Dependencies update

[seaona]

Context: when installing the npm packages using the Python version 3.11 , the command fails with the error nodejs/node-gyp#2219

What: this PR updates the dependencies in order to fix the error.

1. Update "@lavamoat/allow-scripts": "^2.0.3", using the same version from metamask-extension
2. Update configuration from packages using the command yarn allow-scripts auto
3. Update node version, to fix error The engine "node" is incompatible with this module. Expected version ">=14.0.0". Got "12.22.12"

test-dapp.webm

[socket-security]

New dependency changes detected. Learn more about Socket for GitHub ↗︎

---

🚨 Potential security issues found in this pull request. To accept the risk, merge this PR and you will not be notified again.

Bot Commands

To ignore an alert, reply with a comment starting with @SocketSecurity ignore followed by a space separated list of package-name@version specifiers. e.g. @SocketSecurity ignore [email protected] bar@* or ignore all packages with @SocketSecurity ignore-all

• @SocketSecurity ignore @lavamoat/[email protected]
• @SocketSecurity ignore @lavamoat/[email protected]

📜 Install scripts

Install scripts are run when the package is installed. The majority of malware in npm is hidden in install scripts.

Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Package	Script field	Source
@lavamoat/[email protected] (added)	preinstall	package.json via @lavamoat/[email protected]
@lavamoat/[email protected] (added)	preinstall	package.json via @lavamoat/[email protected]
@lavamoat/[email protected] (added)	preinstall	package.json via @lavamoat/[email protected]
@lavamoat/[email protected] (upgraded)	preinstall	package.json
@lavamoat/[email protected] (upgraded)	preinstall	package.json
@lavamoat/[email protected] (upgraded)	preinstall	package.json
@lavamoat/[email protected] (added)	preinstall	package.json via @lavamoat/[email protected]
@lavamoat/[email protected] (added)	preinstall	package.json via @lavamoat/[email protected]
@lavamoat/[email protected] (upgraded)	preinstall	package.json
@lavamoat/[email protected] (upgraded)	preinstall	package.json

Pull request alert summary

Issue	Status
Install scripts	⚠️ 10 issues
Native code	✅ 0 issues
Bin script shell injection	✅ 0 issues
Unresolved require	✅ 0 issues
Invalid package.json	✅ 0 issues
HTTP dependency	✅ 0 issues
Git dependency	✅ 0 issues
Potential typo squat	✅ 0 issues
Known Malware	✅ 0 issues
Telemetry	✅ 0 issues
Protestware/Troll package	✅ 0 issues

---

📊 Modified Dependency Overview:

⬆️ Updated Package	Version Diff	Added Capability Access	+/- Transitive Count	Publisher
@lavamoat/[email protected]	1.0.6...2.3.0	shell, environment	+7/-3	kumavis

[ritave]

Please update .nvmrc file to v14 as well

[ritave]

Suggested change

	node-version: [14.x, 16.x]
	node-version: [14.x, 16.x, 18.x]

[ritave]

Actually, just checked metamask-extension's .nvmrc, and it's set to v16, which is the minimal version we officially support for our packages.

Might as well upgrade to that one.

[Gudahtt]

If we're updating the minimum supported Node.js version, we should update the version of Node.js referenced in the README, in package.json, and in .nvmrc as well.

[seaona]

aw great catch! I've updated them @Gudahtt thank you!

[legobeat]

This breaks in nodejs v18 due to webpack/webpack#14532:

• Proper solution: upgrade to webpack 5. upgrade webpack plugins, webpack-dev-server, webpack-cli
• Temporary workaround 1: restrict engines.node to v16.x, disable v18 in ci
• Temporary workaround 2: use NODE_OPTIONS=--openssl-legacy-provider
  • As this is intended as a sample dapp, this is something I'd avoid
  • Note: I did not get the suggested output.hashFunction: 'xxhash64' working (it yields a different error message Digest not supported)

[Gudahtt]

I have resolved just the Node.js update in #225 to unblock further publishing

[legobeat]

I just took a new stab at this in #264