Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Add chaijs/get-func-name resolution #7351

Merged
merged 3 commits into from
Sep 28, 2023
Merged

fix: Add chaijs/get-func-name resolution #7351

merged 3 commits into from
Sep 28, 2023

Conversation

leotm
Copy link
Contributor

@leotm leotm commented Sep 28, 2023
edited

Description

Fix CI: https://github.com/MetaMask/metamask-mobile/actions/runs/6331863392/job/17197486695
By adding a Yarn package.json lockfile resolution

Then once

Merged we can remove the resolution and bump ethereum-optimism

Fixed in: chaijs/get-func-name@f934b22

Manual testing steps

yarn audit:ci

Related issues

Fixes GHSA-4q6p-r6v2-jvc5

Pre-merge author checklist

  • I’ve followed MetaMask Coding Standards.
  • I've clearly explained:
    • What problem this PR is solving.
    • How this problem was solved.
    • How reviewers can test my changes.
  • I’ve indicated what issue this PR is linked to: Fixes #???
  • I’ve included tests if applicable.
  • I’ve documented any added code.
  • I’ve applied the right labels on the PR (see labeling guidelines).
  • I’ve properly set the pull request status:
    • In case it's not yet "ready for review", I've set it to "draft".
    • In case it's "ready for review", I've changed it from "draft" to "non-draft".

Pre-merge reviewer checklist

  • I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
  • I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

@leotm
Fix GHSA-4q6p-r6v2-jvc5
2d0b3e6 
Follow-up: Bump ethereum-optimism then remove resolution
Ref: ethereum-optimism/optimism#7432 (review)

Vulnerability: GHSA-4q6p-r6v2-jvc5

Fix commit: chaijs/get-func-name@f934b22
@github-actions
Copy link
Contributor

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

@leotm leotm marked this pull request as ready for review September 28, 2023 11:46
@leotm leotm requested a review from a team as a code owner September 28, 2023 11:46
tommasini
tommasini previously approved these changes Sep 28, 2023
View reviewed changes
Copy link
Contributor

@tommasini tommasini left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

Gudahtt
Gudahtt reviewed Sep 28, 2023
View reviewed changes
package.json Outdated Show resolved Hide resolved
@socket-security
Copy link

socket-security bot commented Sep 28, 2023
edited

No top level dependency changes detected. Learn more about Socket for GitHub ↗︎

@socket-security
Copy link

socket-security bot commented Sep 28, 2023
edited

👍 Dependency issues cleared. Learn more about Socket for GitHub ↗︎

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring: get-func-name@2.0.2

Next steps

Take a deeper look at the dependency

Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev.

Remove the package

If you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency.

Mark a package as acceptable risk

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore foo@1.0.0 bar@* or ignore all packages with @SocketSecurity ignore-all

Gudahtt
Gudahtt previously approved these changes Sep 28, 2023
View reviewed changes
Copy link
Member

@Gudahtt Gudahtt left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM!

@leotm
Copy link
Contributor Author

leotm commented Sep 28, 2023

@SocketSecurity ignore get-func-name@2.0.2

nb: https://socket.dev/npm/package/get-func-name/issues/2.0.2?issue=unstableOwnership

A new collaborator has begun publishing package versions. Package stability and security risk may be elevated. Found 1 instance in 1 package

@codecov-commenter
Copy link

codecov-commenter commented Sep 28, 2023
edited

Codecov Report

All modified lines are covered by tests ✅

Comparison is base (c865d3c) 34.60% compared to head (11adc80) 34.60%.

Additional details and impacted files 
@@           Coverage Diff           @@
##             main    #7351   +/-   ##
=======================================
  Coverage   34.60%   34.60%           
=======================================
  Files        1017     1017           
  Lines       27144    27144           
  Branches     2205     2205           
=======================================
  Hits         9393     9393           
  Misses      17262    17262           
  Partials      489      489

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

Gudahtt
Gudahtt reviewed Sep 28, 2023
View reviewed changes
yarn.lock Show resolved Hide resolved
@leotm
Update yarn.lock
11adc80 
Remove stale lockfile resolution
Since removed package.json resolution

RE: https://github.com/MetaMask/metamask-mobile/pull/7351/files#r1340055974
@leotm leotm added dependencies Pull requests that update a dependency file team-security and removed team-mobile-client labels Sep 28, 2023
@sonarcloud
Copy link

sonarcloud bot commented Sep 28, 2023

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
No Duplication information No Duplication information

@leotm leotm merged commit 0ef61bb into main Sep 28, 2023
45 checks passed
@leotm leotm deleted the fix/unbreak-ci-audit-fix-ddos-vuln-bump-chaijs-get-func-name branch September 28, 2023 13:06
@github-actions github-actions bot locked and limited conversation to collaborators Sep 28, 2023
@leotm
Copy link
Contributor Author

leotm commented Sep 28, 2023

ah automation wins, could've merged instead

🙈 @dawnseeker8 i'll lookout for our bots next time

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@Gudahtt Gudahtt Gudahtt approved these changes

@tommasini tommasini Awaiting requested review from tommasini

Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file release-7.9.0 team-security
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@leotm @codecov-commenter @Gudahtt @tommasini @metamaskbot