@mojaloop/central-services-shared 18.35.5 → 18.35.7

package/.grype.yaml

@@ -7,6 +7,45 @@ ignore:
   - vulnerability: GHSA-3ppc-4f35-3m26
     include-aliases: true
     reason: "Unfixable npm transitive vulnerability: minimatch ReDoS - fix requires v10 major version break as of 2026-02-19"
+  - vulnerability: GHSA-2w6w-674q-4c4q
+    include-aliases: true
+    reason: "Unfixable npm transitive vulnerability: handlebars (critical severity) as of 2026-04-07"
+  - vulnerability: GHSA-xjpj-3mr7-gcpf
+    include-aliases: true
+    reason: "Unfixable npm transitive vulnerability: handlebars (high severity) as of 2026-04-07"
+  - vulnerability: GHSA-3mfm-83xf-c92r
+    include-aliases: true
+    reason: "Unfixable npm transitive vulnerability: handlebars (high severity) as of 2026-04-07"
+  - vulnerability: GHSA-xhpv-hc6g-r9c6
+    include-aliases: true
+    reason: "Unfixable npm transitive vulnerability: handlebars (high severity) as of 2026-04-07"
+  - vulnerability: GHSA-25h7-pfq9-p65f
+    include-aliases: true
+    reason: "Unfixable npm transitive vulnerability: flatted (high severity) as of 2026-04-07"
+  - vulnerability: GHSA-9cx6-37pm-9jff
+    include-aliases: true
+    reason: "Unfixable npm transitive vulnerability: handlebars (high severity) as of 2026-04-07"
+  - vulnerability: GHSA-rf6f-7fwh-wjgh
+    include-aliases: true
+    reason: "Unfixable npm transitive vulnerability: flatted (high severity) as of 2026-04-07"
+  - vulnerability: GHSA-7rx3-28cr-v5wh
+    include-aliases: true
+    reason: "Unfixable npm transitive vulnerability: handlebars (moderate severity) as of 2026-04-07"
+  - vulnerability: GHSA-2qvq-rjwj-gvw9
+    include-aliases: true
+    reason: "Unfixable npm transitive vulnerability: handlebars (moderate severity) as of 2026-04-07"
+  - vulnerability: GHSA-442j-39wm-28r2
+    include-aliases: true
+    reason: "Unfixable npm transitive vulnerability: handlebars (low severity) as of 2026-04-07"
+  - vulnerability: GHSA-44fc-8fm5-q62h
+    include-aliases: true
+    reason: "Unfixable npm transitive vulnerability: unknown (unknown severity) as of 2026-04-07"
+  - vulnerability: GHSA-hf2r-9gf9-rwch
+    include-aliases: true
+    reason: "Unfixable npm transitive vulnerability: unknown (unknown severity) as of 2026-04-07"
+  - vulnerability: GHSA-48c2-rrv3-qjmp
+    include-aliases: true
+    reason: "Unfixable npm transitive vulnerability: unknown (unknown severity) as of 2026-04-07"
 output:
   - table
   - json

package/.nvmrc

@@ -1 +1 @@
-22.22.0
+22.22.2

package/CHANGELOG.md

@@ -2,6 +2,20 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+### [18.35.7](https://github.com/mojaloop/central-services-shared/compare/v18.35.6...v18.35.7) (2026-04-07)
+
+
+### Bug Fixes
+
+* require Accept header for initiating methods per FSPIOP spec ([#516](https://github.com/mojaloop/central-services-shared/issues/516)) ([4d29c23](https://github.com/mojaloop/central-services-shared/commit/4d29c23464ceaf31961991fa82d6ac986d47e4d4)), closes [mojaloop/project#4183](https://github.com/mojaloop/project/issues/4183)
+
+### [18.35.6](https://github.com/mojaloop/central-services-shared/compare/v18.35.5...v18.35.6) (2026-02-26)
+
+
+### Chore
+
+* rm circular dependency on sdk-standard-components ([#510](https://github.com/mojaloop/central-services-shared/issues/510)) ([7346920](https://github.com/mojaloop/central-services-shared/commit/7346920e3c3e0996aeebfd7cce4e24ac54d59313))
+
 ### [18.35.5](https://github.com/mojaloop/central-services-shared/compare/v18.35.4...v18.35.5) (2026-02-20)
 
