@mojaloop/central-services-shared 18.35.6 → 18.35.7

package/.grype.yaml

@@ -7,6 +7,45 @@ ignore:
   - vulnerability: GHSA-3ppc-4f35-3m26
     include-aliases: true
     reason: "Unfixable npm transitive vulnerability: minimatch ReDoS - fix requires v10 major version break as of 2026-02-19"
+  - vulnerability: GHSA-2w6w-674q-4c4q
+    include-aliases: true
+    reason: "Unfixable npm transitive vulnerability: handlebars (critical severity) as of 2026-04-07"
+  - vulnerability: GHSA-xjpj-3mr7-gcpf
+    include-aliases: true
+    reason: "Unfixable npm transitive vulnerability: handlebars (high severity) as of 2026-04-07"
+  - vulnerability: GHSA-3mfm-83xf-c92r
+    include-aliases: true
+    reason: "Unfixable npm transitive vulnerability: handlebars (high severity) as of 2026-04-07"
+  - vulnerability: GHSA-xhpv-hc6g-r9c6
+    include-aliases: true
+    reason: "Unfixable npm transitive vulnerability: handlebars (high severity) as of 2026-04-07"
+  - vulnerability: GHSA-25h7-pfq9-p65f
+    include-aliases: true
+    reason: "Unfixable npm transitive vulnerability: flatted (high severity) as of 2026-04-07"
+  - vulnerability: GHSA-9cx6-37pm-9jff
+    include-aliases: true
+    reason: "Unfixable npm transitive vulnerability: handlebars (high severity) as of 2026-04-07"
+  - vulnerability: GHSA-rf6f-7fwh-wjgh
+    include-aliases: true
+    reason: "Unfixable npm transitive vulnerability: flatted (high severity) as of 2026-04-07"
+  - vulnerability: GHSA-7rx3-28cr-v5wh
+    include-aliases: true
+    reason: "Unfixable npm transitive vulnerability: handlebars (moderate severity) as of 2026-04-07"
+  - vulnerability: GHSA-2qvq-rjwj-gvw9
+    include-aliases: true
+    reason: "Unfixable npm transitive vulnerability: handlebars (moderate severity) as of 2026-04-07"
+  - vulnerability: GHSA-442j-39wm-28r2
+    include-aliases: true
+    reason: "Unfixable npm transitive vulnerability: handlebars (low severity) as of 2026-04-07"
+  - vulnerability: GHSA-44fc-8fm5-q62h
+    include-aliases: true
+    reason: "Unfixable npm transitive vulnerability: unknown (unknown severity) as of 2026-04-07"
+  - vulnerability: GHSA-hf2r-9gf9-rwch
+    include-aliases: true
+    reason: "Unfixable npm transitive vulnerability: unknown (unknown severity) as of 2026-04-07"
+  - vulnerability: GHSA-48c2-rrv3-qjmp
+    include-aliases: true
+    reason: "Unfixable npm transitive vulnerability: unknown (unknown severity) as of 2026-04-07"
 output:
   - table
   - json

package/.nvmrc

@@ -1 +1 @@
-22.22.0
+22.22.2

package/CHANGELOG.md

@@ -2,6 +2,13 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+### [18.35.7](https://github.com/mojaloop/central-services-shared/compare/v18.35.6...v18.35.7) (2026-04-07)
+
+
+### Bug Fixes
+
+* require Accept header for initiating methods per FSPIOP spec ([#516](https://github.com/mojaloop/central-services-shared/issues/516)) ([4d29c23](https://github.com/mojaloop/central-services-shared/commit/4d29c23464ceaf31961991fa82d6ac986d47e4d4)), closes [mojaloop/project#4183](https://github.com/mojaloop/project/issues/4183)
+
 ### [18.35.6](https://github.com/mojaloop/central-services-shared/compare/v18.35.5...v18.35.6) (2026-02-26)
 
