@mojaloop/central-ledger 19.13.1 → 19.14.0-snapshot.2

package/.grype.yaml

@@ -1,10 +1,5 @@
 scan-type: source
 ignore:
-  # Ignore cross-spawn vulnerabilities by CVE ID due to false positive
-  # as grype looks at package-lock.json where it shows versions with
-  # vulnerabilities, npm ls shows only 7.0.6 verion is used
-
-  # Ignore OpenSSL vulnerabilities in Alpine libcrypto3 and libssl3
   - vulnerability: GHSA-3ppc-4f35-3m26
     reason: minimatch upgrade breaks some dev tools so adding this to ignore list
   - vulnerability: CVE-2025-60876
@@ -19,14 +14,81 @@ ignore:
     include-aliases: true
   - vulnerability: GHSA-r6q2-hw4h-h46w
     include-aliases: true
-
-# Set output format defaults
+  - vulnerability: CVE-2025-15467
+    include-aliases: true
+    reason: "Alpine base image package (apk): libcrypto3 - no npm fix available as of 2026-02-23 (critical severity)"
+  - vulnerability: CVE-2025-69420
+    include-aliases: true
+    reason: "Alpine base image package (apk): libcrypto3 - no npm fix available as of 2026-02-23 (high severity)"
+  - vulnerability: CVE-2025-59465
+    include-aliases: true
+    reason: "Node.js binary vulnerability: node - requires Node.js runtime update as of 2026-02-23 (high severity)"
+  - vulnerability: CVE-2025-69421
+    include-aliases: true
+    reason: "Alpine base image package (apk): libcrypto3 - no npm fix available as of 2026-02-23 (high severity)"
+  - vulnerability: CVE-2025-69419
+    include-aliases: true
+    reason: "Alpine base image package (apk): libcrypto3 - no npm fix available as of 2026-02-23 (high severity)"
+  - vulnerability: CVE-2026-22796
+    include-aliases: true
+    reason: "Alpine base image package (apk): libcrypto3 - no npm fix available as of 2026-02-23 (moderate severity)"
+  - vulnerability: CVE-2025-66199
+    include-aliases: true
+    reason: "Alpine base image package (apk): libcrypto3 - no npm fix available as of 2026-02-23 (moderate severity)"
+  - vulnerability: CVE-2025-15468
+    include-aliases: true
+    reason: "Alpine base image package (apk): libcrypto3 - no npm fix available as of 2026-02-23 (moderate severity)"
+  - vulnerability: CVE-2026-21637
+    include-aliases: true
+    reason: "Node.js binary vulnerability: node - requires Node.js runtime update as of 2026-02-23 (high severity)"
+  - vulnerability: CVE-2025-55131
+    include-aliases: true
+    reason: "Node.js binary vulnerability: node - requires Node.js runtime update as of 2026-02-23 (high severity)"
+  - vulnerability: CVE-2025-59466
+    include-aliases: true
+    reason: "Node.js binary vulnerability: node - requires Node.js runtime update as of 2026-02-23 (high severity)"
+  - vulnerability: CVE-2025-55130
+    include-aliases: true
+    reason: "Node.js binary vulnerability: node - requires Node.js runtime update as of 2026-02-23 (critical severity)"
+  - vulnerability: CVE-2026-22795
+    include-aliases: true
+    reason: "Alpine base image package (apk): libcrypto3 - no npm fix available as of 2026-02-23 (moderate severity)"
+  - vulnerability: CVE-2025-68160
+    include-aliases: true
+    reason: "Alpine base image package (apk): libcrypto3 - no npm fix available as of 2026-02-23 (moderate severity)"
+  - vulnerability: CVE-2025-11187
+    include-aliases: true
+    reason: "Alpine base image package (apk): libcrypto3 - no npm fix available as of 2026-02-23 (moderate severity)"
+  - vulnerability: GHSA-73rr-hh4g-fpgx
+    include-aliases: true
+    reason: >-
+      Base image npm package: diff - bundled in Node.js base image, not fixable via application dependencies as of
+      2026-02-23 (low severity)
+  - vulnerability: CVE-2025-55132
+    include-aliases: true
+    reason: "Node.js binary vulnerability: node - requires Node.js runtime update as of 2026-02-23 (moderate severity)"
+  - vulnerability: CVE-2026-27171
+    include-aliases: true
+    reason: "Alpine base image package (apk): zlib - no npm fix available as of 2026-02-23 (moderate severity)"
+  - vulnerability: CVE-2025-15469
+    include-aliases: true
+    reason: "Alpine base image package (apk): libcrypto3 - no npm fix available as of 2026-02-23 (moderate severity)"
+  - vulnerability: CVE-2025-69418
+    include-aliases: true
+    reason: "Alpine base image package (apk): libcrypto3 - no npm fix available as of 2026-02-23 (moderate severity)"
+  - vulnerability: GHSA-87r5-mp6g-5w5j
+    include-aliases: true
+    reason: "Unfixable npm transitive vulnerability: jsonpath (high severity) as of 2026-02-23"
+  - vulnerability: GHSA-378v-28hj-76wf
+    include-aliases: true
+    reason: "Unfixable npm transitive vulnerability: bn.js (moderate severity) as of 2026-02-23"
+  - vulnerability: GHSA-2g4f-4pwh-qvx6
+    include-aliases: true
+    reason: "Unfixable npm transitive vulnerability: ajv (moderate severity) as of 2026-02-23"
 output:
-  - "table"
-  - "json"
-
-# Modify your CircleCI job to check critical count
+  - table
+  - json
 search:
-  scope: "squashed"
+  scope: squashed
 quiet: false
 check-for-app-update: false