 

package/audit-ci.jsonc

@@ -5,6 +5,19 @@
   "moderate": true,
   "allowlist": [ // NOTE: Please add as much information as possible to any items added to the allowList
     "GHSA-2g4f-4pwh-qvx6",
-    "GHSA-3ppc-4f35-3m26" // minimatch ReDoS - fix requires v10 (major version break), unfixable via override
+    "GHSA-3ppc-4f35-3m26",
+    "GHSA-2w6w-674q-4c4q",
+    "GHSA-xjpj-3mr7-gcpf",
+    "GHSA-3mfm-83xf-c92r",
+    "GHSA-xhpv-hc6g-r9c6",
+    "GHSA-25h7-pfq9-p65f",
+    "GHSA-9cx6-37pm-9jff",
+    "GHSA-rf6f-7fwh-wjgh",
+    "GHSA-7rx3-28cr-v5wh",
+    "GHSA-2qvq-rjwj-gvw9",
+    "GHSA-442j-39wm-28r2",
+    "GHSA-44fc-8fm5-q62h",
+    "GHSA-hf2r-9gf9-rwch",
+    "GHSA-48c2-rrv3-qjmp"
   ]
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mojaloop/central-services-shared",
-  "version": "18.35.5",
+  "version": "18.35.7",
   "description": "Shared code for mojaloop central services",
   "license": "Apache-2.0",
   "author": "ModusBox",
@@ -67,25 +67,25 @@
   "dependencies": {
     "@hapi/catbox": "12.1.1",
     "@hapi/catbox-memory": "5.0.1",
-    "@hapi/hapi": "21.4.6",
+    "@hapi/hapi": "21.4.8",
     "@hapi/joi-date": "2.0.1",
-    "@mojaloop/inter-scheme-proxy-cache-lib": "2.9.0",
-    "@opentelemetry/api": "1.9.0",
+    "@mojaloop/inter-scheme-proxy-cache-lib": "2.10.0",
+    "@opentelemetry/api": "1.9.1",
     "async-exit-hook": "2.0.1",
     "async-retry": "1.3.3",
-    "axios": "1.13.5",
+    "axios": "1.14.0",
     "clone": "2.1.2",
-    "convict": "^6.2.4",
-    "dotenv": "17.3.1",
+    "convict": "6.2.5",
+    "dotenv": "17.4.1",
     "env-var": "7.5.0",
     "event-stream": "4.0.1",
     "fast-safe-stringify": "2.1.1",
-    "immutable": "5.1.4",
+    "immutable": "5.1.5",
     "ioredis": "5.6.1",
-    "joi": "18.0.2",
-    "lodash": "4.17.23",
+    "joi": "18.1.2",
+    "lodash": "4.18.1",
     "mustache": "4.2.0",
-    "openapi-backend": "5.15.0",
+    "openapi-backend": "5.16.1",
     "raw-body": "3.0.2",
     "rc": "1.2.8",
     "redlock": "5.0.0-beta.2",
@@ -93,15 +93,14 @@
     "ulidx": "2.4.1",
     "uuid4": "2.0.3",
     "widdershins": "4.0.1",
-    "yaml": "2.8.2"
+    "yaml": "2.8.3"
   },
   "devDependencies": {
     "@mojaloop/central-services-error-handling": "13.1.6",
     "@mojaloop/central-services-logger": "11.10.4",
     "@mojaloop/central-services-metrics": "12.8.5",
     "@mojaloop/event-sdk": "14.8.3",
-    "@mojaloop/sdk-standard-components": "19.18.7",
-    "@opentelemetry/auto-instrumentations-node": "^0.70.0",
+    "@opentelemetry/auto-instrumentations-node": "^0.72.0",
     "@types/hapi__joi": "17.1.15",
     "ajv": "8.18.0",
     "ajv-formats": "^3.0.1",
@@ -109,14 +108,14 @@
     "audit-ci": "7.1.0",
     "base64url": "3.0.1",
     "chance": "1.1.13",
-    "npm-check-updates": "19.4.1",
-    "nyc": "17.1.0",
+    "npm-check-updates": "20.0.0",
+    "nyc": "18.0.0",
     "portfinder": "1.0.38",
     "pre-commit": "1.2.2",
     "proxyquire": "2.1.3",
     "replace": "1.2.2",
     "rewire": "9.0.1",
-    "sinon": "21.0.1",
+    "sinon": "21.0.3",
     "standard": "17.1.2",
     "standard-version": "9.5.0",
     "tap-spec": "5.0.0",
@@ -125,9 +124,9 @@
     "tapes": "4.1.0"
   },
   "overrides": {
-    "axios": "1.13.5",
+    "axios": "1.14.0",
     "qs": "6.14.2",
-    "brace-expansion": "2.0.2",
+    "brace-expansion": "1.1.13",
     "form-data": "4.0.5",
     "nanoid": "5.1.5",
     "postcss": {
@@ -145,15 +144,21 @@
       "swagger2openapi": "7.0.8"
     },
     "markdown-it": "12.3.2",
-    "fast-xml-parser": "5.3.6",
+    "fast-xml-parser": "5.5.10",
     "trim": "0.0.3",
     "cross-spawn": "7.0.6",
     "yargs-parser": "21.1.1",
     "jws": "3.2.3",
     "validator": "13.15.22",
-    "lodash": "4.17.23",
-    "lodash-es": "4.17.23",
-    "undici": "7.18.2"
+    "lodash": "4.18.1",
+    "lodash-es": "4.18.1",
+    "undici": "7.24.7",
+    "@hapi/content": "6.0.1",
+    "replace": {
+      "minimatch": "3.1.4"
+    },
+    "path-to-regexp": "0.1.13",
+    "picomatch": "2.3.2"
   },
   "peerDependencies": {
     "@mojaloop/central-services-error-handling": "13.x.x",

