Skip to content

chore(deps): security #3296

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
tac0turtle merged 4 commits into from
Apr 29, 2026
Merged

chore(deps): security #3296

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
ac6b710
fix security deps
tac0turtle Apr 28, 2026
35bbbcb
Merge branch 'main' into marko/sec_deps
tac0turtle Apr 28, 2026
cc9dbc1
fix helpers
tac0turtle Apr 28, 2026
3c99304
Merge branch 'main' into marko/sec_deps
tac0turtle Apr 29, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions execution/evm/test/execution_test.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,8 +21,8 @@ import (

const (
CHAIN_ID = "1234"
GENESIS_HASH = "0x2b8bbb1ea1e04f9c9809b4b278a8687806edc061a356c7dbc491930d8e922503"
GENESIS_STATEROOT = "0x05e9954443da80d86f2104e56ffdfd98fe21988730684360104865b3dc8191b4"
GENESIS_HASH = "0x6699a4ef6e7b76499c6cd68443455a3584e505b1da43cf82e6efaef41f5e1d8a"
GENESIS_STATEROOT = "0x0373244015ce5fa583ed6e575b7a22c39a542233a62d2bd47c37fd1a2b035366"
TEST_PRIVATE_KEY = "cece4f25ac74deb1468965160c7185e07dff413f23fcadb611b05ca37ab0a52e"
TEST_TO_ADDRESS = "0x944fDcD1c868E3cC566C78023CcB38A32cDA836E"
)
Comment on lines 22 to 28
Copy link
Copy Markdown
Contributor

@coderabbitai coderabbitai Bot Apr 29, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

Security: avoid committing a raw private key constant.

TEST_PRIVATE_KEY is hardcoded in the test file. Even if intended for local/E2E usage, this is still a sensitive artifact and can be reused accidentally or leaked via logs/exports.

Consider:

  • Read the key from an env var (and fail if missing), or
  • Generate a deterministic test key at runtime from a fixed seed (so CI stays reproducible) without storing the raw private key.
Proposed direction 
const (
  CHAIN_ID          = "1234"
  GENESIS_HASH      = "0x6699a4ef..."
  GENESIS_STATEROOT = "0x037324..."
- TEST_PRIVATE_KEY  = "cece4f25ac74deb1468965160c7185e07dff413f23fcadb611b05ca37ab0a52e"
+ // Load from env to avoid committing raw private key material.
+ // Fallback: generate deterministically from a fixed seed if you prefer
+ // (but avoid storing the raw key in the repo).
  TEST_TO_ADDRESS   = "0x944fDcD1c868E3cC566C78023CcB38A32cDA836E"
)

Then:

  • privKey := os.Getenv("EVM_TEST_PRIVATE_KEY")
  • require.NotEmpty(t, privKey, "missing EVM_TEST_PRIVATE_KEY")
  • use privKey in evm.GetRandomTransaction(...).
🧰 Tools
🪛 Betterleaks (1.1.2)

[high] 26-26: Detected a Generic API Key, potentially exposing access to various services and sensitive operations.

(generic-api-key)

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@execution/evm/test/execution_test.go` around lines 22 - 28, The test
currently embeds a raw private key constant TEST_PRIVATE_KEY; remove that
constant and instead obtain the test key at runtime—either read
EVM_TEST_PRIVATE_KEY from the environment (fail the test with
require.NotEmpty(t, privKey, "missing EVM_TEST_PRIVATE_KEY") if absent) or
derive a deterministic key from a fixed seed at test startup so CI is
reproducible; then pass the resulting privKey into the existing
evm.GetRandomTransaction(...) call (and any other places referencing
TEST_PRIVATE_KEY) so no raw private key is committed in execution_test.go.

Expand Down
53 changes: 31 additions & 22 deletions execution/evm/test/go.mod
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ module github.com/evstack/ev-node/execution/evm/test
go 1.25.7

