Skip to content

chore(deps): bump minor versions for vulnerability fixes#925

Merged
oskarszoon merged 6 commits into
bsv-blockchain:mainfrom
oskarszoon:fix/deps-bump-minor
May 22, 2026
Merged

chore(deps): bump minor versions for vulnerability fixes#925
oskarszoon merged 6 commits into
bsv-blockchain:mainfrom
oskarszoon:fix/deps-bump-minor

Conversation

@oskarszoon

@oskarszoon oskarszoon commented May 21, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Summary

Applies 9 non-breaking dependency bumps identified by the 2026-05-21 vulnerability triage as fix_class=dep-bump-minor. Closes the following Dependabot alerts:

6 commits, one per ecosystem group + a final go mod tidy.

Deferred from this PR

Test plan

Full AGENTS.md verification battery ran clean:

  • go build ./...
  • go test ./... — 8044 tests pass in 148 packages
  • go test -race ./... — zero Action:"fail" entries
  • go vet ./... — only 4 pre-existing issues in test/utils/ (unrelated to bumps)
  • golangci-lint run
  • staticcheck ./...
  • govulncheck ./... — all 8 bumped Go packages no longer flagged; remaining vulns are Go stdlib (needs 1.26.3) + deferred docker + libp2p (no fix)
  • gosec ./... — informational (717 pre-existing findings, not introduced by bumps)
  • cd ui/dashboard && npm install && npm run build && npm run test:unit — 29 vitest tests pass

Per-group additional verification:

  • pgx: go test -race ./stores/blockchain/sql/... ./stores/utxo/sql/... — 735 tests pass
  • aws-sdk: go test -race ./stores/blob/... — 281 tests pass
  • otel: go test -race ./util/tracing/... — 29 tests pass

Notes

  • Indirect-dep bumps (eventstream, otlpmetrichttp, spdystream) were explicit via go get because go mod tidy alone does not always pull patched versions through direct-dep transitive closure.
  • Final go mod tidy cleaned up the indirect block (44 line removals in go.sum).
  • otlpmetrichttp jumped 8 minor versions (v1.35.0 → v1.43.0); verified by tracing test suite.

oskarszoon added 6 commits May 21, 2026 16:40
@oskarszoon
chore(deps): bump jackc/pgx/v5 to v5.9.2
b001b1a 
Closes Dependabot alerts bsv-blockchain#84 (critical memory-safety in v5.8.0) and bsv-blockchain#86
(SQL injection via dollar-quoted placeholder confusion). pgx is used in
production blockchain and UTXO SQL stores.
@oskarszoon
chore(deps): bump aws-sdk-go-v2 s3 + eventstream
a37c6fb 
Closes Dependabot alerts bsv-blockchain#72 and bsv-blockchain#71. EventStream decoder DoS panic in
v1.7.4 is patched in v1.7.10; s3 service module updated to v1.96.4
(latest patch in the v1.96.x line).
@oskarszoon
chore(deps): bump otel/sdk + otlp HTTP exporters to v1.43.0
0fde7a0 
Closes Dependabot alerts bsv-blockchain#78, bsv-blockchain#77, bsv-blockchain#76. otel/sdk v1.42.0 kenv PATH
hijack (BSD-only, non-exploitable on Linux); otlptracehttp and
otlpmetrichttp unbounded HTTP response body reads patched in v1.43.0.

otlpmetrichttp jump v1.35.0 -> v1.43.0 verified by build + util/tracing
test suite (29 tests pass).
@oskarszoon
chore(deps): bump moby/spdystream to v0.5.1
2d59d68 
Closes Dependabot alert bsv-blockchain#83. moby/spdystream DoS via CRI in v0.5.0
patched in v0.5.1. Indirect dep.

Note: moby/buildkit bumps (alerts bsv-blockchain#64, bsv-blockchain#65) deferred. v0.28.1 pulls
docker/buildx v0.29.1 which uses moby/moby/client types incompatible
with the docker/docker types still used elsewhere in the teranode
dep graph (via testcontainers -> docker/compose -> buildx). Resolving
the chain requires a testcontainers v0.40 -> v0.42 migration that
breaks nat.Port -> network.Port across ~10 source files. Tracked in
separate GH issue.
@oskarszoon
chore(deps): bump svgo to ^4.0.1 in ui/dashboard
404efd7 
Closes Dependabot alert bsv-blockchain#49. svgo billion-laughs DoS (GHSA-xpqw-6gx7-v673)
patched in v4.0.1. svgo is a build-time devDependency used by
@poppanator/sveltekit-svg.

