@mojaloop/central-services-shared 18.36.0 → 18.37.0

package/.circleci/config.yml

@@ -20,7 +20,7 @@ version: 2.1
 setup: true
 
 orbs:
-  build: mojaloop/build@1.1.15
+  build: mojaloop/build@2.0.0
 
 workflows:
   setup:

package/.grype.yaml

@@ -1,57 +1,7 @@
 scan-type: source
 disabled: false
 ignore:
-  - vulnerability: GHSA-2g4f-4pwh-qvx6
-    include-aliases: true
-    reason: "Unfixable npm transitive vulnerability: ajv ReDoS (moderate) as of 2026-02-19"
-  - vulnerability: GHSA-3ppc-4f35-3m26
-    include-aliases: true
-    reason: "Unfixable npm transitive vulnerability: minimatch ReDoS - fix requires v10 major version break as of 2026-02-19"
-  - vulnerability: GHSA-2w6w-674q-4c4q
-    include-aliases: true
-    reason: "Unfixable npm transitive vulnerability: handlebars (critical severity) as of 2026-04-07"
-  - vulnerability: GHSA-xjpj-3mr7-gcpf
-    include-aliases: true
-    reason: "Unfixable npm transitive vulnerability: handlebars (high severity) as of 2026-04-07"
-  - vulnerability: GHSA-3mfm-83xf-c92r
-    include-aliases: true
-    reason: "Unfixable npm transitive vulnerability: handlebars (high severity) as of 2026-04-07"
-  - vulnerability: GHSA-xhpv-hc6g-r9c6
-    include-aliases: true
-    reason: "Unfixable npm transitive vulnerability: handlebars (high severity) as of 2026-04-07"
-  - vulnerability: GHSA-25h7-pfq9-p65f
-    include-aliases: true
-    reason: "Unfixable npm transitive vulnerability: flatted (high severity) as of 2026-04-07"
-  - vulnerability: GHSA-9cx6-37pm-9jff
-    include-aliases: true
-    reason: "Unfixable npm transitive vulnerability: handlebars (high severity) as of 2026-04-07"
-  - vulnerability: GHSA-rf6f-7fwh-wjgh
-    include-aliases: true
-    reason: "Unfixable npm transitive vulnerability: flatted (high severity) as of 2026-04-07"
-  - vulnerability: GHSA-7rx3-28cr-v5wh
-    include-aliases: true
-    reason: "Unfixable npm transitive vulnerability: handlebars (moderate severity) as of 2026-04-07"
-  - vulnerability: GHSA-2qvq-rjwj-gvw9
-    include-aliases: true
-    reason: "Unfixable npm transitive vulnerability: handlebars (moderate severity) as of 2026-04-07"
-  - vulnerability: GHSA-442j-39wm-28r2
-    include-aliases: true
-    reason: "Unfixable npm transitive vulnerability: handlebars (low severity) as of 2026-04-07"
-  - vulnerability: GHSA-44fc-8fm5-q62h
-    include-aliases: true
-    reason: "Unfixable npm transitive vulnerability: unknown (unknown severity) as of 2026-04-07"
-  - vulnerability: GHSA-hf2r-9gf9-rwch
-    include-aliases: true
-    reason: "Unfixable npm transitive vulnerability: unknown (unknown severity) as of 2026-04-07"
-  - vulnerability: GHSA-48c2-rrv3-qjmp
-    include-aliases: true
-    reason: "Unfixable npm transitive vulnerability: unknown (unknown severity) as of 2026-04-07"
-  - vulnerability: GHSA-r4q5-vmmm-2653
-    include-aliases: true
-    reason: "Unfixable npm transitive vulnerability: follow-redirects (moderate severity) as of 2026-04-21"
-  - vulnerability: GHSA-xq3m-2v4x-88gg
-    include-aliases: true
-    reason: "Unfixable npm transitive vulnerability: @mojaloop/event-sdk>protobufjs (moderate severity) as of 2026-04-21"
+
 output:
   - table
   - json

