chore: put comments back in .yarnrc.yml

.yarnrc.yml

@@ -13,50 +13,152 @@ logFilters:
 nodeLinker: node-modules
 
 npmAuditIgnoreAdvisories:
+  ### Advisories:
+
+  # Issue: yargs-parser Vulnerable to Prototype Pollution
+  # URL - https://github.com/advisories/GHSA-p9pc-299p-vxgp
+  # The affected version (<5.0.0) is only included via @ensdomains/ens via
+  # 'solc' which is not used in the imports we use from this package.
   - 1088783
+
+  # Issue: protobufjs Prototype Pollution vulnerability
+  # URL - https://github.com/advisories/GHSA-h755-8qp9-cq85
+  # Not easily patched. Minimally effects the extension due to usage of
+  # LavaMoat lockdown. Additional id added that resolves to the same advisory
+  # but has a different entry due to it being a new dependency of
+  # @trezor/connect-web. Upgrading
   - 1092429
   - 1095136
+
+  # Issue: Regular Expression Denial of Service (ReDOS)
+  # URL: https://github.com/advisories/GHSA-257v-vj4p-3w2h
+  # color-string is listed as a dependency of 'color' which is brought in by
+  # @metamask/jazzicon v2.0.0 but there is work done on that repository to
+  # remove the color dependency. We should upgrade
   - 1089718
+
+  # Issue: semver vulnerable to Regular Expression Denial of Service
+  # URL: https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
+  # semver is used in the solidity compiler portion of @truffle/codec that does
+  # not appear to be used.
   - 1092461
+
+  # Issue: Malware in @solana/web3.js
+  # URL: https://github.com/advisories/GHSA-2mhj-xmf4-pr8m
+  # we patched this to ensure the vulnerable versions are not included, but the advisory
+  # was mistakenly originally created to flag all versions as vulnerable
   - 1101059
+
+  # Issue: axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL
+  # URL: https://github.com/advisories/GHSA-jr5f-v2jv-69x6
+  # We are ignoring this on March 11, 2025 to unblock CI, we will follow with a proper fix or confirmation this does not affect our users
   - 1102472
+
+  # Issue: Issue: Babel has inefficient RexExp complexity in generated code with .replace when transpiling named capturing groups
+  # We are ignoring this on March 12, 2025 and April 24, 2025 to unblock CI, we will follow with a proper fix or confirmation this does not affect our users
   - 1103026
   - 1104001
+
+  # Issue: ses's global contour bindings leak into Compartment lexical scope
+  # URL: https://github.com/advisories/GHSA-h9w6-f932-gq62
+  # We are ignoring this on April 24, 2025 as it does not affect the codebase.
   - 1103932
+
+  # Issue: React Router allows pre-render data spoofing on React-Router framework mode
+  # URL: https://github.com/MetaMask/metamask-extension/security/dependabot/228
+  # will be fixed in https://github.com/MetaMask/MetaMask-planning/issues/3261
   - 1104031
   - 1104032
-  - ts-custom-error (deprecation)
-  - text-encoding (deprecation)
-  - popper.js (deprecation)
-  - mini-create-react-context (deprecation)
-  - uuid (deprecation)
+
+  # Temp fix for https://github.com/MetaMask/metamask-extension/pull/16920 for the sake of 11.7.1 hotfix
+  # This will be removed in this ticket https://github.com/MetaMask/metamask-extension/issues/22299
+  - 'ts-custom-error (deprecation)'
+  - 'text-encoding (deprecation)'
+
+  ### Package Deprecations:
+
+  # React-tippy brings in popper.js and react-tippy has not been updated in
+  # three years.
+  - 'popper.js (deprecation)'
+
+  # React-router is out of date and brings in the following deprecated package
+  - 'mini-create-react-context (deprecation)'
+
+  # The affected version, which is less than 7.0.0, is brought in by
+  # ethereumjs-wallet version 0.6.5 used in the extension but only in a single
+  # file app/scripts/account-import-strategies/index.js, which may be easy to
+  # upgrade.
+  - 'uuid (deprecation)'
+
+  # @npmcli/move-file is brought in via CopyWebpackPlugin used in the storybook
+  # main.js file, which can be upgraded to remove this dependency in favor of
+  # @npmcli/fs
   - '@npmcli/move-file (deprecation)'
-  - core-js (deprecation)
+
+  # Upgrading babel will result in the following deprecated packages being
+  # updated:
+  - 'core-js (deprecation)'
+
+  # Material UI dependencies are planned for removal
   - '@material-ui/core (deprecation)'
   - '@material-ui/styles (deprecation)'
   - '@material-ui/system (deprecation)'
+
+  # @ensdomains/ens should be explored for upgrade. The following packages are
+  # deprecated and would be resolved by upgrading to newer versions of
+  # ensdomains packages:
   - '@ensdomains/ens (deprecation)'
   - '@ensdomains/resolver (deprecation)'
-  - testrpc (deprecation)
-  - cids (deprecation)
-  - multibase (deprecation)
-  - multicodec (deprecation)
-  - eth-sig-util (deprecation)
-  - '@metamask/controller-utils (deprecation)'
-  - safe-event-emitter (deprecation)
-  - crypto (deprecation)
-  - webextension-polyfill-ts (deprecation)
-  - ripple-lib (deprecation)
-  - ethereum-cryptography (deprecation)
-  - react-beautiful-dnd (deprecation)
-  - ethereumjs-wallet (deprecation)
-  - '@trezor/connect-web (deprecation)'
-  - '@solana/web3.js (deprecation)'
+  - 'testrpc (deprecation)'
+
+  # Dependencies brought in by @truffle/decoder that are deprecated:
+  - 'cids (deprecation)' # via @ensdomains/content-hash
+  - 'multibase (deprecation)' # via cids
+  - 'multicodec (deprecation)' # via cids
+
+  # MetaMask owned repositories brought in by other MetaMask dependencies that
+  # can be resolved by updating the versions throughout the dependency tree
+  - 'eth-sig-util (deprecation)' # via @metamask/eth-ledger-bridge-keyring
+  - '@metamask/controller-utils (deprecation)' # via @metamask/phishing-controller
+  - 'safe-event-emitter (deprecation)' # via eth-block-tracker and others
 
