@mojaloop/bulk-api-adapter 17.2.3 → 17.2.5

package/.circleci/config.yml

@@ -1,7 +1,7 @@
 version: 2.1
 setup: true
 orbs:
-  build: mojaloop/build@1.1.9
+  build: mojaloop/build@1.1.10
 workflows:
   setup:
     jobs:

package/.grype.yaml

@@ -1,17 +1,100 @@
 disabled: false
-
 ignore:
+  # --- Existing ignores ---
   - vulnerability: GHSA-5j98-mcp5-4vw2
     include-aliases: true
-    reason: "glob 10.4.5 is bundled in base image npm (/usr/local/lib/node_modules/npm/), not in application code. App uses glob 10.5.0."
+    reason: >-
+      glob 10.4.5 is bundled in base image npm (/usr/local/lib/node_modules/npm/), not in application code. App uses
+      glob 10.5.0.
+  - vulnerability: CVE-2025-60876
+    include-aliases: true
+    reason: "Alpine base image package (apk): busybox - no npm fix available as of 2026-02-06 (moderate severity)"
 
-# Set output format defaults
-output:
-  - "table"
-  - "json"
+  # --- Base image npm packages (bundled in /usr/local/lib/node_modules/npm/) ---
+  - vulnerability: GHSA-34x7-hfp2-rc4v
+    include-aliases: true
+    reason: "Base image npm package: tar 6.2.1/7.4.3 - bundled in Node.js base image npm, not fixable via application dependencies as of 2026-02-10"
+  - vulnerability: GHSA-8qq5-rm4j-mr97
+    include-aliases: true
+    reason: "Base image npm package: tar 6.2.1/7.4.3 - bundled in Node.js base image npm, not fixable via application dependencies as of 2026-02-10"
+  - vulnerability: GHSA-r6q2-hw4h-h46w
+    include-aliases: true
+    reason: "Base image npm package: tar 6.2.1/7.4.3 - bundled in Node.js base image npm, not fixable via application dependencies as of 2026-02-10"
+  - vulnerability: GHSA-73rr-hh4g-fpgx
+    include-aliases: true
+    reason: "Base image npm package: diff 5.2.0 - bundled in Node.js base image npm, not fixable via application dependencies as of 2026-02-10 (low severity)"
+  - vulnerability: GHSA-3966-f6p6-2qr9
+    include-aliases: true
+    reason: "Base image npm package: npm 10.9.4 - bundled in Node.js base image, not fixable via application dependencies as of 2026-02-10"
+  - vulnerability: GHSA-g9mf-h72j-4rw9
+    include-aliases: true
+    reason: "Base image npm package: undici - bundled in Node.js base image npm, not fixable via application dependencies as of 2026-02-10"
+  - vulnerability: GHSA-xxjr-mmjv-4gpg
+    include-aliases: true
+    reason: "Base image npm package: lodash-es 4.17.21 - bundled in Node.js base image npm, not fixable via application dependencies as of 2026-02-10"
 
