113 lines
4.1 KiB
YAML
113 lines
4.1 KiB
YAML
compressionLevel: mixed
|
|
|
|
enableGlobalCache: false
|
|
|
|
enableScripts: false
|
|
checksumBehavior: "ignore"
|
|
enableTelemetry: false
|
|
|
|
logFilters:
|
|
- code: YN0004
|
|
level: discard
|
|
|
|
nodeLinker: node-modules
|
|
|
|
npmAuditIgnoreAdvisories:
|
|
### Advisories:
|
|
|
|
# Issue: yargs-parser Vulnerable to Prototype Pollution
|
|
# URL - https://github.com/advisories/GHSA-p9pc-299p-vxgp
|
|
# The affected version (<5.0.0) is only included via @ensdomains/ens via
|
|
# 'solc' which is not used in the imports we use from this package.
|
|
- 1088783
|
|
|
|
# Issue: protobufjs Prototype Pollution vulnerability
|
|
# URL - https://github.com/advisories/GHSA-h755-8qp9-cq85
|
|
# Not easily patched. Minimally effects the extension due to usage of
|
|
# LavaMoat lockdown.
|
|
- 1092429
|
|
|
|
# Issue: Regular Expression Denial of Service (ReDOS)
|
|
# URL: https://github.com/advisories/GHSA-257v-vj4p-3w2h
|
|
# color-string is listed as a dependency of 'color' which is brought in by
|
|
# @metamask/jazzicon v2.0.0 but there is work done on that repository to
|
|
# remove the color dependency. We should upgrade
|
|
- 1089718
|
|
|
|
# Issue: semver vulnerable to Regular Expression Denial of Service
|
|
# URL: https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
|
|
# semver is used in the solidity compiler portion of @truffle/codec that does
|
|
# not appear to be used.
|
|
- 1092461
|
|
|
|
### Package Deprecations:
|
|
|
|
# React-tippy brings in popper.js and react-tippy has not been updated in
|
|
# three years.
|
|
- 'popper.js (deprecation)'
|
|
|
|
# React-router is out of date and brings in the following deprecated package
|
|
- 'mini-create-react-context (deprecation)'
|
|
|
|
# The affected version, which is less than 7.0.0, is brought in by
|
|
# ethereumjs-wallet version 0.6.5 used in the extension but only in a single
|
|
# file app/scripts/account-import-strategies/index.js, which may be easy to
|
|
# upgrade.
|
|
- 'uuid (deprecation)'
|
|
|
|
# @npmcli/move-file is brought in via CopyWebpackPlugin used in the storybook
|
|
# main.js file, which can be upgraded to remove this dependency in favor of
|
|
# @npmcli/fs
|
|
- '@npmcli/move-file (deprecation)'
|
|
|
|
# Upgrading babel will result in the following deprecated packages being
|
|
# updated:
|
|
- 'core-js (deprecation)'
|
|
|
|
# Material UI dependencies are planned for removal
|
|
- '@material-ui/core (deprecation)'
|
|
- '@material-ui/styles (deprecation)'
|
|
- '@material-ui/system (deprecation)'
|
|
|
|
# @ensdomains/ens should be explored for upgrade. The following packages are
|
|
# deprecated and would be resolved by upgrading to newer versions of
|
|
# ensdomains packages:
|
|
- '@ensdomains/ens (deprecation)'
|
|
- '@ensdomains/resolver (deprecation)'
|
|
- 'testrpc (deprecation)'
|
|
|
|
# Dependencies brought in by @truffle/decoder that are deprecated:
|
|
- 'cids (deprecation)' # via @ensdomains/content-hash
|
|
- 'multibase (deprecation)' # via cids
|
|
- 'multicodec (deprecation)' # via cids
|
|
|
|
# MetaMask owned repositories brought in by other MetaMask dependencies that
|
|
# can be resolved by updating the versions throughout the dependency tree
|
|
- 'eth-sig-util (deprecation)' # via @metamask/eth-ledger-bridge-keyring
|
|
- '@metamask/controller-utils (deprecation)' # via @metamask/phishin-controller
|
|
- 'safe-event-emitter (deprecation)' # via eth-block-tracker and others
|
|
|
|
# @metamask-institutional relies upon crypto which is deprecated
|
|
- 'crypto (deprecation)'
|
|
|
|
# @metamask/providers uses webextension-polyfill-ts which has been moved to
|
|
# @types/webextension-polyfill
|
|
- 'webextension-polyfill-ts (deprecation)'
|
|
|
|
npmRegistries:
|
|
'https://npm.pkg.github.com':
|
|
npmAlwaysAuth: true
|
|
npmAuthToken: '${GITHUB_PACKAGE_READ_TOKEN-}'
|
|
|
|
npmScopes:
|
|
metamask:
|
|
npmRegistryServer: '${METAMASK_NPM_REGISTRY:-https://registry.yarnpkg.com}'
|
|
|
|
plugins:
|
|
- path: .yarn/plugins/@yarnpkg/plugin-allow-scripts.cjs
|
|
spec: 'https://raw.githubusercontent.com/LavaMoat/LavaMoat/main/packages/yarn-plugin-allow-scripts/bundles/@yarnpkg/plugin-allow-scripts.js'
|
|
- path: .yarn/plugins/@yarnpkg/plugin-engines.cjs
|
|
spec: 'https://raw.githubusercontent.com/devoto13/yarn-plugin-engines/main/bundles/%40yarnpkg/plugin-engines.js'
|
|
|
|
yarnPath: .yarn/releases/yarn-4.0.0-rc.48.cjs
|