fix(deps): bump basic-ftp to 5.3.1 to resolve GHSA-rpmf-866q-6p89

[Doddanna17]

ticket: SI-512

Summary

• Bumps basic-ftp from 5.2.2 to 5.3.1 in root resolutions to patch GHSA-rpmf-866q-6p89
• Updates yarn.lock accordingly
• Only package.json and yarn.lock changed — no source code touched

Why this works

get-uri@6.0.5 (the direct consumer of basic-ftp) requires basic-ftp: ^5.0.2, so 5.3.1 is a fully compatible upgrade. The previous resolutions pin of 5.2.2 was keeping the patched version out.

What this fixes

GHSA-rpmf-866q-6p89 (HIGH, CVSS 7.5): DoS via unbounded multiline FTP control response buffering in basic-ftp. Patched in 5.3.1. This advisory was appearing 5 times in the yarn audit output (same advisory across 5 different dependency paths), blocking the chore(root): publish modules CI job.

Dependency chain

@bitgo/sdk-api > proxy-agent > pac-proxy-agent > get-uri > basic-ftp (5.2.2 → 5.3.1)

Impact

Unblocks the publish of @bitgo/sdk-coin-hbar containing the explainTransaction fix for HBAR staking (PR #8700), which is needed to unblock end-to-end HBAR stake signing on staging.

Related

• SI-511: BitGoJS explainTransaction fix for HBAR (PR fet(hbar): add AccountUpdate support to explainTransaction in BitGoJS #8700)
• SI-508: bitgo-microservices stakedNodeId fix
• SI-506: staking-service HBAR implementation
• Failing CI run: https://github.com/BitGo/BitGoJS/actions/runs/25464115442/job/74714441980

[linear-code]

SI-512 fix(bitgojs): exclude GHSA-rpmf-866q-6p89 (basic-ftp DoS) from yarn audit to unblock publish