-# Modify your CircleCI job to check critical count
+  # --- Alpine base image packages (apk) - libcrypto3/libssl3 ---
+  - vulnerability: CVE-2025-15467
+    include-aliases: true
+    reason: "Alpine base image package (apk): libcrypto3/libssl3 - no npm fix available as of 2026-02-10 (critical severity)"
+  - vulnerability: CVE-2025-69420
+    include-aliases: true
+    reason: "Alpine base image package (apk): libcrypto3/libssl3 - no npm fix available as of 2026-02-10 (high severity)"
+  - vulnerability: CVE-2025-69421
+    include-aliases: true
+    reason: "Alpine base image package (apk): libcrypto3/libssl3 - no npm fix available as of 2026-02-10 (high severity)"
+  - vulnerability: CVE-2025-69419
+    include-aliases: true
+    reason: "Alpine base image package (apk): libcrypto3/libssl3 - no npm fix available as of 2026-02-10 (high severity)"
+  - vulnerability: CVE-2026-22796
+    include-aliases: true
+    reason: "Alpine base image package (apk): libcrypto3/libssl3 - no npm fix available as of 2026-02-10 (medium severity)"
+  - vulnerability: CVE-2025-66199
+    include-aliases: true
+    reason: "Alpine base image package (apk): libcrypto3/libssl3 - no npm fix available as of 2026-02-10 (medium severity)"
+  - vulnerability: CVE-2025-15468
+    include-aliases: true
+    reason: "Alpine base image package (apk): libcrypto3/libssl3 - no npm fix available as of 2026-02-10 (medium severity)"
+  - vulnerability: CVE-2026-22795
+    include-aliases: true
+    reason: "Alpine base image package (apk): libcrypto3/libssl3 - no npm fix available as of 2026-02-10 (medium severity)"
+  - vulnerability: CVE-2025-68160
+    include-aliases: true
+    reason: "Alpine base image package (apk): libcrypto3/libssl3 - no npm fix available as of 2026-02-10 (medium severity)"
+  - vulnerability: CVE-2025-11187
+    include-aliases: true
+    reason: "Alpine base image package (apk): libcrypto3/libssl3 - no npm fix available as of 2026-02-10 (medium severity)"
+  - vulnerability: CVE-2025-15469
+    include-aliases: true
+    reason: "Alpine base image package (apk): libcrypto3/libssl3 - no npm fix available as of 2026-02-10 (medium severity)"
+  - vulnerability: CVE-2025-69418
+    include-aliases: true
+    reason: "Alpine base image package (apk): libcrypto3/libssl3 - no npm fix available as of 2026-02-10 (medium severity)"
+
+  # --- Node.js binary vulnerabilities ---
+  - vulnerability: CVE-2025-55130
+    include-aliases: true
+    reason: "Node.js binary vulnerability: node - requires Node.js runtime update as of 2026-02-10 (critical severity)"
+  - vulnerability: CVE-2025-59465
+    include-aliases: true
+    reason: "Node.js binary vulnerability: node - requires Node.js runtime update as of 2026-02-10 (high severity)"
+  - vulnerability: CVE-2026-21637
+    include-aliases: true
+    reason: "Node.js binary vulnerability: node - requires Node.js runtime update as of 2026-02-10 (high severity)"
+  - vulnerability: CVE-2025-55131
+    include-aliases: true
+    reason: "Node.js binary vulnerability: node - requires Node.js runtime update as of 2026-02-10 (high severity)"
+  - vulnerability: CVE-2025-59466
+    include-aliases: true
+    reason: "Node.js binary vulnerability: node - requires Node.js runtime update as of 2026-02-10 (high severity)"
+  - vulnerability: CVE-2025-55132
+    include-aliases: true
+    reason: "Node.js binary vulnerability: node - requires Node.js runtime update as of 2026-02-10 (medium severity)"
+
+output:
+  - table
+  - json
 search:
-  scope: "squashed"
+  scope: squashed
 quiet: false
 check-for-app-update: false

package/.nvmrc

@@ -1 +1 @@
-22.21.1
+22.22.0

package/CHANGELOG.md

@@ -2,6 +2,26 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+### [17.2.5](https://github.com/mojaloop/bulk-api-adapter/compare/v17.2.4...v17.2.5) (2026-02-19)
+
+
+### Bug Fixes
+
+* remove deprecared mongodb option ([#144](https://github.com/mojaloop/bulk-api-adapter/issues/144)) ([5d336d5](https://github.com/mojaloop/bulk-api-adapter/commit/5d336d5259f4ead8719db9884fdfaafdbda826a0))
+
+
+### Chore
+
+* **sbom:** update sbom [skip ci] ([f0a0d19](https://github.com/mojaloop/bulk-api-adapter/commit/f0a0d192490feecb99bb4e27a7c6836073545ad4))
+
+### [17.2.4](https://github.com/mojaloop/bulk-api-adapter/compare/v17.2.3...v17.2.4) (2026-02-12)
+
+
+### Chore
+
+* **ci:** update CircleCI orb to 1.1.10 ([#142](https://github.com/mojaloop/bulk-api-adapter/issues/142)) ([f1cb17f](https://github.com/mojaloop/bulk-api-adapter/commit/f1cb17f9d3e12fd959ab1bbfb3ac35fd7723516a))
+* **sbom:** update sbom [skip ci] ([20fda9b](https://github.com/mojaloop/bulk-api-adapter/commit/20fda9b327b40e890550a7f3a917ed46b041fed0))
+
 ### [17.2.3](https://github.com/mojaloop/bulk-api-adapter/compare/v17.2.2...v17.2.3) (2025-12-16)
 
