Merge dependabot security PRs

[mikesposito]

There are several PR related to security vulnerabilities from dependabot in repos owned by Wallet Framework (for full list, see https://github.com/MetaMask/MetaMask-planning/issues/3540).

In some cases, we should also prioritize release and update of affected packages in their consumers in order to mitigate the security issues, based on their EPSS value.

When to release the package

• if EPSS is >= 1% then release the package and deliver to clients
• if EPSS is < 1%
  • if the package is released (and delivered to clients) frequently then just merge the dependabot PR
  • if the package is rarely updated, release and deliver to (at least) other packages that are released more frequently, or to clients if it makes sense

To get the EPSS value

• Go to the alert related to the PR (e.g. https://github.com/MetaMask/actions-gh-pages-test-repo/security/dependabot/64)
• Click on See advisory in GitHub Advisory Database
• See EPSS right below GHSA ID

@mikesposito

• [ ] https://github.com/MetaMask/actions-gh-pages-test-repo/pull/118
• [ ] https://github.com/MetaMask/ethjs-unit/pull/22
• [ ] https://github.com/MetaMask/swappable-obj-proxy/pull/61
  • [ ] Release new version
  • [ ] Update in closer consumer (with higher update frequency)

@mcmire

• [ ] https://github.com/MetaMask/ethjs-filter/pull/14
• [ ] https://github.com/MetaMask/ethjs-util/pull/25
• [ ] https://github.com/MetaMask/ethjs/pull/32

@MajorLift

• [ ] https://github.com/MetaMask/ethjs-contract/pull/25
• [ ] https://github.com/MetaMask/ethjs-format/pull/15
• [ ] https://github.com/MetaMask/ethjs-provider-http/pull/25

@mcmire

• [ ] https://github.com/MetaMask/ethjs-query/pull/54
• [ ] https://github.com/MetaMask/number-to-bn/pull/24
• [ ] https://github.com/MetaMask/oss-attribution-generator/pull/32