fix(deps): Bump @metamask/eth-json-rpc-middleware to ^14.0.0, @metamask/transaction-controller to ^35.1.1 (#26143)

## **Description**

Updates `@metamask/eth-json-rpc-middleware` from `^12.1.1` to `^14.0.0`.
- This version bump comes with a large number of regressions, most of
them type errors.
- This is because the package's dependencies are also updated by
multiple major versions, and the changes include improved, stricter
types (especially in `@metamask/utils`).

[![Open in GitHub
Codespaces](https://github.com/codespaces/badge.svg)](https://codespaces.new/MetaMask/metamask-extension/pull/26143?quickstart=1)

## **Related issues**

- Closes #26287
- Blocks:
  - MetaMask/MetaMask-planning#2991
  - MetaMask/MetaMask-planning#2810
  - #25733

## Changelog

### Added

- Add and export `PPOMMiddlewareRequest` type for `JsonRpcRequest` types
that include the `securityAlertResponse` property.
  - `securityAlertResponse` is defined as both optional and nullable.
- Add `PPOMRequest` type for `eth-sendTransaction` requests.

### Changed

- **BREAKING:** Bump `@metamask/eth-json-rpc-middleware` from `^12.1.1`
to `^14.0.0`.
- **BREAKING:** Bump `@metamask/transaction-controller` from `^34.0.0`
to `^35.1.1`.
- **BREAKING:** Redefine `SecurityAlertsAPIRequest` as a
`JsonRpcRequest` type that accepts `unknown[]` as its `params` type.
- Widen the `request` parameters of the functions
`validateWithController` and `validateWithAPI` to include
`SecurityAlertsAPIRequest`.
- Bump `@trezor/connect-web` from `9.2.2` to `9.3.0`.

### Fixed

- **BREAKING:** Narrow `Params` generic parameter of
`createPPOMMiddleware` function from `JsonRpcParams` to `(string | { to:
string })[]`.
- Add `Params` generic parameter to `handleSnapRequest` function, which
defaults to `JsonRpcParams`.
- `handleSnapRequest` can now be typed correctly with any `params`
object.

### Security

- **BREAKING:** Typed signature validation only replaces `0X` prefix
with `0x`, and contract address normalization is removed for decimal and
octal values.
- Threat actors have been manipulating `eth_signTypedData_v4` fields to
cause failures in blockaid's detectors.
- Extension crashes with an error when performing Malicious permit with
a non-0x prefixed integer address.
- This fixes an issue where the key value row or petname component
disappears if a signed address is prefixed by "0X" instead of "0x".

## **Manual testing steps**

## **Screenshots/Recordings**

## **Pre-merge author checklist**

- [x] I've followed [MetaMask Contributor
Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask
Extension Coding
Standards](https://github.com/MetaMask/metamask-extension/blob/develop/.github/guidelines/CODING_GUIDELINES.md).
- [x] I've completed the PR template to the best of my ability
- [x] I’ve included tests if applicable
- [x] I’ve documented my code using [JSDoc](https://jsdoc.app/) format
if applicable
- [x] I’ve applied the right labels on the PR (see [labeling
guidelines](https://github.com/MetaMask/metamask-extension/blob/develop/.github/guidelines/LABELING_GUIDELINES.md)).
Not required for external contributors.

## **Pre-merge reviewer checklist**

- [ ] I've manually tested the PR (e.g. pull and build branch, run the
app, test code being changed).
- [ ] I confirm that this PR addresses all acceptance criteria described
in the ticket it closes and includes the necessary testing evidence such
as recordings and or screenshots.

