chore: Update yarn.lock to remove inflight from application dependency tree #24737

Merged
danjm merged 4 commits into develop from fix-yarn-audit-inflight
May 23, 2024

Conversation

Contributor

@danjm danjm commented May 23, 2024

Description

We have a yarn audit failure on develop due to the package inflight which is used by the package glob. While glob is a dependency of many of our dev dependencies, it is only causing an audit failure because it is a dependency of a package ultimately imported by trezor:

danjm@pop-os:~/metamask/metamask-extension$ yarn why -R inflight
└─ metamask-crx@workspace:.
   ├─ @metamask/eth-trezor-keyring@npm:3.1.0 (via npm:^3.1.0)
   │  └─ @trezor/connect-web@npm:9.2.2 [42492] (via npm:^9.1.11 [42492])
   │     ├─ @trezor/connect@npm:9.2.2 [d8f53] (via npm:9.2.2 [d8f53])
   │     │  ├─ @trezor/connect-analytics@npm:1.0.14 [bb3a7] (via npm:1.0.14 [bb3a7])
   │     │  │  └─ @trezor/analytics@npm:1.0.16 [bc8f6] (via npm:1.0.16 [bc8f6])
   │     │  │     └─ @trezor/env-utils@npm:1.0.15 [342f9] (via npm:1.0.15 [342f9])
   │     │  │        └─ expo-constants@npm:15.4.5 [20ef0] (via npm:15.4.5 [20ef0])
   │     │  │           └─ @expo/config@npm:8.5.6 (via npm:~8.5.0)
   │     │  │              ├─ @expo/config-plugins@npm:7.9.2 (via npm:~7.9.0)
   │     │  │              │  └─ glob@npm:7.1.6 (via npm:7.1.6)
   │     │  │              │     └─ inflight@npm:1.0.6 (via npm:^1.0.4)
   │     │  │              ├─ glob@npm:7.1.6 (via npm:7.1.6)
   │     │  │              └─ sucrase@npm:3.34.0 (via npm:3.34.0)
   │     │  │                 └─ glob@npm:7.1.6 (via npm:7.1.6)

However, expo-constants is not actually used in our application code. Its inclusion in our dependency tree is due to some problem in how the trezor packages are built (which we also should probably investigate, but that can be done separately).

To solve the audit failure, this PR edits yarn.lock to resolve the instances of glob under @expo/config to a version that does not use inflight.

Update: as per the below suggestion, instead of directly editing the yarn.lock file, this PR now adds resolutions to resolve the instances of glob under @expo/config to a version that does not use inflight.


Manual testing steps

yarn audit should pass

Pre-merge author checklist

  • I’ve followed MetaMask Coding Standards.
  • I've completed the PR template to the best of my ability
  • I’ve included tests if applicable
  • I’ve documented my code using JSDoc format if applicable
  • I’ve applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

  • I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
  • I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

@danjm danjm requested a review from a team as a code owner May 23, 2024 08:59
@github-actions
Contributor

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

@danjm danjm changed the title Update yarn.lock to remove inflight from application dependency tree chore: Update yarn.lock to remove inflight from application dependency tree May 23, 2024
@danjm danjm added the team-extension-platform Extension Platform team label May 23, 2024
Contributor

legobeat commented May 23, 2024

@danjm The canonical way to address this would be through resolutions in package.json to avoid inadvertent revert of these down the line.

Also, picking v10 introduces less new unused deps.

Adding the following lines followed by a yarn dedupe should do it:

    "sucrase@npm:3.34.0": "^3.35.0",
    "@expo/config/glob": "^10.3.10",
    "@expo/config-plugins/glob": "^10.3.10",
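As an added example that is not part of this PR or of the MetaMask code base: the script below reproduces offline what the `yarn why -R inflight` tree in the description shows and what the resolutions suggested in the comment above change. It parses a Yarn Berry (v2+) lockfile into a dependency graph, walks it in reverse from every `inflight` locator up to the workspace root, then applies a simplified model of package.json resolutions and repeats the walk. The lockfile text is constructed: it keeps the `@expo/config` > `glob@7.1.6` > `inflight` chain from the description but collapses the trezor/expo hops above `@expo/config` and the `@expo/config-plugins` hop (so that resolution key matches nothing here), omits fields the parser does not read, and uses illustrative `glob@npm:10.3.12` and `sucrase@npm:3.35.0` entries rather than registry data. The resolution matching covers only the key forms used in this thread; Yarn's real rules also accept ranges on the parent.

```javascript
// Added example, not MetaMask code: rebuilds `yarn why -R <pkg>` from a Yarn Berry (v2+)
// lockfile and checks that package.json "resolutions" leave no path from a workspace to a
// banned package. LOCK is CONSTRUCTED from the PR's chain with the trezor/expo hops
// collapsed; unread fields (version, checksum, ...) are omitted and the glob@10 and
// sucrase@3.35 entries are illustrative stand-ins, not registry data.
const LOCK = `
"metamask-crx@workspace:.":
  resolution: "metamask-crx@workspace:."
  dependencies:
    "@expo/config": "npm:~8.5.0"
"@expo/config@npm:~8.5.0":
  resolution: "@expo/config@npm:8.5.6"
  dependencies:
    glob: "npm:7.1.6"
    sucrase: "npm:3.34.0"
"sucrase@npm:3.34.0":
  resolution: "sucrase@npm:3.34.0"
  dependencies:
    glob: "npm:7.1.6"
"glob@npm:7.1.6":
  resolution: "glob@npm:7.1.6"
  dependencies:
    inflight: "npm:^1.0.4"
"inflight@npm:^1.0.4":
  resolution: "inflight@npm:1.0.6"
"glob@npm:^10.3.10":
  resolution: "glob@npm:10.3.12"
"sucrase@npm:^3.35.0":
  resolution: "sucrase@npm:3.35.0"
  dependencies:
    glob: "npm:^10.3.10"
`;

const unq = (s) => s.replace(/^"|"$/g, '');
// "glob@npm:7.1.6" -> ["glob", "npm:7.1.6"]; "@expo/config" -> ["@expo/config", null]
const splitDesc = (d) => { const i = d.lastIndexOf('@'); return i > 0 ? [d.slice(0, i), d.slice(i + 1)] : [d, null]; };

// Parse the lockfile into descriptor -> locator and locator -> Map(depName -> range).
function parseLock(text) {
  const byDescriptor = new Map(), deps = new Map(), entries = [];
  let cur, inDeps = false;
  for (const raw of text.split('\n')) {
    const line = raw.trim(), indent = raw.length - raw.trimStart().length;
    if (!line) continue;
    if (indent === 0) {                  // entry header, e.g. `"glob@npm:7.1.6, glob@npm:^7.1.3":`
      entries.push(cur = { descs: unq(line.slice(0, -1)).split(',').map((d) => d.trim()), deps: new Map() });
      inDeps = false;
    } else if (indent === 2) {           // entry field; only `resolution:` and `dependencies:` are read
      inDeps = line === 'dependencies:';
      if (line.startsWith('resolution:')) cur.locator = unq(line.slice(11).trim());
    } else if (indent === 4 && inDeps) { // `name: "range"` under dependencies:
      const [name, range] = line.split(/:\s+/, 2);
      cur.deps.set(unq(name), unq(range));
    }
  }
  for (const e of entries.filter((e) => e.locator)) {
    e.descs.forEach((d) => byDescriptor.set(d, e.locator));
    deps.set(e.locator, e.deps);
  }
  return { byDescriptor, deps };
}

// Chains from each workspace down to every locator named pkgName, the content of `yarn why -R`.
function whyReverse(lock, pkgName) {
  const parents = new Map();             // child locator -> locators that depend on it
  for (const [loc, d] of lock.deps) for (const [name, range] of d) {
    const child = lock.byDescriptor.get(`${name}@${range}`);
    if (!child) throw new Error(`${name}@${range} is not in the lockfile; run yarn install`);
    parents.set(child, [...(parents.get(child) || []), loc]);
  }
  const chains = [], walk = (loc, path) => {
    const ps = parents.get(loc) || [];   // orphaned entries (no parent, not a workspace) produce nothing
    if (!ps.length) return loc.includes('@workspace:') && chains.push([loc, ...path].join(' > '));
    for (const p of ps) if (!path.includes(p)) walk(p, [loc, ...path]);
  };
  for (const loc of lock.deps.keys()) if (splitDesc(loc)[0] === pkgName) walk(loc, []);
  return chains;
}

// Simplified model of "resolutions" keys: "<dep>", "<dep>@<range>" (exact declared descriptor)
// and "<parent>/<dep>" (any version of <parent>); ranges on the parent are not modelled.
function applyResolutions(lock, resolutions) {
  const deps = new Map([...lock.deps].map(([loc, d]) => [loc, new Map(d)])); // copy, keep input intact
  for (const [key, value] of Object.entries(resolutions)) {
    const parts = key.split('/'), n = key.startsWith('@') ? 2 : 1;           // a scoped parent spans two segments
    const parent = parts.length > n ? parts.slice(0, n).join('/') : null;
    const [depName, depRange] = splitDesc(parts.slice(parent ? n : 0).join('/'));
    for (const [loc, d] of deps) {
      if (parent && splitDesc(loc)[0] !== parent) continue;
      const range = d.get(depName);
      if (range === undefined || (depRange && range !== depRange)) continue;
      d.set(depName, value.includes(':') ? value : `npm:${value}`);         // "^10.3.10" -> "npm:^10.3.10"
    }
  }
  return { byDescriptor: lock.byDescriptor, deps };
}

const RESOLUTIONS = {   // the three lines suggested in the review comment above, verbatim
  'sucrase@npm:3.34.0': '^3.35.0', '@expo/config/glob': '^10.3.10', '@expo/config-plugins/glob': '^10.3.10',
};

const fixed = applyResolutions(parseLock(LOCK), RESOLUTIONS);
console.log(whyReverse(parseLock(LOCK), 'inflight'), whyReverse(fixed, 'inflight'));
```

Run with `node`: the first array lists the two chains that make `yarn audit` fail, the second is empty. If a resolution points at a range that has no lockfile entry, `whyReverse` throws, which is the offline counterpart of having to regenerate yarn.lock with `yarn install` or `yarn dedupe` after editing resolutions. A CI step that fails when `whyReverse(lock, 'inflight')` is non-empty is the check that catches the inadvertent revert the comment above warns about.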

@metamaskbot
Collaborator

Builds ready [2dd5b34]
Page Load Metrics (980 ± 543 ms)
Platform  Page  Metric            Min (ms)  Max (ms)  Average (ms)  StandardDeviation (ms)  MarginOfError (ms)
Chrome    Home  firstPaint              71       149            95                      23                  11
Chrome    Home  domContentLoaded         9        36            13                       6                   3
Chrome    Home  load                    59      3011           980                    1131                 543
Chrome    Home  domInteractive           9        36            13                       6                   3
Bundle size diffs
  • background: 0 Bytes (0.00%)
  • ui: 0 Bytes (0.00%)
  • common: 0 Bytes (0.00%)

@metamaskbot metamaskbot added the INVALID-PR-TEMPLATE PR's body doesn't match template label May 23, 2024
@danjm
Contributor Author

danjm commented May 23, 2024

Thanks @legobeat, I can update to match your suggestions

DDDDDanica previously approved these changes May 23, 2024
@socket-security

socket-security bot commented May 23, 2024

New and removed dependencies detected. Learn more about Socket for GitHub

Package             New capabilities               Transitives  Size     Publisher
npm/sucrase@3.35.0  Transitive: filesystem, shell  +1           1.23 MB  alangpierce


@danjm danjm merged commit fb1c65b into develop May 23, 2024
@danjm danjm deleted the fix-yarn-audit-inflight branch May 23, 2024 11:09
@github-actions github-actions bot locked and limited conversation to collaborators May 23, 2024
@metamaskbot
Collaborator

Builds ready [504fcfb]
Page Load Metrics (919 ± 558 ms)
Platform  Page  Metric            Min (ms)  Max (ms)  Average (ms)  StandardDeviation (ms)  MarginOfError (ms)
Chrome    Home  firstPaint              71       173           103                      32                  15
Chrome    Home  domContentLoaded         9        60            17                      12                   6
Chrome    Home  load                    58      2896           919                    1162                 558
Chrome    Home  domInteractive           9        60            17                      12                   6
Bundle size diffs
  • background: 0 Bytes (0.00%)
  • ui: 0 Bytes (0.00%)
  • common: 0 Bytes (0.00%)

@metamaskbot metamaskbot added release-11.16.6 Issue or pull request that will be included in release 11.16.6 and removed release-11.18.0 labels Jun 4, 2024
@metamaskbot
Collaborator

Missing release label release-11.16.6 on PR. Adding release label release-11.16.6 on PR and removing other release labels(release-11.18.0), as PR was cherry-picked in branch 11.16.6.

Labels

INVALID-PR-TEMPLATE PR's body doesn't match template release-11.16.6 Issue or pull request that will be included in release 11.16.6 team-extension-platform Extension Platform team
