Skip to content

Fix yarn warnings from ticket#39

Closed
jeffsmale90 wants to merge 1 commit into
mainfrom
cursor/fix-yarn-warnings-from-ticket-5f5b
Closed

Fix yarn warnings from ticket#39
jeffsmale90 wants to merge 1 commit into
mainfrom
cursor/fix-yarn-warnings-from-ticket-5f5b

Conversation

@jeffsmale90

@jeffsmale90 jeffsmale90 commented Jul 23, 2025

Copy link
Copy Markdown
Collaborator

📝 Description

This PR addresses various Yarn warnings by updating dependency versions and adding missing development dependencies across the project packages.

🔄 What Changed?

  • Updated @types/node to ^20.19.0 to satisfy vitest requirements.
  • Adjusted eslint-plugin-import to ~2.26.0 as required by @metamask/eslint-config.
  • Adjusted eslint-plugin-prettier to ^4.2.1 as required by @metamask/eslint-config.
  • Adjusted prettier to ^2.7.1 as required by @metamask/eslint-config.
  • Updated typescript to ^5.4.0 to resolve version conflicts.
  • Added missing ESLint plugins (eslint-config-prettier, eslint-plugin-import, eslint-plugin-jsdoc, eslint-plugin-n, eslint-plugin-prettier, eslint-plugin-promise) and prettier as devDependencies to packages/delegation-toolkit/package.json.
  • Added prettier and updated typescript in packages/delegation-abis/package.json, packages/delegation-core/package.json, and packages/delegation-deployments/package.json.

🚀 Why?

  • To resolve persistent Yarn warnings, improving the developer experience and build cleanliness.
  • To ensure compatibility between various project dependencies, particularly ESLint configurations and TypeScript versions.
  • To maintain project stability by addressing dependency conflicts identified in the original issue.

🧪 How to Test?

  • Manual testing steps:
    1. Clone the branch.
    2. Run yarn in the root directory.
    3. Verify that the number of warnings is significantly reduced, specifically the ones related to eslint-plugin-import, eslint-plugin-prettier, @types/node, and typescript.
    4. Ensure the project builds successfully.
  • Automated tests added/updated
  • All existing tests pass

⚠️ Breaking Changes

  • No breaking changes
  • Breaking changes (describe below):

📋 Checklist

  • Code follows the project's coding standards
  • Self-review completed
  • Documentation updated (if needed)
  • Tests added/updated
  • Changelog updated (if needed)
  • All CI checks pass

🔗 Related Issues

Closes #1

📚 Additional Notes

Two warnings remain due to external package requirements not present in the original issue:

  • prettier: 2.8.8, but @metamask/create-release-branch requires >=3.0.0
  • typescript: 5.8.3, but @metamask/eslint-config-typescript requests ~4.8.4 || ~5.0.0 || ~5.1.0 (this is a resolution issue where Yarn resolves ^5.4.0 to 5.8.3).
    These remaining warnings represent a trade-off to maintain compatibility with the current @metamask/eslint-config versions while addressing the core issues.

