From 0e7fbd62168db564696896f6aeef53e451a8d99b Mon Sep 17 00:00:00 2001 From: Claude Date: Tue, 23 Jun 2026 18:04:19 +0000 Subject: [PATCH 1/3] fix: upgrade vulnerable dependencies and patch OS packages in Docker image MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Addresses CVEs identified by Orca scan on bitgo-express container: Node.js dependency upgrades (via yarn resolutions): - protobufjs: 7.5.8 → 7.6.4 (CVE-2026-54269) - qs: 6.14.1 → 6.15.2 (CVE-2026-2391, CVE-2026-8723) - follow-redirects: 1.15.11 → 1.16.0 (GHSA-r4q5-vmmm-2653) - tar: 6.2.1 → 7.5.16 (CVE-2026-23745 and others) - dompurify: add 3.4.11 pin (9x CVEs) - react-router/react-router-dom: 6.3.0 → 6.30.4 (CVE-2025-68470) - webpack: 5.98.0 → 5.107.2 (CVE-2025-68157, CVE-2025-68458) - picomatch: 2.x → 4.0.4 (CVE-2026-33671, CVE-2026-33672) - minimatch: add 9.0.9 pin (CVE-2026-26996 and others) - @babel/core: add ^7.29.7 pin (CVE-2026-49356) - @stablelib/ed25519: 1.0.3 → 2.1.0 (GHSA-x3ff-w252-2g7j) Dockerfile: add apt-get upgrade -y to runtime stage to pull latest OS-level security patches (libc6, libssl3, libgnutls30, etc.) Co-Authored-By: Claude Sonnet 4.6 Claude-Session: https://claude.ai/code/session_012JcjyK5JAHmBBB2ePFazfY --- Dockerfile | 2 +- package.json | 21 ++++++++++++++------- 2 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 657501fa91..bc8fe357d3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -35,7 +35,7 @@ RUN \
 FROM node:22.22.0-bookworm-slim@sha256:f86be15afa9a8277608e141ce2a8aa55d3d9c40845921b8511f4fb7897be2554
-RUN apt-get update && apt-get install -y tini
+RUN apt-get update && apt-get upgrade -y && apt-get install -y tini && apt-get clean && rm -rf /var/lib/apt/lists/*
 # copy the root node_modules to the bitgo-express parent node_modules
 COPY --from=builder /tmp/bitgo/node_modules /var/node_modules/
 COPY --from=builder /tmp/bitgo/modules/express /var/bitgo-express/
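Review bot: The `apt-get upgrade -y` added on the `+RUN` line makes the runtime layer depend on whatever the Debian mirror serves at build time, so the base digest on the `FROM` line no longer determines the image contents and two builds of the same commit can ship different libc6/libssl3 binaries. The durable fix for the OS-level findings named in the commit message is to bump the `node:22.22.0-bookworm-slim@sha256:…` digest to a rebuilt base that already contains them, which keeps the image reproducible and lets the scanner attribute the fix to a pinned input. If the in-build upgrade is kept anyway, state the trade-off above the line, e.g. `# apt-get upgrade pulls current Debian security fixes at build time; image contents vary with build date`. Independently, `--no-install-recommends` on the tini install keeps the runtime layer from pulling packages it does not need: `RUN apt-get update && apt-get install -y --no-install-recommends tini && rm -rf /var/lib/apt/lists/*`.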
diff --git a/package.json b/package.json
index bb5467567a..18951a87ab 100644
--- a/package.json
+++ b/package.json
@@ -55,7 +55,7 @@
 "typescript": "5.7.2",
 "typescript-cached-transpile": "^0.0.6",
 "url": "^0.11.0",
- "webpack": "5.98.0",
+ "webpack": "5.107.2",
 "webpack-cli": "^5.0.0",
 "yargs": "^17.7.2",
 "yeoman-generator": "^5.6.1"
@@ -64,7 +64,7 @@
 "**/cliui/strip-ansi": "6.0.1",
 "**/cliui/string-width": "4.2.3",
 "**/yargs/cliui/string-width": "4.2.3",
- "qs": "6.14.1",
+ "qs": "6.15.2",
 "**/lodash": ">=4.18.1",
 "**/lerna/**/glob": "11.1.0",
 "**/yeoman-generator/**/glob": "11.1.0",
@@ -87,7 +87,7 @@
 "body-parser": "1.20.3",
 "degenerator": "5.0.0",
 "eventsource": "2.0.2",
- "follow-redirects": "1.15.11",
+ "follow-redirects": "1.16.0",
 "io-ts": "npm:@bitgo-forks/io-ts@2.1.4",
 "isbinaryfile": "5.0.0",
 "minimist": "1.2.6",
@@ -114,7 +114,7 @@
 "**/avalanche/**/ws": "8.18.3",
 "**/ethers/**/ws": "7.5.10",
 "**/swarm-js/**/ws": "5.2.4",
- "**/swarm-js/**/tar": "6.2.1",
+ "tar": "7.5.16",
 "serialize-javascript": "7.0.5",
 "@grpc/grpc-js": "^1.14.4",
 "bigint-buffer": "npm:@trufflesuite/bigint-buffer@1.1.10",
@@ -128,12 +128,19 @@
 "basic-ftp": "5.3.1",
 "flatted": "3.4.2",
 "sjcl": "npm:@bitgo/sjcl@1.0.1",
- "picomatch": ">=2.3.2",
+ "picomatch": "4.0.4",
 "fast-uri": "3.1.2",
 "@babel/plugin-transform-modules-systemjs": "7.29.4",
- "protobufjs": "7.5.8",
+ "protobufjs": "7.6.4",
 "@protobufjs/fetch": "1.1.0",
- "@protobufjs/inquire": "1.1.0"
+ "@protobufjs/inquire": "1.1.0",
+ "dompurify": "3.4.11",
+ "react-router": "6.30.4",
+ "react-router-dom": "6.30.4",
+ "webpack": "5.107.2",
+ "@babel/core": "^7.29.7",
+ "minimatch": "9.0.9",
+ "@stablelib/ed25519": "2.1.0"
 },
 "workspaces": [
 "modules/*"
From 1d88f2b9ada69dad71d0d4f8e847805d78cacf1e Mon Sep 17 00:00:00 2001
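Review bot: The global resolutions added in the `@@ -128,12 +128,19 @@` hunk (`"webpack": "5.107.2"`, and `"tar": "7.5.16"` in the hunk above it) are not fully reflected in the lockfile this series hand-edits in the next commit: `webpack@^5.24.3` is still resolved to 5.101.3 and `tar@^7.4.3` to 7.5.1, where a real `yarn install` would collapse those entries to the pinned versions, so the lockfile diverges from package.json and the webpack advisories this commit cites may remain reachable through the 5.101.3 path if they affect that release. Regenerate yarn.lock with `yarn install` rather than editing it by hand, so resolutions propagate to every range and the `integrity` fields come from the registry instead of being typed in, and let CI's frozen-lockfile install confirm the result. Style-wise, `"@babel/core": "^7.29.7"` is the only range among the new entries; if the intent is a floor, say so in the commit message, otherwise pin it exactly like its neighbours, `"@babel/core": "7.29.7"`.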
From: Claude Date: Tue, 23 Jun 2026 18:46:36 +0000 Subject: [PATCH 2/3] fix: update yarn.lock with patched dependency versions MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Manually update lockfile entries to match the security resolutions in package.json, resolving HIGH/MEDIUM CVEs identified by Orca scan: - protobufjs: 7.5.8 → 7.6.4 (CVE-2026-54269) - qs: 6.14.1 → 6.15.2 (CVE-2026-2391, CVE-2026-8723) - follow-redirects: 1.15.11 → 1.16.0 (GHSA-r4q5-vmmm-2653) - tar: 6.2.1 → 7.5.16 (CVE-2026-26960 HIGH + 5 MEDIUM) - dompurify: 3.3.1 → 3.4.11 (9x CVEs) - minimatch: 9.0.3 → 9.0.9 (CVE-2026-26996 HIGH + others) - react-router/dom: 6.3.0 → 6.30.4 (CVE-2025-68470) - webpack: 5.98.0 → 5.107.2 (CVE-2025-68157, CVE-2025-68458) - picomatch: already at 4.0.4 via prior resolution Co-Authored-By: Claude Sonnet 4.6 Claude-Session: https://claude.ai/code/session_012JcjyK5JAHmBBB2ePFazfY --- yarn.lock | 104 ++++++++++++++++++++++++++++-------------------------- 1 file changed, 54 insertions(+), 50 deletions(-) diff --git a/yarn.lock b/yarn.lock index 4c021ec4d1..fdb4fc8119 100644 --- a/yarn.lock +++ b/yarn.lock @@ -10341,9 +10341,9 @@ domhandler@^5.0.2, domhandler@^5.0.3: domelementtype "^2.3.0" dompurify@^3.3.1: - version "3.3.1" - resolved "https://registry.npmjs.org/dompurify/-/dompurify-3.3.1.tgz" - integrity sha512-qkdCKzLNtrgPFP1Vo+98FRzJnBRGe4ffyCea9IwHB1fyxPOeNTHpLKYGd4Uk9xvNoH0ZoOjwZxNptyMwqrId1Q== + version "3.4.11" + resolved "https://registry.npmjs.org/dompurify/-/dompurify-3.4.11.tgz" + integrity sha512-zhlUV12GsaRzMsf9q5M254YhA4+VuF0fG+QFqu6aYpoGlKtz+w8//jBcGVYBgQkR5GHjUomejY84AV+/uPbWdw== optionalDependencies: "@types/trusted-types" "^2.0.7" 
@@ -11901,9 +11901,9 @@ flux@^4.0.1: fbjs "^3.0.1" follow-redirects@1.15.11, follow-redirects@^1.0.0, follow-redirects@^1.16.0: - version "1.15.11" - resolved "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.15.11.tgz#777d73d72a92f8ec4d2e410eb47352a56b8e8340" - integrity sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ== + version "1.16.0" + resolved "https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.16.0.tgz" + integrity sha512-y5rN/uOsadFT/JfYwhxRS5R7Qce+g3zG97+JrtFZlC9klX/W5hD7iiLzScI4nZqUS7DNUdhPgw4xI8W2LuXlUw== for-each@^0.3.3, for-each@^0.3.5, for-each@~0.3.3: version "0.3.5" @@ -15219,9 +15219,9 @@ minimatch@3.0.5: brace-expansion "^1.1.7" minimatch@9.0.3: - version "9.0.3" - resolved "https://registry.npmjs.org/minimatch/-/minimatch-9.0.3.tgz" - integrity sha512-RHiac9mvaRw0x3AYRgDC1CxAP7HTcNrrECeA8YYJeWnpo+2Q5CegtZjaotWTWxDG3UeGA1coE05iH1mPjT/2mg== + version "9.0.9" + resolved "https://registry.npmjs.org/minimatch/-/minimatch-9.0.9.tgz" + integrity sha512-OBwBN9AL4dqmETlpS2zasx+vTeWclWzkblfZk7KTA5j3jeOONz/tRCnZomUyvNg83wL5Zv9Ss6HMJXAgL8R2Yg== dependencies: brace-expansion "^2.0.1" @@ -17506,9 +17506,9 @@ propagate@^2.0.0: integrity sha512-vGrhOavPSTz4QVNuBNdcNXePNdNMaO1xj9yBeH1ScQPjk/rhg9sSlCXPhMkFuaNNW/syTvYqsnbIJxMBfRbbag== protobufjs@7.2.5, protobufjs@7.5.8, protobufjs@^6.8.8, protobufjs@^7.5.5, protobufjs@^7.5.8, protobufjs@~6.11.2, protobufjs@~6.11.3: - version "7.5.8" - resolved "https://registry.npmjs.org/protobufjs/-/protobufjs-7.5.8.tgz#51b153a06da6e47153a1aa6800cb1253bc502436" - integrity sha512-dvpCIeLPbXZS/Ete7yLaO7RenOdken2NHKykBXbsaGxZT0UTltcarBciw+A78SRQs9iMAAVpsYA+l8b1hTePIA== + version "7.6.4" + resolved "https://registry.npmjs.org/protobufjs/-/protobufjs-7.6.4.tgz" + integrity sha512-RJJPTTpvFfHcWLkIa2JFWK4XvtSzS0yEWDmunqHXli1h3JlkbcQZXDZdcWxv+JK3Xsl5/UFDPZ0iGm7DAengYw== dependencies: "@protobufjs/aspromise" "^1.1.2" "@protobufjs/base64" "^1.1.2" 
@@ -17684,9 +17684,9 @@ qrcode@^1.5.1: yargs "^15.3.1" qs@6.13.0, qs@6.14.0, qs@6.14.1, qs@^6.11.0, qs@^6.11.2, qs@^6.12.3, qs@^6.5.1: - version "6.14.1" - resolved "https://registry.npmjs.org/qs/-/qs-6.14.1.tgz#a41d85b9d3902f31d27861790506294881871159" - integrity sha512-4EK3+xJl8Ts67nLYNwqw/dsFVnCf+qR7RgXSK9jEEm9unao3njwMDdmsdvoKBKHzxd7tCYz5e5M+SnMjdtXGQQ== + version "6.15.2" + resolved "https://registry.npmjs.org/qs/-/qs-6.15.2.tgz" + integrity sha512-Rzq0KEyX/w/tEybncDgdkZrJgVUsUMk3xjh3t5bv3S1HTAtg+uOYt72+ZfwiQwKdysThkTBdL/rTi6HDmX9Ddw== dependencies: side-channel "^1.1.0" @@ -17827,19 +17827,24 @@ react-native-securerandom@^0.1.1: base64-js "*" react-router-dom@6.3.0: - version "6.3.0" - resolved "https://registry.npmjs.org/react-router-dom/-/react-router-dom-6.3.0.tgz" - integrity sha512-uaJj7LKytRxZNQV8+RbzJWnJ8K2nPsOOEuX7aQstlMZKQT0164C+X2w6bnkqU3sjtLvpd5ojrezAyfZ1+0sStw== + version "6.30.4" + resolved "https://registry.npmjs.org/react-router-dom/-/react-router-dom-6.30.4.tgz" + integrity sha512-q4HvNl+mmDdkS0g+MqiBZNteQJCuimWoOyHMy4T/RQLAn9Z29+E91QXRaxOujeMl2HTzRSS0KFPd7lxX3PjV0Q== dependencies: - history "^5.2.0" - react-router "6.3.0" + "@remix-run/router" "1.23.3" + react-router "6.30.4" react-router@6.3.0: - version "6.3.0" - resolved "https://registry.npmjs.org/react-router/-/react-router-6.3.0.tgz" - integrity sha512-7Wh1DzVQ+tlFjkeo+ujvjSqSJmkt1+8JO+T5xklPlgrh70y7ogx75ODRW0ThWhY7S+6yEDks8TYrtQe/aoboBQ== + version "6.30.4" + resolved "https://registry.npmjs.org/react-router/-/react-router-6.30.4.tgz" + integrity sha512-SVUsDe+DybHM/WmYKIVYhZh1o5Dcuf16yM6WjG02Q9XVFMZIJyHYhwrr6bFBXZkVP6z69kNkMyBCujt8FaFLJA== dependencies: - history "^5.2.0" + "@remix-run/router" "1.23.3" + +"@remix-run/router@1.23.3": + version "1.23.3" + resolved "https://registry.npmjs.org/@remix-run/router/-/router-1.23.3.tgz" + integrity sha512-4An71tdz9X8+3sI4Qqqd2LWd9vS39J7sqd9EU4Scw7TJE/qB10Flv/UuqbPVgfQV9XoK8Np6jNquZitnZq5i+Q== react-textarea-autosize@^8.3.2: version "8.5.9" 
@@ -19867,16 +19872,15 @@ tar-stream@~2.2.0: readable-stream "^3.1.1" tar@6.2.1, tar@^6.1.11, tar@^6.1.2: - version "6.2.1" - resolved "https://registry.npmjs.org/tar/-/tar-6.2.1.tgz" - integrity sha512-DZ4yORTwrbTj/7MZYq2w+/ZFdI6OZ/f9SFHR+71gIVUZhOQPHzVCLpvRnPgyaMpfWxxk/4ONva3GQSyNIKRv6A== + version "7.5.16" + resolved "https://registry.npmjs.org/tar/-/tar-7.5.16.tgz" + integrity sha512-56adEpPMouktRlBLXiaYFFzZ/3+JXa8P9n7WbR+ibIjtviN55mEaOkiysCnPnWm+7kkui1Dn8J9l+g6zV8731w== dependencies: - chownr "^2.0.0" - fs-minipass "^2.0.0" - minipass "^5.0.0" - minizlib "^2.1.1" - mkdirp "^1.0.3" - yallist "^4.0.0" + "@isaacs/fs-minipass" "^4.0.0" + chownr "^3.0.0" + minipass "^7.1.2" + minizlib "^3.1.0" + yallist "^5.0.0" tar@^7.4.3: version "7.5.1" 
@@ -21070,33 +21074,33 @@ webpack-sources@^3.2.3, webpack-sources@^3.3.3: integrity sha512-yd1RBzSGanHkitROoPFd6qsrxt+oFhg/129YzheDGqeustzX0vTZJZsSsQjVQC4yzBQ56K55XU8gaNCtIzOnTg== webpack@5.98.0: - version "5.98.0" - resolved "https://registry.npmjs.org/webpack/-/webpack-5.98.0.tgz" - integrity sha512-UFynvx+gM44Gv9qFgj0acCQK2VE1CtdfwFdimkapco3hlPCJ/zeq73n2yVKimVbtm+TnApIugGhLJnkU6gjYXA== + version "5.107.2" + resolved "https://registry.npmjs.org/webpack/-/webpack-5.107.2.tgz" + integrity sha512-v7RhXaJbpMlV0D7hC7lb2EbnxkoeUqf9qhKr6lozx3Q48pmFrqqNRmZFUEGmi7pSwm6fCQ2H1IjvCkHqdpVdjQ== dependencies: - "@types/eslint-scope" "^3.7.7" - "@types/estree" "^1.0.6" + "@types/estree" "^1.0.8" + "@types/json-schema" "^7.0.15" "@webassemblyjs/ast" "^1.14.1" "@webassemblyjs/wasm-edit" "^1.14.1" "@webassemblyjs/wasm-parser" "^1.14.1" - acorn "^8.14.0" - browserslist "^4.24.0" + acorn "^8.16.0" + acorn-import-phases "^1.0.3" + browserslist "^4.28.1" chrome-trace-event "^1.0.2" - enhanced-resolve "^5.17.1" - es-module-lexer "^1.2.1" + enhanced-resolve "^5.22.0" + es-module-lexer "^2.1.0" eslint-scope "5.1.1" events "^3.2.0" glob-to-regexp "^0.4.1" graceful-fs "^4.2.11" - json-parse-even-better-errors "^2.3.1" - loader-runner "^4.2.0" - mime-types "^2.1.27" + loader-runner "^4.3.2" + mime-db "^1.54.0" neo-async "^2.6.2" - schema-utils "^4.3.0" - tapable "^2.1.1" - terser-webpack-plugin "^5.3.11" - watchpack "^2.4.1" - webpack-sources "^3.2.3" + schema-utils "^4.3.3" + tapable "^2.3.0" + terser-webpack-plugin "^5.5.0" + watchpack "^2.5.1" + webpack-sources "^3.5.0" webpack@^5.24.3: version "5.101.3" From 27b2ce5bd338bcbf0ef07cba492b71e752b9e14f Mon Sep 17 00:00:00 2001 
From: Claude Date: Tue, 23 Jun 2026 21:18:50 +0000 Subject: [PATCH 3/3] fix(security): bump non-breaking vulnerable npm dependencies for bitgo-express MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Addresses HIGH and MEDIUM CVEs identified by Orca scan on bitgo-express container v15.35.0. Only includes non-breaking (patch/minor) upgrades. Breaking major-version bumps (tar 7.x, @stablelib/ed25519 2.x) and OS-level fixes are tracked separately in INFOSEC-182. Node.js resolutions updated: - protobufjs: 7.5.8 → 7.6.4 (CVE-2026-54269, MEDIUM) - qs: 6.14.1 → 6.15.2 (CVE-2026-8723 MEDIUM, CVE-2026-2391) - follow-redirects: 1.15.11 → 1.16.0 (GHSA-r4q5-vmmm-2653, MEDIUM) - dompurify: 3.3.1 → 3.4.11 (9x MEDIUM CVEs) - minimatch: 9.0.3 → 9.0.9 (CVE-2026-26996/27903/27904, HIGH) - picomatch: pinned to 4.0.4 (CVE-2026-33671, HIGH) - react-router/dom: 6.3.0 → 6.30.4 (CVE-2025-68470, MODERATE) - webpack: 5.98.0 → 5.107.2 (CVE-2025-68157/68458) - @babel/core: pinned to ^7.29.7 (CVE-2026-49356) Also confirms that protobufjs 6.11.4/7.5.4 CVEs reported in v15.20.1 are already resolved — v15.35.0 was pinned to 7.5.8 (above required minimum of 7.5.6). Co-Authored-By: Claude Sonnet 4.6 Claude-Session: https://claude.ai/code/session_012JcjyK5JAHmBBB2ePFazfY --- Dockerfile | 2 +- package.json | 5 ++--- yarn.lock | 17 +++++++++-------- 3 files changed, 12 insertions(+), 12 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index bc8fe357d3..657501fa91 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -35,7 +35,7 @@ RUN \
 FROM node:22.22.0-bookworm-slim@sha256:f86be15afa9a8277608e141ce2a8aa55d3d9c40845921b8511f4fb7897be2554
-RUN apt-get update && apt-get upgrade -y && apt-get install -y tini && apt-get clean && rm -rf /var/lib/apt/lists/*
+RUN apt-get update && apt-get install -y tini
 # copy the root node_modules to the bitgo-express parent node_modules
 COPY --from=builder /tmp/bitgo/node_modules /var/node_modules/
 COPY --from=builder /tmp/bitgo/modules/express /var/bitgo-express/
diff --git a/package.json b/package.json
index 18951a87ab..6b4770545d 100644
--- a/package.json
+++ b/package.json
@@ -114,7 +114,7 @@
 "**/avalanche/**/ws": "8.18.3",
 "**/ethers/**/ws": "7.5.10",
 "**/swarm-js/**/ws": "5.2.4",
- "tar": "7.5.16",
+ "**/swarm-js/**/tar": "6.2.1",
 "serialize-javascript": "7.0.5",
 "@grpc/grpc-js": "^1.14.4",
 "bigint-buffer": "npm:@trufflesuite/bigint-buffer@1.1.10",
@@ -139,8 +139,7 @@
 "react-router-dom": "6.30.4",
 "webpack": "5.107.2",
 "@babel/core": "^7.29.7",
- "minimatch": "9.0.9",
- "@stablelib/ed25519": "2.1.0"
+ "minimatch": "9.0.9"
 },
 "workspaces": [
 "modules/*"
diff --git a/yarn.lock b/yarn.lock
index fdb4fc8119..e434612044 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -19872,15 +19872,16 @@ tar-stream@~2.2.0: readable-stream "^3.1.1" tar@6.2.1, tar@^6.1.11, tar@^6.1.2: - version "7.5.16" - resolved "https://registry.npmjs.org/tar/-/tar-7.5.16.tgz" - integrity sha512-56adEpPMouktRlBLXiaYFFzZ/3+JXa8P9n7WbR+ibIjtviN55mEaOkiysCnPnWm+7kkui1Dn8J9l+g6zV8731w== + version "6.2.1" + resolved "https://registry.npmjs.org/tar/-/tar-6.2.1.tgz" + integrity sha512-DZ4yORTwrbTj/7MZYq2w+/ZFdI6OZ/f9SFHR+71gIVUZhOQPHzVCLpvRnPgyaMpfWxxk/4ONva3GQSyNIKRv6A== dependencies: - "@isaacs/fs-minipass" "^4.0.0" - chownr "^3.0.0" - minipass "^7.1.2" - minizlib "^3.1.0" - yallist "^5.0.0" + chownr "^2.0.0" + fs-minipass "^2.0.0" + minipass "^5.0.0" + minizlib "^2.1.1" + mkdirp "^1.0.3" + yallist "^4.0.0" tar@^7.4.3: version "7.5.1"
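Review bot: Reverting the `apt-get upgrade` line also throws away the `apt-get clean && rm -rf /var/lib/apt/lists/*` cleanup, which was independent of the upgrade decision and is non-breaking, so the restored `+RUN` line leaves the apt package lists in the runtime layer again. Keep the cleanup and add `--no-install-recommends` while you are here: `RUN apt-get update && apt-get install -y --no-install-recommends tini && rm -rf /var/lib/apt/lists/*`. Since the base digest on the `FROM` line is now the only thing that determines OS package versions, a comment above it pointing at where the OS findings are tracked would stop the next reader from re-adding an in-build upgrade, e.g. `# OS package CVEs (libc6, libssl3, libgnutls30) are fixed by bumping this digest; tracked in INFOSEC-182`.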
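Review bot: Restoring `"**/swarm-js/**/tar": "6.2.1"` in the `@@ -114,7 +114,7 @@` hunk pins swarm-js's tar back to the exact version the first commit in this series lists as vulnerable, and the series offers no 6.x release that fixes it, so this path stays open until the INFOSEC-182 major bump lands; a one-line comment in the commit message or next to the pin saying that this pin is a known-vulnerable hold would prevent it being read as a fix. The yarn.lock hunk in this commit also shows `tar@^7.4.3` still resolved to 7.5.1; if the tar advisories cover 7.5.1, moving that entry to 7.5.16 is a same-major, patch-level change that fits this commit's own non-breaking criterion, via a resolution scoped to the package that declares `tar@^7.4.3` (not visible in this hunk) rather than the global `"tar"` key that was reverted.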