Skip to content

Commit 7bd88af

Browse files
rhyslbwclaude
andcommitted
chore(deps): bump uuid, ip-address, axios & express-openapi-validator
Consolidates the pure dependency version bumps that stack on top of the Node 22 upgrade. Each is a behaviour-preserving bump that closes (or hardens against) Dependabot alerts on consumer-facing and build-context deps; no public API changes. - uuid 8/9 -> ^11.1.1 across cardano-services, e2e, projection-typeorm, web-extension, wallet; drop now-redundant @types/uuid (uuid 11 ships its own types). - core: ip-address ^9.0.5 -> ^10.2.0. - axios relocked within ^1.7.4 to 1.18.0. - cardano-services: express-openapi-validator ^4.13.8 -> ^5.6.2 (pulls multer 2.x, removing the vulnerable multer 1.x). v5 renames the OpenAPIV3.Document type to DocumentV3 — updated in openApi.ts and its test. Audits the wave in docs/security/dependency-vulnerability-audit-2026-06-19.md (follow-up section): OSV.dev clean for every resolved version, 0 residual advisories in CISA KEV, production closure clean, no lockfile downgrades, per-tier blast-radius diagrams, and the lone publisher transition (multer linusu -> ulisesgascon) annotated as a known maintenance handoff. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
1 parent 77ca3a7 commit 7bd88af

11 files changed

Lines changed: 273 additions & 138 deletions

File tree

docs/security/dependency-vulnerability-audit-2026-06-19.md

Lines changed: 140 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -464,6 +464,146 @@ Moved only because an in-range relock re-resolved a shared sub-tree. Listed for
464464
| `webpack-sources` | 3.3.3 → 3.5.0 | transitive · dev-only · consumer:no | MIT | 7 / 3.5.0 |
465465
| `yargs` | 14.2.3, 16.2.0, 17.7.1 → 14.2.3, 16.2.0, 17.7.1, 17.7.3 | transitive · dev-only · consumer:no | MIT | 2 / 18.0.0 |
466466

