
fix: bump valibot to ^1.2.0 to address ReDoS vulnerability#2304

Closed

DanielDerefaka wants to merge 2 commits into bitcoinjs:master from DanielDerefaka:fix/bump-valibot-security

Conversation

@DanielDerefaka DanielDerefaka commented Dec 22, 2025

Summary

Bumps valibot from ^0.38.0 to ^1.2.0 to fix a HIGH severity ReDoS vulnerability in EMOJI_REGEX.

Security Advisory

Testing

  • Build passes
  • All 2660 unit tests pass

Fixes #2303

Contribution by Gittensor, see my contribution statistics at https://gittensor.io/miners/details?githubId=101010297

Bumps valibot from ^0.38.0 to ^1.2.0 to fix a HIGH severity ReDoS
vulnerability in EMOJI_REGEX (GHSA-vqpr-j7v3-hqw9).

All tests pass with the new version.

Fixes bitcoinjs#2303
@DanielDerefaka

Author

@Sjors would you review this PR?

@jasonandjay

Member

Okay, let's solve this problem.

@DanielDerefaka

Author

@jasonandjay just checking if there's anything else needed for this to be merged?

@junderw junderw left a comment

Member

I am fine with bumping the dependency if it doesn't break anything.

But I don't understand how this affects us. If you could explain how the vulnerability affects this library I will treat this PR with more urgency.

Please remove the peer: true stuff.

Comment thread on package-lock.json (Outdated)

junderw commented Dec 31, 2025

Member

The gitdiff job failure is probably due to all the peer: true stuff that was added for some reason.

Clean up package-lock.json to only contain the valibot version bump
without the spurious peer:true markers that npm automatically adds.
DanielDerefaka commented Dec 31, 2025

Author

Hi @junderw, thank you for the feedback!

I've removed the peer: true additions from package-lock.json - those were unintentionally added by npm during the install process.

How this vulnerability affects bitcoinjs-lib:

The valibot library is used in bitcoinjs-lib for input validation (schema validation). The vulnerability (GHSA-vqpr-j7v3-hqw9) is a ReDoS (Regular Expression Denial of Service) issue in valibot's EMOJI_REGEX pattern.

While bitcoinjs-lib may not directly use emoji validation, the vulnerable regex pattern exists in the valibot package regardless. An attacker could potentially:

  1. Craft malicious input strings that trigger catastrophic backtracking in the regex
  2. Cause the validation to hang or consume excessive CPU resources
  3. Lead to denial of service if validation is performed on untrusted input

Bumping to valibot v1.2.0 fixes this by using a safer regex implementation that doesn't suffer from exponential backtracking.

The fix is a low-risk dependency bump that addresses a potential DoS vector without any breaking changes to the API.
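As an added example (not code from the PR or from bitcoinjs-lib), a small audit over an npm lockfile for the two things this thread raises: installed copies of valibot below the 1.2.0 the PR bumps to, and stray `peer: true` markers of the kind the reviewer asked to have removed. It assumes npm's lockfileVersion 3 `packages` layout; the sample lockfile is constructed, and 1.2.0 is the fix version stated in the PR rather than one taken from the advisory.

```javascript
// Added example, not from the PR or bitcoinjs-lib. Audits an npm lockfile
// (lockfileVersion 3 layout) for (a) valibot entries below MIN_FIXED and
// (b) package entries carrying the "peer": true marker.
// MIN_FIXED is the version this PR bumps to, not a value from the advisory.
const MIN_FIXED = '1.2.0';

// Compare two dotted versions numerically (pre-release suffix ignored).
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk every installed package (nested copies included) and report findings.
function auditLockfile(lockfile) {
  const outdatedValibot = [];
  const peerMarked = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === '') continue; // root project entry, not an installed package
    if (path.endsWith('node_modules/valibot') &&
        compareVersions(entry.version, MIN_FIXED) < 0) {
      outdatedValibot.push(`${path}@${entry.version}`);
    }
    if (entry.peer === true) peerMarked.push(path);
  }
  return { outdatedValibot, peerMarked };
}

// Constructed sample lockfile: top-level valibot is fixed, but a nested copy
// under a hypothetical tool is still pre-fix, and one entry has a peer flag.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-consumer', dependencies: { valibot: '^1.2.0' } },
    'node_modules/valibot': { version: '1.2.0' },
    'node_modules/some-tool/node_modules/valibot': { version: '0.38.0' },
    'node_modules/typescript': { version: '5.0.0', peer: true },
  },
};

const REPORT = auditLockfile(SAMPLE_LOCKFILE);
console.log(JSON.stringify(REPORT, null, 2));
```

A clean result has both arrays empty; anything listed under `outdatedValibot` is a copy that a top-level bump alone does not fix.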

junderw commented Jan 2, 2026

Member

ahhh ok I see. The gitdiff problem was caused by the update to valibot.

Please run npm run build locally and commit the changes to the *.d.ts files as well.

Thanks.

I am still not sure if this is a vulnerability in all string validations or if it's just a vulnerability in a specific validation that we don't use.

@maxkalash

> I am still not sure if this is a vulnerability in all string validations or if it's just a vulnerability in a specific validation that we don't use.

Even if the affected validation isn’t used in practice, the advisory still propagates to downstream projects and causes audit / CI failures.
From a consumer standpoint, updating or constraining the dependency would help a lot.

junderw commented Jan 7, 2026

Member

Close in favor of #2308

@junderw junderw closed this Jan 7, 2026
Linked issue: Security: transitive ReDoS vulnerability via valibot dependency