fix(sdk-core): update protobufjs to fix critical vulnerability

Addresses CVE-2023-36665

Refs DX-314

TICKET: DX-314

modules/sdk-coin-hbar/package.json

@@ -44,12 +44,12 @@
     "@bitgo/sdk-core": "^26.7.0",
     "@bitgo/statics": "^48.6.0",
     "@hashgraph/proto": "2.12.0",
-    "@hashgraph/sdk": "2.29.0",
+    "@hashgraph/sdk": "2.44.0",
     "@stablelib/sha384": "^1.0.0",
     "bignumber.js": "^9.0.0",
     "lodash": "^4.17.15",
     "long": "^4.0.0",
-    "protobufjs": "7.2.4",
+    "protobufjs": "7.2.5",
     "stellar-sdk": "^10.0.1",
     "tweetnacl": "^1.0.3"
   },

modules/sdk-coin-islm/package.json

@@ -51,7 +51,7 @@
     "cosmjs-types": "^0.6.1",
     "ethers": "^5.7.2",
     "keccak": "3.0.3",
-    "protobufjs": "^7.2.4"
+    "protobufjs": "^7.2.5"
   },
   "devDependencies": {
     "@bitgo/sdk-api": "^1.45.0",

modules/sdk-coin-trx/package.json

@@ -53,7 +53,7 @@
     "bignumber.js": "^9.0.0",
     "ethers": "^5.7.2",
     "lodash": "^4.17.14",
-    "protobufjs": "7.2.4",
+    "protobufjs": "7.2.5",
     "secp256k1": "5.0.0",
     "superagent": "^3.8.3",
     "tronweb": "5.1.0"

yarn.lock

@@ -2463,16 +2463,20 @@
     tweetnacl "^1.0.3"
     utf8 "^3.0.0"
 
-"@hashgraph/[email protected].6":
-  version "1.4.6"
-  resolved "https://registry.npmjs.org/@hashgraph/cryptography/-/cryptography-1.4.6.tgz"
-  integrity sha512-3HmnT1Lek71l6nHxc4GOyT/hSx/LmgusyWfE7hQda2dnE5vL2umydDw5TK2wq8gqmD9S3uRSMhz/BO55wtzxRA==
+"@hashgraph/[email protected].8-beta.5":
+  version "1.4.8-beta.5"
+  resolved "https://registry.yarnpkg.com/@hashgraph/cryptography/-/cryptography-1.4.8-beta.5.tgz#c0a30838d83080086bce5fbf2d8f19924a27805f"
+  integrity sha512-soq2vGLRkdl2Evr+gIvIjCXJjqA1hOAjysBGG+dhP6tKx2PEgEjb3hON/sMbxm3Q4qQdkML/vEthdAV707+flw==
   dependencies:
+    asn1js "^3.0.5"
     bignumber.js "^9.1.1"
-    bn.js "^5.1.1"
-    crypto-js "^4.1.1"
+    bn.js "^5.2.1"
+    buffer "^6.0.3"
+    crypto-js "^4.2.0"
     elliptic "^6.5.4"
     js-base64 "^3.7.4"
+    node-forge "^1.3.1"
+    spark-md5 "^3.0.2"
     tweetnacl "^1.0.3"
     utf8 "^3.0.0"
 
@@ -2485,26 +2489,36 @@
     protobufjs "^7.1.2"
     protobufjs-cli "^1.0.2"
 
