsx, yargs, and related lockfile/lavamoat updates).

^{Written by Cursor Bugbot for commit 0ccc5fa. This will update automatically on new commits. Configure here.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​types/​eslint@​9.6.1
	tsx@​4.21.0
	typescript@​4.8.4 ⏵ 5.3.3	+1		-10		+10

View full report

[socket-security]

Caution

MetaMask internal reviewing guidelines:

• Do not ignore-all
• Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
• Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
  @SocketSecurity ignore npm/PACKAGE@VERSION

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Network access: npm esbuild in module https Module: https Location: Package overview From: ? → npm/tsx@4.21.0 → npm/esbuild@0.27.4 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/esbuild@0.27.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		System shell access: npm esbuild in module child_process Module: child_process Location: Package overview From: ? → npm/tsx@4.21.0 → npm/esbuild@0.27.4 ℹ Read more on: This package | This alert | What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/esbuild@0.27.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: npm esbuild in module globalThis["fetch"] Module: globalThis["fetch"] Location: Package overview From: ? → npm/tsx@4.21.0 → npm/esbuild@0.27.4 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/esbuild@0.27.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Install-time scripts: npm esbuild during postinstall Install script: postinstall Source: node install.js From: ? → npm/tsx@4.21.0 → npm/esbuild@0.27.4 ℹ Read more on: This package | This alert | What is an install script? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/esbuild@0.27.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm esbuild is 100.0% likely to have a medium risk anomaly Notes: The code represents a thorough and sophisticated installer for esbuild with multiple fallback mechanisms to acquire platform-appropriate binaries. While largely legitimate, its use of direct tarball downloads, manual extraction without explicit integrity validation, and the override/wrapper mechanism create nontrivial supply-chain and abuse risks. Recommend enabling strict binary integrity checks (checksums/signatures), minimizing or auditing the override/wrapper feature, and implementing tighter error visibility and logging to reduce operational risk and potential misuse. Confidence: 1.00 Severity: 0.60 From: ? → npm/tsx@4.21.0 → npm/esbuild@0.27.4 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/esbuild@0.27.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm esbuild is 100.0% likely to have a medium risk anomaly Notes: The analyzed fragment is a legitimate esbuild runtime bootstrapper handling cross-platform binary loading and IPC. No explicit malware behavior detected. Security risk is moderate due to binary provenance and deployment considerations; ensure integrity checks and secured deployment workflows. Improved confidence in assessment: higher than prior due to focused evaluation of the supply-chain and IPC aspects. Confidence: 1.00 Severity: 0.60 From: ? → npm/tsx@4.21.0 → npm/esbuild@0.27.4 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/esbuild@0.27.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm tsx is 100.0% likely to have a medium risk anomaly Notes: This fragment appears to be a bundler-generated bootstrap/initialization piece that imports many modules and executes an initialization function (r). No explicit malicious activity is evident within this fragment itself, but the risk stems from side effects of the imported modules on load. A careful review of the implementations of the imported modules (especially those exporting r and those performing initialization, build-time, or network/file operations) is recommended to rule out hidden telemetry, backdoors, or undesired side effects. Confidence: 1.00 Severity: 0.60 From: package.json → npm/tsx@4.21.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tsx@4.21.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm tsx is 100.0% likely to have a medium risk anomaly Notes: No clear indicators of classic malware (no reverse shell, no network connections, no child_process usage, no hard-coded credentials). The primary risk is information leakage: the loader posts module load events and dependency paths to external consumers via p.port and O.send. In contexts where those channels are controlled by an untrusted or remote party, this could leak local file paths or project structure. The module otherwise performs expected loader duties (file reads, tsconfig handling, transforming CJS to ESM, returning data: URLs). Review runtime consumers of O and any provided p.port to ensure they are trusted before using this loader in a sensitive environment. Confidence: 1.00 Severity: 0.60 From: package.json → npm/tsx@4.21.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tsx@4.21.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm tsx is 100.0% likely to have a medium risk anomaly Notes: This module installs signal handlers and actively hides them from inspection by monkeypatching listener inspection APIs. In the main thread it can forward SIGINT/SIGTERM events to a remote client (via client.connectingToServer) and may exit the process after forwarding. The concealment is a noteworthy red flag: it makes detection and auditing harder and may be used to implement covert telemetry or control. The file alone is not conclusively malicious, but the combination of hiding handlers and forwarding signals to an external component warrants careful review of the client module (client-D6NvIMSC.cjs) and any network destinations it uses before trusting this package in sensitive environments. Confidence: 1.00 Severity: 0.60 From: package.json → npm/tsx@4.21.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tsx@4.21.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm tsx is 100.0% likely to have a medium risk anomaly Notes: The module installs hidden signal handlers for SIGINT and SIGTERM, hides them from other code by monkey-patching process.listenerCount and process.listeners, forwards signals to an external client callback, and may force exit. That stealthy interception of process signals is suspicious from a supply-chain/security perspective because it can be used to intercept or suppress normal shutdown behavior and to forward events to another module which may perform network I/O or exfiltration. There is no direct evidence in this file of data exfiltration, reverse shell, or explicit malicious payload, but the hiding behavior and delegation to an external client warrant caution and further inspection of the imported client and cjs modules. Recommend auditing the client callback and cjs/index.cjs for network operations or data-leaking behavior before trusting this package. Confidence: 1.00 Severity: 0.60 From: package.json → npm/tsx@4.21.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tsx@4.21.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[mcmire]

LGTM!

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

[cursor]

extractMethodSignature and signature field are dead code

Low Severity

The extractMethodSignature function computes a value stored in MethodInfo.signature, but this field is never read anywhere. generateActionTypesContent only accesses method.name and method.jsDoc — method.signature is unused. This adds an unnecessary function, a type field, and two assignment sites (line 375-379 and line 554) that all contribute dead code.

Additional Locations (2)

• scripts/generate-method-action-types.ts#L15-L16
• scripts/generate-method-action-types.ts#L374-L379