@mojaloop/central-ledger 19.13.0 → 19.14.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (10) hide show
  1. package/.grype.yaml +74 -12
  2. package/CHANGELOG.md +37 -0
  3. package/Dockerfile +1 -1
  4. package/audit-ci.jsonc +1 -4
  5. package/migrations/950120_fxQuoteConversionTerms_sourceAmount_nullable.js +66 -0
  6. package/package.json +19 -12
  7. package/{sbom-v19.12.8.csv → sbom-v19.13.2.csv} +153 -187
  8. package/src/cryptoConditions/index.js +24 -3
  9. package/src/handlers/transfers/handler.js +17 -1
  10. package/src/handlers/transfers/validator.js +1 -2
package/.grype.yaml CHANGED
@@ -1,10 +1,5 @@
1
1
  scan-type: source
2
2
  ignore:
3
- # Ignore cross-spawn vulnerabilities by CVE ID due to false positive
4
- # as grype looks at package-lock.json where it shows versions with
5
- # vulnerabilities, npm ls shows only 7.0.6 verion is used
6
-
7
- # Ignore OpenSSL vulnerabilities in Alpine libcrypto3 and libssl3
8
3
  - vulnerability: GHSA-3ppc-4f35-3m26
9
4
  reason: minimatch upgrade breaks some dev tools so adding this to ignore list
10
5
  - vulnerability: CVE-2025-60876
@@ -19,14 +14,81 @@ ignore:
19
14
  include-aliases: true
20
15
  - vulnerability: GHSA-r6q2-hw4h-h46w
21
16
  include-aliases: true
22
-
23
- # Set output format defaults
17
+ - vulnerability: CVE-2025-15467
18
+ include-aliases: true
19
+ reason: "Alpine base image package (apk): libcrypto3 - no npm fix available as of 2026-02-23 (critical severity)"
20
+ - vulnerability: CVE-2025-69420
21
+ include-aliases: true
22
+ reason: "Alpine base image package (apk): libcrypto3 - no npm fix available as of 2026-02-23 (high severity)"
23
+ - vulnerability: CVE-2025-59465
24
+ include-aliases: true
25
+ reason: "Node.js binary vulnerability: node - requires Node.js runtime update as of 2026-02-23 (high severity)"
26
+ - vulnerability: CVE-2025-69421
27
+ include-aliases: true
28
+ reason: "Alpine base image package (apk): libcrypto3 - no npm fix available as of 2026-02-23 (high severity)"
29
+ - vulnerability: CVE-2025-69419
30
+ include-aliases: true
31
+ reason: "Alpine base image package (apk): libcrypto3 - no npm fix available as of 2026-02-23 (high severity)"
32
+ - vulnerability: CVE-2026-22796
33
+ include-aliases: true
34
+ reason: "Alpine base image package (apk): libcrypto3 - no npm fix available as of 2026-02-23 (moderate severity)"
35
+ - vulnerability: CVE-2025-66199
36
+ include-aliases: true
37
+ reason: "Alpine base image package (apk): libcrypto3 - no npm fix available as of 2026-02-23 (moderate severity)"
38
+ - vulnerability: CVE-2025-15468
39
+ include-aliases: true
40
+ reason: "Alpine base image package (apk): libcrypto3 - no npm fix available as of 2026-02-23 (moderate severity)"
41
+ - vulnerability: CVE-2026-21637
42
+ include-aliases: true
43
+ reason: "Node.js binary vulnerability: node - requires Node.js runtime update as of 2026-02-23 (high severity)"
44
+ - vulnerability: CVE-2025-55131
45
+ include-aliases: true
46
+ reason: "Node.js binary vulnerability: node - requires Node.js runtime update as of 2026-02-23 (high severity)"
47
+ - vulnerability: CVE-2025-59466
48
+ include-aliases: true
49
+ reason: "Node.js binary vulnerability: node - requires Node.js runtime update as of 2026-02-23 (high severity)"
50
+ - vulnerability: CVE-2025-55130
51
+ include-aliases: true
52
+ reason: "Node.js binary vulnerability: node - requires Node.js runtime update as of 2026-02-23 (critical severity)"
53
+ - vulnerability: CVE-2026-22795
54
+ include-aliases: true
55
+ reason: "Alpine base image package (apk): libcrypto3 - no npm fix available as of 2026-02-23 (moderate severity)"
56
+ - vulnerability: CVE-2025-68160
57
+ include-aliases: true
58
+ reason: "Alpine base image package (apk): libcrypto3 - no npm fix available as of 2026-02-23 (moderate severity)"
59
+ - vulnerability: CVE-2025-11187
60
+ include-aliases: true
61
+ reason: "Alpine base image package (apk): libcrypto3 - no npm fix available as of 2026-02-23 (moderate severity)"