Open in WebOpen in Cursor

Co-authored-by: jeff.smale <jeff.smale@consensys.net>
@jeffsmale90 jeffsmale90 requested a review from a team as a code owner July 23, 2025 02:33
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Added@​unrs/​resolver-binding-android-arm-eabi@​1.11.11001003790100
Added@​unrs/​resolver-binding-android-arm64@​1.11.11001003790100
Added@​unrs/​resolver-binding-darwin-arm64@​1.11.11001003794100
Added@​unrs/​resolver-binding-darwin-x64@​1.11.11001003794100
Added@​unrs/​resolver-binding-freebsd-x64@​1.11.11001003794100
Added@​unrs/​resolver-binding-linux-arm-gnueabihf@​1.11.11001003794100
Added@​unrs/​resolver-binding-linux-arm-musleabihf@​1.11.11001003794100
Added@​unrs/​resolver-binding-linux-arm64-gnu@​1.11.11001003794100
Added@​unrs/​resolver-binding-linux-arm64-musl@​1.11.11001003794100
Added@​unrs/​resolver-binding-linux-ppc64-gnu@​1.11.11001003794100
Added@​unrs/​resolver-binding-linux-riscv64-gnu@​1.11.11001003794100
Added@​unrs/​resolver-binding-linux-riscv64-musl@​1.11.11001003793100
Added@​unrs/​resolver-binding-linux-s390x-gnu@​1.11.11001003794100
Added@​unrs/​resolver-binding-linux-x64-gnu@​1.11.11001003794100
Added@​unrs/​resolver-binding-linux-x64-musl@​1.11.11001003794100
Added@​unrs/​resolver-binding-win32-arm64-msvc@​1.11.11001003794100
Added@​unrs/​resolver-binding-win32-ia32-msvc@​1.11.11001003794100
Added@​unrs/​resolver-binding-win32-x64-msvc@​1.11.11001003794100
Addedhas@​1.0.4671006251100
Updatedarray-buffer-byte-length@​1.0.1 ⏵ 1.0.26710076 -151100
Addedwhich-collection@​1.0.2671008851100
Addedis-set@​2.0.3671008251100
Addedis-weakmap@​2.0.2671008251100
Addedis-map@​2.0.3671008351100
Updatedtyped-array-buffer@​1.0.2 ⏵ 1.0.36610077 -151100
Updatedunbox-primitive@​1.0.2 ⏵ 1.1.06610081 +151100
Updatedget-symbol-description@​1.0.2 ⏵ 1.1.06710079 +151100
Updatedis-date-object@​1.0.5 ⏵ 1.1.06710081 +151100
Updatedsafe-regex-test@​1.0.3 ⏵ 1.1.06710079 +251100
Updatedarraybuffer.prototype.slice@​1.0.3 ⏵ 1.0.466 +11008751100
Updatedis-shared-array-buffer@​1.0.3 ⏵ 1.0.4671008351100
Updatedarray.prototype.flat@​1.3.2 ⏵ 1.3.3671009152100
Updatedis-bigint@​1.0.4 ⏵ 1.1.0671007952100
See 68 more rows in the dashboard

View full report

@socket-security

Copy link
Copy Markdown

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action Severity Alert (click for details)
Block Medium
@emnapi/core@1.4.5 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: yarn.locknpm/@emnapi/core@1.4.5

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@emnapi/core@1.4.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
@tybys/wasm-util@0.10.0 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: yarn.locknpm/@tybys/wasm-util@0.10.0

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@tybys/wasm-util@0.10.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
@unrs/resolver-binding-wasm32-wasi@1.11.1 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: yarn.locknpm/@unrs/resolver-binding-wasm32-wasi@1.11.1

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@unrs/resolver-binding-wasm32-wasi@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
napi-postinstall@0.3.2 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: yarn.locknpm/napi-postinstall@0.3.2

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/napi-postinstall@0.3.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
prettier@3.6.2 has Network access.

Module: globalThis["fetch"]

Location: Package overview

From: ?npm/prettier@3.6.2

ℹ Read more on: This package | This alert | What is network access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/prettier@3.6.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Medium
unrs-resolver@1.11.1 has Shell access.

Module: child_process

Location: Package overview

From: yarn.locknpm/unrs-resolver@1.11.1

ℹ Read more on: This package | This alert | What is shell access?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/unrs-resolver@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Block Low
async-function@1.0.0 has a New author.

New Author: ljharb

Previous Author: eduardorfs

From: yarn.locknpm/async-function@1.0.0

ℹ Read more on: This package | This alert | What is new author?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Scrutinize new collaborator additions to packages because they now have the ability to publish code into your dependency tree. Packages should avoid frequent or unnecessary additions or changes to publishing rights.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/async-function@1.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn Medium
unrs-resolver@1.11.1 has Install scripts.

Install script: postinstall

Source: napi-postinstall unrs-resolver 1.11.1 check

From: yarn.locknpm/unrs-resolver@1.11.1

ℹ Read more on: This package | This alert | What is an install script?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/unrs-resolver@1.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@jeffsmale90 jeffsmale90 marked this pull request as draft July 23, 2025 03:32
Comment thread package.json
"keccak": "^3.0.4",
"nodemon": "^3.1.0",
"prettier": "^3.3.3",
"prettier": "^2.7.1",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One question: why do we need to specify the "prettier" version here if we also specify the same version on every package? Shouldn't they get the "prettier" version from this parent package.json?

@jeffsmale90 jeffsmale90 closed this Oct 7, 2025
@jeffsmale90 jeffsmale90 deleted the cursor/fix-yarn-warnings-from-ticket-5f5b branch October 7, 2025 01:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Resolve yarn warnings

3 participants