Bump @metamask/json-rpc-engine from 10.0.3 to 10.2.0

[dependabot]

Bumps @metamask/json-rpc-engine from 10.0.3 to 10.2.0.

Commits

• fcb43e6 Release/687.0.0 (#7202)
• 39f7d66 add tron filtering options to token-selectors (#7198)
• 85855a0 fix: generate-method-action-types works for services as well (#7200)
• 9e5d8c4 Revert "Release 687.0.0" (#7201)
• b557946 Release 687.0.0 (#7190)
• 88a7542 feat: get gas fee tokens action (#7197)
• 901f63a feat: add address scanning to phishing controller (#7118)
• 2c96855 Follow up to eth-json-rpc-middleware rewrite PR (#7138)
• 3ef1b23 fix: relay quote gas fee calculation if multiple steps (#7191)
• 3317996 Release/686.0.0 (#7189)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

---

Note

Upgrade @metamask/json-rpc-engine to 10.2.0 and update/add related transitive dependencies in yarn.lock.

• Dependencies:
  • Upgrade @metamask/json-rpc-engine from 10.0.3 to 10.2.0.
  • Update transitive deps: @metamask/utils to ^11.8.1.
  • Add new transitive deps: @types/deep-freeze-strict, deep-freeze-strict, klona, @types/lodash.
  • Lockfile updated accordingly.

^{Written by Cursor Bugbot for commit 7855af9. This will update automatically on new commits. Configure here.}

[socket-security]

Warning

MetaMask internal reviewing guidelines:

• Do not ignore-all
• Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
• Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
  @SocketSecurity ignore npm/PACKAGE@VERSION

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Potential code anomaly (AI signal): npm klona is 100.0% likely to have a medium risk anomaly Notes: The analyzed code is a deep clone utility (klona) with careful handling to avoid prototype pollution and to clone common JavaScript types. The primary concern is that objects with non-plain constructors are instantiated via new x.constructor(), which could execute user-defined constructor logic and potentially have side effects. Aside from that, there are no malicious behaviors such as data exfiltration, backdoors, or network activity. Overall security risk is low to moderate depending on trust in input objects; the constructor path is the main anomaly to monitor in usage. Confidence: 1.00 Severity: 0.60 From: ? → npm/@metamask/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report