-
Notifications
You must be signed in to change notification settings - Fork 5k
/
.yarnrc.yml
135 lines (105 loc) · 5.32 KB
/
.yarnrc.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
compressionLevel: mixed
enableGlobalCache: false
enableScripts: false
enableTelemetry: false
logFilters:
- code: YN0004
level: discard
nodeLinker: node-modules
npmAuditIgnoreAdvisories:
### Advisories:
# Issue: yargs-parser Vulnerable to Prototype Pollution
# URL - https://github.com/advisories/GHSA-p9pc-299p-vxgp
# The affected version (<5.0.0) is only included via @ensdomains/ens via
# 'solc' which is not used in the imports we use from this package.
- 1088783
# Issue: protobufjs Prototype Pollution vulnerability
# URL - https://github.com/advisories/GHSA-h755-8qp9-cq85
# Not easily patched. Minimally effects the extension due to usage of
# LavaMoat lockdown. Additional id added that resolves to the same advisory
# but has a different entry due to it being a new dependency of
# @trezor/connect-web. Upgrading
- 1092429
- 1095136
# Issue: Regular Expression Denial of Service (ReDOS)
# URL: https://github.com/advisories/GHSA-257v-vj4p-3w2h
# color-string is listed as a dependency of 'color' which is brought in by
# @metamask/jazzicon v2.0.0 but there is work done on that repository to
# remove the color dependency. We should upgrade
- 1089718
# Issue: semver vulnerable to Regular Expression Denial of Service
# URL: https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
# semver is used in the solidity compiler portion of @truffle/codec that does
# not appear to be used.
- 1092461
# Issue: Malware in @solana/web3.js
# URL: https://github.com/advisories/GHSA-2mhj-xmf4-pr8m
# we patched this to ensure the vulnerable versions are not included, but the advisory
# was mistakenly originally created to flag all versions as vulnerable
- 1101059
# Temp fix for https://github.com/MetaMask/metamask-extension/pull/16920 for the sake of 11.7.1 hotfix
# This will be removed in this ticket https://github.com/MetaMask/metamask-extension/issues/22299
- 'ts-custom-error (deprecation)'
- 'text-encoding (deprecation)'
### Package Deprecations:
# React-tippy brings in popper.js and react-tippy has not been updated in
# three years.
- 'popper.js (deprecation)'
# React-router is out of date and brings in the following deprecated package
- 'mini-create-react-context (deprecation)'
# The affected version, which is less than 7.0.0, is brought in by
# ethereumjs-wallet version 0.6.5 used in the extension but only in a single
# file app/scripts/account-import-strategies/index.js, which may be easy to
# upgrade.
- 'uuid (deprecation)'
# @npmcli/move-file is brought in via CopyWebpackPlugin used in the storybook
# main.js file, which can be upgraded to remove this dependency in favor of
# @npmcli/fs
- '@npmcli/move-file (deprecation)'
# Upgrading babel will result in the following deprecated packages being
# updated:
- 'core-js (deprecation)'
# Material UI dependencies are planned for removal
- '@material-ui/core (deprecation)'
- '@material-ui/styles (deprecation)'
- '@material-ui/system (deprecation)'
# @ensdomains/ens should be explored for upgrade. The following packages are
# deprecated and would be resolved by upgrading to newer versions of
# ensdomains packages:
- '@ensdomains/ens (deprecation)'
- '@ensdomains/resolver (deprecation)'
- 'testrpc (deprecation)'
# Dependencies brought in by @truffle/decoder that are deprecated:
- 'cids (deprecation)' # via @ensdomains/content-hash
- 'multibase (deprecation)' # via cids
- 'multicodec (deprecation)' # via cids
# MetaMask owned repositories brought in by other MetaMask dependencies that
# can be resolved by updating the versions throughout the dependency tree
- 'eth-sig-util (deprecation)' # via @metamask/eth-ledger-bridge-keyring
- '@metamask/controller-utils (deprecation)' # via @metamask/phishing-controller
- 'safe-event-emitter (deprecation)' # via eth-block-tracker and others
# @metamask-institutional relies upon crypto which is deprecated
- 'crypto (deprecation)'
# @metamask/providers uses webextension-polyfill-ts which has been moved to
# @types/webextension-polyfill
- 'webextension-polyfill-ts (deprecation)'
# Imported in @trezor/blockchain-link@npm:2.1.8, but not actually depended on
# by MetaMask
- 'ripple-lib (deprecation)'
# Brought in by ethereumjs-utils, which is used in the extension and in many
# other dependencies. At the time of this exclusion, the extension has three
# old versions of ethereumjs-utils which should be upgraded to
# @ethereumjs/utils throughout our owned repositories. However even doing
# that may be insufficient due to dependencies we do not own still relying
# upon old versions of ethereumjs-utils.
- 'ethereum-cryptography (deprecation)'
# Currently in use for the network list drag and drop functionality.
# Maintenance has stopped and the project will be archived in 2025.
- 'react-beautiful-dnd (deprecation)'
# New package name format for new versions: @ethereumjs/wallet.
- 'ethereumjs-wallet (deprecation)'
plugins:
- path: .yarn/plugins/@yarnpkg/plugin-allow-scripts.cjs
spec: 'https://raw.githubusercontent.com/LavaMoat/LavaMoat/main/packages/yarn-plugin-allow-scripts/bundles/@yarnpkg/plugin-allow-scripts.js'
- path: .yarn/plugins/@yarnpkg/plugin-engines.cjs
spec: 'https://raw.githubusercontent.com/devoto13/yarn-plugin-engines/main/bundles/%40yarnpkg/plugin-engines.js'