cardano-foundation · iFergal · Nov 20, 2025 · Nov 20, 2025 · Nov 20, 2025 · Dec 11, 2025
diff --git a/.github/workflows/dependency-check-owasp-android.yml b/.github/workflows/dependency-check-owasp-android.yml
@@ -29,6 +29,14 @@
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
+      - name: Setup Node
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version-file: "package.json"
+
+      - name: Install dependencies
+        run: npm ci
+
       # Run OWASP Dependency-Check via the official Action
       - name: Run Dependency-Check
         uses: dependency-check/Dependency-Check_Action@2ba636726705b0f74f126ebeaacaf2ad4600b967 # main at 01/10/2025
@@ -37,16 +45,28 @@
           path: "android"
           format: "ALL"
           out: "reports"
-          args: "--failOnCVSS 7 --nvdApiKey ${{ env.NVD_API_KEY }} --disableCentral"
+          args: "--failOnCVSS 7 --nvdApiKey ${{ env.NVD_API_KEY }} -s **/*.jar"
+        continue-on-error: false
+
+      - name: Run Dependency-Check
+        uses: dependency-check/Dependency-Check_Action@2ba636726705b0f74f126ebeaacaf2ad4600b967 # main at 01/10/2025
+        with:
+          project: "veridian-wallet-android"
+          path: "node_modules"
+          format: "ALL"
+          out: "reports"
+          args: "--failOnCVSS 7 --nvdApiKey ${{ env.NVD_API_KEY }} -s **/*.jar"
         continue-on-error: false
 
       - name: Upload HTML report
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: always()
         with:
           name: depcheck-android-report
-          path: "reports/dependency-check-report.html"
+          path: "./dependency-check-report.html"
 
       - name: Upload SARIF to code scanning
         uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
+        if: always()
         with:
           sarif_file: "reports/dependency-check-report.sarif"
diff --git a/.github/workflows/dependency-check-owasp-ios.yml b/.github/workflows/dependency-check-owasp-ios.yml
@@ -3,8 +3,7 @@
 on:
   push:
     paths: &shared-trigger-paths
-      - "ios/**"
-      - "**/Podfile*"
+      - "**/Podfile.lock"
       - "**/Package*.swift"
       - ".github/workflows/dependency-check-owasp-ios.yml"
     branches:
@@ -29,6 +28,14 @@
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
 
+      - name: Setup Node
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version-file: "package.json"
+
+      - name: Install dependencies
+        run: npm ci
+
       # Run OWASP Dependency-Check via the official Action
       - name: Run Dependency-Check
         uses: dependency-check/Dependency-Check_Action@2ba636726705b0f74f126ebeaacaf2ad4600b967 # main at 01/10/2025
@@ -37,7 +44,7 @@
           path: "ios"
           format: "ALL"
           out: "reports"
-          args: "--failOnCVSS 7 --nvdApiKey ${{ env.NVD_API_KEY }}"
+          args: "--failOnCVSS 7 --nvdApiKey ${{ env.NVD_API_KEY }} -s **/Podfile.lock"
         continue-on-error: false
 
