
fix(security): resolve dependabot alerts without major bumps#2477

Merged

carneiro-cw merged 1 commit into main from security/dependabot-bulk-cleanup on Mar 19, 2026

Conversation

Contributor

@titaniumcloudwalk titaniumcloudwalk commented Mar 18, 2026

User description

Summary

  • regenerate both e2e lockfiles with targeted overrides to land patched npm dependencies without a Hardhat major bump
  • bump the Rust dependency graph for the open alerts and refresh cargo-vet imports/exemptions so the locked graph stays vetted
  • update utils/compare_block/poetry.lock to move protobuf to a patched release
  • replace the approach from fix(security): resolve Dependabot alerts #2476 with a narrower, safer dependency-only rollout

Motivation

#2476 had the right goal, but it solved the npm side by dragging in a
Hardhat major upgrade and messy lockfile churn. This PR keeps the
existing toolchain shape and applies targeted dependency updates only
where needed to clear the current Dependabot alerts.

How to test

  1. Run cargo check --locked
  2. Run cargo vet --locked
  3. Run cd e2e && npm audit --json --package-lock-only | jq '.vulnerabilities | with_entries(select(.key | test("^(axios|undici|minimatch|fast-xml-parser|qs|lodash|immutable|serialize-javascript)$")))'
  4. Run cd e2e/cloudwalk-contracts/integration && npm audit --json --package-lock-only | jq '.vulnerabilities | with_entries(select(.key | test("^(axios|undici|minimatch|fast-xml-parser|qs|lodash|immutable|serialize-javascript)$")))'
  5. Inspect utils/compare_block/poetry.lock and confirm protobuf is on a patched release

Checklist

  • Lint passes (cargo +nightly clippy --all-targets currently fails on pre-existing issues unrelated to this diff)
  • Tests pass
  • Type checks pass
  • No secrets committed
  • Documentation updated (if applicable)

PR Type

Bug fix


Description

  • Bump Rust dependencies for security

  • Update npm deps (axios, undici) in e2e projects

  • Add targeted overrides for vulnerable sub-dependencies

  • Revise supply-chain exemption versions


File Walkthrough

Relevant files

Dependencies

  Cargo.toml (+2/-2): Bump oneshot and bytes dependencies
    • Updated oneshot from 0.1.11 to 0.1.12
    • Updated bytes from 1.11.0 to 1.11.1

  e2e/cloudwalk-contracts/integration/package.json (+36/-3): Update integration npm dependencies and overrides
    • Bumped axios to ^1.13.5 and undici to ^6.24.0
    • Added overrides for fast-xml-parser, immutable, lodash, qs
    • Pinned minimatch across multiple packages
    • Ensured undici resolution in Hardhat plugins

  e2e/package.json (+36/-3): Update e2e npm dependencies and overrides
    • Bumped axios to ^1.13.5 and undici to ^6.24.0
    • Added same sub-dependency overrides as integration package
    • Pinned minimatch and serialize-javascript versions

Configuration changes

  supply-chain/config.toml (+7/-55): Revise supply-chain exemptions versions
    • Removed outdated crate exemptions entries
    • Updated versions for aws-lc-rs, aws-lc-sys, quinn-proto and others
    • Added exemption for oneshot to 0.1.12

Regenerate the e2e npm lockfiles with targeted overrides so the
affected packages move to patched versions without forcing a Hardhat
major upgrade.

Update the Rust lockfile to patched versions for the open advisories
and refresh cargo-vet imports and exemptions so the locked graph stays
fully vetted.

Bump protobuf in utils/compare_block/poetry.lock to a patched release
tracked by Dependabot.

Co-Authored-By: OpenAI Assistant <noreply@openai.com>
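
The jq filter in steps 3 and 4 of the post above is the actual gate for the npm side of this change. As an added example (not code from the pull request or the repository), the script below performs the same check in Python, so a CI job can fail while any targeted package is still reported instead of relying on a reviewer reading jq output. The audit JSON embedded in the block is constructed sample data in the npm v7+ audit report shape, not a real audit of these lockfiles, and the script name check_audit.py used in the usage note is an assumption.

```python
"""Check that targeted packages no longer appear in `npm audit --json` output.

Added example for this PR page; it is not part of the pull request or the
repository. It mirrors the jq filter from the "How to test" steps 3 and 4 in
Python so the same gate can run without jq. The JSON below is constructed
sample output in the npm v7+ audit report shape, not a real audit.
"""
import json
import re
import sys

# Same package list the PR's jq filter keys on.
TARGETED = re.compile(
    r"^(axios|undici|minimatch|fast-xml-parser|qs|lodash|immutable|serialize-javascript)$"
)


def outstanding_alerts(audit_report: str, pattern=TARGETED) -> dict:
    """Return {package: severity} for targeted packages still reported.

    Equivalent to `jq '.vulnerabilities | with_entries(select(.key | test(RE)))'`,
    but reduced to the severity per package so the result is easy to assert on.
    """
    report = json.loads(audit_report)
    vulns = report.get("vulnerabilities", {})
    return {
        name: entry.get("severity", "unknown")
        for name, entry in vulns.items()
        if pattern.match(name)
    }


def audit_clears_targets(audit_report: str) -> bool:
    """True when no targeted package is listed in the audit report."""
    return not outstanding_alerts(audit_report)


# Constructed sample: minimatch is still on a vulnerable range (one of the
# packages the PR pins), and an unrelated package is reported too.
SAMPLE_BEFORE = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "minimatch": {
            "name": "minimatch", "severity": "high", "isDirect": False,
            "via": [{"title": "constructed sample advisory", "severity": "high"}],
            "range": "<3.0.5", "fixAvailable": True,
        },
        "some-other-pkg": {
            "name": "some-other-pkg", "severity": "low", "isDirect": False,
            "via": ["constructed"], "range": "*", "fixAvailable": False,
        },
    },
    "metadata": {"vulnerabilities": {"high": 1, "low": 1, "total": 2}},
})

# Constructed sample: after the overrides land, only the unrelated package
# remains, so the targeted check passes.
SAMPLE_AFTER = json.dumps({
    "auditReportVersion": 2,
    "vulnerabilities": {
        "some-other-pkg": {
            "name": "some-other-pkg", "severity": "low", "isDirect": False,
            "via": ["constructed"], "range": "*", "fixAvailable": False,
        },
    },
    "metadata": {"vulnerabilities": {"low": 1, "total": 1}},
})


if __name__ == "__main__":
    # Read a real report from stdin when piped; fall back to the sample otherwise.
    report = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_BEFORE
    left = outstanding_alerts(report)
    print("targeted alerts still open:", left or "none")
    sys.exit(1 if left else 0)
```

Pipe the real report in from each e2e directory, for example `cd e2e && npm audit --json --package-lock-only | python3 check_audit.py`; the process exits non-zero while any targeted package is still listed, which is what steps 3 and 4 ask the reviewer to confirm by eye.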
@github-actions
Contributor

PR Reviewer Guide 🔍

Here are some key observations to aid the review process:

🎫 Ticket compliance analysis 🔶

2476 - Partially compliant

Compliant requirements:

  • Bulk resolution of security alerts via targeted npm and Rust dependency updates
  • Semver-compatible version bumps for Rust crates and npm packages (axios, undici)
  • Lockfiles regenerated with minimal changes and targeted overrides
  • Protobuf bumped in utils/compare_block/poetry.lock
  • No secrets committed
  • Supply-chain exemptions revised to match updated Rust dependencies

Non-compliant requirements:

  • Lint passes (cargo +nightly clippy) are not yet confirmed
  • Tests pass is unchecked
  • Type checks pass is unchecked
  • Documentation updates are missing

Requires further human verification:

  • Verify npm lockfile audit actually clears the targeted vulnerabilities
  • Manually review removal of old exemptions to ensure no regressions

⏱️ Estimated effort to review: 2 🔵🔵⚪⚪⚪
🧪 No relevant tests
🔒 No security concerns identified
⚡ Recommended focus areas for review

Missing Exemption

The bytes dependency was bumped to 1.11.1 but there’s no matching entry in supply-chain/config.toml
for cargo-vet exemptions. Add an exemption for bytes = "1.11.1" so cargo vet --locked will pass.

tower-http = { version = "=0.6.8", features = ["cors"] }
http = "=1.3.1"
http-body = "=1.0.1"
http-body-util = "=0.1.3"
bytes = "=1.11.1"

# observability
log = "=0.4.29"

Exemption Removals

Multiple exemptions (e.g., chrono, anyhow, keccak) were removed in this PR. Verify removing
them does not reintroduce blocked or vulnerable packages and that cargo-vet still approves the lock.

criteria = "safe-to-deploy"

[[exemptions.alloy-rlp-derive]]
version = "0.3.12"
criteria = "safe-to-deploy"

[[exemptions.alloy-rpc-types-eth]]
version = "1.0.24"
criteria = "safe-to-deploy"

[[exemptions.alloy-serde]]
version = "1.0.24"
criteria = "safe-to-deploy"
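
The "Missing Exemption" item above is a cross-reference between versions pinned in Cargo.toml and the [[exemptions.<crate>]] entries in supply-chain/config.toml. As an added example (not the project's code, and not how cargo vet itself evaluates a lockfile), the script below does that cross-reference with a small line-based parser so a reviewer can list pins that have no exemption at the pinned version before running cargo vet --locked. The two TOML fragments are constructed samples modelled on the lines quoted in the comment; they are not the repository's real files. cargo vet also accepts audits recorded in audits.toml and imported audits, so a crate listed by this check is a candidate to look at, not an automatic failure.

```python
"""List exact-pinned Cargo.toml dependencies lacking a cargo-vet exemption.

Added example for this PR page, not the project's code and not cargo vet's
own logic. Uses a small line-based parser rather than a TOML library so it
runs on any Python 3 without extra packages. The sample inputs below are
constructed from fragments quoted in the review comment.
"""
import re

# `name = "=1.2.3"` or `name = { version = "=1.2.3", features = [...] }`
DEP_LINE = re.compile(
    r'^\s*([A-Za-z0-9_-]+)\s*=\s*(?:"([^"]+)"|\{[^}]*\bversion\s*=\s*"([^"]+)"[^}]*\})\s*$'
)
SECTION = re.compile(r'^\s*\[([^\]]+)\]\s*$')            # [dependencies], [package], ...
EXEMPTION_HEADER = re.compile(r'^\s*\[\[exemptions\.([A-Za-z0-9_-]+)\]\]\s*$')
VERSION_LINE = re.compile(r'^\s*version\s*=\s*"([^"]+)"\s*$')


def pinned_dependencies(cargo_toml: str) -> dict:
    """Return {crate: version} for deps pinned with an exact '=' requirement."""
    pins = {}
    in_deps = False
    for raw in cargo_toml.splitlines():
        line = raw.split("#", 1)[0].rstrip()          # drop trailing comments
        if not line:
            continue
        section = SECTION.match(line)
        if section:
            # [dependencies], [dev-dependencies], [workspace.dependencies], ...
            in_deps = section.group(1).endswith("dependencies")
            continue
        if not in_deps:
            continue
        dep = DEP_LINE.match(line)
        if dep:
            requirement = dep.group(2) or dep.group(3)
            if requirement.startswith("="):
                pins[dep.group(1)] = requirement[1:]
    return pins


def exemptions(config_toml: str) -> dict:
    """Return {crate: {versions}} from [[exemptions.<crate>]] tables."""
    found = {}
    current = None
    for line in config_toml.splitlines():
        header = EXEMPTION_HEADER.match(line)
        if header:
            current = header.group(1)
            found.setdefault(current, set())
            continue
        if line.strip().startswith("["):               # any other table ends the entry
            current = None
            continue
        version = VERSION_LINE.match(line)
        if version and current:
            found[current].add(version.group(1))
    return found


def pins_without_exemption(cargo_toml: str, config_toml: str) -> dict:
    """Pinned crates whose pinned version has no matching exemption entry."""
    exempt = exemptions(config_toml)
    return {
        crate: version
        for crate, version in pinned_dependencies(cargo_toml).items()
        if version not in exempt.get(crate, set())
    }


# Constructed Cargo.toml fragment (versions taken from the quoted snippet).
CARGO_TOML = """
[package]
name = "sample-crate"
version = "0.0.0"

[dependencies]
tower-http = { version = "=0.6.8", features = ["cors"] }
bytes = "=1.11.1"
oneshot = "=0.1.12"

# observability
log = "=0.4.29"
"""

# Constructed supply-chain/config.toml fragment: bytes is still exempted at the
# old version and log has no entry at all, so both should be reported.
CONFIG_TOML = """
[[exemptions.alloy-rlp-derive]]
version = "0.3.12"
criteria = "safe-to-deploy"

[[exemptions.bytes]]
version = "1.11.0"
criteria = "safe-to-deploy"

[[exemptions.oneshot]]
version = "0.1.12"
criteria = "safe-to-deploy"

[[exemptions.tower-http]]
version = "0.6.8"
criteria = "safe-to-deploy"
"""

if __name__ == "__main__":
    for crate, version in sorted(pins_without_exemption(CARGO_TOML, CONFIG_TOML).items()):
        print(f"{crate} {version}: no exemption at this version; check audits or cargo vet")
```

On the real repository, read Cargo.toml and supply-chain/config.toml from disk in place of the two sample strings; anything the script prints is then a line to confirm against `cargo vet --locked` rather than a verdict on its own.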

@github-actions
Contributor

PR Code Suggestions ✨

No code suggestions found for the PR.

@codecov

codecov bot commented Mar 18, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 84.26%. Comparing base (d5188d5) to head (22a620d).
⚠️ Report is 6 commits behind head on main.

@@            Coverage Diff             @@
##             main    #2477      +/-   ##
==========================================
- Coverage   84.41%   84.26%   -0.15%     
==========================================
  Files         141      141              
  Lines       10808    10826      +18     
==========================================
- Hits         9124     9123       -1     
- Misses       1684     1703      +19     
Flag                                      | Coverage   | Δ
------------------------------------------+------------+----------
contracts-rocks-asset-transit-desk        | 43.59% <ø> | -0.06% ⬇️
contracts-rocks-balance-freezer           | 42.66% <ø> | -0.06% ⬇️
contracts-rocks-balance-tracker           | 43.01% <ø> | -0.06% ⬇️
contracts-rocks-base                      | 43.56% <ø> | -0.06% ⬇️
contracts-rocks-blueprint                 | 43.93% <ø> | -0.04% ⬇️
contracts-rocks-capybara-finance          | 44.24% <ø> | -0.06% ⬇️
contracts-rocks-capybara-finance-v2       | 44.30% <ø> | -0.06% ⬇️
contracts-rocks-card-payment-processor    | 44.01% <ø> | -0.06% ⬇️
contracts-rocks-card-payment-processor-v2 | 44.35% <ø> | -0.02% ⬇️
contracts-rocks-cashier                   | 43.91% <ø> | -0.06% ⬇️
contracts-rocks-credit-agent              | 43.20% <ø> | -0.06% ⬇️
contracts-rocks-multisig                  | 43.90% <ø> | -0.06% ⬇️
contracts-rocks-net-yield-distributor     | 43.91% <ø> | -0.08% ⬇️
contracts-rocks-periphery                 | 42.66% <ø> | -0.06% ⬇️
contracts-rocks-shared-wallet-controller  | 43.94% <ø> | -0.08% ⬇️
contracts-rocks-token                     | 44.03% <ø> | -0.06% ⬇️
contracts-rocks-treasury                  | 43.63% <ø> | -0.06% ⬇️
e2e-admin-password                        | 22.79% <ø> | -0.05% ⬇️
e2e-clock-stratus                         | 25.65% <ø> | -0.04% ⬇️
e2e-genesis                               | 27.18% <ø> | -0.05% ⬇️
e2e-importer-offline                      | 60.08% <ø> | -0.08% ⬇️
e2e-rpc-downloader                        | 55.08% <ø> | -0.08% ⬇️
e2e-stratus                               | 57.52% <ø> | -0.12% ⬇️
leader-follower-                          | 61.60% <ø> | -0.12% ⬇️
rust-tests                                | 31.92% <ø> | +1.19% ⬆️

Flags with carried forward coverage won't be shown.


@carneiro-cw carneiro-cw merged commit e8889d5 into main Mar 19, 2026
52 of 53 checks passed
@carneiro-cw carneiro-cw deleted the security/dependabot-bulk-cleanup branch March 19, 2026 20:03