diff --git a/.yarnrc.yml b/.yarnrc.yml index 4431d98e0dc..a77108a323a 100644 --- a/.yarnrc.yml +++ b/.yarnrc.yml @@ -13,48 +13,150 @@ logFilters: nodeLinker: node-modules npmAuditIgnoreAdvisories: + ### Advisories: + + # Issue: yargs-parser Vulnerable to Prototype Pollution + # URL - https://github.com/advisories/GHSA-p9pc-299p-vxgp + # The affected version (<5.0.0) is only included via @ensdomains/ens via + # 'solc' which is not used in the imports we use from this package. - 1088783 + + # Issue: protobufjs Prototype Pollution vulnerability + # URL - https://github.com/advisories/GHSA-h755-8qp9-cq85 + # Not easily patched. Minimally effects the extension due to usage of + # LavaMoat lockdown. Additional id added that resolves to the same advisory + # but has a different entry due to it being a new dependency of + # @trezor/connect-web. Upgrading - 1092429 - 1095136 + + # Issue: Regular Expression Denial of Service (ReDOS) + # URL: https://github.com/advisories/GHSA-257v-vj4p-3w2h + # color-string is listed as a dependency of 'color' which is brought in by + # @metamask/jazzicon v2.0.0 but there is work done on that repository to + # remove the color dependency. We should upgrade - 1089718 + + # Issue: semver vulnerable to Regular Expression Denial of Service + # URL: https://github.com/advisories/GHSA-c2qf-rxjj-qqgw + # semver is used in the solidity compiler portion of @truffle/codec that does + # not appear to be used. - 1092461 + + # Issue: Malware in @solana/web3.js + # URL: https://github.com/advisories/GHSA-2mhj-xmf4-pr8m + # we patched this to ensure the vulnerable versions are not included, but the advisory + # was mistakenly originally created to flag all versions as vulnerable - 1101059 + + # Issue: axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL + # URL: https://github.com/advisories/GHSA-jr5f-v2jv-69x6 + # We are ignoring this on March 11, 2025 to unblock CI, we will follow with a proper fix or confirmation this does not affect our users - 1102472 + + # Issue: Issue: Babel has inefficient RexExp complexity in generated code with .replace when transpiling named capturing groups + # We are ignoring this on March 12, 2025 and April 24, 2025 to unblock CI, we will follow with a proper fix or confirmation this does not affect our users - 1103026 - 1104001 + + # Issue: ses's global contour bindings leak into Compartment lexical scope + # URL: https://github.com/advisories/GHSA-h9w6-f932-gq62 + # We are ignoring this on April 24, 2025 as it does not affect the codebase. - 1103932 + + # Issue: React Router allows pre-render data spoofing on React-Router framework mode + # URL: https://github.com/MetaMask/metamask-extension/security/dependabot/228 + # will be fixed in https://github.com/MetaMask/MetaMask-planning/issues/3261 - 1104031 - 1104032 - - ts-custom-error (deprecation) - - text-encoding (deprecation) - - popper.js (deprecation) - - mini-create-react-context (deprecation) - - uuid (deprecation) + + # Temp fix for https://github.com/MetaMask/metamask-extension/pull/16920 for the sake of 11.7.1 hotfix + # This will be removed in this ticket https://github.com/MetaMask/metamask-extension/issues/22299 + - 'ts-custom-error (deprecation)' + - 'text-encoding (deprecation)' + + ### Package Deprecations: + + # React-tippy brings in popper.js and react-tippy has not been updated in + # three years. + - 'popper.js (deprecation)' + + # React-router is out of date and brings in the following deprecated package + - 'mini-create-react-context (deprecation)' + + # The affected version, which is less than 7.0.0, is brought in by + # ethereumjs-wallet version 0.6.5 used in the extension but only in a single + # file app/scripts/account-import-strategies/index.js, which may be easy to + # upgrade. + - 'uuid (deprecation)' + + # @npmcli/move-file is brought in via CopyWebpackPlugin used in the storybook + # main.js file, which can be upgraded to remove this dependency in favor