-
Notifications
You must be signed in to change notification settings - Fork 4.9k
/
.yarnrc.yml
127 lines (100 loc) · 5.05 KB
/
.yarnrc.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
compressionLevel: mixed
enableGlobalCache: false
enableScripts: false
enableTelemetry: false
logFilters:
- code: YN0004
level: discard
nodeLinker: node-modules
npmAuditIgnoreAdvisories:
### Advisories:
# Issue: yargs-parser Vulnerable to Prototype Pollution
# URL - https://github.com/advisories/GHSA-p9pc-299p-vxgp
# The affected version (<5.0.0) is only included via @ensdomains/ens via
# 'solc' which is not used in the imports we use from this package.
- 1088783
# Issue: protobufjs Prototype Pollution vulnerability
# URL - https://github.com/advisories/GHSA-h755-8qp9-cq85
# Not easily patched. Minimally effects the extension due to usage of
# LavaMoat lockdown. Additional id added that resolves to the same advisory
# but has a different entry due to it being a new dependency of
# @trezor/connect-web. Upgrading
- 1092429
- 1095136
# Issue: Regular Expression Denial of Service (ReDOS)
# URL: https://github.com/advisories/GHSA-257v-vj4p-3w2h
# color-string is listed as a dependency of 'color' which is brought in by
# @metamask/jazzicon v2.0.0 but there is work done on that repository to
# remove the color dependency. We should upgrade
- 1089718
# Issue: semver vulnerable to Regular Expression Denial of Service
# URL: https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
# semver is used in the solidity compiler portion of @truffle/codec that does
# not appear to be used.
- 1092461
# Temp fix for https://github.com/MetaMask/metamask-extension/pull/16920 for the sake of 11.7.1 hotfix
# This will be removed in this ticket https://github.com/MetaMask/metamask-extension/issues/22299
- 'ts-custom-error (deprecation)'
- 'text-encoding (deprecation)'
### Package Deprecations:
# React-tippy brings in popper.js and react-tippy has not been updated in
# three years.
- 'popper.js (deprecation)'
# React-router is out of date and brings in the following deprecated package
- 'mini-create-react-context (deprecation)'
# The affected version, which is less than 7.0.0, is brought in by
# ethereumjs-wallet version 0.6.5 used in the extension but only in a single
# file app/scripts/account-import-strategies/index.js, which may be easy to
# upgrade.
- 'uuid (deprecation)'
# @npmcli/move-file is brought in via CopyWebpackPlugin used in the storybook
# main.js file, which can be upgraded to remove this dependency in favor of
# @npmcli/fs
- '@npmcli/move-file (deprecation)'
# Upgrading babel will result in the following deprecated packages being
# updated:
- 'core-js (deprecation)'
# Material UI dependencies are planned for removal
- '@material-ui/core (deprecation)'
- '@material-ui/styles (deprecation)'
- '@material-ui/system (deprecation)'
# @ensdomains/ens should be explored for upgrade. The following packages are
# deprecated and would be resolved by upgrading to newer versions of
# ensdomains packages:
- '@ensdomains/ens (deprecation)'
- '@ensdomains/resolver (deprecation)'
- 'testrpc (deprecation)'
# Dependencies brought in by @truffle/decoder that are deprecated:
- 'cids (deprecation)' # via @ensdomains/content-hash
- 'multibase (deprecation)' # via cids
- 'multicodec (deprecation)' # via cids
# MetaMask owned repositories brought in by other MetaMask dependencies that
# can be resolved by updating the versions throughout the dependency tree
- 'eth-sig-util (deprecation)' # via @metamask/eth-ledger-bridge-keyring
- '@metamask/controller-utils (deprecation)' # via @metamask/phishing-controller
- 'safe-event-emitter (deprecation)' # via eth-block-tracker and others
# @metamask-institutional relies upon crypto which is deprecated
- 'crypto (deprecation)'
# @metamask/providers uses webextension-polyfill-ts which has been moved to
# @types/webextension-polyfill
- 'webextension-polyfill-ts (deprecation)'
# Imported in @trezor/blockchain-link@npm:2.1.8, but not actually depended on
# by MetaMask
- 'ripple-lib (deprecation)'
# Brought in by ethereumjs-utils, which is used in the extension and in many
# other dependencies. At the time of this exclusion, the extension has three
# old versions of ethereumjs-utils which should be upgraded to
# @ethereumjs/utils throughout our owned repositories. However even doing
# that may be insufficient due to dependencies we do not own still relying
# upon old versions of ethereumjs-utils.
- 'ethereum-cryptography (deprecation)'
# Currently in use for the network list drag and drop functionality.
# Maintenance has stopped and the project will be archived in 2025.
- 'react-beautiful-dnd (deprecation)'
# New package name format for new versions: @ethereumjs/wallet.
- 'ethereumjs-wallet (deprecation)'
plugins:
- path: .yarn/plugins/@yarnpkg/plugin-allow-scripts.cjs
spec: 'https://raw.githubusercontent.com/LavaMoat/LavaMoat/main/packages/yarn-plugin-allow-scripts/bundles/@yarnpkg/plugin-allow-scripts.js'
- path: .yarn/plugins/@yarnpkg/plugin-engines.cjs
spec: 'https://raw.githubusercontent.com/devoto13/yarn-plugin-engines/main/bundles/%40yarnpkg/plugin-engines.js'