-"@hashgraph/[email protected]":
-  version "2.29.0"
-  resolved "https://registry.npmjs.org/@hashgraph/sdk/-/sdk-2.29.0.tgz"
-  integrity sha512-dMv2q7OCa2Xyi0ooGjo4JJRFxHKzKBvMd8G/n30j4jHx1JiSfI2ckPTAOwfCbYZ/o+EMDZzevyD5+Juf9iph+A==
+"@hashgraph/[email protected]":
+  version "2.14.0-beta.5"
+  resolved "https://registry.yarnpkg.com/@hashgraph/proto/-/proto-2.14.0-beta.5.tgz#9c6991012ce85d1540b26937462560473d8dc0f7"
+  integrity sha512-UrIbLdctpD//Ua99Z4PnknbR8220nc1Pzv0nkDJ1emZE9EAi7YOOry2Dw660azQHWfVw/HhqECPdiKrTIZ2b+Q==
+  dependencies:
+    long "^4.0.0"
+    protobufjs "^7.2.5"
+
+"@hashgraph/[email protected]":
+  version "2.44.0"
+  resolved "https://registry.yarnpkg.com/@hashgraph/sdk/-/sdk-2.44.0.tgz#02ede40fe0cb6abca8eb28c6904fa06d5d5b82b5"
+  integrity sha512-F+fASqp/8Wp27HFXi2E60qY0Zp60UJWtTonqbIT+TCFbslItbLDJR+p+2FEz3wVCWRq2gJw+1ZMi/CMWtOHYpA==
   dependencies:
     "@ethersproject/abi" "^5.7.0"
     "@ethersproject/bignumber" "^5.7.0"
     "@ethersproject/bytes" "^5.7.0"
     "@ethersproject/rlp" "^5.7.0"
     "@grpc/grpc-js" "1.8.2"
-    "@hashgraph/cryptography" "1.4.6"
-    "@hashgraph/proto" "2.12.0"
-    axios "^1.3.1"
+    "@hashgraph/cryptography" "1.4.8-beta.5"
+    "@hashgraph/proto" "2.14.0-beta.5"
+    axios "^1.6.4"
     bignumber.js "^9.1.1"
-    crypto-js "^4.1.1"
+    bn.js "^5.1.1"
+    crypto-js "^4.2.0"
     js-base64 "^3.7.4"
     long "^4.0.0"
     pino "^8.14.1"
     pino-pretty "^10.0.0"
-    protobufjs "^7.1.2"
+    protobufjs "^7.2.5"
+    rfc4648 "^1.5.3"
     utf8 "^3.0.0"
 
 "@humanwhocodes/config-array@^0.5.0":
@@ -6553,7 +6567,7 @@ axios@^0.26.1:
   dependencies:
     follow-redirects "^1.14.8"
 
-axios@^1.0.0, axios@^1.3.1, axios@^1.3.4, axios@^1.4.0:
+axios@^1.0.0, axios@^1.3.4, axios@^1.4.0:
   version "1.6.1"
   resolved "https://registry.yarnpkg.com/axios/-/axios-1.6.1.tgz#76550d644bf0a2d469a01f9244db6753208397d7"
   integrity sha512-vfBmhDpKafglh0EldBEbVuoe7DyAavGSLWhuSm5ZSEKQnHhBf0xAAwybbNH1IkrJNGnS/VG4I5yxig1pCEXE4g==
@@ -6571,6 +6585,15 @@ axios@^1.6.0:
     form-data "^4.0.0"
     proxy-from-env "^1.1.0"
 
+axios@^1.6.4:
+  version "1.6.8"
+  resolved "https://registry.yarnpkg.com/axios/-/axios-1.6.8.tgz#66d294951f5d988a00e87a0ffb955316a619ea66"
+  integrity sha512-v/ZHtJDU39mDpyBoFVkETcd/uNdxrWRrg3bKpOKzXFA6Bvqopts6ALSMU3y6ijYxbw2B+wPrIv46egTzJXCLGQ==
+  dependencies:
+    follow-redirects "^1.15.6"
+    form-data "^4.0.0"
+    proxy-from-env "^1.1.0"
+
 b64-lite@^1.3.1, b64-lite@^1.4.0:
   version "1.4.0"
   resolved "https://registry.yarnpkg.com/b64-lite/-/b64-lite-1.4.0.tgz#e62442de11f1f21c60e38b74f111ac0242283d3d"
@@ -8460,7 +8483,7 @@ [email protected], crypto-browserify@^3.0.0, crypto-browserify@^3.12.0:
     randombytes "^2.0.0"
     randomfill "^1.0.3"
 
-crypto-js@^4.1.1:
+crypto-js@^4.1.1, crypto-js@^4.2.0:
   version "4.2.0"
   resolved "https://registry.yarnpkg.com/crypto-js/-/crypto-js-4.2.0.tgz#4d931639ecdfd12ff80e8186dba6af2c2e856631"
   integrity sha512-KALDyEYgpY+Rlob/iriUtjV6d5Eq+Y191A5g4UqLAi8CyGP9N1+FdVbkc1SxKc2r4YAYqG8JzO2KGL+AizD70Q==
@@ -10730,7 +10753,7 @@ flux@^4.0.1:
     fbemitter "^3.0.0"
     fbjs "^3.0.1"
 
