@mojaloop/central-services-shared 18.36.1 → 18.37.0

package/.circleci/config.yml

@@ -20,7 +20,7 @@ version: 2.1
 setup: true
 
 orbs:
-  build: mojaloop/build@1.1.15
+  build: mojaloop/build@2.0.0
 
 workflows:
   setup:

package/.grype.yaml

@@ -1,9 +1,7 @@
 scan-type: source
 disabled: false
 ignore:
-  - vulnerability: GHSA-rpr9-rxv7-x643
-    include-aliases: true
-    reason: "[05-16-2026][Critical][sanitize-html 2.12.1] No available fix. Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html"
+
 output:
   - table
   - json

package/.nvmrc

@@ -1 +1 @@
-22.22.2
+24.15.0

package/CHANGELOG.md

@@ -2,6 +2,13 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [18.37.0](https://github.com/mojaloop/central-services-shared/compare/v18.36.1...v18.37.0) (2026-06-12)
+
+
+### Features
+
+* make maxsocket configurable so it doesnt use infinite number of sockets ([#4482](https://github.com/mojaloop/central-services-shared/issues/4482)) ([#522](https://github.com/mojaloop/central-services-shared/issues/522)) ([46e9e16](https://github.com/mojaloop/central-services-shared/commit/46e9e16cef638824bd17b8adfe95da27a12fc3cf))
+
 ### [18.36.1](https://github.com/mojaloop/central-services-shared/compare/v18.36.0...v18.36.1) (2026-05-18)
 
 

package/README.md

@@ -7,6 +7,21 @@
 
 Shared code for central services
 
+## Configuration
+
+### Outbound HTTP agent
+
+The shared `sendRequest` helper (`src/util/request.js`) configures the default outbound `http.Agent` with a **bounded** connection pool to prevent outbound connection churn under sustained high load. The pool is configurable via the following environment variables:
+
+| Variable | Default | Description |
+| --- | --- | --- |
+| `HTTP_AGENT_KEEP_ALIVE` | `true` | Whether to keep sockets alive for reuse. Set to `false` to disable. |
+| `HTTP_AGENT_MAX_SOCKETS` | `512` | Maximum number of sockets per host. Bounds the pool so bursty concurrency queues requests instead of opening unbounded sockets (node's default is `Infinity`). |
+| `HTTP_AGENT_MAX_FREE_SOCKETS` | `512` | Maximum number of idle (free) sockets kept warm per host (node's default is `256`). |
+| `HTTP_AGENT_KEEP_ALIVE_MSECS` | `30000` | Initial delay (ms) for TCP Keep-Alive packets on kept-alive sockets. |
+
+Numeric values are parsed with `Number(...)` and fall back to the defaults above when unset or non-numeric.
+
 ## CI/CD
 
 This repository uses the [mojaloop/build](https://github.com/mojaloop/ci-config-orb-build) CircleCI orb for standardized CI/CD workflows, including automated Grype vulnerability scanning for source code security.

