chore: bump version to v2.1.0 and fix trivy vulnerabilities

Bump version to 2.1.0 for GHCR release. Fix all 17 Trivy HIGH/CRITICAL
findings via npm overrides:

- @xmldom/xmldom: ^0.9.10 (CVE-2026-34601, CVE-2026-41672-41675)
- protobufjs: ^7.5.5 (CVE-2026-41242, CRITICAL)
- basic-ftp: ^5.3.0 (CVE-2026-39983, GHSA-6v7q, GHSA-rp42)
- lodash: ^4.18.0 (CVE-2026-4800)

Also fix missing keychain nocks in sendMany multisig test -- the handler
fetches all 3 keychains for walletPubs but the test only mocked user.

WAL-803

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: pranavjain97

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "@bitgo/advanced-wallets",
-  "version": "2.0.0",
+  "version": "2.1.0",
   "description": "Advanced Wallets - On-Premises Key Management with BitGo Express",
   "main": "./dist/src/index.js",
   "types": "./dist/src/index.d.ts",
@@ -110,7 +110,7 @@
     "debug": "^3.1.0",
     "express": "4.21.2",
     "io-ts": "2.1.3",
-    "lodash": "^4.17.20",
+    "lodash": "^4.18.0",
     "morgan": "^1.9.1",
     "openpgp": "5.11.3",
     "proxy-agent": "6.4.0",
@@ -136,8 +136,6 @@
     "store2": "^2.14.4",
     "tar": "^7.5.11",
     "basic-ftp": "^5.3.0",
-    "@xmldom/xmldom": "^0.9.9",
-    "protobufjs": "^7.5.5",
     "flatted": "^3.4.0",
     "serialize-javascript": "^7.0.3",
     "@isaacs/brace-expansion": "^5.0.1",
@@ -147,7 +145,10 @@
     "validator": "^13.15.22",
     "node-forge": "^1.3.2",
     "xml2js": "^0.5.0",
-    "glob": "^11.1.0"
+    "glob": "^11.1.0",
+    "@xmldom/xmldom": "^0.9.10",
+    "protobufjs": "^7.5.5",
+    "lodash": "^4.18.0"
   },
   "devDependencies": {
     "@api-ts/openapi-generator": "^5.7.0",

package.json

@@ -1026,12 +1026,29 @@ describe('POST /api/v1/:coin/advancedwallet/:walletId/sendMany', () => {
 
     const keychainGetNock = nock(bitgoApiUrl)
       .get(`/api/v2/${coin}/key/user-key-id`)
+      .times(2)
       .matchHeader('any', () => true)
       .reply(200, {
         id: 'user-key-id',
         pub: 'xpub_user',
       });
 
+    const backupKeychainGetNock = nock(bitgoApiUrl)
+      .get(`/api/v2/${coin}/key/backup-key-id`)
+      .matchHeader('any', () => true)
+      .reply(200, {
+        id: 'backup-key-id',
+        pub: 'xpub_backup',
+      });
+
+    const bitgoKeychainGetNock = nock(bitgoApiUrl)
+      .get(`/api/v2/${coin}/key/bitgo-key-id`)
+      .matchHeader('any', () => true)
+      .reply(200, {
+        id: 'bitgo-key-id',
+        pub: 'xpub_bitgo',
+      });
+
     const prebuildStub = sinon.stub(Wallet.prototype, 'prebuildTransaction').resolves({
       txHex: 'prebuilt-tx-hex',
       txInfo: { nP2SHInputs: 1, nSegwitInputs: 0, nOutputs: 2 },
@@ -1072,6 +1089,8 @@ describe('POST /api/v1/:coin/advancedwallet/:walletId/sendMany', () => {
 
     walletGetNock.done();
     keychainGetNock.done();
+    backupKeychainGetNock.done();
+    bitgoKeychainGetNock.done();
     sinon.assert.calledOnce(prebuildStub);
     sinon.assert.calledOnce(verifyStub);
     signNock.done();