release(runway): cherry-pick fix: fix pbkdf2 yarn audit #33869
Description
Using `resolutions` to upgrade vulnerable versions of the `pbkdf2` package for those 2 audit issues:
- GHSA-v62p-rq8g-8h59
- GHSA-h7cp-r72f-jxh6

The patched version is `3.1.3`.

[](https://codespaces.new/MetaMask/metamask-extension/pull/33863?quickstart=1)

Related issues
N/A
Manual testing steps
N/A
Pre-merge author checklist
- [x] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Extension Coding Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md).
- [x] I've completed the PR template to the best of my ability
- [x] I’ve included tests if applicable
- [x] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable
- [x] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors.

Pre-merge reviewer checklist
- [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
- [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and/or screenshots.

---------
Co-authored-by: MetaMask Bot <[email protected]>
CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
All alerts resolved. Learn more about Socket for GitHub. This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored. Ignoring alerts on:
✨ Files requiring CODEOWNER review ✨
🧩 @MetaMask/extension-devs
📜 @MetaMask/policy-reviewers
Tip: Follow the policy review process outlined in the LavaMoat Policy Review Process doc before expecting an approval from Policy Reviewers.
🔗 @MetaMask/supply-chain
@SocketSecurity ignore npm/[email protected] New author OK, we know who that is.
Gudahtt
left a comment
LGTM!
❌ test-e2e-chrome-api-specs failed. View the html report here.
Builds ready [ded636a]
UI Startup Metrics (1238 ± 68 ms)
- Benchmark value 16 exceeds gate value 15 for chrome browserify home mean getState
- Benchmark value 842 exceeds gate value 830 for chrome browserify home mean loadScripts
- Benchmark value 1372 exceeds gate value 1365 for chrome browserify home p95 uiStartup
- Benchmark value 956 exceeds gate value 940 for chrome browserify home p95 loadScripts
- Benchmark value 59 exceeds gate value 57 for chrome webpack home p95 domInteractive
- Benchmark value 257 exceeds gate value 65 for chrome webpack home p95 setupStore
- Benchmark value 1634 exceeds gate value 1615 for firefox webpack home mean uiStartup
- Benchmark value 1414 exceeds gate value 1380 for firefox webpack home mean load
- Benchmark value 1414 exceeds gate value 1380 for firefox webpack home mean domContentLoaded
- Benchmark value 44 exceeds gate value 38 for firefox webpack home mean firstReactRender
- Benchmark value 1395 exceeds gate value 1360 for firefox webpack home mean loadScripts
- Benchmark value 1996 exceeds gate value 1935 for firefox webpack home p95 uiStartup
- Benchmark value 1792 exceeds gate value 1660 for firefox webpack home p95 load
- Benchmark value 1791 exceeds gate value 1660 for firefox webpack home p95 domContentLoaded
- Benchmark value 157 exceeds gate value 156 for firefox webpack home p95 domInteractive
- Benchmark value 52 exceeds gate value 50 for firefox webpack home p95 firstReactRender
- Benchmark value 1774 exceeds gate value 1630 for firefox webpack home p95 loadScripts

Sum of mean exceeds: 145ms | Sum of p95 exceeds: 688ms
Sum of all benchmark exceeds: 833ms
Co-authored-by: MetaMask Bot [email protected] 4e39fcb
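
One way to confirm that a `resolutions` override like the one in this PR took effect is to scan the lockfile for `pbkdf2` entries that still resolve below `3.1.3`. This is an added example, not code from the PR or from MetaMask; the function names and the Yarn Berry lockfile snippets are constructed, and versions are assumed to be plain `x.y.z`.

```javascript
// Added example (not MetaMask's code): flag yarn.lock entries below a patched version.
// Compare plain x.y.z versions (assumption: no prerelease/build tags).
function cmp(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Yarn Berry lockfile: an unindented `descriptor[, descriptor]:` header,
// followed by an indented `version: x.y.z` line.
function findUnpatched(lockText, pkg, patched) {
  const hits = [];
  let current = null; // descriptors of the entry being read, if it is for pkg
  for (const line of lockText.split(/\r?\n/)) {
    if (/^\S.*:$/.test(line)) {
      const descriptors = line.slice(0, -1).replace(/^"|"$/g, '').split(/,\s*/);
      // Package name ends at the first '@' after position 0 (handles @scope/name).
      const names = descriptors.map((d) => d.slice(0, d.indexOf('@', 1)));
      current = names.includes(pkg) ? descriptors : null;
      continue;
    }
    const m = current && /^\s+version:\s*"?([^"\s]+)"?\s*$/.exec(line);
    if (m) {
      if (cmp(m[1], patched) < 0) hits.push({ descriptors: current, version: m[1] });
      current = null;
    }
  }
  return hits;
}

// Constructed lockfile snippets, not taken from the repository.
const BEFORE = `
"pbkdf2@npm:^3.0.17, pbkdf2@npm:^3.0.3":
  version: 3.1.2
  resolution: "pbkdf2@npm:3.1.2"
"pbkdf2@npm:3.0.17":
  version: 3.0.17
  resolution: "pbkdf2@npm:3.0.17"
`;
const AFTER = `
"pbkdf2@npm:^3.1.3":
  version: 3.1.3
  resolution: "pbkdf2@npm:3.1.3"
`;
console.log(findUnpatched(BEFORE, 'pbkdf2', '3.1.3'), findUnpatched(AFTER, 'pbkdf2', '3.1.3'));
```

Run against the real `yarn.lock` in CI, a non-empty result means some dependent still pulls a version the override did not reach.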