467+
## Follow-up wave — direct bumps on the Node 22 baseline (2026-06-20)
468+
469+
The four deferred direct-dependency bumps that required the Node 22 runtime (or a major parent bump) as a prerequisite, now actioned together. Each clears a consumer-facing or build-context alert that the in-range relock could not reach; this resolves the interim PARTIAL on `uuid` from §A (its direct lines now all sit on the patched major; the residual `8.3.2`/`9.0.0` copies are transitive-only — pinned by `pg-boss`, `typeorm-extension` and the Trezor stack — and stay tracked).
470+
471+
| Package | Version (→ updated) | Status (severity) | Scope | License | Provenance / publisher |
472+
|---|---|---|---|---|---|
473+
| `uuid` | direct 10.0.0 → **11.1.1** (transitive 8.3.2, 9.0.0 remain) | CLOSED direct · PARTIAL transitive (medium) | direct · prod · consumer:yes | MIT | signed + SLSA; publisher `ctavan` → GitHub Actions OIDC (provenance adoption, benign) |
474+
| `ip-address` | 9.0.5 → **10.2.0** | CLOSED (medium) | direct · prod · consumer:yes | MIT | signed; publisher `beaugunderson` unchanged |
475+
| `axios` | 1.11.0 → **1.18.0** (in-range relock, ^1.7.4) | CLOSED (high) | direct · prod · consumer:yes | MIT | signed + SLSA; publisher `jasonsaayman` → GitHub Actions OIDC trusted-publisher (approver `jasonsaayman`), benign |
476+
| `express-openapi-validator` | 4.13.8 → **5.6.2** | CLOSED (high) | direct · prod · consumer:yes | MIT | signed; publisher `cdimascio` unchanged |
477+
| `multer` | 1.4.5-lts.2 → **2.2.0** | CLOSED (high) | transitive (via `express-openapi-validator`) · prod · consumer:yes | MIT | signed; publisher `linusu``ulisesgascon`**human→human**, a known maintenance handoff to the Express/OpenJS maintainer; benign |
478+
479+
### Blast radius — follow-up wave
480+
481+
Unlike the §A relock wave, this wave **does reach Tier 1**: `ip-address` is a direct production dependency of `core`, so every package that pulls `core` into production now resolves a changed `ip-address` (18 published packages in total). The change is a network-address parser used for relay/peer addresses — **no key-material or cryptographic code path is altered** (`crypto` itself is untouched; it sits below `core`). `axios` and `express-openapi-validator`/`multer` are confined to the service/data tier and tooling.
482+
483+
#### 🔑 Tier 1 — Keys, crypto, consensus & transaction logic
484+
485+
*`ip-address` enters at `core` and propagates to its Tier 1 dependents; `crypto` (below `core`) is untouched.*
486+
487+
```mermaid
488+
flowchart LR
489+
classDef crit fill:#f8b4b4,stroke:#b91c1c,color:#111;
490+
classDef high fill:#fdba74,stroke:#c2410c,color:#111;
491+
classDef med fill:#fde68a,stroke:#a16207,color:#111;
492+
classDef low fill:#bfdbfe,stroke:#1d4ed8,color:#111;
493+
classDef none fill:#bbf7d0,stroke:#15803d,color:#111;
494+
495+
d_ip("ip-address<br/>medium"):::med
496+
497+
p_core["core<br/>direct"]:::med
498+
p_key_management["key-management<br/>via core"]:::med
499+
p_tx_construction["tx-construction<br/>via core"]:::med
500+
p_input_selection["input-selection<br/>via core"]:::med
501+
p_governance["governance<br/>via core"]:::med
502+
p_crypto["crypto<br/>untouched"]:::none
503+
504+
d_ip --> p_core
505+
d_ip --> p_key_management
506+
d_ip --> p_tx_construction
507+
d_ip --> p_input_selection
508+
d_ip --> p_governance
509+
```
510+
511+
#### 🛡️ Tier 2 — Wallet orchestration, hardware signing, dApp/extension surface
512+
513+
```mermaid
514+
flowchart LR
515+
classDef crit fill:#f8b4b4,stroke:#b91c1c,color:#111;
516+
classDef high fill:#fdba74,stroke:#c2410c,color:#111;
517+
classDef med fill:#fde68a,stroke:#a16207,color:#111;
518+
classDef low fill:#bfdbfe,stroke:#1d4ed8,color:#111;
519+
classDef none fill:#bbf7d0,stroke:#15803d,color:#111;
520+
521+
d_ip("ip-address<br/>medium"):::med
522+
d_uuid("uuid<br/>medium"):::med
523+
524+
p_wallet["wallet"]:::med
525+
p_web_extension["web-extension"]:::med
526+
p_dapp_connector["dapp-connector"]:::med
527+
p_hardware_ledger["hardware-ledger"]:::med
528+
p_hardware_trezor["hardware-trezor"]:::med
529+
530+
d_ip --> p_wallet
531+
d_ip --> p_web_extension
532+
d_ip --> p_dapp_connector
533+
d_ip --> p_hardware_ledger
534+
d_ip --> p_hardware_trezor
535+
d_uuid --> p_wallet
536+
d_uuid --> p_web_extension
537+
```
538+
539+
#### 🌐 Tier 3 — Backend services & data plane
540+
541+
*Highest exposure: `cardano-services` and `cardano-services-client` pull the high-severity `axios` and (services only) `express-openapi-validator`/`multer`.*
542+
543+
```mermaid
544+
flowchart LR
545+
classDef crit fill:#f8b4b4,stroke:#b91c1c,color:#111;
546+
classDef high fill:#fdba74,stroke:#c2410c,color:#111;
547+
classDef med fill:#fde68a,stroke:#a16207,color:#111;
548+
classDef low fill:#bfdbfe,stroke:#1d4ed8,color:#111;
549+
classDef none fill:#bbf7d0,stroke:#15803d,color:#111;
550+
551+
d_ip("ip-address<br/>medium"):::med
552+
d_axios("axios<br/>high"):::high
553+
d_eov("express-openapi-validator<br/>→ multer · high"):::high
554+
d_uuid("uuid<br/>medium"):::med
555+
556+
p_cardano_services["cardano-services"]:::high
557+
p_cardano_services_client["cardano-services-client"]:::high
558+
p_ogmios["ogmios"]:::med
559+
p_projection["projection"]:::med
560+
p_projection_typeorm["projection-typeorm"]:::med
561+
562+
d_ip --> p_cardano_services
563+
d_ip --> p_cardano_services_client
564+
d_ip --> p_ogmios
565+
d_ip --> p_projection
566+
d_ip --> p_projection_typeorm
567+
d_axios --> p_cardano_services
568+
d_axios --> p_cardano_services_client
569+
d_eov --> p_cardano_services
570+
d_uuid --> p_cardano_services
571+
d_uuid --> p_projection_typeorm
572+
```
573+
574+
#### 🧰 Tier 4 — Utilities & dev/test tooling (mostly not consumer-installed)
575+
576+
```mermaid
577+
flowchart LR
578+
classDef crit fill:#f8b4b4,stroke:#b91c1c,color:#111;
579+
classDef high fill:#fdba74,stroke:#c2410c,color:#111;
580+
classDef med fill:#fde68a,stroke:#a16207,color:#111;
581+
classDef low fill:#bfdbfe,stroke:#1d4ed8,color:#111;
582+
classDef none fill:#bbf7d0,stroke:#15803d,color:#111;
583+
584+
d_ip("ip-address<br/>medium"):::med
585+
d_axios("axios<br/>high"):::high
586+
d_eov("express-openapi-validator<br/>→ multer · high"):::high
587+
d_uuid("uuid<br/>medium"):::med
588+
589+
p_e2e["e2e"]:::high
590+
p_golden["golden-test-generator"]:::high
591+
p_util_dev["util-dev"]:::high
592+
593+
d_ip --> p_e2e
594+
d_ip --> p_golden
595+
d_ip --> p_util_dev
596+
d_axios --> p_e2e
597+
d_axios --> p_golden
598+
d_axios --> p_util_dev
599+
d_eov --> p_e2e
600+
d_uuid --> p_e2e
601+
```
602+
603+
- **Cross-referenced databases:** OSV.dev returns **0** records for every resolved version above (`uuid@11.1.1`, `ip-address@10.2.0`, `axios@1.18.0`, `multer@2.2.0`, `express-openapi-validator@5.6.2`). **0** of the residual transitive advisories (`uuid<11.1.1`, `ws 8.5.0`, `yaml 2.6.1`) intersect the CISA KEV catalogue (1623 entries) — none are under active exploitation, so deferral remains appropriate.
604+
- **Production closure:** `yarn npm audit --environment production` is clean (exit 0) on this baseline — no advisory reaches a published package's production tree.
605+
- **Regression check:** lockfile diff vs the Node 22 baseline shows only upgrades and removals consistent with these bumps (e.g. `express-openapi-validator` v5 swaps `json-schema-ref-parser``@apidevtools/json-schema-ref-parser` 14.x, drops `lodash.uniq`/`lodash.zipobject`/`call-me-maybe`/`concat-stream@1.x`; `multer` 1.x removed). No shared transitive was silently downgraded.
606+
467607
## Method & limitations
468608

