Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

setup changes #29954

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
+7,117 −6,076
Open

setup changes #29954

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
137 changes: 27 additions & 110 deletions .yarnrc.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -13,123 +13,40 @@ logFilters:
nodeLinker: node-modules

npmAuditIgnoreAdvisories:
### Advisories:

# Issue: yargs-parser Vulnerable to Prototype Pollution
# URL - https://github.com/advisories/GHSA-p9pc-299p-vxgp
# The affected version (<5.0.0) is only included via @ensdomains/ens via
# 'solc' which is not used in the imports we use from this package.
- 1088783

# Issue: protobufjs Prototype Pollution vulnerability
# URL - https://github.com/advisories/GHSA-h755-8qp9-cq85
# Not easily patched. Minimally effects the extension due to usage of
# LavaMoat lockdown. Additional id added that resolves to the same advisory
# but has a different entry due to it being a new dependency of
# @trezor/connect-web. Upgrading
- 1092429
- 1095136

# Issue: Regular Expression Denial of Service (ReDOS)
# URL: https://github.com/advisories/GHSA-257v-vj4p-3w2h
# color-string is listed as a dependency of 'color' which is brought in by
# @metamask/jazzicon v2.0.0 but there is work done on that repository to
# remove the color dependency. We should upgrade
- 1089718

# Issue: semver vulnerable to Regular Expression Denial of Service
# URL: https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
# semver is used in the solidity compiler portion of @truffle/codec that does
# not appear to be used.
- 1092461

# Issue: Malware in @solana/web3.js
# URL: https://github.com/advisories/GHSA-2mhj-xmf4-pr8m
# we patched this to ensure the vulnerable versions are not included, but the advisory
# was mistakenly originally created to flag all versions as vulnerable
- 1101059



# Temp fix for https://github.com/MetaMask/metamask-extension/pull/16920 for the sake of 11.7.1 hotfix
# This will be removed in this ticket https://github.com/MetaMask/metamask-extension/issues/22299
- 'ts-custom-error (deprecation)'
- 'text-encoding (deprecation)'

### Package Deprecations:

# React-tippy brings in popper.js and react-tippy has not been updated in
# three years.
- 'popper.js (deprecation)'

# React-router is out of date and brings in the following deprecated package
- 'mini-create-react-context (deprecation)'

# The affected version, which is less than 7.0.0, is brought in by
# ethereumjs-wallet version 0.6.5 used in the extension but only in a single
# file app/scripts/account-import-strategies/index.js, which may be easy to
# upgrade.
- 'uuid (deprecation)'

# @npmcli/move-file is brought in via CopyWebpackPlugin used in the storybook
# main.js file, which can be upgraded to remove this dependency in favor of
# @npmcli/fs
- '@npmcli/move-file (deprecation)'

# Upgrading babel will result in the following deprecated packages being
# updated:
- 'core-js (deprecation)'

# Material UI dependencies are planned for removal
- '@material-ui/core (deprecation)'
- '@material-ui/styles (deprecation)'
- '@material-ui/system (deprecation)'

# @ensdomains/ens should be explored for upgrade. The following packages are
# deprecated and would be resolved by upgrading to newer versions of
# ensdomains packages:
- '@ensdomains/ens (deprecation)'
- '@ensdomains/resolver (deprecation)'
- 'testrpc (deprecation)'

# Dependencies brought in by @truffle/decoder that are deprecated:
- 'cids (deprecation)' # via @ensdomains/content-hash
- 'multibase (deprecation)' # via cids
- 'multicodec (deprecation)' # via cids

# MetaMask owned repositories brought in by other MetaMask dependencies that
# can be resolved by updating the versions throughout the dependency tree
- 'eth-sig-util (deprecation)' # via @metamask/eth-ledger-bridge-keyring
- '@metamask/controller-utils (deprecation)' # via @metamask/phishing-controller
- 'safe-event-emitter (deprecation)' # via eth-block-tracker and others

# @metamask-institutional relies upon crypto which is deprecated
- 'crypto (deprecation)'

# @metamask/providers uses webextension-polyfill-ts which has been moved to
# @types/webextension-polyfill
- 'webextension-polyfill-ts (deprecation)'

# Imported in @trezor/blockchain-link@npm:2.1.8, but not actually depended on
# by MetaMask
- 'ripple-lib (deprecation)'

# Brought in by ethereumjs-utils, which is used in the extension and in many
# other dependencies. At the time of this exclusion, the extension has three
# old versions of ethereumjs-utils which should be upgraded to
# @ethereumjs/utils throughout our owned repositories. However even doing
# that may be insufficient due to dependencies we do not own still relying
# upon old versions of ethereumjs-utils.
- 'ethereum-cryptography (deprecation)'

# Currently in use for the network list drag and drop functionality.
# Maintenance has stopped and the project will be archived in 2025.
- 'react-beautiful-dnd (deprecation)'
# New package name format for new versions: @ethereumjs/wallet.
- 'ethereumjs-wallet (deprecation)'
- ts-custom-error (deprecation)
- text-encoding (deprecation)
- popper.js (deprecation)
- mini-create-react-context (deprecation)
- uuid (deprecation)
- "@npmcli/move-file (deprecation)"
- core-js (deprecation)
- "@material-ui/core (deprecation)"
- "@material-ui/styles (deprecation)"
- "@material-ui/system (deprecation)"
- "@ensdomains/ens (deprecation)"
- "@ensdomains/resolver (deprecation)"
- testrpc (deprecation)
- cids (deprecation)
- multibase (deprecation)
- multicodec (deprecation)
- eth-sig-util (deprecation)
- "@metamask/controller-utils (deprecation)"
- safe-event-emitter (deprecation)
- crypto (deprecation)
- webextension-polyfill-ts (deprecation)
- ripple-lib (deprecation)
- ethereum-cryptography (deprecation)
- react-beautiful-dnd (deprecation)
- ethereumjs-wallet (deprecation)

plugins:
- path: .yarn/plugins/@yarnpkg/plugin-allow-scripts.cjs
spec: 'https://raw.githubusercontent.com/LavaMoat/LavaMoat/main/packages/yarn-plugin-allow-scripts/bundles/@yarnpkg/plugin-allow-scripts.js'
spec: "https://raw.githubusercontent.com/LavaMoat/LavaMoat/main/packages/yarn-plugin-allow-scripts/bundles/@yarnpkg/plugin-allow-scripts.js"
- path: .yarn/plugins/@yarnpkg/plugin-engines.cjs
spec: 'https://raw.githubusercontent.com/devoto13/yarn-plugin-engines/main/bundles/%40yarnpkg/plugin-engines.js'
spec: "https://raw.githubusercontent.com/devoto13/yarn-plugin-engines/main/bundles/%40yarnpkg/plugin-engines.js"
Loading
Loading