Multiple DoS Security threat vectors exposed by chain-node

[therealklanni]

Your module is making use of chain-node which currently uses an older version of request that exposes multiple threat vectors.

│               │ Denial-of-Service Extended Event Loop Blocking
│ Name          │ qs
│ Installed     │ 0.6.6
│ Vulnerable    │ <1.0.0
│ Patched       │ >= 1.x
│ Path          │ bitgo@0.11.64 > chain-node@0.0.17 > request@2.36.0 > qs@0.6.6
│ More Info     │ https://nodesecurity.io/advisories/28

│               │ Denial-of-Service Memory Exhaustion
│ Name          │ qs
│ Installed     │ 0.6.6
│ Vulnerable    │ <1.0.0
│ Patched       │ >= 1.x
│ Path          │ bitgo@0.11.64 > chain-node@0.0.17 > request@2.36.0 > qs@0.6.6
│ More Info     │ https://nodesecurity.io/advisories/29

│               │ Regular Expression Denial of Service
│ Name          │ hawk
│ Installed     │ 1.0.0
│ Vulnerable    │ <4.1.1
│ Patched       │ >=4.1.1
│ Path          │ bitgo@0.11.64 > chain-node@0.0.17 > request@2.36.0 > hawk@1.0.0
│ More Info     │ https://nodesecurity.io/advisories/77

Information generated by nsp

Unless you find another solution, chain-node is currently blocking this

[masonicGIT]

Thanks @therealklanni, we did the following:

1. Removed the recovery tool from BitGoJS. This was the only repo relying on chain-node.
2. We still needed the recovery tool functionality and so we placed a version of it which relies on blockr (instead of chain-node) in a separate repo: (https://github.com/BitGo/bitgo-recovery-tool)

-Mason