
fix(deps): resolve all critical Dependabot security alerts #931

Open
chengwenxi wants to merge 1 commit into main from worktree-fix-dependabot-critical

Conversation

@chengwenxi
Collaborator

@chengwenxi chengwenxi commented Apr 14, 2026

Summary

Not fixed in this PR

  • babel-traverse (alert #75) — no patched version exists for the v6 package. This is a deeply nested transitive dependency from the deprecated ethereum-waffle/ganache-core toolchain. Remediation requires migrating testing infrastructure to a modern Babel v7+ setup (@babel/traverse ≥ 7.23.2).

Verification

  • All four Go modules (oracle, node, ops/tools, tx-submitter) compile successfully with go build ./...
  • yarn install succeeds in both contracts/ and gas-oracle/

Test plan

  • Verify CI builds pass for all Go modules
  • Verify npm/yarn CI steps pass for contracts and gas-oracle
  • Run existing test suites to confirm no regressions
  • Confirm Dependabot alerts auto-close after merge

🤖 Generated with Claude Code

Summary by CodeRabbit

Chores

  • Updated package and module dependencies across the codebase to enhance security, stability, and performance.
  • Added dependency resolution configurations to pin versions and ensure consistency across multiple modules.
  • Upgraded critical dependencies including cryptography, networking, and messaging libraries to latest compatible versions.

Go modules:
- Bump google.golang.org/grpc from v1.62.1 to v1.79.3 in oracle, node,
  ops/tools (CVE: gRPC-Go authorization bypass via missing leading slash)
- Remove github.com/btcsuite/btcd v0.20.1-beta from tx-submitter (witness
  size check bypass); only btcec/v2 sub-module is now used

npm (contracts, gas-oracle):
- Bump axios to ^1.15.0 (SSRF/header injection vulnerabilities)
- Bump elliptic to ^6.6.1 (ECDSA private key extraction)
- Bump handlebars to ^4.7.9 (JS injection via AST type confusion)
- Bump pbkdf2 to ^3.1.3 (predictable keys / Uint8Array input ignored)
- Bump sha.js to ^2.4.12 (missing type checks / hash rewind)
- Bump cipher-base to ^1.0.5 (missing type checks / hash rewind)
- Bump form-data to ^4.0.4 (unsafe random boundary function)
- Bump underscore to ^1.12.1 (arbitrary code execution)
- Add yarn resolutions in contracts to force patched transitive versions
- Replace gas-oracle/package-lock.json with yarn.lock (npm was using
  an outdated resolver; yarn already resolves all patched versions)

Note: babel-traverse (alert #75) has no patch available in the v6 package.
It is a deeply nested transitive dependency from ethereum-waffle/ganache-core
(deprecated toolchain). Remediation requires migrating the testing infra to
a modern babel v7+ toolchain.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@chengwenxi chengwenxi requested a review from a team as a code owner April 14, 2026 02:54
@chengwenxi chengwenxi requested review from secmgt and removed request for a team April 14, 2026 02:54
@coderabbitai
Contributor

coderabbitai bot commented Apr 14, 2026

📝 Walkthrough

This PR updates dependencies across the monorepo: upgrading axios and managing npm resolutions in the contracts package, and updating multiple indirect Go module versions across node, ops/tools, oracle, and tx-submitter packages to align with newer versions of protobuf, cryptography, and gRPC libraries.

Changes

Cohort / File(s): Contracts Package Dependencies (contracts/package.json)
Summary: Updated axios from ^1.4.0 to ^1.15.0 and added a resolutions block pinning versions for cipher-base, elliptic, form-data, handlebars, pbkdf2, sha.js, and underscore.

Cohort / File(s): Go Module Dependency Updates (node/go.mod, ops/tools/go.mod, oracle/go.mod, tx-submitter/go.mod)
Summary: Synchronized indirect dependency versions across Go modules: updated xxhash/v2 (v2.2.0 → v2.3.0), protobuf (v1.5.3 → v1.5.4), golang.org/x/* libraries (crypto, net, sync, sys, text to v0.46.0+), and google.golang.org/grpc (v1.62.1 → v1.79.3) and protobuf (v1.33.0 → v1.36.10). Removed golang.org/x/exp from node/go.mod and btcsuite/btcd v0.20.1-beta from tx-submitter/go.mod.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

Suggested reviewers

  • FletcherMan
  • panos-xyz
  • curryxbo
  • r3aker86

Poem

🐰 Dependencies dance in harmony today,
Axios springs forward, Go modules align,
Protobuf and gRPC lead the way,
Version pins gleam in the moonlight's shine,
Our monorepo hops with renewed design! ✨

🚥 Pre-merge checks | ✅ 3 passed
  • Description Check: Passed. Check skipped - CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The pull request title clearly and accurately summarizes the main change: resolving critical Dependabot security alerts across the codebase through dependency upgrades.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

Contributor

@coderabbitai coderabbitai bot left a comment

🧹 Nitpick comments (2)
node/go.mod (1)

123-125: Consider adding a CI guard to prevent cross-module version drift.

Given the same security-sensitive bumps are repeated across multiple go.mod files, a lightweight CI check (go list -m all diff or policy script) would help keep grpc/protobuf/x/* versions aligned over time.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@node/go.mod` around lines 123-125, the go.mod entries for
google.golang.org/genproto, google.golang.org/grpc and
google.golang.org/protobuf are drifting across modules; add a lightweight CI
guard that runs `go list -m all` (or a small policy script) to collect those
module versions across the repo and fail the run on any unexpected divergence.
Implement a small script (e.g., check-go-module-versions) that normalizes and
compares versions for the modules named (google.golang.org/genproto,
google.golang.org/grpc, google.golang.org/protobuf) and exits non-zero on
mismatch, then invoke that script as a step in the CI pipeline so PRs that
change those module versions are blocked until reconciled.
contracts/package.json (1)

99-106: Prefer exact resolutions pins for deterministic security remediation.

The caret ranges currently allow version drift across installs. The lockfile shows this is happening—for example, underscore resolved to 1.13.8 instead of 1.12.1, and cipher-base resolved to 1.0.7 instead of 1.0.5. Exact pins ensure reproducible, auditable security fixes.

Suggested diff
 "resolutions": {
-    "cipher-base": "^1.0.5",
-    "elliptic": "^6.6.1",
-    "form-data": "^4.0.4",
-    "handlebars": "^4.7.9",
-    "pbkdf2": "^3.1.3",
-    "sha.js": "^2.4.12",
-    "underscore": "^1.12.1"
+    "cipher-base": "1.0.5",
+    "elliptic": "6.6.1",
+    "form-data": "4.0.4",
+    "handlebars": "4.7.9",
+    "pbkdf2": "3.1.3",
+    "sha.js": "2.4.12",
+    "underscore": "1.12.1"
 }
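Review bot: pinning the resolutions to the range floors would downgrade what contracts/yarn.lock already resolves, per the comment above (underscore 1.13.8 to 1.12.1, cipher-base 1.0.7 to 1.0.5), discarding any fixes shipped after the minimum patched release, and exact pins also stop later patch releases from being picked up until someone edits package.json again. If exact pins are wanted for auditability, pin to the versions the lockfile currently resolves rather than the floors; otherwise the committed yarn.lock (excluded from this review by the path filter) already makes installs reproducible, so the caret ranges can stay as the minimum safe versions.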
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@contracts/package.json` around lines 99-106, update the resolutions object
in package.json to use exact version pins instead of caret ranges so installs
are deterministic; replace entries like "cipher-base": "^1.0.5", "elliptic":
"^6.6.1", "form-data": "^4.0.4", "handlebars": "^4.7.9", "pbkdf2": "^3.1.3",
"sha.js": "^2.4.12", "underscore": "^1.12.1" with exact strings "cipher-base":
"1.0.5", "elliptic": "6.6.1", "form-data": "4.0.4", "handlebars": "4.7.9",
"pbkdf2": "3.1.3", "sha.js": "2.4.12", "underscore": "1.12.1" in the resolutions
object so the lockfile remains reproducible and security remediation is
auditable.
📥 Commits

Reviewing files that changed from the base of the PR and between 62bb525 and 8d97a2c.

⛔ Files ignored due to path filters (8)
  • contracts/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
  • gas-oracle/package-lock.json is excluded by !**/package-lock.json
  • gas-oracle/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
  • go.work.sum is excluded by !**/*.sum
  • node/go.sum is excluded by !**/*.sum
  • ops/tools/go.sum is excluded by !**/*.sum
  • oracle/go.sum is excluded by !**/*.sum
  • tx-submitter/go.sum is excluded by !**/*.sum
📒 Files selected for processing (5)
  • contracts/package.json
  • node/go.mod
  • ops/tools/go.mod
  • oracle/go.mod
  • tx-submitter/go.mod
💤 Files with no reviewable changes (1)
  • tx-submitter/go.mod
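The cross-module drift guard the nitpick above asks for, written out as an added example (not code from this project or from CodeRabbit): two Go functions that parse the require sections of several go.mod files and report any watched module that is required at more than one version. The function names are my own, and the watch list and the go.mod contents are supplied by the caller.

```go
package main

import "strings"

// parseRequires maps module path -> version from go.mod text, handling both
// "require m v1" lines and "require ( ... )" blocks; "// indirect" is ignored.
func parseRequires(gomod string) map[string]string {
	reqs := map[string]string{}
	inBlock := false
	for _, raw := range strings.Split(gomod, "\n") {
		line := strings.TrimSpace(strings.SplitN(raw, "//", 2)[0])
		switch {
		case line == "require (":
			inBlock = true
		case inBlock && line == ")":
			inBlock = false
		case inBlock || strings.HasPrefix(line, "require "):
			if f := strings.Fields(strings.TrimPrefix(line, "require ")); len(f) == 2 {
				reqs[f[0]] = f[1]
			}
		}
	}
	return reqs
}

// FindDrift returns, for each watched module that the go.mod files require at
// more than one version, a map from version to the files requiring it; an
// empty result means the versions are aligned and the CI step may pass.
func FindDrift(gomods map[string]string, watch []string) map[string]map[string][]string {
	seen := map[string]map[string][]string{}
	for name, text := range gomods {
		reqs := parseRequires(text)
		for _, mod := range watch {
			if v, ok := reqs[mod]; ok {
				if seen[mod] == nil {
					seen[mod] = map[string][]string{}
				}
				seen[mod][v] = append(seen[mod][v], name)
			}
		}
	}
	for mod, byVer := range seen {
		if len(byVer) < 2 {
			delete(seen, mod) // one version everywhere: not drift
		}
	}
	return seen
}
```

A CI step would read node/go.mod, ops/tools/go.mod, oracle/go.mod and tx-submitter/go.mod into the map and fail when FindDrift returns anything; indirect requirements are included on purpose, since every bump in this PR is an indirect one.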

@chengwenxi chengwenxi requested review from a team and SecurityLife and removed request for a team April 14, 2026 03:01
@chengwenxi chengwenxi added the "dependencies" label (Pull requests that update a dependency file) Apr 14, 2026