chore: Migrate SIWE dependency to @signinwithethereum/siwe v4#8419

Closed
caveman-eth wants to merge 1 commit intoMetaMask:mainfrom
caveman-eth:update-siwe-dependencies

@caveman-eth caveman-eth commented Apr 9, 2026

Edit: superseded by #8497.

Explanation

Current state

The monorepo depends on two SIWE (Sign-In With Ethereum / EIP-4361) packages originally maintained by Spruce:

  • @spruceid/siwe-parser v2.1.0 — used by @metamask/controller-utils to detect and parse SIWE messages via detectSIWE()
  • siwe v2.3.2 — used by @metamask/profile-sync-controller to construct SIWE login messages via new SiweMessage({...}).prepareMessage()

The Spruce siwe package is no longer maintained.

Stewardship of the SIWE standard has moved to the Ethereum Identity Foundation (GitHub).
@signinwithethereum/siwe is the official successor TypeScript implementation.

Similar migrations:

  • x402-foundation/x402#1917
  • magiclabs/magic-js#1074

What this PR does

Swaps the abandoned packages for the actively maintained successors. The ParsedMessage and SiweMessage class APIs are identical - same constructors, same fields, same methods. This is purely a dependency swap with import path updates.

Files changed:

| Package | File | Change |
| --- | --- | --- |
| controller-utils | package.json | Replaced dependency |
| controller-utils | src/siwe.ts | Import path updated |
| controller-utils | src/siwe.test.ts | Import path updated |
| profile-sync-controller | package.json | Replaced dependency |
| profile-sync-controller | src/sdk/authentication-jwt-bearer/flow-siwe.ts | Import path updated |

EIP-55 patches in client repos become obsolete

The old version strictly rejected non-checksummed Ethereum addresses in SIWE messages. Because many dApps produce lowercase addresses, both MetaMask client repos maintain patches to disable the check — otherwise detectSIWE returns { isSIWEMessage: false } and users don't see the specialized SIWE approval screen.

@signinwithethereum/siwe-parser v4.2.0 (release notes) relaxes this:

  • All-lowercase and all-uppercase addresses now parse successfully with a non-fatal warning on the new warnings: string[] field of ParsedMessage
  • Only mixed-case addresses with an incorrect checksum still fail to parse
  • Verification is case-insensitive for EOA signature recovery
  • Object-constructed SiweMessage instances are normalized to EIP-55

If the client repos upgrade to this version of controller-utils, they can delete these patches and any related package.json resolutions:

References

Checklist

  • I've updated the test suite for new or updated code as appropriate
  • I've updated documentation (JSDoc, Markdown, etc.) for new or updated code as appropriate
  • I've communicated my changes to consumers by updating changelogs for packages I've changed
  • I've introduced breaking changes in this PR and have prepared draft pull requests for clients and consumer packages to resolve them
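
The address-case rules listed in the description above, as an added example that is not part of this PR or of @signinwithethereum/siwe-parser: a stand-alone classifier that accepts a valid EIP-55 address, accepts a single-case address with a warning, and rejects a mixed-case address with a bad checksum. The function names, return shape and message strings are assumptions, and Keccak-256 is implemented inline for inputs shorter than 136 bytes.

```javascript
// Added example: EIP-55 case policy. Function names and return shape are hypothetical.
const MASK = (1n << 64n) - 1n;
const rol = (v, n) => ((v << BigInt(n % 64)) | (v >> BigInt(64 - (n % 64)))) & MASK;
function keccakF(A) { // Keccak-f[1600] over 25 BigInt lanes, lane index = x + 5*y
  let R = 1;
  for (let round = 0; round < 24; round++) {
    const C = [0, 1, 2, 3, 4].map((x) => A[x] ^ A[x + 5] ^ A[x + 10] ^ A[x + 15] ^ A[x + 20]);
    for (let i = 0; i < 25; i++) A[i] ^= C[(i + 4) % 5] ^ rol(C[(i + 1) % 5], 1); // theta
    let x = 1, y = 0, cur = A[1];
    for (let t = 0; t < 24; t++) { // rho and pi
      [x, y] = [y, (2 * x + 3 * y) % 5];
      [cur, A[x + 5 * y]] = [A[x + 5 * y], rol(cur, ((t + 1) * (t + 2)) / 2)];
    }
    for (let row = 0; row < 25; row += 5) { // chi
      const T = A.slice(row, row + 5);
      for (let k = 0; k < 5; k++) A[row + k] = T[k] ^ (~T[(k + 1) % 5] & T[(k + 2) % 5]);
    }
    for (let j = 0; j < 7; j++) { // iota: round constant bits from an 8-bit LFSR
      R = ((R << 1) ^ ((R >> 7) * 0x71)) % 256;
      if (R & 2) A[0] ^= 1n << ((1n << BigInt(j)) - 1n);
    }
  }
}

function keccak256Hex(bytes) { // single-block sponge: bytes.length must be < 136
  const block = new Uint8Array(136);
  block.set(bytes);
  block[bytes.length] ^= 0x01; // legacy Keccak padding byte, not SHA-3's 0x06
  block[135] ^= 0x80;
  const A = Array(25).fill(0n);
  for (let i = 0; i < 136; i++) A[i >> 3] |= BigInt(block[i]) << BigInt(8 * (i % 8));
  keccakF(A);
  const byteAt = (i) => (A[i >> 3] >> BigInt(8 * (i % 8))) & 0xffn;
  return Array.from({ length: 32 }, (_, i) => byteAt(i).toString(16).padStart(2, '0')).join('');
}

function toChecksum(body) { // EIP-55: uppercase hex digit i when hash nibble i >= 8
  const lower = body.toLowerCase(), h = keccak256Hex(new TextEncoder().encode(lower));
  return [...lower].map((c, i) => (parseInt(h[i], 16) >= 8 ? c.toUpperCase() : c)).join('');
}

function classifyAddress(address) {
  const m = /^0x([0-9a-fA-F]{40})$/.exec(address);
  if (!m) return { ok: false, error: 'not a 20-byte hex address', warnings: [] };
  if (m[1] === toChecksum(m[1])) return { ok: true, warnings: [] };
  const singleCase = m[1] === m[1].toLowerCase() || m[1] === m[1].toUpperCase();
  return singleCase
    ? { ok: true, warnings: ['address is not EIP-55 checksummed'] }
    : { ok: false, error: 'mixed-case address fails EIP-55 checksum', warnings: [] };
}
```

A caller that surfaces `warnings` in the approval UI still lets the user see that a dApp sent an unchecksummed address, even though the message now parses.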

@caveman-eth caveman-eth requested review from a team as code owners April 9, 2026 21:37
socket-security bot commented Apr 9, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
| --- | --- | --- | --- | --- | --- | --- |
| Added | @signinwithethereum/siwe@4.1.0 | 75 | 100 | 100 | 90 | 100 |
| Added | @signinwithethereum/siwe-parser@4.1.0 | 77 | 100 | 95 | 90 | 100 |

@caveman-eth caveman-eth force-pushed the update-siwe-dependencies branch from 5cd254a to 23641d3 Compare April 10, 2026 15:21
Swap out unmaintained SpruceID SIWE packages for the @signinwithethereum successors. Updated dependencies and imports: controller-utils now depends on @signinwithethereum/siwe-parser (^4.1.0) and imports ParsedMessage in siwe.ts and siwe.test.ts; profile-sync-controller now depends on @signinwithethereum/siwe (^4.1.0) and imports SiweMessage in flow-siwe.ts. CHANGELOGs updated to document the migration. The public APIs used (ParsedMessage / SiweMessage) remain unchanged.
@caveman-eth caveman-eth force-pushed the update-siwe-dependencies branch from 23641d3 to a30c143 Compare April 13, 2026 16:24
@caveman-eth
Author

temp closing to wait 3 day window for package update - we have a new version that implements the EIP55 patch that you guys have made, natively into the siwe package

Extension: .yarn/patches/@spruceid-siwe-parser-npm-2.1.0-060b7ede7a.patch
Mobile: patches/@spruceid+siwe-parser+2.1.0.patch
