fix: bumping deps from orca scan for bitgo express#9189
Open
danielpeng1 wants to merge 3 commits into
Open
Conversation
…image Addresses CVEs identified by Orca scan on bitgo-express container: Node.js dependency upgrades (via yarn resolutions): - protobufjs: 7.5.8 -> 7.6.4 (CVE-2026-54269) - qs: 6.14.1 -> 6.15.2 (CVE-2026-2391, CVE-2026-8723) - follow-redirects: 1.15.11 -> 1.16.0 (GHSA-r4q5-vmmm-2653) - tar: 6.2.1 -> 7.5.16 (CVE-2026-23745 and others) - dompurify: add 3.4.11 pin (9x CVEs) - react-router/react-router-dom: 6.3.0 -> 6.30.4 (CVE-2025-68470) - webpack: 5.98.0 -> 5.107.2 (CVE-2025-68157, CVE-2025-68458) - picomatch: 2.x -> 4.0.4 (CVE-2026-33671, CVE-2026-33672) - minimatch: add 9.0.9 pin (CVE-2026-26996 and others) - @babel/core: add ^7.29.7 pin (CVE-2026-49356) - @stablelib/ed25519: 1.0.3 -> 2.1.0 (GHSA-x3ff-w252-2g7j) Dockerfile: add apt-get upgrade -y to runtime stage to pull latest OS-level security patches (libc6, libssl3, libgnutls30, etc.) Ticket: WCN-1223
Manually update lockfile entries to match the security resolutions in package.json, resolving HIGH/MEDIUM CVEs identified by Orca scan: - protobufjs: 7.5.8 -> 7.6.4 (CVE-2026-54269) - qs: 6.14.1 -> 6.15.2 (CVE-2026-2391, CVE-2026-8723) - follow-redirects: 1.15.11 -> 1.16.0 (GHSA-r4q5-vmmm-2653) - tar: 6.2.1 -> 7.5.16 (CVE-2026-26960 HIGH + 5 MEDIUM) - dompurify: 3.3.1 -> 3.4.11 (9x CVEs) - minimatch: 9.0.3 -> 9.0.9 (CVE-2026-26996 HIGH + others) - react-router/dom: 6.3.0 -> 6.30.4 (CVE-2025-68470) - webpack: 5.98.0 -> 5.107.2 (CVE-2025-68157, CVE-2025-68458) - picomatch: already at 4.0.4 via prior resolution Ticket: WCN-1223
Contributor
Addresses HIGH and MEDIUM CVEs identified by Orca scan on bitgo-express container v15.35.0. Only includes non-breaking (patch/minor) upgrades. Breaking major-version bumps (tar 7.x, @stablelib/ed25519 2.x) and OS-level fixes are tracked separately in INFOSEC-182. Also drops the minimatch 9.0.9 resolution: forcing it globally breaks lerna's postinstall build (lerna pins minimatch to an exact 3.0.5 and calls it as a default export, which 9.x's CJS output no longer has). Tracked separately as well. yarn.lock regenerated via a full `yarn install` (not just a manual patch) so transitive deps of webpack, react-router, and babel actually land on versions consistent with the resolutions above -- the previous lockfile still had @babel/core resolving to 7.29.6, one patch below the ^7.29.7 floor needed for CVE-2026-49356. Also pins browserslist/enhanced-resolve/es-module-lexer/caniuse-lite/ electron-to-chromium/baseline-browser-mapping and scopes a webpack/webpack-sources override: the webpack 5.107.2 bump otherwise pulls their latest versions, which are too recently published to pass the CI safe-chain minimum-package-age check. Node.js resolutions updated: - protobufjs: 7.5.8 -> 7.6.4 (CVE-2026-54269, MEDIUM) - qs: 6.14.1 -> 6.15.2 (CVE-2026-8723 MEDIUM, CVE-2026-2391) - follow-redirects: 1.15.11 -> 1.16.0 (GHSA-r4q5-vmmm-2653, MEDIUM) - dompurify: 3.3.1 -> 3.4.11 (9x MEDIUM CVEs) - picomatch: pinned to 4.0.4 (CVE-2026-33671, HIGH) - react-router/dom: 6.3.0 -> 6.30.4 (CVE-2025-68470, MODERATE) - webpack: 5.98.0 -> 5.107.2 (CVE-2025-68157/68458) - @babel/core: pinned to ^7.29.7 (CVE-2026-49356) Also confirms that protobufjs 6.11.4/7.5.4 CVEs reported in v15.20.1 are already resolved -- v15.35.0 was pinned to 7.5.8 (above required minimum of 7.5.6). Ticket: WCN-1223
419f6e0 to
89a5088
Compare
4 tasks
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Non-breaking patch/minor version bumps to resolve a large subset of HIGH/MEDIUM CVEs flagged by Orca scan on bitgo-express. More info in ticket (and doc attached to parent ticket).
Ticket: WCN-1223