Upgrade to yarn 4 (#20249)

2023-08-01 17:19:19 -05:00 · 2023-08-01 17:19:19 -05:00 · 038eb63eb0
parent 5b5ca4599e
commit 038eb63eb0
11 changed files with 11954 additions and 12457 deletions
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@ -694,6 +694,9 @@ jobs:
      - run:
          name: lockfile-lint
          command: yarn lint:lockfile
+      - run:
+          name: check yarn resolutions
+          command: yarn --check-resolutions

  test-lint-changelog:
    executor: node-browsers
@ -729,7 +732,7 @@ jobs:
          at: .
      - run:
          name: yarn audit
-          command: .circleci/scripts/yarn-audit.sh
+          command: yarn audit

  test-deps-depcheck:
    executor: node-browsers
--- a/.circleci/scripts/yarn-audit.sh
+++ b/.circleci/scripts/yarn-audit.sh
@ -1,24 +0,0 @@
-#!/usr/bin/env bash
-
-set -e
-set -u
-set -x
-set -o pipefail
-
-# use `improved-yarn-audit` since that allows for exclude
-# exclusions are in .iyarc now
-yarn run improved-yarn-audit \
-    --ignore-dev-deps \
-    --min-severity moderate \
-    --fail-on-missing-exclusions
-
-audit_status="$?"
-
-if [[ "$audit_status" != 0 ]]
-then
-    count="$(yarn npm audit --severity moderate --environment production --json | tail -1 | jq '.data.vulnerabilities.moderate + .data.vulnerabilities.high + .data.vulnerabilities.critical')"
-    printf "Audit shows %s moderate or high severity advisories _in the production dependencies_\n" "$count"
-    exit 1
-else
-    printf "Audit shows _zero_ moderate or high severity advisories _in the production dependencies_\n"
-fi
--- a/.depcheckrc.yml
+++ b/.depcheckrc.yml
@ -45,7 +45,6 @@ ignores:
  - 'playwright'
  - 'wait-on'
  # development tool
-  - 'improved-yarn-audit'
  - 'nyc'
  # storybook
  - '@storybook/cli'
--- a/.iyarc
+++ b/.iyarc
@ -1,7 +0,0 @@
-# improved-yarn-audit advisory exclusions
-GHSA-257v-vj4p-3w2h
-
-# Prototype pollution
-# Not easily patched
-# Minimal risk to us because we're using lockdown which also prevents this case of prototype pollution
-GHSA-h755-8qp9-cq85
--- a/.yarn/patches/improved-yarn-audit-npm-3.0.0-3e37ee431a.patch
+++ b/.yarn/patches/improved-yarn-audit-npm-3.0.0-3e37ee431a.patch
@ -1,69 +0,0 @@
-# Improved yarn audit is patched to work with yarn version 2+. The primary need
-# is to retool the script to first use yarn's new audit command and parameters
-# as well as to change the process for how it reads the result due to an update
-# in returned shape of audit command's data.
-diff --git a/bin/improved-yarn-audit b/bin/improved-yarn-audit
-index 52df548151aa28289565e3335b2cd7a92fa38325..7e058df6a4a159596df72c9475a36b747580cd98 100755
--- a/bin/improved-yarn-audit
-+++ b/bin/improved-yarn-audit
-@@ -15,6 +15,7 @@ const { tmpdir } = require("os")
- const path = require("path")
- const { env, exit, platform } = require("process")
- const { createInterface } = require("readline")
-+const { Stream } = require("stream")
- 
- const GITHUB_ADVISORY_CODE = "GHSA"
- 
-@@ -250,7 +251,15 @@ async function iterateOverAuditResults(action) {
-   const auditResultsFileStream = getAuditResultsFileStream("r")
-   const iterator = createInterface(auditResultsFileStream)
- 
-  iterator.on("line", action)
-+  iterator.on("line", async (result) => {
-+    const parsed = parseAuditJson(result);
-+    const advisories = Stream.Readable.from(
-+      Object.values(parsed.advisories).map(advisory => JSON.stringify(advisory))
-+    );
-+    for await (const data of advisories) {
-+      action(data);
-+    }
-+  });
- 
-   await new Promise((resolve) => iterator.on("close", resolve))
- 
-@@ -305,10 +314,10 @@ async function streamYarnAuditOutput(auditParams, auditResultsFileStream) {
- }
- 
- async function invokeYarnAudit() {
-  const auditParams = ["audit", "--json", `--level=${minSeverityName}`]
-+  const auditParams = ["npm", "audit", "--recursive", "--json", `--severity=${minSeverityName}`]
- 
-   if (ignoreDevDependencies) {
-    auditParams.push("--groups=dependencies")
-+    auditParams.push("--environment=production")
-   }
- 
-   cleanupAuditResultsFile()
-@@ -420,17 +429,17 @@ async function runAuditReport() {
-   let devDependencyAdvisories = []
-   let devDependencyAdvisoryIds = []
- 
-  await iterateOverAuditResults((resultJson) => {
-    const potentialResult = parseAuditJson(resultJson)
-+  await iterateOverAuditResults((resultJsonString) => {
-+    const potentialResult = parseAuditJson(resultJsonString);
- 
-     if (
-      typeof potentialResult.type !== "string" ||
-      potentialResult.type !== "auditAdvisory"
-+      typeof potentialResult.github_advisory_id !== "string"
-     ) {
-       return
-     }
- 
-    const result = potentialResult.data.advisory
-+
-+    const result = potentialResult;
- 
-     allAdvisories.push(result)
- 
--- a/.yarn/plugins/@yarnpkg/plugin-version.cjs
+++ b/.yarn/plugins/@yarnpkg/plugin-version.cjs
--- a/.yarn/releases/yarn-3.2.4.cjs
+++ b/.yarn/releases/yarn-3.2.4.cjs
--- a/.yarn/releases/yarn-4.0.0-rc.48.cjs
+++ b/.yarn/releases/yarn-4.0.0-rc.48.cjs
--- a/.yarnrc.yml
+++ b/.yarnrc.yml
@ -1,3 +1,7 @@
+compressionLevel: mixed
+
+enableGlobalCache: false
+
 enableScripts: false

