Cardano Updates

Closes every code-resolvable open alert the direct bumps left as PARTIAL —
vulnerable transitive copies pinned by dev/build tooling. Prefer real parent
bumps; fall back to resolutions only where a transitive has multiple/deep
parents (node-gyp, mocha, eslint, npm internals) that no single direct-dep
bump can dislodge.

Parent bumps (clear the copy outright):
- tsx ^4.15 -> ^4.22  => esbuild 0.21 -> 0.27/0.28
- wait-on ^6 -> ^9 (cardano-services, wallet) => drops transitive [email protected]
  (whole axios tree now 1.18.0)
- pkg (archived/EOL, no fix) -> maintained fork @yao-pkg/pkg ^6.20 in
  golden-test-generator; build targets node14 -> node22

Resolutions (transitive copies with no single bumpable parent):
nanoid, on-headers, tar-fs, @opentelemetry/core, cross-spawn,
serialize-javascript, diff, ip-address, js-yaml, tar, tmp, uuid, ws — each
forced to its patched version. base-x clears naturally. minimatch is fixed
with descriptor-scoped resolutions (globule ~3.0.2 -> 3.1.5, mocha 5.0.1 ->
5.1.9) so eslint's own minimatch (3.1.5) is untouched.

Validated: full `yarn build` green; tsx runs under esbuild 0.28; unit tests
green across core/util/crypto/ogmios/hardware-trezor/cardano-services-client/
governance/key-management/tx-construction/input-selection (~2200 tests).

No upstream fix (deep transitives) — dismissed on GitHub with documented
rationale: elliptic (#203), bigint-buffer (#152).

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

Bumps [undici](https://github.com/nodejs/undici) from 7.24.1 to 7.28.0.
- [Release notes](https://github.com/nodejs/undici/releases)
- [Commits](https://github.com/nodejs/undici/compare/v7.24.1...v7.28.0)

---
updated-dependencies:
- dependency-name: undici
  dependency-version: 7.28.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>

Bump actions/checkout from 6 to 7 in the actions group

Consolidates the pure dependency version bumps that stack on top of the
Node 22 upgrade. Each is a behaviour-preserving bump that closes (or
hardens against) Dependabot alerts on consumer-facing and build-context
deps; no public API changes.

- uuid 8/9/10 -> ^11.1.1 across cardano-services, e2e, projection-typeorm,
  web-extension, wallet; drop now-redundant @types/uuid (uuid 11 ships
  its own types).
- core: ip-address ^9.0.5 -> ^10.2.0.
- axios relocked within ^1.7.4 to 1.18.0.
- cardano-services: express-openapi-validator ^4.13.8 -> ^5.6.2
  (pulls multer 2.x, removing the vulnerable multer 1.x). v5 renames
  the OpenAPIV3.Document type to DocumentV3 — updated in openApi.ts and
  its test.

Audits the wave in docs/security/dependency-vulnerability-audit-2026-06-19.md
(follow-up section): OSV.dev clean for every resolved version, 0 residual
advisories in CISA KEV, production closure clean, no lockfile downgrades,
per-tier blast-radius diagrams, and the lone publisher transition (multer
linusu -> ulisesgascon) annotated as a known maintenance handoff.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

This TypeScript incremental-build cache has been committed since
1dcb0993c84 (2021-10-04) but was only added to .gitignore later in
f0a8724593b (2022-06-14). Git keeps already-tracked files even once
ignored, so it lingered in the tree — churning on every build and
showing up as spurious diffs. Remove it from version control (the file
stays locally; tsc regenerates it).

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

Bumps the actions group with 1 update: [actions/checkout](https://github.com/actions/checkout).


Updates `actions/checkout` from 6 to 7
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v6...v7)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: '7'
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: actions
...

Signed-off-by: dependabot[bot] <[email protected]>

The Install moog step resolved the *latest* moog release via
`gh release view` (no tag). moog v2.0.0 (the moog-v2 MPFS cutover)
was published and marked Latest on 2026-06-13, so CI silently upgraded
to it. v2.0.0 is incompatible with the deployed v0.5.x MPFS at
mpfs.plutimus.com: `moog facts test-runs` now returns an error
envelope (it calls GET /status -> 404) instead of the array the Submit
step's jq expects, failing with "Cannot index string with string
\"key\"". Every scheduled launch has failed since, so no new
Antithesis runs were created.

Pin the tag to v0.5.1.5 (last v0.5.x, matches the production stack).

