From d666e103128661716e3a375f40625a0d5602f5b7 Mon Sep 17 00:00:00 2001 From: Pranav Jain Date: Mon, 27 Apr 2026 14:37:22 -0400 Subject: [PATCH] chore: bump version to v2.1.0 and fix trivy vulnerabilities Bump version to 2.1.0 for GHCR release. Fix all 17 Trivy HIGH/CRITICAL findings via npm overrides: - @xmldom/xmldom: ^0.9.10 (CVE-2026-34601, CVE-2026-41672-41675) - protobufjs: ^7.5.5 (CVE-2026-41242, CRITICAL) - basic-ftp: ^5.3.0 (CVE-2026-39983, GHSA-6v7q, GHSA-rp42) - lodash: ^4.18.0 (CVE-2026-4800) Also fix missing keychain nocks in sendMany multisig test -- the handler fetches all 3 keychains for walletPubs but the test only mocked user. WAL-803 Co-Authored-By: Claude Opus 4.6 (1M context) --- package-lock.json | 6 +++--- package.json | 11 ++++++----- src/__tests__/api/master/sendMany.test.ts | 19 +++++++++++++++++++ 3 files changed, 28 insertions(+), 8 deletions(-) diff --git a/package-lock.json b/package-lock.json index 4c8b5e9c..806d0aa3 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "@bitgo/advanced-wallets", - "version": "2.0.0", + "version": "2.1.0", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@bitgo/advanced-wallets", - "version": "2.0.0", + "version": "2.1.0", "dependencies": { "@api-ts/io-ts-http": "^3.2.1", "@api-ts/openapi-generator": "^6.0.1", @@ -95,7 +95,7 @@ "debug": "^3.1.0", "express": "4.21.2", "io-ts": "2.1.3", - "lodash": "^4.17.20", + "lodash": "^4.18.0", "morgan": "^1.9.1", "openpgp": "5.11.3", "proxy-agent": "6.4.0", diff --git a/package.json b/package.json index 1be4a795..9616986a 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@bitgo/advanced-wallets", - "version": "2.0.0", + "version": "2.1.0", "description": "Advanced Wallets - On-Premises Key Management with BitGo Express", "main": "./dist/src/index.js", "types": "./dist/src/index.d.ts", @@ -110,7 +110,7 @@ "debug": "^3.1.0", "express": "4.21.2", "io-ts": "2.1.3", - "lodash": "^4.17.20", + "lodash": "^4.18.0", "morgan": "^1.9.1", "openpgp": "5.11.3", "proxy-agent": "6.4.0", @@ -136,8 +136,6 @@ "store2": "^2.14.4", "tar": "^7.5.11", "basic-ftp": "^5.3.0", - "@xmldom/xmldom": "^0.9.9", - "protobufjs": "^7.5.5", "flatted": "^3.4.0", "serialize-javascript": "^7.0.3", "@isaacs/brace-expansion": "^5.0.1", @@ -147,7 +145,10 @@ "validator": "^13.15.22", "node-forge": "^1.3.2", "xml2js": "^0.5.0", - "glob": "^11.1.0" + "glob": "^11.1.0", + "@xmldom/xmldom": "^0.9.10", + "protobufjs": "^7.5.5", + "lodash": "^4.18.0" }, "devDependencies": { "@api-ts/openapi-generator": "^5.7.0", diff --git a/src/__tests__/api/master/sendMany.test.ts b/src/__tests__/api/master/sendMany.test.ts index 97a93792..1c726b05 100644 --- a/src/__tests__/api/master/sendMany.test.ts +++ b/src/__tests__/api/master/sendMany.test.ts @@ -1026,12 +1026,29 @@ describe('POST /api/v1/:coin/advancedwallet/:walletId/sendMany', () => { const keychainGetNock = nock(bitgoApiUrl) .get(`/api/v2/${coin}/key/user-key-id`) + .times(2) .matchHeader('any', () => true) .reply(200, { id: 'user-key-id', pub: 'xpub_user', }); + const backupKeychainGetNock = nock(bitgoApiUrl) + .get(`/api/v2/${coin}/key/backup-key-id`) + .matchHeader('any', () => true) + .reply(200, { + id: 'backup-key-id', + pub: 'xpub_backup', + }); + + const bitgoKeychainGetNock = nock(bitgoApiUrl) + .get(`/api/v2/${coin}/key/bitgo-key-id`) + .matchHeader('any', () => true) + .reply(200, { + id: 'bitgo-key-id', + pub: 'xpub_bitgo', + }); + const prebuildStub = sinon.stub(Wallet.prototype, 'prebuildTransaction').resolves({ txHex: 'prebuilt-tx-hex', txInfo: { nP2SHInputs: 1, nSegwitInputs: 0, nOutputs: 2 }, @@ -1072,6 +1089,8 @@ describe('POST /api/v1/:coin/advancedwallet/:walletId/sendMany', () => { walletGetNock.done(); keychainGetNock.done(); + backupKeychainGetNock.done(); + bitgoKeychainGetNock.done(); sinon.assert.calledOnce(prebuildStub); sinon.assert.calledOnce(verifyStub); signNock.done();