Defensive audit finding.
Running `npm audit --omit=dev --json` in `sysnode-backend` on 2026-05-07 reports production dependency advisories:
- 19 total production vulnerabilities: 5 high, 3 moderate, 11 low.
- High-severity chain through `syscoinjs-lib@1.0.268` into `eth-proof` / `isomorphic-rpc` / `isomorphic-fetch` / `node-fetch@1.7.3`. `node-fetch` advisory: GHSA-r683-j2x4-v87g, "node-fetch forwards secure headers to untrusted sites", range `<2.6.7`.
- Moderate advisory through `express-rate-limit@8.3.2` -> `ip-address@10.1.0`: GHSA-v2v4-37r5-5v8g. `geoip-country@4.1.49` also pulls an affected `ip-address` path per audit output.
Relevant lockfile entries:
- `package-lock.json:9265-9276` pins `syscoinjs-lib@1.0.268`.
- `package-lock.json:7878-7886` pins `node-fetch@1.7.3`.
- `package-lock.json:4419-4426` pins `express-rate-limit@8.3.2` with `ip-address@10.1.0`.
Impact:
The backend handles authenticated governance/vault-adjacent flows and talks to Core/Blockbook/RPC services. Even if the current call paths do not pass secrets through the affected node-fetch chain, high-severity advisories in production dependencies should either be upgraded away or documented as non-exploitable after review.
Suggested fix:
- Investigate the `syscoinjs-lib` dependency tree and upgrade/override the vulnerable `node-fetch` path to `>=2.6.7` where compatible.
- Upgrade `express-rate-limit` once it no longer pulls an affected `ip-address`, or add a reviewed override if safe.
- Review/replace/downgrade `geoip-country` only if needed to remove the affected `ip-address` path.
- Add a CI check such as `npm audit --omit=dev --audit-level=high` so high-severity production advisories are caught before deploy.