npm - @mojaloop/bulk-api-adapter - Versions diffs - 17.2.3 → 17.2.4 - Mend

@mojaloop/bulk-api-adapter 17.2.3 → 17.2.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/.circleci/config.yml +1 -1
package/.grype.yaml +91 -8
package/CHANGELOG.md +8 -0
package/Dockerfile +1 -2
package/package.json +17 -10
package/{sbom-v17.2.2.csv → sbom-v17.2.3.csv} +509 -486
package/src/handlers/notification/index.js +28 -1
package/src/lib/healthCheck/subServiceHealth.js +14 -3
package/test/unit/health.test.js +4 -4

package/.circleci/config.yml CHANGED Viewed

@@ -1,7 +1,7 @@
 version: 2.1
 setup: true
 orbs:
-  build: mojaloop/build@1.1.9
+  build: mojaloop/build@1.1.10
 workflows:
   setup:
     jobs:

package/.grype.yaml CHANGED Viewed

@@ -1,17 +1,100 @@
 disabled: false
 ignore:
+  # --- Existing ignores ---
   - vulnerability: GHSA-5j98-mcp5-4vw2
     include-aliases: true
-    reason: "glob 10.4.5 is bundled in base image npm (/usr/local/lib/node_modules/npm/), not in application code. App uses glob 10.5.0."
+    reason: >-
+      glob 10.4.5 is bundled in base image npm (/usr/local/lib/node_modules/npm/), not in application code. App uses
+      glob 10.5.0.
+  - vulnerability: CVE-2025-60876
+    include-aliases: true
+    reason: "Alpine base image package (apk): busybox - no npm fix available as of 2026-02-06 (moderate severity)"
-# Set output format defaults
-output:
-  - "table"
-  - "json"
+  # --- Base image npm packages (bundled in /usr/local/lib/node_modules/npm/) ---
+  - vulnerability: GHSA-34x7-hfp2-rc4v
+    include-aliases: true
+    reason: "Base image npm package: tar 6.2.1/7.4.3 - bundled in Node.js base image npm, not fixable via application dependencies as of 2026-02-10"
+  - vulnerability: GHSA-8qq5-rm4j-mr97
+    include-aliases: true
+    reason: "Base image npm package: tar 6.2.1/7.4.3 - bundled in Node.js base image npm, not fixable via application dependencies as of 2026-02-10"
+  - vulnerability: GHSA-r6q2-hw4h-h46w
+    include-aliases: true
+    reason: "Base image npm package: tar 6.2.1/7.4.3 - bundled in Node.js base image npm, not fixable via application dependencies as of 2026-02-10"
+  - vulnerability: GHSA-73rr-hh4g-fpgx
+    include-aliases: true
+    reason: "Base image npm package: diff 5.2.0 - bundled in Node.js base image npm, not fixable via application dependencies as of 2026-02-10 (low severity)"
+  - vulnerability: GHSA-3966-f6p6-2qr9
+    include-aliases: true
+    reason: "Base image npm package: npm 10.9.4 - bundled in Node.js base image, not fixable via application dependencies as of 2026-02-10"
+  - vulnerability: GHSA-g9mf-h72j-4rw9
+    include-aliases: true
+    reason: "Base image npm package: undici - bundled in Node.js base image npm, not fixable via application dependencies as of 2026-02-10"
+  - vulnerability: GHSA-xxjr-mmjv-4gpg
+    include-aliases: true
+    reason: "Base image npm package: lodash-es 4.17.21 - bundled in Node.js base image npm, not fixable via application dependencies as of 2026-02-10"
-# Modify your CircleCI job to check critical count
+  # --- Alpine base image packages (apk) - libcrypto3/libssl3 ---
+  - vulnerability: CVE-2025-15467
+    include-aliases: true
+    reason: "Alpine base image package (apk): libcrypto3/libssl3 - no npm fix available as of 2026-02-10 (critical severity)"