62
+ - vulnerability: GHSA-73rr-hh4g-fpgx
63
+ include-aliases: true
64
+ reason: >-
65
+ Base image npm package: diff - bundled in Node.js base image, not fixable via application dependencies as of
66
+ 2026-02-23 (low severity)
67
+ - vulnerability: CVE-2025-55132
68
+ include-aliases: true
69
+ reason: "Node.js binary vulnerability: node - requires Node.js runtime update as of 2026-02-23 (moderate severity)"
70
+ - vulnerability: CVE-2026-27171
71
+ include-aliases: true
72
+ reason: "Alpine base image package (apk): zlib - no npm fix available as of 2026-02-23 (moderate severity)"
73
+ - vulnerability: CVE-2025-15469
74
+ include-aliases: true
75
+ reason: "Alpine base image package (apk): libcrypto3 - no npm fix available as of 2026-02-23 (moderate severity)"
76
+ - vulnerability: CVE-2025-69418
77
+ include-aliases: true
78
+ reason: "Alpine base image package (apk): libcrypto3 - no npm fix available as of 2026-02-23 (moderate severity)"
79
+ - vulnerability: GHSA-87r5-mp6g-5w5j
80
+ include-aliases: true
81
+ reason: "Unfixable npm transitive vulnerability: jsonpath (high severity) as of 2026-02-23"
82
+ - vulnerability: GHSA-378v-28hj-76wf
83
+ include-aliases: true
84
+ reason: "Unfixable npm transitive vulnerability: bn.js (moderate severity) as of 2026-02-23"
85
+ - vulnerability: GHSA-2g4f-4pwh-qvx6
86
+ include-aliases: true
87
+ reason: "Unfixable npm transitive vulnerability: ajv (moderate severity) as of 2026-02-23"
24
88
  output:
25
- - "table"
26
- - "json"
27
-
28
- # Modify your CircleCI job to check critical count
89
+ - table
90
+ - json
29
91
  search:
30
- scope: "squashed"
92
+ scope: squashed
31
93
  quiet: false
32
94
  check-for-app-update: false
package/CHANGELOG.md CHANGED
@@ -2,6 +2,43 @@
2
2
 
3
3
  All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
4
4
 
5
+ ## [19.14.0](https://github.com/mojaloop/central-ledger/compare/v19.13.2...v19.14.0) (2026-03-19)
6
+
7
+
8
+ ### Features
9
+
10
+ * vendor the condition check from five-bells-condition into cryptoConditions ([#1264](https://github.com/mojaloop/central-ledger/issues/1264)) ([4d7c4d2](https://github.com/mojaloop/central-ledger/commit/4d7c4d27f5d24fc818c7663a966ca8bf8f855b65))
11
+
12
+
13
+ ### Bug Fixes
14
+
15
+ * undefined fulfilment error not thrown ([#1281](https://github.com/mojaloop/central-ledger/issues/1281)) ([a9361d4](https://github.com/mojaloop/central-ledger/commit/a9361d4ee5d3fb44ca0cc0ceca893c0d2ff35b84))
16
+
17
+
18
+ ### Chore
19
+
20
+ * **sbom:** update sbom [skip ci] ([21ce9d4](https://github.com/mojaloop/central-ledger/commit/21ce9d455e89568af3e6618b1528425afbbb7b2c))
21
+
22
+ ### [19.13.2](https://github.com/mojaloop/central-ledger/compare/v19.13.1...v19.13.2) (2026-02-27)
23
+
24
+
25
+ ### Chore
26
+
27
+ * maintenance updates ([#1260](https://github.com/mojaloop/central-ledger/issues/1260)) ([464c50c](https://github.com/mojaloop/central-ledger/commit/464c50cda674ee63b23e94e2b9ff19ce4cd807f0))
28
+ * **sbom:** update sbom [skip ci] ([2df7c77](https://github.com/mojaloop/central-ledger/commit/2df7c7731a9722d1ace56919ebbdef076ef1295c))
29
+
30
+ ### [19.13.1](https://github.com/mojaloop/central-ledger/compare/v19.13.0...v19.13.1) (2026-02-26)
31
+
32
+
33
+ ### Bug Fixes
34
+
35
+ * make fxQuoteConversionTerms.sourceAmount nullable ([#1267](https://github.com/mojaloop/central-ledger/issues/1267)) ([f770970](https://github.com/mojaloop/central-ledger/commit/f770970159fdf5624c0763562edff89db97beb5c))
36
+
37
+
38
+ ### Chore
39
+
40
+ * **sbom:** update sbom [skip ci] ([b834732](https://github.com/mojaloop/central-ledger/commit/b834732ce99fd8639a5e35f410294f1fef391c82))
41
+
5
42
  ## [19.13.0](https://github.com/mojaloop/central-ledger/compare/v19.12.8...v19.13.0) (2026-02-26)
6
43
 
7
44
 
package/Dockerfile CHANGED
@@ -1,5 +1,5 @@
1
1
  # Arguments
2
- ARG NODE_VERSION=22.21.1-alpine3.23
2
+ ARG NODE_VERSION=22.22.0-alpine3.23
3
3
 