---------

Co-authored-by: MetaMask Bot <[email protected]>

Author: MajorLift

.yarn/patches/@trezor-connect-web-npm-9.3.0-040ab10d9a.patch

@@ -0,0 +1,33 @@
+diff --git a/lib/impl/core-in-iframe.js b/lib/impl/core-in-iframe.js
+index c47cf3bff860d6b1855341c00b80fc6c40f9d6d5..275eb0f312ff396819fa406c154a3562842db49d 100644
+--- a/lib/impl/core-in-iframe.js
++++ b/lib/impl/core-in-iframe.js
+@@ -116,7 +116,9 @@ class CoreInIframe {
+         this._log.enabled = !!this._settings.debug;
+         window.addEventListener('message', this.boundHandleMessage);
+         window.addEventListener('unload', this.boundDispose);
+-        await iframe.init(this._settings);
++        const modifiedSettings = Object.assign({}, this.settings);
++        modifiedSettings.env = 'webextension';
++        await iframe.init(modifiedSettings);
+         if (this._settings.sharedLogger !== false) {
+             iframe.initIframeLogger();
+         }
+diff --git a/lib/popup/index.js b/lib/popup/index.js
+index 9b13c370a5ac8b4e4fc0315ed40cdf615d0bb0cb..4dbd97fc28df49beb73379451974ec48a8a42ea7 100644
+--- a/lib/popup/index.js
++++ b/lib/popup/index.js
+@@ -229,10 +229,12 @@ class PopupManager extends events_1.default {
+         }
+         else if (message.type === events_2.POPUP.LOADED) {
+             this.handleMessage(message);
++            const modifiedSettings = Object.assign({}, this.settings);
++            modifiedSettings.env = 'webextension';
+             this.channel.postMessage({
+                 type: events_2.POPUP.INIT,
+                 payload: {
+-                    settings: this.settings,
++                    settings: modifiedSettings,
+                     useCore: true,
+                 },
+             });

app/scripts/lib/accounts/BalancesController.ts

@@ -224,9 +224,10 @@ export class BalancesController extends BaseController<
    * @param accountId - The account ID.
    */
   #getAccount(accountId: string): InternalAccount {
-    const account: InternalAccount = this.#listMultichainAccounts().find(
-      (multichainAccount) => multichainAccount.id === accountId,
-    );
+    const account: InternalAccount | undefined =
+      this.#listMultichainAccounts().find(
+        (multichainAccount) => multichainAccount.id === accountId,
+      );
 
     if (!account) {
       throw new Error(`Unknown account: ${accountId}`);
@@ -247,13 +248,15 @@ export class BalancesController extends BaseController<
     const account = this.#getAccount(accountId);
     const partialState: BalancesControllerState = { balances: {} };
 
-    partialState.balances[account.id] = await this.#getBalances(
-      account.id,
-      account.metadata.snap.id,
-      isBtcMainnetAddress(account.address)
-        ? BTC_MAINNET_ASSETS
-        : BTC_TESTNET_ASSETS,
-    );
+    if (account.metadata.snap) {
+      partialState.balances[account.id] = await this.#getBalances(
+        account.id,
+        account.metadata.snap.id,
+        isBtcMainnetAddress(account.address)
+          ? BTC_MAINNET_ASSETS
+          : BTC_TESTNET_ASSETS,
+      );
+    }
 
     this.update((state: Draft<BalancesControllerState>) => ({
       ...state,
@@ -292,7 +295,7 @@ export class BalancesController extends BaseController<
     return (
       !isEvmAccountType(account.type) &&
       // Non-EVM accounts are backed by a Snap for now
-      account.metadata.snap
+      account.metadata.snap !== undefined
     );
   }
 

app/scripts/lib/createDupeReqFilterStream.test.ts

@@ -3,7 +3,7 @@ import OurReadableStream from 'readable-stream';
 import ReadableStream2 from 'readable-stream-2';
 import ReadableStream3 from 'readable-stream-3';
 
-import type { JsonRpcRequest } from '@metamask/utils';
+import type { JsonRpcNotification, JsonRpcRequest } from '@metamask/utils';
 import createDupeReqFilterStream, {
   THREE_MINUTES,
 } from './createDupeReqFilterStream';
@@ -26,7 +26,7 @@ function createTestStream(output: JsonRpcRequest[] = [], S = Transform) {
 }
 
 function runStreamTest(
-  requests: JsonRpcRequest[] = [],
+  requests: (JsonRpcRequest | JsonRpcNotification)[] = [],
   advanceTimersTime = 10,
   S = Transform,
 ) {
@@ -54,12 +54,12 @@ describe('createDupeReqFilterStream', () => {
     const requests = [
       { id: 1, method: 'foo' },
       { id: 2, method: 'bar' },
-    ];
+    ].map((request) => ({ ...request, jsonrpc: '2.0' as const }));
 
     const expectedOutput = [
       { id: 1, method: 'foo' },
       { id: 2, method: 'bar' },
-    ];
+    ].map((output) => ({ ...output, jsonrpc: '2.0' }));
 
     const output = await runStreamTest(requests);
     expect(output).toEqual(expectedOutput);
@@ -69,18 +69,25 @@ describe('createDupeReqFilterStream', () => {
     const requests = [
       { id: 1, method: 'foo' },
       { id: 1, method: 'foo' }, // duplicate
-    ];
+    ].map((request) => ({ ...request, jsonrpc: '2.0' as const }));
 
