chore: ignore minimatch ReDoS advisory (GHSA-3ppc-4f35-3m26)

[cryptodev-2s]

Description

Adds minimatch advisory GHSA-3ppc-4f35-3m26 (ID 1113296) to npmAuditIgnoreAdvisories in .yarnrc.yml.

Reason: minimatch <10.2.1 has a high-severity ReDoS vulnerability via repeated wildcards with non-matching literals.

Why ignore: The vulnerable versions (3.1.2 via eslint-plugin-n, 10.1.1 via glob) are only used in dev/build-time dependencies and are not shipped to users.

Changelog

CHANGELOG entry: null

Related issues

Fixes:

Manual testing steps

1. Run yarn npm audit and verify advisory 1113296 no longer appears.

Screenshots/Recordings

Before

After

Pre-merge author checklist

• I've followed MetaMask Contributor Docs and MetaMask Extension Coding Standards.
• I've completed the PR template to the best of my ability
• I’ve included tests if applicable
• I’ve documented my code using JSDoc format if applicable
• I’ve applied the right labels on the PR (see labeling guidelines). Not required for external contributors.

Pre-merge reviewer checklist

• I've manually tested the PR (e.g. pull and build branch, run the app, test code being changed).
• I confirm that this PR addresses all acceptance criteria described in the ticket it closes and includes the necessary testing evidence such as recordings and or screenshots.

---

Note

Low Risk
Config-only change that affects audit reporting/CI noise, not runtime behavior. Risk is mainly that a real vulnerability could be overlooked if minimatch usage changes in the future.

Overview
Updates .yarnrc.yml to ignore npm audit advisory 1113296 for minimatch (GHSA-3ppc-4f35-3m26), with comments documenting that the ReDoS issue is only present in dev/build-time dependencies and not shipped to users.

^{Written by Cursor Bugbot for commit be18b6e. This will update automatically on new commits. Configure here.}

[github-actions]

CLA Signature Action: All authors have signed the CLA. You may need to manually re-run the blocking PR check if it doesn't pass in a few minutes.

[metamaskbotv2]

✨ Files requiring CODEOWNER review ✨

👨‍🔧 @MetaMask/extension-platform (1 files, +5 -0)

• 📄 .yarnrc.yml +5 -0

[metamaskbotv2]

Builds ready [be18b6e]

• builds: chrome, firefox
• builds (beta): chrome, firefox
• builds (flask): chrome, firefox
• builds (test): chrome, firefox
• builds (test-flask): chrome, firefox
• bundle size: Bundle Size Stats
• user-actions-benchmark: User Actions Stats
• storybook: Storybook
• typescript migration: Dashboard
• all artifacts
• bundle viz:

  • background: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9
  • common: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17
  • ui: 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20
  • content-script: 0
  • offscreen: 0

UI Startup Metrics (1426 ± 96 ms)