469609
- **Vulnerability status** tests each resolved version against the advisory's vulnerable range (semver). PARTIAL = the manifest range moved to a patched version but another consumer pins an older, still-vulnerable copy — enumerated in the deferred-work issues (#1701#1708).

packages/cardano-services/package.json

Lines changed: 2 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -69,7 +69,6 @@
6969
"@types/express-prometheus-middleware": "^1.2.1",
7070
"@types/lodash": "^4.14.182",
7171
"@types/pg": "^8.6.5",
72-
"@types/uuid": "^8.3.4",
7372
"@types/wait-on": "^5.3.1",
7473
"@types/ws": "^8.5.10",
7574
"axios-mock-adapter": "^2.0.0",
@@ -114,7 +113,7 @@
114113
"dotenv": "^16.0.0",
115114
"envalid": "^7.3.1",
116115
"express": "^4.20.0",
117-
"express-openapi-validator": "^4.13.8",
116+
"express-openapi-validator": "^5.6.2",
118117
"express-prom-bundle": "^6.4.1",
119118
"fraction.js": "^4.2.0",
120119
"fuse.js": "^7.0.0",
@@ -132,7 +131,7 @@
132131
"ts-custom-error": "^3.2.0",
133132
"ts-log": "^2.2.4",
134133
"typeorm": "^0.3.15",
135-
"uuid": "^10.0.0",
134+
"uuid": "^11.1.1",
136135
"ws": "^8.17.1"
137136
},
138137
"files": [

packages/cardano-services/src/util/openApi.ts

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -2,7 +2,7 @@ import { OpenAPIV3 } from 'express-openapi-validator/dist/framework/types';
22

