chore(release): publish v2.0.0-rc.1

[petermetz]

Important I know that there are quite a few PRs pending right now, but please do not ask to have those included in this release because that would force me to redo the entire release process from scratch. We can have subsequent v2.0.0-rc.2, v2.0.0-rc.3, v2.0.0-rc.4, etc.. releases as much as we like, but this one is particularly important to be issued ASAP because the currently "latest" version we have out on npm have dependency declaration issues that are urgently needing a fix.

2.0.0-rc.1 (2024-06-14)

Bug Fixes

• cactus-common: coerceUnknownToError() now uses HTML sanitize (d70488a)
• cactus-example-cbdc-bridging-backend: add missing CRPC port config option (84c0733)
• cmd-api-server: add runtime type validation to HTTP verbs pulled from OAS (b0ff599), closes #2751 #2751 #2751 #2754
• cmd-api-server: address CVE-2022-25881 (81da333), closes #2862
• cmd-api-server: fix CVE-2023-36665 protobufjs try 2 (4e8b553), closes #2682
• cmd-api-server: healthcheck broken due to missing wget binary (8f1ca3f), closes #2894
• connector-besu: error handling of DeployContractSolidityBytecodeEndpoint (89d9b93), closes #2868
• connector-besu: toBuffer only supports 0x-prefixed hex (1d00e32)
• connector-corda: contract deployment SSH reconnect race condition (0af2eb1)
• connector-fabric: address CVEs: CVE-2022-21190, CVE-2021-3918 (11e775d), closes #2864
• connector-quorum/ethereum: strengthen contract parameter validation (779bb7e), closes #2760
• corda-simple-app: use correct bond asset flows and contracts for bond asset exchange (caa2b3a)
• deps: bulk add missing dependencies - 2023-11-02 (8addb01), closes #2857
• GHSA-8qv2-5vq6-g2g7 webpki CPU denial of service in certificate path (e24458f)
• indy-vdr-nodejs: update dependency version (f81b46b)
• ledger-browser: fix vulnerability CVE-2022-37601 (55c7d3d)
• persistence-fabric: hide not critical API (793f94f)
• plugin-htlc-coordinator-besu: add missing HSTS header (dff34e8)
• plugin-keychain-vault: fix CVE-2024-0553 in vault server image (1eacf7e)
• security: address CVE-2021-3749 - axios >=0.22.0 (61fc700)
• security: mitigate CVE-2024-21505 (f48994f)
• security: remediate qs vulnerability CVE-2022-24999 (536b6b1)
• weaver-asset-transfer: return proper error messages for pledge status and claim status (f8f6bcb)
• weaver-fabric-node-sdk: made AES key length configurable in ECIES functions (e679801)
• weaver-go-cli: updated Weaver Fabric Go CLI module to ensure local compilation (1668cf4)
• weaver-go-sdk: corrected membership API function signatures (083ea4f)
• weaver-go-sdk: revert fabric-protos-go-apiv2 dep to fabric-protos-go (6994e5b)
• weaver-membership-functions: reverted earlier buggy change affecting identity mgmt (faf90dd)
• weaver-packages: removing unnecessary package-lock.json file (f3e53e4)
• weaver-satp: bug and configuration fixes in relays and Fabric drivers for sample SATP implementation (9f77871)
• weaver: improper exception handling (a33f30c), closes #2767
• weaver: upgraded Corda dependencies to overcome Log4j vulnerability (76f0c68)
• weaver: usage of weak PRNG issue (fa17b52), closes #2765