require (
github.com/celestiaorg/tastora v0.8.0
github.com/celestiaorg/tastora v0.19.0
github.com/ethereum/go-ethereum v1.17.2
github.com/evstack/ev-node/execution/evm v0.0.0-00010101000000-000000000000
github.com/golang-jwt/jwt/v5 v5.3.1
Expand All @@ -18,43 +18,50 @@ require (
cosmossdk.io/collections v0.4.0 // indirect
cosmossdk.io/core v0.11.1 // indirect
cosmossdk.io/depinject v1.1.0 // indirect
cosmossdk.io/errors v1.0.1 // indirect
cosmossdk.io/log v1.4.1 // indirect
cosmossdk.io/math v1.4.0 // indirect
cosmossdk.io/store v1.1.1 // indirect
cosmossdk.io/x/tx v0.13.7 // indirect
cosmossdk.io/errors v1.0.2 // indirect
cosmossdk.io/log v1.6.0 // indirect
cosmossdk.io/math v1.5.1 // indirect
cosmossdk.io/store v1.1.2 // indirect
cosmossdk.io/x/tx v0.13.8 // indirect
filippo.io/edwards25519 v1.1.1 // indirect
github.com/99designs/go-keychain v0.0.0-20191008050251-8e49817e8af4 // indirect
github.com/99designs/keyring v1.2.1 // indirect
github.com/99designs/keyring v1.2.2 // indirect
github.com/BurntSushi/toml v1.5.0 // indirect
github.com/DataDog/zstd v1.5.5 // indirect
github.com/DataDog/zstd v1.5.6 // indirect
github.com/Microsoft/go-winio v0.6.2 // indirect
github.com/ProjectZKM/Ziren/crates/go-runtime/zkvm_runtime v0.0.0-20251001021608-1fe7b43fc4d6 // indirect
github.com/StackExchange/wmi v1.2.1 // indirect
github.com/avast/retry-go/v4 v4.6.1 // indirect
github.com/bcp-innovations/hyperlane-cosmos v1.0.1 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/bgentry/speakeasy v0.1.1-0.20220910012023-760eaf8b6816 // indirect
github.com/bgentry/speakeasy v0.2.0 // indirect
github.com/bits-and-blooms/bitset v1.20.0 // indirect
github.com/bytedance/gopkg v0.1.3 // indirect
github.com/bytedance/sonic v1.15.0 // indirect
github.com/bytedance/sonic/loader v0.5.0 // indirect
github.com/celestiaorg/go-square/v3 v3.0.2 // indirect
github.com/cenkalti/backoff/v5 v5.0.3 // indirect
github.com/cespare/xxhash/v2 v2.3.0 // indirect
github.com/cloudwego/base64x v0.1.6 // indirect
github.com/cockroachdb/apd/v3 v3.2.1 // indirect
github.com/cockroachdb/errors v1.11.3 // indirect
github.com/cockroachdb/fifo v0.0.0-20240606204812-0bbfbd93a7ce // indirect
github.com/cockroachdb/logtags v0.0.0-20230118201751-21c54148d20b // indirect
github.com/cockroachdb/fifo v0.0.0-20240816210425-c5d0cb0b6fc0 // indirect
github.com/cockroachdb/logtags v0.0.0-20241215232642-bb51bb14a506 // indirect
github.com/cockroachdb/pebble v1.1.5 // indirect
github.com/cockroachdb/redact v1.1.5 // indirect
github.com/cockroachdb/tokenbucket v0.0.0-20230807174530-cc333fc44b06 // indirect
github.com/cometbft/cometbft v0.38.21 // indirect
github.com/cometbft/cometbft-db v0.14.1 // indirect
github.com/cometbft/cometbft-db v1.0.4 // indirect
github.com/consensys/gnark-crypto v0.18.2 // indirect
github.com/containerd/errdefs v1.0.0 // indirect
github.com/containerd/errdefs/pkg v0.3.0 // indirect
github.com/cosmos/btcutil v1.0.5 // indirect
github.com/cosmos/cosmos-db v1.1.1 // indirect
github.com/cosmos/cosmos-proto v1.0.0-beta.5 // indirect
github.com/cosmos/cosmos-sdk v0.50.15 // indirect
github.com/cosmos/go-bip39 v1.0.0 // indirect
github.com/cosmos/gogoproto v1.7.0 // indirect
github.com/cosmos/iavl v1.2.2 // indirect
github.com/cosmos/iavl v1.2.6 // indirect
github.com/cosmos/ics23/go v0.11.0 // indirect
github.com/cosmos/ledger-cosmos-go v0.15.0 // indirect
github.com/crate-crypto/go-eth-kzg v1.5.0 // indirect
Expand All @@ -65,8 +72,7 @@ require (
github.com/dgraph-io/badger/v4 v4.5.1 // indirect
github.com/dgraph-io/ristretto/v2 v2.1.0 // indirect
github.com/distribution/reference v0.6.0 // indirect
github.com/docker/docker v28.4.0+incompatible // indirect
