build: Snyk test/monitor for web3-react + exclude workspace unmet deps

.github/workflows/CI.yml

@@ -28,7 +28,8 @@ jobs:
           node-version: ${{ matrix.node_version }}
           cache: 'yarn'
 
-      - run: yarn
+      # ensure the lockfile is in sync with the specified dependencies
+      - run: yarn install --frozen-lockfile
 
       - run: yarn build
 

.github/workflows/snyk_sca_scan.yml

@@ -0,0 +1,35 @@
+name: Snyk Code Security
+
+on:
+  pull_request:
+    branches:
+      - '**'
+  push:
+    branches:
+      - main
+    paths-ignore:
+      - '**/*.md'
+
+jobs:
+  open-source:
+    name: '🔒 Open Source Scan'
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v2
+      - name: Run Snyk test to check for known vulnerabilities in software supply chain
+        uses: snyk/actions/node@0e928f3e9ae859e2b95ac2b89af55d7b6434244d
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_API_TOKEN }}
+        with:
+          command: test
+          # include devDependencies to deps list for Snyk dep-graph
+          args: --dev --severity-threshold=medium 
+
+      - name: Run Snyk monitor to upload the latest snapshot 
+        uses: snyk/actions/node@0e928f3e9ae859e2b95ac2b89af55d7b6434244d
+        env:
+          SNYK_TOKEN: ${{ secrets.SNYK_API_TOKEN }}
+        with:
+          command: monitor
+          # include devDependencies to deps list for Snyk dep-graph
+          args: --dev --severity-threshold=medium 

.snyk

@@ -0,0 +1,8 @@
+# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.
+version: v1.25.0
+ignore: {}
+patch: {}
+exclude:
+  global:
+    - packages/**
+    - examples/**

package.json

@@ -28,9 +28,8 @@
     "@typescript-eslint/parser": "^5.19.0",
     "@uniswap/eslint-config": "^1.1.1",
     "eslint": "^8.13.0",
-    "eth-provider": "^0.9.4",
     "jest": "^27.5.1",
-    "lerna": "^4.0.0",
+    "lerna": "^5",
     "react": "^18.0.0",
     "react-test-renderer": "^18.0.0",
     "ts-jest": "^27.1.4",