Cardano Updates

Records the follow-up wave (uuid, ip-address, axios, express-openapi-validator/
multer) against the dependency-vulnerability audit: OSV.dev clean for every
resolved version, 0 residual advisories in CISA KEV, production closure clean,
no lockfile downgrades, and the lone publisher transition (multer linusu ->
ulisesgascon) annotated as a known maintenance handoff. Resolves the interim
uuid PARTIAL recorded in section A.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

Consolidates the pure dependency version bumps that stack on top of the
Node 22 upgrade. Each is a behaviour-preserving bump that closes (or
hardens against) Dependabot alerts on consumer-facing and build-context
deps; no public API changes.

- uuid 8/9 -> ^11.1.1 across cardano-services, e2e, projection-typeorm,
  web-extension, wallet; drop now-redundant @types/uuid (uuid 11 ships
  its own types).
- core: ip-address ^9.0.5 -> ^10.2.0.
- axios relocked within ^1.7.4 to 1.18.0.
- cardano-services: express-openapi-validator ^4.13.8 -> ^5.6.2
  (pulls multer 2.x, removing the vulnerable multer 1.x). v5 renames
  the OpenAPIV3.Document type to DocumentV3 — updated in openApi.ts and
  its test.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

Bumps express-openapi-validator in cardano-services from ^4.13.8 to ^5.6.2,
which depends on multer ^2.0.2 — clearing the multer high-severity advisory
(< 2.x). The validation middleware options we pass (apiSpec, ignoreUndocumented,
validateRequests, validateResponses) are unchanged in v5.

v5 type rename fix: OpenAPIV3.Document -> OpenAPIV3.DocumentV3 (src + test).

Validated: cardano-services builds clean; openApi unit test passes; no new test
failures (the StakePoolBuilder DB test and TxSubmit are the pre-existing Node 22
baseline, unrelated). HTTP request/response validation behaviour is exercised by
CI's cardano-services HTTP suite.

Resolves #1705.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

Refreshes the lockfile so the `^1.7.4` axios consumers (cardano-services,
cardano-services-client, util-dev) resolve to 1.18.0 — clears the axios 1.x
advisories (SSRF/credential-leak/DoS family, < 1.16.x). In-range relock, no
manifest change. Now viable on the Node 22 base (#1719).

A legacy axios `0.25.0` copy remains via an old transitive (axios 0.x -> 1.x is
a major for that parent) — tracked in #1704.

Validated: full clean build green on axios 1.18 (type-level). HTTP runtime
behaviour (HttpProvider) is exercised by CI; the local sandbox can't run the
in-process socket tests.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

Bumps the direct `ip-address` dependency in @cardano-sdk/core from ^9.0.5 to
^10.2.0 (advisory GHSA for ip-address < 10.1.1; ip-address@10 requires only
node >= 12). core's usage (Address4/Address6 isValid, toUnsignedByteArray,
fromUnsignedByteArray, canonicalForm in ipUtils) is unchanged across the major.

Closes the core direct-manifest alert. A transitive `[email protected]` remains
via `socks` (build/dev tooling: chromedriver/webdriverio proxy chain) and would
need that parent bumped — build-context only, tracked in #1707.

Validated: core builds; core suite 992/992 (covers ipUtils).

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

The project was pinned to the now-EOL Node 18.12.0 (.nvmrc + all CI workflows)
with a stale `engines: >=16.20.2`. Move to the Node 22 LTS line, tracked by
major so it doesn't go stale again:

- .nvmrc: 22 · all 9 CI workflows: node-version 22 · engines.node: >=22 (all manifests)
- @types/node: ^18 -> ^22

Node 22 / @types/node 22 compatibility fixes (folded in so every commit builds):
- cardano-services WsServer + projection/e2e tests: type interval handles as
  NodeJS.Timeout (setInterval no longer returns the legacy NodeJS.Timer)
- e2e measurement-util (src + test): PerformanceEntry no longer carries `detail`
- shared jest base config: fakeTimers `doNotFake: ['performance']` (Node 22's
  read-only global `performance` can't be replaced by the fake-timers impl), and
  a setupFile disabling http(s).globalAgent keepAlive — Node 19+ defaults it to
  true, so HTTP tests that restart servers between cases reused stale sockets
  ("socket hang up" / AxiosError in HttpProvider + TxSubmit suites)
- cardano-services-client test: --runInBand (avoids a jest-worker circular-JSON
  IPC crash on a follow-redirects object)
- TypeormStakePoolProvider util test: assert toThrow(SyntaxError) (V8 JSON
  message wording differs across Node versions)

Docker: NODEJS_MAJOR_VERSION=22, plus a multi-stage `deps-builder` that installs
the build toolchain (build-essential/python3/libudev-dev/libusb/pkg-config) to
compile native modules — Node 22 has no prebuilds for some older native deps
(cpu-features, chacha-native, node-hid/usb). Toolchain stays in the builder;
runtime images copy the compiled node_modules and stay lean.

