Upgrade to yarn 4 (#20249)
parent
5b5ca4599e
commit
038eb63eb0
|
@ -694,6 +694,9 @@ jobs:
|
|||
- run:
|
||||
name: lockfile-lint
|
||||
command: yarn lint:lockfile
|
||||
- run:
|
||||
name: check yarn resolutions
|
||||
command: yarn --check-resolutions
|
||||
|
||||
test-lint-changelog:
|
||||
executor: node-browsers
|
||||
|
@ -729,7 +732,7 @@ jobs:
|
|||
at: .
|
||||
- run:
|
||||
name: yarn audit
|
||||
command: .circleci/scripts/yarn-audit.sh
|
||||
command: yarn audit
|
||||
|
||||
test-deps-depcheck:
|
||||
executor: node-browsers
|
||||
|
|
|
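Review bot: The new `check yarn resolutions` step invokes bare `yarn --check-resolutions`; this presumably forwards to `yarn install --check-resolutions`, but spelling the subcommand out, `command: yarn install --check-resolutions`, makes the intent plain and does not rely on implicit-install behaviour. Replacing `.circleci/scripts/yarn-audit.sh` with `yarn audit` moves the severity and environment filters into the package.json script, so the job's pass/fail now rests entirely on the exit status of `yarn npm audit`; a one-line comment on the step, such as `# fails on unignored advisories of moderate+ severity in production deps (see package.json "audit")`, would record that for the next reader. Both jobs continue outside the hunks shown.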
@ -1,24 +0,0 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
set -e
|
||||
set -u
|
||||
set -x
|
||||
set -o pipefail
|
||||
|
||||
# use `improved-yarn-audit` since that allows for exclude
|
||||
# exclusions are in .iyarc now
|
||||
yarn run improved-yarn-audit \
|
||||
--ignore-dev-deps \
|
||||
--min-severity moderate \
|
||||
--fail-on-missing-exclusions
|
||||
|
||||
audit_status="$?"
|
||||
|
||||
if [[ "$audit_status" != 0 ]]
|
||||
then
|
||||
count="$(yarn npm audit --severity moderate --environment production --json | tail -1 | jq '.data.vulnerabilities.moderate + .data.vulnerabilities.high + .data.vulnerabilities.critical')"
|
||||
printf "Audit shows %s moderate or high severity advisories _in the production dependencies_\n" "$count"
|
||||
exit 1
|
||||
else
|
||||
printf "Audit shows _zero_ moderate or high severity advisories _in the production dependencies_\n"
|
||||
fi
|
|
@ -45,7 +45,6 @@ ignores:
|
|||
- 'playwright'
|
||||
- 'wait-on'
|
||||
# development tool
|
||||
- 'improved-yarn-audit'
|
||||
- 'nyc'
|
||||
# storybook
|
||||
- '@storybook/cli'
|
||||
|
|
7
.iyarc
7
.iyarc
|
@ -1,7 +0,0 @@
|
|||
# improved-yarn-audit advisory exclusions
|
||||
GHSA-257v-vj4p-3w2h
|
||||
|
||||
# Prototype pollution
|
||||
# Not easily patched
|
||||
# Minimal risk to us because we're using lockdown which also prevents this case of prototype pollution
|
||||
GHSA-h755-8qp9-cq85
|
|
@ -1,69 +0,0 @@
|
|||
# Improved yarn audit is patched to work with yarn version 2+. The primary need
|
||||
# is to retool the script to first use yarn's new audit command and parameters
|
||||
# as well as to change the process for how it reads the result due to an update
|
||||
# in returned shape of audit command's data.
|
||||
diff --git a/bin/improved-yarn-audit b/bin/improved-yarn-audit
|
||||
index 52df548151aa28289565e3335b2cd7a92fa38325..7e058df6a4a159596df72c9475a36b747580cd98 100755
|
||||
--- a/bin/improved-yarn-audit
|
||||
+++ b/bin/improved-yarn-audit
|
||||
@@ -15,6 +15,7 @@ const { tmpdir } = require("os")
|
||||
const path = require("path")
|
||||
const { env, exit, platform } = require("process")
|
||||
const { createInterface } = require("readline")
|
||||
+const { Stream } = require("stream")
|
||||
|
||||
const GITHUB_ADVISORY_CODE = "GHSA"
|
||||
|
||||
@@ -250,7 +251,15 @@ async function iterateOverAuditResults(action) {
|
||||
const auditResultsFileStream = getAuditResultsFileStream("r")
|
||||
const iterator = createInterface(auditResultsFileStream)
|
||||
|
||||
- iterator.on("line", action)
|
||||
+ iterator.on("line", async (result) => {
|
||||
+ const parsed = parseAuditJson(result);
|
||||
+ const advisories = Stream.Readable.from(
|
||||
+ Object.values(parsed.advisories).map(advisory => JSON.stringify(advisory))
|
||||
+ );
|
||||
+ for await (const data of advisories) {
|
||||
+ action(data);
|
||||
+ }
|
||||
+ });
|
||||
|
||||
await new Promise((resolve) => iterator.on("close", resolve))
|
||||
|
||||
@@ -305,10 +314,10 @@ async function streamYarnAuditOutput(auditParams, auditResultsFileStream) {
|
||||
}
|
||||
|
||||
async function invokeYarnAudit() {
|
||||
- const auditParams = ["audit", "--json", `--level=${minSeverityName}`]
|
||||
+ const auditParams = ["npm", "audit", "--recursive", "--json", `--severity=${minSeverityName}`]
|
||||
|
||||
if (ignoreDevDependencies) {
|
||||
- auditParams.push("--groups=dependencies")
|
||||
+ auditParams.push("--environment=production")
|
||||
}
|
||||
|
||||
cleanupAuditResultsFile()
|
||||
@@ -420,17 +429,17 @@ async function runAuditReport() {
|
||||
let devDependencyAdvisories = []
|
||||
let devDependencyAdvisoryIds = []
|
||||
|
||||
- await iterateOverAuditResults((resultJson) => {
|
||||
- const potentialResult = parseAuditJson(resultJson)
|
||||
+ await iterateOverAuditResults((resultJsonString) => {
|
||||
+ const potentialResult = parseAuditJson(resultJsonString);
|
||||
|
||||
if (
|
||||
- typeof potentialResult.type !== "string" ||
|
||||
- potentialResult.type !== "auditAdvisory"
|
||||
+ typeof potentialResult.github_advisory_id !== "string"
|
||||
) {
|
||||
return
|
||||
}
|
||||
|
||||
- const result = potentialResult.data.advisory
|
||||
+
|
||||
+ const result = potentialResult;
|
||||
|
||||
allAdvisories.push(result)
|
||||
|
100
.yarnrc.yml
100
.yarnrc.yml
|
@ -1,3 +1,7 @@
|
|||
compressionLevel: mixed
|
||||
|
||||
enableGlobalCache: false
|
||||
|
||||
enableScripts: false
|
||||
|
||||
enableTelemetry: false
|
||||
|
@ -8,21 +12,101 @@ logFilters:
|
|||
|
||||
nodeLinker: node-modules
|
||||
|
||||
npmAuditIgnoreAdvisories:
|
||||
### Advisories:
|
||||
|
||||
# Issue: yargs-parser Vulnerable to Prototype Pollution
|
||||
# URL - https://github.com/advisories/GHSA-p9pc-299p-vxgp
|
||||
# The affected version (<5.0.0) is only included via @ensdomains/ens via
|
||||
# 'solc' which is not used in the imports we use from this package.
|
||||
- 1088783
|
||||
|
||||
# Issue: protobufjs Prototype Pollution vulnerability
|
||||
# URL - https://github.com/advisories/GHSA-h755-8qp9-cq85
|
||||
# Not easily patched. Minimally effects the extension due to usage of
|
||||
# LavaMoat lockdown.
|
||||
- 1092429
|
||||
|
||||
# Issue: Regular Expression Denial of Service (ReDOS)
|
||||
# URL: https://github.com/advisories/GHSA-257v-vj4p-3w2h
|
||||
# color-string is listed as a dependency of 'color' which is brought in by
|
||||
# @metamask/jazzicon v2.0.0 but there is work done on that repository to
|
||||
# remove the color dependency. We should upgrade
|
||||
- 1089718
|
||||
|
||||
# Issue: semver vulnerable to Regular Expression Denial of Service
|
||||
# URL: https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
|
||||
# semver is used in the solidity compiler portion of @truffle/codec that does
|
||||
# not appear to be used.
|
||||
- 1092461
|
||||
|
||||
### Package Deprecations:
|
||||
|
||||
# React-tippy brings in popper.js and react-tippy has not been updated in
|
||||
# three years.
|
||||
- 'popper.js (deprecation)'
|
||||
|
||||
# React-router is out of date and brings in the following deprecated package
|
||||
- 'mini-create-react-context (deprecation)'
|
||||
|
||||
# The affected version, which is less than 7.0.0, is brought in by
|
||||
# ethereumjs-wallet version 0.6.5 used in the extension but only in a single
|
||||
# file app/scripts/account-import-strategies/index.js, which may be easy to
|
||||
# upgrade.
|
||||
- 'uuid (deprecation)'
|
||||
|
||||
# @npmcli/move-file is brought in via CopyWebpackPlugin used in the storybook
|
||||
# main.js file, which can be upgraded to remove this dependency in favor of
|
||||
# @npmcli/fs
|
||||
- '@npmcli/move-file (deprecation)'
|
||||
|
||||
# Upgrading babel will result in the following deprecated packages being
|
||||
# updated:
|
||||
- 'core-js (deprecation)'
|
||||
|
||||
# Material UI dependencies are planned for removal
|
||||
- '@material-ui/core (deprecation)'
|
||||
- '@material-ui/styles (deprecation)'
|
||||
- '@material-ui/system (deprecation)'
|
||||
|
||||
# @ensdomains/ens should be explored for upgrade. The following packages are
|
||||
# deprecated and would be resolved by upgrading to newer versions of
|
||||
# ensdomains packages:
|
||||
- '@ensdomains/ens (deprecation)'
|
||||
- '@ensdomains/resolver (deprecation)'
|
||||
- 'testrpc (deprecation)'
|
||||
|
||||
# Dependencies brought in by @truffle/decoder that are deprecated:
|
||||
- 'cids (deprecation)' # via @ensdomains/content-hash
|
||||
- 'multibase (deprecation)' # via cids
|
||||
- 'multicodec (deprecation)' # via cids
|
||||
|
||||
# MetaMask owned repositories brought in by other MetaMask dependencies that
|
||||
# can be resolved by updating the versions throughout the dependency tree
|
||||
- 'eth-sig-util (deprecation)' # via @metamask/eth-ledger-bridge-keyring
|
||||
- '@metamask/controller-utils (deprecation)' # via @metamask/phishin-controller
|
||||
- 'safe-event-emitter (deprecation)' # via eth-block-tracker and others
|
||||
|
||||
# @metamask-institutional relies upon crypto which is deprecated
|
||||
- 'crypto (deprecation)'
|
||||
|
||||
# @metamask/providers uses webextension-polyfill-ts which has been moved to
|
||||
# @types/webextension-polyfill
|
||||
- 'webextension-polyfill-ts (deprecation)'
|
||||
|
||||
npmRegistries:
|
||||
"https://npm.pkg.github.com":
|
||||
'https://npm.pkg.github.com':
|
||||
npmAlwaysAuth: true
|
||||
npmAuthToken: "${GITHUB_PACKAGE_READ_TOKEN-}"
|
||||
npmAuthToken: '${GITHUB_PACKAGE_READ_TOKEN-}'
|
||||
|
||||
npmScopes:
|
||||
metamask:
|
||||
npmRegistryServer: "${METAMASK_NPM_REGISTRY:-https://registry.yarnpkg.com}"
|
||||
npmRegistryServer: '${METAMASK_NPM_REGISTRY:-https://registry.yarnpkg.com}'
|
||||
|
||||
plugins:
|
||||
- path: .yarn/plugins/@yarnpkg/plugin-allow-scripts.cjs
|
||||
spec: "https://raw.githubusercontent.com/LavaMoat/LavaMoat/main/packages/yarn-plugin-allow-scripts/bundles/@yarnpkg/plugin-allow-scripts.js"
|
||||
- path: .yarn/plugins/@yarnpkg/plugin-version.cjs
|
||||
spec: "@yarnpkg/plugin-version"
|
||||
spec: 'https://raw.githubusercontent.com/LavaMoat/LavaMoat/main/packages/yarn-plugin-allow-scripts/bundles/@yarnpkg/plugin-allow-scripts.js'
|
||||
- path: .yarn/plugins/@yarnpkg/plugin-engines.cjs
|
||||
spec: "https://raw.githubusercontent.com/devoto13/yarn-plugin-engines/main/bundles/%40yarnpkg/plugin-engines.js"
|
||||
spec: 'https://raw.githubusercontent.com/devoto13/yarn-plugin-engines/main/bundles/%40yarnpkg/plugin-engines.js'
|
||||
|
||||
yarnPath: .yarn/releases/yarn-3.2.4.cjs
|
||||
yarnPath: .yarn/releases/yarn-4.0.0-rc.48.cjs
|
||||
|
|
|
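Review bot: The `npmAuditIgnoreAdvisories` list has no counterpart to the deleted script's `--fail-on-missing-exclusions`, so an ignored advisory id (for example `1089718`, whose comment says the upstream fix is still in progress) stays suppressed indefinitely even after it no longer matches anything in the tree. Consider a header comment such as `# Review on every dependency upgrade: remove entries that no longer match an advisory` and, where a comment already names a follow-up (the jazzicon `color` dependency, the `uuid` upgrade), a tracking-issue reference next to the entry. The comment `# via @metamask/phishin-controller` looks like a typo for `@metamask/phishing-controller`, and "Minimally effects the extension" should read "affects". The two prototype-pollution suppressions are justified by LavaMoat lockdown; if that protection covers only the bundled extension and not build- or dev-time use of these packages, the comment should state that scope so the residual risk is clear.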
@ -97,7 +97,8 @@
|
|||
"generate-beta-commit": "node ./development/generate-beta-commit.js",
|
||||
"validate-branch-name": "validate-branch-name",
|
||||
"add-release-label-to-pr-and-linked-issues": "ts-node ./.github/scripts/add-release-label-to-pr-and-linked-issues.ts",
|
||||
"check-pr-has-required-labels": "ts-node ./.github/scripts/check-pr-has-required-labels.ts"
|
||||
"check-pr-has-required-labels": "ts-node ./.github/scripts/check-pr-has-required-labels.ts",
|
||||
"audit": "yarn npm audit --recursive --environment production --severity moderate"
|
||||
},
|
||||
"resolutions": {
|
||||
"simple-update-notifier@^1.0.0": "^2.0.0",
|
||||
|
@ -190,7 +191,6 @@
|
|||
"stylelint@^13.6.1": "patch:stylelint@npm%3A13.6.1#./.yarn/patches/stylelint-npm-13.6.1-47aaddf62b.patch",
|
||||
"luxon@^3.0.1": "patch:luxon@npm%3A3.2.1#./.yarn/patches/luxon-npm-3.2.1-56f8d97395.patch",
|
||||
"luxon@^3.2.1": "patch:luxon@npm%3A3.2.1#./.yarn/patches/luxon-npm-3.2.1-56f8d97395.patch",
|
||||
"improved-yarn-audit@^3.0.0": "patch:improved-yarn-audit@npm%3A3.0.0#./.yarn/patches/improved-yarn-audit-npm-3.0.0-3e37ee431a.patch",
|
||||
"symbol-observable": "^2.0.3",
|
||||
"async-done@~1.3.2": "patch:async-done@npm%3A1.3.2#./.yarn/patches/async-done-npm-1.3.2-1f0a4a8997.patch",
|
||||
"async-done@^1.2.0": "patch:async-done@npm%3A1.3.2#./.yarn/patches/async-done-npm-1.3.2-1f0a4a8997.patch",
|
||||
|
@ -491,7 +491,6 @@
|
|||
"gulp-zip": "^5.1.0",
|
||||
"history": "^5.0.0",
|
||||
"husky": "^8.0.3",
|
||||
"improved-yarn-audit": "^3.0.0",
|
||||
"ini": "^3.0.0",
|
||||
"istanbul-lib-coverage": "^3.2.0",
|
||||
"istanbul-lib-report": "^3.0.0",
|
||||
|
@ -560,7 +559,7 @@
|
|||
},
|
||||
"engines": {
|
||||
"node": ">= 18",
|
||||
"yarn": "^3.2.4"
|
||||
"yarn": "^4.0.0-rc.48"
|
||||
},
|
||||
"lavamoat": {
|
||||
"allowScripts": {
|
||||
|
@ -630,5 +629,5 @@
|
|||
"@storybook/react-webpack5>@storybook/preset-react-webpack>@pmmmwh/react-refresh-webpack-plugin>core-js-pure": false
|
||||
}
|
||||
},
|
||||
"packageManager": "yarn@3.2.4"
|
||||
"packageManager": "yarn@4.0.0-rc.48"
|
||||
}
|
||||
|
|
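Review bot: The new `audit` script keeps `--environment production`, so devDependencies (the build and test toolchain that runs in CI) are excluded from the audit exactly as the deleted `--ignore-dev-deps` did; this gap is inherited rather than introduced here, but now that the flags live in one place a sibling `"audit:all": "yarn npm audit --recursive --severity moderate"` would make it easy to see what the production filter hides. `packageManager` and `engines.yarn` are pinned to a release candidate (`4.0.0-rc.48`), so the pin, and the matching `yarnPath` in `.yarnrc.yml`, will need bumping together when a stable 4.0.0 is adopted. The enclosing `scripts`, `resolutions` and `engines` objects continue outside the hunks shown.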