@mojaloop/bulk-api-adapter 17.2.4 → 17.2.6

package/.circleci/config.yml

@@ -1,7 +1,7 @@
 version: 2.1
 setup: true
 orbs:
-  build: mojaloop/build@1.1.10
+  build: mojaloop/build@1.1.16
 workflows:
   setup:
     jobs:

package/.grype.yaml

@@ -1,6 +1,6 @@
 disabled: false
+scan-type: source
 ignore:
-  # --- Existing ignores ---
   - vulnerability: GHSA-5j98-mcp5-4vw2
     include-aliases: true
     reason: >-
@@ -9,31 +9,41 @@ ignore:
   - vulnerability: CVE-2025-60876
     include-aliases: true
     reason: "Alpine base image package (apk): busybox - no npm fix available as of 2026-02-06 (moderate severity)"
-
-  # --- Base image npm packages (bundled in /usr/local/lib/node_modules/npm/) ---
   - vulnerability: GHSA-34x7-hfp2-rc4v
     include-aliases: true
-    reason: "Base image npm package: tar 6.2.1/7.4.3 - bundled in Node.js base image npm, not fixable via application dependencies as of 2026-02-10"
+    reason: >-
+      Base image npm package: tar 6.2.1/7.4.3 - bundled in Node.js base image npm, not fixable via application
+      dependencies as of 2026-02-10
   - vulnerability: GHSA-8qq5-rm4j-mr97
     include-aliases: true
-    reason: "Base image npm package: tar 6.2.1/7.4.3 - bundled in Node.js base image npm, not fixable via application dependencies as of 2026-02-10"
+    reason: >-
+      Base image npm package: tar 6.2.1/7.4.3 - bundled in Node.js base image npm, not fixable via application
+      dependencies as of 2026-02-10
   - vulnerability: GHSA-r6q2-hw4h-h46w
     include-aliases: true
-    reason: "Base image npm package: tar 6.2.1/7.4.3 - bundled in Node.js base image npm, not fixable via application dependencies as of 2026-02-10"
+    reason: >-
+      Base image npm package: tar 6.2.1/7.4.3 - bundled in Node.js base image npm, not fixable via application
+      dependencies as of 2026-02-10
   - vulnerability: GHSA-73rr-hh4g-fpgx
     include-aliases: true
-    reason: "Base image npm package: diff 5.2.0 - bundled in Node.js base image npm, not fixable via application dependencies as of 2026-02-10 (low severity)"
+    reason: >-
+      Base image npm package: diff 5.2.0 - bundled in Node.js base image npm, not fixable via application dependencies
+      as of 2026-02-10 (low severity)
   - vulnerability: GHSA-3966-f6p6-2qr9
     include-aliases: true
-    reason: "Base image npm package: npm 10.9.4 - bundled in Node.js base image, not fixable via application dependencies as of 2026-02-10"
+    reason: >-
+      Base image npm package: npm 10.9.4 - bundled in Node.js base image, not fixable via application dependencies as of
+      2026-02-10
   - vulnerability: GHSA-g9mf-h72j-4rw9
     include-aliases: true
-    reason: "Base image npm package: undici - bundled in Node.js base image npm, not fixable via application dependencies as of 2026-02-10"
+    reason: >-
+      Base image npm package: undici - bundled in Node.js base image npm, not fixable via application dependencies as of
+      2026-02-10
   - vulnerability: GHSA-xxjr-mmjv-4gpg
     include-aliases: true
-    reason: "Base image npm package: lodash-es 4.17.21 - bundled in Node.js base image npm, not fixable via application dependencies as of 2026-02-10"
-
-  # --- Alpine base image packages (apk) - libcrypto3/libssl3 ---
+    reason: >-
+      Base image npm package: lodash-es 4.17.21 - bundled in Node.js base image npm, not fixable via application
+      dependencies as of 2026-02-10
   - vulnerability: CVE-2025-15467
     include-aliases: true
     reason: "Alpine base image package (apk): libcrypto3/libssl3 - no npm fix available as of 2026-02-10 (critical severity)"
@@ -70,8 +80,6 @@ ignore:
   - vulnerability: CVE-2025-69418
     include-aliases: true
     reason: "Alpine base image package (apk): libcrypto3/libssl3 - no npm fix available as of 2026-02-10 (medium severity)"
-
-  # --- Node.js binary vulnerabilities ---
   - vulnerability: CVE-2025-55130
     include-aliases: true
     reason: "Node.js binary vulnerability: node - requires Node.js runtime update as of 2026-02-10 (critical severity)"
@@ -90,7 +98,22 @@ ignore:
   - vulnerability: CVE-2025-55132
     include-aliases: true
     reason: "Node.js binary vulnerability: node - requires Node.js runtime update as of 2026-02-10 (medium severity)"
-
+  - vulnerability: GHSA-3ppc-4f35-3m26
+    include-aliases: true
+    reason: >-
+      Base image npm package: minimatch - bundled in Node.js base image, not fixable via application dependencies as of
+      2026-02-23 (high severity)
+  - vulnerability: GHSA-83g3-92jg-28cx
+    include-aliases: true
+    reason: >-
+      Base image npm package: tar - bundled in Node.js base image, not fixable via application dependencies as of
+      2026-02-23 (high severity)
+  - vulnerability: CVE-2026-27171
+    include-aliases: true
+    reason: "Alpine base image package (apk): zlib - no npm fix available as of 2026-02-23 (moderate severity)"
+  - vulnerability: GHSA-2g4f-4pwh-qvx6
+    include-aliases: true
+    reason: "Unfixable npm transitive vulnerability: ajv (moderate severity) as of 2026-02-23"
 output:
   - table
   - json