package/CHANGELOG.md

@@ -2,6 +2,31 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [19.14.0](https://github.com/mojaloop/central-ledger/compare/v19.13.2...v19.14.0) (2026-03-19)
+
+
+### Features
+
+* vendor the condition check from five-bells-condition into cryptoConditions ([#1264](https://github.com/mojaloop/central-ledger/issues/1264)) ([4d7c4d2](https://github.com/mojaloop/central-ledger/commit/4d7c4d27f5d24fc818c7663a966ca8bf8f855b65))
+
+
+### Bug Fixes
+
+* undefined fulfilment error not thrown ([#1281](https://github.com/mojaloop/central-ledger/issues/1281)) ([a9361d4](https://github.com/mojaloop/central-ledger/commit/a9361d4ee5d3fb44ca0cc0ceca893c0d2ff35b84))
+
+
+### Chore
+
+* **sbom:** update sbom [skip ci] ([21ce9d4](https://github.com/mojaloop/central-ledger/commit/21ce9d455e89568af3e6618b1528425afbbb7b2c))
+
+### [19.13.2](https://github.com/mojaloop/central-ledger/compare/v19.13.1...v19.13.2) (2026-02-27)
+
+
+### Chore
+
+* maintenance updates ([#1260](https://github.com/mojaloop/central-ledger/issues/1260)) ([464c50c](https://github.com/mojaloop/central-ledger/commit/464c50cda674ee63b23e94e2b9ff19ce4cd807f0))
+* **sbom:** update sbom [skip ci] ([2df7c77](https://github.com/mojaloop/central-ledger/commit/2df7c7731a9722d1ace56919ebbdef076ef1295c))
+
 ### [19.13.1](https://github.com/mojaloop/central-ledger/compare/v19.13.0...v19.13.1) (2026-02-26)
 
 

package/Dockerfile

@@ -1,5 +1,5 @@
 # Arguments
-ARG NODE_VERSION=22.21.1-alpine3.23
+ARG NODE_VERSION=22.22.0-alpine3.23
 
 # NOTE: Ensure you set NODE_VERSION Build Argument as follows...
 #

package/audit-ci.jsonc

@@ -1,11 +1,8 @@
 {
   "$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json",
   // audit-ci supports reading JSON, JSONC, and JSON5 config files.
-  // Only check production dependencies (devDependencies ignored)
-  "skip-dev": true,  
   // Only use one of ["low": true, "moderate": true, "high": true, "critical": true]
   "moderate": true,
-  "allowlist": [
-    "GHSA-3ppc-4f35-3m26"
+  "allowlist": [ // NOTE: Please add as much information as possible to any items added to the allowList
   ]
 }

