Merge dependabot security PRs

[mikesposito]

There are several PR related to security vulnerabilities from dependabot in repos owned by Wallet Framework (for full list, see https://github.com/MetaMask/MetaMask-planning/issues/3540).

In some cases, we should also prioritize release and update of affected packages in their consumers in order to mitigate the security issues, based on their EPSS value.

When to release the package

• if EPSS is >= 1% then release the package and deliver to clients
• if EPSS is < 1%
  • if the package is released (and delivered to clients) frequently then just merge the dependabot PR
  • if the package is rarely updated, release and deliver to (at least) other packages that are released more frequently, or to clients if it makes sense

To get the EPSS value

• Go to the alert related to the PR (e.g. https://github.com/MetaMask/actions-gh-pages-test-repo/security/dependabot/64)
• Click on See advisory in GitHub Advisory Database
• See EPSS right below GHSA ID

For packages we are in process of archiving
For affected packages that are in the process of being abandoned/archived, we should make sure that the related vulnerabilities have been mitigated on clients before ignoring the dependabot PR.

PR List

• Bump @babel/traverse from 7.11.5 to 7.25.9 in the npm_and_yarn group actions-gh-pages-test-repo#118
• build(deps): bump the npm_and_yarn group across 1 directory with 11 updates ethjs-unit#22
  • https://github.com/MetaMask/ethjs-unit/security/dependabot/6
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-unit/security/dependabot/10
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-unit/security/dependabot/14
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-unit/security/dependabot/21
    • Extension is using a patched version
    • Mobile is using a patched version
  • elliptic package (patched version 6.6.0):
    • https://github.com/MetaMask/ethjs-unit/security/dependabot/5
    • https://github.com/MetaMask/ethjs-unit/security/dependabot/7
    • https://github.com/MetaMask/ethjs-unit/security/dependabot/36
    • https://github.com/MetaMask/ethjs-unit/security/dependabot/32
    • https://github.com/MetaMask/ethjs-unit/security/dependabot/25
    • https://github.com/MetaMask/ethjs-unit/security/dependabot/24
    • https://github.com/MetaMask/ethjs-unit/security/dependabot/23
      • Extension is using a patched version
      • Mobile is using a patched version
        • chore(deps): bump elliptic to ^6.6.0 metamask-mobile#12979
  • https://github.com/MetaMask/ethjs-unit/security/dependabot/13
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-unit/security/dependabot/11
    • Extension is using a patched version
    • Mobile is using a patched version
• Bump braces from 3.0.2 to 3.0.3 in the npm_and_yarn group swappable-obj-proxy#61
  • 2.3.0 swappable-obj-proxy#73
  • Core packages already use the patched version of braces
• build(deps): bump the npm_and_yarn group across 1 directory with 7 updates ethjs-filter#14
  • https://github.com/MetaMask/ethjs-filter/security/dependabot/5
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-filter/security/dependabot/11
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-filter/security/dependabot/13
    • Extension is using a patched version
    • Mobile is using a patched version
• Bump the npm_and_yarn group across 1 directory with 9 updates ethjs-util#25
  • https://github.com/MetaMask/ethjs-util/security/dependabot/22
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-util/security/dependabot/16
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-util/security/dependabot/13
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-util/security/dependabot/24
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-util/security/dependabot/20
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-util/security/dependabot/15
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-util/security/dependabot/10
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-util/security/dependabot/9
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-util/security/dependabot/8
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-util/security/dependabot/5
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-util/security/dependabot/1
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-util/security/dependabot/11
    • Extension is using a patched version
    • Mobile is using a patched version
• build(deps): bump the npm_and_yarn group across 1 directory with 7 updates ethjs#32
  • https://github.com/MetaMask/ethjs/security/dependabot/71
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs/security/dependabot/77
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs/security/dependabot/59
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs/security/dependabot/7
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs/security/dependabot/75
    • Extension is using a patched version
    • Mobile is using a patched version
• build(deps): bump the npm_and_yarn group across 1 directory with 9 updates ethjs-contract#25
  • https://github.com/MetaMask/ethjs-contract/security/dependabot/33
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-contract/security/dependabot/20
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-contract/security/dependabot/16
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-contract/security/dependabot/38
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-contract/security/dependabot/30
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-contract/security/dependabot/18
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-contract/security/dependabot/12
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-contract/security/dependabot/11
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-contract/security/dependabot/10
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-contract/security/dependabot/5
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-contract/security/dependabot/35
    • Extension is using a patched version
    • Mobile is using a patched version
• Bump the npm_and_yarn group across 1 directory with 9 updates ethjs-format#15
  • https://github.com/MetaMask/ethjs-format/security/dependabot/23
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-format/security/dependabot/16
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-format/security/dependabot/13
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-format/security/dependabot/25
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-format/security/dependabot/20
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-format/security/dependabot/15
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-format/security/dependabot/10
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-format/security/dependabot/9
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-format/security/dependabot/8
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-format/security/dependabot/5
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-format/security/dependabot/11
    • Extension is using a patched version
    • Mobile is using a patched version
• build(deps): bump the npm_and_yarn group across 1 directory with 13 updates ethjs-provider-http#25
  • https://github.com/MetaMask/ethjs-provider-http/security/dependabot/15
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-provider-http/security/dependabot/1
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-provider-http/security/dependabot/22
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-provider-http/security/dependabot/17
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-provider-http/security/dependabot/6
    • Extension is using a patched version
    • Mobile is using a patched version
• Bump the npm_and_yarn group across 1 directory with 6 updates ethjs-query#54
  • https://github.com/MetaMask/ethjs-query/security/dependabot/81
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-query/security/dependabot/64
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-query/security/dependabot/75
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/ethjs-query/security/dependabot/77
    • Extension is using a patched version
    • Mobile is using a patched version
• (Mitigated on clients) build(deps): bump the npm_and_yarn group across 1 directory with 6 updates number-to-bn#24
  • https://github.com/MetaMask/number-to-bn/security/dependabot/75
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/number-to-bn/security/dependabot/24
    • Extension is using a patched version
    • Mobile is using a patched version
  • https://github.com/MetaMask/number-to-bn/security/dependabot/57
    • Extension is using a patched version
    • Mobile is using a patched version
• Bump the npm_and_yarn group across 2 directories with 2 updates oss-attribution-generator#32