package/audit-ci.jsonc

@@ -4,10 +4,5 @@
   // Only use one of ["low": true, "moderate": true, "high": true, "critical": true]
   "moderate": true,
   "allowlist": [ // NOTE: Please add as much information as possible to any items added to the allowList
-    /** 
-      [05-16-2026] - No fix available for this vulnerability
-      Apostrophe has default XSS via `xmp` raw-text passthrough in `sanitize-html`
-    **/
-    "GHSA-rpr9-rxv7-x643"
   ]
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mojaloop/central-services-shared",
-  "version": "18.36.1",
+  "version": "18.37.0",
   "description": "Shared code for mojaloop central services",
   "license": "Apache-2.0",
   "author": "ModusBox",
@@ -32,7 +32,8 @@
     "lint",
     "test",
     "dep:check",
-    "audit:check"
+    "audit:check",
+    "license:check"
   ],
   "scripts": {
     "pretest": "npm run lint",
@@ -61,6 +62,7 @@
     "audit:check": "npx audit-ci --config ./audit-ci.jsonc",
     "dep:check": "npx ncu -e 2",
     "dep:update": "npx ncu -u",
+    "license:check": "npx @mojaloop/license-scanner-tool .",
     "release": "npx standard-version --no-verify --releaseCommitMessageFormat 'chore(release): {{currentTag}} [skip ci]'",
     "snapshot": "npx standard-version --no-verify --skip.changelog --prerelease snapshot --releaseCommitMessageFormat 'chore(snapshot): {{currentTag}}'"
   },
@@ -73,14 +75,14 @@
     "@opentelemetry/api": "1.9.1",
     "async-exit-hook": "2.0.1",
     "async-retry": "1.3.3",
-    "axios": "1.16.1",
+    "axios": "1.17.0",
     "clone": "2.1.2",
     "convict": "6.2.5",
     "dotenv": "17.4.2",
     "env-var": "7.5.0",
     "event-stream": "4.0.1",
     "fast-safe-stringify": "2.1.1",
-    "immutable": "5.1.5",
+    "immutable": "5.1.6",
     "ioredis": "5.6.1",
     "joi": "18.2.1",
     "lodash": "4.18.1",
@@ -100,7 +102,8 @@
     "@mojaloop/central-services-logger": "11.10.4",
     "@mojaloop/central-services-metrics": "12.8.5",
     "@mojaloop/event-sdk": "14.8.4",
-    "@opentelemetry/auto-instrumentations-node": "^0.76.0",
+    "@opentelemetry/auto-instrumentations-node": "^0.77.0",
+    "@mojaloop/license-scanner-tool": "^1.0.0",
     "@types/hapi__joi": "17.1.15",
     "ajv": "8.20.0",
     "ajv-formats": "^3.0.1",
@@ -108,7 +111,7 @@
     "audit-ci": "7.1.0",
     "base64url": "3.0.1",
     "chance": "1.1.13",
-    "npm-check-updates": "22.2.0",
+    "npm-check-updates": "22.2.3",
     "nyc": "18.0.0",
     "portfinder": "1.0.38",
     "pre-commit": "2.0.0",
@@ -120,23 +123,23 @@
     "standard-version": "9.5.0",
     "tap-spec": "5.0.0",
     "tap-xunit": "2.4.1",
-    "tape": "5.9.0",
+    "tape": "5.10.1",
     "tapes": "4.1.0"
   },
   "overrides": {
-    "axios": "1.16.1",
-    "qs": "6.14.2",
+    "@grpc/grpc-js": "1.14.4",
+    "axios": "1.17.0",
+    "qs": "6.15.2",
     "brace-expansion": "1.1.13",
     "form-data": "4.0.5",
     "convict": "6.2.5",
     "nanoid": "3.3.11",
-    "postcss": "8.5.10",
+    "protobufjs": "8.2.0",
     "shins": {
       "ejs": "3.1.10",
-      "sanitize-html": "2.12.1",
+      "sanitize-html": "2.17.5",
       "jsonpointer": "5.0.0",
-      "markdown-it": "12.3.2",
-      "postcss": "8.4.31"
+      "markdown-it": "12.3.2"
     },
     "widdershins": {
       "markdown-it": "12.3.2",
@@ -152,7 +155,7 @@
     "lodash": "4.18.1",
     "lodash-es": "4.18.1",
     "undici": "6.25.0",
-    "@hapi/content": "6.0.1",
+    "@hapi/content": "6.0.2",
     "replace": {
       "minimatch": "3.1.4"
     },

package/src/config.js

@@ -20,6 +20,30 @@ const config = convict({
     format: Number,
     default: 20000,
     env: 'SHARED_HTTP_REQUEST_TIMEOUT_MS'
+  },
+  httpAgentKeepAlive: {
+    doc: 'Enable HTTP keep-alive for the shared outbound http agent.',
+    format: Boolean,
+    default: true,
+    env: 'HTTP_AGENT_KEEP_ALIVE'
+  },
+  httpAgentMaxSockets: {
+    doc: 'Maximum number of sockets per host for the shared outbound http agent.',
+    format: Number,
+    default: 512,
+    env: 'HTTP_AGENT_MAX_SOCKETS'
+  },
+  httpAgentMaxFreeSockets: {
+    doc: 'Maximum number of idle sockets kept open for the shared outbound http agent.',
+    format: Number,
+    default: 512,
+    env: 'HTTP_AGENT_MAX_FREE_SOCKETS'
+  },
+  httpAgentKeepAliveMsecs: {
+    doc: 'Keep-alive interval in milliseconds for the shared outbound http agent.',
+    format: Number,
+    default: 30000,
+    env: 'HTTP_AGENT_KEEP_ALIVE_MSECS'
   }
 })
 

package/src/util/request.js

@@ -30,6 +30,7 @@
 'use strict'
 
 const http = require('node:http')
+const https = require('node:https')
 const request = require('axios')
 const stringify = require('fast-safe-stringify')
 const EventSdk = require('@mojaloop/event-sdk')
@@ -47,12 +48,24 @@ const MISSING_FUNCTION_PARAMETERS = 'Missing parameters for function'
 // By default it would insert `"Accept":"application/json, text/plain, */*"`.
 delete request.defaults.headers.common.Accept
 