 

package/audit-ci.jsonc

@@ -5,6 +5,19 @@
   "moderate": true,
   "allowlist": [ // NOTE: Please add as much information as possible to any items added to the allowList
     "GHSA-2g4f-4pwh-qvx6",
-    "GHSA-3ppc-4f35-3m26" // minimatch ReDoS - fix requires v10 (major version break), unfixable via override
+    "GHSA-3ppc-4f35-3m26",
+    "GHSA-2w6w-674q-4c4q",
+    "GHSA-xjpj-3mr7-gcpf",
+    "GHSA-3mfm-83xf-c92r",
+    "GHSA-xhpv-hc6g-r9c6",
+    "GHSA-25h7-pfq9-p65f",
+    "GHSA-9cx6-37pm-9jff",
+    "GHSA-rf6f-7fwh-wjgh",
+    "GHSA-7rx3-28cr-v5wh",
+    "GHSA-2qvq-rjwj-gvw9",
+    "GHSA-442j-39wm-28r2",
+    "GHSA-44fc-8fm5-q62h",
+    "GHSA-hf2r-9gf9-rwch",
+    "GHSA-48c2-rrv3-qjmp"
   ]
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mojaloop/central-services-shared",
-  "version": "18.35.6",
+  "version": "18.35.7",
   "description": "Shared code for mojaloop central services",
   "license": "Apache-2.0",
   "author": "ModusBox",
@@ -67,23 +67,23 @@
   "dependencies": {
     "@hapi/catbox": "12.1.1",
     "@hapi/catbox-memory": "5.0.1",
-    "@hapi/hapi": "21.4.6",
+    "@hapi/hapi": "21.4.8",
     "@hapi/joi-date": "2.0.1",
-    "@mojaloop/inter-scheme-proxy-cache-lib": "2.9.0",
-    "@opentelemetry/api": "1.9.0",
+    "@mojaloop/inter-scheme-proxy-cache-lib": "2.10.0",
+    "@opentelemetry/api": "1.9.1",
     "async-exit-hook": "2.0.1",
     "async-retry": "1.3.3",
-    "axios": "1.13.5",
+    "axios": "1.14.0",
     "clone": "2.1.2",
-    "convict": "^6.2.4",
-    "dotenv": "17.3.1",
+    "convict": "6.2.5",
+    "dotenv": "17.4.1",
     "env-var": "7.5.0",
     "event-stream": "4.0.1",
     "fast-safe-stringify": "2.1.1",
-    "immutable": "5.1.4",
+    "immutable": "5.1.5",
     "ioredis": "5.6.1",
-    "joi": "18.0.2",
-    "lodash": "4.17.23",
+    "joi": "18.1.2",
+    "lodash": "4.18.1",
     "mustache": "4.2.0",
     "openapi-backend": "5.16.1",
     "raw-body": "3.0.2",
@@ -93,14 +93,14 @@
     "ulidx": "2.4.1",
     "uuid4": "2.0.3",
     "widdershins": "4.0.1",
-    "yaml": "2.8.2"
+    "yaml": "2.8.3"
   },
   "devDependencies": {
     "@mojaloop/central-services-error-handling": "13.1.6",
     "@mojaloop/central-services-logger": "11.10.4",
     "@mojaloop/central-services-metrics": "12.8.5",
     "@mojaloop/event-sdk": "14.8.3",
-    "@opentelemetry/auto-instrumentations-node": "^0.70.1",
+    "@opentelemetry/auto-instrumentations-node": "^0.72.0",
     "@types/hapi__joi": "17.1.15",
     "ajv": "8.18.0",
     "ajv-formats": "^3.0.1",
@@ -108,14 +108,14 @@
     "audit-ci": "7.1.0",
     "base64url": "3.0.1",
     "chance": "1.1.13",
-    "npm-check-updates": "19.5.0",
+    "npm-check-updates": "20.0.0",
     "nyc": "18.0.0",
     "portfinder": "1.0.38",
     "pre-commit": "1.2.2",
     "proxyquire": "2.1.3",
     "replace": "1.2.2",
     "rewire": "9.0.1",
-    "sinon": "21.0.1",
+    "sinon": "21.0.3",
     "standard": "17.1.2",
     "standard-version": "9.5.0",
     "tap-spec": "5.0.0",
@@ -124,9 +124,9 @@
     "tapes": "4.1.0"
   },
   "overrides": {
-    "axios": "1.13.5",
+    "axios": "1.14.0",
     "qs": "6.14.2",
-    "brace-expansion": "2.0.2",
+    "brace-expansion": "1.1.13",
     "form-data": "4.0.5",
     "nanoid": "5.1.5",
     "postcss": {
@@ -144,15 +144,21 @@
       "swagger2openapi": "7.0.8"
     },
     "markdown-it": "12.3.2",
-    "fast-xml-parser": "5.3.6",
+    "fast-xml-parser": "5.5.10",
     "trim": "0.0.3",
     "cross-spawn": "7.0.6",
     "yargs-parser": "21.1.1",
     "jws": "3.2.3",
     "validator": "13.15.22",
-    "lodash": "4.17.23",
-    "lodash-es": "4.17.23",
-    "undici": "7.18.2"
+    "lodash": "4.18.1",
+    "lodash-es": "4.18.1",
+    "undici": "7.24.7",
+    "@hapi/content": "6.0.1",
+    "replace": {
+      "minimatch": "3.1.4"
+    },
+    "path-to-regexp": "0.1.13",
+    "picomatch": "2.3.2"
   },
   "peerDependencies": {
     "@mojaloop/central-services-error-handling": "13.x.x",

