compressionLevel: mixed enableGlobalCache: false enableScripts: false enableTelemetry: false logFilters: - code: YN0004 level: discard nodeLinker: node-modules npmAuditIgnoreAdvisories: ### Advisories: # Issue: yargs-parser Vulnerable to Prototype Pollution # URL - https://github.com/advisories/GHSA-p9pc-299p-vxgp # The affected version (<5.0.0) is only included via @ensdomains/ens via # 'solc' which is not used in the imports we use from this package. - 1088783 # Issue: protobufjs Prototype Pollution vulnerability # URL - https://github.com/advisories/GHSA-h755-8qp9-cq85 # Not easily patched. Minimally effects the extension due to usage of # LavaMoat lockdown. - 1092429 # Issue: Regular Expression Denial of Service (ReDOS) # URL: https://github.com/advisories/GHSA-257v-vj4p-3w2h # color-string is listed as a dependency of 'color' which is brought in by # @metamask/jazzicon v2.0.0 but there is work done on that repository to # remove the color dependency. We should upgrade - 1089718 # Issue: semver vulnerable to Regular Expression Denial of Service # URL: https://github.com/advisories/GHSA-c2qf-rxjj-qqgw # semver is used in the solidity compiler portion of @truffle/codec that does # not appear to be used. - 1092461 ### Package Deprecations: # React-tippy brings in popper.js and react-tippy has not been updated in # three years. - 'popper.js (deprecation)' # React-router is out of date and brings in the following deprecated package - 'mini-create-react-context (deprecation)' # The affected version, which is less than 7.0.0, is brought in by # ethereumjs-wallet version 0.6.5 used in the extension but only in a single # file app/scripts/account-import-strategies/index.js, which may be easy to # upgrade. - 'uuid (deprecation)' # @npmcli/move-file is brought in via CopyWebpackPlugin used in the storybook # main.js file, which can be upgraded to remove this dependency in favor of # @npmcli/fs - '@npmcli/move-file (deprecation)' # Upgrading babel will result in the following deprecated packages being # updated: - 'core-js (deprecation)' # Material UI dependencies are planned for removal - '@material-ui/core (deprecation)' - '@material-ui/styles (deprecation)' - '@material-ui/system (deprecation)' # @ensdomains/ens should be explored for upgrade. The following packages are # deprecated and would be resolved by upgrading to newer versions of # ensdomains packages: - '@ensdomains/ens (deprecation)' - '@ensdomains/resolver (deprecation)' - 'testrpc (deprecation)' # Dependencies brought in by @truffle/decoder that are deprecated: - 'cids (deprecation)' # via @ensdomains/content-hash - 'multibase (deprecation)' # via cids - 'multicodec (deprecation)' # via cids # MetaMask owned repositories brought in by other MetaMask dependencies that # can be resolved by updating the versions throughout the dependency tree - 'eth-sig-util (deprecation)' # via @metamask/eth-ledger-bridge-keyring - '@metamask/controller-utils (deprecation)' # via @metamask/phishin-controller - 'safe-event-emitter (deprecation)' # via eth-block-tracker and others # @metamask-institutional relies upon crypto which is deprecated - 'crypto (deprecation)' # @metamask/providers uses webextension-polyfill-ts which has been moved to # @types/webextension-polyfill - 'webextension-polyfill-ts (deprecation)' npmRegistries: 'https://npm.pkg.github.com': npmAlwaysAuth: true npmAuthToken: '${GITHUB_PACKAGE_READ_TOKEN-}' npmScopes: metamask: npmRegistryServer: '${METAMASK_NPM_REGISTRY:-https://registry.yarnpkg.com}' plugins: - path: .yarn/plugins/@yarnpkg/plugin-allow-scripts.cjs spec: 'https://raw.githubusercontent.com/LavaMoat/LavaMoat/main/packages/yarn-plugin-allow-scripts/bundles/@yarnpkg/plugin-allow-scripts.js' - path: .yarn/plugins/@yarnpkg/plugin-engines.cjs spec: 'https://raw.githubusercontent.com/devoto13/yarn-plugin-engines/main/bundles/%40yarnpkg/plugin-engines.js' yarnPath: .yarn/releases/yarn-4.0.0-rc.48.cjs