
V3.4.0 #467

Open
alexjavabraz wants to merge 23 commits into main from v3.4.0

@alexjavabraz

Collaborator

No description provided.

…failures

    I've defined ADDRESS_LIST_MAX_ITEMS, UTXO_RESPONSE_MAX_ROWS,
    ADDRESS_INFO_MAX_TXIDS and PROVIDER_CONCURRENCY env variables in
    order to set an upper bound on the requests and avoid external
    provider/services saturation
    remove optional rejectDuplicates and update
    build file to use nvmrc
  - Add minItems enforcement to validateAddressList (raises 422 when list
    is empty, consistent with the minItems: 1 declared in request schemas)
  - Update engines.node from >=10.16 to >=20.0.0 to match .nvmrc (v20.18.2)
  - Update PR description: document the 4.0.0 major bump rationale, breaking
  endpoint removals, and removal of REJECT_DUPLICATE_ADDRESSES toggle
@github-actions

github-actions Bot commented Jun 18, 2026


Dependency Review

The following issues were found:

  • ✅ 0 vulnerable package(s)
  • ✅ 0 package(s) with incompatible licenses
  • ✅ 0 package(s) with invalid SPDX license definitions
  • ✅ 0 package(s) with unknown licenses.
  • ⚠️ 29 packages with OpenSSF Scorecard issues.


Copilot AI left a comment

Contributor


Pull request overview

This PR modernizes the API for a new major release by upgrading the runtime/framework baseline, removing several legacy endpoints/services, and adding configurable guardrails (validation, concurrency limiting, and response-size caps) to address-list driven endpoints to mitigate response amplification risks.

Changes:

  • Upgrade to Node 20+ and LoopBack v8+ (plus dependency refresh) and adjust CI to use .nvmrc and run unit+acceptance tests together.
  • Add reusable utilities for BTC/EVM address patterns, address-list validation, concurrency-limited fan-out, and env-configurable limits; apply them to /utxo and /addresses-info.
  • Remove legacy features and their tests (e.g., register/metrics, logs ingestion, tx-history, Fireblocks proxy) and related DI bindings/exports.

Reviewed changes

Copilot reviewed 50 out of 52 changed files in this pull request and generated 5 comments.

| File | Description |
| --- | --- |
| src/utils/sanitization-utils.ts | Removed legacy payload/log sanitization helpers. |
| src/utils/concurrency.ts | Added chunked concurrency-limited async helper. |
| src/utils/bridge-utils.ts | Removed eslint-disable comments (naming convention now off). |
| src/utils/address-patterns.ts | Centralized BTC/EVM address regex patterns. |
| src/utils/address-list-validation.ts | Added runtime validation for address list size/uniqueness. |
| src/services/tx-history.service.ts | Removed tx-history Mongo service. |
| src/services/rsk-node.service.ts | getBridgeTransaction now returns Transaction \| undefined. |
| src/services/register.service.ts | Removed legacy register persistence service. |
| src/services/pegout-status/pegout-status.service.ts | Handle missing bridge tx (undefined) safely. |
| src/services/node-bridge-data.provider.ts | Skip processing when parsed bridge tx is missing. |
| src/services/index.ts | Stopped exporting removed services. |
| src/services/flyover.service.ts | Removed legacy register() method and unused imports. |
| src/services/bridge.service.ts | getBridgeTransactionByHash now returns Transaction \| undefined. |
| src/models/tx-output.model.ts | Removed eslint-disable comments for snake_case properties. |
| src/models/tx-input.model.ts | Removed eslint-disable comments for snake_case properties. |
| src/models/tx-history.model.ts | Removed TxHistory model and schema validations. |
| src/models/register-payload.model.ts | Removed RegisterPayload model. |
| src/models/log-entry.model.ts | Removed LogEntry/LogError model used by logs endpoint. |
| src/models/index.ts | Removed exports for deleted models. |
| src/models/fireblocks-generic-response.model.ts | Removed Fireblocks response model. |
| src/models/fireblocks-generic-request.model.ts | Removed Fireblocks request model/whitelist usage. |
| src/models/address-list.model.ts | Added max/unique constraints + centralized BTC pattern. |
| src/index.ts | Removed eslint-disable for enum naming. |
| src/dependency-injection-handler.ts | Removed DI bindings for deleted services. |
| src/dependency-injection-bindings.ts | Removed binding keys for deleted services. |
| src/controllers/utxo.controller.ts | Added address list validation, concurrency limiting, and response cap. |
| src/controllers/tx-history.controller.ts | Removed tx-history endpoints. |
| src/controllers/register.controller.ts | Removed register endpoint. |
| src/controllers/logs.controller.ts | Removed logs ingestion endpoint. |
| src/controllers/index.ts | Removed exports for deleted controllers. |
| src/controllers/fireblocks.controller.ts | Removed Fireblocks proxy endpoints. |
| src/controllers/addresses-info.controller.ts | Added validation, concurrency limiting, and txid capping. |
| src/constants/fireblocks-allowed-uris.ts | Removed Fireblocks URI whitelist. |
| src/config/limits.ts | New env-configurable limits (max list size, concurrency, etc.). |
| src/tests/unit/utxo.controller.unit.ts | Added tests covering amplification defenses and caps. |
| src/tests/unit/tx-history.controller.unit.ts | Removed tx-history controller tests. |
| src/tests/unit/services/rsk-node.services.unit.ts | Updated for possibly-undefined bridge transaction return. |
| src/tests/unit/services/flyover-service.service.unit.ts | Removed flyover register tests. |
| src/tests/unit/register.controller.unit.ts | Removed register controller tests. |
| src/tests/unit/bridge.handler.unit.ts | Updated assertions for possibly-undefined parser response. |
| src/tests/unit/addressesInfo.controller.unit.ts | Updated async flow + added amplification defense tests. |
| src/tests/helper.ts | Removed eslint-disable comments for snake_case test data. |
| src/tests/acceptance/utxo.controller.acceptance.ts | Added acceptance tests for list size/dup rejection. |
| src/tests/acceptance/logs.controller.acceptance.ts | Removed logs endpoint acceptance tests. |
| src/tests/acceptance/input-sanitization.acceptance.ts | Updated expectations (e.g., empty list now 422); removed register/logs sections. |
| src/tests/acceptance/fireblocks.controller.acceptance.ts | Removed Fireblocks acceptance tests. |
| src/tests/acceptance/addresses-info.controller.acceptance.ts | New acceptance coverage for list limits + txid cap. |
| package.json | Major version bump + Node/LoopBack upgrade + new test:all script. |
| .gitignore | Ignore .claude directory. |
| .github/workflows/build.yml | Use .nvmrc + run test:all; removed SonarCloud step. |
| .eslintrc.js | Disabled @typescript-eslint/naming-convention globally. |

Comment thread package.json
Comment on lines +89 to +97
"@loopback/build": "^12.0.12",
"@loopback/eslint-config": "^16.0.1",
"@loopback/testlab": "^8.0.12",
"@types/big.js": "^6.1.2",
"@types/bs58": "^4.0.1",
"@types/nock": "^10.0.3",
"@types/node": "^16.18.50",
"@typescript-eslint/eslint-plugin": "^6.4.1",
"@typescript-eslint/parser": "^6.4.1",
"@typescript-eslint/eslint-plugin": "^7.18.0",
"@typescript-eslint/parser": "^7.18.0",
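Review bot: the "@types/node" entry in this range reads "^16.18.50", while a commit message on this PR raises engines.node to >=20.0.0 to match .nvmrc (v20.18.2). Typings for Node 16 do not describe APIs added in later releases, so the compiler checks the code against a different runtime than the one deployed. Move "@types/node" to the 20.x line in the same change that raises the engine floor.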
Comment thread package.json Outdated
Comment on lines +2 to +3
"name": "2wp-api",
"version": "3.3.1",
"version": "4.0.0",
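Review bot: the version line moves from 3.3.1 to 4.0.0, but the PR title and source branch are both v3.4.0 and the PR body reads "No description provided." A major bump that removes endpoints should state the breaking changes where API consumers will see them. Retitle the PR to match 4.0.0 and record the removed endpoints and the removal of the REJECT_DUPLICATE_ADDRESSES toggle in the description or a changelog entry.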
reject(reason);
});
});
validateAddressList(addressList.addressList, {maxItems: ADDRESS_LIST_MAX_ITEMS});
Comment on lines +58 to +75
const utxosWithAddress = await withConcurrency(
addressList.addressList,
PROVIDER_CONCURRENCY,
async (address: string) => {
const utxos = await this.utxoProviderService.utxoProvider(address);
return utxos.map(utxo => new Utxo({address, ...utxo}));
},
);

const flat = utxosWithAddress.flat();
if (flat.length > UTXO_RESPONSE_MAX_ROWS) {
throw new HttpErrors.PayloadTooLarge(
`UTXO response exceeds maximum of ${UTXO_RESPONSE_MAX_ROWS} rows`,
);
}

this.logger.trace('[getUtxos] Got utxos!');
return new UtxoResponse({data: flat});
})
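Review bot: the UTXO_RESPONSE_MAX_ROWS check on "flat.length" runs only after withConcurrency has resolved for every address and the results have been flattened, so it bounds what is returned to the client but not the provider calls already made or the rows held in memory before the error is thrown. Keep a running row count as results arrive and stop issuing further provider calls once it passes the limit. Also reconsider PayloadTooLarge for this case: 413 describes an oversized request body, and the message "UTXO response exceeds maximum of ... rows" does not tell the caller that sending fewer addresses is the remedy.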
addressList: AddressList,
): Promise<AddressInfoResponse> {
validateAddressList(addressList.addressList, {maxItems: ADDRESS_LIST_MAX_ITEMS});
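Review bot: this call passes {maxItems: ADDRESS_LIST_MAX_ITEMS} exactly as the validateAddressList call in the previous snippet does, so the upper bound depends on every caller remembering the option. If maxItems is optional in validateAddressList, default it to ADDRESS_LIST_MAX_ITEMS inside the helper so that a new endpoint which omits the argument still gets the cap.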
Copilot AI review requested due to automatic review settings June 26, 2026 13:32
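
The three guardrails listed in the review overview above (address-list validation, concurrency-limited fan-out, response-size cap), shown together as an added example that is not the project's code. HttpError, validateList, boundedFanOut and getUtxoRows are hypothetical names and the limit values are constructed; the 422 and 413 status codes follow the commit message and the controller snippet. It goes one step beyond the snippet by checking the row budget after each chunk, so an oversized result stops further provider calls.

```typescript
// Added example, not the project's code. HttpError, validateList, boundedFanOut
// and getUtxoRows are hypothetical names; the limit values are constructed.
class HttpError extends Error {
  constructor(public readonly statusCode: number, message: string) {
    super(message);
  }
}

// The PR reads limits with these names from env variables.
const ADDRESS_LIST_MAX_ITEMS = 3;
const PROVIDER_CONCURRENCY = 2;
const UTXO_RESPONSE_MAX_ROWS = 4;

// Reject empty, oversized or duplicated lists before any upstream call is made.
function validateList(list: string[], maxItems: number = ADDRESS_LIST_MAX_ITEMS): void {
  if (list.length < 1) throw new HttpError(422, 'address list is empty');
  if (list.length > maxItems) throw new HttpError(422, `more than ${maxItems} addresses`);
  if (list.some((a, i) => list.indexOf(a) !== i)) throw new HttpError(422, 'duplicate address');
}

// Chunked fan-out: at most `limit` provider calls are in flight. The row budget
// is checked after every chunk, so an oversized result stops further calls.
async function boundedFanOut<T>(
  items: string[],
  limit: number,
  maxRows: number,
  fetchRows: (item: string) => Promise<T[]>,
): Promise<T[]> {
  const step = Math.max(1, Math.floor(limit)); // a misconfigured 0 must not loop forever
  const rows: T[] = [];
  for (let i = 0; i < items.length; i += step) {
    const chunk = await Promise.all(items.slice(i, i + step).map(item => fetchRows(item)));
    for (const part of chunk) rows.push(...part);
    if (rows.length > maxRows) {
      throw new HttpError(413, `response exceeds maximum of ${maxRows} rows`);
    }
  }
  return rows;
}

// Endpoint-shaped wrapper: validate first, then fan out under both limits.
async function getUtxoRows(
  addresses: string[],
  provider: (address: string) => Promise<string[]>,
): Promise<string[]> {
  validateList(addresses);
  return boundedFanOut(addresses, PROVIDER_CONCURRENCY, UTXO_RESPONSE_MAX_ROWS, provider);
}
```

With the constructed limits, a three-address request whose first two addresses return three rows each is rejected after the first chunk, and the third address is never sent to the provider.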

Copilot AI left a comment

Contributor


Copilot was unable to review this pull request because the user who requested the review is ineligible. To be eligible to request a review, you need a paid Copilot license, or your organization must enable Copilot code review.
