.yarnrc.yml
# Yarn project configuration. Several settings below are supply-chain
# controls (install scripts, audit suppressions, registries, plugins), so a
# change to this file deserves the same review as a dependency change.

# Compression setting for the package archives Yarn keeps in its cache.
compressionLevel: mixed
# Keep the package cache inside the project rather than in the shared
# per-user cache.
enableGlobalCache: false
# Do not run dependencies' install-time lifecycle scripts (e.g. postinstall),
# which removes install-time code execution by third-party packages.
# NOTE(review): the allow-scripts plugin listed under `plugins` presumably
# re-enables a reviewed subset; that allowlist is not part of this file.
enableScripts: false
enableTelemetry: false
# Drop log messages with code YN0004.
# NOTE(review): YN0004 looks like Yarn's "build scripts disabled" notice,
# which would be expected noise with enableScripts off -- confirm.
logFilters:
  - code: YN0004
    level: discard
# Install packages into a conventional node_modules tree.
nodeLinker: node-modules
# Findings that `yarn npm audit` must not report. Numeric entries are advisory
# IDs; '<name> (deprecation)' entries silence deprecation notices.
# Every entry hides a finding, so each one carries its justification below.
# Those justifications are reachability claims ("not used", "only via X") that
# go stale when the dependency tree changes: re-check them on upgrades and
# delete an entry once the affected package is gone.
# NOTE(review): confirm each numeric ID still maps to the GHSA URL beside it.
npmAuditIgnoreAdvisories:
  ### Advisories:
  # Issue: yargs-parser Vulnerable to Prototype Pollution
  # URL - https://github.com/advisories/GHSA-p9pc-299p-vxgp
  # The affected version (<5.0.0) is only included via @ensdomains/ens via
  # 'solc' which is not used in the imports we use from this package.
  - 1088783
  # Issue: protobufjs Prototype Pollution vulnerability
  # URL - https://github.com/advisories/GHSA-h755-8qp9-cq85
  # Not easily patched. Minimally affects the extension due to usage of
  # LavaMoat lockdown.
  # NOTE(review): this holds only in contexts where lockdown is actually
  # applied -- confirm that covers every place protobufjs is loaded.
  - 1092429
  # Issue: Regular Expression Denial of Service (ReDOS)
  # URL: https://github.com/advisories/GHSA-257v-vj4p-3w2h
  # color-string is listed as a dependency of 'color' which is brought in by
  # @metamask/jazzicon v2.0.0 but there is work done on that repository to
  # remove the color dependency. We should upgrade
  - 1089718
  # Issue: semver vulnerable to Regular Expression Denial of Service
  # URL: https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
  # semver is used in the solidity compiler portion of @truffle/codec that does
  # not appear to be used.
  - 1092461
  ### Package Deprecations:
  # React-tippy brings in popper.js and react-tippy has not been updated in
  # three years.
  - 'popper.js (deprecation)'
  # React-router is out of date and brings in the following deprecated package
  - 'mini-create-react-context (deprecation)'
  # The affected version, which is less than 7.0.0, is brought in by
  # ethereumjs-wallet version 0.6.5 used in the extension but only in a single
  # file app/scripts/account-import-strategies/index.js, which may be easy to
  # upgrade.
  - 'uuid (deprecation)'
  # @npmcli/move-file is brought in via CopyWebpackPlugin used in the storybook
  # main.js file, which can be upgraded to remove this dependency in favor of
  # @npmcli/fs
  - '@npmcli/move-file (deprecation)'
  # Upgrading babel will result in the following deprecated packages being
  # updated:
  - 'core-js (deprecation)'
  # Material UI dependencies are planned for removal
  - '@material-ui/core (deprecation)'
  - '@material-ui/styles (deprecation)'
  - '@material-ui/system (deprecation)'
  # @ensdomains/ens should be explored for upgrade. The following packages are
  # deprecated and would be resolved by upgrading to newer versions of
  # ensdomains packages:
  - '@ensdomains/ens (deprecation)'
  - '@ensdomains/resolver (deprecation)'
  - 'testrpc (deprecation)'
  # Dependencies brought in by @truffle/decoder that are deprecated:
  - 'cids (deprecation)' # via @ensdomains/content-hash
  - 'multibase (deprecation)' # via cids
  - 'multicodec (deprecation)' # via cids
  # MetaMask owned repositories brought in by other MetaMask dependencies that
  # can be resolved by updating the versions throughout the dependency tree
  - 'eth-sig-util (deprecation)' # via @metamask/eth-ledger-bridge-keyring
  - '@metamask/controller-utils (deprecation)' # via @metamask/phishing-controller
  - 'safe-event-emitter (deprecation)' # via eth-block-tracker and others
  # @metamask-institutional relies upon crypto which is deprecated
  - 'crypto (deprecation)'
  # @metamask/providers uses webextension-polyfill-ts which has been moved to
  # @types/webextension-polyfill
  - 'webextension-polyfill-ts (deprecation)'
# Per-registry credentials. The token is read from the environment, so no
# secret is stored in this file; the trailing `-` makes the value fall back to
# an empty string when the variable is unset.
# NOTE(review): the variable name suggests a read-only token -- confirm the
# token issued to CI and developers carries no write/publish scope.
npmRegistries:
  'https://npm.pkg.github.com':
    npmAlwaysAuth: true
    npmAuthToken: '${GITHUB_PACKAGE_READ_TOKEN-}'
# Registry used for the `metamask` scope. It defaults to the public Yarn
# registry, but METAMASK_NPM_REGISTRY overrides it, so whoever can set that
# variable in a build environment chooses where those packages are fetched
# from. Treat the variable as security-sensitive in CI, and rely on the
# lockfile's recorded checksums to catch substituted packages.
npmScopes:
  metamask:
    npmRegistryServer: '${METAMASK_NPM_REGISTRY:-https://registry.yarnpkg.com}'
# Yarn plugins. `path` is the bundle committed to the repository and loaded by
# Yarn; `spec` records where it was imported from. Plugin code runs inside
# Yarn itself and is not restricted by `enableScripts: false`.
# Both specs point at a `main` branch, i.e. a mutable reference: re-importing
# a plugin fetches whatever that branch holds at that moment. Prefer a tag or
# commit in the spec, and review any diff to the committed .cjs files.
plugins:
  - path: .yarn/plugins/@yarnpkg/plugin-allow-scripts.cjs
    spec: 'https://raw.githubusercontent.com/LavaMoat/LavaMoat/main/packages/yarn-plugin-allow-scripts/bundles/@yarnpkg/plugin-allow-scripts.js'
  - path: .yarn/plugins/@yarnpkg/plugin-engines.cjs
    spec: 'https://raw.githubusercontent.com/devoto13/yarn-plugin-engines/main/bundles/%40yarnpkg/plugin-engines.js'
# The Yarn release committed to the repository; this file is what actually
# executes for every `yarn` command, so changes to it need review like any
# other code. The pinned build is a release candidate (rc.48).
yarnPath: .yarn/releases/yarn-4.0.0-rc.48.cjs