4
4
  # NOTE: Ensure you set NODE_VERSION Build Argument as follows...
5
5
  #
package/audit-ci.jsonc CHANGED
@@ -1,11 +1,8 @@
1
1
  {
2
2
  "$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json",
3
3
  // audit-ci supports reading JSON, JSONC, and JSON5 config files.
4
- // Only check production dependencies (devDependencies ignored)
5
- "skip-dev": true,
6
4
  // Only use one of ["low": true, "moderate": true, "high": true, "critical": true]
7
5
  "moderate": true,
8
- "allowlist": [
9
- "GHSA-3ppc-4f35-3m26"
6
+ "allowlist": [ // NOTE: Please add as much information as possible to any items added to the allowList
10
7
  ]
11
8
  }
package/migrations/950120_fxQuoteConversionTerms_sourceAmount_nullable.js ADDED
@@ -0,0 +1,66 @@
1
+ /*****
2
+ License
3
+ --------------
4
+ Copyright © 2020-2026 Mojaloop Foundation
5
+ The Mojaloop files are made available by the Mojaloop Foundation under the Apache License, Version 2.0 (the "License") and you may not use these files except in compliance with the License. You may obtain a copy of the License at
6
+
7
+ http://www.apache.org/licenses/LICENSE-2.0
8
+
9
+ Unless required by applicable law or agreed to in writing, the Mojaloop files are distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
10
+
11
+ Contributors
12
+ --------------
13
+ This is the official list of the Mojaloop project contributors for this file.
14
+ Names of the original copyright holders (individuals or organizations)
15
+ should be listed with a '*' in the first column. People who have
16
+ contributed from an organization can be listed under the organization
17
+ that actually holds the copyright for their contributions (see the
18
+ Mojaloop Foundation for an example). Those individuals should have
19
+ their names indented and be marked with a '-'. Email address can be added
20
+ optionally within square brackets <email>.
21
+
22
+ * Mojaloop Foundation
23
+ - Name Surname <name.surname@mojaloop.io>
24
+ - Shashikant Hirugade <shashi.mojaloop@gmail.com>
25
+
26
+ --------------
27
+
28
+ ******/
29
+ 'use strict'
30
+
31
+ exports.up = function (knex) {
32
+ return knex.schema.hasTable('fxQuoteConversionTerms')
33
+ .then(function (exists) {
34
+ if (!exists) return
35
+
36
+ return knex.schema.hasColumn('fxQuoteConversionTerms', 'sourceAmount')
37
+ .then(function (columnExists) {
38
+ if (!columnExists) return
39
+
40
+ return knex.schema.alterTable('fxQuoteConversionTerms', function (t) {
41
+ t.decimal('sourceAmount', 18, 4)
42
+ .nullable()
43
+ .defaultTo(null)
44
+ .alter()
45
+ })
46
+ })
47
+ })
48
+ }
49
+
50
+ exports.down = function (knex) {
51
+ return knex.schema.hasTable('fxQuoteConversionTerms')
52
+ .then(function (exists) {
53
+ if (!exists) return
54
+
55
+ return knex.schema.hasColumn('fxQuoteConversionTerms', 'sourceAmount')
56
+ .then(function (columnExists) {
57
+ if (!columnExists) return
58
+
59
+ return knex.schema.alterTable('fxQuoteConversionTerms', function (t) {
