
@hyperledger/cactus-common


@hyperledger/cactus-common - npm Package Versions


2.0.0-rc.4


2.0.0-rc.4 (2024-09-08)

Bug Fixes

  • ci: updated permissioning and versioning in GitHub Actions (cd71082)
  • relay: curl openssl added -L; upgrade openssl from 1.1.1 to 3.0.14 (935e4b8)
  • security: address CVE-2022-3517 - minimatch < 3.0.5 ReDoS vuln (e97e27b)
  • security: address CVE-2024-39338 SSRF in axios >= 1.3.2, <= 1.7.3 (7e7bb44)

Features

hyperledger-ghci
published 2.0.0-rc.3 •


2.0.0-rc.3 (2024-07-21)

Bug Fixes

  • address CVE-2022-24434, GHSA-wm7h-9275-46v2 caused by dicer (6ff8111)
  • ci: deprecationWarning in yarn_custom_checks (96a3865)
  • cmd-api-server: use ncc bundle in container image - CVE-2024-29415 (9eefa66)
  • connector-fabric: decode blocks in getTransactionReceiptByTxID() (1bdc35d)
  • connector-polkadot: use dynamic import calls for ESM dependencies (76adf12), closes #3077
  • the CVEs of braces nth-check vite webpack-dev-middleware - 2024-07 (4253d3f)

Build System

  • bump uuid@10.0.0 fs-extra@11.2.0 @bufbuild/protobuf@1.10.0 (9970352)

Code Refactoring

  • retire connector plugin specific container images, fix docs (24b5888)

Features

  • besu: remove hard dependency on keychain (f5b60b4), closes #963
  • bungee-hermes: ability to use connectors without instantiating APIs (6a71ddf)
  • connector-corda: add vaultQueryV1 REST API operation + endpoint (d2bf145)
  • connector-corda: support JVM 17 Cordapps (1994128)
  • fabric-connector: add getChainInfo, improve getBlock output (8c030ae)
  • persistence-fabric: rewrite the plugin (c867a9f), closes #3298

Performance Improvements

  • ci: only publish artifacts on git version tags of main (66e3139)

BREAKING CHANGES

  • Container images are being deleted here and will also get deleted from GHCR. Though the public APIs of the Typescript code do not change, still, some parts of the documentation will become invalid until we update it to match the changes here. I invested a large amount of effort into doing this documentation update as part of this change but it is very likely that I've missed a few spots and therefore it is best to mark this as a breaking change in my opinion to call attention to the fact that we still have ways to go with updating the documentation around these container images.
  1. Deleted all the container images that were just wrappers around the cmd-api-server container image installing their own npm package from the registry. The reason for this is that they ended up just being maintenance burden since we can achieve the exact same things just by re-using the API server's container image directly.
  2. This way we don't have to deal with CVEs in 10x container images when it's really just the one container image that we use as the base that needs to deal with them anyway.
  3. I also spent quite a bit of effort in this change to update the README.md files of the packages where previously we had plugin specific container images defined so that the README.md files have the tutorials that are more up to date compared to how they were (most of them had the tutorials completely broken for a long while which was causing a lot of difficulties to the newcomers who were trying to work with the packages).
  4. The reason why they got so out of date traces back to the undue maintenance burden of keeping separate images for each connector plugin. We hope that with this simplification we can keep the documentation continuously up to date since it will require less time to do so.
  5. Also deleted the ci.yaml container building jobs which were relevant to the scope of this change so that we also save on CI resources, another long-running project that's been in need of some attention from the maintainers.

Signed-off-by: Peter Somogyvari peter.somogyvari@accenture.com

  • Renamed classes to fix typos in their name: PluginFactoryPersistanceFabric. This is being done in this pull request because for some reason (that I still don't understand) the spell checker started failing on these only in the context of this pull request. The typos were present on the main branch already, somehow having passed spellchecking earlier and every other time since then.

And also

  • prom-client@15.1.3
  • del-cli@5.1.0
  • cspell@8.10.4
  • del-cli@5.1.0

Quality of life improvements and also hoping to get rid of a few of the vulnerable dependency versions we have in the codebase according to dependabot.

More similar changes are coming in with further upgrades but I want to avoid making bigger changes in one go so that it's easier to hunt down bugs later if something only gets discovered after we've merged a bunch of these.

Signed-off-by: Peter Somogyvari peter.somogyvari@accenture.com

  • fabric-connector: It accepts type instead of skipDecode flag.
  • Move common block formatting logic to cacti-block-formatters.ts.
  • Add tests for new features. Move test common to querying qscc to single file to increase CI speed.