Unblocks the Node-20+ dependency majors that couldn't pass CI on Node 18.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

The project was pinned to the now-EOL Node 18.12.0 (.nvmrc + all CI workflows)
with a stale `engines: >=16.20.2`. Move to the Node 22 LTS line, tracked by
major so it doesn't go stale again:

- .nvmrc: 22 · all 9 CI workflows: node-version 22 · engines.node: >=22 (all manifests)
- @types/node: ^18 -> ^22

Node 22 / @types/node 22 compatibility fixes (folded in so every commit builds):
- cardano-services WsServer + projection/e2e tests: type interval handles as
  NodeJS.Timeout (setInterval no longer returns the legacy NodeJS.Timer)
- e2e measurement-util (src + test): PerformanceEntry no longer carries `detail`
- shared jest base config: fakeTimers `doNotFake: ['performance']` — Node 22's
  read-only global `performance` cannot be replaced by the fake-timers impl
- TypeormStakePoolProvider util test: assert toThrow(SyntaxError) (V8 JSON
  message wording differs across Node versions)

Docker: NODEJS_MAJOR_VERSION=22, and a multi-stage `deps-builder` that installs
the build toolchain (build-essential/python3/libudev-dev/libusb/pkg-config) to
compile native modules from source — Node 22 has no prebuilds for some older
native deps (cpu-features, chacha-native, node-hid/usb). The toolchain stays in
the builder; the runtime images copy the compiled node_modules and remain lean.

Unblocks the Node-20+ dependency majors that couldn't pass CI on Node 18.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

The project was pinned to the now-EOL Node 18.12.0 (.nvmrc + all CI workflows)
with a stale `engines: >=16.20.2`. Move to the Node 22 LTS line, tracked by
major so it doesn't go stale again:

- .nvmrc: 22 · all 9 CI workflows: node-version 22 · Dockerfile: NODEJS_MAJOR_VERSION=22
- engines.node: >=22 across root + every workspace manifest
- @types/node: ^18 -> ^22

Node 22 / @types/node 22 compatibility fixes (folded in so every commit builds):
- cardano-services WsServer: type heartbeat/stake intervals as NodeJS.Timeout
  (setInterval no longer returns the legacy NodeJS.Timer; clearInterval rejects it)
- e2e measurement-util: PerformanceEntry no longer carries `detail` (now on
  PerformanceMark/Measure) — cast the entry and narrow the mark filter
- shared jest base config: fakeTimers `doNotFake: ['performance']` — Node 22's
  read-only global `performance` cannot be replaced by the fake-timers impl
  (was crashing many suites across cardano-services/ogmios/web-extension/etc.)
- TypeormStakePoolProvider util test: assert `toThrow(SyntaxError)` instead of a
  V8 JSON.parse message string that differs across Node versions

Unblocks the Node-20+ dependency majors that couldn't pass CI on Node 18.

Validated: clean full build green on @types/node 22 (all 21 workspaces);
core/crypto/key-management + cardano-services unit suites green except
DB-backed tests (no local DB) and the in-process HTTP TxSubmit tests (local
sockets) — both validated by CI.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

@types/node@22 has setInterval return NodeJS.Timeout and clearInterval no
longer accept the legacy NodeJS.Timer, so `clearInterval(this.heartbeatInterval)`
failed to type-check (WsServer/server.ts). Retype the heartbeatInterval and
stakeInterval fields as NodeJS.Timeout | undefined.

(Masked locally by incremental tsc --build; caught on a clean CI compile.)