       - name: Upload HTML report

diff --git a/.github/workflows/dependency-check-owasp.yaml b/.github/workflows/dependency-check-owasp.yaml
@@ -0,0 +1,61 @@
+name: dependency-check-owasp-package-json
+
+on:
+  pull_request:
+    paths: &shared-trigger-paths
+      - 'package.json'
+      - 'package-lock.json'
+      - '.github/workflows/dependency-check-owasp.yaml'
+    types: [ opened, synchronize ]
+  push:
+    paths: *shared-trigger-paths
+    branches:
+      - main
+      - develop
+      - release/**
+
+jobs:
+  depcheck:
+    runs-on: ubuntu-latest
+
+    permissions:
+      contents: read
+      security-events: write
+
+    env:
+      NVD_API_KEY: ${{ secrets.NVD_API_KEY }}
+
+    steps:
+      - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
+
+      - name: Setup Node
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4.4.0
+        with:
+          node-version-file: "package.json"
+
+      - name: Install dependencies
+        run: npm ci
+
+      # Run OWASP Dependency-Check via the official Action
+      - name: Run Dependency-Check
+        uses: dependency-check/Dependency-Check_Action@2ba636726705b0f74f126ebeaacaf2ad4600b967 # main at 01/10/2025
+        with:
+          project: "veridian-wallet"
+          path: "."
+          format: "ALL"
+          out: "reports"
+          args: "--failOnCVSS 7 --nvdApiKey ${{ env.NVD_API_KEY }} -s **/package*json"
+        continue-on-error: false
+
+      - name: Upload HTML report
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        if: always()
+        with:
+          name: depcheck-android-report
+          path: "./dependency-check-report.html"
+
+      - name: Upload SARIF to code scanning
+        uses: github/codeql-action/upload-sarif@3599b3baa15b485a2e49ef411a7a4bb2452e7f93 # v3.30.5
+        if: always()
+        with:
+          sarif_file: "reports/dependency-check-report.sarif"
diff --git a/audit-ci.jsonc b/audit-ci.jsonc
@@ -1,43 +1,17 @@
 {
   // $schema provides code completion hints to IDEs.
   "$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json",
-  "moderate": false,
-  "critical": true,
+  "low": true,
   "allowlist": [
-    "GHSA-fjxv-7rqg-78g4",
-    {
-      "1100267": {
-        "active": true,
-        "notes": "This is a ReDOS vulnerability for email inputs in Appium drivers, so not applicable."
-      },
-      "1101851": {
-        "active": true,
-        "notes": "SSRF attacks are not relevant to our usage of Meerkat."
-      },
-      "1103618": {
-        "active": true,
-        "notes": "SSRF attacks on the Appium server when e2e testing do not impact the wallet."
-      },
-      "1105443": {
-        "active": true,
-        "notes": "REDS attacks on @capacitor/assets and the Appium server when e2e testing do not impact the wallet."
-      },
-      "1105444": {
-        "active": true,
-        "notes": "REDS attacks on @capacitor/assets and the Appium server when e2e testing do not impact the wallet."
-      },
-      "1106812": {
-        "active": true,
-        "notes": "On-headers is vulnerable to http response header on Appium server do not impact the wallet."
-      },
-      "1106507": {
-        "active": true,
-        "notes": "form-data uses Math.random() to select a boundary value for multipart form-encoded data. A hacker Can observe values produced by Math.random in the application and control the field of a form-data request on Appium server do not impact the wallet."
-      },
-      "1106849": {
-        "active": true,
-        "notes": "tmp allows arbitrary temporary file / directory write via symbolic link `dir` parameter"
-      }
-    }
+    "GHSA-2p57-rm9w-gvfp",  // SSRF attacks not relevant to our usage of Meerkat
+    "GHSA-4hjh-wcwx-xvwj",  // e2e tests
+    "GHSA-52f5-9888-hmc6",  // e2e tests
+    "GHSA-5j98-mcp5-4vw2",  // e2e tests
+    "GHSA-76c9-3jph-rj3q",  // e2e tests
+    "GHSA-fjxv-7rqg-78g4",  // e2e tests
+    "GHSA-jr5f-v2jv-69x6",  // e2e tests
+    "GHSA-mh29-5h37-fv8m",  // Only reads our config or jest/eslint related so little to no risk
+    "GHSA-rv73-9c8w-jp4c",  // e2e tests
+    "GHSA-v6h2-p8h4-qcjw"   // e2e tests or linting - low risk
   ]
 }
@@ -1,6 +1,6 @@
 ## Splashscreen and Icons  
 
-To customize the app icons and splash screens, the Veridian Wallet uses the [@capacitor/assets](https://github.com/ionic-team/capacitor-assets) package.    
+To customize the app icons and splash screens, the Veridian Wallet uses the [@capacitor/assets](https://github.com/ionic-team/capacitor-assets) package.
 