+  - vulnerability: CVE-2025-69420
+    include-aliases: true
+    reason: "Alpine base image package (apk): libcrypto3/libssl3 - no npm fix available as of 2026-02-10 (high severity)"
+  - vulnerability: CVE-2025-69421
+    include-aliases: true
+    reason: "Alpine base image package (apk): libcrypto3/libssl3 - no npm fix available as of 2026-02-10 (high severity)"
+  - vulnerability: CVE-2025-69419
+    include-aliases: true
+    reason: "Alpine base image package (apk): libcrypto3/libssl3 - no npm fix available as of 2026-02-10 (high severity)"
+  - vulnerability: CVE-2026-22796
+    include-aliases: true
+    reason: "Alpine base image package (apk): libcrypto3/libssl3 - no npm fix available as of 2026-02-10 (medium severity)"
+  - vulnerability: CVE-2025-66199
+    include-aliases: true
+    reason: "Alpine base image package (apk): libcrypto3/libssl3 - no npm fix available as of 2026-02-10 (medium severity)"
+  - vulnerability: CVE-2025-15468
+    include-aliases: true
+    reason: "Alpine base image package (apk): libcrypto3/libssl3 - no npm fix available as of 2026-02-10 (medium severity)"
+  - vulnerability: CVE-2026-22795
+    include-aliases: true
+    reason: "Alpine base image package (apk): libcrypto3/libssl3 - no npm fix available as of 2026-02-10 (medium severity)"
+  - vulnerability: CVE-2025-68160
+    include-aliases: true
+    reason: "Alpine base image package (apk): libcrypto3/libssl3 - no npm fix available as of 2026-02-10 (medium severity)"
+  - vulnerability: CVE-2025-11187
+    include-aliases: true
+    reason: "Alpine base image package (apk): libcrypto3/libssl3 - no npm fix available as of 2026-02-10 (medium severity)"
+  - vulnerability: CVE-2025-15469
+    include-aliases: true
+    reason: "Alpine base image package (apk): libcrypto3/libssl3 - no npm fix available as of 2026-02-10 (medium severity)"
+  - vulnerability: CVE-2025-69418
+    include-aliases: true
+    reason: "Alpine base image package (apk): libcrypto3/libssl3 - no npm fix available as of 2026-02-10 (medium severity)"
+  # --- Node.js binary vulnerabilities ---
+  - vulnerability: CVE-2025-55130
+    include-aliases: true
+    reason: "Node.js binary vulnerability: node - requires Node.js runtime update as of 2026-02-10 (critical severity)"
+  - vulnerability: CVE-2025-59465
+    include-aliases: true
+    reason: "Node.js binary vulnerability: node - requires Node.js runtime update as of 2026-02-10 (high severity)"
+  - vulnerability: CVE-2026-21637
+    include-aliases: true
+    reason: "Node.js binary vulnerability: node - requires Node.js runtime update as of 2026-02-10 (high severity)"
+  - vulnerability: CVE-2025-55131
+    include-aliases: true
+    reason: "Node.js binary vulnerability: node - requires Node.js runtime update as of 2026-02-10 (high severity)"
+  - vulnerability: CVE-2025-59466
+    include-aliases: true
+    reason: "Node.js binary vulnerability: node - requires Node.js runtime update as of 2026-02-10 (high severity)"
+  - vulnerability: CVE-2025-55132
+    include-aliases: true
+    reason: "Node.js binary vulnerability: node - requires Node.js runtime update as of 2026-02-10 (medium severity)"
+output:
+  - table
+  - json
 search:
-  scope: "squashed"
+  scope: squashed
 quiet: false
 check-for-app-update: false

