@mojaloop/central-ledger 19.12.6 → 19.12.7

package/.grype.yaml

@@ -4,37 +4,10 @@ ignore:
   # vulnerabilities, npm ls shows only 7.0.6 verion is used
 
   # Ignore OpenSSL vulnerabilities in Alpine libcrypto3 and libssl3
-  - vulnerability: CVE-2025-9230
-  - vulnerability: CVE-2025-9232
-  - vulnerability: CVE-2025-9231
-  - vulnerability: GHSA-5j98-mcp5-4vw2 # glob, which comes from npm
+  - vulnerability: GHSA-3ppc-4f35-3m26
+    reason: minimatch upgrade breaks some dev tools so adding this to ignore list
   - vulnerability: CVE-2025-60876
-  - vulnerability: CVE-2026-22184
-  - vulnerability: GHSA-34x7-hfp2-rc4v
-  - vulnerability: CVE-2025-69420
-  - vulnerability: GHSA-r6q2-hw4h-h46w
-  - vulnerability: GHSA-8qq5-rm4j-mr97
-  - vulnerability: GHSA-xxjr-mmjv-4gpg
-  - vulnerability: CVE-2026-22796
-  - vulnerability: GHSA-g9mf-h72j-4rw9
-  # Node.js vulnerabilities - fix requires Node 22.22.0+ (not yet available in Alpine)
-  - vulnerability: CVE-2025-59465
-  - vulnerability: CVE-2025-55131
-  - vulnerability: CVE-2026-21637
-  - vulnerability: CVE-2025-59466
-  - vulnerability: CVE-2025-55130
-  - vulnerability: CVE-2025-55132
-  # diff npm package - fix requires 5.2.2 (breaking change)
-  - vulnerability: GHSA-73rr-hh4g-fpgx
-  - vulnerability: GHSA-6c59-mwgh-r2x6
-  
-  # Ignored: GHSA-37qj-frw5-hhjh affects a dependency only used in local tooling/CI,
-  # is not included in production runtime images, and is tracked for upgrade in our backlog.
-  - vulnerability: GHSA-37qj-frw5-hhjh
-  # Ignored: GHSA-p5wg-g6qr-c7cg affects a non-production/dev-only dependency;
-  # no exploitable path exists in our deployed environment, and mitigations are in place.
-  - vulnerability: GHSA-p5wg-g6qr-c7cg
-  - vulnerability: GHSA-3966-f6p6-2qr9
+    reason: No fix available as of 1.37.0-r30
 
 # Set output format defaults
 output:

package/CHANGELOG.md

@@ -2,6 +2,18 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+### [19.12.7](https://github.com/mojaloop/central-ledger/compare/v19.12.6...v19.12.7) (2026-02-19)
+
+
+### Bug Fixes
+
+* remove deprecated mongodb option ([#1258](https://github.com/mojaloop/central-ledger/issues/1258)) ([7a490fe](https://github.com/mojaloop/central-ledger/commit/7a490fef4dc3d33edad944fba762fc00a9efddfe))
+
+
+### Chore
+
+* **sbom:** update sbom [skip ci] ([14a29f3](https://github.com/mojaloop/central-ledger/commit/14a29f3341dfc9d32c550838032d2758dceeea2d))
+
 ### [19.12.6](https://github.com/mojaloop/central-ledger/compare/v19.12.5...v19.12.6) (2026-02-17)
 
 

package/Dockerfile

@@ -34,7 +34,6 @@ RUN ln -sf /dev/stdout ./logs/combined.log
 
 # Create a non-root user: ml-user
 RUN adduser -D ml-user
-USER ml-user
 
 COPY --chown=ml-user --from=builder /opt/app .
 
