From 9405bc1dbccd4c51cff60b32a0386ff3ed55b4b2 Mon Sep 17 00:00:00 2001 
From: Dan J Miller
Date: Tue, 10 Sep 2024 12:00:31 -0230
Subject: [PATCH] fix: Ignore yarn audit warning for GHSA-9wv6-86v2-598j (#27024)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

## **Description**

This addresses the following `yarn audit` failure:

```
└─ path-to-regexp
   ├─ ID: 1099496
   ├─ Issue: path-to-regexp outputs backtracking regular expressions
   ├─ URL: https://github.com/advisories/GHSA-9wv6-86v2-598j
   ├─ Severity: high
   ├─ Vulnerable Versions: >=0.2.0 <8.0.0
   │
   ├─ Tree Versions
   │  └─ 1.7.0
   │
   └─ Dependents
      └─ react-router@npm:5.1.2 [12b72]
```

path-to-regexp is used in two files within react-router v5.1.2: `generatePath.js` and `matchPath.js`. In both cases, `path` and `options` variables are passed to a `compilePath` function. Those are then passed to `pathtoRegexp`.

The variables passed to `pathtoRegexp` are dependent on props or parameters passed to react-router components and/or methods explicitly from the metamask code. So this vulnerability cannot be exploited by an external actor.

[![Open in GitHub Codespaces](https://github.com/codespaces/badge.svg)](https://codespaces.new/MetaMask/metamask-extension/pull/27024?quickstart=1)

## **Related issues**

Fixes:

## **Manual testing steps**

1. Go to this page...
2.
3.

## **Screenshots/Recordings**

### **Before**

### **After**

## **Pre-merge author checklist**

- [ ] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Extension Coding Standards](https://github.com/MetaMask/metamask-extension/blob/develop/.github/guidelines/CODING_GUIDELINES.md).
- [ ] I've completed the PR template to the best of my ability
- [ ] I've included tests if applicable
- [ ] I've documented my code using [JSDoc](https://jsdoc.app/) format if applicable
- [ ] I've applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/develop/.github/guidelines/LABELING_GUIDELINES.md)).
Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. --- .yarnrc.yml | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/.yarnrc.yml b/.yarnrc.yml index 252333917781..1522080c0561 100644 --- a/.yarnrc.yml +++ b/.yarnrc.yml @@ -43,6 +43,16 @@ npmAuditIgnoreAdvisories: # not appear to be used. - 1092461 + # Issue: path-to-regexp outputs backtracking regular expressions + # URL: https://github.com/advisories/GHSA-9wv6-86v2-598j + # path-to-regexp is used in react-router v5.1.2, which we use. However, the + # vulnerability in path-to-regexp could only be exploited within react-router + # if malicious properties were passed to react-router components or methods + # explicitly from our code. As such, this vulneratibility cannot be exploited + # by an external / malicious actor. Meanwhile, once we update to v6+, + # path-to-regexp will no longer be used. + - 1099499 + # Temp fix for https://github.com/MetaMask/metamask-extension/pull/16920 for the sake of 11.7.1 hotfix # This will be removed in this ticket https://github.com/MetaMask/metamask-extension/issues/22299 - 'ts-custom-error (deprecation)'
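Review bot: The advisory number added to `npmAuditIgnoreAdvisories`, `- 1099499`, does not match the number in the `yarn audit` output quoted in the commit message, which reports `ID: 1099496` for GHSA-9wv6-86v2-598j. If the wrong ID is listed, `yarn audit` will keep failing on 1099496 while an unrelated advisory (1099499) is silently suppressed; confirm the ID against the GHSA URL and use the same number in both places. Two smaller points in the same hunk: "vulneratibility" in the comment should be "vulnerability", and since the justification for ignoring a high-severity advisory is that it goes away with the react-router v6 upgrade, the comment should link the tracking ticket for that upgrade the way the neighbouring `ts-custom-error (deprecation)` entry links its removal issue, so the ignore does not outlive the reason for it.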