package/CHANGELOG.md CHANGED Viewed

@@ -2,6 +2,14 @@
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
+### [17.2.4](https://github.com/mojaloop/bulk-api-adapter/compare/v17.2.3...v17.2.4) (2026-02-12)
+### Chore
+* **ci:** update CircleCI orb to 1.1.10 ([#142](https://github.com/mojaloop/bulk-api-adapter/issues/142)) ([f1cb17f](https://github.com/mojaloop/bulk-api-adapter/commit/f1cb17f9d3e12fd959ab1bbfb3ac35fd7723516a))
+* **sbom:** update sbom [skip ci] ([20fda9b](https://github.com/mojaloop/bulk-api-adapter/commit/20fda9b327b40e890550a7f3a917ed46b041fed0))
 ### [17.2.3](https://github.com/mojaloop/bulk-api-adapter/compare/v17.2.2...v17.2.3) (2025-12-16)

package/Dockerfile CHANGED Viewed

@@ -1,6 +1,5 @@
 # Arguments
-ARG NODE_VERSION=22.21.1-alpine3.23
+ARG NODE_VERSION="22.22.0-alpine3.23"
 # NOTE: Ensure you set NODE_VERSION Build Argument as follows...
 #
 #  export NODE_VERSION="$(cat .nvmrc)-alpine" \

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@mojaloop/bulk-api-adapter",
-  "version": "17.2.3",
+  "version": "17.2.4",
   "description": "Mojaloop Bulk API Adapter",
   "license": "Apache-2.0",
   "author": "ModusBox",
@@ -72,17 +72,17 @@
     "@hapi/vision": "7.0.3",
     "@mojaloop/central-services-error-handling": "13.1.5",
     "@mojaloop/central-services-health": "15.2.1",
-    "@mojaloop/central-services-logger": "11.10.2",
+    "@mojaloop/central-services-logger": "11.10.3",
     "@mojaloop/central-services-metrics": "12.8.3",
     "@mojaloop/central-services-shared": "^18.26.2",
-    "@mojaloop/central-services-stream": "11.8.13",
+    "@mojaloop/central-services-stream": "11.9.0",
     "@mojaloop/event-sdk": "14.8.2",
     "@mojaloop/object-store-lib": "12.2.2",
-    "@mojaloop/sdk-standard-components": "19.18.1",
+    "@mojaloop/sdk-standard-components": "19.18.7",
     "@now-ims/hapi-now-auth": "2.1.0",
-    "axios": "1.13.2",
+    "axios": "1.13.5",
     "blipp": "4.0.2",
-    "commander": "14.0.2",
+    "commander": "14.0.3",
     "hapi-auth-bearer-token": "8.0.0",
     "hapi-openapi": "3.0.0",
     "hapi-swagger": "17.3.2",
@@ -111,7 +111,7 @@
       "path-to-regexp": "0.1.12",
       "sanitize-html": "2.12.1",
       "markdown-it": "12.3.2",
-      "undici": "6.21.2"
+      "undici": "6.23.0"
     },
     "widdershins": {
       "swagger2openapi": "7.0.8",
@@ -127,18 +127,25 @@
     "yargs-parser": "21.1.1",
     "validator": "13.15.22",
     "js-yaml": "3.14.2",
-    "jws": "4.0.1"
+    "jws": "4.0.1",
+    "fast-xml-parser": "5.3.4",
+    "qs": "6.14.1",
+    "undici": "6.23.0",
+    "axios": "1.13.5",
+    "lodash": "4.17.23",
+    "lodash-es": "4.17.23",
+    "diff": "8.0.3"
   },
   "devDependencies": {
     "audit-ci": "^7.1.0",
     "nodemon": "3.1.11",
-    "npm-check-updates": "19.2.0",
+    "npm-check-updates": "19.3.2",
     "nyc": "17.1.0",
     "pre-commit": "1.2.2",
     "proxyquire": "2.1.3",
     "replace": "^1.2.2",
     "rewire": "9.0.1",
-    "sinon": "21.0.0",
+    "sinon": "21.0.1",
     "standard": "17.1.2",
     "standard-version": "^9.5.0",
     "swagmock": "1.0.0",