-    const expectedOutput = [{ id: 1, method: 'foo' }];
+    const expectedOutput = [{ id: 1, method: 'foo' }].map((output) => ({
+      ...output,
+      jsonrpc: '2.0',
+    }));
 
     const output = await runStreamTest(requests);
     expect(output).toEqual(expectedOutput);
   });
 
   it("lets through requests if they don't have an id", async () => {
-    const requests = [{ method: 'notify1' }, { method: 'notify2' }];
+    const requests = [{ method: 'notify1' }, { method: 'notify2' }].map(
+      (request) => ({ ...request, jsonrpc: '2.0' as const }),
+    );
 
-    const expectedOutput = [{ method: 'notify1' }, { method: 'notify2' }];
+    const expectedOutput = [{ method: 'notify1' }, { method: 'notify2' }].map(
+      (output) => ({ ...output, jsonrpc: '2.0' }),
+    );
 
     const output = await runStreamTest(requests);
     expect(output).toEqual(expectedOutput);
@@ -95,15 +102,15 @@ describe('createDupeReqFilterStream', () => {
       { method: 'notify2' },
       { id: 2, method: 'bar' },
       { id: 3, method: 'baz' },
-    ];
+    ].map((request) => ({ ...request, jsonrpc: '2.0' as const }));
 
     const expectedOutput = [
       { id: 1, method: 'foo' },
       { method: 'notify1' },
       { id: 2, method: 'bar' },
       { method: 'notify2' },
       { id: 3, method: 'baz' },
-    ];
+    ].map((output) => ({ ...output, jsonrpc: '2.0' }));
 
     const output = await runStreamTest(requests);
     expect(output).toEqual(expectedOutput);

app/scripts/lib/createDupeReqFilterStream.ts

@@ -54,7 +54,8 @@ export default function createDupeReqFilterStream() {
     transform(chunk: JsonRpcRequest, _, cb) {
       // JSON-RPC notifications have no ids; our only recourse is to let them through.
       const hasNoId = chunk.id === undefined;
-      const requestNotYetSeen = seenRequestIds.add(chunk.id);
+      const requestNotYetSeen =
+        chunk.id !== null && seenRequestIds.add(chunk.id);
 
       if (hasNoId || requestNotYetSeen) {
         cb(null, chunk);

app/scripts/lib/ppom/ppom-middleware.test.ts

@@ -1,8 +1,4 @@
-import {
-  type Hex,
-  JsonRpcRequestStruct,
-  JsonRpcResponseStruct,
-} from '@metamask/utils';
+import { type Hex, JsonRpcResponseStruct } from '@metamask/utils';
 import * as ControllerUtils from '@metamask/controller-utils';
 
 import { CHAIN_IDS } from '../../../../shared/constants/network';
@@ -12,7 +8,7 @@ import {
   BlockaidResultType,
 } from '../../../../shared/constants/security-provider';
 import { flushPromises } from '../../../../test/lib/timer-helpers';
-import { createPPOMMiddleware } from './ppom-middleware';
+import { createPPOMMiddleware, PPOMMiddlewareRequest } from './ppom-middleware';
 import {
   generateSecurityAlertId,
   handlePPOMError,
@@ -32,6 +28,12 @@ const SECURITY_ALERT_RESPONSE_MOCK: SecurityAlertResponse = {
   reason: BlockaidReason.permitFarming,
 };
 
+const REQUEST_MOCK = {
+  params: [],
+  id: '',
+  jsonrpc: '2.0' as const,
+};
+
 const createMiddleware = (
   options: {
     chainId?: Hex;
@@ -117,14 +119,14 @@ describe('PPOMMiddleware', () => {
     });
 
     const req = {
-      ...JsonRpcRequestStruct,
+      ...REQUEST_MOCK,
       method: 'eth_sendTransaction',
       securityAlertResponse: undefined,
     };
 
     await middlewareFunction(
       req,
-      { ...JsonRpcResponseStruct },
+      { ...JsonRpcResponseStruct.TYPE },
       () => undefined,
     );
 
@@ -141,20 +143,20 @@ describe('PPOMMiddleware', () => {
   it('adds loading response to confirmation requests while validation is in progress', async () => {
     const middlewareFunction = createMiddleware();
 