package/.nvmrc

@@ -1 +1 @@
-22.22.2
+24.15.0

package/CHANGELOG.md

@@ -2,6 +2,20 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [18.37.0](https://github.com/mojaloop/central-services-shared/compare/v18.36.1...v18.37.0) (2026-06-12)
+
+
+### Features
+
+* make maxsocket configurable so it doesnt use infinite number of sockets ([#4482](https://github.com/mojaloop/central-services-shared/issues/4482)) ([#522](https://github.com/mojaloop/central-services-shared/issues/522)) ([46e9e16](https://github.com/mojaloop/central-services-shared/commit/46e9e16cef638824bd17b8adfe95da27a12fc3cf))
+
+### [18.36.1](https://github.com/mojaloop/central-services-shared/compare/v18.36.0...v18.36.1) (2026-05-18)
+
+
+### Bug Fixes
+
+* issue 4297 aligning tpp accounts request naming ([#521](https://github.com/mojaloop/central-services-shared/issues/521)) ([da0335d](https://github.com/mojaloop/central-services-shared/commit/da0335d46fabe5547ba622c9d9a3f446936827e0))
+
 ## [18.36.0](https://github.com/mojaloop/central-services-shared/compare/v18.35.7...v18.36.0) (2026-05-13)
 
 

package/README.md

@@ -7,6 +7,21 @@
 
 Shared code for central services
 
+## Configuration
+
+### Outbound HTTP agent
+
+The shared `sendRequest` helper (`src/util/request.js`) configures the default outbound `http.Agent` with a **bounded** connection pool to prevent outbound connection churn under sustained high load. The pool is configurable via the following environment variables:
+
+| Variable | Default | Description |
+| --- | --- | --- |
+| `HTTP_AGENT_KEEP_ALIVE` | `true` | Whether to keep sockets alive for reuse. Set to `false` to disable. |
+| `HTTP_AGENT_MAX_SOCKETS` | `512` | Maximum number of sockets per host. Bounds the pool so bursty concurrency queues requests instead of opening unbounded sockets (node's default is `Infinity`). |
+| `HTTP_AGENT_MAX_FREE_SOCKETS` | `512` | Maximum number of idle (free) sockets kept warm per host (node's default is `256`). |
+| `HTTP_AGENT_KEEP_ALIVE_MSECS` | `30000` | Initial delay (ms) for TCP Keep-Alive packets on kept-alive sockets. |
+
+Numeric values are parsed with `Number(...)` and fall back to the defaults above when unset or non-numeric.
+
 ## CI/CD
 
 This repository uses the [mojaloop/build](https://github.com/mojaloop/ci-config-orb-build) CircleCI orb for standardized CI/CD workflows, including automated Grype vulnerability scanning for source code security.