Verified: npm install + npm run build + npm run test:unit (29 tests pass).
playwright (test:integration) not run locally; CI covers it.
@oskarszoon
chore(deps): go mod tidy after minor bumps
d8bdbea
@oskarszoon oskarszoon mentioned this pull request May 21, 2026
Closed
@github-actions

github-actions Bot commented May 21, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

🤖 Claude Code Review

Status: Complete

Current Review:

No issues found. This PR applies security-focused dependency bumps that address critical vulnerabilities:

Summary:

  • All version bumps are minor/patch updates within semantic versioning constraints
  • Changes are limited to dependency declarations in go.mod, go.sum, and npm package files
  • No code changes required due to backward-compatible updates
  • Comprehensive test coverage documented in PR description

Verification claims matched:

  • PR description states all AGENTS.md verification commands passed (go build, go test, go test -race, go vet, golangci-lint, staticcheck, govulncheck, gosec, npm build/test)
  • Version ranges in package files use compatible versioning (^ for npm, standard semver for Go)
  • Indirect dependencies explicitly updated via go get (eventstream, otlpmetrichttp, spdystream) as documented

Risk assessment:

  • Low risk: All updates are security patches addressing known CVEs
  • Deferred items (buildkit, docker deps) appropriately documented with rationale
  • Test results indicate no breaking changes introduced

The dependency updates are correctly scoped, well-documented, and follow project security practices.

@sonarqubecloud

sonarqubecloud Bot commented May 21, 2026

Copy link
Copy Markdown

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@github-actions

github-actions Bot commented May 21, 2026

Copy link
Copy Markdown
Contributor

Benchmark Comparison Report

Baseline: main (unknown)

Current: PR-925 (142f699)