Features

• actionlint: fix the errors produced by the ActionLint tool (e6d5d88)
• bungee-hermes: new plugin bungee-hermes (ecf52ec)
• bungee-hermes: process & merge views (231a5e5)
• bungee-hermes: viewProof & ethereum strategy (22f389f)
• cactus-core-api: add ISendRequestResultV1 for Fujitsu verifier (483de38)
• cactus-core: add ConnectRPC service interface and type guard (9e83087)
• cactus-core: add handleRestEndpointException utility to public API (bf9dfe8)
• cactus-example-discounted-asset-trade: use openapi ethereum connector (dcaf9fe), closes #2645
• cactus-example-discounted-asset-trade: use openapi sawtooth connector (86d6b38), closes #2825
• cactus-example-electricity-trade: use openapi ethereum connector (9e66850)
• cactus-plugin-ledger-connector-aries: add new connector plugin (afef5ae), closes #2946
• cactus-plugin-ledger-connector-cdl-socketio: separate endpoint for subscription key (b1048af)
• cactus-plugin-ledger-connector-cdl-socketio: support subscription key auth (a04fc5b)
• cactus-plugin-ledger-connector-cdl: add new connector plugin (6efd8de)
• cactus-plugin-ledger-connector-ethereum: add json-rpc proxy (ed04201)
• cactus-plugin-ledger-connector-ethereum: add signing utils (84c5b34)
• cactus-plugin-ledger-connector-ethereum: add stress test (55fa26e), closes #2631
• cactus-plugin-ledger-connector-ethereum: refactor connector API (cda279f), closes #2630
• cactus-plugin-ledger-connector-ethereum: support London fork gas prices (80a89dd), closes #2581
• cactus-plugin-ledger-connector-ethereum: update web3js to 4.X (55f82c9), closes #2580 #2535 #2578
• cactus-plugin-ledger-connector-fabric-socketio: remove fabric-socketio connector (704e201), closes #2644
• cactus-plugin-ledger-connector-fabric: support delegated (offline) signatures (e2812f4), closes #2598
• cactus-plugin-ledger-connector-iroha: remove deprecated iroha connector (fa27fde), closes #3159 #3155
• cactus-plugin-ledger-connector-sawtooth: add new connector plugin (e379504)
• cactus-plugin-persistence-ethereum: use openapi ethereum connector (b8f9b79), closes #2631
• cbdc-bridging: add frontend code for the CBDC example (5ad0ebf)
• cmd-api-server: add ConnectRPC auto-registration for plugins (c569460)
• cmd-api-server: add gRPC plugin auto-registration support (5762dad)
• common: add express http verb method name string literal type (8f048ea)
• common: add isGrpcStatusObjectWithCode user-defined type guard (941dbad)
• connector-besu: add continuous benchmarking with JMeter (379d41d)
• connector-besu: add gRPC support for operations (ab676d2), closes #3173
• connector-fabric: drop support for Fabric v1.x (ec8123c)
• connector-polkadot: add connector pkg, openapi specs, test suite (6a476a0)
• core-api: add IPluginGrpcService type & user-defined type guard (e87e577)
• core: add configureExpressAppBase() utility function (383f852)
• ethereum-connector: support block monitoring with http only connection (f4373a9)
• indy-sdk: replace indy SDK with AFJ (3291dcc), closes #2859 #2860
• indy-test-ledger: add helper class for indy ledger (8c746c3), closes #2861
• plugin-keychain-memory: add ConnectRPC support (c5fecf6), closes #3183
• plugin-keychain-memory: add observability via RxJS ReplaySubjects (9b41377)
• plugin-keychain-memory: add REST API endpoint implementations (c7a8fa5)
• plugin-satp-hermes: replace IPFS dependency in SATP package (3bb7157), closes #2984 #3006
• satp: sample implementation of SATP standard using relays (c23197c)
• supabase-all-in-one: update versions, use skopeo (eeb34f9), closes #3099
• test-tooling: add Stellar test ledger (58fa94e), closes #3239
• weaver-go: upgraded Weaver Fabric Go SDK with membership functions (43cce8e)
• weaver: add build script and fix minor issues (6d4fd00)

Performance Improvements

• cmd-api-server: add demonstration of continuous benchmarking (0804bab)

BREAKING CHANGES

• connector-fabric: The Open API specification that has the enums for
  ledger versions will no longer have an option for Fabric v1.x
  This means that in the core-api package the LedgerType enum has changes
  which means that code that depends on that enum value will need to be
  updated.

Fabric v1.x has had unmaintained dependencies associated with it such as
the native grpc package that stopped receiving security updates years ago
and therefore it's dangerous to have around.

There are also some issues with Fabric v1.x that make the AIO image flaky
which also makes the relevant tests flaky due to which we couldn't run
the v1.x Fabric tests on the CI for a while now anyway.

In order to reduce the CI resource usage and our own maintenance burden
I suggest that we get rid of the Fabric v1.x support meaning that we can
eliminate the AIO image build and some code complexity from the test ledger
code as well.

In addition some old fixtures can be removed that the tests were using.
Overall a net-positive as deleting code without losing functionality (that
we care about) is always a plus.

Signed-off-by: Peter Somogyvari peter.somogyvari@accenture.com

Pull Request Requirements

• Rebased onto upstream/main branch and squashed into single commit to help maintainers review it more efficient and to avoid spaghetti git commit graphs that obfuscate which commit did exactly what change, when and, why.
• Have git sign off at the end of commit message to avoid being marked red. You can add -s flag when using git commit command. You may refer to this link for more information.
• Follow the Commit Linting specification. You may refer to this link for more information.

Character Limit

• Pull Request Title and Commit Subject must not exceed 72 characters (including spaces and special characters).
• Commit Message per line must not exceed 80 characters (including spaces and special characters).

A Must Read for Beginners
For rebasing and squashing, here's a must read guide for beginners.

[sandeepnRES]

Hi @petermetz Please resolve my above comment,
and also did you run the last two steps (from release management) regarding updating version in weaver?
To me it seems tools/go-gen-checksum.sh script wasn't run.
It updates the go.mod and go.sum so that published go packages will refer to the latest versions of cacti dependencies instead of previous versions.

