chore: bump deps, replace ErrorReportingService with messenger.captureException #572

Merged: cryptodev-2s merged 6 commits into main from chore/bump-deps-remove-error-reporting-service on Mar 18, 2026
@cryptodev-2s (Contributor) commented Mar 18, 2026

What

  • Replace ErrorReportingService:captureException messenger action with messenger.captureException
  • Remove @metamask/error-reporting-service dependency (deprecated in v3.0.1)
  • Move controller packages from peer to direct dependencies and bump to latest majors:
    • @metamask/network-controller ^25 → ^30
    • @metamask/transaction-controller ^61 → ^63
    • @metamask/remote-feature-flag-controller ^2 → ^4.1
    • @metamask/polling-controller ^15 → ^16
    • @metamask/gas-fee-controller ^22 → ^26 (dev)

Why

@metamask/error-reporting-service is deprecated in favor of Messenger.captureException. This removes the dependency and the ErrorReportingService:captureException allowed action from the messenger, so consumers must stop allowlisting it.

Bumping polling-controller and gas-fee-controller resolves peer dependency warnings against network-controller ^30.

Breaking changes

  • ErrorReportingService:captureException is no longer an allowed action on the messenger
  • @metamask/error-reporting-service is no longer a dependency

Note

Medium Risk
Introduces a breaking messenger API change by removing the ErrorReportingService:captureException allowed action, and upgrades several controller dependencies to new major versions which may affect integration behavior.

Overview
Updates error reporting to use messenger.captureException directly, removing the ErrorReportingService:captureException messenger action (and updating tests accordingly).

Moves key MetaMask controller packages from peerDependencies to direct dependencies and bumps to newer major versions (notably network-controller, transaction-controller, remote-feature-flag-controller, polling-controller, plus gas-fee-controller in dev), with corresponding lavamoat allowlist additions and lockfile updates.

Written by Cursor Bugbot for commit 03e734e. This will update automatically on new commits. Configure here.

…eException

- Bump network-controller ^25 → ^30, transaction-controller ^61 → ^63,
  remote-feature-flag-controller ^2 → ^4.1
- Replace ErrorReportingService:captureException action with
  messenger.captureException
- Move controller peer deps to direct dependencies
- Remove @metamask/error-reporting-service (deprecated)
@cryptodev-2s cryptodev-2s requested a review from a team as a code owner March 18, 2026 14:51

socket-security bot commented Mar 18, 2026

Caution

MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action Severity Alert  (click "▶" to expand/collapse)
Block Low
Publisher changed: npm async-function is now published by ljharb instead of eduardorfs

New Author: ljharb

Previous Author: eduardorfs

From: npm/@metamask/transaction-controller@63.0.0 → npm/eslint-plugin-import@2.26.0 → npm/async-function@1.0.0

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/async-function@1.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Publisher changed: npm bs58 is now published by dcousens instead of jprichardson

New Author: dcousens

Previous Author: jprichardson

From: npm/@metamask/transaction-controller@63.0.0 → npm/bs58@4.0.1

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/bs58@4.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Publisher changed: npm md5.js is now published by cwmma instead of fanatid

New Author: cwmma

Previous Author: fanatid

From: npm/@metamask/transaction-controller@63.0.0 → npm/md5.js@1.3.5

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/md5.js@1.3.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Publisher changed: npm ripemd160 is now published by ljharb instead of dcousens

New Author: ljharb

Previous Author: dcousens

From: npm/@metamask/transaction-controller@63.0.0 → npm/ripemd160@2.0.3

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ripemd160@2.0.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Publisher changed: npm rlp is now published by ralxz instead of holgerd77

New Author: ralxz

Previous Author: holgerd77

From: npm/@metamask/transaction-controller@63.0.0 → npm/rlp@2.2.7

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/rlp@2.2.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Publisher changed: npm sha.js is now published by ljharb instead of dcousens

New Author: ljharb

Previous Author: dcousens

From: npm/@metamask/transaction-controller@63.0.0 → npm/sha.js@2.4.12

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/sha.js@2.4.12. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
Publisher changed: npm ulid is now published by perrymitchell instead of alizain

New Author: perrymitchell

Previous Author: alizain

From: npm/@metamask/transaction-controller@63.0.0 → npm/ulid@2.4.0

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/ulid@2.4.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm @babel/core is 100.0% likely to have a medium risk anomaly

Notes: The examined code is a standard, benign helper for constructing and wrapping configuration items from descriptors within Babel’s tooling. There is no evidence of data leakage, exfiltration, backdoors, or other malicious activity in this fragment. The combination of immutability, brand-based identity, and non-enumerable descriptor storage indicates a well-scoped internal utility rather than anything suspicious.