Summary

  • Regressions: 0
  • Improvements: 0
  • Unchanged: 144
  • Significance level: p < 0.05
All benchmark results (sec/op)
Benchmark Baseline Current Change p-value
_NewBlockFromBytes-4 1.682µ 1.786µ ~ 0.100
SplitSyncedParentMap_SetIfNotExists/256_buckets-4 61.57n 61.71n ~ 1.000
SplitSyncedParentMap_SetIfNotExists/16_buckets-4 61.47n 61.58n ~ 1.000
SplitSyncedParentMap_SetIfNotExists/1_bucket-4 61.48n 61.81n ~ 0.200
SplitSyncedParentMap_ConcurrentSetIfNotExists/256_buckets... 30.10n 30.74n ~ 0.100
SplitSyncedParentMap_ConcurrentSetIfNotExists/16_buckets_... 50.97n 52.57n ~ 0.700
SplitSyncedParentMap_ConcurrentSetIfNotExists/1_bucket_pa... 106.1n 106.8n ~ 0.400
MiningCandidate_Stringify_Short-4 260.4n 264.2n ~ 0.100
MiningCandidate_Stringify_Long-4 1.912µ 1.872µ ~ 0.100
MiningSolution_Stringify-4 970.2n 982.2n ~ 0.400
BlockInfo_MarshalJSON-4 1.783µ 1.775µ ~ 0.300
NewFromBytes-4 129.5n 144.1n ~ 0.100
AddTxBatchColumnar_Validation-4 2.629µ 2.464µ ~ 0.400
OffsetValidationLoop-4 646.6n 639.5n ~ 0.400
Mine_EasyDifficulty-4 66.89µ 66.84µ ~ 1.000
Mine_WithAddress-4 7.315µ 6.965µ ~ 0.700
DirectSubtreeAdd/4_per_subtree-4 57.07n 57.79n ~ 0.200
DirectSubtreeAdd/64_per_subtree-4 28.29n 29.08n ~ 0.100
DirectSubtreeAdd/256_per_subtree-4 27.30n 27.39n ~ 0.400
DirectSubtreeAdd/1024_per_subtree-4 26.39n 26.37n ~ 1.000
DirectSubtreeAdd/2048_per_subtree-4 25.93n 26.02n ~ 1.000
SubtreeProcessorAdd/4_per_subtree-4 296.3n 320.1n ~ 0.100
SubtreeProcessorAdd/64_per_subtree-4 290.7n 321.3n ~ 0.100
SubtreeProcessorAdd/256_per_subtree-4 306.3n 304.7n ~ 1.000
SubtreeProcessorAdd/1024_per_subtree-4 278.6n 319.0n ~ 0.100
SubtreeProcessorAdd/2048_per_subtree-4 273.5n 319.5n ~ 0.100
SubtreeProcessorRotate/4_per_subtree-4 280.5n 336.9n ~ 0.100
SubtreeProcessorRotate/64_per_subtree-4 278.1n 308.4n ~ 0.100
SubtreeProcessorRotate/256_per_subtree-4 281.5n 310.8n ~ 0.100
SubtreeProcessorRotate/1024_per_subtree-4 295.6n 307.6n ~ 0.100
SubtreeNodeAddOnly/4_per_subtree-4 54.90n 54.99n ~ 0.200
SubtreeNodeAddOnly/64_per_subtree-4 34.34n 34.51n ~ 0.100
SubtreeNodeAddOnly/256_per_subtree-4 33.36n 33.45n ~ 0.100
SubtreeNodeAddOnly/1024_per_subtree-4 32.83n 32.77n ~ 0.400
SubtreeCreationOnly/4_per_subtree-4 113.8n 115.0n ~ 0.100
SubtreeCreationOnly/64_per_subtree-4 400.0n 406.7n ~ 0.100
SubtreeCreationOnly/256_per_subtree-4 1.341µ 1.394µ ~ 0.100
SubtreeCreationOnly/1024_per_subtree-4 4.389µ 4.509µ ~ 0.100
SubtreeCreationOnly/2048_per_subtree-4 8.213µ 8.261µ ~ 0.700
SubtreeProcessorOverheadBreakdown/64_per_subtree-4 274.6n 290.7n ~ 0.100
SubtreeProcessorOverheadBreakdown/1024_per_subtree-4 280.4n 305.6n ~ 0.100
ParallelGetAndSetIfNotExists/1k_nodes-4 2.212m 2.268m ~ 0.100
ParallelGetAndSetIfNotExists/10k_nodes-4 5.399m 5.480m ~ 0.100
ParallelGetAndSetIfNotExists/50k_nodes-4 7.654m 8.229m ~ 0.100
ParallelGetAndSetIfNotExists/100k_nodes-4 10.79m 11.64m ~ 0.100
SequentialGetAndSetIfNotExists/1k_nodes-4 1.945m 2.010m ~ 0.100
SequentialGetAndSetIfNotExists/10k_nodes-4 4.771m 7.127m ~ 0.100
SequentialGetAndSetIfNotExists/50k_nodes-4 12.75m 23.10m ~ 0.100
SequentialGetAndSetIfNotExists/100k_nodes-4 22.82m 43.01m ~ 0.100
