Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[UPDATE] - Yarn Audit Updates #5978

Merged
merged 1 commit into from
Mar 17, 2023
Merged

[UPDATE] - Yarn Audit Updates #5978

merged 1 commit into from
Mar 17, 2023

Conversation

sethkfman
Copy link
Contributor

Development & PR Process

  1. Follow MetaMask Mobile Coding Standards
  2. Add release-xx label to identify the PR slated for a upcoming release (will be used in release discussion)
  3. Add needs-dev-review label when work is completed
  4. Add needs-qa label when dev review is completed
  5. Add QA Passed label when QA has signed off

Description

This is a fix and update to the .iyarc file used for excluding yarn audit elements. Old audits that were no longer valid have been removed.

A new audit was added for exclusion per the warning we are maintain our project and there is currently no patch.
(Ref: GHSA-p8p7-x288-28g6)

Screenshots/Recordings

NA

Issue

Progresses #???

Checklist

  • [NA] There is a related GitHub issue
  • [NA] Tests are included if applicable
  • [NA] Any added code is fully documented

@sethkfman
fixed iyarc format removed exclusions not needed, added exclusion for…
4b7ae03 
… production value since the project is stilll maintained
@sethkfman sethkfman requested a review from a team as a code owner March 16, 2023 22:06
@github-actions
Copy link
Contributor

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

tommasini
tommasini approved these changes Mar 16, 2023
View reviewed changes
Copy link
Contributor

@tommasini tommasini left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@blackdevelopa blackdevelopa mentioned this pull request Mar 17, 2023
Merged
3 tasks
@sethkfman sethkfman merged commit 1b4ca5c into main Mar 17, 2023
@sethkfman sethkfman deleted the fix/yarn-audit-update branch March 17, 2023 17:22
@github-actions github-actions bot locked and limited conversation to collaborators Mar 17, 2023
legobeat
legobeat reviewed Apr 21, 2023
View reviewed changes
.iyarc
@@ -1,2 +1,3 @@
GHSA-p8p7-x288-28g6
Copy link
Contributor

@legobeat legobeat Apr 21, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sethkfman @tommasini How was the assessment made that this is not a vulnerability for MM Mobile? It looks like this can actually breaks TLS security by a protocol redirect?

This was patched in extension: MetaMask/metamask-extension#18208

If the request package is indeed staying for now, perhaps we can consider moving to the more recently maintained cypress fork with this fix: cypress-io/request#28

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@legobeat legobeat legobeat left review comments

@tommasini tommasini tommasini approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@sethkfman @tommasini @legobeat