Signed-off-by: Michal Bajer michal.bajer@fujitsu.com

hyperledger-ghci
published 2.0.0-rc.2 •


2.0.0-rc.2 (2024-07-03)

Bug Fixes

  • cmd-api-server: shutdown hook was not waiting for promises (d14bf02)
  • cmd-api-server: stop changing LoggerProvider log level (6ef514c)
  • deps: fix batch of missing production dependencies v2.0.0-rc.1 (51d64ee), closes #3344
  • go-sdk: use protos v1 api for fabric-protos-go unmarshal (8896518)
  • plugin-persistence-ethereum: make created_at TIMESTAMPTZ in schema (08925ff), closes #3373

Features

  • cactus-example-tcs-huawei: remove deprecated sample app (45fadcd), closes #3155 #3157
  • connector-besu: expose API client and OpenAPI code for web builds (199c1f0)
  • connector-corda: add initial set of JvmObject factory functions (d9d5904)
  • connector-corda: add JSON classname->JVM class object deserialize (0508f14)
  • fabric-driver: added weaver fabric driver as cacti plugin package (36b8470)
  • ledger-browser: refactor eth dashboard page (c69fb4c), closes #3207
  • ledger-browser: refactor eth tokens page into accounts page (0b0c22c), closes #3237
  • ledger-browser: refactor routing, improve UI (3fcc7a1)
  • ledger-browser: use react query in eth app (4d3fb7e), closes #3203
peter.somogyvari
published 2.0.0-rc.1 •


2.0.0-rc.1 (2024-06-14)

Bug Fixes

  • cactus-common: coerceUnknownToError() now uses HTML sanitize (d70488a)
  • cactus-example-cbdc-bridging-backend: add missing CRPC port config option (84c0733)
  • cmd-api-server: add runtime type validation to HTTP verbs pulled from OAS (b0ff599), closes #2751 #2751 #2751 #2754
  • cmd-api-server: address CVE-2022-25881 (81da333), closes #2862
  • cmd-api-server: fix CVE-2023-36665 protobufjs try 2 (4e8b553), closes #2682
  • cmd-api-server: healthcheck broken due to missing wget binary (8f1ca3f), closes #2894
  • connector-besu: error handling of DeployContractSolidityBytecodeEndpoint (89d9b93), closes #2868
  • connector-besu: toBuffer only supports 0x-prefixed hex (1d00e32)
  • connector-corda: contract deployment SSH reconnect race condition (0af2eb1)
  • connector-fabric: address CVEs: CVE-2022-21190, CVE-2021-3918 (11e775d), closes #2864
  • connector-quorum/ethereum: strengthen contract parameter validation (779bb7e), closes #2760
  • corda-simple-app: use correct bond asset flows and contracts for bond asset exchange (caa2b3a)
  • deps: bulk add missing dependencies - 2023-11-02 (8addb01), closes #2857
  • GHSA-8qv2-5vq6-g2g7 webpki CPU denial of service in certificate path (e24458f)
  • indy-vdr-nodejs: update dependency version (f81b46b)
  • ledger-browser: fix vulnerability CVE-2022-37601 (55c7d3d)
  • persistence-fabric: hide not critical API (793f94f)
  • plugin-htlc-coordinator-besu: add missing HSTS header (dff34e8)
  • plugin-keychain-vault: fix CVE-2024-0553 in vault server image (1eacf7e)
  • security: address CVE-2021-3749 - axios >=0.22.0 (61fc700)
  • security: mitigate CVE-2024-21505 (f48994f)
  • security: remediate qs vulnerability CVE-2022-24999 (536b6b1)
  • weaver-asset-transfer: return proper error messages for pledge status and claim status (f8f6bcb)
  • weaver-fabric-node-sdk: made AES key length configurable in ECIES functions (e679801)
  • weaver-go-cli: updated Weaver Fabric Go CLI module to ensure local compilation (1668cf4)
  • weaver-go-sdk: corrected membership API function signatures (083ea4f)
  • weaver-go-sdk: revert fabric-protos-go-apiv2 dep to fabric-protos-go (6994e5b)
  • weaver-membership-functions: reverted earlier buggy change affecting identity mgmt (faf90dd)
  • weaver-packages: removing unnecessary package-lock.json file (f3e53e4)
  • weaver-satp: bug and configuration fixes in relays and Fabric drivers for sample SATP implementation (9f77871)
  • weaver: improper exception handling (a33f30c), closes #2767
  • weaver: upgraded Corda dependencies to overcome Log4j vulnerability (76f0c68)
  • weaver: usage of weak PRNG issue (fa17b52), closes #2765