package/.nvmrc

@@ -1 +1 @@
-22.21.1
+22.22.0

package/CHANGELOG.md

@@ -2,6 +2,26 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+### [17.2.6](https://github.com/mojaloop/bulk-api-adapter/compare/v17.2.5...v17.2.6) (2026-02-26)
+
+
+### Chore
+
+* maintenance updates ([#145](https://github.com/mojaloop/bulk-api-adapter/issues/145)) ([8813af4](https://github.com/mojaloop/bulk-api-adapter/commit/8813af4ccc5ed444df3624a85569ad3c8950946d))
+* **sbom:** update sbom [skip ci] ([2f97d59](https://github.com/mojaloop/bulk-api-adapter/commit/2f97d5943c4b1243978da6156d3ea42e82bac826))
+
+### [17.2.5](https://github.com/mojaloop/bulk-api-adapter/compare/v17.2.4...v17.2.5) (2026-02-19)
+
+
+### Bug Fixes
+
+* remove deprecared mongodb option ([#144](https://github.com/mojaloop/bulk-api-adapter/issues/144)) ([5d336d5](https://github.com/mojaloop/bulk-api-adapter/commit/5d336d5259f4ead8719db9884fdfaafdbda826a0))
+
+
+### Chore
+
+* **sbom:** update sbom [skip ci] ([f0a0d19](https://github.com/mojaloop/bulk-api-adapter/commit/f0a0d192490feecb99bb4e27a7c6836073545ad4))
+
 ### [17.2.4](https://github.com/mojaloop/bulk-api-adapter/compare/v17.2.3...v17.2.4) (2026-02-12)
 
 

package/Dockerfile

@@ -34,10 +34,20 @@ RUN ln -sf /dev/stdout ./logs/combined.log
 
 # Create a non-root user: app-user
 RUN adduser -D app-user
-USER app-user
 
 COPY --chown=app-user --from=builder /opt/app/ .
 RUN npm prune --production
 
+# Remove npm/npx from runtime image to eliminate npm's vulnerable tar - failing grype scan
+USER root
+RUN rm -rf /usr/local/lib/node_modules/npm \
+    /usr/local/bin/npm /usr/local/bin/npx
+RUN rm -rf \
+/opt/app/node_modules/@redocly/openapi-core/node_modules/minimatch \
+/opt/app/node_modules/filelist/node_modules/minimatch
+RUN node -e "require('./src/api/index.js'); console.log('startup ok')"    
+
+USER app-user
+
 EXPOSE 3000
 CMD ["node src/api/index.js"]

package/audit-ci.jsonc

@@ -4,5 +4,6 @@
   // Only use one of ["low": true, "moderate": true, "high": true, "critical": true]
   "moderate": true,
   "allowlist": [ // NOTE: Please add as much information as possible to any items added to the allowList
+    "GHSA-2g4f-4pwh-qvx6"
   ]
 }

package/eslint.config.mjs

@@ -0,0 +1,50 @@
+import js from "@eslint/js"
+import globals from "globals"
+
+export default [
+
+  // Base JS recommended rules
+  js.configs.recommended,
+
+  // Application code
+  {
+    files: ["**/*.js"],
+    ignores: [
+      "node_modules/**",
+      "coverage/**",
+      "dist/**"
+    ],
+    languageOptions: {
+      ecmaVersion: 2022,
+      sourceType: "commonjs",
+      globals: {
+        ...globals.node
+      }
+    },
+    rules: {
+      // Common good defaults
+      "no-unused-vars": ["warn", { argsIgnorePattern: "^_" }],
+      "no-console": "off",
+      "no-undef": "error",
+      "no-var": "error",
+      "prefer-const": "warn"
+    }
+  },
+
+  // Jest test files
+  {
+    files: ["**/*.test.js", "**/test/**/*.js"],
+    plugins: {
+      // jest: jestPlugin
+    },
+    languageOptions: {
+      globals: {
+        ...globals.node,
+        ...globals.jest
+      }
+    },
+    rules: {
+      // ...jestPlugin.configs.recommended.rules
+    }
+  }
+]

