
chore!: Drop Node 18 and 20 #9168

Draft

FrederikBolding wants to merge 8 commits into main from fb/drop-node-18-and-20

Conversation

FrederikBolding (Member) commented Jun 17, 2026

Explanation

Node 18 and 20 are EOL, so we should not support them anymore. This PR makes a breaking change to every single package in the monorepo. This also reduces the number of jobs we need to run in CI.

References

Checklist

  • I've updated the test suite for new or updated code as appropriate
  • I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
  • I've communicated my changes to consumers by updating changelogs for packages I've changed
  • I've introduced breaking changes in this PR and have prepared draft pull requests for clients and consumer packages to resolve them

Comment on lines +142 to 193
name: Test (22.x)
runs-on: ubuntu-latest
needs: prepare
strategy:
matrix:
package-name: ${{ fromJson(needs.prepare.outputs.child-workspace-package-names) }}
steps:
- name: Checkout and setup environment
uses: MetaMask/action-checkout-and-setup@v2
with:
is-high-risk-environment: false
node-version: 20.x
node-version: 22.x
- run: yarn workspace ${{ matrix.package-name }} run test
- name: Require clean working directory
shell: bash
run: |
if ! git diff --exit-code; then
echo "Working tree dirty at end of job"
exit 1
fi

test-22:
name: Test (22.x)
test-24:
name: Test (24.x)
runs-on: ubuntu-latest
needs: prepare
strategy:
matrix:
package-name: ${{ fromJson(needs.prepare.outputs.child-workspace-package-names) }}
steps:
- name: Checkout and setup environment
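Review bot: the "Require clean working directory" step only runs `git diff --exit-code`, which reports modified tracked files and nothing else, so a test run that leaves new untracked files behind (snapshot or coverage output, generated fixtures) passes the check silently; `git status --porcelain` with a non-empty-output test would catch both cases. The version bump itself (`node-version: 20.x` to `22.x`, job renamed to `Test (22.x)`, second job renamed `test-24` / `Test (24.x)`) is consistent within the hunk.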
Comment thread package.json Outdated
},
"engines": {
"node": "^18.18 || >=20"
"node": ">=22"

Mrtenz (Member) commented Jun 17, 2026

Staged publishing needs at least 22.14.0 IIRC. We also don't need to support Node.js 23 and 25 (both EOL). We can support 26 (current, soon LTS) though:

Suggested change
"node": ">=22"
"node": "^22.14.0 || ^24 || >=26"

FrederikBolding (Member, Author):

I was under the impression we wouldn't want to support 26 until it is LTS.


Mrtenz (Member):

I don't see a reason to not support it? It's the current version. AFAIK we supported 24 before it was LTS in some other repositories too.

FrederikBolding (Member, Author):

Do we want to use 26 for build and lint then?

Mrtenz (Member):

Sure, might as well.
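The thread above turns on what each candidate `engines.node` range actually admits. The following is an added example, not code from the MetaMask repository or from the `semver` package: a small evaluator for the subset of range syntax used in these `engines` fields (caret ranges, `>=`/`<` comparators and `||` alternatives). The three range strings are taken from the diff and the review suggestion; the list of Node.js versions it is run against is constructed for illustration.

```javascript
// Added example, not code from the MetaMask PR or repository: a small
// evaluator for the subset of semver range syntax that package.json
// "engines.node" uses here (caret ranges, >= / < comparators and "||"
// alternatives), to make visible which Node.js lines each range admits.

// Ranges taken from the package.json diff and the review suggestion.
const OLD_ENGINES = "^18.18 || >=20";
const PROPOSED_ENGINES = ">=22";
const SUGGESTED_ENGINES = "^22.14.0 || ^24 || >=26";

// Parse "22.14.0", "22.14" or "22" into numeric parts; missing parts are 0,
// and the number of parts given is kept because "^24" and a bare "24"
// (meaning 24.x.x) are interpreted differently from a full version.
function parseVersion(text) {
  const parts = text.trim().split(".").map((p) => Number.parseInt(p, 10));
  if (parts.length < 1 || parts.length > 3 || parts.some((n) => Number.isNaN(n))) {
    throw new Error(`not a version: ${text}`);
  }
  return { nums: [parts[0], parts[1] ?? 0, parts[2] ?? 0], given: parts.length };
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Exclusive upper bound of a caret range, following npm's rule that the
// left-most non-zero component may not change.
function caretUpper(v) {
  const [major, minor, patch] = v.nums;
  if (major > 0 || v.given === 1) return [major + 1, 0, 0];
  if (minor > 0 || v.given === 2) return [0, minor + 1, 0];
  return [0, 0, patch + 1];
}

// Turn one comparator token into a predicate over [major, minor, patch].
function comparator(token) {
  const m = /^(\^|>=|<=|>|<|=)?(.+)$/.exec(token);
  if (!m) throw new Error(`bad comparator: ${token}`);
  const op = m[1] ?? "=";
  const v = parseVersion(m[2]);
  const lo = v.nums;
  switch (op) {
    case ">=": return (x) => compare(x, lo) >= 0;
    case ">": return (x) => compare(x, lo) > 0;
    case "<": return (x) => compare(x, lo) < 0;
    case "<=": return (x) => compare(x, lo) <= 0;
    case "^": {
      const hi = caretUpper(v);
      return (x) => compare(x, lo) >= 0 && compare(x, hi) < 0;
    }
    default: {
      // A bare partial version ("24", "24.1") is a wildcard over the omitted
      // parts; a full version matches exactly.
      if (v.given === 3) return (x) => compare(x, lo) === 0;
      const hi = v.given === 1 ? [lo[0] + 1, 0, 0] : [lo[0], lo[1] + 1, 0];
      return (x) => compare(x, lo) >= 0 && compare(x, hi) < 0;
    }
  }
}

// True when some "||" alternative has all of its whitespace-separated
// comparators hold for the version.
function satisfies(version, range) {
  const x = parseVersion(version).nums;
  return range.split("||").some((alt) => {
    const tokens = alt.trim().split(/\s+/).filter(Boolean);
    return tokens.length > 0 && tokens.map((t) => comparator(t)).every((ok) => ok(x));
  });
}

// Constructed list of Node.js versions, one per release line of interest.
const SAMPLE_VERSIONS = ["18.18.2", "20.19.0", "22.0.0", "22.14.0", "23.5.0", "24.1.0", "25.0.0", "26.0.0"];

function admitted(range, versions = SAMPLE_VERSIONS) {
  return versions.filter((v) => satisfies(v, range));
}

for (const [label, range] of [["old", OLD_ENGINES], ["proposed", PROPOSED_ENGINES], ["suggested", SUGGESTED_ENGINES]]) {
  console.log(`${label.padEnd(9)} ${range.padEnd(26)} admits ${admitted(range).join(", ")}`);
}
```

Running it shows the difference the reviewers are discussing: `>=22` admits 22.0.0, 23.x and 25.x alongside the tested lines, while `^22.14.0 || ^24 || >=26` admits only 22.14.0 and later 22.x, 24.x and 26+. The evaluator deliberately ignores prerelease tags and the `~`, `x` and hyphen forms; use the real `semver` package for anything beyond `engines` checks like these.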

FrederikBolding (Member, Author):

Comment on lines 172 to +197
@@ -182,8 +182,8 @@ jobs:
exit 1
fi

test-22:
name: Test (22.x)
test-26:
name: Test (26.x)
runs-on: ubuntu-latest
needs: prepare
strategy:
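Review bot: renaming the job key `test-22` to `test-26` and its display name to `Test (26.x)` changes the status-check name reported to GitHub, so any branch-protection rule or required check that still references `Test (22.x)` must be updated in the same change, otherwise merges block on a check that will never be reported again.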
@@ -194,7 +194,7 @@ jobs:
uses: MetaMask/action-checkout-and-setup@v2
with:
is-high-risk-environment: false
node-version: 22.x
node-version: 26.x
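Review bot: `node-version: 26.x` floats on the newest 26 minor, which is reasonable for a test job but means the job's behaviour can change without a PR when a new 26.x release ships; also make sure the `engines.node` range in package.json admits 26 so the declared support range and the CI matrix describe the same set of runtimes.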
FrederikBolding force-pushed the fb/drop-node-18-and-20 branch from e690510 to 402744e on June 25, 2026 12:10
socket-security (bot) commented:

Review the following changes in direct dependencies.

Diff     Package                                 Supply Chain Security  Vulnerability  Quality   Maintenance  License
Updated  minipass@7.1.2 ⏵ 7.1.3                  100 (+1)               100            100 (+1)  81           100
Updated  yargs@17.7.2 ⏵ 17.7.3                   82 (-16)               100            100 (+1)  93           100
Updated  tar@7.4.3 ⏵ 7.5.16                      98                     100 (+61)      99        92 (+42)     100
Updated  @lavamoat/allow-scripts@3.2.0 ⏵ 5.1.0   100 (+1)               100            100       100 (+8)     100


socket-security (bot) commented:

Caution: MetaMask internal reviewing guidelines:

  • Do not ignore-all
  • Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
  • Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
    @SocketSecurity ignore npm/PACKAGE@VERSION
Action  Severity  Alert
Block High
Obfuscated code: npm yargs is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package.json → npm/yargs@17.7.3


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/yargs@17.7.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block High
Publisher changed: npm yargs is now published by shadowspawn

Author: shadowspawn

From: package.json → npm/yargs@17.7.3


Suggestion: Try to reduce the number of authors you depend on to reduce the risk to malicious actors gaining access to your supply chain. Packages should remove inactive collaborators with publishing rights from packages on npm.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/yargs@17.7.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
Network access: npm glob in module globalThis["fetch"]

Module: globalThis["fetch"]

Location: Package overview

From: npm/@lavamoat/allow-scripts@5.1.0 → npm/glob@13.0.6


Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/glob@13.0.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm @npmcli/git is 64.0% likely to have a medium risk anomaly

Notes: The code reads the user's git configuration and applies defaults to streamline automation, notably by auto-accepting new SSH host keys and bypassing prompts. This reduces friction for automation but lowers interactive security. Not inherently malicious, but the default behavior should be clearly documented and optionally opt-in or restricted per-project to mitigate potential risk.

Confidence: 0.64

Severity: 0.55

From: npm/@lavamoat/allow-scripts@5.1.0 → npm/@npmcli/git@7.0.2


Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@npmcli/git@7.0.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm glob is 68.0% likely to have a medium risk anomaly

Notes: The Glob utilities implement a conventional and well-structured filesystem glob-walking mechanism with robust control flow (abort signals, backpressure) and safe output semantics. There is no evidence of malicious behavior, backdoors, or data exfiltration within this fragment. Risks mainly relate to how downstream consumers may handle emitted paths, not to the library itself.

Confidence: 0.68

Severity: 0.50

From: npm/@lavamoat/allow-scripts@5.1.0 → npm/glob@13.0.6


Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/glob@13.0.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm node-gyp is 75.0% likely to have a medium risk anomaly

Notes: The code is a legitimate Windows registry query and filesystem readability utility, with no inherent malware or backdoors. Primary security concerns are data exposure through verbose logging and the potential misuse of reg.exe with untrusted inputs. Mitigations include restricting input sources, redacting sensitive outputs in logs, and ensuring callers handle registry data securely. Overall security risk is moderate due to sensitive operations and logging exposure, but no active malicious behavior detected.

Confidence: 0.75

Severity: 0.60

From: npm/@lavamoat/allow-scripts@5.1.0 → npm/node-gyp@12.4.0


Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/node-gyp@12.4.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm tar is 66.0% likely to have a medium risk anomaly

Notes: This module acts as a standard tar extraction wrapper using synchronous and asynchronous code paths. There is no evident malicious activity within this fragment. Security risk hinges on the behavior of the Unpack/UnpackSync implementation and how tar entries are written to disk (e.g., path traversal). No hardcoded secrets or network calls are present here. Recommend ensuring tar extraction handles path traversal and destination path sanitization in Unpack, and consider validating opt.file presence and type before streaming.

Confidence: 0.66

Severity: 0.56

From: packages/foundryup/package.json → npm/tar@7.5.16


Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/tar@7.5.16. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
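The tar note above recommends that extraction handle path traversal and sanitise the destination path before any entry is written. As an added example (not code from the `tar` package, from `@lavamoat/allow-scripts` or from this repository), the check below decides for plain entry objects `{ name, type, linkpath }` whether an entry may be written under a destination directory. It makes the decision on the normalised path, so `pkg/../../x` is rejected even though its first segment looks harmless, and it applies the same rule to symlink and hard-link targets, since a link pointing outside the destination lets a later entry be written through it. The entry listing and the destination path are constructed; the link-target policy (symlink targets relative to the entry's directory, hard-link targets relative to the archive root) is this example's own.

```javascript
// Added example, not code from the tar package or from this repository: the
// destination-path check that the Socket note recommends for tar extraction,
// written against plain entry objects ({ name, type, linkpath }) so it runs
// without any archive library. All entry names below are constructed.

// Split a POSIX-style path into segments, dropping "." and empty segments and
// resolving "..". Returns null when ".." would climb above the starting point.
function normalizeSegments(p) {
  const out = [];
  for (const seg of p.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (out.length === 0) return null;
      out.pop();
    } else {
      out.push(seg);
    }
  }
  return out;
}

function isAbsolute(p) {
  return p.startsWith("/") || p.startsWith("\\") || /^[A-Za-z]:/.test(p);
}

// Decide whether one entry may be written under dest. The decision is made on
// the normalised path, so "pkg/../../x" is rejected even though its first
// segment is harmless. Link entries are checked on their target as well: in
// this example a symlink target is relative to the entry's own directory and
// a hard-link target is another path inside the archive.
function checkEntry(entry, dest) {
  const name = String(entry.name ?? "").replace(/\\/g, "/");
  if (name.includes("\0")) return { ok: false, reason: "NUL byte in path" };
  if (isAbsolute(name)) return { ok: false, reason: "absolute path" };
  const segs = normalizeSegments(name);
  if (segs === null) return { ok: false, reason: "path escapes destination" };
  if (segs.length === 0) return { ok: false, reason: "empty path" };

  if (entry.type === "symlink" || entry.type === "link") {
    const target = String(entry.linkpath ?? "").replace(/\\/g, "/");
    if (target === "" || isAbsolute(target)) {
      return { ok: false, reason: "link target is empty or absolute" };
    }
    const base = entry.type === "symlink" ? segs.slice(0, -1) : [];
    const resolved = normalizeSegments([...base, target].join("/"));
    if (resolved === null) return { ok: false, reason: "link target escapes destination" };
  }
  return { ok: true, path: `${dest}/${segs.join("/")}` };
}

// Partition a listing into entries that may be written and entries that must
// be skipped (with the reason), the way an extraction filter would.
function filterEntries(entries, dest) {
  const accepted = [];
  const rejected = [];
  for (const entry of entries) {
    const result = checkEntry(entry, dest);
    if (result.ok) accepted.push({ name: entry.name, path: result.path });
    else rejected.push({ name: entry.name, reason: result.reason });
  }
  return { accepted, rejected };
}

// Constructed archive listing mixing ordinary entries with ones that would
// land outside the destination if written blindly.
const SAMPLE_ENTRIES = [
  { name: "pkg/index.js", type: "file" },
  { name: "pkg/./lib/../util.js", type: "file" },
  { name: "../../outside.txt", type: "file" },
  { name: "pkg/../../../x", type: "file" },
  { name: "/etc/hosts", type: "file" },
  { name: "pkg/ok-link", type: "symlink", linkpath: "lib/a.js" },
  { name: "pkg/bad-link", type: "symlink", linkpath: "../../elsewhere" },
  { name: "pkg/hard", type: "link", linkpath: "pkg/index.js" },
  { name: "pkg/bad-hard", type: "link", linkpath: "../x" },
];

const report = filterEntries(SAMPLE_ENTRIES, "/tmp/extract");
for (const a of report.accepted) console.log(`write  ${a.name} -> ${a.path}`);
for (const r of report.rejected) console.log(`skip   ${r.name} (${r.reason})`);
```

Two of the nine constructed entries are plain files that are accepted, two are links whose targets stay inside the destination, and the remaining five are skipped with a reason. A real extractor additionally has to re-check each path against the filesystem at write time (an earlier accepted symlink can turn a later relative path into an escape), which is why the check above is a filter to run per entry and not a one-time scan of the listing.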

Warn Low
Potential code anomaly (AI signal): npm undici is 75.0% likely to have a medium risk anomaly

Notes: The analyzed code appears to implement a standard in-memory cache batch operation flow (put/delete) with careful handling of response bodies by buffering and storing bytes for caching. No signs of malware, data exfiltration, backdoors, or obfuscated behavior were found. The primary security considerations relate to memory usage from buffering potentially large response bodies and ensuring robust validation within batch operations to prevent cache state corruption. Overall risk is moderate, driven by in-memory data handling rather than external communication.

Confidence: 0.75

Severity: 0.60

From: npm/@lavamoat/allow-scripts@5.1.0 → npm/undici@6.27.0


Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@6.27.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm undici is 68.0% likely to have a medium risk anomaly

Notes: The analyzed code implements a conventional HTTP/WebSocket-like upgrade handler with proper input validation, abort signal integration, and asynchronous callback management. It does not exhibit malicious activity such as data exfiltration or backdoors. The deliberate onHeaders error path is consistent with protocol expectations to reject non-upgrade responses. Overall security risk remains low to moderate, contingent on integration context, but no indicators of malware or obfuscation are detected in this fragment.

Confidence: 0.68

Severity: 0.50

From: npm/@lavamoat/allow-scripts@5.1.0 → npm/undici@6.27.0


Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@6.27.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm undici is 65.0% likely to have a medium risk anomaly

Notes: The code is a focused error-handling helper for HTTP responses that safely parses small payloads to include in an error object. It includes protective measures (chunk limits, controlled parsing, microtask-based callbacks) but uses unusual, brittle content-type checks and suppresses stack traces for debugging concealment. There is no evidence of malicious activity, data exfiltration, or backdoors within this fragment. The main risk is potential silent data loss if payloads exceed the chunk limit or mismatched content-type handling leads to missing payloads, but this is a functional trade-off rather than malicious. Suggested improvements include robust content-type parsing, clearer error signaling when payload is truncated, and optional logging to aid debugging without exposing stack traces in production.

Confidence: 0.65

Severity: 0.58

From: npm/@lavamoat/allow-scripts@5.1.0 → npm/undici@6.27.0


Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@6.27.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm undici is 77.0% likely to have a medium risk anomaly

Notes: The script performs an in-place, lossy re-encoding of a local file from UTF-8 to Latin-1 and rewrites it without backups or validation. This is unsafe due to potential data loss and code corruption, and could be exploited to tamper with source files in a supply chain. It does not exhibit active malware behavior, but its destructive nature warrants removal or strict safeguards (backups, explicit intent, error handling).

Confidence: 0.77

Severity: 0.65

From: npm/@lavamoat/allow-scripts@5.1.0 → npm/undici@6.27.0


Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/undici@6.27.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Low
Potential code anomaly (AI signal): npm yargs is 65.0% likely to have a medium risk anomaly

Notes: The code fragment serves as a standard CLI command-definition utility with a notable security consideration: if an untrusted builder function is supplied, it can execute arbitrary code via the builder callback. There is no evidence of malware, exfiltration, or obfuscated techniques in this fragment. In trusted use, risk remains low; in contexts allowing untrusted inputs, this fragment requires strict input validation or sandboxing to mitigate arbitrary code execution. The recommended security posture is to avoid invoking untrusted builder callbacks or to constrain them to benign shapes and to sanitize or restrict what those builders can access.

Confidence: 0.65

Severity: 0.60

From: package.json → npm/yargs@17.7.3


Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/yargs@17.7.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


3 participants