V3.4.0 #467
Open
alexjavabraz wants to merge 23 commits into
…failures
I've defined ADDRESS_LIST_MAX_ITEMS, UTXO_RESPONSE_MAX_ROWS,
ADDRESS_INFO_MAX_TXIDS and PROVIDER_CONCURRENCY env variables in
order to set an upper bound on the requests and avoid external
provider/services saturation
remove optional rejectDuplicates and update
build file to use nvmrc
- Add minItems enforcement to validateAddressList (raises 422 when list
is empty, consistent with the minItems: 1 declared in request schemas)
- Update engines.node from >=10.16 to >=20.0.0 to match .nvmrc (v20.18.2)
- Update PR description: document the 4.0.0 major bump rationale, breaking
endpoint removals, and removal of REJECT_DUPLICATE_ADDRESSES toggle
Pull request overview
This PR modernizes the API for a new major release by upgrading the runtime/framework baseline, removing several legacy endpoints/services, and adding configurable guardrails (validation, concurrency limiting, and response-size caps) to address-list driven endpoints to mitigate response amplification risks.
Changes:
- Upgrade to Node 20+ and LoopBack v8+ (plus dependency refresh) and adjust CI to use .nvmrc and run unit+acceptance tests together.
- Add reusable utilities for BTC/EVM address patterns, address-list validation, concurrency-limited fan-out, and env-configurable limits; apply them to /utxo and /addresses-info.
- Remove legacy features and their tests (e.g., register/metrics, logs ingestion, tx-history, Fireblocks proxy) and related DI bindings/exports.
Reviewed changes
Copilot reviewed 50 out of 52 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| src/utils/sanitization-utils.ts | Removed legacy payload/log sanitization helpers. |
| src/utils/concurrency.ts | Added chunked concurrency-limited async helper. |
| src/utils/bridge-utils.ts | Removed eslint-disable comments (naming convention now off). |
| src/utils/address-patterns.ts | Centralized BTC/EVM address regex patterns. |
| src/utils/address-list-validation.ts | Added runtime validation for address list size/uniqueness. |
| src/services/tx-history.service.ts | Removed tx-history Mongo service. |
| src/services/rsk-node.service.ts | getBridgeTransaction now returns Transaction \| undefined. |
| src/services/register.service.ts | Removed legacy register persistence service. |
| src/services/pegout-status/pegout-status.service.ts | Handle missing bridge tx (undefined) safely. |
| src/services/node-bridge-data.provider.ts | Skip processing when parsed bridge tx is missing. |
| src/services/index.ts | Stopped exporting removed services. |
| src/services/flyover.service.ts | Removed legacy register() method and unused imports. |
| src/services/bridge.service.ts | getBridgeTransactionByHash now returns Transaction \| undefined. |
| src/models/tx-output.model.ts | Removed eslint-disable comments for snake_case properties. |
| src/models/tx-input.model.ts | Removed eslint-disable comments for snake_case properties. |
| src/models/tx-history.model.ts | Removed TxHistory model and schema validations. |
| src/models/register-payload.model.ts | Removed RegisterPayload model. |
| src/models/log-entry.model.ts | Removed LogEntry/LogError model used by logs endpoint. |
| src/models/index.ts | Removed exports for deleted models. |
| src/models/fireblocks-generic-response.model.ts | Removed Fireblocks response model. |
| src/models/fireblocks-generic-request.model.ts | Removed Fireblocks request model/whitelist usage. |
| src/models/address-list.model.ts | Added max/unique constraints + centralized BTC pattern. |
| src/index.ts | Removed eslint-disable for enum naming. |
| src/dependency-injection-handler.ts | Removed DI bindings for deleted services. |
| src/dependency-injection-bindings.ts | Removed binding keys for deleted services. |
| src/controllers/utxo.controller.ts | Added address list validation, concurrency limiting, and response cap. |
| src/controllers/tx-history.controller.ts | Removed tx-history endpoints. |
| src/controllers/register.controller.ts | Removed register endpoint. |
| src/controllers/logs.controller.ts | Removed logs ingestion endpoint. |
| src/controllers/index.ts | Removed exports for deleted controllers. |
| src/controllers/fireblocks.controller.ts | Removed Fireblocks proxy endpoints. |
| src/controllers/addresses-info.controller.ts | Added validation, concurrency limiting, and txid capping. |
| src/constants/fireblocks-allowed-uris.ts | Removed Fireblocks URI whitelist. |
| src/config/limits.ts | New env-configurable limits (max list size, concurrency, etc.). |
| src/tests/unit/utxo.controller.unit.ts | Added tests covering amplification defenses and caps. |
| src/tests/unit/tx-history.controller.unit.ts | Removed tx-history controller tests. |
| src/tests/unit/services/rsk-node.services.unit.ts | Updated for possibly-undefined bridge transaction return. |
| src/tests/unit/services/flyover-service.service.unit.ts | Removed flyover register tests. |
| src/tests/unit/register.controller.unit.ts | Removed register controller tests. |
| src/tests/unit/bridge.handler.unit.ts | Updated assertions for possibly-undefined parser response. |
| src/tests/unit/addressesInfo.controller.unit.ts | Updated async flow + added amplification defense tests. |
| src/tests/helper.ts | Removed eslint-disable comments for snake_case test data. |
| src/tests/acceptance/utxo.controller.acceptance.ts | Added acceptance tests for list size/dup rejection. |
| src/tests/acceptance/logs.controller.acceptance.ts | Removed logs endpoint acceptance tests. |
| src/tests/acceptance/input-sanitization.acceptance.ts | Updated expectations (e.g., empty list now 422); removed register/logs sections. |
| src/tests/acceptance/fireblocks.controller.acceptance.ts | Removed Fireblocks acceptance tests. |
| src/tests/acceptance/addresses-info.controller.acceptance.ts | New acceptance coverage for list limits + txid cap. |
| package.json | Major version bump + Node/LoopBack upgrade + new test:all script. |
| .gitignore | Ignore .claude directory. |
| .github/workflows/build.yml | Use .nvmrc + run test:all; removed SonarCloud step. |
| .eslintrc.js | Disabled @typescript-eslint/naming-convention globally. |
Comment on lines +89 to +97
| "@loopback/build": "^12.0.12", | ||
| "@loopback/eslint-config": "^16.0.1", | ||
| "@loopback/testlab": "^8.0.12", | ||
| "@types/big.js": "^6.1.2", | ||
| "@types/bs58": "^4.0.1", | ||
| "@types/nock": "^10.0.3", | ||
| "@types/node": "^16.18.50", | ||
| "@typescript-eslint/eslint-plugin": "^6.4.1", | ||
| "@typescript-eslint/parser": "^6.4.1", | ||
| "@typescript-eslint/eslint-plugin": "^7.18.0", | ||
| "@typescript-eslint/parser": "^7.18.0", |
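Review bot: "@types/node": "^16.18.50" in this devDependencies block still targets Node 16 typings, while the same PR raises engines.node to >=20.0.0 to match .nvmrc (v20.18.2). Bump @types/node to a ^20 range so the compiler checks the code against the API surface of the runtime that is actually deployed, and keep the two in step whenever .nvmrc changes.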
Comment on lines +2 to +3
| "name": "2wp-api", | ||
| "version": "3.3.1", | ||
| "version": "4.0.0", |
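Review bot: the version line moves to 4.0.0, but the PR is titled V3.4.0. The commit notes describe this as a major bump with breaking endpoint removals, so rename the PR (and any release branch or changelog entry that still says 3.4.0) so that consumers are not told to expect a minor release.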
| reject(reason); | ||
| }); | ||
| }); | ||
| validateAddressList(addressList.addressList, {maxItems: ADDRESS_LIST_MAX_ITEMS}); |
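Review bot: on the validateAddressList(...) line, maxItems is taken from ADDRESS_LIST_MAX_ITEMS, which is read from the environment. If the parsing in src/config/limits.ts lets a non-numeric value through, a length comparison against NaN never trips and the cap is silently disabled; a zero or negative value would reject every request instead. Fail at startup on anything that is not a positive integer and add a unit test for the malformed-value case.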
Comment on lines +58 to +75
| const utxosWithAddress = await withConcurrency( | ||
| addressList.addressList, | ||
| PROVIDER_CONCURRENCY, | ||
| async (address: string) => { | ||
| const utxos = await this.utxoProviderService.utxoProvider(address); | ||
| return utxos.map(utxo => new Utxo({address, ...utxo})); | ||
| }, | ||
| ); | ||
|
|
||
| const flat = utxosWithAddress.flat(); | ||
| if (flat.length > UTXO_RESPONSE_MAX_ROWS) { | ||
| throw new HttpErrors.PayloadTooLarge( | ||
| `UTXO response exceeds maximum of ${UTXO_RESPONSE_MAX_ROWS} rows`, | ||
| ); | ||
| } | ||
|
|
||
| this.logger.trace('[getUtxos] Got utxos!'); | ||
| return new UtxoResponse({data: flat}); |
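Review bot: the flat.length > UTXO_RESPONSE_MAX_ROWS check runs only after withConcurrency has resolved every address, so the cap limits what is sent to the client but not the provider calls made or the rows held in memory for a request that is going to be rejected anyway. Keep a running row count inside the per-address callback and abort once it passes the cap, so an over-limit request stops fanning out early. Also consider the status code: HttpErrors.PayloadTooLarge (413) describes an oversized request body, whereas this condition concerns the size of the response.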
| }) | ||
| addressList: AddressList, | ||
| ): Promise<AddressInfoResponse> { | ||
| validateAddressList(addressList.addressList, {maxItems: ADDRESS_LIST_MAX_ITEMS}); |
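Review bot: this validateAddressList call enforces ADDRESS_LIST_MAX_ITEMS at runtime, while src/models/address-list.model.ts now also declares max/unique constraints in the request schema, so the limit is defined in two places. Derive the schema's maxItems from the same constant, or add a test asserting that the two agree; otherwise an env override and the schema can drift apart and the stricter layer decides which requests are rejected.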
Feat/standard logs traces
refactor: adding allowScripts for npm v12
ronaldsg20
approved these changes
Jun 26, 2026
No description provided.