Upgrade to yarn 4 (#20249)

.circleci/config.yml

@@ -694,6 +694,9 @@ jobs:
       - run:
           name: lockfile-lint
           command: yarn lint:lockfile
+      - run:
+          name: check yarn resolutions
+          command: yarn --check-resolutions
 
   test-lint-changelog:
     executor: node-browsers
@@ -729,7 +732,7 @@ jobs:
           at: .
       - run:
           name: yarn audit
-          command: .circleci/scripts/yarn-audit.sh
+          command: yarn audit
 
   test-deps-depcheck:
     executor: node-browsers

.circleci/scripts/yarn-audit.sh

@@ -1,24 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-set -u
-set -x
-set -o pipefail
-
-# use `improved-yarn-audit` since that allows for exclude
-# exclusions are in .iyarc now
-yarn run improved-yarn-audit \
-    --ignore-dev-deps \
-    --min-severity moderate \
-    --fail-on-missing-exclusions
-
-audit_status="$?"
-
-if [[ "$audit_status" != 0 ]]
-then
-    count="$(yarn npm audit --severity moderate --environment production --json | tail -1 | jq '.data.vulnerabilities.moderate + .data.vulnerabilities.high + .data.vulnerabilities.critical')"
-    printf "Audit shows %s moderate or high severity advisories _in the production dependencies_\n" "$count"
-    exit 1
-else
-    printf "Audit shows _zero_ moderate or high severity advisories _in the production dependencies_\n"
-fi

.depcheckrc.yml

@@ -45,7 +45,6 @@ ignores:
   - 'playwright'
   - 'wait-on'
   # development tool
-  - 'improved-yarn-audit'
   - 'nyc'
   # storybook
   - '@storybook/cli'

.iyarc

@@ -1,7 +0,0 @@
-# improved-yarn-audit advisory exclusions
-GHSA-257v-vj4p-3w2h
-
-# Prototype pollution
-# Not easily patched
-# Minimal risk to us because we're using lockdown which also prevents this case of prototype pollution
-GHSA-h755-8qp9-cq85

.yarn/patches/improved-yarn-audit-npm-3.0.0-3e37ee431a.patch

@@ -1,69 +0,0 @@
-# Improved yarn audit is patched to work with yarn version 2+. The primary need
-# is to retool the script to first use yarn's new audit command and parameters
-# as well as to change the process for how it reads the result due to an update
-# in returned shape of audit command's data.
-diff --git a/bin/improved-yarn-audit b/bin/improved-yarn-audit
-index 52df548151aa28289565e3335b2cd7a92fa38325..7e058df6a4a159596df72c9475a36b747580cd98 100755
---- a/bin/improved-yarn-audit
-+++ b/bin/improved-yarn-audit
-@@ -15,6 +15,7 @@ const { tmpdir } = require("os")
- const path = require("path")
- const { env, exit, platform } = require("process")
- const { createInterface } = require("readline")
-+const { Stream } = require("stream")
- 
- const GITHUB_ADVISORY_CODE = "GHSA"
- 
-@@ -250,7 +251,15 @@ async function iterateOverAuditResults(action) {
-   const auditResultsFileStream = getAuditResultsFileStream("r")
-   const iterator = createInterface(auditResultsFileStream)
- 
--  iterator.on("line", action)
-+  iterator.on("line", async (result) => {
-+    const parsed = parseAuditJson(result);
-+    const advisories = Stream.Readable.from(
-+      Object.values(parsed.advisories).map(advisory => JSON.stringify(advisory))
-+    );
-+    for await (const data of advisories) {
-+      action(data);
-+    }
-+  });
- 
-   await new Promise((resolve) => iterator.on("close", resolve))
- 
-@@ -305,10 +314,10 @@ async function streamYarnAuditOutput(auditParams, auditResultsFileStream) {
- }
- 
- async function invokeYarnAudit() {
--  const auditParams = ["audit", "--json", `--level=${minSeverityName}`]
-+  const auditParams = ["npm", "audit", "--recursive", "--json", `--severity=${minSeverityName}`]
- 
-   if (ignoreDevDependencies) {
--    auditParams.push("--groups=dependencies")
-+    auditParams.push("--environment=production")
-   }
- 
-   cleanupAuditResultsFile()
-@@ -420,17 +429,17 @@ async function runAuditReport() {
-   let devDependencyAdvisories = []
-   let devDependencyAdvisoryIds = []
- 
--  await iterateOverAuditResults((resultJson) => {
--    const potentialResult = parseAuditJson(resultJson)
-+  await iterateOverAuditResults((resultJsonString) => {
-+    const potentialResult = parseAuditJson(resultJsonString);
- 
-     if (
--      typeof potentialResult.type !== "string" ||
--      potentialResult.type !== "auditAdvisory"
-+      typeof potentialResult.github_advisory_id !== "string"
-     ) {
-       return
-     }
- 
--    const result = potentialResult.data.advisory
-+
-+    const result = potentialResult;
- 
-     allAdvisories.push(result)
- 

