Skip to content

fix: bumping deps from orca scan for bitgo express#9189

Open
danielpeng1 wants to merge 3 commits into
masterfrom
WCN-1223/orca-scan-bitgo-express
Open

fix: bumping deps from orca scan for bitgo express#9189
danielpeng1 wants to merge 3 commits into
masterfrom
WCN-1223/orca-scan-bitgo-express

Conversation

@danielpeng1

Copy link
Copy Markdown
Contributor

Non-breaking patch/minor version bumps to resolve a large subset of HIGH/MEDIUM CVEs flagged by Orca scan on bitgo-express. More info in ticket (and doc attached to parent ticket).

  • protobufjs: 7.5.8 → 7.6.4
  • qs: 6.14.1 → 6.15.2
  • follow-redirects: 1.15.11 → 1.16.0
  • dompurify: 3.3.1 → 3.4.11
  • react-router / react-router-dom: 6.3.0 → 6.30.4
  • webpack: 5.98.0 → 5.107.2
  • picomatch: pinned to 4.0.4 (already resolved there beforehand, no functional change)
  • @babel/core: 7.29.6 → 7.29.7

Ticket: WCN-1223

…image

Addresses CVEs identified by Orca scan on bitgo-express container:

Node.js dependency upgrades (via yarn resolutions):
- protobufjs: 7.5.8 -> 7.6.4 (CVE-2026-54269)
- qs: 6.14.1 -> 6.15.2 (CVE-2026-2391, CVE-2026-8723)
- follow-redirects: 1.15.11 -> 1.16.0 (GHSA-r4q5-vmmm-2653)
- tar: 6.2.1 -> 7.5.16 (CVE-2026-23745 and others)
- dompurify: add 3.4.11 pin (9x CVEs)
- react-router/react-router-dom: 6.3.0 -> 6.30.4 (CVE-2025-68470)
- webpack: 5.98.0 -> 5.107.2 (CVE-2025-68157, CVE-2025-68458)
- picomatch: 2.x -> 4.0.4 (CVE-2026-33671, CVE-2026-33672)
- minimatch: add 9.0.9 pin (CVE-2026-26996 and others)
- @babel/core: add ^7.29.7 pin (CVE-2026-49356)
- @stablelib/ed25519: 1.0.3 -> 2.1.0 (GHSA-x3ff-w252-2g7j)

Dockerfile: add apt-get upgrade -y to runtime stage to pull latest
OS-level security patches (libc6, libssl3, libgnutls30, etc.)

Ticket: WCN-1223
Manually update lockfile entries to match the security resolutions in
package.json, resolving HIGH/MEDIUM CVEs identified by Orca scan:

- protobufjs: 7.5.8 -> 7.6.4 (CVE-2026-54269)
- qs: 6.14.1 -> 6.15.2 (CVE-2026-2391, CVE-2026-8723)
- follow-redirects: 1.15.11 -> 1.16.0 (GHSA-r4q5-vmmm-2653)
- tar: 6.2.1 -> 7.5.16 (CVE-2026-26960 HIGH + 5 MEDIUM)
- dompurify: 3.3.1 -> 3.4.11 (9x CVEs)
- minimatch: 9.0.3 -> 9.0.9 (CVE-2026-26996 HIGH + others)
- react-router/dom: 6.3.0 -> 6.30.4 (CVE-2025-68470)
- webpack: 5.98.0 -> 5.107.2 (CVE-2025-68157, CVE-2025-68458)
- picomatch: already at 4.0.4 via prior resolution

Ticket: WCN-1223
@danielpeng1 danielpeng1 self-assigned this Jul 6, 2026
@linear-code

linear-code Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

WCN-1223

Addresses HIGH and MEDIUM CVEs identified by Orca scan on bitgo-express
container v15.35.0. Only includes non-breaking (patch/minor) upgrades.
Breaking major-version bumps (tar 7.x, @stablelib/ed25519 2.x) and
OS-level fixes are tracked separately in INFOSEC-182.

Also drops the minimatch 9.0.9 resolution: forcing it globally breaks
lerna's postinstall build (lerna pins minimatch to an exact 3.0.5 and
calls it as a default export, which 9.x's CJS output no longer has).
Tracked separately as well.

yarn.lock regenerated via a full `yarn install` (not just a manual
patch) so transitive deps of webpack, react-router, and babel actually
land on versions consistent with the resolutions above -- the previous
lockfile still had @babel/core resolving to 7.29.6, one patch below
the ^7.29.7 floor needed for CVE-2026-49356.

Also pins browserslist/enhanced-resolve/es-module-lexer/caniuse-lite/
electron-to-chromium/baseline-browser-mapping and scopes a
webpack/webpack-sources override: the webpack 5.107.2 bump otherwise
pulls their latest versions, which are too recently published to pass
the CI safe-chain minimum-package-age check.

Node.js resolutions updated:
- protobufjs: 7.5.8 -> 7.6.4 (CVE-2026-54269, MEDIUM)
- qs: 6.14.1 -> 6.15.2 (CVE-2026-8723 MEDIUM, CVE-2026-2391)
- follow-redirects: 1.15.11 -> 1.16.0 (GHSA-r4q5-vmmm-2653, MEDIUM)
- dompurify: 3.3.1 -> 3.4.11 (9x MEDIUM CVEs)
- picomatch: pinned to 4.0.4 (CVE-2026-33671, HIGH)
- react-router/dom: 6.3.0 -> 6.30.4 (CVE-2025-68470, MODERATE)
- webpack: 5.98.0 -> 5.107.2 (CVE-2025-68157/68458)
- @babel/core: pinned to ^7.29.7 (CVE-2026-49356)

Also confirms that protobufjs 6.11.4/7.5.4 CVEs reported in v15.20.1
are already resolved -- v15.35.0 was pinned to 7.5.8 (above required
minimum of 7.5.6).

Ticket: WCN-1223
@danielpeng1 danielpeng1 force-pushed the WCN-1223/orca-scan-bitgo-express branch from 419f6e0 to 89a5088 Compare July 6, 2026 18:11
@danielpeng1 danielpeng1 marked this pull request as ready for review July 6, 2026 18:27
@danielpeng1 danielpeng1 requested a review from a team as a code owner July 6, 2026 18:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant