From b1e173a6e731dadbff27960104a693d147cc25d5 Mon Sep 17 00:00:00 2001 
From: Michele Esposito <34438276+mikesposito@users.noreply.github.com> Date: Wed, 4 Dec 2024 22:05:47 +0100 Subject: [PATCH] chore: force `@solana/web3.js` version resolution (#28926) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ## **Description** Due to this [Advisory](https://github.com/advisories/GHSA-2mhj-xmf4-pr8m), this PR forces the resolution of the affected package version to the current one (unaffected), avoiding unintentional updates to affected versions [![Open in GitHub Codespaces](https://github.com/codespaces/badge.svg)](https://codespaces.new/MetaMask/metamask-extension/pull/28926?quickstart=1) ## **Related issues** Fixes: ## **Manual testing steps** N/A ## **Screenshots/Recordings** ### **Before** ### **After** ## **Pre-merge author checklist** - [ ] I've followed [MetaMask Contributor Docs](https://github.com/MetaMask/contributor-docs) and [MetaMask Extension Coding Standards](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/CODING_GUIDELINES.md). - [ ] I've completed the PR template to the best of my ability - [ ] I’ve included tests if applicable - [ ] I’ve documented my code using [JSDoc](https://jsdoc.app/) format if applicable - [ ] I’ve applied the right labels on the PR (see [labeling guidelines](https://github.com/MetaMask/metamask-extension/blob/main/.github/guidelines/LABELING_GUIDELINES.md)). Not required for external contributors. ## **Pre-merge reviewer checklist** - [ ] I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed). - [ ] I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots. --------- Co-authored-by: Dan J Miller --- .yarnrc.yml | 8 ++++++++ package.json | 3 ++- yarn.lock | 8 ++++---- 3 files changed, 14 insertions(+), 5 deletions(-) 
diff --git a/.yarnrc.yml b/.yarnrc.yml
index 8e12d8037c6a..652a13c3c19c 100644
--- a/.yarnrc.yml
+++ b/.yarnrc.yml
@@ -43,6 +43,14 @@ npmAuditIgnoreAdvisories: # not appear to be used. - 1092461 + # Issue: Malware in @solana/web3.js + # URL: https://github.com/advisories/GHSA-2mhj-xmf4-pr8m + # we patched this to ensure the vulnerable versions are not included, but the advisory + # was mistakenly originally created to flag all versions as vulnerable + - 1101059 + + + # Temp fix for https://github.com/MetaMask/metamask-extension/pull/16920 for the sake of 11.7.1 hotfix # This will be removed in this ticket https://github.com/MetaMask/metamask-extension/issues/22299 - 'ts-custom-error (deprecation)'
diff --git a/package.json b/package.json
index 3190f5deb970..1b30892f9616 100644
--- a/package.json
+++ b/package.json
@@ -252,7 +252,8 @@ "@ledgerhq/hw-app-eth/axios": "^0.28.0", "@ledgerhq/hw-app-eth@npm:^6.39.0": "patch:@ledgerhq/hw-app-eth@npm%3A6.39.0#~/.yarn/patches/@ledgerhq-hw-app-eth-npm-6.39.0-866309bbbe.patch", "@ledgerhq/evm-tools@npm:^1.2.3": "patch:@ledgerhq/evm-tools@npm%3A1.2.3#~/.yarn/patches/@ledgerhq-evm-tools-npm-1.2.3-414f44baa9.patch", - "cross-spawn@npm:^5.0.1": "^7.0.5" + "cross-spawn@npm:^5.0.1": "^7.0.5", + "@solana/web3.js@npm:^1.95.0": "^1.95.8" }, "dependencies": { "@babel/runtime": "patch:@babel/runtime@npm%3A7.25.9#~/.yarn/patches/@babel-runtime-npm-7.25.9-fe8c62510a.patch",
diff --git a/yarn.lock b/yarn.lock
index 222d18e5dcb6..57ecfaef99be 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -8125,9 +8125,9 @@ __metadata: languageName: node linkType: hard -"@solana/web3.js@npm:^1.95.0": - version: 1.95.4 - resolution: "@solana/web3.js@npm:1.95.4" +"@solana/web3.js@npm:^1.95.8": + version: 1.95.8 + resolution: "@solana/web3.js@npm:1.95.8" dependencies: "@babel/runtime": "npm:^7.25.0" "@noble/curves": "npm:^1.4.2"
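Review bot: The new `- 1101059` entry under `npmAuditIgnoreAdvisories` in .yarnrc.yml silences this advisory for every resolved version, as I read the setting. Once merged, the audit would no longer flag `@solana/web3.js` even if a later lockfile change pulled in a release the advisory really covers. The comment explains why the ignore was added but not when it can be dropped; I would add `# Remove once the advisory's affected range is corrected upstream; until then the package.json resolution is the only guard.` above the id. The comment also says "vulnerable versions" although its first line describes malware, so "compromised versions" would be more accurate. The hunk also appears to add several blank lines after the entry, where one is probably enough.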
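Review bot: The added package.json entry `"@solana/web3.js@npm:^1.95.0": "^1.95.8"` rewrites only the `^1.95.0` descriptor and maps it to another caret range, which is narrower than the "force" in the commit title suggests. A dependent that requests the package through a different range would not be redirected (whether one exists is not visible in this hunk), and on a lockfile regeneration the caret can still float to any later 1.x release. If the intent is to hold one known-good release, an unscoped exact pin says so directly: `"@solana/web3.js": "1.95.8"`. The enclosing object (presumably `resolutions`) begins outside the hunk.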
@@ -8144,7 +8144,7 @@ __metadata: node-fetch: "npm:^2.7.0" rpc-websockets: "npm:^9.0.2" superstruct: "npm:^2.0.2" - checksum: 10/353e04ac1110035ff108f16af4029c7a98f71cce841d45877c9bc4a354cdc58a051681603c92289b81e3dc5ef6b1567c6f866e4ba56a434db145e38a5a41d276 + checksum: 10/25fb38f46f4ba47019f17f686219a75f821455737bbf1153deb8b3f1141c3996c1ac0dc8603bbac50cd04f61058e472772d866aa38d01aef4e1609e53e442075 languageName: node linkType: hard