@@ -44,5 +43,14 @@ COPY migrations /opt/app/migrations
 COPY seeds /opt/app/seeds
 COPY test /opt/app/test
 
+# Remove npm/npx from runtime image to eliminate npm's vulnerable tar - failing grype scan
+USER root
+RUN rm -rf \
+  /usr/local/lib/node_modules/npm \
+  /usr/local/bin/npm \
+  /usr/local/bin/npx
+
+USER ml-user
+
 EXPOSE 3001
-CMD ["npm", "run", "start"]
+CMD ["node", "src/api/index.js"]

package/audit-ci.jsonc

@@ -1,8 +1,11 @@
 {
   "$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json",
   // audit-ci supports reading JSON, JSONC, and JSON5 config files.
+  // Only check production dependencies (devDependencies ignored)
+  "skip-dev": true,  
   // Only use one of ["low": true, "moderate": true, "high": true, "critical": true]
   "moderate": true,
   "allowlist": [
+    "GHSA-3ppc-4f35-3m26"
   ]
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mojaloop/central-ledger",
-  "version": "19.12.6",
+  "version": "19.12.7",
   "description": "Central ledger hosted by a scheme to record and settle transfers",
   "license": "Apache-2.0",
   "author": "ModusBox",
@@ -87,20 +87,20 @@
     "@hapi/catbox-memory": "6.0.2",
     "@hapi/catbox": "12.1.1",
     "@hapi/good": "9.0.1",
-    "@hapi/hapi": "21.4.4",
+    "@hapi/hapi": "21.4.6",
     "@hapi/inert": "7.1.0",
     "@hapi/vision": "7.0.3",
     "@mojaloop/central-services-error-handling": "13.1.6",
     "@mojaloop/central-services-health": "15.2.2",
     "@mojaloop/central-services-logger": "11.10.4",
-    "@mojaloop/central-services-metrics": "12.8.4",
+    "@mojaloop/central-services-metrics": "12.8.5",
     "@mojaloop/central-services-shared": "18.35.3",
     "@mojaloop/central-services-stream": "11.9.1",
-    "@mojaloop/database-lib": "11.3.5",
-    "@mojaloop/event-sdk": "14.8.2",
+    "@mojaloop/database-lib": "11.3.7",
+    "@mojaloop/event-sdk": "14.8.3",
     "@mojaloop/inter-scheme-proxy-cache-lib": "2.9.0",
     "@mojaloop/ml-number": "11.4.3",
-    "@mojaloop/object-store-lib": "12.2.2",
+    "@mojaloop/object-store-lib": "12.2.3",
     "@now-ims/hapi-now-auth": "2.1.0",
     "ajv": "8.18.0",
     "ajv-keywords": "5.1.0",
@@ -139,7 +139,7 @@
     "jsonpath": "1.2.1",
     "mock-knex": "0.4.13",
     "nodemon": "3.1.11",
-    "npm-check-updates": "19.3.2",
+    "npm-check-updates": "19.4.0",
     "nyc": "17.1.0",
     "pre-commit": "1.2.2",
     "proxyquire": "2.1.3",
@@ -153,13 +153,23 @@
     "tapes": "4.1.0"
   },
   "overrides": {
+    "ajv": "8.18.0",
+    "eslint": {
+      "ajv": "6.12.6"
+    },
+    "eslint@9.39.2": {
+      "ajv": "6.12.6"
+    },
+    "@eslint/eslintrc": {
+      "ajv": "6.12.6"
+    },
     "axios": "1.13.5",
     "brace-expansion": "2.0.2",
     "form-data": "4.0.4",
     "lodash": "4.17.23",
     "undici": "6.23.0",
     "shins": {
-      "ajv": "6.12.3",
+      "ajv": "8.18.0",
       "ejs": "3.1.10",
       "sanitize-html": "2.12.1",
       "markdown-it": "12.3.2"
@@ -180,7 +190,7 @@
     "trim": "0.0.3",
     "cross-spawn": "7.0.6",
     "yargs-parser": "21.1.1",
-    "fast-xml-parser": "5.3.4"
+    "fast-xml-parser": "5.3.6"
   },
   "config": {
     "knex": "--knexfile ./config/knexfile.js",