-npmRegistryServer: 'https://registry.npmjs.org/'
+  # @metamask-institutional relies upon crypto which is deprecated
+  - 'crypto (deprecation)'
 
+  # @metamask/providers uses webextension-polyfill-ts which has been moved to
+  # @types/webextension-polyfill
+  - 'webextension-polyfill-ts (deprecation)'
+
+  # Imported in @trezor/blockchain-link@npm:2.1.8, but not actually depended on
+  # by MetaMask
+  - 'ripple-lib (deprecation)'
+
+  # Brought in by ethereumjs-utils, which is used in the extension and in many
+  # other dependencies. At the time of this exclusion, the extension has three
+  # old versions of ethereumjs-utils which should be upgraded to
+  # @ethereumjs/utils throughout our owned repositories. However even doing
+  # that may be insufficient due to dependencies we do not own still relying
+  # upon old versions of ethereumjs-utils.
+  - 'ethereum-cryptography (deprecation)'
+
+  # Currently in use for the network list drag and drop functionality.
+  # Maintenance has stopped and the project will be archived in 2025.
+  - 'react-beautiful-dnd (deprecation)'
+  # New package name format for new versions: @ethereumjs/wallet.
+  - 'ethereumjs-wallet (deprecation)'
+
+  # The new trezor version breaks the webpack build due to issues with ESM and CommonJS
+  # Leading to this error on start: `Uncaught ReferenceError: exports is not defined`
+  # We temporarily ignore the audit failure until we can safely upgrade to the new version without breaking the webpack build
+  # Check Trezor 9.5.X Changelog for more info: https://github.com/trezor/trezor-suite/blob/develop/packages/connect/CHANGELOG.md
+  - '@trezor/connect-web (deprecation)'
+
+  # We temporarily ignore the deprecation notice to unblock ci
+  # Issue: @solana/web3.js version 2.0 is now @solana/kit! Remove @solana/web3.js@2 from your dependencies and replace it with @solana/kit.
+  # As needed, upgrade all of your @solana-program/* dependencies to the latest versions that use Kit.
+  - '@solana/web3.js (deprecation)'
 plugins:
   - path: .yarn/plugins/@yarnpkg/plugin-allow-scripts.cjs
     spec: 'https://raw.githubusercontent.com/LavaMoat/LavaMoat/main/packages/yarn-plugin-allow-scripts/bundles/@yarnpkg/plugin-allow-scripts.js'
   - path: .yarn/plugins/@yarnpkg/plugin-engines.cjs
-    spec: 'https://raw.githubusercontent.com/devoto13/yarn-plugin-engines/main/bundles/%40yarnpkg/plugin-engines.js'
+    spec: 'https://raw.githubusercontent.com/devoto13/yarn-plugin-engines/main/bundles/%40yarnpkg/plugin-engines.js'