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mojaloop/central-services-shared",
-  "version": "18.36.0",
+  "version": "18.37.0",
   "description": "Shared code for mojaloop central services",
   "license": "Apache-2.0",
   "author": "ModusBox",
@@ -32,7 +32,8 @@
     "lint",
     "test",
     "dep:check",
-    "audit:check"
+    "audit:check",
+    "license:check"
   ],
   "scripts": {
     "pretest": "npm run lint",
@@ -61,6 +62,7 @@
     "audit:check": "npx audit-ci --config ./audit-ci.jsonc",
     "dep:check": "npx ncu -e 2",
     "dep:update": "npx ncu -u",
+    "license:check": "npx @mojaloop/license-scanner-tool .",
     "release": "npx standard-version --no-verify --releaseCommitMessageFormat 'chore(release): {{currentTag}} [skip ci]'",
     "snapshot": "npx standard-version --no-verify --skip.changelog --prerelease snapshot --releaseCommitMessageFormat 'chore(snapshot): {{currentTag}}'"
   },
@@ -73,19 +75,19 @@
     "@opentelemetry/api": "1.9.1",
     "async-exit-hook": "2.0.1",
     "async-retry": "1.3.3",
-    "axios": "1.16.1",
+    "axios": "1.17.0",
     "clone": "2.1.2",
     "convict": "6.2.5",
     "dotenv": "17.4.2",
     "env-var": "7.5.0",
     "event-stream": "4.0.1",
     "fast-safe-stringify": "2.1.1",
-    "immutable": "5.1.5",
+    "immutable": "5.1.6",
     "ioredis": "5.6.1",
     "joi": "18.2.1",
     "lodash": "4.18.1",
     "mustache": "4.2.0",
-    "openapi-backend": "5.16.1",
+    "openapi-backend": "5.17.0",
     "raw-body": "3.0.2",
     "rc": "1.2.8",
     "redlock": "5.0.0-beta.2",
@@ -100,7 +102,8 @@
     "@mojaloop/central-services-logger": "11.10.4",
     "@mojaloop/central-services-metrics": "12.8.5",
     "@mojaloop/event-sdk": "14.8.4",
-    "@opentelemetry/auto-instrumentations-node": "^0.76.0",
+    "@opentelemetry/auto-instrumentations-node": "^0.77.0",
+    "@mojaloop/license-scanner-tool": "^1.0.0",
     "@types/hapi__joi": "17.1.15",
     "ajv": "8.20.0",
     "ajv-formats": "^3.0.1",
@@ -108,7 +111,7 @@
     "audit-ci": "7.1.0",
     "base64url": "3.0.1",
     "chance": "1.1.13",
-    "npm-check-updates": "22.2.0",
+    "npm-check-updates": "22.2.3",
     "nyc": "18.0.0",
     "portfinder": "1.0.38",
     "pre-commit": "2.0.0",
@@ -120,23 +123,23 @@
     "standard-version": "9.5.0",
     "tap-spec": "5.0.0",
     "tap-xunit": "2.4.1",
-    "tape": "5.9.0",
+    "tape": "5.10.1",
     "tapes": "4.1.0"
   },
   "overrides": {
-    "axios": "1.16.1",
-    "qs": "6.14.2",
+    "@grpc/grpc-js": "1.14.4",
+    "axios": "1.17.0",
+    "qs": "6.15.2",
     "brace-expansion": "1.1.13",
     "form-data": "4.0.5",
     "convict": "6.2.5",
     "nanoid": "3.3.11",
-    "postcss": "8.5.10",
+    "protobufjs": "8.2.0",
     "shins": {
       "ejs": "3.1.10",
-      "sanitize-html": "2.12.1",
+      "sanitize-html": "2.17.5",
       "jsonpointer": "5.0.0",
-      "markdown-it": "12.3.2",
-      "postcss": "8.4.31"
+      "markdown-it": "12.3.2"
     },
     "widdershins": {
       "markdown-it": "12.3.2",
@@ -152,7 +155,7 @@
     "lodash": "4.18.1",
     "lodash-es": "4.18.1",
     "undici": "6.25.0",
-    "@hapi/content": "6.0.1",
+    "@hapi/content": "6.0.2",
     "replace": {
       "minimatch": "3.1.4"
     },

package/src/config.js

@@ -20,6 +20,30 @@ const config = convict({
     format: Number,
     default: 20000,
     env: 'SHARED_HTTP_REQUEST_TIMEOUT_MS'
+  },
+  httpAgentKeepAlive: {
+    doc: 'Enable HTTP keep-alive for the shared outbound http agent.',
+    format: Boolean,
+    default: true,
+    env: 'HTTP_AGENT_KEEP_ALIVE'
+  },
+  httpAgentMaxSockets: {
+    doc: 'Maximum number of sockets per host for the shared outbound http agent.',
+    format: Number,
+    default: 512,
+    env: 'HTTP_AGENT_MAX_SOCKETS'
+  },
+  httpAgentMaxFreeSockets: {
+    doc: 'Maximum number of idle sockets kept open for the shared outbound http agent.',
+    format: Number,
+    default: 512,
+    env: 'HTTP_AGENT_MAX_FREE_SOCKETS'
+  },
+  httpAgentKeepAliveMsecs: {
+    doc: 'Keep-alive interval in milliseconds for the shared outbound http agent.',
+    format: Number,
+    default: 30000,
+    env: 'HTTP_AGENT_KEEP_ALIVE_MSECS'
   }
 })
 

