mirror of
https://github.com/kremalicious/metamask-extension.git
synced 2024-12-23 09:52:26 +01:00
dacdaf031c
* security: patch request for CVE-2023-28155 GHSA-p8p7-x288-28g6 Ported from https://github.com/request/request/pull/3444 * add iyarc exclusion
22 lines
1.0 KiB
Plaintext
22 lines
1.0 KiB
Plaintext
# improved-yarn-audit advisory exclusions
|
|
GHSA-257v-vj4p-3w2h
|
|
|
|
# yarn berry's `yarn npm audit` script reports the following vulnerability but
|
|
# it is a false positive. The offending version of 'ws' that is installed is
|
|
# 7.1.1 and is included only via remote-redux-devtools which is a devDependency
|
|
GHSA-6fc8-4gx4-v693
|
|
|
|
# yarn npm audit reports on a fast-json-patch version < 3.1.1 but due to patch
|
|
# resolution, the only version of fast-json-patch that we use is 3.1.1. We also
|
|
# have 2.2.1 installed but it is a dev only dependency. The "violation" reports
|
|
# smart-transacton-controller as the culprit but if you run
|
|
# `yarn info -A -R dependents fast-json-patch` you can see that only 2.2.1 and
|
|
# 3.3.1 are installed and that smart-transaction-controller resolves to the
|
|
# patched version of 3.3.1. We can remove this once the
|
|
# smart-transaction-controller updates its dependency.
|
|
GHSA-8gh8-hqwg-xf34
|
|
|
|
# request library is subject to SSRF.
|
|
# addressed by temporary patch in .yarn/patches/request-npm-2.88.2-f4a57c72c4.patch
|
|
GHSA-p8p7-x288-28g6
|