package/config/default-settlement.json

@@ -0,0 +1,160 @@
+{
+  "PORT": 3007,
+  "HOSTNAME": "http://central-settlement",
+  "DATABASE": {
+    "DIALECT": "mysql",
+    "HOST": "localhost",
+    "PORT": 3306,
+    "USER": "central_ledger",
+    "PASSWORD": "password",
+    "SCHEMA": "central_ledger",
+    "POOL_MIN_SIZE": 10,
+    "POOL_MAX_SIZE": 10,
+    "ACQUIRE_TIMEOUT_MILLIS": 30000,
+    "CREATE_TIMEOUT_MILLIS": 30000,
+    "DESTROY_TIMEOUT_MILLIS": 5000,
+    "IDLE_TIMEOUT_MILLIS": 30000,
+    "REAP_INTERVAL_MILLIS": 1000,
+    "CREATE_RETRY_INTERVAL_MILLIS": 200,
+    "DEBUG": false
+  },
+  "WINDOW_AGGREGATION": {
+    "RETRY_COUNT": 3,
+    "RETRY_INTERVAL": 3000
+  },
+  "TRANSFER_VALIDITY_SECONDS": "432000",
+  "HUB_PARTICIPANT": {
+    "ID": 1,
+    "NAME": "Hub"
+  },
+  "HANDLERS": {
+    "DISABLED": false,
+    "API": {
+      "DISABLED": false
+    },
+    "SETTINGS": {
+      "RULES": {
+        "SCRIPTS_FOLDER": "./scripts/transferSettlementTemp",
+        "SCRIPT_TIMEOUT": 100,
+        "CONSUMER_COMMIT": true,
+        "FROM_SWITCH": true
+      }
+    }
+  },
+  "API_DOC_ENDPOINTS_ENABLED": true,
+  "SWITCH_ENDPOINT": "http://localhost:3001",
+  "AMOUNT": {
+    "PRECISION": 18,
+    "SCALE": 4
+  },
+  "KAFKA": {
+    "TOPIC_TEMPLATES": {
+      "GENERAL_TOPIC_TEMPLATE": {
+        "TEMPLATE": "topic-{{functionality}}-{{action}}",
+        "REGEX": "topic-(.*)-(.*)"
+      }
+    },
+    "CONSUMER": {
+      "DEFERREDSETTLEMENT": {
+        "CLOSE": {
+          "config": {
+            "options": {
+              "mode": 2,
+              "batchSize": 1,
+              "pollFrequency": 10,
+              "recursiveTimeout": 100,
+              "messageCharset": "utf8",
+              "messageAsJSON": true,
+              "sync": true,
+              "consumeTimeout": 1000
+            },
+            "rdkafkaConf": {
+              "client.id": "cs-con-deferredsettlement-close",
+              "group.id": "cs-group-deferredsettlement-close",
+              "metadata.broker.list": "localhost:9092",
+              "socket.keepalive.enable": true,
+              "allow.auto.create.topics": true
+            },
+            "topicConf": {
+              "auto.offset.reset": "earliest"
+            }
+          }
+        }
+      },
+      "NOTIFICATION": {
+        "EVENT": {
+          "config": {
+            "options": {
+              "mode": 2,
+              "batchSize": 1,
+              "pollFrequency": 10,
+              "recursiveTimeout": 100,
+              "messageCharset": "utf8",
+              "messageAsJSON": true,
+              "sync": true,
+              "consumeTimeout": 1000
+            },
+            "rdkafkaConf": {
+              "client.id": "cs-con-notification-event",
+              "group.id": "cs-group-notification-event",
+              "metadata.broker.list": "localhost:9092",
+              "socket.keepalive.enable": true,
+              "allow.auto.create.topics": true
+            },
+            "topicConf": {
+              "auto.offset.reset": "earliest"
+            }
+          }
+        }
+      }
+    },
+    "PRODUCER": {
+      "NOTIFICATION": {
+        "EVENT": {
+          "config": {
+            "options": {
+              "messageCharset": "utf8"
+            },
+            "rdkafkaConf": {
+              "debug": "all",
+              "metadata.broker.list": "localhost:9092",
+              "client.id": "cs-prod-notification-event",
+              "event_cb": true,
+              "compression.codec": "none",
+              "retry.backoff.ms": 100,
+              "message.send.max.retries": 2,
+              "socket.keepalive.enable": true,
+              "queue.buffering.max.messages": 10000000,
+              "batch.num.messages": 100,
+              "dr_cb": true,
+              "socket.blocking.max.ms": 1,
+              "queue.buffering.max.ms": 1,
+              "broker.version.fallback": "0.10.1.0",
+              "api.version.request": true
+            }
+          }
+        }
+      },
+      "DEFERREDSETTLEMENT": {
+        "CLOSE": {
+          "config": {
+            "options": {
+              "messageCharset": "utf8"
+            },
+            "rdkafkaConf": {
+              "metadata.broker.list": "localhost:9092",
+              "client.id": "cs-prod-deferredsettlement-close",
+              "event_cb": true,
+              "dr_cb": true,
+              "socket.keepalive.enable": true,
+              "queue.buffering.max.messages": 10000000
+            },
+            "topicConf": {
+              "request.required.acks": "all"
+            }
+          }
+        }
+      }
+    }
+  }
+}