Confidence: 1.00

Severity: 0.60

From: npm/@metamask/transaction-controller@63.0.0 → npm/jest@29.7.0 → npm/@babel/core@7.29.0

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/core@7.29.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm @babel/helper-module-transforms is 100.0% likely to have a medium risk anomaly

Notes: The code is a legitimate, static-code transformation utility used in Babel to ensure proper behavior of ES module bindings after transforms. There is no evidence of malicious behavior, data leakage, or external communications within this fragment. It operates purely on AST-level transformations consistent with module import/export handling.

Confidence: 1.00

Severity: 0.60

From: npm/@metamask/transaction-controller@63.0.0 → npm/jest@29.7.0 → npm/@babel/helper-module-transforms@7.28.6

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helper-module-transforms@7.28.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm @babel/helper-string-parser is 100.0% likely to have a medium risk anomaly

Notes: The analyzed code is a standard, well-structured parsing utility for JavaScript string literals and escapes (consistent with Babel’s helper-string-parser). It includes thorough validation, proper Unicode handling, and defensive error reporting. There is no evidence of malicious behavior, data leakage, or network activity within this fragment. The security risk is low when used as part of a trusted toolchain; the code otherwise poses no evident supply-chain threat based on the provided snippet.

Confidence: 1.00

Severity: 0.60

From: npm/@metamask/transaction-controller@63.0.0 → npm/jest@29.7.0 → npm/@babel/helper-string-parser@7.27.1

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helper-string-parser@7.27.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm @babel/helpers is 100.0% likely to have a medium risk anomaly

Notes: The code fragment is a standard Babel decorator runtime helper (applyDecs2203). Its security posture hinges on the trustworthiness of the supplied decorators. If decorators are from untrusted sources, they can execute arbitrary code during decoration or initialization. The library itself does not exhibit malicious behavior, but this pattern introduces a high-risk surface via external inputs. Recommended mitigations include validating decorator outputs, enforcing sandboxing or runner boundaries for decorators, and auditing decorator sources in the application.

Confidence: 1.00

Severity: 0.60

From: npm/@metamask/transaction-controller@63.0.0 → npm/jest@29.7.0 → npm/@babel/helpers@7.29.2

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@babel/helpers@7.29.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm fast-xml-parser is 100.0% likely to have a medium risk anomaly

Notes: BufferSource.js implements a simple buffer-based parser for XML-like content, providing methods such as readCh, readChAt, readStr, readUpto, readUptoCloseTag, readFromBuffer, updateBufferBoundary, and canRead. While it contains no network calls, file writes, eval calls, or secret leaks, several methods lack full bounds checking (notably readChAt) and the custom stop-string matching in readUpto/readUptoCloseTag may exhibit off-by-one or out-of-bounds errors on malformed input. These shortcomings can lead to runtime exceptions or incorrect parsing state but do not constitute malicious behavior. Overall risk is low and limited to potential parser crashes under unexpected input.

Confidence: 1.00

Severity: 0.60

From: npm/@metamask/transaction-controller@63.0.0 → npm/fast-xml-parser@4.5.4

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fast-xml-parser@4.5.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm fast-xml-parser is 100.0% likely to have a medium risk anomaly

Notes: This module implements a Transform stream that accumulates all incoming data chunks into an in-memory buffer using a specified encoding (default utf8) and emits a ‘complete’ event (or callback) with the full contents when the stream ends. While functionally benign, unbounded buffering of large streams can result in high memory consumption, causing performance degradation or out-of-memory errors in resource-constrained environments.

Confidence: 1.00

Severity: 0.60

From: npm/@metamask/transaction-controller@63.0.0 → npm/fast-xml-parser@4.5.4

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/fast-xml-parser@4.5.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm node-addon-api is 100.0% likely to have a medium risk anomaly

Notes: The script is a legitimate formatting helper within a Node.js project. It orchestrates clang-format via git-clang-format, supports fix and diff modes, and provides actionable feedback to the developer. While operational dependencies exist, no malicious activity or data leakage is evident based on the provided code and typical usage.

Confidence: 1.00

Severity: 0.60

From: npm/@metamask/transaction-controller@63.0.0 → npm/node-addon-api@5.1.0

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/node-addon-api@5.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm pbkdf2 is 100.0% likely to have a medium risk anomaly

Notes: The code is a straightforward and correct PBKDF2 implementation using HMAC with support for multiple digests and standard input handling. No malicious behavior detected. Security risk mainly derives from correct usage (encodings, salt handling, and proper key length) and from the absence of explicit side-channel hardening within the function. Recommendations focus on careful integration and memory hygiene, and optional refinements for side-channel resilience in high-assurance contexts.