-[email protected], follow-redirects@^1.0.0, follow-redirects@^1.14.0, follow-redirects@^1.14.7, follow-redirects@^1.14.8, follow-redirects@^1.14.9, follow-redirects@^1.15.0:
+[email protected], follow-redirects@^1.0.0, follow-redirects@^1.14.0, follow-redirects@^1.14.7, follow-redirects@^1.14.8, follow-redirects@^1.14.9, follow-redirects@^1.15.0, follow-redirects@^1.15.6:
   version "1.15.4"
   resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.4.tgz#cdc7d308bf6493126b17ea2191ea0ccf3e535adf"
   integrity sha512-Cr4D/5wlrb0z9dgERpUL3LrmPKVDsETIJhaCMeDfuFYcqa5bldGV6wBsAN6X/vxlXQtFBMrXdXxdL8CbDTGniw==
@@ -14377,7 +14400,7 @@ node-fetch@^3.3.1:
     fetch-blob "^3.1.4"
     formdata-polyfill "^4.0.10"
 
-node-forge@^1:
+node-forge@^1, node-forge@^1.3.1:
   version "1.3.1"
   resolved "https://registry.npmjs.org/node-forge/-/node-forge-1.3.1.tgz"
   integrity sha512-dPEtOeMvF9VMcYV/1Wb8CPoVAXtp6MKMlcbAt4ddqmGqUJ6fQZFXkNZNkNlfevtNkGtaSoXf/vNNNSvgrdXwtA==
@@ -15900,7 +15923,7 @@ protobufjs-cli@^1.0.2:
     tmp "^0.2.1"
     uglify-js "^3.7.7"
 
-[email protected].4, protobufjs@^6.8.8, protobufjs@^7.0.0, protobufjs@^7.1.2, protobufjs@^7.2.4, protobufjs@~6.11.2, protobufjs@~6.11.3:
+[email protected].5, protobufjs@^6.8.8, protobufjs@^7.0.0, protobufjs@^7.1.2, protobufjs@^7.2.4, protobufjs@^7.2.5, protobufjs@~6.11.2, protobufjs@~6.11.3:
   version "7.2.5"
   resolved "https://registry.yarnpkg.com/protobufjs/-/protobufjs-7.2.5.tgz#45d5c57387a6d29a17aab6846dcc283f9b8e7f2d"
   integrity sha512-gGXRSXvxQ7UiPgfw8gevrfRWcTlSbOFg+p/N+JVJEK5VhueL2miT6qTymqAmjr1Q5WbOCyJbyrk6JfWKwlFn6A==
@@ -16710,6 +16733,11 @@ reusify@^1.0.4:
   resolved "https://registry.npmjs.org/reusify/-/reusify-1.0.4.tgz"
   integrity sha512-U9nH88a3fc/ekCF1l0/UP1IosiuIjyTh7hBvXVMHYgVcfGvt897Xguj2UOLDeI5BG2m7/uwyaLVT6fbtCwTyzw==
 
+rfc4648@^1.5.3:
+  version "1.5.3"
+  resolved "https://registry.yarnpkg.com/rfc4648/-/rfc4648-1.5.3.tgz#e62b81736c10361ca614efe618a566e93d0b41c0"
+  integrity sha512-MjOWxM065+WswwnmNONOT+bD1nXzY9Km6u3kzvnx8F8/HXGZdz3T6e6vZJ8Q/RIMUSp/nxqjH3GwvJDy8ijeQQ==
+
 rfdc@^1.3.0:
   version "1.3.0"
   resolved "https://registry.npmjs.org/rfdc/-/rfdc-1.3.0.tgz"
@@ -17589,6 +17617,11 @@ sourcemap-codec@^1.4.8:
   resolved "https://registry.npmjs.org/sourcemap-codec/-/sourcemap-codec-1.4.8.tgz"
   integrity sha512-9NykojV5Uih4lgo5So5dtw+f0JgJX30KCNI8gwhz2J9A15wD0Ml6tjHKwf6fTSa6fAdVBdZeNOs9eJ71qCk8vA==
 
+spark-md5@^3.0.2:
+  version "3.0.2"
+  resolved "https://registry.yarnpkg.com/spark-md5/-/spark-md5-3.0.2.tgz#7952c4a30784347abcee73268e473b9c0167e3fc"
+  integrity sha512-wcFzz9cDfbuqe0FZzfi2or1sgyIrsDwmPwfZC4hiNidPdPINjeUwNfv5kldczoEAcjl9Y1L3SM7Uz2PUEQzxQw==
+
 spawn-wrap@^2.0.0:
   version "2.0.0"
   resolved "https://registry.npmjs.org/spawn-wrap/-/spawn-wrap-2.0.0.tgz"