 

package/Dockerfile

@@ -1,6 +1,5 @@
 # Arguments
-ARG NODE_VERSION=22.21.1-alpine3.23
-
+ARG NODE_VERSION="22.22.0-alpine3.23"
 # NOTE: Ensure you set NODE_VERSION Build Argument as follows...
 #
 #  export NODE_VERSION="$(cat .nvmrc)-alpine" \
@@ -35,10 +34,20 @@ RUN ln -sf /dev/stdout ./logs/combined.log
 
 # Create a non-root user: app-user
 RUN adduser -D app-user
-USER app-user
 
 COPY --chown=app-user --from=builder /opt/app/ .
 RUN npm prune --production
 
+# Remove npm/npx from runtime image to eliminate npm's vulnerable tar - failing grype scan
+USER root
+RUN rm -rf /usr/local/lib/node_modules/npm \
+    /usr/local/bin/npm /usr/local/bin/npx
+RUN rm -rf \
+/opt/app/node_modules/@redocly/openapi-core/node_modules/minimatch \
+/opt/app/node_modules/filelist/node_modules/minimatch
+RUN node -e "require('./src/api/index.js'); console.log('startup ok')"    
+
+USER app-user
+
 EXPOSE 3000
 CMD ["node src/api/index.js"]

package/audit-ci.jsonc

@@ -1,8 +1,11 @@
 {
   "$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json",
   // audit-ci supports reading JSON, JSONC, and JSON5 config files.
+  // Only check production dependencies (devDependencies ignored)
+  "skip-dev": true,
   // Only use one of ["low": true, "moderate": true, "high": true, "critical": true]
   "moderate": true,
   "allowlist": [ // NOTE: Please add as much information as possible to any items added to the allowList
+    "GHSA-3ppc-4f35-3m26"
   ]
 }

package/eslint.config.mjs

@@ -0,0 +1,50 @@
+import js from "@eslint/js"
+import globals from "globals"
+
+export default [
+
+  // Base JS recommended rules
+  js.configs.recommended,
+
+  // Application code
+  {
+    files: ["**/*.js"],
+    ignores: [
+      "node_modules/**",
+      "coverage/**",
+      "dist/**"
+    ],
+    languageOptions: {
+      ecmaVersion: 2022,
+      sourceType: "commonjs",
+      globals: {
+        ...globals.node
+      }
+    },
+    rules: {
+      // Common good defaults
+      "no-unused-vars": ["warn", { argsIgnorePattern: "^_" }],
+      "no-console": "off",
+      "no-undef": "error",
+      "no-var": "error",
+      "prefer-const": "warn"
+    }
+  },
+
+  // Jest test files
+  {
+    files: ["**/*.test.js", "**/test/**/*.js"],
+    plugins: {
+      // jest: jestPlugin
+    },
+    languageOptions: {
+      globals: {
+        ...globals.node,
+        ...globals.jest
+      }
+    },
+    rules: {
+      // ...jestPlugin.configs.recommended.rules
+    }
+  }
+]

