feat: bump Accounts dependencies

[hmalik88]

Description

Aligns the mobile app's @metamask/accounts and @metamask/core dependency graphs with the just-released @metamask/core@952.0.0 packages and the latest published versions of every direct accounts-repo dep. #8584 removed InternalAccount.metadata.snap.{enabled, name}, account-tree-controller@7.2.0 expanded the account-type union with stellar:account, and the new core packages compile against @metamask/messenger@^1.2.0. The pre-existing pins caused multiple-version installs of keyring-api, keyring-internal-api, and messenger. This PR brings everything onto a single, consistent set.

Dependency changes

Direct accounts-repo bumps

Package	From	To
@metamask/account-api	^1.0.0	^1.0.4
@metamask/eth-hd-keyring	^13.0.0	^14.1.1
@metamask/eth-ledger-bridge-keyring	^11.4.0	^12.0.2
@metamask/eth-money-keyring	^2.0.0	^2.0.4
@metamask/eth-qr-keyring	^1.1.0	^2.0.2
@metamask/eth-snap-keyring	^20.0.0	^22.0.1
@metamask/hw-wallet-sdk	^0.7.0	^0.8.0
@metamask/keyring-api	^21.6.0	^23.1.0
@metamask/keyring-internal-api	^10.0.0	^11.0.1
@metamask/keyring-sdk	^1.1.0	^2.0.2
@metamask/keyring-snap-client	^8.2.1	^9.0.2

Major bumps (eth-hd-keyring, eth-ledger-bridge-keyring, eth-qr-keyring, eth-snap-keyring, keyring-api, keyring-internal-api, keyring-sdk, keyring-snap-client) have no source-code impact in this repo; verified via git grep for the moved/renamed *V2 symbols (none used) and tsc.

Core package bumps (from @metamask/core@952.0.0)

Package	From	To
@metamask/accounts-controller	^37.2.0	^38.0.0
@metamask/account-tree-controller	^7.1.0	^7.2.0
@metamask/earn-controller	^12.0.0	^12.1.0
@metamask/keyring-controller	^25.2.0	^25.4.0
@metamask/money-account-controller	^0.1.0	^0.2.0
@metamask/multichain-network-controller	^3.0.5	^3.1.0
@metamask/multichain-transactions-controller	^7.0.4	^7.1.0
@metamask/network-enablement-controller	^4.2.0	^5.1.0

Added resolutions

• "@metamask/messenger": "^1.1.0" — the new core packages compile against @metamask/messenger@^1.2.0, but mobile's source uses @metamask/messenger@^1.1.0. Without forcing a single version, TypeScript resolves controller messenger types from the nested 1.2.0 install while the local code uses helpers from 1.1.x — the two Messenger types are nominally distinct and the MessengerActions<...> / MessengerEvents<...> extractors return never, breaking ~70 messenger config files. The 1.2.0 changelog has no **BREAKING:** entries (additions: getAction, subscribeOnce, waitUntil); confirmed via git grep that none of the bumped packages use the 1.2.x-only methods at runtime.
• "@metamask/keyring-internal-api": "^11.0.1" — assets-controllers@105.x, bridge-controller@71.x, multichain-account-service@8.0.1, etc. carry nested keyring-internal-api@10.1.1 copies whose InternalAccount type union doesn't include stellar:account. Forcing 11.0.1 across the tree unifies the type and removes false not assignable errors at the type boundaries.

keyring-api resolutions trimmed

The pre-existing @metamask/keyring-api@npm:^X.Y.Z → 23.0.1 mappings have been retargeted to 23.1.0 and pruned to the four still-active ones:

• Kept: ^21.3.0, ^21.4.0, ^21.6.0, ^22.0.0 → 23.1.0 (each is triggered by at least one transitive consumer remaining in the tree; eth-hd-keyring@13.0.0, eth-snap-keyring@19.0.0 / keyring-snap-sdk@7.2.0, multichain-account-service@8.0.1, keyring-internal-snap-client@9.0.x / keyring-snap-client@8.2.x).
• Dropped: ^21.5.0 (no remaining consumer post-bump) and ^23.0.1 (redundant — caret-overlaps with ^23.1.0 and yarn dedupe handles it without forcing). Verified by removing each and confirming the lockfile still resolves to a single keyring-api@23.1.0.

Integration changes

accounts-controller@38.0.0 removed metadata.snap.{enabled, name} (#8584)

• app/core/Engine/messengers/accounts-controller-messenger/index.ts — dropped SnapControllerStateChangeEvent from the delegated events and the unused import; the new accounts-controller no longer accepts it.
• 7 mock fixture cleanups across test/util files (snap metadata literals no longer have name/enabled fields):
  • app/components/UI/Earn/hooks/useTronClaimUnstakedTrx.test.ts
  • app/components/hooks/useKeyringId.test.ts
  • app/core/Multichain/test/utils.test.ts
  • app/core/SnapKeyring/SnapKeyring.test.ts
  • app/util/address/index.test.ts
  • app/util/test/accountsControllerTestUtils.ts (3 sites)

keyring-controller@25.3.0+ widened withKeyring callback signature

The operation parameter is now ({ keyring, metadata }: KeyringEntry) with keyring: EthKeyring, instead of being parametrized by the SelectedKeyring generic. The mobile-side wrappers withLedgerKeyring and withQrKeyring previously narrowed the keyring type via that generic.

• app/core/Ledger/Ledger.ts, app/core/QrKeyring/QrKeyring.ts — keep the external wrapper signatures ({ keyring: LedgerKeyring … } / { keyring: QrKeyring … }) but narrow inside the inner callback via an instanceof LedgerKeyring / instanceof QrKeyring runtime guard. This uses TypeScript's flow-based narrowing with no as cast and an explicit error path that documents the invariant (the selector filters by keyring type, so the cast is sound).