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mojaloop/bulk-api-adapter",
-  "version": "17.2.4",
+  "version": "17.2.6",
   "description": "Mojaloop Bulk API Adapter",
   "license": "Apache-2.0",
   "author": "ModusBox",
@@ -36,10 +36,8 @@
     "start:api": "node src/api/index.js",
     "watch:api": "npx nodemon src/api/index.js",
     "regenerate": "yo swaggerize:test --framework hapi --apiPath './src/interface/swagger.yaml'",
-    "standard": "npx standard",
-    "standard:fix": "npx standard --fix",
-    "lint": "npm run standard",
-    "lint:fix": "npm run standard:fix",
+    "lint": "eslint .",
+    "lint:fix": "eslint . --fix",
     "test": "npm run test:unit",
     "test:all": "npm run test",
     "test:unit": "tape 'test/unit/**/*.test.js' | tap-spec",
@@ -67,18 +65,18 @@
     "@hapi/catbox": "12.1.1",
     "@hapi/catbox-memory": "6.0.2",
     "@hapi/good": "9.0.1",
-    "@hapi/hapi": "21.4.4",
+    "@hapi/hapi": "21.4.6",
     "@hapi/inert": "7.1.0",
     "@hapi/vision": "7.0.3",
-    "@mojaloop/central-services-error-handling": "13.1.5",
-    "@mojaloop/central-services-health": "15.2.1",
-    "@mojaloop/central-services-logger": "11.10.3",
-    "@mojaloop/central-services-metrics": "12.8.3",
+    "@mojaloop/central-services-error-handling": "13.1.6",
+    "@mojaloop/central-services-health": "15.2.2",
+    "@mojaloop/central-services-logger": "11.10.4",
+    "@mojaloop/central-services-metrics": "12.8.5",
     "@mojaloop/central-services-shared": "^18.26.2",
-    "@mojaloop/central-services-stream": "11.9.0",
-    "@mojaloop/event-sdk": "14.8.2",
-    "@mojaloop/object-store-lib": "12.2.2",
-    "@mojaloop/sdk-standard-components": "19.18.7",
+    "@mojaloop/central-services-stream": "11.9.1",
+    "@mojaloop/event-sdk": "14.8.3",
+    "@mojaloop/object-store-lib": "12.2.3",
+    "@mojaloop/sdk-standard-components": "19.18.8",
     "@now-ims/hapi-now-auth": "2.1.0",
     "axios": "1.13.5",
     "blipp": "4.0.2",
@@ -95,9 +93,20 @@
     "uuid4": "2.0.3"
   },
   "overrides": {
-    "form-data": "4.0.4",
+    "ajv": "8.18.0",
+    "eslint": {
+      "ajv": "6.12.6"
+    },
+    "eslint@9.39.2": {
+      "ajv": "6.12.6"
+    },
+    "@eslint/eslintrc": {
+      "ajv": "6.12.6"
+    },
+    "form-data": "4.0.5",
     "on-headers": "1.1.0",
-    "brace-expansion": "2.0.2",
+    "brace-expansion": "5.0.3",
+    "minimatch@3.0.5": "3.1.5",
     "ansi-regex": "5.0.1",
     "postcss": {
       "nanoid": "^3.3.8"
@@ -105,13 +114,14 @@
     "swagmock": {
       "validator": "13.15.22"
     },
+    "ejs": "3.1.10",
     "shins": {
-      "ajv": "6.12.3",
-      "ejs": "3.1.10",
+      "ajv": "8.18.0",
       "path-to-regexp": "0.1.12",
       "sanitize-html": "2.12.1",
       "markdown-it": "12.3.2",
-      "undici": "6.23.0"
+      "undici": "6.23.0",
+      "ejs": "3.1.10"
     },
     "widdershins": {
       "swagger2openapi": "7.0.8",
@@ -127,9 +137,9 @@
     "yargs-parser": "21.1.1",
     "validator": "13.15.22",
     "js-yaml": "3.14.2",
-    "jws": "4.0.1",
-    "fast-xml-parser": "5.3.4",
-    "qs": "6.14.1",
+    "jws": "3.2.3",
+    "fast-xml-parser": "5.3.6",
+    "qs": "6.14.2",
     "undici": "6.23.0",
     "axios": "1.13.5",
     "lodash": "4.17.23",
@@ -137,16 +147,18 @@
     "diff": "8.0.3"
   },
   "devDependencies": {
-    "audit-ci": "^7.1.0",
-    "nodemon": "3.1.11",
-    "npm-check-updates": "19.3.2",
-    "nyc": "17.1.0",
+    "@eslint/js": "10.0.1",
+    "audit-ci": "7.1.0",
+    "eslint": "10.0.2",
+    "globals": "17.3.0",
+    "nodemon": "3.1.14",
+    "npm-check-updates": "19.5.0",
+    "nyc": "18.0.0",
     "pre-commit": "1.2.2",
     "proxyquire": "2.1.3",
     "replace": "^1.2.2",
     "rewire": "9.0.1",
     "sinon": "21.0.1",
-    "standard": "17.1.2",
     "standard-version": "^9.5.0",
     "swagmock": "1.0.0",
     "tap-spec": "^5.0.0",