From bb391c2e5d1e3aa31edf030b76ce7a3eb31fa796 Mon Sep 17 00:00:00 2001
From: seaona <54408225+seaona@users.noreply.github.com>
Date: Fri, 7 Mar 2025 10:10:26 +0100
Subject: [PATCH] chore: fix trezor audit (#30850)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

<!--
Please submit this PR as a draft initially.
Do not mark it as "Ready for review" until the template has been
completely filled out, and PR status checks have passed at least once.
-->

## **Description**

We temporarily ignore the `'@trezor/connect-web` audit failure to
unblock ci, as upgrading to the new version breaks the webpack build.

```
└─ @trezor/connect-web
   ├─ ID: @trezor/connect-web (deprecation)
   ├─ Issue: This version is no longer supported
   ├─ Severity: moderate
   ├─ Vulnerable Versions: 9.4.7
   │
   ├─ Tree Versions
   │  └─ 9.4.7
   │
   └─ Dependents
      └─ metamask-crx@workspace:.
```

[This
issue](https://github.com/MetaMask/metamask-extension/issues/30851) is
created in order to upgrade to the latest version and remove the entry
from the ignore list.

[![Open in GitHub
Codespaces](https://github.com/codespaces/badge.svg)](https://codespaces.new/MetaMask/metamask-extension/pull/30850?quickstart=1)

## **Related issues**

Fixes:

## **Manual testing steps**

1. Check yarn audit gh action


## **Screenshots/Recordings**

### Before

![Screenshot from 2025-03-07
09-35-05](https://github.com/user-attachments/assets/04fe6b00-93c9-40e3-8b0b-aeb758015ba7)

### After

![Screenshot from 2025-03-07
09-40-00](https://github.com/user-attachments/assets/a895ccfa-8203-4c92-b0dd-61c567cd9f5a)


## **Pre-merge author checklist**

- [ ] I've followed [MetaMask Contributor
Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask
Extension Coding
Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md).
- [ ] I've completed the PR template to the best of my ability
- [ ] I’ve included tests if applicable
- [ ] I’ve documented my code using [JSDoc](https://jsdoc.app/) format
if applicable
- [ ] I’ve applied the right labels on the PR (see [labeling
guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)).
Not required for external contributors.

## **Pre-merge reviewer checklist**

- [ ] I've manually tested the PR (e.g. pull and build branch, run the
app, test code being changed).
- [ ] I confirm that this PR addresses all acceptance criteria described
in the ticket it closes and includes the necessary testing evidence such
as recordings and or screenshots.

---------

Co-authored-by: Frederik Bolding <frederik.bolding@gmail.com>
---
 .yarnrc.yml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/.yarnrc.yml b/.yarnrc.yml
index 8eea0010a657..27deee790900 100644
--- a/.yarnrc.yml
+++ b/.yarnrc.yml
@@ -126,6 +126,12 @@ npmAuditIgnoreAdvisories:
   # New package name format for new versions: @ethereumjs/wallet.
   - 'ethereumjs-wallet (deprecation)'
 
+  # The new trezor version breaks the webpack build due to issues with ESM and CommonJS
+  # Leading to this error on start: `Uncaught ReferenceError: exports is not defined`
+  # We temporarily ignore the audit failure until we can safely upgrade to the new version without breaking the webpack build
+  # Check Trezor 9.5.X Changelog for more info: https://github.com/trezor/trezor-suite/blob/develop/packages/connect/CHANGELOG.md
+  - '@trezor/connect-web (deprecation)'
+
 plugins:
   - path: .yarn/plugins/@yarnpkg/plugin-allow-scripts.cjs
     spec: 'https://raw.githubusercontent.com/LavaMoat/LavaMoat/main/packages/yarn-plugin-allow-scripts/bundles/@yarnpkg/plugin-allow-scripts.js'