package/src/util/hapi/plugins/headerValidation.js

@@ -81,9 +81,10 @@ const plugin = {
 
       if (needProxySourceValidation) validateProxySourceHeaders(request.headers)
 
-      // Always validate the accept header for a get request, or optionally if it has been
-      // supplied
-      if (request.method.toLowerCase() === 'get' || request.headers.accept) {
+      // Require accept header for request-initiating methods (GET, POST, DELETE)
+      // per FSPIOP API spec. PUT/PATCH callbacks do not require Accept.
+      const methodRequiresAccept = ['get', 'post', 'delete'].includes(request.method.toLowerCase())
+      if (methodRequiresAccept || request.headers.accept) {
         if (request.headers.accept === undefined) {
           throw createFSPIOPError(Enums.FSPIOPErrorCodes.MISSING_ELEMENT, errorMessages.REQUIRE_ACCEPT_HEADER)
         }

package/test/unit/util/hapi/plugins/headerValidation.test.js

@@ -151,7 +151,8 @@ Test('headerValidation plugin test', async (pluginTest) => {
     t.end()
   })
 
-  pluginTest.test('accept validation is not performed on post, put requests without an accept header', async t => {
+  pluginTest.test('accept validation is performed on post requests without an accept header', async t => {
+    const fspiopCode = ErrorHandling.Enums.FSPIOPErrorCodes.MISSING_ELEMENT
     const opts = {
       url: `/${resource}`,
       headers: {
@@ -159,11 +160,25 @@ Test('headerValidation plugin test', async (pluginTest) => {
         date: new Date().toUTCString()
       }
     }
-    await Promise.all(['post', 'put'].map(async method => {
-      const res = await server.inject({ ...opts, method })
-      t.is(res.payload, '')
-      t.is(res.statusCode, 202)
-    }))
+    const res = await server.inject({ ...opts, method: 'post' })
+    t.is(res.statusCode, fspiopCode.httpStatusCode)
+    const payload = JSON.parse(res.payload)
+    t.is(payload.apiErrorCode.code, fspiopCode.code)
+    t.is(payload.message, errorMessages.REQUIRE_ACCEPT_HEADER)
+    t.end()
+  })
+
+  pluginTest.test('accept validation is not required for put requests without an accept header', async t => {
+    const opts = {
+      url: `/${resource}`,
+      headers: {
+        'content-type': generateContentTypeHeader(resource, 1),
+        date: new Date().toUTCString()
+      }
+    }
+    const res = await server.inject({ ...opts, method: 'put' })
+    t.is(res.payload, '')
+    t.is(res.statusCode, 202)
     t.end()
   })