package/src/enums/endpoints.js

@@ -102,10 +102,10 @@ const FspEndpointTypes = {
   TP_CB_URL_SERVICES_GET: 'TP_CB_URL_SERVICES_GET',
   TP_CB_URL_SERVICES_PUT: 'TP_CB_URL_SERVICES_PUT',
   TP_CB_URL_SERVICES_PUT_ERROR: 'TP_CB_URL_SERVICES_PUT_ERROR',
-  TPP_CB_URL_ACCOUNT_REQUEST_POST: 'TPP_CB_URL_ACCOUNT_REQUEST_POST',
-  TPP_CB_URL_ACCOUNT_REQUEST_PUT: 'TPP_CB_URL_ACCOUNT_REQUEST_PUT',
-  TPP_CB_URL_ACCOUNT_REQUEST_PUT_ERROR: 'TPP_CB_URL_ACCOUNT_REQUEST_PUT_ERROR',
-  TPP_CB_URL_ACCOUNT_REQUEST_GET: 'TPP_CB_URL_ACCOUNT_REQUEST_GET',
+  TPP_CB_URL_ACCOUNTS_REQUEST_POST: 'TPP_CB_URL_ACCOUNTS_REQUEST_POST',
+  TPP_CB_URL_ACCOUNTS_REQUEST_PUT: 'TPP_CB_URL_ACCOUNTS_REQUEST_PUT',
+  TPP_CB_URL_ACCOUNTS_REQUEST_PUT_ERROR: 'TPP_CB_URL_ACCOUNTS_REQUEST_PUT_ERROR',
+  TPP_CB_URL_ACCOUNTS_REQUEST_GET: 'TPP_CB_URL_ACCOUNTS_REQUEST_GET',
   TPP_CB_URL_ACCOUNTS_GET: 'TPP_CB_URL_ACCOUNTS_GET',
   TPP_CB_URL_ACCOUNTS_PUT: 'TPP_CB_URL_ACCOUNTS_PUT',
   TPP_CB_URL_CONSENT_REQUEST_POST: 'TPP_CB_URL_CONSENT_REQUEST_POST',
@@ -180,10 +180,10 @@ const FspEndpointTemplates = {
   TP_SERVICES_GET: '/services/{{ServiceType}}',
   TP_SERVICES_PUT: '/services/{{ServiceType}}',
   TP_SERVICES_PUT_ERROR: '/services/{{ServiceType}}/error',
-  TPP_ACCOUNT_REQUEST_POST: '/tppAccountRequest',
-  TPP_ACCOUNT_REQUEST_PUT: '/tppAccountRequest/{{ID}}',
-  TPP_ACCOUNT_REQUEST_PUT_ERROR: '/tppAccountRequest/{{ID}}/error',
-  TPP_ACCOUNT_REQUEST_GET: '/tppAccountRequest/{{ID}}',
+  TPP_ACCOUNTS_REQUEST_POST: '/tppAccountsRequest',
+  TPP_ACCOUNTS_REQUEST_PUT: '/tppAccountsRequest/{{ID}}',
+  TPP_ACCOUNTS_REQUEST_PUT_ERROR: '/tppAccountsRequest/{{ID}}/error',
+  TPP_ACCOUNTS_REQUEST_GET: '/tppAccountsRequest/{{ID}}',
   TPP_ACCOUNTS_GET: '/tppAccounts/{{ID}}/{{SignedChallenge}}',
   TPP_ACCOUNTS_PUT: '/tppAccounts/{{ID}}',
   TPP_ACCOUNTS_PUT_ERROR: '/tppAccounts/{{ID}}/error',