-    const req = {
-      ...JsonRpcRequestStruct,
+    const req: PPOMMiddlewareRequest<(string | { to: string })[]> = {
+      ...REQUEST_MOCK,
       method: 'eth_sendTransaction',
       securityAlertResponse: undefined,
     };
 
     await middlewareFunction(
       req,
-      { ...JsonRpcResponseStruct },
+      { ...JsonRpcResponseStruct.TYPE },
       () => undefined,
     );
 
-    expect(req.securityAlertResponse.reason).toBe(BlockaidReason.inProgress);
-    expect(req.securityAlertResponse.result_type).toBe(
+    expect(req.securityAlertResponse?.reason).toBe(BlockaidReason.inProgress);
+    expect(req.securityAlertResponse?.result_type).toBe(
       BlockaidResultType.Loading,
     );
   });
@@ -165,11 +167,12 @@ describe('PPOMMiddleware', () => {
     });
 
     const req = {
-      ...JsonRpcRequestStruct,
+      ...REQUEST_MOCK,
       method: 'eth_sendTransaction',
       securityAlertResponse: undefined,
     };
 
+    // @ts-expect-error Passing in invalid input for testing purposes
     await middlewareFunction(req, undefined, () => undefined);
 
     expect(req.securityAlertResponse).toBeUndefined();
@@ -183,14 +186,14 @@ describe('PPOMMiddleware', () => {
     });
 
     const req = {
-      ...JsonRpcRequestStruct,
+      ...REQUEST_MOCK,
       method: 'eth_sendTransaction',
       securityAlertResponse: undefined,
     };
 
     await middlewareFunction(
       req,
-      { ...JsonRpcResponseStruct },
+      { ...JsonRpcResponseStruct.TYPE },
       () => undefined,
     );
 
@@ -202,14 +205,14 @@ describe('PPOMMiddleware', () => {
     const middlewareFunction = createMiddleware();
 
     const req = {
-      ...JsonRpcRequestStruct,
+      ...REQUEST_MOCK,
       method: 'eth_someRequest',
       securityAlertResponse: undefined,
     };
 
     await middlewareFunction(
       req,
-      { ...JsonRpcResponseStruct },
+      { ...JsonRpcResponseStruct.TYPE },
       () => undefined,
     );
 
@@ -221,15 +224,15 @@ describe('PPOMMiddleware', () => {
     const middlewareFunction = createMiddleware();
 
     const req = {
-      ...JsonRpcRequestStruct,
+      ...REQUEST_MOCK,
       params: [{ to: INTERNAL_ACCOUNT_ADDRESS }],
       method: 'eth_sendTransaction',
       securityAlertResponse: undefined,
     };
 
     await middlewareFunction(
       req,
-      { ...JsonRpcResponseStruct },
+      { ...JsonRpcResponseStruct.TYPE },
       () => undefined,
     );
 
@@ -249,7 +252,7 @@ describe('PPOMMiddleware', () => {
         '0x935e73edb9ff52e23bac7f7e043a1ecd06d05477',
         'Example password',
       ],
-      jsonrpc: '2.0',
+      jsonrpc: '2.0' as const,
       id: 2974202441,
       origin: 'https://metamask.github.io',
       networkClientId: 'mainnet',
@@ -276,6 +279,7 @@ describe('PPOMMiddleware', () => {
       },
     });
 
+    // @ts-expect-error Passing invalid input for testing purposes
     await middlewareFunction(req, undefined, () => undefined);
 
     expect(req.securityAlertResponse).toBeUndefined();
@@ -287,8 +291,8 @@ describe('PPOMMiddleware', () => {
     const nextMock = jest.fn();
 
     await middlewareFunction(
-      { ...JsonRpcRequestStruct, method: 'eth_sendTransaction' },
-      { ...JsonRpcResponseStruct },
+      { ...REQUEST_MOCK, method: 'eth_sendTransaction' },
+      { ...JsonRpcResponseStruct.TYPE },
       nextMock,
     );
 
@@ -304,12 +308,12 @@ describe('PPOMMiddleware', () => {
     const middlewareFunction = createMiddleware({ error });
 
     const req = {
-      ...JsonRpcRequestStruct,
+      ...REQUEST_MOCK,
       method: 'eth_sendTransaction',
       securityAlertResponse: undefined,
     };
 
-    await middlewareFunction(req, { ...JsonRpcResponseStruct }, nextMock);
+    await middlewareFunction(req, { ...JsonRpcResponseStruct.TYPE }, nextMock);
 
     expect(req.securityAlertResponse).toStrictEqual(
       SECURITY_ALERT_RESPONSE_MOCK,