 ### Steps to Customize  
 
@@ -11,7 +11,7 @@ To customize the app icons and splash screens, the Veridian Wallet uses the [@ca
    Run the following command to generate platform-specific resources for all platforms:  
 
    ```bash  
-   npx capacitor-assets generate --assetPath ./src/assets  
+   npx capacitor-assets@latest generate --assetPath ./src/assets  
 
 This will generate the icons and splash screens for all platforms.  
 

diff --git a/osv-scanner.toml b/osv-scanner.toml
@@ -1,21 +1,48 @@
 [[IgnoredVulns]]
 id = "GHSA-2p57-rm9w-gvfp"
-reason = "pkg: ip - npte: no fix available yet"
-ignoreUntil = 2025-10-31 # lets review it at this date
+reason = "pkg: ip - note: SSRF attacks not relevant to our usage of Meerkat"
 
 [[IgnoredVulns]]
 id = "GHSA-4hjh-wcwx-xvwj"
-reason =  "pkg: axiox (dev) - note: used in e2e tests"
+reason =  "pkg: axiox (dev) - note: e2e tests"
+ignoreUntil = 2026-01-31
 
 [[IgnoredVulns]]
 id = "GHSA-52f5-9888-hmc6"
-reason = "pkg: tmp (dev) - note: used by cucumber"
-# 
-# ├─────────────────────────────────────┼──────┼───────────┼───────────────────┼─────────┼───────────────┼───────────────────────┤
-# │ https://osv.dev/GHSA-v6h2-p8h4-qcjw │ 3.1  │ npm       │ brace-expansion   │ 1.1.11  │ 1.1.12        │ src/package-lock.json │
-# │ https://osv.dev/GHSA-v6h2-p8h4-qcjw │ 3.1  │ npm       │ brace-expansion   │ 2.0.1   │ 2.0.2         │ src/package-lock.json │
-# │ https://osv.dev/GHSA-fjxv-7rqg-78g4 │ 9.4  │ npm       │ form-data (dev)   │ 4.0.2   │ 4.0.4         │ src/package-lock.json │
-# │ https://osv.dev/GHSA-76c9-3jph-rj3q │ 3.4  │ npm       │ on-headers (dev)  │ 1.0.2   │ 1.1.0         │ src/package-lock.json │
-# │ https://osv.dev/GHSA-95m3-7q98-8xr5 │ 9.1  │ npm       │ sha.js (dev)      │ 2.4.11  │ 2.4.12        │ src/package-lock.json │
-# │ https://osv.dev/GHSA-rv73-9c8w-jp4c │ 6.6  │ npm       │ validate.js (dev) │ 0.13.1  │ --            │ src/package-lock.json │
-# ╰─────────────────────────────────────┴──────┴───────────┴───────────────────┴─────────┴───────────────┴───────────────────────╯
+reason = "pkg: tmp (dev) - note: e2e tests"
+ignoreUntil = 2026-01-31
+
+[[IgnoredVulns]]
+id = "GHSA-jr5f-v2jv-69x6"
+reason = "pkg: axios (dev) - note: e2e tests"
+ignoreUntil = 2026-01-31
+
+[[IgnoredVulns]]
+id = "GHSA-v6h2-p8h4-qcjw"
+reason = "pkg: brace-expansion (dev) - note: e2e tests or linting - low risk"
+ignoreUntil = 2026-01-31
+
+[[IgnoredVulns]]
+id = "GHSA-fjxv-7rqg-78g4"
+reason = "pkg: form-data (dev) - note: e2e tests"
+ignoreUntil = 2026-01-31
+
+[[IgnoredVulns]]
+id = "GHSA-5j98-mcp5-4vw2"
+reason = "pkg: glob (dev) - note: e2e tests"
+ignoreUntil = 2026-01-31
+
+[[IgnoredVulns]]
+id = "GHSA-mh29-5h37-fv8m"
+reason = "pkg: js-yaml (dev) - note: Only reads our config or jest/eslint related so little to no risk"
+ignoreUntil = 2026-01-31
+
+[[IgnoredVulns]]
+id = "GHSA-76c9-3jph-rj3q"
+reason = "pkg: on-headers (dev) - note: e2e tests"
+ignoreUntil = 2026-01-31
+
+[[IgnoredVulns]]
+id = "GHSA-rv73-9c8w-jp4c"
+reason = "pkg: validate.js (dev) - note: e2e tests"
+ignoreUntil = 2026-01-31