Resolve two new security advisories (#19940)

Two new security advisories have been resolved. These advisories are causing CI to fail on `develop`. Neither presents any risk to us, as they are prototype pollution issues that are prevented by lockdown. The first advisory isn't easy for us to patch. It's caused by an outdated version of `protobufjs` used by `@trezor/transport`. It has been ignored for now, until Trezor updates that package. For the second advisory (related to `tough-cookie`), it was resolved by updating that dependency in our lockfile.
2024-10-22 03:12:42 +02:00 · 2023-07-10 12:56:34 -02:30 · 2023-07-10 12:56:34 -02:30 · 9c278c3610
commit 9c278c3610
parent 57519235bb
2 changed files with 42 additions and 5 deletions
--- a/.iyarc
+++ b/.iyarc
@ -4,3 +4,8 @@ GHSA-257v-vj4p-3w2h
 # request library is subject to SSRF.
 # addressed by temporary patch in .yarn/patches/request-npm-2.88.2-f4a57c72c4.patch
 GHSA-p8p7-x288-28g6
+
+# Prototype pollution
+# Not easily patched
+# Minimal risk to us because we're using lockdown which also prevents this case of prototype pollution
+GHSA-h755-8qp9-cq85
--- a/yarn.lock
+++ b/yarn.lock
@ -28818,6 +28818,13 @@ __metadata:
  languageName: node
  linkType: hard

+"querystringify@npm:^2.1.1":
+  version: 2.2.0
+  resolution: "querystringify@npm:2.2.0"
+  checksum: 5641ea231bad7ef6d64d9998faca95611ed4b11c2591a8cae741e178a974f6a8e0ebde008475259abe1621cb15e692404e6b6626e927f7b849d5c09392604b15
+  languageName: node
+  linkType: hard
+
 "queue-microtask@npm:^1.2.3":
  version: 1.2.3
  resolution: "queue-microtask@npm:1.2.3"
@ -30320,6 +30327,13 @@ __metadata:
  languageName: node
  linkType: hard

+"requires-port@npm:^1.0.0":
+  version: 1.0.0
+  resolution: "requires-port@npm:1.0.0"
+  checksum: eee0e303adffb69be55d1a214e415cf42b7441ae858c76dfc5353148644f6fd6e698926fc4643f510d5c126d12a705e7c8ed7e38061113bdf37547ab356797ff
+  languageName: node
+  linkType: hard
+
 "reselect@npm:^3.0.1":
  version: 3.0.1
  resolution: "reselect@npm:3.0.1"
@ -33418,13 +33432,14 @@ __metadata:
  linkType: hard

 "tough-cookie@npm:>=2.3.3, tough-cookie@npm:^4.0.0":
-  version: 4.0.0
-  resolution: "tough-cookie@npm:4.0.0"
+  version: 4.1.3
+  resolution: "tough-cookie@npm:4.1.3"
  dependencies:
    psl: ^1.1.33
    punycode: ^2.1.1
-    universalify: ^0.1.2
-  checksum: 0891b37eb7d17faa3479d47f0dce2e3007f2583094ad272f2670d120fbcc3df3b0b0a631ba96ecad49f9e2297d93ff8995ce0d3292d08dd7eabe162f5b224d69
+    universalify: ^0.2.0
+    url-parse: ^1.5.3
+  checksum: c9226afff36492a52118432611af083d1d8493a53ff41ec4ea48e5b583aec744b989e4280bcf476c910ec1525a89a4a0f1cae81c08b18fb2ec3a9b3a72b91dcc
  languageName: node
  linkType: hard

@ -34316,13 +34331,20 @@ __metadata:
  languageName: node
  linkType: hard

-"universalify@npm:^0.1.0, universalify@npm:^0.1.2":
+"universalify@npm:^0.1.0":
  version: 0.1.2
  resolution: "universalify@npm:0.1.2"
  checksum: 40cdc60f6e61070fe658ca36016a8f4ec216b29bf04a55dce14e3710cc84c7448538ef4dad3728d0bfe29975ccd7bfb5f414c45e7b78883567fb31b246f02dff
  languageName: node
  linkType: hard

+"universalify@npm:^0.2.0":
+  version: 0.2.0
+  resolution: "universalify@npm:0.2.0"
+  checksum: e86134cb12919d177c2353196a4cc09981524ee87abf621f7bc8d249dbbbebaec5e7d1314b96061497981350df786e4c5128dbf442eba104d6e765bc260678b5
+  languageName: node
+  linkType: hard
+
 "universalify@npm:^2.0.0":
  version: 2.0.0
  resolution: "universalify@npm:2.0.0"
@ -34478,6 +34500,16 @@ __metadata:
  languageName: node
  linkType: hard

+"url-parse@npm:^1.5.3":
+  version: 1.5.10
+  resolution: "url-parse@npm:1.5.10"
+  dependencies:
+    querystringify: ^2.1.1
+    requires-port: ^1.0.0
+  checksum: fbdba6b1d83336aca2216bbdc38ba658d9cfb8fc7f665eb8b17852de638ff7d1a162c198a8e4ed66001ddbf6c9888d41e4798912c62b4fd777a31657989f7bdf
+  languageName: node
+  linkType: hard
+
 "url@npm:~0.11.0":
  version: 0.11.0
  resolution: "url@npm:0.11.0"