Harden server fetch upstreams

[rossgalloway]

Summary

• Validate Enso proxy URLs against fixed HTTPS upstream origins and paths before server-side fetches.
• Reject upstream redirects for Enso and historical price fetches.
• Validate DefiLlama and yearn-prices historical price requests against their configured HTTPS upstreams.
• Add regression coverage for blocking non-HTTPS yearn-prices upstreams before fetch.

Validation

• bun run lint:fix
• bunx vitest run api/lib/holdings/services/defillama.test.ts
• bun run tslint
• bun run build

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
yearnfi	Ready	Preview, Comment	May 19, 2026 10:00pm

1 Skipped Deployment

Project	Deployment	Actions	Updated (UTC)
yearnfi-nextjs	Ignored		May 19, 2026 10:00pm

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Scanned Files

None

[rossgalloway]

Closing this PR because it has been superseded by the grouped remediation flow.

The Enso server-fetch side is now covered by the grouped Enso remediation. The DefiLlama-specific concern was disproven in later validation, so it is intentionally not carried forward as a fix branch.

Replacement:

• [codex] Enso proxy and transaction integrity #1249 on codex/fix-yearn-fi-group-enso-proxy-transaction-integrity, head commit e8a93e78