@mojaloop/central-ledger 19.13.1 → 19.14.0
- package/.grype.yaml +74 -12
- package/CHANGELOG.md +25 -0
- package/Dockerfile +1 -1
- package/audit-ci.jsonc +1 -4
- package/package.json +19 -12
- package/{sbom-v19.13.0.csv → sbom-v19.13.2.csv} +62 -102
- package/src/cryptoConditions/index.js +24 -3
- package/src/handlers/transfers/handler.js +17 -1
- package/src/handlers/transfers/validator.js +1 -2
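--- a/package/.grype.yaml
+++ b/package/.grype.yaml
@@ -1,10 +1,5 @@
 scan-type: source
 ignore:
-# Ignore cross-spawn vulnerabilities by CVE ID due to false positive
-# as grype looks at package-lock.json where it shows versions with
-# vulnerabilities, npm ls shows only 7.0.6 verion is used
-
-# Ignore OpenSSL vulnerabilities in Alpine libcrypto3 and libssl3
 - vulnerability: GHSA-3ppc-4f35-3m26
 reason: minimatch upgrade breaks some dev tools so adding this to ignore list
 - vulnerability: CVE-2025-60876
@@ -19,14 +14,81 @@ ignore:
 include-aliases: true
 - vulnerability: GHSA-r6q2-hw4h-h46w
 include-aliases: true
-
-
+- vulnerability: CVE-2025-15467
+include-aliases: true
+reason: "Alpine base image package (apk): libcrypto3 - no npm fix available as of 2026-02-23 (critical severity)"
+- vulnerability: CVE-2025-69420
+include-aliases: true
+reason: "Alpine base image package (apk): libcrypto3 - no npm fix available as of 2026-02-23 (high severity)"
+- vulnerability: CVE-2025-59465
+include-aliases: true
+reason: "Node.js binary vulnerability: node - requires Node.js runtime update as of 2026-02-23 (high severity)"
+- vulnerability: CVE-2025-69421
+include-aliases: true
+reason: "Alpine base image package (apk): libcrypto3 - no npm fix available as of 2026-02-23 (high severity)"
+- vulnerability: CVE-2025-69419
+include-aliases: true
+reason: "Alpine base image package (apk): libcrypto3 - no npm fix available as of 2026-02-23 (high severity)"
+- vulnerability: CVE-2026-22796
+include-aliases: true
+reason: "Alpine base image package (apk): libcrypto3 - no npm fix available as of 2026-02-23 (moderate severity)"
+- vulnerability: CVE-2025-66199
+include-aliases: true
+reason: "Alpine base image package (apk): libcrypto3 - no npm fix available as of 2026-02-23 (moderate severity)"
+- vulnerability: CVE-2025-15468
+include-aliases: true
+reason: "Alpine base image package (apk): libcrypto3 - no npm fix available as of 2026-02-23 (moderate severity)"
+- vulnerability: CVE-2026-21637
+include-aliases: true
+reason: "Node.js binary vulnerability: node - requires Node.js runtime update as of 2026-02-23 (high severity)"
+- vulnerability: CVE-2025-55131
+include-aliases: true
+reason: "Node.js binary vulnerability: node - requires Node.js runtime update as of 2026-02-23 (high severity)"
+- vulnerability: CVE-2025-59466
+include-aliases: true
+reason: "Node.js binary vulnerability: node - requires Node.js runtime update as of 2026-02-23 (high severity)"
+- vulnerability: CVE-2025-55130
+include-aliases: true
+reason: "Node.js binary vulnerability: node - requires Node.js runtime update as of 2026-02-23 (critical severity)"
+- vulnerability: CVE-2026-22795
+include-aliases: true
+reason: "Alpine base image package (apk): libcrypto3 - no npm fix available as of 2026-02-23 (moderate severity)"
+- vulnerability: CVE-2025-68160
+include-aliases: true
+reason: "Alpine base image package (apk): libcrypto3 - no npm fix available as of 2026-02-23 (moderate severity)"
+- vulnerability: CVE-2025-11187
+include-aliases: true
+reason: "Alpine base image package (apk): libcrypto3 - no npm fix available as of 2026-02-23 (moderate severity)"
+- vulnerability: GHSA-73rr-hh4g-fpgx
+include-aliases: true
+reason: >-
+Base image npm package: diff - bundled in Node.js base image, not fixable via application dependencies as of
+2026-02-23 (low severity)
+- vulnerability: CVE-2025-55132
+include-aliases: true
+reason: "Node.js binary vulnerability: node - requires Node.js runtime update as of 2026-02-23 (moderate severity)"
+- vulnerability: CVE-2026-27171
+include-aliases: true
+reason: "Alpine base image package (apk): zlib - no npm fix available as of 2026-02-23 (moderate severity)"
+- vulnerability: CVE-2025-15469
+include-aliases: true
+reason: "Alpine base image package (apk): libcrypto3 - no npm fix available as of 2026-02-23 (moderate severity)"
+- vulnerability: CVE-2025-69418
+include-aliases: true
+reason: "Alpine base image package (apk): libcrypto3 - no npm fix available as of 2026-02-23 (moderate severity)"
+- vulnerability: GHSA-87r5-mp6g-5w5j
+include-aliases: true
+reason: "Unfixable npm transitive vulnerability: jsonpath (high severity) as of 2026-02-23"
+- vulnerability: GHSA-378v-28hj-76wf
+include-aliases: true
+reason: "Unfixable npm transitive vulnerability: bn.js (moderate severity) as of 2026-02-23"
+- vulnerability: GHSA-2g4f-4pwh-qvx6
+include-aliases: true
+reason: "Unfixable npm transitive vulnerability: ajv (moderate severity) as of 2026-02-23"
 output:
--
--
-
-# Modify your CircleCI job to check critical count
+- table
+- json
 search:
-scope:
+scope: squashed
 quiet: false
 check-for-app-update: false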
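Review bot: The ignore rules added in the second hunk match on the vulnerability id alone, so each one suppresses that id for every package and location grype scans, and nothing on the rule says when it should be looked at again. Scoping each rule to the component named in its reason, e.g. `package: { name: libcrypto3, type: apk }` under CVE-2025-15467, would keep the same id visible if it ever shows up in another component. The two entries marked critical (CVE-2025-15467 and CVE-2025-55130) are justified with "no npm fix available" and "requires Node.js runtime update", which reads as a pending base-image bump rather than an accepted risk; a comment carrying the tracking issue and a review-by date would make that explicit. The retained GHSA-3ppc-4f35-3m26 rule in the first hunk may also be stale, since this release drops the same id from the audit-ci allowlist and adds minimatch overrides in package.json.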
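--- a/package/CHANGELOG.md
+++ b/package/CHANGELOG.md
@@ -2,6 +2,31 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [19.14.0](https://github.com/mojaloop/central-ledger/compare/v19.13.2...v19.14.0) (2026-03-19)
+
+
+### Features
+
+* vendor the condition check from five-bells-condition into cryptoConditions ([#1264](https://github.com/mojaloop/central-ledger/issues/1264)) ([4d7c4d2](https://github.com/mojaloop/central-ledger/commit/4d7c4d27f5d24fc818c7663a966ca8bf8f855b65))
+
+
+### Bug Fixes
+
+* undefined fulfilment error not thrown ([#1281](https://github.com/mojaloop/central-ledger/issues/1281)) ([a9361d4](https://github.com/mojaloop/central-ledger/commit/a9361d4ee5d3fb44ca0cc0ceca893c0d2ff35b84))
+
+
+### Chore
+
+* **sbom:** update sbom [skip ci] ([21ce9d4](https://github.com/mojaloop/central-ledger/commit/21ce9d455e89568af3e6618b1528425afbbb7b2c))
+
+### [19.13.2](https://github.com/mojaloop/central-ledger/compare/v19.13.1...v19.13.2) (2026-02-27)
+
+
+### Chore
+
+* maintenance updates ([#1260](https://github.com/mojaloop/central-ledger/issues/1260)) ([464c50c](https://github.com/mojaloop/central-ledger/commit/464c50cda674ee63b23e94e2b9ff19ce4cd807f0))
+* **sbom:** update sbom [skip ci] ([2df7c77](https://github.com/mojaloop/central-ledger/commit/2df7c7731a9722d1ace56919ebbdef076ef1295c))
+
 ### [19.13.1](https://github.com/mojaloop/central-ledger/compare/v19.13.0...v19.13.1) (2026-02-26)
 
 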
package/Dockerfile
CHANGED
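--- a/package/audit-ci.jsonc
+++ b/package/audit-ci.jsonc
@@ -1,11 +1,8 @@
 {
 "$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json",
 // audit-ci supports reading JSON, JSONC, and JSON5 config files.
-// Only check production dependencies (devDependencies ignored)
-"skip-dev": true,
 // Only use one of ["low": true, "moderate": true, "high": true, "critical": true]
 "moderate": true,
-"allowlist": [
-"GHSA-3ppc-4f35-3m26"
+"allowlist": [ // NOTE: Please add as much information as possible to any items added to the allowList
 ]
 }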
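--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@mojaloop/central-ledger",
-"version": "19.
+"version": "19.14.0",
 "description": "Central ledger hosted by a scheme to record and settle transfers",
 "license": "Apache-2.0",
 "author": "ModusBox",
@@ -87,7 +87,7 @@
 "@hapi/catbox": "12.1.1",
 "@hapi/catbox-memory": "6.0.2",
 "@hapi/good": "9.0.1",
-"@hapi/hapi": "21.4.
+"@hapi/hapi": "21.4.7",
 "@hapi/inert": "7.1.0",
 "@hapi/vision": "7.0.3",
 "@mojaloop/central-services-error-handling": "13.1.6",
@@ -111,7 +111,6 @@
 "decimal.js": "10.6.0",
 "docdash": "2.0.2",
 "event-stream": "4.0.1",
-"five-bells-condition": "5.0.1",
 "hapi-auth-bearer-token": "8.0.0",
 "hapi-swagger": "17.3.2",
 "ilp-packet": "2.2.0",
@@ -129,16 +128,16 @@
 },
 "devDependencies": {
 "@opentelemetry/api": "^1.9.0",
-"@opentelemetry/auto-instrumentations-node": "^0.
+"@opentelemetry/auto-instrumentations-node": "^0.71.0",
 "@types/mock-knex": "0.4.8",
 "async-retry": "1.3.3",
 "audit-ci": "^7.1.0",
 "get-port": "5.1.1",
 "jsdoc": "4.0.5",
-"jsonpath": "1.
+"jsonpath": "1.3.0",
 "mock-knex": "0.4.13",
 "nodemon": "3.1.14",
-"npm-check-updates": "19.6.
+"npm-check-updates": "19.6.5",
 "nyc": "18.0.0",
 "pre-commit": "1.2.2",
 "proxyquire": "2.1.3",
@@ -154,19 +153,19 @@
 "overrides": {
 "ajv": "8.18.0",
 "eslint": {
-"ajv": "6.
+"ajv": "6.14.0"
 },
 "eslint@9.39.2": {
-"ajv": "6.
+"ajv": "6.14.0"
 },
 "@eslint/eslintrc": {
-"ajv": "6.
+"ajv": "6.14.0"
 },
 "axios": "1.13.5",
 "brace-expansion": "2.0.2",
-"form-data": "4.0.
+"form-data": "4.0.5",
 "lodash": "4.17.23",
-"undici": "6.
+"undici": "6.24.0",
 "shins": {
 "ajv": "8.18.0",
 "ejs": "3.1.10",
@@ -183,13 +182,21 @@
 "hapi-swagger": {
 "joi": "18.0.1"
 },
+"immutable": "5.1.5",
 "jsonwebtoken": "9.0.0",
 "jsonpointer": "5.0.0",
 "on-headers": "1.1.0",
 "trim": "0.0.3",
 "cross-spawn": "7.0.6",
 "yargs-parser": "21.1.1",
-"fast-xml-parser": "5.
+"fast-xml-parser": "5.5.6",
+"minimatch@<=3.1.3": "3.1.5",
+"minimatch@5.1.7": "5.1.9",
+"minimatch@9.0.6": "9.0.9",
+"replace": {
+"minimatch": "3.1.5"
+},
+"underscore": "1.13.8"
 },
 "config": {
 "knex": "--knexfile ./config/knexfile.js",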
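Review bot: Removing `"five-bells-condition": "5.0.1"` in the `@@ -111,7 +111,6 @@` hunk leaves no record in the manifest of where the condition-check code now comes from. The changelog says it was vendored into `src/cryptoConditions`, and vendored code is not matched by audit-ci or grype and presumably drops out of the generated SBOM as well. That file is not visible in this part of the diff, so this may already be covered, but a header comment there such as `// Vendored from five-bells-condition 5.0.1 (upstream licence and source URL here); re-check upstream advisories when touching this file` would keep the provenance reviewable.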