.yarnrc.yml

@@ -1,3 +1,7 @@
+compressionLevel: mixed
+
+enableGlobalCache: false
+
 enableScripts: false
 
 enableTelemetry: false
@@ -8,21 +12,101 @@ logFilters:
 
 nodeLinker: node-modules
 
+npmAuditIgnoreAdvisories:
+  ### Advisories:
+
+  # Issue: yargs-parser Vulnerable to Prototype Pollution
+  # URL - https://github.com/advisories/GHSA-p9pc-299p-vxgp
+  # The affected version (<5.0.0) is only included via @ensdomains/ens via
+  # 'solc' which is not used in the imports we use from this package.
+  - 1088783
+
+  # Issue: protobufjs Prototype Pollution vulnerability
+  # URL - https://github.com/advisories/GHSA-h755-8qp9-cq85
+  # Not easily patched. Minimally effects the extension due to usage of
+  # LavaMoat lockdown.
+  - 1092429
+
+  # Issue: Regular Expression Denial of Service (ReDOS)
+  # URL: https://github.com/advisories/GHSA-257v-vj4p-3w2h
+  # color-string is listed as a dependency of 'color' which is brought in by
+  # @metamask/jazzicon v2.0.0 but there is work done on that repository to
+  # remove the color dependency. We should upgrade
+  - 1089718
+
+  # Issue: semver vulnerable to Regular Expression Denial of Service
+  # URL: https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
+  # semver is used in the solidity compiler portion of @truffle/codec that does
+  # not appear to be used.
+  - 1092461
+
+  ### Package Deprecations:
+
+  # React-tippy brings in popper.js and react-tippy has not been updated in
+  # three years.
+  - 'popper.js (deprecation)'
+
+  # React-router is out of date and brings in the following deprecated package
+  - 'mini-create-react-context (deprecation)'
+
+  # The affected version, which is less than 7.0.0, is brought in by
+  # ethereumjs-wallet version 0.6.5 used in the extension but only in a single
+  # file app/scripts/account-import-strategies/index.js, which may be easy to
+  # upgrade.
+  - 'uuid (deprecation)'
+
+  # @npmcli/move-file is brought in via CopyWebpackPlugin used in the storybook
+  # main.js file, which can be upgraded to remove this dependency in favor of
+  # @npmcli/fs
+  - '@npmcli/move-file (deprecation)'
+
+  # Upgrading babel will result in the following deprecated packages being
+  # updated:
+  - 'core-js (deprecation)'
+
+  # Material UI dependencies are planned for removal
+  - '@material-ui/core (deprecation)'
+  - '@material-ui/styles (deprecation)'
+  - '@material-ui/system (deprecation)'
+
+  # @ensdomains/ens should be explored for upgrade. The following packages are
+  # deprecated and would be resolved by upgrading to newer versions of
+  # ensdomains packages:
+  - '@ensdomains/ens (deprecation)'
+  - '@ensdomains/resolver (deprecation)'
+  - 'testrpc (deprecation)'
+
+  # Dependencies brought in by @truffle/decoder that are deprecated:
+  - 'cids (deprecation)' # via @ensdomains/content-hash
+  - 'multibase (deprecation)' # via cids
+  - 'multicodec (deprecation)' # via cids
+
+  # MetaMask owned repositories brought in by other MetaMask dependencies that
+  # can be resolved by updating the versions throughout the dependency tree
+  - 'eth-sig-util (deprecation)' # via @metamask/eth-ledger-bridge-keyring
+  - '@metamask/controller-utils (deprecation)' # via @metamask/phishin-controller
+  - 'safe-event-emitter (deprecation)' # via eth-block-tracker and others
+
+  # @metamask-institutional relies upon crypto which is deprecated
+  - 'crypto (deprecation)'
+
+  # @metamask/providers uses webextension-polyfill-ts which has been moved to
+  # @types/webextension-polyfill
+  - 'webextension-polyfill-ts (deprecation)'
+
 npmRegistries:
-  "https://npm.pkg.github.com":
+  'https://npm.pkg.github.com':
     npmAlwaysAuth: true
-    npmAuthToken: "${GITHUB_PACKAGE_READ_TOKEN-}"
+    npmAuthToken: '${GITHUB_PACKAGE_READ_TOKEN-}'
 