The Install moog step resolved the *latest* moog release via
`gh release view` (no tag). moog v2.0.0 (the moog-v2 MPFS cutover)
was published and marked Latest on 2026-06-13, so CI silently upgraded
to it. v2.0.0 is incompatible with the deployed v0.5.x MPFS at
mpfs.plutimus.com: `moog facts test-runs` now returns an error
envelope (it calls GET /status -> 404) instead of the array the Submit
step's jq expects, failing with "Cannot index string with string
\"key\"". Every scheduled launch has failed since, so no new
Antithesis runs were created.

Pin the tag to v0.5.1.5 (last v0.5.x, matches the production stack).

Co-authored-by: Denicio Bute <>

chore(nix): update `flake.lock`

Bump actions/checkout from 6 to 7 in the actions group

ip-address was used in exactly one place — pool-relay address (de)serialization
in ipUtils.ts (Address4/Address6 validation, IPv6 expansion to bytes, and
canonical formatting). Vendor a ~50-line functional parser (RFC 4291: `::`
zero-compression and trailing IPv4-mapped suffixes) and drop the dependency.

Because this feeds consensus-affecting serialization, the local implementation
was proven byte-for-byte identical to ip-address across a 26-case corpus
(validation, expansion, canonical formatting; valid/edge/invalid) before removal,
then locked in with vector-based unit tests.

Removes ip-address from core's production closure (no consumer pulls it via core
any longer). Full core suite (1018 tests) green.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

Add docs/core-dependency-minimisation.md (decision table + transitive/size
impact) and a reusable dependency-minimisation skill (closure-aware targeting,
differential equivalence for consensus code, the two impact metrics, and the
gotchas hit along the way).

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

@foxglove/crc was used in exactly one place — the Byron-era address
checksum. CRC-32 (IEEE 802.3 / zlib variant) is ~15 lines, so vendor a
local implementation and drop the dependency from core's closure.

Adds a dedicated crc32 unit test pinning the implementation bit-for-bit to
the canonical CRC-32 vectors (123456789 -> 0xCBF43926, empty -> 0, the
"quick brown fox" -> 0x414FA339, 0..255 -> 0x29058C73), so it provably
matches the variant @foxglove/crc provided. Byron address round-trips
(Address/PaymentAddress suites) cover the integration path.

Part of the core dependency-minimisation effort.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

The rule wants uppercase hex digits, which conflicts head-on with the repo's
enforced Prettier config (lowercase) — making it unsatisfiable for any hex
literal containing a-f. It had accumulated `/* eslint-disable */` directives in
16 files as a workaround. Disable it once in the shared config (as no-bitwise
already is) and drop the redundant per-file directives.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

chore: target Node 22 LTS (drop EOL Node 18)

web-encoding polyfilled TextDecoder for environments lacking it. TextDecoder
has been a Node.js global since v11 — so it was already available under the
previous >=16.20.2 engine, independent of the Node 22 bump — and is native in
all bundler-targeted modern browsers, making the polyfill (and its ~8MB
@zxing/text-encoding dependency) dead weight. Both decode sites only use
`new TextDecoder('utf8', { fatal: true })` + `.decode()`, fully covered by the
global.

Removes ~9.5MB from core's node_modules closure. Behaviour unchanged; full core
suite (992 tests) green. Part of the core dependency-minimisation effort.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

Consolidates the pure dependency version bumps that stack on top of the
Node 22 upgrade. Each is a behaviour-preserving bump that closes (or
hardens against) Dependabot alerts on consumer-facing and build-context
deps; no public API changes.

- uuid 8/9/10 -> ^11.1.1 across cardano-services, e2e, projection-typeorm,
  web-extension, wallet; drop now-redundant @types/uuid (uuid 11 ships
  its own types).
- core: ip-address ^9.0.5 -> ^10.2.0.
- axios relocked within ^1.7.4 to 1.18.0.
- cardano-services: express-openapi-validator ^4.13.8 -> ^5.6.2
  (pulls multer 2.x, removing the vulnerable multer 1.x). v5 renames
  the OpenAPIV3.Document type to DocumentV3 — updated in openApi.ts and
  its test.

Audits the wave in docs/security/dependency-vulnerability-audit-2026-06-19.md
(follow-up section): OSV.dev clean for every resolved version, 0 residual
advisories in CISA KEV, production closure clean, no lockfile downgrades,
per-tier blast-radius diagrams, and the lone publisher transition (multer
linusu -> ulisesgascon) annotated as a known maintenance handoff.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>