
chore: Update yarn v1 to v3 #14800

Draft: wants to merge 202 commits into main

Conversation

@tommasini (Contributor) commented Apr 23, 2025

Description

This PR updates yarn v1 to yarn v3. React Native doesn't support PnP yet, so we still need to use node_modules.
This brings a couple of advantages, listed here.

This update is needed to fix resolution edge cases that we had in yarn v1.

  • The way to exclude npm audit advisories is now in .yarnrc.yml
  • There is no need for the yarn-improved-audit package anymore

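The two audit-related bullets in the description refer to configuration that, in Yarn 3, lives in the project's .yarnrc.yml. The file below is an added example and is not the PR's own .yarnrc.yml or any file from the MetaMask repository: it shows a minimal Yarn 3 configuration for a React Native app that keeps a real node_modules tree (no Plug'n'Play) and moves the advisory exclusions that yarn-improved-audit used to handle into Yarn's built-in audit settings (available from Yarn 3.1). The Yarn release filename, the excluded package name and the advisory ID are placeholders, not values taken from the PR.

```yaml
# Added example, not the PR's .yarnrc.yml. Yarn 3 ("berry") settings only.

# Pin the Yarn release committed to the repo so every developer and CI job
# runs the same binary. The filename is a placeholder.
yarnPath: .yarn/releases/yarn-3.x.cjs

# React Native does not support Plug'n'Play, so keep a real node_modules
# tree instead of the default PnP linker.
nodeLinker: node-modules

# Replacement for the yarn-improved-audit package: `yarn npm audit` honours
# these two lists natively, so accepted-risk advisories are declared here,
# under version control, instead of in a third-party tool's config.

# Packages whose advisories are excluded entirely (placeholder name).
# Use sparingly: this hides every current and future advisory for the package.
npmAuditExcludePackages:
  - "example-dev-only-tool"

# Individual advisory IDs to ignore (placeholder ID). Prefer this over
# excluding a whole package: it is scoped to one reviewed finding and keeps
# new advisories against the same package visible.
npmAuditIgnoreAdvisories:
  - "1234567"
```

With this file in place, `yarn npm audit --all --recursive` audits every workspace and its transitive dependencies and exits non-zero only for advisories that are not listed above, which is what makes it usable as a CI gate. The ignore list is an accepted-risk register, so each entry should carry a reviewer and a re-check date in the commit that adds it.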


socket-security bot commented Apr 23, 2025

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. Learn more about Socket for GitHub.

Action  Severity  Alert (click for details)
Block   Medium    npm/@metamask/[email protected] has Network access. Module: globalThis["fetch"]. Location: Package overview. Source: package.json, yarn.lock.
Block   Medium    npm/@metamask/[email protected] has Network access. Module: globalThis["fetch"]. Location: Package overview. Source: package.json, yarn.lock.
Block   Low       npm/@npmcli/[email protected] has a New author. New Author: npm-cli-ops. Previous Author: lukekarrys. Source: yarn.lock.
Block   Low       npm/[email protected] has a New author. New Author: wesleytodd. Previous Author: dougwilson. Source: yarn.lock.
Block   Low       npm/[email protected] has a New author. New Author: npm-cli-ops. Previous Author: lukekarrys. Source: yarn.lock.
Block   Low       npm/[email protected] has a New author. New Author: npm-cli-ops. Previous Author: lukekarrys. Source: yarn.lock.

Next steps: Take a moment to review the security alerts above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected].

Suggestion (Network access): Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Suggestion (New author): Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore an alert only in this pull request, reply with the comment for that package: @SocketSecurity ignore npm/@metamask/[email protected], @SocketSecurity ignore npm/@metamask/[email protected], @SocketSecurity ignore npm/@npmcli/[email protected], @SocketSecurity ignore npm/[email protected], @SocketSecurity ignore npm/[email protected], or @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

@Mrtenz (Member) commented Apr 23, 2025

Any reason to bump to v3 instead of v4 (latest)?

@tommasini tommasini mentioned this pull request Apr 23, 2025
@tommasini (Contributor, Author) commented

@Mrtenz Thank you so much for the amazing question!

I chose v3 to migrate from v1 just because it was the version announced by the React Native team in the highlights of React Native 0.74 for new projects!

Thanks to your comment I took a look at the yarn v4 breaking changes; I hadn't considered it until now. Do you have any strong thoughts on moving forward with it?

@tommasini tommasini marked this pull request as ready for review April 23, 2025 18:27
@tommasini tommasini requested review from a team as code owners April 23, 2025 18:27
@tommasini tommasini marked this pull request as draft April 23, 2025 18:28
Base automatically changed from upgrade/react-native/0.76.6 to main April 30, 2025 19:03
Labels
needs-dev-review PR needs reviews from other engineers (in order to receive required approvals) team-mobile-platform Mobile Platform team
Projects
Status: Needs dev review
5 participants