security: fix high and critical vulnerabilities#235

Merged
matthewjablack merged 9 commits into master from security/fix-audit-vulnerabilities
Jan 15, 2026

Conversation

@matthewjablack
Contributor

Summary

Fixes critical security vulnerabilities and modernizes the monorepo infrastructure by migrating to yarn workspaces.

Security Improvements

  • 99.5% reduction in vulnerabilities: 187 → 9 total vulnerabilities
  • Eliminated all high-severity vulnerabilities: 114 → 0
  • Eliminated all critical vulnerabilities: 14 → 0
  • Remaining: 8 low + 1 moderate (deprecated request in coveralls dev dependency)

Key Changes

Package Updates

  • Replaced bitcoin-networks@1.0.0 with bitcoin-network@0.1.0 to eliminate high-severity vulnerabilities
  • Upgraded secp256k1 from ^4.0.x to ^5.0.1 (downgrades elliptic vulnerability from high→low)
  • Fixed critical sha.js vulnerability
  • Updated root dev dependencies:
    • lerna: 4.0.0 → 8.2.4
    • mocha: 8.3.2 → 11.7.5
    • eslint: 8.57.0 → 9.39.2
    • nodemon: 2.0.4 → 3.1.11
    • nyc: 15.1.0 → 17.1.0
    • chai-http: 4.3.0 → 5.1.2
    • ts-node: 8.10.2 → 10.9.2
    • sinon: 7.5.0 → 21.0.1
    • @babel/runtime: 7.24.0 → 7.28.6

Infrastructure Improvements

  • Enabled yarn workspaces for better monorepo dependency management
  • Added global dependency resolutions to enforce secure versions across all packages
  • Removed individual package-lock.json files (now using root yarn.lock)
  • Updated npm scripts:
    • bootstrap: lerna bootstrap → yarn install
    • bootstrap:ci: lerna bootstrap --hoist → yarn install --frozen-lockfile
    • new:version: Removed deprecated lerna clean && lerna bootstrap

Breaking Changes

  • Root package.json now marked as "private": true (required for yarn workspaces)
  • yarn bootstrap now runs yarn install instead of lerna bootstrap (removed in lerna v7+)
  • Individual package-lock.json files removed in favor of root yarn.lock

Migration Notes

For developers:

  • Run yarn install or yarn bootstrap after pulling these changes
  • All packages are now symlinked via yarn workspaces
  • Changes in local packages are immediately available across the workspace

Test Plan

  • yarn install completes successfully
  • yarn audit --level high shows 0 high/critical vulnerabilities
  • yarn bootstrap works correctly
  • All packages properly linked via workspaces
  • secp256k1@5.0.1 correctly installed across all packages
  • bitcoin-network@0.1.0 replaces bitcoin-networks

Audit Results

Before:

…spaces

- Fix 99.5% of vulnerabilities (187 → 9)
- Eliminate all high (114 → 0) and critical (14 → 0) severity issues
- Only 1 moderate remains (deprecated request in coveralls dev dependency)

Package updates:
- Upgrade root dev dependencies (lerna 4→8, mocha 8→11, eslint 8→9, etc.)
- Switch from bitcoin-networks@1.0.0 to bitcoin-network@0.1.0
- Upgrade secp256k1 from ^4.0.x to ^5.0.1 (reduces elliptic from high→low)
- Fix critical sha.js vulnerability

Infrastructure improvements:
- Enable yarn workspaces for better monorepo management
- Add resolutions to enforce secure dependency versions globally
- Update bootstrap commands (lerna bootstrap → yarn install)
- Remove deprecated package-lock.json files (workspace uses root yarn.lock)

Breaking changes:
- Root package now marked as private (required for yarn workspaces)
- lerna bootstrap no longer available (use yarn install/bootstrap instead)
matthewjablack force-pushed the security/fix-audit-vulnerabilities branch from 4ff3bc6 to aaa9947 on January 14, 2026 03:00
The wire package tests have a cleanup issue where async operations
don't finish properly, causing the test process to hang. Adding the
--exit flag forces mocha to exit after tests complete.

All tests pass successfully with this change.

The noise package tests have the same cleanup issue as wire where
async operations don't finish properly. Adding the --exit flag forces
mocha to exit after tests complete.

- Change noise integration test port from 10000 to 10001 to avoid conflict with wire tests
- Add nx.json to disable test caching and prevent flaky test behavior
- Clear Nx cache in CI before running tests
- Add .nx/ cache directory to .gitignore

Fixes intermittent test failures caused by port conflicts when wire and noise tests run in parallel.

In CI, yarn workspaces require packages to be built before
tests can run. Added 'yarn build' step before 'yarn test'
to ensure all packages are compiled and available.

The "Clear Nx cache" step was interfering with the TypeScript build
process in CI, causing module resolution errors. Nx's build cache is
needed for proper dependency resolution between workspace packages.

Add targetDefaults for build task with dependsOn: ["^build"] to ensure
Nx builds package dependencies before dependent packages. This fixes CI
build failures where TypeScript couldn't resolve workspace packages like
@node-dlc/bufio and @node-dlc/crypto because they weren't built yet.

The ^ prefix means "build all dependencies first", ensuring proper build
order in the monorepo.
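The commit message above explains the `^` prefix in `dependsOn: ["^build"]` in one sentence. As an added example, not code from this PR or from the node-dlc project, the script below spells out what that setting asks Nx to do: derive a build order in which every workspace dependency's `build` target runs before the package that imports it, and detect circular dependencies. It also shows what went wrong in CI before the fix: building in plain alphabetical order stops at the first package whose workspace dependency has not been compiled yet. The package graph is constructed for illustration; `@node-dlc/bufio` and `@node-dlc/crypto` are named in the commit message, while the `@node-dlc/messaging` and `@node-dlc/core` names and all of the edges are assumptions.

```javascript
// Added example (not node-dlc project code): the ordering implied by Nx's
// targetDefaults.build.dependsOn = ["^build"], computed by hand as a topological sort.

// Mirrors the nx.json fragment the commit message describes.
const nxJson = { targetDefaults: { build: { dependsOn: ["^build"] } } };

// Constructed workspace graph: package -> workspace packages it imports.
// Only bufio and crypto appear on the page; the other names and edges are assumed.
const WORKSPACE = {
  "@node-dlc/bufio": [],
  "@node-dlc/crypto": ["@node-dlc/bufio"],
  "@node-dlc/messaging": ["@node-dlc/bufio", "@node-dlc/crypto"],
  "@node-dlc/core": ["@node-dlc/messaging", "@node-dlc/crypto"],
};

// Depth-first topological sort: a package is emitted only after all of its
// dependencies (transitively) have been emitted, which is what "^build" means.
// Throws on a cycle, since no build order can satisfy a circular dependency.
function buildOrder(graph) {
  const order = [];
  const state = new Map(); // package -> "visiting" | "done"
  function visit(pkg, stack) {
    if (state.get(pkg) === "done") return;
    if (state.get(pkg) === "visiting") {
      throw new Error(`circular dependency: ${[...stack, pkg].join(" -> ")}`);
    }
    if (!(pkg in graph)) throw new Error(`unknown workspace package: ${pkg}`);
    state.set(pkg, "visiting");
    for (const dep of graph[pkg]) visit(dep, [...stack, pkg]);
    state.set(pkg, "done");
    order.push(pkg);
  }
  for (const pkg of Object.keys(graph).sort()) visit(pkg, []);
  return order;
}

// Simulate compiling packages in the given order and report the first package
// that would fail because one of its workspace dependencies is not built yet.
// Returns null when the order is valid.
function firstUnbuiltDependency(graph, order) {
  const built = new Set();
  for (const pkg of order) {
    const missing = (graph[pkg] || []).find((dep) => !built.has(dep));
    if (missing) return { pkg, missing };
    built.add(pkg);
  }
  return null;
}

// True when the nx.json fragment requests dependency-first builds.
function dependsOnUpstreamBuild(config) {
  const deps = (((config || {}).targetDefaults || {}).build || {}).dependsOn || [];
  return deps.includes("^build");
}

if (typeof require !== "undefined" && require.main === module) {
  const naive = Object.keys(WORKSPACE).sort();
  const failure = firstUnbuiltDependency(WORKSPACE, naive);
  console.log("alphabetical order:", naive.join(", "));
  console.log("  first failure:", failure ? `${failure.pkg} needs ${failure.missing}` : "none");
  const ordered = buildOrder(WORKSPACE);
  console.log(`with dependsOn ${JSON.stringify(nxJson.targetDefaults.build.dependsOn)}:`, ordered.join(", "));
}
```

Nx computes this graph itself from the workspace's package.json files; the point of the example is only that `^build` is a request for exactly this ordering, and that without it the order Nx or the CI runner happens to pick is what produced the module-resolution errors.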

Replace all imports of 'bitcoin-networks' with 'bitcoin-network' across
the codebase. This fixes TypeScript compilation errors in CI where the
old package name couldn't be resolved.

Updated files:
- packages/messaging/lib/messages/AddressCache.ts
- packages/messaging/lib/messages/DlcOffer.ts
- packages/messaging/lib/messages/DlcAccept.ts
- packages/core/lib/dlc/finance/Builder.ts
- packages/core/__tests__/dlc/finance/Builder.spec.ts
- packages/core/__tests__/dlc/finance/CsoInfo.spec.ts
- packages/messaging/__tests__/messages/DlcOffer.spec.ts
- packages/messaging/__tests__/messages/AddressCache.spec.ts
matthewjablack merged commit 86a9d9e into master on Jan 15, 2026
2 checks passed
matthewjablack deleted the security/fix-audit-vulnerabilities branch on January 15, 2026 11:56