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

The project was pinned to Node 18.12.0 (.nvmrc + all CI workflows) with a
stale `engines: >=16.20.2` — both Node 16 and 18 are EOL. Move to the current
Node 22 LTS line, tracked by major (not a stuck patch pin like 18.12.0) so it
doesn't go stale again:

- .nvmrc: 22
- all 9 CI workflows: node-version 22
- Dockerfile: NODEJS_MAJOR_VERSION=22
- engines.node: >=22 across root + all workspace manifests
- @types/node: ^18 -> ^22

Fix surfaced by @types/node@22: PerformanceEntry no longer carries `detail`
(it's on PerformanceMark/Measure) — measurement-util now casts the entry to
read it, and the mark filter is a type predicate so the target type narrows.

Unblocks the Node-20+ dependency majors (e.g. uuid@14) that previously
couldn't pass CI on Node 18.

Validated: full build green on @types/node@22; core/crypto/key-management
suites pass (sandbox runs Node 24, i.e. >=22).

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

Bumps the direct `uuid` dependency in cardano-services, e2e,
projection-typeorm, wallet and web-extension from ^8/^9/^10 to ^11.1.1 — the
minimal version that clears the advisory (GHSA for uuid < 11.1.1), staying
Node-16 compatible (unlike uuid@14 which Dependabot proposed and which
requires Node 20+, conflicting with engines >=16.20.2).

We only use named `import { v4 } from 'uuid'` (no removed deep imports), so
v11 is API-compatible. uuid@11 ships its own types, so the now-redundant
`@types/uuid@^8` is removed from cardano-services/e2e/web-extension.

Closes the 5 direct-manifest uuid alerts. Transitive copies (uuid 8/9 via
pg-boss, pouchdb, jayson, rpc-websockets, lerna-lite, devtools) remain and
would need a global resolution to clear — deferred, tracked in #1707.

Validated: full build green; wallet 440/440. (web-extension's 3
NonBackgroundMessenger reconnect-timing failures are pre-existing on master
in this environment and unrelated — uuid is not referenced there.)

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

Bumps [nanoid](https://github.com/ai/nanoid) from 3.3.13 to 5.0.9.
- [Release notes](https://github.com/ai/nanoid/releases)
- [Changelog](https://github.com/ai/nanoid/blob/main/CHANGELOG.md)
- [Commits](https://github.com/ai/nanoid/compare/3.3.13...5.0.9)

---
updated-dependencies:
- dependency-name: nanoid
  dependency-version: 5.0.9
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps the security-updates group with 1 update in the / directory: [axios](https://github.com/axios/axios).


Updates `axios` from 1.11.0 to 1.16.0
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](https://github.com/axios/axios/compare/v1.11.0...v1.16.0)

---
updated-dependencies:
- dependency-name: axios
  dependency-version: 1.16.0
  dependency-type: direct:production
  dependency-group: security-updates
...

Signed-off-by: dependabot[bot] <[email protected]>

Bumps the npm_and_yarn group with 1 update in the /packages/cardano-services directory: [uuid](https://github.com/uuidjs/uuid).
Bumps the npm_and_yarn group with 1 update in the /packages/core directory: [ip-address](https://github.com/beaugunderson/ip-address).
Bumps the npm_and_yarn group with 1 update in the /packages/e2e directory: [uuid](https://github.com/uuidjs/uuid).
Bumps the npm_and_yarn group with 1 update in the /packages/projection-typeorm directory: [uuid](https://github.com/uuidjs/uuid).
Bumps the npm_and_yarn group with 1 update in the /packages/wallet directory: [uuid](https://github.com/uuidjs/uuid).
Bumps the npm_and_yarn group with 1 update in the /packages/web-extension directory: [uuid](https://github.com/uuidjs/uuid).


Updates `uuid` from 10.0.0 to 14.0.0
- [Release notes](https://github.com/uuidjs/uuid/releases)
- [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md)
- [Commits](https://github.com/uuidjs/uuid/compare/v10.0.0...v14.0.0)

Updates `ip-address` from 9.0.5 to 10.2.0
- [Commits](https://github.com/beaugunderson/ip-address/compare/v9.0.5...v10.2.0)

Updates `uuid` from 8.3.2 to 14.0.0
- [Release notes](https://github.com/uuidjs/uuid/releases)
- [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md)
- [Commits](https://github.com/uuidjs/uuid/compare/v10.0.0...v14.0.0)