Features

  • actionlint: fix the errors produced by the ActionLint tool (e6d5d88)
  • bungee-hermes: new plugin bungee-hermes (ecf52ec)
  • bungee-hermes: process & merge views (231a5e5)
  • bungee-hermes: viewProof & ethereum strategy (22f389f)
  • cactus-core-api: add ISendRequestResultV1<T> for Fujitsu verifier (483de38)
  • cactus-core: add ConnectRPC service interface and type guard (9e83087)
  • cactus-core: add handleRestEndpointException utility to public API (bf9dfe8)
  • cactus-example-discounted-asset-trade: use openapi ethereum connector (dcaf9fe), closes #2645
  • cactus-example-discounted-asset-trade: use openapi sawtooth connector (86d6b38), closes #2825
  • cactus-example-electricity-trade: use openapi ethereum connector (9e66850)
  • cactus-plugin-ledger-connector-aries: add new connector plugin (afef5ae), closes #2946
  • cactus-plugin-ledger-connector-cdl-socketio: separate endpoint for subscription key (b1048af)
  • cactus-plugin-ledger-connector-cdl-socketio: support subscription key auth (a04fc5b)
  • cactus-plugin-ledger-connector-cdl: add new connector plugin (6efd8de)
  • cactus-plugin-ledger-connector-ethereum: add json-rpc proxy (ed04201)
  • cactus-plugin-ledger-connector-ethereum: add signing utils (84c5b34)
  • cactus-plugin-ledger-connector-ethereum: add stress test (55fa26e), closes #2631
  • cactus-plugin-ledger-connector-ethereum: refactor connector API (cda279f), closes #2630
  • cactus-plugin-ledger-connector-ethereum: support London fork gas prices (80a89dd), closes #2581
  • cactus-plugin-ledger-connector-ethereum: update web3js to 4.X (55f82c9), closes #2580 #2535 #2578
  • cactus-plugin-ledger-connector-fabric-socketio: remove fabric-socketio connector (704e201), closes #2644
  • cactus-plugin-ledger-connector-fabric: support delegated (offline) signatures (e2812f4), closes #2598
  • cactus-plugin-ledger-connector-iroha: remove deprecated iroha connector (fa27fde), closes #3159 #3155
  • cactus-plugin-ledger-connector-sawtooth: add new connector plugin (e379504)
  • cactus-plugin-persistence-ethereum: use openapi ethereum connector (b8f9b79), closes #2631
  • cbdc-bridging: add frontend code for the CBDC example (5ad0ebf)
  • cmd-api-server: add ConnectRPC auto-registration for plugins (c569460)
  • cmd-api-server: add gRPC plugin auto-registration support (5762dad)
  • common: add express http verb method name string literal type (8f048ea)
  • common: add isGrpcStatusObjectWithCode user-defined type guard (941dbad)
  • connector-besu: add continuous benchmarking with JMeter (379d41d)
  • connector-besu: add gRPC support for operations (ab676d2), closes #3173
  • connector-fabric: drop support for Fabric v1.x (ec8123c)
  • connector-polkadot: add connector pkg, openapi specs, test suite (6a476a0)
  • core-api: add IPluginGrpcService type & user-defined type guard (e87e577)
  • core: add configureExpressAppBase() utility function (383f852)
  • ethereum-connector: support block monitoring with http only connection (f4373a9)
  • indy-sdk: replace indy SDK with AFJ (3291dcc), closes #2859 #2860
  • indy-test-ledger: add helper class for indy ledger (8c746c3), closes #2861
  • plugin-keychain-memory: add ConnectRPC support (c5fecf6), closes #3183
  • plugin-keychain-memory: add observability via RxJS ReplaySubjects (9b41377)
  • plugin-keychain-memory: add REST API endpoint implementations (c7a8fa5)
  • plugin-satp-hermes: replace IPFS dependency in SATP package (3bb7157), closes #2984 #3006
  • satp: sample implementation of SATP standard using relays (c23197c)
  • supabase-all-in-one: update versions, use skopeo (eeb34f9), closes #3099
  • test-tooling: add Stellar test ledger (58fa94e), closes #3239
  • weaver-go: upgraded Weaver Fabric Go SDK with membership functions (43cce8e)
  • weaver: add build script and fix minor issues (6d4fd00)

Performance Improvements

  • cmd-api-server: add demonstration of continuous benchmarking (0804bab)

BREAKING CHANGES

  • connector-fabric: The Open API specification that has the enums for ledger versions will no longer have an option for Fabric v1.x. This means that in the core-api package the LedgerType enum has changes, which means that code that depends on that enum value will need to be updated.

Fabric v1.x has had unmaintained dependencies associated with it such as the native grpc package that stopped receiving security updates years ago and therefore it's dangerous to have around.

There are also some issues with Fabric v1.x that make the AIO image flaky which also makes the relevant tests flaky due to which we couldn't run the v1.x Fabric tests on the CI for a while now anyway.

In order to reduce the CI resource usage and our own maintenance burden I suggest that we get rid of the Fabric v1.x support meaning that we can eliminate the AIO image build and some code complexity from the test ledger code as well.

In addition some old fixtures can be removed that the tests were using. Overall a net-positive as deleting code without losing functionality (that we care about) is always a plus.

Signed-off-by: Peter Somogyvari peter.somogyvari@accenture.com

peter.somogyvari
published 2.0.0-main.339 •

peter.somogyvari
published 2.0.0-2945-supply-chain-app-build-failed.241 •

peter.somogyvari
published 2.0.0-main.214 •

peter.somogyvari
published 2.0.0-lfx-connector.208 •

peter.somogyvari
published 2.0.0-dev.197 •

peter.somogyvari
published 2.0.0-dev.196 •