package/docker/ml-api-adapter/default.json

@@ -7,6 +7,34 @@
   "HOSTNAME": "http://ml-api-adapter",
   "ENDPOINT_SOURCE_URL": "http://host.docker.internal:3001",
   "ENDPOINT_HEALTH_URL": "http://host.docker.internal:3001/health",
+  "PROXY_CACHE": {
+    "enabled": false,
+    "type": "redis-cluster",
+    "proxyConfig": {
+      "cluster": [
+        { "host": "redis-node-0", "port": 6379 }
+      ]
+    }
+  },
+  "PROTOCOL_VERSIONS": {
+    "CONTENT": {
+      "DEFAULT": "2.0",
+      "VALIDATELIST": ["1.0", "1.1", "2.0"]
+    },
+    "ACCEPT": {
+      "DEFAULT": "2",
+      "VALIDATELIST": ["1", "1.0", "1.1", "2", "2.0"]
+    }
+  },
+  "PAYLOAD_CACHE": {
+    "enabled": false,
+    "type": "redis-cluster",
+    "connectionConfig": {
+      "cluster": [
+        { "host": "localhost", "port": 6379 }
+      ]
+    }
+  },
   "ENDPOINT_CACHE_CONFIG": {
     "expiresIn": 180000,
     "generateTimeout": 30000

package/docker-compose.yml

@@ -73,6 +73,9 @@ services:
       - ./docker/wait-for:/opt/wait-for
     environment:
       - LOG_LEVEL=info
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+      - "simulator:host-gateway"
     networks:
       - cl-mojaloop-net
     depends_on:
@@ -272,6 +275,9 @@ services:
       replicas: 1
     ports:
       - "8444:8444"
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
+      - "simulator:host-gateway"
     environment:
       - LOG_LEVEL=info
       - TRANSFERS_ENDPOINT=http://host.docker.internal:3000