33
export const versionPathFromSpec = (specPath: string) => {
44
try {
5-
const apiDoc = require(specPath) as OpenAPIV3.Document;
5+
const apiDoc = require(specPath) as OpenAPIV3.DocumentV3;
66

77
return `/v${apiDoc.info.version}`;
88
} catch (error) {

packages/cardano-services/test/util/openApi.test.ts

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@ describe('openApi utils', () => {
88
const apiSpecPath = path.join(__dirname, '..', '..', 'src', 'Http', 'openApi.json');
99
const {
1010
info: { version }
11-
} = require(apiSpecPath) as OpenAPIV3.Document;
11+
} = require(apiSpecPath) as OpenAPIV3.DocumentV3;
1212
expect(version).not.toBeUndefined();
1313
expect(versionPathFromSpec(apiSpecPath)).toBe(`/v${version}`);
1414
});

packages/core/package.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -54,7 +54,7 @@
5454
"@foxglove/crc": "^0.0.3",
5555
"@scure/base": "^1.1.1",
5656
"fraction.js": "4.0.1",
57-
"ip-address": "^9.0.5",
57+
"ip-address": "^10.2.0",
5858
"lodash": "^4.17.21",
5959
"ts-custom-error": "^3.2.0",
6060
"ts-log": "^2.2.4",

packages/e2e/package.json

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -112,7 +112,7 @@
112112
"ts-log": "^2.2.4",
113113
"ts-node": "^10.8.1",
114114
"ts-stopwatch": "0.0.4",
115-
"uuid": "^8.3.2",
115+
"uuid": "^11.1.1",
116116
"webextension-polyfill": "^0.8.0",
117117
"ws": "^8.5.0"
118118
},
@@ -135,7 +135,6 @@
135135
"@types/k6": "^0.53.1",
136136
"@types/lodash": "^4.14.182",
137137
"@types/ora": "^3.2.0",
138-
"@types/uuid": "^8.3.4",
139138
"@types/webextension-polyfill": "^0.8.0",
140139
"@wdio/cli": "^7.19.5",
141140
"@wdio/local-runner": "^7.19.5",

packages/projection-typeorm/package.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -51,7 +51,7 @@
5151
"ts-log": "^2.2.4",
5252
"tsc-alias": "^1.8.10",
5353
"typeorm": "^0.3.15",
54-
"uuid": "^9.0.0"
54+
"uuid": "^11.1.1"
5555
},
5656
"devDependencies": {
5757
"@cardano-sdk/util-dev": "workspace:~",

packages/wallet/package.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -81,7 +81,7 @@
8181
"rxjs": "^7.4.0",
8282
"ts-custom-error": "^3.2.0",
8383
"ts-log": "^2.2.3",
84-
"uuid": "^8.3.2"
84+
"uuid": "^11.1.1"
8585
},
8686
"files": [
8787
"dist/*",

packages/web-extension/package.json

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -39,7 +39,6 @@
3939
"devDependencies": {
4040
"@cardano-sdk/util-dev": "workspace:~",
4141
"@types/lodash": "^4.14.182",
42-
"@types/uuid": "^8.3.4",
4342
"@types/webextension-polyfill": "^0.8.0",
4443
"eslint": "^7.32.0",
4544
"jest": "^28.1.3",
@@ -67,7 +66,7 @@
6766
"rxjs": "^7.4.0",
6867
"ts-custom-error": "^3.2.0",
6968
"ts-log": "^2.2.3",
70-
"uuid": "^8.3.2",
69+
"uuid": "^11.1.1",
7170
"webextension-polyfill": "^0.8.0"
7271
},
7372
"files": [

tsconfig.tsbuildinfo

Lines changed: 0 additions & 1 deletion
This file was deleted.

0 commit comments

Comments
 (0)