fix: Ignore yarn audit warning for GHSA-9wv6-86v2-598j

[danjm]

Description

This addresses the following yarn audit failure:

└─ path-to-regexp
   ├─ ID: 1099496
   ├─ Issue: path-to-regexp outputs backtracking regular expressions
   ├─ URL: https://github.com/advisories/GHSA-9wv6-86v2-598j
   ├─ Severity: high
   ├─ Vulnerable Versions: >=0.2.0 <8.0.0
   │ 
   ├─ Tree Versions
   │  └─ 1.7.0
   │ 
   └─ Dependents
      └─ react-router@npm:5.1.2 [12b72]

path-to-Regexp is used in two files within react-router v5.1.2: generatePath.js and matchPath.js. In both cases, path and options variables are passed to a compilePath function. Those are then passed to pathtoRegexp. The variables passed to pathtoRegexp are dependent on props or parameters passed to react-router components and/or methods explictly from the metamask code. So this vulnerability cannot be exploited by an external actor.

Related issues

Fixes:

Manual testing steps

1. Go to this page...

Screenshots/Recordings

Before

After

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Extension Coding Standards.
• I've completed the PR template to the best of my ability
• I’ve included tests if applicable
• I’ve documented my code using JSDoc format if applicable
• I’ve applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[sonarcloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 70.15%. Comparing base (9f8651c) to head (3e010c4).
Report is 1 commits behind head on develop.

Additional details and impacted files

@@           Coverage Diff            @@
##           develop   #27024   +/-   ##
========================================
  Coverage    70.15%   70.15%           
========================================
  Files         1425     1425           
  Lines        49651    49651           
  Branches     13891    13891           
========================================
  Hits         34831    34831           
  Misses       14820    14820           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[metamaskbot]

Builds ready [3e010c4]

• builds: chrome, firefox
• builds (beta): chrome
• builds (flask): chrome, firefox
• builds (MMI): chrome, firefox
• builds (test): chrome, firefox
• builds (test-flask): chrome, firefox
• build viz: Build System
• mv3: Background Module Init Stats
• mv3: UI Init Stats
• mv3: Module Load Stats
• mv3: Bundle Size Stats
• mv2: E2e Actions Stats
• code coverage: Report
• storybook: Storybook
• typescript migration: Dashboard
• all artifacts
• bundle viz:

  • background: 0, 1, 2, 3, 4, 5
  • common: 0, 1, 10, 11, 2, 3, 4, 5, 6, 7, 8, 9
  • content-script: 0
  • offscreen: 0
  • ui: 0, 1, 10, 11, 2, 3, 4, 5, 6, 7, 8, 9

Page Load Metrics (1679 ± 86 ms)

Platform	Page	Metric	Min (ms)	Max (ms)	Average (ms)	StandardDeviation (ms)	MarginOfError (ms)
Chrome	Home	firstPaint	1481	2218	1681	187	90
		domContentLoaded	1472	2146	1660	176	84
		load	1481	2161	1679	180	86
		domInteractive	13	57	29	12	6

Bundle size diffs

• background: 0 Bytes (0.00%)
• ui: 0 Bytes (0.00%)
• common: 0 Bytes (0.00%)

[desi]

Thanks for fixing this!

[danjm]

Note: it seems the worst case that would be actually possible is that we accidentally set the path property on either a Route component or on the second param to matchPath to a path that would generate an exploitable regexp:

The bad regular expression is generated any time you have two parameters within a single segment, separated by something that is not a period (.). For example, /:a-:b will produce the regular expression /^\/([^\/]+?)-([^\/]+?)\/?$/

So we would have to accidentally set a path to something like /:a-:b or /flights/:from-:to
We don't have any uses of parameters within our paths, so this is very unlikely, and in general (as the security disclosue blog post says): "Thankfully the pattern of using more than one parameter within slashes is extremely rare or non-existent.". So it would be very unlikely for this to happen by accident, but still not totally impossible, so we should probably upgrade to react-router v6 sooner rather than later

[metamaskbot]

Missing release label release-12.3.0 on PR. Adding release label release-12.3.0 on PR and removing other release labels(release-12.5.0), as PR was cherry-picked in branch 12.3.0.