You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Consolidates the pure dependency version bumps that stack on top of the
Node 22 upgrade. Each is a behaviour-preserving bump that closes (or
hardens against) Dependabot alerts on consumer-facing and build-context
deps; no public API changes.
- uuid 8/9 -> ^11.1.1 across cardano-services, e2e, projection-typeorm,
web-extension, wallet; drop now-redundant @types/uuid (uuid 11 ships
its own types).
- core: ip-address ^9.0.5 -> ^10.2.0.
- axios relocked within ^1.7.4 to 1.18.0.
- cardano-services: express-openapi-validator ^4.13.8 -> ^5.6.2
(pulls multer 2.x, removing the vulnerable multer 1.x). v5 renames
the OpenAPIV3.Document type to DocumentV3 — updated in openApi.ts and
its test.
Audits the wave in docs/security/dependency-vulnerability-audit-2026-06-19.md
(follow-up section): OSV.dev clean for every resolved version, 0 residual
advisories in CISA KEV, production closure clean, no lockfile downgrades,
per-tier blast-radius diagrams, and the lone publisher transition (multer
linusu -> ulisesgascon) annotated as a known maintenance handoff.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
## Follow-up wave — direct bumps on the Node 22 baseline (2026-06-20)
468
+
469
+
The four deferred direct-dependency bumps that required the Node 22 runtime (or a major parent bump) as a prerequisite, now actioned together. Each clears a consumer-facing or build-context alert that the in-range relock could not reach; this resolves the interim PARTIAL on `uuid` from §A (its direct lines now all sit on the patched major; the residual `8.3.2`/`9.0.0` copies are transitive-only — pinned by `pg-boss`, `typeorm-extension` and the Trezor stack — and stay tracked).
470
+
471
+
| Package | Version (→ updated) | Status (severity) | Scope | License | Provenance / publisher |
472
+
|---|---|---|---|---|---|
473
+
|`uuid`| direct 10.0.0 → **11.1.1** (transitive 8.3.2, 9.0.0 remain) | CLOSED direct · PARTIAL transitive (medium) | direct · prod · consumer:yes| MIT | signed + SLSA; publisher `ctavan` → GitHub Actions OIDC (provenance adoption, benign) |
474
+
|`ip-address`| 9.0.5 → **10.2.0**| CLOSED (medium) | direct · prod · consumer:yes| MIT | signed; publisher `beaugunderson` unchanged |
|`express-openapi-validator`| 4.13.8 → **5.6.2**| CLOSED (high) | direct · prod · consumer:yes| MIT | signed; publisher `cdimascio` unchanged |
477
+
|`multer`| 1.4.5-lts.2 → **2.2.0**| CLOSED (high) | transitive (via `express-openapi-validator`) · prod · consumer:yes| MIT | signed; publisher `linusu` → `ulisesgascon` — **human→human**, a known maintenance handoff to the Express/OpenJS maintainer; benign |
478
+
479
+
### Blast radius — follow-up wave
480
+
481
+
Unlike the §A relock wave, this wave **does reach Tier 1**: `ip-address` is a direct production dependency of `core`, so every package that pulls `core` into production now resolves a changed `ip-address` (18 published packages in total). The change is a network-address parser used for relay/peer addresses — **no key-material or cryptographic code path is altered** (`crypto` itself is untouched; it sits below `core`). `axios` and `express-openapi-validator`/`multer` are confined to the service/data tier and tooling.
*Highest exposure: `cardano-services` and `cardano-services-client` pull the high-severity `axios` and (services only) `express-openapi-validator`/`multer`.*
-**Cross-referenced databases:** OSV.dev returns **0** records for every resolved version above (`uuid@11.1.1`, `ip-address@10.2.0`, `axios@1.18.0`, `multer@2.2.0`, `express-openapi-validator@5.6.2`). **0** of the residual transitive advisories (`uuid<11.1.1`, `ws 8.5.0`, `yaml 2.6.1`) intersect the CISA KEV catalogue (1623 entries) — none are under active exploitation, so deferral remains appropriate.
604
+
-**Production closure:**`yarn npm audit --environment production` is clean (exit 0) on this baseline — no advisory reaches a published package's production tree.
605
+
-**Regression check:** lockfile diff vs the Node 22 baseline shows only upgrades and removals consistent with these bumps (e.g. `express-openapi-validator` v5 swaps `json-schema-ref-parser`→`@apidevtools/json-schema-ref-parser` 14.x, drops `lodash.uniq`/`lodash.zipobject`/`call-me-maybe`/`concat-stream@1.x`; `multer` 1.x removed). No shared transitive was silently downgraded.
606
+
467
607
## Method & limitations
468
608
469
609
-**Vulnerability status** tests each resolved version against the advisory's vulnerable range (semver). PARTIAL = the manifest range moved to a patched version but another consumer pins an older, still-vulnerable copy — enumerated in the deferred-work issues (#1701–#1708).
0 commit comments