package/src/index.d.ts

@@ -115,10 +115,10 @@ declare namespace CentralServicesShared {
     TP_CB_URL_SERVICES_GET = 'TP_CB_URL_SERVICES_GET',
     TP_CB_URL_SERVICES_PUT = 'TP_CB_URL_SERVICES_PUT',
     TP_CB_URL_SERVICES_PUT_ERROR = 'TP_CB_URL_SERVICES_PUT_ERROR',
-    TP_CB_URL_ACCOUNT_REQUEST_POST = 'TP_CB_URL_ACCOUNT_REQUEST_POST',
-    TP_CB_URL_ACCOUNT_REQUEST_PUT = 'TP_CB_URL_ACCOUNT_REQUEST_PUT',
-    TP_CB_URL_ACCOUNT_REQUEST_PUT_ERROR = 'TP_CB_URL_ACCOUNT_REQUEST_PUT_ERROR',
-    TP_CB_URL_ACCOUNT_REQUEST_GET = 'TP_CB_URL_ACCOUNT_REQUEST_GET',
+    TP_CB_URL_ACCOUNTS_REQUEST_POST = 'TP_CB_URL_ACCOUNTS_REQUEST_POST',
+    TP_CB_URL_ACCOUNTS_REQUEST_PUT = 'TP_CB_URL_ACCOUNTS_REQUEST_PUT',
+    TP_CB_URL_ACCOUNTS_REQUEST_PUT_ERROR = 'TP_CB_URL_ACCOUNTS_REQUEST_PUT_ERROR',
+    TP_CB_URL_ACCOUNTS_REQUEST_GET = 'TP_CB_URL_ACCOUNTS_REQUEST_GET',
   }
   interface EndPointsEnum {
     EndpointType: {
@@ -191,10 +191,10 @@ declare namespace CentralServicesShared {
       TP_CB_URL_SERVICES_GET: FspEndpointTypesEnum.TP_CB_URL_SERVICES_GET;
       TP_CB_URL_SERVICES_PUT: FspEndpointTypesEnum.TP_CB_URL_SERVICES_PUT;
       TP_CB_URL_SERVICES_PUT_ERROR: FspEndpointTypesEnum.TP_CB_URL_SERVICES_PUT_ERROR;
-      TP_CB_URL_ACCOUNT_REQUEST_POST: FspEndpointTypesEnum.TP_CB_URL_ACCOUNT_REQUEST_POST;
-      TP_CB_URL_ACCOUNT_REQUEST_PUT: FspEndpointTypesEnum.TP_CB_URL_ACCOUNT_REQUEST_PUT;
-      TP_CB_URL_ACCOUNT_REQUEST_PUT_ERROR: FspEndpointTypesEnum.TP_CB_URL_ACCOUNT_REQUEST_PUT_ERROR;
-      TP_CB_URL_ACCOUNT_REQUEST_GET: FspEndpointTypesEnum.TP_CB_URL_ACCOUNT_REQUEST_GET;
+      TP_CB_URL_ACCOUNTS_REQUEST_POST: FspEndpointTypesEnum.TP_CB_URL_ACCOUNTS_REQUEST_POST;
+      TP_CB_URL_ACCOUNTS_REQUEST_PUT: FspEndpointTypesEnum.TP_CB_URL_ACCOUNTS_REQUEST_PUT;
+      TP_CB_URL_ACCOUNTS_REQUEST_PUT_ERROR: FspEndpointTypesEnum.TP_CB_URL_ACCOUNTS_REQUEST_PUT_ERROR;
+      TP_CB_URL_ACCOUNTS_REQUEST_GET: FspEndpointTypesEnum.TP_CB_URL_ACCOUNTS_REQUEST_GET;
     };
     FspEndpointTemplates: {
       TRANSACTION_REQUEST_POST: string;

package/src/util/request.js

@@ -30,6 +30,7 @@
 'use strict'
 
 const http = require('node:http')
+const https = require('node:https')
 const request = require('axios')
 const stringify = require('fast-safe-stringify')
 const EventSdk = require('@mojaloop/event-sdk')
@@ -47,12 +48,24 @@ const MISSING_FUNCTION_PARAMETERS = 'Missing parameters for function'
 // By default it would insert `"Accept":"application/json, text/plain, */*"`.
 delete request.defaults.headers.common.Accept
 
-const keepAlive = (process.env.HTTP_AGENT_KEEP_ALIVE ?? 'true') === 'true'
+// http.Agent defaults to maxSockets: Infinity / maxFreeSockets: 256,
+// which churns sockets open/close under sustained load).
+const keepAlive = config.get('httpAgentKeepAlive')
+const maxSockets = config.get('httpAgentMaxSockets')
+const maxFreeSockets = config.get('httpAgentMaxFreeSockets')
+const keepAliveMsecs = config.get('httpAgentKeepAliveMsecs')
+
+const agentOpts = { keepAlive, maxSockets, maxFreeSockets, keepAliveMsecs }
 logger.verbose('http keepAlive:', { keepAlive })
+logger.verbose('http agent options:', agentOpts)
 