ProcessOwnBlockSubtreeNodesParallel/1k_nodes-4 2.270m 2.326m ~ 0.100
ProcessOwnBlockSubtreeNodesParallel/10k_nodes-4 8.320m 8.476m ~ 0.100
ProcessOwnBlockSubtreeNodesParallel/100k_nodes-4 13.78m 14.43m ~ 0.100
ProcessOwnBlockSubtreeNodesSequential/1k_nodes-4 1.968m 2.060m ~ 0.200
ProcessOwnBlockSubtreeNodesSequential/10k_nodes-4 8.267m 9.237m ~ 0.100
ProcessOwnBlockSubtreeNodesSequential/100k_nodes-4 42.19m 55.19m ~ 0.100
BlockAssembler_AddTx-4 0.03358n 0.02930n ~ 0.100
AddNode-4 12.53 12.46 ~ 0.700
AddNodeWithMap-4 12.82 13.50 ~ 0.200
DiskTxMap_SetIfNotExists-4 3.665µ 3.637µ ~ 1.000
DiskTxMap_SetIfNotExists_Parallel-4 3.443µ 3.474µ ~ 1.000
DiskTxMap_ExistenceOnly-4 339.8n 320.9n ~ 0.100
Queue-4 186.1n 185.2n ~ 0.200
AtomicPointer-4 3.704n 3.652n ~ 0.200
ReorgOptimizations/DedupFilterPipeline/Old/10K-4 830.8µ 787.4µ ~ 0.100
ReorgOptimizations/DedupFilterPipeline/New/10K-4 760.7µ 765.1µ ~ 0.100
ReorgOptimizations/AllMarkFalse/Old/10K-4 104.4µ 103.2µ ~ 0.700
ReorgOptimizations/AllMarkFalse/New/10K-4 64.41µ 64.97µ ~ 0.100
ReorgOptimizations/HashSlicePool/Old/10K-4 50.95µ 49.89µ ~ 0.700
ReorgOptimizations/HashSlicePool/New/10K-4 11.43µ 11.11µ ~ 0.100
ReorgOptimizations/NodeFlags/Old/10K-4 4.325µ 4.355µ ~ 0.100
ReorgOptimizations/NodeFlags/New/10K-4 1.462µ 1.476µ ~ 0.200
ReorgOptimizations/DedupFilterPipeline/Old/100K-4 9.429m 9.104m ~ 0.700
ReorgOptimizations/DedupFilterPipeline/New/100K-4 9.398m 9.313m ~ 0.400
ReorgOptimizations/AllMarkFalse/Old/100K-4 1.078m 1.069m ~ 0.100
ReorgOptimizations/AllMarkFalse/New/100K-4 705.0µ 704.3µ ~ 0.700
ReorgOptimizations/HashSlicePool/Old/100K-4 479.9µ 483.8µ ~ 0.700
ReorgOptimizations/HashSlicePool/New/100K-4 201.9µ 195.8µ ~ 1.000
ReorgOptimizations/NodeFlags/Old/100K-4 47.91µ 48.20µ ~ 0.100
ReorgOptimizations/NodeFlags/New/100K-4 16.55µ 16.55µ ~ 1.000
TxMapSetIfNotExists-4 49.57n 49.67n ~ 0.400
TxMapSetIfNotExistsDuplicate-4 41.28n 41.35n ~ 1.000
ChannelSendReceive-4 611.5n 601.4n ~ 0.100
CalcBlockWork-4 462.5n 474.2n ~ 0.100
CalculateWork-4 639.9n 632.8n ~ 0.400
BuildBlockLocatorString_Helpers/Size_10-4 1.359µ 1.334µ ~ 0.100
BuildBlockLocatorString_Helpers/Size_100-4 16.25µ 12.97µ ~ 0.700
BuildBlockLocatorString_Helpers/Size_1000-4 128.5µ 144.0µ ~ 0.700
CatchupWithHeaderCache-4 104.3m 104.4m ~ 1.000
_BufferPoolAllocation/16KB-4 3.886µ 3.639µ ~ 0.100
_BufferPoolAllocation/32KB-4 7.558µ 7.203µ ~ 0.100
_BufferPoolAllocation/64KB-4 16.14µ 20.57µ ~ 0.700
_BufferPoolAllocation/128KB-4 24.43µ 25.10µ ~ 0.700
_BufferPoolAllocation/512KB-4 107.06µ 92.60µ ~ 0.100
_BufferPoolConcurrent/32KB-4 18.77µ 17.85µ ~ 0.200
_BufferPoolConcurrent/64KB-4 29.93µ 28.71µ ~ 0.700
_BufferPoolConcurrent/512KB-4 145.2µ 139.8µ ~ 0.100
_SubtreeDeserializationWithBufferSizes/16KB-4 617.6µ 607.4µ ~ 0.100
_SubtreeDeserializationWithBufferSizes/32KB-4 630.7µ 607.5µ ~ 0.100
_SubtreeDeserializationWithBufferSizes/64KB-4 611.1µ 603.4µ ~ 0.100
_SubtreeDeserializationWithBufferSizes/128KB-4 589.9µ 584.8µ ~ 0.200
_SubtreeDeserializationWithBufferSizes/512KB-4 599.5µ 595.3µ ~ 0.100
_SubtreeDataDeserializationWithBufferSizes/16KB-4 36.42m 35.98m ~ 0.100
_SubtreeDataDeserializationWithBufferSizes/32KB-4 36.05m 35.95m ~ 0.400