package/src/util/hapi/plugins/headerValidation.js

@@ -81,9 +81,10 @@ const plugin = {
 
       if (needProxySourceValidation) validateProxySourceHeaders(request.headers)
 
-      // Always validate the accept header for a get request, or optionally if it has been
-      // supplied
-      if (request.method.toLowerCase() === 'get' || request.headers.accept) {
+      // Require accept header for request-initiating methods (GET, POST, DELETE)
+      // per FSPIOP API spec. PUT/PATCH callbacks do not require Accept.
+      const methodRequiresAccept = ['get', 'post', 'delete'].includes(request.method.toLowerCase())
+      if (methodRequiresAccept || request.headers.accept) {
         if (request.headers.accept === undefined) {
           throw createFSPIOPError(Enums.FSPIOPErrorCodes.MISSING_ELEMENT, errorMessages.REQUIRE_ACCEPT_HEADER)
         }

package/test/unit/util/hapi/plugins/headerValidation.test.js

@@ -151,7 +151,8 @@ Test('headerValidation plugin test', async (pluginTest) => {
     t.end()
   })
 
-  pluginTest.test('accept validation is not performed on post, put requests without an accept header', async t => {
+  pluginTest.test('accept validation is performed on post requests without an accept header', async t => {
+    const fspiopCode = ErrorHandling.Enums.FSPIOPErrorCodes.MISSING_ELEMENT
     const opts = {
       url: `/${resource}`,
       headers: {
@@ -159,11 +160,25 @@ Test('headerValidation plugin test', async (pluginTest) => {
         date: new Date().toUTCString()
       }
     }
-    await Promise.all(['post', 'put'].map(async method => {
-      const res = await server.inject({ ...opts, method })
-      t.is(res.payload, '')
-      t.is(res.statusCode, 202)
-    }))
+    const res = await server.inject({ ...opts, method: 'post' })
+    t.is(res.statusCode, fspiopCode.httpStatusCode)
+    const payload = JSON.parse(res.payload)
+    t.is(payload.apiErrorCode.code, fspiopCode.code)
+    t.is(payload.message, errorMessages.REQUIRE_ACCEPT_HEADER)
+    t.end()
+  })
+
+  pluginTest.test('accept validation is not required for put requests without an accept header', async t => {
+    const opts = {
+      url: `/${resource}`,
+      headers: {
+        'content-type': generateContentTypeHeader(resource, 1),
+        date: new Date().toUTCString()
+      }
+    }
+    const res = await server.inject({ ...opts, method: 'put' })
+    t.is(res.payload, '')
+    t.is(res.statusCode, 202)
     t.end()
   })
 