of + # @npmcli/fs - '@npmcli/move-file (deprecation)' - - core-js (deprecation) + + # Upgrading babel will result in the following deprecated packages being + # updated: + - 'core-js (deprecation)' + + # Material UI dependencies are planned for removal - '@material-ui/core (deprecation)' - '@material-ui/styles (deprecation)' - '@material-ui/system (deprecation)' + + # @ensdomains/ens should be explored for upgrade. The following packages are + # deprecated and would be resolved by upgrading to newer versions of + # ensdomains packages: - '@ensdomains/ens (deprecation)' - '@ensdomains/resolver (deprecation)' - - testrpc (deprecation) - - cids (deprecation) - - multibase (deprecation) - - multicodec (deprecation) - - eth-sig-util (deprecation) - - '@metamask/controller-utils (deprecation)' - - safe-event-emitter (deprecation) - - crypto (deprecation) - - webextension-polyfill-ts (deprecation) - - ripple-lib (deprecation) - - ethereum-cryptography (deprecation) - - react-beautiful-dnd (deprecation) - - ethereumjs-wallet (deprecation) - - '@trezor/connect-web (deprecation)' - - '@solana/web3.js (deprecation)' + - 'testrpc (deprecation)' + + # Dependencies brought in by @truffle/decoder that are deprecated: + - 'cids (deprecation)' # via @ensdomains/content-hash + - 'multibase (deprecation)' # via cids + - 'multicodec (deprecation)' # via cids + + # MetaMask owned repositories brought in by other MetaMask dependencies that + # can be resolved by updating the versions throughout the dependency tree + - 'eth-sig-util (deprecation)' # via @metamask/eth-ledger-bridge-keyring + - '@metamask/controller-utils (deprecation)' # via @metamask/phishing-controller + - 'safe-event-emitter (deprecation)' # via eth-block-tracker and others -npmRegistryServer: 'https://registry.npmjs.org/' + # @metamask-institutional relies upon crypto which is deprecated + - 'crypto (deprecation)' + # @metamask/providers uses webextension-polyfill-ts which has been moved to + # @types/webextension-polyfill + - 'webextension-polyfill-ts (deprecation)' + + # Imported in @trezor/blockchain-link@npm:2.1.8, but not actually depended on + # by MetaMask + - 'ripple-lib (deprecation)' + + # Brought in by ethereumjs-utils, which is used in the extension and in many + # other dependencies. At the time of this exclusion, the extension has three + # old versions of ethereumjs-utils which should be upgraded to + # @ethereumjs/utils throughout our owned repositories. However even doing + # that may be insufficient due to dependencies we do not own still relying + # upon old versions of ethereumjs-utils. + - 'ethereum-cryptography (deprecation)' + + # Currently in use for the network list drag and drop functionality. + # Maintenance has stopped and the project will be archived in 2025. + - 'react-beautiful-dnd (deprecation)' + # New package name format for new versions: @ethereumjs/wallet. + - 'ethereumjs-wallet (deprecation)' + + # The new trezor version breaks the webpack build due to issues with ESM and CommonJS + # Leading to this error on start: `Uncaught ReferenceError: exports is not defined` + # We temporarily ignore the audit failure until we can safely upgrade to the new version without breaking the webpack build + # Check Trezor 9.5.X Changelog for more info: https://github.com/trezor/trezor-suite/blob/develop/packages/connect/CHANGELOG.md + - '@trezor/connect-web (deprecation)' + + # We temporarily ignore the deprecation notice to unblock ci + # Issue: @solana/web3.js version 2.0 is now @solana/kit! Remove @solana/web3.js@2 from your dependencies and replace it with @solana/kit. + # As needed, upgrade all of your @solana-program/* dependencies to the latest versions that use Kit. + - '@solana/web3.js (deprecation)' plugins: - path: .yarn/plugins/@yarnpkg/plugin-allow-scripts.cjs spec: 'https://raw.githubusercontent.com/LavaMoat/LavaMoat/main/packages/yarn-plugin-allow-scripts/bundles/@yarnpkg/plugin-allow-scripts.js'