 npmScopes:
   metamask:
-    npmRegistryServer: "${METAMASK_NPM_REGISTRY:-https://registry.yarnpkg.com}"
+    npmRegistryServer: '${METAMASK_NPM_REGISTRY:-https://registry.yarnpkg.com}'
 
 plugins:
   - path: .yarn/plugins/@yarnpkg/plugin-allow-scripts.cjs
-    spec: "https://raw.githubusercontent.com/LavaMoat/LavaMoat/main/packages/yarn-plugin-allow-scripts/bundles/@yarnpkg/plugin-allow-scripts.js"
-  - path: .yarn/plugins/@yarnpkg/plugin-version.cjs
-    spec: "@yarnpkg/plugin-version"
+    spec: 'https://raw.githubusercontent.com/LavaMoat/LavaMoat/main/packages/yarn-plugin-allow-scripts/bundles/@yarnpkg/plugin-allow-scripts.js'
   - path: .yarn/plugins/@yarnpkg/plugin-engines.cjs
-    spec: "https://raw.githubusercontent.com/devoto13/yarn-plugin-engines/main/bundles/%40yarnpkg/plugin-engines.js"
+    spec: 'https://raw.githubusercontent.com/devoto13/yarn-plugin-engines/main/bundles/%40yarnpkg/plugin-engines.js'
 
-yarnPath: .yarn/releases/yarn-3.2.4.cjs
+yarnPath: .yarn/releases/yarn-4.0.0-rc.48.cjs

package.json

@@ -97,7 +97,8 @@
     "generate-beta-commit": "node ./development/generate-beta-commit.js",
     "validate-branch-name": "validate-branch-name",
     "add-release-label-to-pr-and-linked-issues": "ts-node ./.github/scripts/add-release-label-to-pr-and-linked-issues.ts",
-    "check-pr-has-required-labels": "ts-node ./.github/scripts/check-pr-has-required-labels.ts"
+    "check-pr-has-required-labels": "ts-node ./.github/scripts/check-pr-has-required-labels.ts",
+    "audit": "yarn npm audit --recursive --environment production --severity moderate"
   },
   "resolutions": {
     "simple-update-notifier@^1.0.0": "^2.0.0",
@@ -190,7 +191,6 @@
     "stylelint@^13.6.1": "patch:stylelint@npm%3A13.6.1#./.yarn/patches/stylelint-npm-13.6.1-47aaddf62b.patch",
     "luxon@^3.0.1": "patch:luxon@npm%3A3.2.1#./.yarn/patches/luxon-npm-3.2.1-56f8d97395.patch",
     "luxon@^3.2.1": "patch:luxon@npm%3A3.2.1#./.yarn/patches/luxon-npm-3.2.1-56f8d97395.patch",
-    "improved-yarn-audit@^3.0.0": "patch:improved-yarn-audit@npm%3A3.0.0#./.yarn/patches/improved-yarn-audit-npm-3.0.0-3e37ee431a.patch",
     "symbol-observable": "^2.0.3",
     "async-done@~1.3.2": "patch:async-done@npm%3A1.3.2#./.yarn/patches/async-done-npm-1.3.2-1f0a4a8997.patch",
     "async-done@^1.2.0": "patch:async-done@npm%3A1.3.2#./.yarn/patches/async-done-npm-1.3.2-1f0a4a8997.patch",
@@ -491,7 +491,6 @@
     "gulp-zip": "^5.1.0",
     "history": "^5.0.0",
     "husky": "^8.0.3",
-    "improved-yarn-audit": "^3.0.0",
     "ini": "^3.0.0",
     "istanbul-lib-coverage": "^3.2.0",
     "istanbul-lib-report": "^3.0.0",
@@ -560,7 +559,7 @@
   },
   "engines": {
     "node": ">= 18",
-    "yarn": "^3.2.4"
+    "yarn": "^4.0.0-rc.48"
   },
   "lavamoat": {
     "allowScripts": {
@@ -630,5 +629,5 @@
       "@storybook/react-webpack5>@storybook/preset-react-webpack>@pmmmwh/react-refresh-webpack-plugin>core-js-pure": false
     }
   },
-  "packageManager": "yarn@3.2.4"
+  "packageManager": "yarn@4.0.0-rc.48"
 }