-const keepAlive = (process.env.HTTP_AGENT_KEEP_ALIVE ?? 'true') === 'true'
+// http.Agent defaults to maxSockets: Infinity / maxFreeSockets: 256,
+// which churns sockets open/close under sustained load).
+const keepAlive = config.get('httpAgentKeepAlive')
+const maxSockets = config.get('httpAgentMaxSockets')
+const maxFreeSockets = config.get('httpAgentMaxFreeSockets')
+const keepAliveMsecs = config.get('httpAgentKeepAliveMsecs')
+
+const agentOpts = { keepAlive, maxSockets, maxFreeSockets, keepAliveMsecs }
 logger.verbose('http keepAlive:', { keepAlive })
+logger.verbose('http agent options:', agentOpts)
 
-// Enable keepalive for http
-request.defaults.httpAgent = new http.Agent({ keepAlive })
+// Enable keepalive with a bounded connection pool for both http and https outbound
+// requests, so https:// callback URLs get the same socket pooling as http:// ones
+// (axios otherwise falls back to a default https.Agent with maxSockets: Infinity).
+request.defaults.httpAgent = new http.Agent(agentOpts)
 request.defaults.httpAgent.toJSON = () => ({})
+request.defaults.httpsAgent = new https.Agent(agentOpts)
+request.defaults.httpsAgent.toJSON = () => ({})
 
 /**
  * @function sendRequest

package/test/unit/util/request.test.js

@@ -626,6 +626,64 @@ Test('ParticipantEndpoint Model Test', modelTest => {
       test.end()
     })
 
+    const configStub = (overrides = {}) => ({
+      '@noCallThru': true,
+      get: (key) => ({
+        httpAgentKeepAlive: true,
+        httpAgentMaxSockets: 512,
+        httpAgentMaxFreeSockets: 512,
+        httpAgentKeepAliveMsecs: 30000,
+        httpRequestTimeoutMs: 20000,
+        ...overrides
+      })[key]
+    })
+
+    getEndpointTest.test('create bounded http and https agents from the config defaults', async (test) => {
+      request = sandbox.stub().returns(Helper.getEndPointsResponse)
+      Model = proxyquire('../../../src/util/request', { axios: request, '../config': configStub() })
+
+      for (const [name, agent] of [['http', request.defaults.httpAgent], ['https', request.defaults.httpsAgent]]) {
+        test.equal(agent.maxSockets, 512, `${name} maxSockets defaults to 512 (not Infinity)`)
+        test.equal(agent.maxFreeSockets, 512, `${name} maxFreeSockets defaults to 512`)
+        test.equal(agent.keepAliveMsecs, 30000, `${name} keepAliveMsecs defaults to 30000`)
+        test.ok(agent.keepAlive, `${name} keepAlive is enabled by default`)
+      }
+
+      test.end()
+    })
+
+    getEndpointTest.test('honor config values for the http and https agent socket pools', async (test) => {
+      request = sandbox.stub().returns(Helper.getEndPointsResponse)
+      Model = proxyquire('../../../src/util/request', {
+        axios: request,
+        '../config': configStub({
+          httpAgentMaxSockets: 1000,
+          httpAgentMaxFreeSockets: 256,
+          httpAgentKeepAliveMsecs: 60000,
+          httpAgentKeepAlive: false
+        })
+      })
+
+      for (const [name, agent] of [['http', request.defaults.httpAgent], ['https', request.defaults.httpsAgent]]) {
+        test.equal(agent.maxSockets, 1000, `${name} maxSockets honors httpAgentMaxSockets`)
+        test.equal(agent.maxFreeSockets, 256, `${name} maxFreeSockets honors httpAgentMaxFreeSockets`)
+        test.equal(agent.keepAliveMsecs, 60000, `${name} keepAliveMsecs honors httpAgentKeepAliveMsecs`)
+        test.notOk(agent.keepAlive, `${name} keepAlive honors httpAgentKeepAlive`)
+      }
+
+      test.end()
+    })
+
+    getEndpointTest.test('redact both the http and https agents from serialized request options', async (test) => {
+      request = sandbox.stub().returns(Helper.getEndPointsResponse)
+      Model = proxyquire('../../../src/util/request', { axios: request, '../config': configStub() })
+
+      test.same(request.defaults.httpAgent.toJSON(), {}, 'httpAgent.toJSON() is redacted to {}')
+      test.same(request.defaults.httpsAgent.toJSON(), {}, 'httpsAgent.toJSON() is redacted to {}')
+
+      test.end()
+    })
+
     getEndpointTest.end()
   })