Platform	BuildType	Page	Metric	Mean (ms)	Min (ms)	Max (ms)	Std Dev (ms)	P 75 (ms)	P 95 (ms)
Chrome	Browserify	Standard Home	uiStartup	1426	1224	1655	96	1467	1628
			load	1227	1033	1482	89	1263	1398
			domContentLoaded	1218	1019	1452	87	1249	1373
			domInteractive	28	16	101	20	25	82
			firstPaint	154	70	1250	132	212	266
			backgroundConnect	258	235	411	22	261	298
			firstReactRender	18	11	37	4	19	25
			initialActions	1	0	7	1	1	2
			loadScripts	978	784	1205	85	1012	1132
			setupStore	13	7	28	5	16	21
			numNetworkReqs	31	22	91	20	22	86
	Browserify	Power User Home	uiStartup	2679	1438	10752	1729	2587	4668
			load	1261	1072	1804	160	1307	1645
			domContentLoaded	1242	1061	1790	153	1275	1614
			domInteractive	35	19	176	23	34	89
			firstPaint	218	82	1590	171	275	394
			backgroundConnect	902	304	8289	1326	556	2783
			firstReactRender	25	16	236	22	25	31
			initialActions	1	0	2	1	1	1
			loadScripts	977	819	1476	147	1002	1327
			setupStore	15	6	41	7	16	32
			numNetworkReqs	75	32	143	27	92	125
	Webpack	Standard Home	uiStartup	911	707	1198	107	985	1090
			load	774	628	1070	109	873	941
			domContentLoaded	767	624	1062	107	862	933
			domInteractive	30	18	143	22	25	83
			firstPaint	132	67	438	69	167	278
			backgroundConnect	30	19	73	10	36	50
			firstReactRender	19	12	42	6	20	33
			initialActions	1	0	4	1	1	2
			loadScripts	764	622	1060	106	860	925
			setupStore	12	6	34	5	13	23
			numNetworkReqs	31	22	89	19	25	84
	Webpack	Power User Home	uiStartup	1293	973	2011	168	1382	1588
			load	767	652	1181	116	775	1072
			domContentLoaded	755	646	1173	114	758	1060
			domInteractive	41	19	169	31	39	119
			firstPaint	159	72	1097	124	155	356
			backgroundConnect	177	131	401	53	185	294
			firstReactRender	24	17	40	4	26	31
			initialActions	1	0	5	1	1	1
			loadScripts	752	643	1165	111	756	1048
			setupStore	14	5	45	7	16	22
			numNetworkReqs	120	35	261	51	150	199
Firefox	Browserify	Standard Home	uiStartup	1711	1492	2660	209	1722	2089
			load	1444	1228	2337	177	1475	1688
			domContentLoaded	1443	1228	2337	177	1474	1688
			domInteractive	98	34	910	92	137	148
			firstPaint	-	-	-	-	-	-
			backgroundConnect	61	31	267	27	61	87
			firstReactRender	14	11	22	2	15	17
			initialActions	1	0	3	1	2	2
			loadScripts	1416	1203	2300	172	1446	1605
			setupStore	18	7	164	21	17	32
			numNetworkReqs	32	19	95	20	27	90
	Browserify	Power User Home	uiStartup	2894	2085	8043	681	3048	3790
			load	1625	1295	6683	568	1639	2133
			domContentLoaded	1625	1289	6683	568	1639	2132
			domInteractive	148	38	896	147	125	431
			firstPaint	-	-	-	-	-	-
			backgroundConnect	367	116	1155	263	492	877
			firstReactRender	19	15	77	8	19	26
			initialActions	2	1	4	1	2	2
			loadScripts	1581	1269	6571	557	1580	2092
			setupStore	131	8	779	166	170	433
			numNetworkReqs	74	31	231	38	87	146
	Webpack	Standard Home	uiStartup	1655	1387	3623	310	1657	2000
			load	1388	1176	3247	212	1412	1586
			domContentLoaded	1387	1172	3247	212	1412	1585
			domInteractive	115	31	1947	189	132	150
			firstPaint	-	-	-	-	-	-
			backgroundConnect	77	24	1914	188	65	160
			firstReactRender	16	11	69	7	16	25
			initialActions	1	0	3	0	1	2
			loadScripts	1360	1156	3231	206	1389	1502
			setupStore	20	7	149	24	16	48
			numNetworkReqs	31	20	93	19	27	84
	Webpack	Power User Home	uiStartup	2778	2028	4445	411	3003	3508
			load	1602	1311	3585	318	1671	2161
			domContentLoaded	1602	1311	3585	318	1665	2160
			domInteractive	170	35	877	190	142	682
			firstPaint	-	-	-	-	-	-
			backgroundConnect	398	125	1288	272	574	950
			firstReactRender	22	16	59	6	25	31
			initialActions	2	1	8	1	2	3
			loadScripts	1563	1293	3535	311	1598	2131
			setupStore	162	8	772	194	199	593
			numNetworkReqs	73	29	204	39	84	148

📊 Page Load Benchmark Results

Current Commit: be18b6e | Date: 2/19/2026

📄 Localhost MetaMask Test Dapp

Samples: 100

Summary

• pageLoadTime-> current mean value: 1.04s (±50ms) 🟡 | historical mean value: 1.03s ⬆️ (historical data)
• domContentLoaded-> current mean value: 731ms (±71ms) 🟢 | historical mean value: 726ms ⬆️ (historical data)
• firstContentfulPaint-> current mean value: 84ms (±49ms) 🟢 | historical mean value: 86ms ⬇️ (historical data)

📈 Detailed Results

Metric	Mean	Std Dev	Min	Max	P95	P99
pageLoadTime	1.04s	50ms	1.01s	1.44s	1.07s	1.44s
domContentLoaded	731ms	71ms	703ms	1.39s	758ms	1.39s
firstPaint	84ms	49ms	60ms	572ms	88ms	572ms
firstContentfulPaint	84ms	49ms	60ms	572ms	88ms	572ms
largestContentfulPaint	0ms	0ms	0ms	0ms	0ms	0ms

Bundle size diffs

• background: 58 Bytes (0%)
• ui: 5 Bytes (0%)
• common: 20 Bytes (0%)