[petermetz]

Hi @petermetz Please resolve my above comment, and also did you run the last two steps (from release management) regarding updating version in weaver? To me it seems tools/go-gen-checksum.sh script wasn't run. It updates the go.mod and go.sum so that published go packages will refer to the latest versions of cacti dependencies instead of previous versions.

@sandeepnRES I ran that script and also the other one [1]. I tried running them again just to make sure I did not forget and they didn't make any changes that I could commit so I'm pretty sure I ran them. My only other guess is that the search and replace I did was wrong.

I'll update manually the changes you are asking just so that we make it work and push it over the line and then we can figure out later what went wrong with the scripts or with my search and replace.

Also, please feel free to edit these yourself too, the branch should be writable by all of the maintainers. (just make sure to take notes on what you changed so that we can adjust the scripts/release management docs accordingly)

[1]

./tools/weaver-update-version.sh 2.0.0-rc.1 .
./tools/go-gen-checksum.sh 2.0.0-rc.1 .

[sandeepnRES]

Hi @petermetz Please resolve my above comment, and also did you run the last two steps (from release management) regarding updating version in weaver? To me it seems tools/go-gen-checksum.sh script wasn't run. It updates the go.mod and go.sum so that published go packages will refer to the latest versions of cacti dependencies instead of previous versions.

@sandeepnRES I ran that script and also the other one [1]. I tried running them again just to make sure I did not forget and they didn't make any changes that I could commit so I'm pretty sure I ran them. My only other guess is that the search and replace I did was wrong.

I'll update manually the changes you are asking just so that we make it work and push it over the line and then we can figure out later what went wrong with the scripts or with my search and replace.

Also, please feel free to edit these yourself too, the branch should be writable by all of the maintainers. (just make sure to take notes on what you changed so that we can adjust the scripts/release management docs accordingly)

[1]

./tools/weaver-update-version.sh 2.0.0-rc.1 .
./tools/go-gen-checksum.sh 2.0.0-rc.1 .

That is strange, because without go.mod and go.sum updates, published go modules would break.
Let me investigate this quickly, something might be wrong with script.

[sandeepnRES]

Hi @petermetz I ran the same command for script what you shared, and it did change all the go.mod and go.sum files.
Did you see any error when running the script?
Are you using Mac, because I created the script on my Mac, may be this is the reason script is working for me and not for you? Let me know if this is the case I'll try to make it independent of Mac or Linux.

For now I've pushed the changes.

[sandeepnRES]

Hi @petermetz Two CI tests are failing because of expired certs in fabric testnet of weaver. My PR #3321 is already opened to fix this.
Do you want to merge that before release? I'm asking because I think it'd be good to not have CI broken on release commit. Although its just tests/sample code, not core components, so I don't mind release before that, and we can force merge the PR bypassing branch protections.

[petermetz]

Hi @petermetz I ran the same command for script what you shared, and it did change all the go.mod and go.sum files. Did you see any error when running the script? Are you using Mac, because I created the script on my Mac, may be this is the reason script is working for me and not for you? Let me know if this is the case I'll try to make it independent of Mac or Linux.

For now I've pushed the changes.

@sandeepnRES I'm on Linux (Ubuntu 22.04 LTS) indeed so that is most likely the problem because I know that some utilities like find and grep and glob patterns in general have to be quoted differently sometimes on Linux vs. Mac/Windows. I also spotted that a couple of the items in your path array declaration don't have opening/closing quotes matched up so that would be my first guess that my shell is a little more pedantic/insistent on that being correct, but we can test it out more later for sure.

## GO and Docker
VERSION_FILES=("weaver/common/protos-go
weaver/core/network/fabric-interop-cc/libs/utils"
"weaver/core/network/fabric-interop-cc/libs/assetexchange"
"weaver/core/network/fabric-interop-cc/interfaces/asset-mgmt"
"weaver/core/network/fabric-interop-cc/contracts/interop"
"weaver/sdks/fabric/go-sdk"
"weaver/core/drivers/corda-driver"
"weaver/core/drivers/fabric-driver"
"weaver/core/identity-management/iin-agent"
"weaver/core/relay")

[petermetz]

Hi @petermetz Two CI tests are failing because of expired certs in fabric testnet of weaver. My PR #3321 is already opened to fix this. Do you want to merge that before release? I'm asking because I think it'd be good to not have CI broken on release commit. Although its just tests/sample code, not core components, so I don't mind release before that, and we can force merge the PR bypassing branch protections.

@sandeepnRES Yeah I'm just gonna go ahead and ignore those for now because of what I described above. If this release works (and therefore the process itself works in general) then we can issue another release (2.0.0-rc.2) in a couple of weeks, no problem.