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mojaloop/bulk-api-adapter",
-  "version": "17.2.3",
+  "version": "17.2.5",
   "description": "Mojaloop Bulk API Adapter",
   "license": "Apache-2.0",
   "author": "ModusBox",
@@ -36,10 +36,8 @@
     "start:api": "node src/api/index.js",
     "watch:api": "npx nodemon src/api/index.js",
     "regenerate": "yo swaggerize:test --framework hapi --apiPath './src/interface/swagger.yaml'",
-    "standard": "npx standard",
-    "standard:fix": "npx standard --fix",
-    "lint": "npm run standard",
-    "lint:fix": "npm run standard:fix",
+    "lint": "eslint .",
+    "lint:fix": "eslint . --fix",
     "test": "npm run test:unit",
     "test:all": "npm run test",
     "test:unit": "tape 'test/unit/**/*.test.js' | tap-spec",
@@ -67,22 +65,22 @@
     "@hapi/catbox": "12.1.1",
     "@hapi/catbox-memory": "6.0.2",
     "@hapi/good": "9.0.1",
-    "@hapi/hapi": "21.4.4",
+    "@hapi/hapi": "21.4.5",
     "@hapi/inert": "7.1.0",
     "@hapi/vision": "7.0.3",
-    "@mojaloop/central-services-error-handling": "13.1.5",
-    "@mojaloop/central-services-health": "15.2.1",
-    "@mojaloop/central-services-logger": "11.10.2",
-    "@mojaloop/central-services-metrics": "12.8.3",
+    "@mojaloop/central-services-error-handling": "13.1.6",
+    "@mojaloop/central-services-health": "15.2.2",
+    "@mojaloop/central-services-logger": "11.10.4",
+    "@mojaloop/central-services-metrics": "12.8.5",
     "@mojaloop/central-services-shared": "^18.26.2",
-    "@mojaloop/central-services-stream": "11.8.13",
-    "@mojaloop/event-sdk": "14.8.2",
-    "@mojaloop/object-store-lib": "12.2.2",
-    "@mojaloop/sdk-standard-components": "19.18.1",
+    "@mojaloop/central-services-stream": "11.9.1",
+    "@mojaloop/event-sdk": "14.8.3",
+    "@mojaloop/object-store-lib": "12.2.3",
+    "@mojaloop/sdk-standard-components": "19.18.7",
     "@now-ims/hapi-now-auth": "2.1.0",
-    "axios": "1.13.2",
+    "axios": "1.13.5",
     "blipp": "4.0.2",
-    "commander": "14.0.2",
+    "commander": "14.0.3",
     "hapi-auth-bearer-token": "8.0.0",
     "hapi-openapi": "3.0.0",
     "hapi-swagger": "17.3.2",
@@ -95,6 +93,16 @@
     "uuid4": "2.0.3"
   },
   "overrides": {
+    "ajv": "8.18.0",
+    "eslint": {
+      "ajv": "6.12.6"
+    },
+    "eslint@9.39.2": {
+      "ajv": "6.12.6"
+    },
+    "@eslint/eslintrc": {
+      "ajv": "6.12.6"
+    },
     "form-data": "4.0.4",
     "on-headers": "1.1.0",
     "brace-expansion": "2.0.2",
@@ -105,13 +113,14 @@
     "swagmock": {
       "validator": "13.15.22"
     },
+    "ejs": "3.1.10",
     "shins": {
-      "ajv": "6.12.3",
-      "ejs": "3.1.10",
+      "ajv": "8.18.0",
       "path-to-regexp": "0.1.12",
       "sanitize-html": "2.12.1",
       "markdown-it": "12.3.2",
-      "undici": "6.21.2"
+      "undici": "6.23.0",
+      "ejs": "3.1.10"
     },
     "widdershins": {
       "swagger2openapi": "7.0.8",
@@ -127,19 +136,28 @@
     "yargs-parser": "21.1.1",
     "validator": "13.15.22",
     "js-yaml": "3.14.2",
-    "jws": "4.0.1"
+    "jws": "4.0.1",
+    "fast-xml-parser": "5.3.6",
+    "qs": "6.14.1",
+    "undici": "6.23.0",
+    "axios": "1.13.5",
+    "lodash": "4.17.23",
+    "lodash-es": "4.17.23",
+    "diff": "8.0.3"
   },
   "devDependencies": {
-    "audit-ci": "^7.1.0",
+    "@eslint/js": "10.0.1",
+    "audit-ci": "7.1.0",
+    "eslint": "10.0.0",
+    "globals": "17.3.0",
     "nodemon": "3.1.11",
-    "npm-check-updates": "19.2.0",
+    "npm-check-updates": "19.4.0",
     "nyc": "17.1.0",
     "pre-commit": "1.2.2",
     "proxyquire": "2.1.3",
     "replace": "^1.2.2",
     "rewire": "9.0.1",
-    "sinon": "21.0.0",
-    "standard": "17.1.2",
+    "sinon": "21.0.1",
     "standard-version": "^9.5.0",
     "swagmock": "1.0.0",
     "tap-spec": "^5.0.0",