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mojaloop/central-ledger",
-  "version": "19.13.1",
+  "version": "19.14.0-snapshot.2",
   "description": "Central ledger hosted by a scheme to record and settle transfers",
   "license": "Apache-2.0",
   "author": "ModusBox",
@@ -44,14 +44,14 @@
     "lint": "npx standard",
     "lint:fix": "npx standard --fix",
     "test": "npm run test:unit:spec",
-    "test:unit": "tape 'test/unit/**/*.test.js'",
+    "test:unit": "tape 'test/unit/**/*.test.js' 'test/settlement/unit/**/*.test.js'",
     "test:unit:spec": "npm run test:unit | tap-spec",
     "test:unit:distLock": "npx tape 'test/unit/lib/distLock/**/*.test.js'",
     "test:unit:participants-routes": "npx tape test/unit/api/participants/routes.test.js",
     "test:xunit": "npm run test:unit | tap-xunit > ./test/results/xunit.xml",
-    "test:coverage": "npx nyc --reporter=lcov --reporter=text-summary tapes -- 'test/unit/**/**.test.js'",
+    "test:coverage": "npx nyc --reporter=lcov --reporter=text-summary tapes -- 'test/unit/**/**.test.js' 'test/settlement/unit/**/**.test.js'",
     "test:coverage-check": "npm run test:coverage && nyc check-coverage",
-    "test:int": "npx tape 'test/integration/**/*.test.js' ",
+    "test:int": "npx tape 'test/integration/**/*.test.js' 'test/settlement/integration/**/*.test.js' ",
     "test:int-override": "npx tape 'test/integration-override/**/*.test.js'",
     "test:int:spec": "npm run test:int | npx tap-spec",
     "test:xint": "npm run test:int | tee /dev/tty | tap-xunit > ./test/results/xunit-integration.xml",
@@ -87,37 +87,38 @@
     "@hapi/catbox": "12.1.1",
     "@hapi/catbox-memory": "6.0.2",
     "@hapi/good": "9.0.1",
-    "@hapi/hapi": "21.4.6",
+    "@hapi/hapi": "21.4.8",
     "@hapi/inert": "7.1.0",
     "@hapi/vision": "7.0.3",
     "@mojaloop/central-services-error-handling": "13.1.6",
     "@mojaloop/central-services-health": "15.2.2",
     "@mojaloop/central-services-logger": "11.10.4",
     "@mojaloop/central-services-metrics": "12.8.5",
-    "@mojaloop/central-services-shared": "18.35.6",
+    "@mojaloop/central-services-shared": "18.35.7",
     "@mojaloop/central-services-stream": "11.9.1",
     "@mojaloop/database-lib": "11.3.7",
     "@mojaloop/event-sdk": "14.8.3",
-    "@mojaloop/inter-scheme-proxy-cache-lib": "2.9.0",
+    "@mojaloop/inter-scheme-proxy-cache-lib": "2.10.0",
     "@mojaloop/ml-number": "11.4.3",
     "@mojaloop/object-store-lib": "12.2.3",
     "@now-ims/hapi-now-auth": "2.1.0",
     "ajv": "8.18.0",
     "ajv-keywords": "5.1.0",
     "base64url": "3.0.1",
+    "bignumber.js": "11.0.0",
     "blipp": "4.0.2",
     "commander": "14.0.3",
     "cron": "4.4.0",
     "decimal.js": "10.6.0",
     "docdash": "2.0.2",
     "event-stream": "4.0.1",
-    "five-bells-condition": "5.0.1",
     "hapi-auth-bearer-token": "8.0.0",
+    "hapi-openapi": "3.0.0",
     "hapi-swagger": "17.3.2",
     "ilp-packet": "2.2.0",
     "joi": "18.0.1",
-    "knex": "3.1.0",
-    "lodash": "4.17.23",
+    "knex": "3.2.9",
+    "lodash": "4.18.1",
     "moment": "2.30.1",
     "mongo-uri-builder": "^4.0.0",
     "parse-strings-in-object": "2.0.0",
@@ -128,45 +129,51 @@
     "mysql": "2.18.1"
   },
   "devDependencies": {
-    "@opentelemetry/api": "^1.9.0",
-    "@opentelemetry/auto-instrumentations-node": "^0.70.1",
+    "@hapi/joi": "17.1.1",
+    "@opentelemetry/api": "1.9.1",
+    "@opentelemetry/auto-instrumentations-node": "0.73.0",
     "@types/mock-knex": "0.4.8",
     "async-retry": "1.3.3",
     "audit-ci": "^7.1.0",
     "get-port": "5.1.1",
     "jsdoc": "4.0.5",
-    "jsonpath": "1.2.1",
+    "jsonpath": "1.3.0",
     "mock-knex": "0.4.13",
     "nodemon": "3.1.14",
-    "npm-check-updates": "19.6.0",
+    "npm-check-updates": "21.0.3",
     "nyc": "18.0.0",
     "pre-commit": "1.2.2",
     "proxyquire": "2.1.3",
     "replace": "^1.2.2",
+    "rewire": "^9.0.1",
     "sinon": "17.0.0",
     "standard": "17.1.2",
     "standard-version": "^9.5.0",
+    "swagmock": "1.0.0",
     "tap-spec": "^5.0.0",
     "tap-xunit": "2.4.1",
     "tape": "4.17.0",
     "tapes": "4.1.0"
   },
   "overrides": {
+    "protobufjs": "8.0.1",
+    "handlebars": "4.7.9",
     "ajv": "8.18.0",
     "eslint": {
-      "ajv": "6.12.6"
+      "ajv": "6.14.0"
     },
     "eslint@9.39.2": {
-      "ajv": "6.12.6"
+      "ajv": "6.14.0"
     },
     "@eslint/eslintrc": {
-      "ajv": "6.12.6"
+      "ajv": "6.14.0"
     },
-    "axios": "1.13.5",
-    "brace-expansion": "2.0.2",
-    "form-data": "4.0.4",
-    "lodash": "4.17.23",
-    "undici": "6.23.0",
+    "axios": "1.15.0",
+    "brace-expansion": "2.0.3",
+    "convict": "6.2.5",
+    "form-data": "4.0.5",
+    "lodash": "4.18.1",
+    "undici": "6.24.0",
     "shins": {
       "ajv": "8.18.0",
       "ejs": "3.1.10",
@@ -183,13 +190,24 @@
     "hapi-swagger": {
       "joi": "18.0.1"
     },
+    "immutable": "5.1.5",
     "jsonwebtoken": "9.0.0",
     "jsonpointer": "5.0.0",
     "on-headers": "1.1.0",
+    "path-to-regexp": "0.1.13",
     "trim": "0.0.3",
     "cross-spawn": "7.0.6",
+    "yaml": "1.10.3",
+    "validator": "13.15.22",
     "yargs-parser": "21.1.1",
-    "fast-xml-parser": "5.3.6"
+    "fast-xml-parser": "5.5.7",
+    "minimatch@<=3.1.3": "3.1.5",
+    "minimatch@5.1.7": "5.1.9",
+    "minimatch@9.0.6": "9.0.9",
+    "replace": {
+      "minimatch": "3.1.5"
+    },
+    "underscore": "1.13.8"
   },
   "config": {
     "knex": "--knexfile ./config/knexfile.js",