60
+ t.decimal('sourceAmount', 18, 4)
61
+ .notNullable()
62
+ .alter()
63
+ })
64
+ })
65
+ })
66
+ }
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@mojaloop/central-ledger",
3
- "version": "19.13.0",
3
+ "version": "19.14.0",
4
4
  "description": "Central ledger hosted by a scheme to record and settle transfers",
5
5
  "license": "Apache-2.0",
6
6
  "author": "ModusBox",
@@ -87,7 +87,7 @@
87
87
  "@hapi/catbox": "12.1.1",
88
88
  "@hapi/catbox-memory": "6.0.2",
89
89
  "@hapi/good": "9.0.1",
90
- "@hapi/hapi": "21.4.6",
90
+ "@hapi/hapi": "21.4.7",
91
91
  "@hapi/inert": "7.1.0",
92
92
  "@hapi/vision": "7.0.3",
93
93
  "@mojaloop/central-services-error-handling": "13.1.6",
@@ -111,7 +111,6 @@
111
111
  "decimal.js": "10.6.0",
112
112
  "docdash": "2.0.2",
113
113
  "event-stream": "4.0.1",
114
- "five-bells-condition": "5.0.1",
115
114
  "hapi-auth-bearer-token": "8.0.0",
116
115
  "hapi-swagger": "17.3.2",
117
116
  "ilp-packet": "2.2.0",
@@ -129,16 +128,16 @@
129
128
  },
130
129
  "devDependencies": {
131
130
  "@opentelemetry/api": "^1.9.0",
132
- "@opentelemetry/auto-instrumentations-node": "^0.70.1",
131
+ "@opentelemetry/auto-instrumentations-node": "^0.71.0",
133
132
  "@types/mock-knex": "0.4.8",
134
133
  "async-retry": "1.3.3",
135
134
  "audit-ci": "^7.1.0",
136
135
  "get-port": "5.1.1",
137
136
  "jsdoc": "4.0.5",
138
- "jsonpath": "1.2.1",
137
+ "jsonpath": "1.3.0",
139
138
  "mock-knex": "0.4.13",
140
139
  "nodemon": "3.1.14",
141
- "npm-check-updates": "19.5.0",
140
+ "npm-check-updates": "19.6.5",
142
141
  "nyc": "18.0.0",
143
142
  "pre-commit": "1.2.2",
144
143
  "proxyquire": "2.1.3",
@@ -154,19 +153,19 @@
154
153
  "overrides": {
155
154
  "ajv": "8.18.0",
156
155
  "eslint": {
157
- "ajv": "6.12.6"
156
+ "ajv": "6.14.0"
158
157
  },
159
158
  "eslint@9.39.2": {
160
- "ajv": "6.12.6"
159
+ "ajv": "6.14.0"
161
160
  },
162
161
  "@eslint/eslintrc": {
163
- "ajv": "6.12.6"
162
+ "ajv": "6.14.0"
164
163
  },
165
164
  "axios": "1.13.5",
166
165
  "brace-expansion": "2.0.2",
167
- "form-data": "4.0.4",
166
+ "form-data": "4.0.5",
168
167
  "lodash": "4.17.23",
169
- "undici": "6.23.0",
168
+ "undici": "6.24.0",
170
169
  "shins": {
171
170
  "ajv": "8.18.0",
172
171
  "ejs": "3.1.10",
@@ -183,13 +182,21 @@
183
182
  "hapi-swagger": {
184
183
  "joi": "18.0.1"
185
184
  },
185
+ "immutable": "5.1.5",
186
186
  "jsonwebtoken": "9.0.0",
187
187
  "jsonpointer": "5.0.0",
188
188
  "on-headers": "1.1.0",
189
189
  "trim": "0.0.3",
190
190
  "cross-spawn": "7.0.6",
191
191
  "yargs-parser": "21.1.1",
192
- "fast-xml-parser": "5.3.6"
192
+ "fast-xml-parser": "5.5.6",
193
+ "minimatch@<=3.1.3": "3.1.5",
194
+ "minimatch@5.1.7": "5.1.9",
195
+ "minimatch@9.0.6": "9.0.9",
196
+ "replace": {
197
+ "minimatch": "3.1.5"
198
+ },
199
+ "underscore": "1.13.8"
193
200
  },
194
201
  "config": {
195
202
  "knex": "--knexfile ./config/knexfile.js",