
Resolve two new security advisories (#19940)

Two new security advisories have been resolved. These advisories are
causing CI to fail on `develop`. Neither presents any risk to us,
as they are prototype pollution issues that are prevented by lockdown.

The first advisory isn't easy for us to patch. It's caused by an
outdated version of `protobufjs` used by `@trezor/transport`. It has
been ignored for now, until Trezor updates that package.

For the second advisory (related to `tough-cookie`), it was resolved
by updating that dependency in our lockfile.
This commit is contained in:
Mark Stacey 2023-07-10 12:56:34 -02:30 committed by GitHub
parent 57519235bb
commit 9c278c3610
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 42 additions and 5 deletions

5
.iyarc

@ -4,3 +4,8 @@ GHSA-257v-vj4p-3w2h
# request library is subject to SSRF. # request library is subject to SSRF.
# addressed by temporary patch in .yarn/patches/request-npm-2.88.2-f4a57c72c4.patch # addressed by temporary patch in .yarn/patches/request-npm-2.88.2-f4a57c72c4.patch
GHSA-p8p7-x288-28g6 GHSA-p8p7-x288-28g6
# Prototype pollution
# Not easily patched
# Minimal risk to us because we're using lockdown which also prevents this case of prototype pollution
GHSA-h755-8qp9-cq85
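Review bot: The new ignore entry for GHSA-h755-8qp9-cq85 records neither the dependency path it arrives through nor a condition for revisiting it, so the exception has no natural expiry and will outlive the reason for it. The commit message says the advisory is caused by an outdated `protobufjs` pulled in by `@trezor/transport`, but none of that appears in .iyarc, which is what the next reader of this file will see. I would extend the comment to `# Via @trezor/transport -> outdated protobufjs; remove once @trezor/transport ships a fixed protobufjs (see #19940)`. The "lockdown prevents this" justification also only holds for code running inside the lockdown'd runtime; if protobufjs is ever exercised from build or test tooling outside that boundary the mitigation does not apply, which is worth confirming and noting in the comment.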


@ -28818,6 +28818,13 @@ __metadata:
languageName: node languageName: node
linkType: hard linkType: hard
"querystringify@npm:^2.1.1":
version: 2.2.0
resolution: "querystringify@npm:2.2.0"
checksum: 5641ea231bad7ef6d64d9998faca95611ed4b11c2591a8cae741e178a974f6a8e0ebde008475259abe1621cb15e692404e6b6626e927f7b849d5c09392604b15
languageName: node
linkType: hard
"queue-microtask@npm:^1.2.3": "queue-microtask@npm:^1.2.3":
version: 1.2.3 version: 1.2.3
resolution: "queue-microtask@npm:1.2.3" resolution: "queue-microtask@npm:1.2.3"
@ -30320,6 +30327,13 @@ __metadata:
languageName: node languageName: node
linkType: hard linkType: hard
"requires-port@npm:^1.0.0":
version: 1.0.0
resolution: "requires-port@npm:1.0.0"
checksum: eee0e303adffb69be55d1a214e415cf42b7441ae858c76dfc5353148644f6fd6e698926fc4643f510d5c126d12a705e7c8ed7e38061113bdf37547ab356797ff
languageName: node
linkType: hard
"reselect@npm:^3.0.1": "reselect@npm:^3.0.1":
version: 3.0.1 version: 3.0.1
resolution: "reselect@npm:3.0.1" resolution: "reselect@npm:3.0.1"
@ -33418,13 +33432,14 @@ __metadata:
linkType: hard linkType: hard
"tough-cookie@npm:>=2.3.3, tough-cookie@npm:^4.0.0": "tough-cookie@npm:>=2.3.3, tough-cookie@npm:^4.0.0":
version: 4.0.0 version: 4.1.3
resolution: "tough-cookie@npm:4.0.0" resolution: "tough-cookie@npm:4.1.3"
dependencies: dependencies:
psl: ^1.1.33 psl: ^1.1.33
punycode: ^2.1.1 punycode: ^2.1.1
universalify: ^0.1.2 universalify: ^0.2.0
checksum: 0891b37eb7d17faa3479d47f0dce2e3007f2583094ad272f2670d120fbcc3df3b0b0a631ba96ecad49f9e2297d93ff8995ce0d3292d08dd7eabe162f5b224d69 url-parse: ^1.5.3
checksum: c9226afff36492a52118432611af083d1d8493a53ff41ec4ea48e5b583aec744b989e4280bcf476c910ec1525a89a4a0f1cae81c08b18fb2ec3a9b3a72b91dcc
languageName: node languageName: node
linkType: hard linkType: hard
@ -34316,13 +34331,20 @@ __metadata:
languageName: node languageName: node
linkType: hard linkType: hard
"universalify@npm:^0.1.0, universalify@npm:^0.1.2": "universalify@npm:^0.1.0":
version: 0.1.2 version: 0.1.2
resolution: "universalify@npm:0.1.2" resolution: "universalify@npm:0.1.2"
checksum: 40cdc60f6e61070fe658ca36016a8f4ec216b29bf04a55dce14e3710cc84c7448538ef4dad3728d0bfe29975ccd7bfb5f414c45e7b78883567fb31b246f02dff checksum: 40cdc60f6e61070fe658ca36016a8f4ec216b29bf04a55dce14e3710cc84c7448538ef4dad3728d0bfe29975ccd7bfb5f414c45e7b78883567fb31b246f02dff
languageName: node languageName: node
linkType: hard linkType: hard
"universalify@npm:^0.2.0":
version: 0.2.0
resolution: "universalify@npm:0.2.0"
checksum: e86134cb12919d177c2353196a4cc09981524ee87abf621f7bc8d249dbbbebaec5e7d1314b96061497981350df786e4c5128dbf442eba104d6e765bc260678b5
languageName: node
linkType: hard
"universalify@npm:^2.0.0": "universalify@npm:^2.0.0":
version: 2.0.0 version: 2.0.0
resolution: "universalify@npm:2.0.0" resolution: "universalify@npm:2.0.0"
@ -34478,6 +34500,16 @@ __metadata:
languageName: node languageName: node
linkType: hard linkType: hard
"url-parse@npm:^1.5.3":
version: 1.5.10
resolution: "url-parse@npm:1.5.10"
dependencies:
querystringify: ^2.1.1
requires-port: ^1.0.0
checksum: fbdba6b1d83336aca2216bbdc38ba658d9cfb8fc7f665eb8b17852de638ff7d1a162c198a8e4ed66001ddbf6c9888d41e4798912c62b4fd777a31657989f7bdf
languageName: node
linkType: hard
"url@npm:~0.11.0": "url@npm:~0.11.0":
version: 0.11.0 version: 0.11.0
resolution: "url@npm:0.11.0" resolution: "url@npm:0.11.0"