 enableTelemetry: false
@ -8,21 +12,101 @@ logFilters:

 nodeLinker: node-modules

+npmAuditIgnoreAdvisories:
+  ### Advisories:
+
+  # Issue: yargs-parser Vulnerable to Prototype Pollution
+  # URL - https://github.com/advisories/GHSA-p9pc-299p-vxgp
+  # The affected version (<5.0.0) is only included via @ensdomains/ens via
+  # 'solc' which is not used in the imports we use from this package.
+  - 1088783
+
+  # Issue: protobufjs Prototype Pollution vulnerability
+  # URL - https://github.com/advisories/GHSA-h755-8qp9-cq85
+  # Not easily patched. Minimally effects the extension due to usage of
+  # LavaMoat lockdown.
+  - 1092429
+
+  # Issue: Regular Expression Denial of Service (ReDOS)
+  # URL: https://github.com/advisories/GHSA-257v-vj4p-3w2h
+  # color-string is listed as a dependency of 'color' which is brought in by
+  # @metamask/jazzicon v2.0.0 but there is work done on that repository to
+  # remove the color dependency. We should upgrade
+  - 1089718
+
+  # Issue: semver vulnerable to Regular Expression Denial of Service
+  # URL: https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
+  # semver is used in the solidity compiler portion of @truffle/codec that does
+  # not appear to be used.
+  - 1092461
+
+  ### Package Deprecations:
+
+  # React-tippy brings in popper.js and react-tippy has not been updated in
+  # three years.
+  - 'popper.js (deprecation)'
+
+  # React-router is out of date and brings in the following deprecated package
+  - 'mini-create-react-context (deprecation)'
+
+  # The affected version, which is less than 7.0.0, is brought in by
+  # ethereumjs-wallet version 0.6.5 used in the extension but only in a single
+  # file app/scripts/account-import-strategies/index.js, which may be easy to
+  # upgrade.
+  - 'uuid (deprecation)'
+
+  # @npmcli/move-file is brought in via CopyWebpackPlugin used in the storybook
+  # main.js file, which can be upgraded to remove this dependency in favor of
+  # @npmcli/fs
+  - '@npmcli/move-file (deprecation)'
+
+  # Upgrading babel will result in the following deprecated packages being
+  # updated:
+  - 'core-js (deprecation)'
+
+  # Material UI dependencies are planned for removal
+  - '@material-ui/core (deprecation)'
+  - '@material-ui/styles (deprecation)'
+  - '@material-ui/system (deprecation)'
+
+  # @ensdomains/ens should be explored for upgrade. The following packages are
+  # deprecated and would be resolved by upgrading to newer versions of
+  # ensdomains packages:
+  - '@ensdomains/ens (deprecation)'
+  - '@ensdomains/resolver (deprecation)'
+  - 'testrpc (deprecation)'
+
+  # Dependencies brought in by @truffle/decoder that are deprecated:
+  - 'cids (deprecation)' # via @ensdomains/content-hash
+  - 'multibase (deprecation)' # via cids
+  - 'multicodec (deprecation)' # via cids
+
+  # MetaMask owned repositories brought in by other MetaMask dependencies that
+  # can be resolved by updating the versions throughout the dependency tree
+  - 'eth-sig-util (deprecation)' # via @metamask/eth-ledger-bridge-keyring
+  - '@metamask/controller-utils (deprecation)' # via @metamask/phishin-controller
+  - 'safe-event-emitter (deprecation)' # via eth-block-tracker and others
+
+  # @metamask-institutional relies upon crypto which is deprecated
+  - 'crypto (deprecation)'
+
+  # @metamask/providers uses webextension-polyfill-ts which has been moved to
+  # @types/webextension-polyfill
+  - 'webextension-polyfill-ts (deprecation)'
+
 npmRegistries:
-  "https://npm.pkg.github.com":
+  'https://npm.pkg.github.com':
    npmAlwaysAuth: true
-    npmAuthToken: "${GITHUB_PACKAGE_READ_TOKEN-}"
+    npmAuthToken: '${GITHUB_PACKAGE_READ_TOKEN-}'