-// Enable keepalive for http
-request.defaults.httpAgent = new http.Agent({ keepAlive })
+// Enable keepalive with a bounded connection pool for both http and https outbound
+// requests, so https:// callback URLs get the same socket pooling as http:// ones
+// (axios otherwise falls back to a default https.Agent with maxSockets: Infinity).
+request.defaults.httpAgent = new http.Agent(agentOpts)
 request.defaults.httpAgent.toJSON = () => ({})
+request.defaults.httpsAgent = new https.Agent(agentOpts)
+request.defaults.httpsAgent.toJSON = () => ({})
 
 /**
  * @function sendRequest

package/test/unit/util/request.test.js

@@ -626,6 +626,64 @@ Test('ParticipantEndpoint Model Test', modelTest => {
       test.end()
     })
 
+    const configStub = (overrides = {}) => ({
+      '@noCallThru': true,
+      get: (key) => ({
+        httpAgentKeepAlive: true,
+        httpAgentMaxSockets: 512,
+        httpAgentMaxFreeSockets: 512,
+        httpAgentKeepAliveMsecs: 30000,
+        httpRequestTimeoutMs: 20000,
+        ...overrides
+      })[key]
+    })
+
+    getEndpointTest.test('create bounded http and https agents from the config defaults', async (test) => {
+      request = sandbox.stub().returns(Helper.getEndPointsResponse)
+      Model = proxyquire('../../../src/util/request', { axios: request, '../config': configStub() })
+
+      for (const [name, agent] of [['http', request.defaults.httpAgent], ['https', request.defaults.httpsAgent]]) {
+        test.equal(agent.maxSockets, 512, `${name} maxSockets defaults to 512 (not Infinity)`)
+        test.equal(agent.maxFreeSockets, 512, `${name} maxFreeSockets defaults to 512`)
+        test.equal(agent.keepAliveMsecs, 30000, `${name} keepAliveMsecs defaults to 30000`)
+        test.ok(agent.keepAlive, `${name} keepAlive is enabled by default`)
+      }
+
+      test.end()
+    })
+
+    getEndpointTest.test('honor config values for the http and https agent socket pools', async (test) => {
+      request = sandbox.stub().returns(Helper.getEndPointsResponse)
+      Model = proxyquire('../../../src/util/request', {
+        axios: request,
+        '../config': configStub({
+          httpAgentMaxSockets: 1000,
+          httpAgentMaxFreeSockets: 256,
+          httpAgentKeepAliveMsecs: 60000,
+          httpAgentKeepAlive: false
+        })
+      })
+
+      for (const [name, agent] of [['http', request.defaults.httpAgent], ['https', request.defaults.httpsAgent]]) {
+        test.equal(agent.maxSockets, 1000, `${name} maxSockets honors httpAgentMaxSockets`)
+        test.equal(agent.maxFreeSockets, 256, `${name} maxFreeSockets honors httpAgentMaxFreeSockets`)
+        test.equal(agent.keepAliveMsecs, 60000, `${name} keepAliveMsecs honors httpAgentKeepAliveMsecs`)
+        test.notOk(agent.keepAlive, `${name} keepAlive honors httpAgentKeepAlive`)
+      }
+
+      test.end()
+    })
+
+    getEndpointTest.test('redact both the http and https agents from serialized request options', async (test) => {
+      request = sandbox.stub().returns(Helper.getEndPointsResponse)
+      Model = proxyquire('../../../src/util/request', { axios: request, '../config': configStub() })
+
+      test.same(request.defaults.httpAgent.toJSON(), {}, 'httpAgent.toJSON() is redacted to {}')
+      test.same(request.defaults.httpsAgent.toJSON(), {}, 'httpsAgent.toJSON() is redacted to {}')
+
+      test.end()
+    })
+
     getEndpointTest.end()
   })