chore: bump @metamask/* dependencies

[cryptodev-2s]

Summary

Bumps production @metamask/* dependencies to the latest versions available in the core monorepo. All changelogs were reviewed for breaking changes; the only required code change was migrating tests/helpers.ts off the removed providerFromEngine (eth-json-rpc-provider@6.0) to InternalProvider.

Dependencies bumped

Package	From	To
@metamask/base-controller	^9.0.0	^9.1.0
@metamask/controller-utils	^11.0.0	^12.1.0
@metamask/eth-json-rpc-provider	^4.1.6	^6.0.1
@metamask/messenger	^1.1.0	^1.2.0
@metamask/network-controller	^30.0.0	^32.0.0
@metamask/polling-controller	^16.0.0	^16.0.6
@metamask/profile-sync-controller	^28.0.2	^28.1.0
@metamask/remote-feature-flag-controller	^4.1.0	^4.2.1
@metamask/transaction-controller	^64.3.0	^65.4.0

Breaking changes reviewed

• controller-utils 12.0 — ServicePolicy.onDegraded payload changed; not subscribed in STX.
• eth-json-rpc-provider 5.0 / 6.0 — 'data' event removed (unused); providerFromEngine removed — replaced in tests/helpers.ts with new InternalProvider({ engine }).
• network-controller 31.0 / 32.0 — Event payload additions (not subscribed); default networks pruned (no STX code impact).
• transaction-controller 65.0 — Requires clients to add KeyringController:getState to the TransactionController messenger's allowed actions. STX only consumes TransactionController actions, so no STX-side change is needed; downstream consumers (mobile/extension) will already handle this.

yarn dedupe was run to consolidate @metamask/json-rpc-engine to a single resolution.

Test plan

• yarn test (jest + attw) passes — 196 tests
• yarn lint passes (pre-existing warnings only)

---

Note

Medium Risk
Primarily dependency upgrades across core controller packages; risk comes from pulling in new major versions (e.g., @metamask/controller-utils, @metamask/eth-json-rpc-provider) that can subtly change runtime behavior despite minimal local code changes.

Overview
Updates the project to newer @metamask/* package versions (notably @metamask/controller-utils ^12.1.0, @metamask/eth-json-rpc-provider ^6.0.1, and @metamask/transaction-controller ^65.4.0), with corresponding yarn.lock resolution changes.

Adjusts tests/helpers.ts to stop using the removed providerFromEngine helper and instead construct an InternalProvider around a JsonRpcEngine. The CHANGELOG.md Unreleased section is updated to record the dependency bumps.

^{Reviewed by Cursor Bugbot for commit 54ed3b0. Bugbot is set up for automated code reviews on this repo. Configure here.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	@​metamask/​polling-controller@​16.0.4 ⏵ 16.0.6				+4
	@​metamask/​gas-fee-controller@​26.1.1 ⏵ 26.2.2			+1	+4
	@​metamask/​remote-feature-flag-controller@​4.2.0 ⏵ 4.2.1				+2
	@​metamask/​controller-utils@​12.1.0
	@​metamask/​messenger@​1.1.1 ⏵ 1.2.0	+1		+1
	@​metamask/​network-controller@​30.0.1 ⏵ 32.0.0			+1	+4
	@​metamask/​transaction-controller@​64.3.0 ⏵ 65.4.0	+1		+1
	@​metamask/​profile-sync-controller@​28.0.2 ⏵ 28.1.0			+1
	@​metamask/​utils@​11.10.0 ⏵ 11.11.0	+1		+1
	@​metamask/​json-rpc-engine@​10.2.4 ⏵ 10.5.0				+6

View full report

[socket-security]

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring alerts on:

• @metamask/transaction-controller@65.4.0

View full report

[cryptodev-2s]

@metamaskbot publish-preview

[cryptodev-2s]

@SocketSecurity ignore npm/@metamask/transaction-controller@65.4.0

[mcmire]

LGTM.