_SubtreeDataDeserializationWithBufferSizes/64KB-4 36.21m 35.91m ~ 0.200
_SubtreeDataDeserializationWithBufferSizes/128KB-4 36.11m 35.71m ~ 0.200
_SubtreeDataDeserializationWithBufferSizes/512KB-4 35.75m 35.46m ~ 0.100
_PooledVsNonPooled/Pooled-4 646.3n 736.0n ~ 0.100
_PooledVsNonPooled/NonPooled-4 7.380µ 7.215µ ~ 0.100
_MemoryFootprint/Current_512KB_32concurrent-4 6.482µ 6.318µ ~ 0.100
_MemoryFootprint/Proposed_32KB_32concurrent-4 9.213µ 9.095µ ~ 0.100
_MemoryFootprint/Alternative_64KB_32concurrent-4 9.070µ 8.761µ ~ 0.400
_prepareTxsPerLevel-4 419.9m 431.8m ~ 0.100
_prepareTxsPerLevelOrdered-4 3.698m 3.772m ~ 0.700
_prepareTxsPerLevel_Comparison/Original-4 426.3m 425.0m ~ 1.000
_prepareTxsPerLevel_Comparison/Optimized-4 3.635m 3.768m ~ 0.100
SubtreeSizes/10k_tx_4_per_subtree-4 1.282m 1.462m ~ 0.700
SubtreeSizes/10k_tx_16_per_subtree-4 301.3µ 302.8µ ~ 0.700
SubtreeSizes/10k_tx_64_per_subtree-4 72.32µ 71.33µ ~ 0.100
SubtreeSizes/10k_tx_256_per_subtree-4 17.92µ 17.69µ ~ 0.700
SubtreeSizes/10k_tx_512_per_subtree-4 8.845µ 8.736µ ~ 0.200
SubtreeSizes/10k_tx_1024_per_subtree-4 4.397µ 4.421µ ~ 0.700
SubtreeSizes/10k_tx_2k_per_subtree-4 2.212µ 2.145µ ~ 0.200
BlockSizeScaling/10k_tx_64_per_subtree-4 69.79µ 69.00µ ~ 0.400
BlockSizeScaling/10k_tx_256_per_subtree-4 17.48µ 17.65µ ~ 0.700
BlockSizeScaling/10k_tx_1024_per_subtree-4 4.378µ 4.365µ ~ 1.000
BlockSizeScaling/50k_tx_64_per_subtree-4 371.2µ 365.0µ ~ 0.400
BlockSizeScaling/50k_tx_256_per_subtree-4 87.20µ 88.89µ ~ 0.400
BlockSizeScaling/50k_tx_1024_per_subtree-4 21.54µ 21.43µ ~ 0.800
SubtreeAllocations/small_subtrees_exists_check-4 150.7µ 148.1µ ~ 0.200
SubtreeAllocations/small_subtrees_data_fetch-4 159.9µ 156.9µ ~ 0.200
SubtreeAllocations/small_subtrees_full_validation-4 311.9µ 302.1µ ~ 0.200
SubtreeAllocations/medium_subtrees_exists_check-4 8.882µ 8.901µ ~ 1.000
SubtreeAllocations/medium_subtrees_data_fetch-4 9.362µ 9.306µ ~ 0.700
SubtreeAllocations/medium_subtrees_full_validation-4 17.57µ 17.70µ ~ 1.000
SubtreeAllocations/large_subtrees_exists_check-4 2.107µ 2.078µ ~ 0.100
SubtreeAllocations/large_subtrees_data_fetch-4 2.250µ 2.212µ ~ 0.100
SubtreeAllocations/large_subtrees_full_validation-4 4.392µ 4.342µ ~ 0.700
StoreBlock_Sequential/BelowCSVHeight-4 333.3µ 338.7µ ~ 0.200
StoreBlock_Sequential/AboveCSVHeight-4 333.4µ 339.6µ ~ 0.100
GetUtxoHashes-4 271.2n 277.9n ~ 0.400
GetUtxoHashes_ManyOutputs-4 45.23µ 45.75µ ~ 0.200
_NewMetaDataFromBytes-4 214.4n 216.0n ~ 0.100
_Bytes-4 404.0n 402.5n ~ 0.400
_MetaBytes-4 141.2n 140.3n ~ 1.000

Threshold: >10% with p < 0.05 | Generated: 2026-05-21 17:16 UTC

@oskarszoon oskarszoon enabled auto-merge (squash) May 21, 2026 17:53
@oskarszoon oskarszoon merged commit c0a75de into bsv-blockchain:main May 22, 2026
25 checks passed
@oskarszoon oskarszoon self-assigned this May 22, 2026
This was referenced May 22, 2026
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@icellan icellan icellan approved these changes

@freemans13 freemans13 freemans13 approved these changes

@ordishs ordishs Awaiting requested review from ordishs

Assignees

@oskarszoon oskarszoon

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@oskarszoon @icellan @freemans13