Confidence: 1.00

Severity: 0.60

From: npm/@metamask/transaction-controller@63.0.0 → npm/pbkdf2@3.1.5

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/pbkdf2@3.1.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm readable-stream is 100.0% likely to have a medium risk anomaly

Notes: The analyzed code is a standard, legitimate portion of the Node.js readable-stream implementation handling piping, flow control, and lifecycle events. There is no evidence of malicious behavior, data exfiltration, or unsafe operations within this fragment. It does not introduce backdoors or hidden communicative channels. Given the OpenVSX extension context, this fragment alone does not indicate supply chain risk.

Confidence: 1.00

Severity: 0.60

From: npm/@metamask/transaction-controller@63.0.0 → npm/readable-stream@2.3.8

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/readable-stream@2.3.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm readable-stream is 100.0% likely to have a medium risk anomaly

Notes: No malicious behavior detected. This is a standard, legitimate stream utility implementing pipe semantics with a backward-compatibility shim. The only notable concern is the internal _events manipulation in the prependListener polyfill, which should be revisited for future-proofing, but it does not constitute an immediate security risk.

Confidence: 1.00

Severity: 0.60

From: npm/@metamask/transaction-controller@63.0.0 → npm/readable-stream@4.7.0

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/readable-stream@4.7.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Ignoring alerts on:

  • @metamask/core-backend@6.1.1
  • @metamask/snaps-controllers@17.2.1
  • @metamask/snaps-sdk@10.4.0
  • @metamask/snaps-sdk@11.0.0
  • @metamask/snaps-utils@11.7.1
  • @metamask/snaps-utils@12.1.1
  • @metamask/profile-sync-controller@28.0.0
  • @tanstack/query-core@5.91.0
  • ethereumjs-wallet@1.0.2
  • @metamask/phishing-controller@16.3.0
  • @metamask/snaps-rpc-methods@14.3.0
  • ses@1.15.0
  • keccak@3.0.4
  • secp256k1@4.0.4
  • @metamask/gas-fee-controller@26.1.0


@cryptodev-2s
Contributor Author

@SocketSecurity ignore npm/@metamask/core-backend@6.1.1

@cryptodev-2s cryptodev-2s requested a review from a team March 18, 2026 14:58
@cryptodev-2s
Contributor Author

@SocketSecurity ignore npm/@metamask/gas-fee-controller@26.1.0

@cryptodev-2s cryptodev-2s enabled auto-merge (squash) March 18, 2026 15:09
@cryptodev-2s
Contributor Author

@SocketSecurity ignore npm/@metamask/phishing-controller@16.3.0

@cryptodev-2s
Contributor Author

@SocketSecurity ignore npm/@metamask/profile-sync-controller@28.0.0

@cryptodev-2s
Contributor Author

@SocketSecurity ignore npm/@metamask/snaps-controllers@17.2.1

@cryptodev-2s
Contributor Author

@SocketSecurity ignore npm/@metamask/snaps-rpc-methods@14.3.0

@cryptodev-2s
Contributor Author

@SocketSecurity ignore npm/@metamask/snaps-sdk@10.4.0

@cryptodev-2s
Contributor Author

@SocketSecurity ignore npm/@metamask/snaps-sdk@11.0.0

@cryptodev-2s
Contributor Author

@SocketSecurity ignore npm/@metamask/snaps-utils@11.7.1

@cryptodev-2s
Contributor Author

@SocketSecurity ignore npm/@metamask/snaps-utils@12.1.1
@SocketSecurity ignore npm/@tanstack/query-core@5.91.0
@SocketSecurity ignore npm/keccak@3.0.4
@SocketSecurity ignore npm/secp256k1@4.0.4
@SocketSecurity ignore npm/ses@1.15.0
@SocketSecurity ignore npm/ethereumjs-wallet@1.0.2

Contributor

@mcmire mcmire left a comment

I looked over the dependencies you're bumping and didn't notice any breaking changes, although I would definitely test this change in the clients to confirm. Other than that I have one suggestion to the changelog.

Co-authored-by: Elliot Winkler <elliot.winkler@gmail.com>
@cryptodev-2s cryptodev-2s requested a review from mcmire March 18, 2026 16:16
@cryptodev-2s
Contributor Author

@metamaskbot publish-preview

@cryptodev-2s cryptodev-2s merged commit da787cb into main Mar 18, 2026
17 of 18 checks passed
@cryptodev-2s cryptodev-2s deleted the chore/bump-deps-remove-error-reporting-service branch March 18, 2026 16:19