Bump SES to fix audit failure #20434

Merged
merged 2 commits into from
Aug 14, 2023


FrederikBolding
Member

Explanation

Bump SES to fix audit failure that prevents pending PRs from being merged.

@FrederikBolding FrederikBolding requested a review from a team as a code owner August 9, 2023 20:10
@socket-security

Removed dependencies detected. Learn more about Socket for GitHub ↗︎

🚮 Removed packages: [email protected]

Contributor

@georgewrmarshall georgewrmarshall left a comment


LGTM! You have to add a team label to pass the label CI test. I'm not sure which, maybe team-extension-platform?

  • pulled branch and compared yarn audit results

legobeat
legobeat previously approved these changes Aug 10, 2023
@legobeat
Contributor

legobeat commented Aug 10, 2023

Unit test failure:

  non-modifiable intrinsics
    ✔ intrinsic globalThis["Infinity"]
    ✔ intrinsic globalThis["NaN"]
    ✔ intrinsic globalThis["undefined"]
    ✔ intrinsic globalThis["isFinite"]
    ✔ intrinsic globalThis["isNaN"]
    ✔ intrinsic globalThis["parseFloat"]
    ✔ intrinsic globalThis["parseInt"]
    ✔ intrinsic globalThis["decodeURI"]
    ✔ intrinsic globalThis["decodeURIComponent"]
    ✔ intrinsic globalThis["encodeURI"]
    ✔ intrinsic globalThis["encodeURIComponent"]
    ✔ intrinsic globalThis["Array"]
    ✔ intrinsic globalThis["ArrayBuffer"]
    ✔ intrinsic globalThis["BigInt"]
    ✔ intrinsic globalThis["BigInt64Array"]
    ✔ intrinsic globalThis["BigUint64Array"]
    ✔ intrinsic globalThis["Boolean"]
    ✔ intrinsic globalThis["DataView"]
    ✔ intrinsic globalThis["EvalError"]
    ✔ intrinsic globalThis["Float32Array"]
    ✔ intrinsic globalThis["Float64Array"]
    ✔ intrinsic globalThis["Int8Array"]
    ✔ intrinsic globalThis["Int16Array"]
    ✔ intrinsic globalThis["Int32Array"]
    ✔ intrinsic globalThis["Map"]
    ✔ intrinsic globalThis["Number"]
    ✔ intrinsic globalThis["Object"]
    ✔ intrinsic globalThis["Promise"]
    ✔ intrinsic globalThis["Proxy"]
    ✔ intrinsic globalThis["RangeError"]
    ✔ intrinsic globalThis["ReferenceError"]
    ✔ intrinsic globalThis["Set"]
    ✔ intrinsic globalThis["String"]
    ✔ intrinsic globalThis["SyntaxError"]
    ✔ intrinsic globalThis["TypeError"]
    ✔ intrinsic globalThis["Uint8Array"]
    ✔ intrinsic globalThis["Uint8ClampedArray"]
    ✔ intrinsic globalThis["Uint16Array"]
    ✔ intrinsic globalThis["Uint32Array"]
    ✔ intrinsic globalThis["URIError"]
    ✔ intrinsic globalThis["WeakMap"]
    ✔ intrinsic globalThis["WeakSet"]
    ✔ intrinsic globalThis["JSON"]
    ✔ intrinsic globalThis["Reflect"]
    ✔ intrinsic globalThis["escape"]
    ✔ intrinsic globalThis["unescape"]
    ✔ intrinsic globalThis["lockdown"]
    ✔ intrinsic globalThis["harden"]
    ✔ intrinsic globalThis["Date"]
    ✔ intrinsic globalThis["Error"]
    ✔ intrinsic globalThis["RegExp"]
    1) intrinsic globalThis["Symbol"]
    ✔ intrinsic globalThis["Math"]
    ✔ intrinsic globalThis["globalThis"]
    ✔ intrinsic globalThis["eval"]
    ✔ intrinsic globalThis["Function"]


 56 passing (14ms)
 1 failing

  1) non-modifiable intrinsics
       intrinsic globalThis["Symbol"]:

      AssertionError [ERR_ASSERTION] [ERR_ASSERTION]: value of universal property globalThis["Symbol"] should be frozen
      + expected - actual

      -false
      +true
      
    at testIntrinsic (test/helpers/protect-intrinsics-helpers.js:39:20)
    at Context.<anonymous> (test/unit-global/protect-intrinsics.test.js:9:57)

@mcmire
Contributor

mcmire commented Aug 14, 2023

It looks like Symbol was tamed in 0.18.5: endojs/endo@9fb1242

If this change is relevant, what is the correct fix? Should we add Symbol to the ignorelist here? https://github.com/MetaMask/metamask-extension/blob/develop/test/helpers/protect-intrinsics-helpers.js#L16

@Gudahtt
Member

Gudahtt commented Aug 14, 2023

Alternatively we can freeze it by adding it to the shouldHardenManually array in lockdown-more.js

@mcmire
Contributor

mcmire commented Aug 14, 2023

Ah, yeah, that would make more sense.
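
An added example, not part of the original thread and not MetaMask's or SES's code: a stand-alone version of the kind of check the failing test performs, together with the manual-freeze fallback suggested above. `auditIntrinsics`, `hardenManually` and the sample object are hypothetical names, and the freeze shown is shallow, unlike SES's transitive `harden`.

```javascript
// Added example. All names are hypothetical; `target` stands in for globalThis.

// List every named property whose binding can be swapped out or whose value
// can still be mutated.
function auditIntrinsics(target, names) {
  const findings = [];
  for (const name of names) {
    const desc = Reflect.getOwnPropertyDescriptor(target, name);
    if (!desc) continue; // intrinsic not present in this environment
    if (desc.configurable || desc.writable) {
      findings.push(`${name}: binding is replaceable`);
    }
    const value = desc.value;
    const isObjectLike =
      (typeof value === 'object' && value !== null) || typeof value === 'function';
    if (isObjectLike && !Object.isFrozen(value)) {
      findings.push(`${name}: value is not frozen`);
    }
  }
  return findings;
}

// Manual fallback for a value that lockdown left unfrozen. This is shallow
// (the value plus its prototype); it is not SES's transitive harden().
function hardenManually(target, name) {
  const desc = Reflect.getOwnPropertyDescriptor(target, name);
  const value = desc.value;
  if (typeof value === 'function' && value.prototype) {
    Object.freeze(value.prototype);
  }
  Object.freeze(value);
  Object.defineProperty(target, name, {
    value, writable: false, configurable: false, enumerable: desc.enumerable,
  });
}

// Constructed sample: "Array" is fully locked, while "Symbol" has a locked
// binding but an unfrozen value, the condition the assertion above reports.
function makeSampleGlobal() {
  function FakeSymbol(description) { return { description }; }
  FakeSymbol.iterator = 'sample.iterator';
  const locked = { writable: false, configurable: false, enumerable: false };
  const sample = {};
  Object.defineProperty(sample, 'Array', { ...locked, value: Object.freeze(function FakeArray() {}) });
  Object.defineProperty(sample, 'Symbol', { ...locked, value: FakeSymbol });
  return sample;
}
```

Running `auditIntrinsics` over the sample before and after `hardenManually(sample, 'Symbol')` shows the single finding disappear.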

Member

@Gudahtt Gudahtt left a comment


LGTM!

@codecov

codecov bot commented Aug 14, 2023

Codecov Report

Merging #20434 (30c1057) into develop (e02f597) will not change coverage.
Report is 21 commits behind head on develop.
The diff coverage is n/a.

@@           Coverage Diff            @@
##           develop   #20434   +/-   ##
========================================
  Coverage    68.84%   68.84%           
========================================
  Files          993      993           
  Lines        38258    38258           
  Branches     10248    10248           
========================================
  Hits         26338    26338           
  Misses       11920    11920           

@metamaskbot
Collaborator

Builds ready [30c1057]
Page Load Metrics (1567 ± 54 ms)
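| Platform | Page | Metric | Min (ms) | Max (ms) | Average (ms) | StandardDeviation (ms) | MarginOfError (ms) |
|---|---|---|---|---|---|---|---|
| Chrome | Home | firstPaint | 113 | 199 | 139 | 25 | 12 |
| | | domContentLoaded | 1432 | 1827 | 1567 | 113 | 54 |
| | | load | 1432 | 1828 | 1567 | 113 | 54 |
| | | domInteractive | 1432 | 1827 | 1567 | 113 | 54 |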
Bundle size diffs [🚨 Warning! Bundle size has increased!]
  • background: 10 Bytes (0.00%)
  • ui: 0 Bytes (0.00%)
  • common: 0 Bytes (0.00%)

@Gudahtt Gudahtt merged commit e0a6435 into develop Aug 14, 2023
@Gudahtt Gudahtt deleted the fb/audit-bump-ses branch August 14, 2023 19:00
@github-actions github-actions bot locked and limited conversation to collaborators Aug 14, 2023
@metamaskbot metamaskbot added the release-10.36.0 Issue or pull request that will be included in release 10.36.0 label Aug 14, 2023
@Gudahtt Gudahtt added release-10.34.5 Issue or pull request that will be included in release 10.34.5 and removed release-10.36.0 Issue or pull request that will be included in release 10.36.0 labels Sep 19, 2023
Labels
release-10.34.5 Issue or pull request that will be included in release 10.34.5 team-extension-platform
7 participants