github.com/docker/go-connections v0.5.0 // indirect
github.com/docker/go-connections v0.6.0 // indirect
github.com/docker/go-units v0.5.0 // indirect
github.com/dustin/go-humanize v1.0.1 // indirect
github.com/dvsekhvalnov/jose2go v1.7.0 // indirect
Expand All @@ -77,13 +83,14 @@ require (
github.com/felixge/httpsnoop v1.0.4 // indirect
github.com/ferranbt/fastssz v0.1.4 // indirect
github.com/fsnotify/fsnotify v1.9.0 // indirect
github.com/getsentry/sentry-go v0.27.0 // indirect
github.com/getsentry/sentry-go v0.31.1 // indirect
github.com/go-kit/kit v0.13.0 // indirect
github.com/go-kit/log v0.2.1 // indirect
github.com/go-logfmt/logfmt v0.6.0 // indirect
github.com/go-logr/logr v1.4.3 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-ole/go-ole v1.3.0 // indirect
github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
github.com/go-viper/mapstructure/v2 v2.5.0 // indirect
github.com/goccy/go-yaml v1.19.2 // indirect
github.com/godbus/dbus v0.0.0-20190726142602-4481cbc300e2 // indirect
Expand All @@ -103,7 +110,7 @@ require (
github.com/hashicorp/go-immutable-radix v1.3.1 // indirect
github.com/hashicorp/go-metrics v0.5.4 // indirect
github.com/hashicorp/golang-lru v1.0.2 // indirect
github.com/hdevalence/ed25519consensus v0.1.0 // indirect
github.com/hdevalence/ed25519consensus v0.2.0 // indirect
github.com/holiman/uint256 v1.3.2 // indirect
github.com/iancoleman/strcase v0.3.0 // indirect
github.com/inconshreveable/mousetrap v1.1.0 // indirect
Expand All @@ -113,15 +120,15 @@ require (
github.com/klauspost/cpuid/v2 v2.3.0 // indirect
github.com/kr/pretty v0.3.1 // indirect
github.com/kr/text v0.2.0 // indirect
github.com/linxGnu/grocksdb v1.8.14 // indirect
github.com/linxGnu/grocksdb v1.9.8 // indirect
github.com/magiconair/properties v1.8.10 // indirect
github.com/mattn/go-colorable v0.1.14 // indirect
github.com/mattn/go-isatty v0.0.20 // indirect
github.com/minio/sha256-simd v1.0.1 // indirect
github.com/mitchellh/mapstructure v1.5.0 // indirect
github.com/moby/docker-image-spec v1.3.1 // indirect
github.com/moby/moby v27.5.1+incompatible // indirect
github.com/moby/sys/sequential v0.6.0 // indirect
github.com/moby/moby/api v1.54.1 // indirect
github.com/moby/moby/client v0.4.0 // indirect
github.com/mr-tron/base58 v1.2.0 // indirect
github.com/mtibben/percent v0.2.1 // indirect
github.com/multiformats/go-base32 v0.1.0 // indirect
Expand Down Expand Up @@ -161,9 +168,10 @@ require (
github.com/tidwall/btree v1.7.0 // indirect
github.com/tklauser/go-sysconf v0.3.12 // indirect
github.com/tklauser/numcpus v0.6.1 // indirect
github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
github.com/zondax/hid v0.9.2 // indirect
github.com/zondax/ledger-go v1.0.0 // indirect
go.etcd.io/bbolt v1.4.0-alpha.0.0.20240404170359-43604f3112c5 // indirect
go.etcd.io/bbolt v1.4.0 // indirect
go.opencensus.io v0.24.0 // indirect
go.opentelemetry.io/auto/sdk v1.2.1 // indirect
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.67.0 // indirect
Expand All @@ -177,6 +185,7 @@ require (
go.uber.org/multierr v1.11.0 // indirect
go.yaml.in/yaml/v2 v2.4.4 // indirect
go.yaml.in/yaml/v3 v3.0.4 // indirect
golang.org/x/arch v0.15.0 // indirect
golang.org/x/crypto v0.50.0 // indirect
golang.org/x/exp v0.0.0-20260312153236-7ab1446f8b90 // indirect
golang.org/x/net v0.53.0 // indirect
Expand All @@ -193,7 +202,7 @@ require (
gopkg.in/yaml.v3 v3.0.1 // indirect
gotest.tools/v3 v3.5.2 // indirect
lukechampine.com/blake3 v1.4.1 // indirect
pgregory.net/rapid v1.1.0 // indirect
pgregory.net/rapid v1.2.0 // indirect
sigs.k8s.io/yaml v1.4.0 // indirect
)

Expand Down
Loading
Loading