Updates `uuid` from 9.0.1 to 14.0.0
- [Release notes](https://github.com/uuidjs/uuid/releases)
- [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md)
- [Commits](https://github.com/uuidjs/uuid/compare/v10.0.0...v14.0.0)

Updates `uuid` from 8.3.2 to 14.0.0
- [Release notes](https://github.com/uuidjs/uuid/releases)
- [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md)
- [Commits](https://github.com/uuidjs/uuid/compare/v10.0.0...v14.0.0)

Updates `uuid` from 8.3.2 to 14.0.0
- [Release notes](https://github.com/uuidjs/uuid/releases)
- [Changelog](https://github.com/uuidjs/uuid/blob/main/CHANGELOG.md)
- [Commits](https://github.com/uuidjs/uuid/compare/v10.0.0...v14.0.0)

---
updated-dependencies:
- dependency-name: uuid
  dependency-version: 14.0.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: ip-address
  dependency-version: 10.2.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: uuid
  dependency-version: 14.0.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: uuid
  dependency-version: 14.0.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: uuid
  dependency-version: 14.0.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
- dependency-name: uuid
  dependency-version: 14.0.0
  dependency-type: direct:production
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <[email protected]>

chore(deps): drop abandoned mock-browser to remove [email protected] (resolves #1703)

chore(deps): bump artillery to eliminate vm2 (resolves #1702)

ci: make release workflow idempotent & recoverable

The release ran `lerna publish` as a single command that couples version
decision (commit/tag/push/GitHub release) with npm publishing. When npm
publishing failed partway, master was already bumped, tagged and released
on GitHub but the packages never reached npm — and re-running did nothing,
since `--conventional-graduate` finds no new commits.

Split the flow into two phases:

- `version:{stable,rc}` -> `lerna version` (bump, tag, push, GitHub release)
- `publish:{stable,rc}` -> `lerna publish from-package` (publish only the
  versions missing from the registry)

`from-package` queries the registry and ships only what's absent, and
`lerna version` no-ops when there are no new commits. Re-running the
workflow therefore converges to the correct state: it recovers a partial
publish without double-bumping or duplicating releases, and is a no-op once
everything is published.

Also bump deprecated actions (checkout@v3->v4, setup-node@v1->v4,
import-gpg@v5->v6) to clear the Node 20 deprecation warnings.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

mock-browser (last published 2022) pulled an ancient chain
mock-browser -> [email protected] -> [email protected] -> [email protected], the source
of the form-data unsafe-random-boundary alert (GHSA-fjxv-7rqg-78g4) that the
~2.3.2 range could not relock past.

- Removed the unused mock-browser devDependency from e2e and wallet.
- Replaced its single real use in dapp-connector's injectGlobal test with a
  minimal inline window stub (injectGlobal only touches window.cardano; the
  test only reads window.location.hostname) and dropped the module .d.ts shim.

Result: mock-browser, jsdom@9, request and [email protected] are all removed;
the only remaining form-data is the patched 4.0.6. dapp-connector tests
green (44/44); full build green.

Resolves #1703.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

The web-extension bundle pulls jsonschema, which does `require('url')`. The
webpack base config polyfills node builtins via resolve.fallback but had no
`url` entry — it only built because the `url` polyfill package happened to be
present transitively. Dropping the legacy artillery chain removed that
transitive `url`, exposing the gap (CI: "Module not found: Can't resolve 'url'").

Adds `url: require.resolve('url/')` to the fallback and `url` as an explicit
e2e devDependency, so the build no longer depends on `url` being present by
accident. Verified: `test:web-extension:build:sw` compiles successfully.

Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>

 - @cardano-sdk/[email protected]
 - @cardano-sdk/[email protected]
 - @cardano-sdk/[email protected]
 - @cardano-sdk/[email protected]
 - @cardano-sdk/[email protected]
 - @cardano-sdk/[email protected]
 - @cardano-sdk/[email protected]
 - @cardano-sdk/[email protected]
 - @cardano-sdk/[email protected]
 - @cardano-sdk/[email protected]
 - @cardano-sdk/[email protected]
 - @cardano-sdk/[email protected]
 - @cardano-sdk/[email protected]
 - @cardano-sdk/[email protected]
 - @cardano-sdk/[email protected]
 - @cardano-sdk/[email protected]
 - @cardano-sdk/[email protected]
 - @cardano-sdk/[email protected]
 - @cardano-sdk/[email protected]