package/test/unit/util/request.test.js

@@ -10,35 +10,6 @@ const Enum = require('../../../src/enums')
 const Helper = require('../../util/helper')
 const Metrics = require('@mojaloop/central-services-metrics')
 const Uuid = require('uuid4')
-const JwsSigner = require('@mojaloop/sdk-standard-components').Jws.signer
-
-const signingKey = `-----BEGIN RSA PRIVATE KEY-----
-MIIEowIBAAKCAQEA0eJEh3Op5p6x137lRkAsvmEBbd32dbRChrCUItZbtxjf/qfB
-yD5k8Hn4n4vbqzP8XSGS0f6KmNC+iRaP74HVgzAqc4Uid4J8dtSBq3VmucYQYzLc
-101QjuvD+SKmZwlw/q0PtulmqlASI2SbMfwcAraMi6ab7v5W4EGNeIPLEIo3BXsQ
-DTCWqiZb7aXkHkcY7sOjAzK/2bNGYFmAthdYrHzvCkqnJ7LAHX3Oj7rJea5MqtuN
-B9POZYaD10n9JuYWdwPqLrw6/hVgPSFEy+ulrVbXf54ZH0dfMThAYRvFrT81yulk
-H95JhXWGdi6cTp6t8LVOKFhnNfxjWw0Jayj9xwIDAQABAoIBADB2u/Y/CgNbr5sg
-DRccqHhJdAgHkep59kadrYch0knEL6zg1clERxCUSYmlxNKSjXp/zyQ4T46b3PNQ
-x2m5pDDHxXWpT10jP1Q9G7gYwuCw0IXnb8EzdB+cZ0M28g+myXW1RoSo/nDjTlzn
-1UJEgb9Kocd5cFZOWocr+9vRKumlZULMsA8yiNwlAfJHcMBM7acsa3myCqVhLyWt
-4BQylVuLFa+A6QzpMXEwFCq8EOXf07gl1XVzC6LJ1fTa9gVM3N+YE+oEXKrsHCxG
-/ACgKsjepL27QjJ7qvecWPP0F2LxEZYOm5tbXaKJTobzQUJHgUokanZMhjYprDsZ
-zumLw9kCgYEA/DUWcnLeImlfq/EYdhejkl3J+WX3vhS23OqVgY1amu7CZzaai6vt
-H0TRc8Zsbi4jgmFDU8PFzytP6qz6Tgom4R736z6oBi7bjnGyN17/NSbf+DaRVcM6
-vnZr7jNC2FJlECmIN+dkwUA/YCr2SA7hxZXM9mIYSc+6+glDiIO5Cf0CgYEA1Qo/
-uQbVHhW+Cp8H0kdMuhwUbkBquRrxRZlXS1Vrf3f9me9JLUy9UPWb3y3sKVurG5+O
-SIlr4hDcZyXdE198MtDMhBIGqU9ORSjppJDNDVvtt+n2FD4XmWIU70vKBJBivX0+
-Bow6yduis+p12fuvpvpnKCz8UjOgOQJhLZ4GQBMCgYBP6gpozVjxkm4ML2LO2IKt
-+CXtbo/nnOysZ3BkEoQpH4pd5gFmTF3gUJAFnVPyPZBm2abZvejJ0jGKbLELVVAo
-eQWZdssK2oIbSo9r2CAJmX3SSogWorvUafWdDoUZwlHfoylUfW+BhHgQYsyS3JRR
-ZTwCveZwTPA0FgdeFE7niQKBgQCHaD8+ZFhbCejDqXb4MXdUJ3rY5Lqwsq491YwF
-huKPn32iNNQnJcqCxclv3iln1Cr6oLx34Fig1KSyLv/IS32OcuY635Y6UPznumxe
-u+aJIjADIILXNOwdAplZy6s4oWkRFaSx1rmbCa3tew2zImTv1eJxR76MpOGmupt3
-uiQw3wKBgFjBT/aVKdBeHeP1rIHHldQV5QQxZNkc6D3qn/oAFcwpj9vcGfRjQWjO
-ARzXM2vUWEet4OVn3DXyOdaWFR1ppehz7rAWBiPgsMg4fjAusYb9Mft1GMxMzuwT
-Oyqsp6pzAWFrCD3JAoTLxClV+j5m+SXZ/ItD6ziGpl/h7DyayrFZ
------END RSA PRIVATE KEY-----`
 
 Test('ParticipantEndpoint Model Test', modelTest => {
   let sandbox
@@ -483,10 +454,9 @@ Test('ParticipantEndpoint Model Test', modelTest => {
         method: 'post',
         headers: Helper.defaultHeaders(fsp, Enum.Http.HeaderResources.PARTICIPANTS, payeefsp)
       }
-      const jwsSigner = new JwsSigner({
-        logger: null,
-        signingKey
-      })
+      const jwsSigner = {
+        getSignature: () => 'mock-jws-signature'
+      }
       request = sandbox.stub().returns({ status: 200 })
       Model = proxyquire('../../../src/util/request', { axios: request })
       const signSpy = Sinon.spy(jwsSigner, 'getSignature')
@@ -517,10 +487,9 @@ Test('ParticipantEndpoint Model Test', modelTest => {
         method: 'post',
         headers: Helper.defaultHeaders(fsp, Enum.Http.HeaderResources.PARTICIPANTS, payeefsp)
       }
-      const jwsSigner = new JwsSigner({
-        logger: null,
-        signingKey
-      })
+      const jwsSigner = {
+        getSignature: () => 'mock-jws-signature'
+      }
       request = sandbox.stub().returns({ status: 200 })
       Model = proxyquire('../../../src/util/request', { axios: request })
       const signSpy = Sinon.spy(jwsSigner, 'getSignature')