Changelog

CHANGELOG entry: null

Related issues

Fixes: N/A

Manual testing steps

N/A

Screenshots/Recordings

N/A

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Mobile Coding Standards.
• I've completed the PR template to the best of my ability
• I've included tests if applicable
• I've documented my code using JSDoc format if applicable
• I've applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Performance checks (if applicable)

• I've tested on Android
  • Ideally on a mid-range device; emulator is acceptable
• I've tested with a power user scenario
  • Use these power-user SRPs to import wallets with many accounts and tokens
• I've instrumented key operations with Sentry traces for production performance metrics
  • See trace() for usage and addToken for an example

For performance guidelines and tooling, see the Performance Guide.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---

Note

Medium Risk
Upgrades multiple @metamask/* controller/keyring dependencies and adjusts messenger/keyring integration points; while mostly type/test-driven, it touches hardware-wallet keyring access paths and messenger delegation typing.

Overview
Aligns the app’s accounts/core dependency graph with newer @metamask/* controller and keyring packages (plus updated yarn.lock/resolutions) to eliminate version skew.

Updates integration code to match the new APIs: removes the Snap controller state-change event from the AccountsController messenger delegation, and adds a type-erasing cast in rewards-controller-messenger to avoid TypeScript union-complexity errors.

Hardens withLedgerKeyring and withQrKeyring wrappers with instanceof runtime guards (throwing when a wrong keyring is returned) and adjusts related hardware-wallet tests to use real keyring instances/spies and updated account/snap metadata shapes (removing metadata.snap.name/enabled across fixtures).

^{Reviewed by Cursor Bugbot for commit 1bb588a. Bugbot is set up for automated code reviews on this repo. Configure here.}

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​@​metamask/​eth-snap-keyring@​20.0.0 ⏵ 22.0.1			-1	+2
	npm/​@​metamask/​keyring-internal-api@​10.1.1 ⏵ 11.0.1
	npm/​@​metamask/​eth-money-keyring@​2.0.0 ⏵ 2.0.4	+1			+3
	npm/​@​metamask/​money-account-controller@​0.1.0 ⏵ 0.2.0				+2
	npm/​@​metamask/​multichain-transactions-controller@​7.0.4 ⏵ 7.1.0			+1	-1
	npm/​@​metamask/​keyring-sdk@​1.2.0 ⏵ 2.0.2	+1		+1	+2
	npm/​@​metamask/​eth-qr-keyring@​1.1.0 ⏵ 2.0.2	+25		+7	+2
	npm/​@​metamask/​keyring-snap-client@​9.0.1 ⏵ 9.0.2
	npm/​@​metamask/​account-api@​1.0.3 ⏵ 1.0.4				+2
	npm/​@​metamask/​multichain-network-controller@​3.0.6 ⏵ 3.1.0			+1	-1
	npm/​@​metamask/​earn-controller@​12.0.0 ⏵ 12.1.0
	npm/​@​metamask/​keyring-controller@​25.2.0 ⏵ 25.4.0			+1	+2
	npm/​@​metamask/​account-tree-controller@​7.1.0 ⏵ 7.2.0	+1		+1
	npm/​@​metamask/​network-controller@​30.0.1 ⏵ 30.1.0			+1	+2
	npm/​@​metamask/​eth-json-rpc-middleware@​23.1.2 ⏵ 23.1.3	+1		+1	+1
	npm/​@​metamask/​eth-ledger-bridge-keyring@​11.4.0 ⏵ 12.0.2	+1		+3
	npm/​@​metamask/​eth-hd-keyring@​13.1.0 ⏵ 14.1.1	+1			+5
	npm/​@​metamask/​network-enablement-controller@​4.2.0 ⏵ 5.1.0

View full report

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 1fedf87. Configure here.}

[gantunesr]

Code looks good, will test HW flows. @hmalik88 do you know what other changes it should be considered for testing?

[gantunesr]

LGTM and tested ✅

[github-actions]

🔍 Smart E2E Test Selection

• Selected E2E tags: SmokeAccounts, SmokeConfirmations, SmokeIdentity, SmokeNetworkAbstractions, SmokeNetworkExpansion, SmokeSwap, SmokeStake, SmokeWalletPlatform, SmokeMoney, SmokePerps, SmokeMultiChainAPI, SmokePredictions, SmokeSeedlessOnboarding, SmokeBrowser, SmokeSnaps
• Selected Performance tags: @PerformanceAccountList, @PerformanceOnboarding, @PerformanceLogin, @PerformanceSwaps, @PerformanceLaunch, @PerformanceAssetLoading, @PerformancePredict, @PerformancePreps
• Risk Level: high
• AI Confidence: 100%

click to see 🤖 AI reasoning details

E2E Test Selection:
Hard rule (controller-version-update): @MetaMask controller package version updated in package.json: @metamask/accounts-controller, @metamask/account-tree-controller, @metamask/earn-controller, @metamask/keyring-controller, @metamask/money-account-controller, @metamask/multichain-network-controller, @metamask/multichain-transactions-controller, @metamask/network-enablement-controller. Running all tests.

Performance Test Selection:
Hard rule (controller-version-update): @MetaMask controller package version updated in package.json: @metamask/accounts-controller, @metamask/account-tree-controller, @metamask/earn-controller, @metamask/keyring-controller, @metamask/money-account-controller, @metamask/multichain-network-controller, @metamask/multichain-transactions-controller, @metamask/network-enablement-controller. Running all tests.

View GitHub Actions results

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
100.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud