ml-testing-toolkit 18.16.6 → 18.17.0-snapshot.2

package/.grype.yaml

@@ -1,13 +1,20 @@
 ignore:
-  # Ignore cross-spawn vulnerabilities by CVE ID due to false positive
-  # as grype looks at package-lock.json where it shows versions with
-  # vulnerabilities, npm ls shows only 7.0.6 verion is used
-  - vulnerability: CVE-2025-9230
-  - vulnerability: CVE-2025-9232
-  - vulnerability: CVE-2025-9231
-  - vulnerability: GHSA-3xgq-45jj-v275
-  - vulnerability: GHSA-5j98-mcp5-4vw2 # false positive report for glob 10.4.5, not found in package-lock.json
-  - vulnerability: CVE-2025-60876 # busybox and ssl_client from node 22.15.1 alpine image
+  # Remove this ignore after verifying CI builds fresh image
+  - vulnerability: GHSA-5j98-mcp5-4vw2
+    include-aliases: true
+  - vulnerability: CVE-2025-60876
+    reason: "No fixes available as of 2026-01-14 on Dockerfile base image 22.21.1-alpine3.23"
+  - vulnerability: CVE-2026-22184
+    reason: "No fixes available as of 2026-01-16 on Dockerfile base image 22.21.1-alpine3.23"
+  - vulnerability: CVE-2026-28309
+  - vulnerability: CVE-2025-59465
+  - vulnerability: CVE-2025-55131
+  - vulnerability: GHSA-r6q2-hw4h-h46w
+  - vulnerability: GHSA-8qq5-rm4j-mr97
+  - vulnerability: CVE-2025-55130
+  - vulnerability: CVE-2026-21637
+  - vulnerability: CVE-2025-59466
+  - vulnerability: GHSA-xxjr-mmjv-4gpg
 
 # Set output format defaults
 output:

package/.nvmrc

@@ -1 +1 @@
-22.15.1
+22.21.1

package/audit-ci.jsonc

@@ -4,6 +4,6 @@
   // Only use one of ["low": true, "moderate": true, "high": true, "critical": true]
   "moderate": true,
   "allowlist": [
-
+    "GHSA-xxjr-mmjv-4gpg"
   ]
 }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "ml-testing-toolkit",
   "description": "Testing Toolkit for Mojaloop implementations",
-  "version": "18.16.6",
+  "version": "18.17.0-snapshot.2",
   "license": "Apache-2.0",
   "author": "Vijaya Kumar Guthi, ModusBox Inc. ",
   "contributors": [
@@ -78,10 +78,10 @@
     "@hapi/hapi": "21.4.4",
     "@hapi/inert": "7.1.0",
     "@hapi/vision": "7.0.3",
-    "@mojaloop/central-services-logger": "11.10.2",
+    "@mojaloop/central-services-logger": "11.10.3",
     "@mojaloop/central-services-metrics": "12.8.3",
     "@mojaloop/ml-schema-transformer-lib": "2.7.13",
-    "@mojaloop/ml-testing-toolkit-shared-lib": "14.3.1",
+    "@mojaloop/ml-testing-toolkit-shared-lib": "14.3.2",
     "@mojaloop/sdk-standard-components": "19.18.4",
     "@now-ims/hapi-now-auth": "2.1.0",
     "@types/socket.io": "3.0.2",
@@ -93,7 +93,7 @@
     "connection-string": "^5.0.0",
     "cookie-parser": "1.4.7",
     "cookies": "0.9.1",
-    "cors": "2.8.5",
+    "cors": "2.8.6",
     "dotenv": "17.2.3",
     "express": "5.2.1",
     "express-validator": "7.3.1",
@@ -107,8 +107,8 @@
     "json-refs": "3.0.15",
     "json-rules-engine": "7.3.1",
     "jsonwebtoken": "9.0.3",
-    "lodash": "4.17.21",
-    "mongoose": "9.1.2",
+    "lodash": "4.17.23",
+    "mongoose": "9.1.5",
     "multer": "2.0.2",
     "mustache": "4.2.0",
     "mv": "2.1.1",

package/src/lib/db/adapters/dbAdapter.js

@@ -48,10 +48,7 @@ const getConnection = async () => {
     }
 
     // TLS/SSL support
-    const mongoOptions = {
-      useNewUrlParser: true,
-      useUnifiedTopology: true
-    }
+    const mongoOptions = {}
 
     if (systemConfig.DB.SSL_ENABLED) {
       mongoOptions.tls = true

package/src/lib/mocking/middleware-functions/ilpModel.js

@@ -140,8 +140,24 @@ const handleTransferIlp = (context, response) => {
       response.body.TxInfAndSts.ExctnConf = generatedFulfilment
     }
   }
+
   if (context.request.method === 'get' && response.method === 'put' && pathMatch.test(response.path)) {
-    delete response.body.fulfilment
+    const transferId = response.path.match(pathMatch)[1]
+    const storedTransfer = context.storedTransfers?.[transferId]
+
+    // Check if stored request exists and is within 30 seconds
+    if (storedTransfer) {
+      if (storedTransfer.request.ilpPacket) {
+        const generatedFulfilment = ilpObj.calculateFulfil(storedTransfer.request.ilpPacket).replace('"', '')
+        response.body.fulfilment = generatedFulfilment
+      } else if (storedTransfer.request.CdtTrfTxInf?.VrfctnOfTerms?.IlpV4PrepPacket) {
+        const generatedFulfilment = ilpV4Obj.calculateFulfil(storedTransfer.request.CdtTrfTxInf.VrfctnOfTerms.IlpV4PrepPacket).replace('"', '')
+        response.body.TxInfAndSts.ExctnConf = generatedFulfilment
+      }
+      delete context.storedTransfers[transferId]
+    } else {
+      delete response.body.fulfilment
+    }
   }
 }
 

package/src/lib/mocking/openApiMockHandler.js

@@ -318,6 +318,23 @@ const generateAsyncCallback = async (item, context, req) => {
       return
     }
   } else {
+    // Store transfers early - right after validation
+    const transferPathMatch = /\/transfers\/([^/]+)$/
+    const fxTransferPathMatch = /\/fxTransfers\/([^/]+)$/
+    if (req.method === 'post' && (transferPathMatch.test(req.path) || fxTransferPathMatch.test(req.path))) {
+      if (!context.storedTransfers) {
+        context.storedTransfers = {}
+      }
+      const isFxTransfer = fxTransferPathMatch.test(req.path)
+      const transferId = req.path.match(isFxTransfer ? fxTransferPathMatch : transferPathMatch)[1]
+      customLogger.logMessage('debug', 'Storing transfer for validation', { additionalData: { transferId }, request: req })
+
+      context.storedTransfers[transferId] = {
+        request: req.payload,
+        type: isFxTransfer ? 'fxTransfer' : 'transfer'
+      }
+    }
+
     // Getting callback info from callback map file
     try {
       const cbMapRawdata = await utils.readFileAsync(item.callbackMapFile)