 npmScopes:
  metamask:
-    npmRegistryServer: "${METAMASK_NPM_REGISTRY:-https://registry.yarnpkg.com}"
+    npmRegistryServer: '${METAMASK_NPM_REGISTRY:-https://registry.yarnpkg.com}'

 plugins:
  - path: .yarn/plugins/@yarnpkg/plugin-allow-scripts.cjs
-    spec: "https://raw.githubusercontent.com/LavaMoat/LavaMoat/main/packages/yarn-plugin-allow-scripts/bundles/@yarnpkg/plugin-allow-scripts.js"
-  - path: .yarn/plugins/@yarnpkg/plugin-version.cjs
-    spec: "@yarnpkg/plugin-version"
+    spec: 'https://raw.githubusercontent.com/LavaMoat/LavaMoat/main/packages/yarn-plugin-allow-scripts/bundles/@yarnpkg/plugin-allow-scripts.js'
  - path: .yarn/plugins/@yarnpkg/plugin-engines.cjs
-    spec: "https://raw.githubusercontent.com/devoto13/yarn-plugin-engines/main/bundles/%40yarnpkg/plugin-engines.js"
+    spec: 'https://raw.githubusercontent.com/devoto13/yarn-plugin-engines/main/bundles/%40yarnpkg/plugin-engines.js'

-yarnPath: .yarn/releases/yarn-3.2.4.cjs
+yarnPath: .yarn/releases/yarn-4.0.0-rc.48.cjs
--- a/package.json
+++ b/package.json
@ -97,7 +97,8 @@
    "generate-beta-commit": "node ./development/generate-beta-commit.js",
    "validate-branch-name": "validate-branch-name",
    "add-release-label-to-pr-and-linked-issues": "ts-node ./.github/scripts/add-release-label-to-pr-and-linked-issues.ts",
-    "check-pr-has-required-labels": "ts-node ./.github/scripts/check-pr-has-required-labels.ts"
+    "check-pr-has-required-labels": "ts-node ./.github/scripts/check-pr-has-required-labels.ts",
+    "audit": "yarn npm audit --recursive --environment production --severity moderate"
  },
  "resolutions": {
    "simple-update-notifier@^1.0.0": "^2.0.0",
@ -190,7 +191,6 @@
    "stylelint@^13.6.1": "patch:stylelint@npm%3A13.6.1#./.yarn/patches/stylelint-npm-13.6.1-47aaddf62b.patch",
    "luxon@^3.0.1": "patch:luxon@npm%3A3.2.1#./.yarn/patches/luxon-npm-3.2.1-56f8d97395.patch",
    "luxon@^3.2.1": "patch:luxon@npm%3A3.2.1#./.yarn/patches/luxon-npm-3.2.1-56f8d97395.patch",
-    "improved-yarn-audit@^3.0.0": "patch:improved-yarn-audit@npm%3A3.0.0#./.yarn/patches/improved-yarn-audit-npm-3.0.0-3e37ee431a.patch",
    "symbol-observable": "^2.0.3",
    "async-done@~1.3.2": "patch:async-done@npm%3A1.3.2#./.yarn/patches/async-done-npm-1.3.2-1f0a4a8997.patch",
    "async-done@^1.2.0": "patch:async-done@npm%3A1.3.2#./.yarn/patches/async-done-npm-1.3.2-1f0a4a8997.patch",
@ -491,7 +491,6 @@
    "gulp-zip": "^5.1.0",
    "history": "^5.0.0",
    "husky": "^8.0.3",
-    "improved-yarn-audit": "^3.0.0",
    "ini": "^3.0.0",
    "istanbul-lib-coverage": "^3.2.0",
    "istanbul-lib-report": "^3.0.0",
@ -560,7 +559,7 @@
  },
  "engines": {
    "node": ">= 18",
-    "yarn": "^3.2.4"
+    "yarn": "^4.0.0-rc.48"
  },
  "lavamoat": {
    "allowScripts": {
@ -630,5 +629,5 @@
      "@storybook/react-webpack5>@storybook/preset-react-webpack>@pmmmwh/react-refresh-webpack-plugin>core-js-pure": false
    }
  },
-  "packageManager": "yarn@3.2.4"
+  "packageManager": "yarn@4.0.0-rc.48"
 }
--- a/yarn.lock
+++ b/yarn.lock