Merge pull request #30 from mojaloop/chore/deps-security-20260225

chore: fix TS build, security updates, and CI config

Author: gibaros

.circleci/config.yml

@@ -1,7 +1,7 @@
 version: 2.1
 setup: true
 orbs:
-  build: mojaloop/build@1.1.10
+  build: mojaloop/build@1.1.16
 workflows:
   setup:
     jobs:

.grype.yaml

@@ -1,22 +1,59 @@
-# Set to true to disable the Grype image scan completely
-disabled: false
-
+scan-type: source
 ignore:
-  - vulnerability: GHSA-5j98-mcp5-4vw2
-    reason: "No fixes to glob npm available as of 2026-01-14 on Dockerfile base image 22.21.1-alpine3.23"
   - vulnerability: CVE-2025-60876
-    reason: "No fixes to busybox apk available as of 2026-01-14 on Dockerfile base image 22.21.1-alpine3.23"
-  - vulnerability: CVE-2026-22184
-    reason: "No fixes to zlib apk available as of 2026-01-14 on Dockerfile base image 22.21.1-alpine3.23"
-
-
-# Set output format defaults
+    include-aliases: true
+    reason: "Alpine base image package (apk): busybox - no npm fix available as of 2026-02-25 (moderate severity)"
+  - vulnerability: GHSA-3ppc-4f35-3m26
+    include-aliases: true
+    reason: >-
+      Base image npm package: minimatch - bundled in Node.js base image, not fixable via application dependencies as of
+      2026-02-25 (high severity)
+  - vulnerability: GHSA-83g3-92jg-28cx
+    include-aliases: true
+    reason: >-
+      Base image npm package: tar - bundled in Node.js base image, not fixable via application dependencies as of
+      2026-02-25 (high severity)
+  - vulnerability: GHSA-34x7-hfp2-rc4v
+    include-aliases: true
+    reason: >-
+      Base image npm package: tar - bundled in Node.js base image, not fixable via application dependencies as of
+      2026-02-25 (high severity)
+  - vulnerability: GHSA-73rr-hh4g-fpgx
+    include-aliases: true
+    reason: >-
+      Base image npm package: diff - bundled in Node.js base image, not fixable via application dependencies as of
+      2026-02-25 (low severity)
+  - vulnerability: GHSA-r6q2-hw4h-h46w
+    include-aliases: true
+    reason: >-
+      Base image npm package: tar - bundled in Node.js base image, not fixable via application dependencies as of
+      2026-02-25 (high severity)
+  - vulnerability: GHSA-8qq5-rm4j-mr97
+    include-aliases: true
+    reason: >-
+      Base image npm package: tar - bundled in Node.js base image, not fixable via application dependencies as of
+      2026-02-25 (high severity)
+  - vulnerability: CVE-2026-27171
+    include-aliases: true
+    reason: "Alpine base image package (apk): zlib - no npm fix available as of 2026-02-25 (moderate severity)"
+  - vulnerability: GHSA-2g4f-4pwh-qvx6
+    include-aliases: true
+    reason: "Unfixable npm transitive vulnerability: ajv (moderate severity) as of 2026-02-25"
+  - vulnerability: GHSA-xxjr-mmjv-4gpg
+    include-aliases: true
+    reason: "Unfixable npm transitive vulnerability: lodash-es (moderate severity) as of 2026-02-25"
+  - vulnerability: GHSA-6rw7-vpxm-498p
+    include-aliases: true
+    reason: "Unfixable npm transitive vulnerability: qs (high severity) as of 2026-02-25"
+  - vulnerability: GHSA-5j98-mcp5-4vw2
+    include-aliases: true
+    reason: >-
+      Base image npm package: glob - bundled in Node.js base image npm, not fixable via application dependencies as of
+      2026-02-25 (high severity)
 output:
-  - "table"
-  - "json"
-
-# Modify your CircleCI job to check critical count
+  - table
+  - json
 search:
-  scope: "squashed"
+  scope: squashed
 quiet: false
 check-for-app-update: false

.nvmrc

@@ -1 +1 @@
-22.21.1
+22.22.0

Dockerfile

@@ -1,4 +1,4 @@
-ARG NODE_VERSION=22.21.1-alpine3.23
+ARG NODE_VERSION=22.22.0-alpine3.23
 # NOTE: Ensure you set NODE_VERSION Build Argument as follows...
 #
 #  export NODE_VERSION="$(cat .nvmrc)-alpine" \

audit-ci.jsonc

@@ -4,19 +4,7 @@
   // Only use one of ["low": true, "moderate": true, "high": true, "critical": true]
   "moderate": true,
   "allowlist": [ // NOTE: Please add as much information as possible to any items added to the allowList
-    "GHSA-282f-qqgm-c34q", // https://github.com/advisories/GHSA-282f-qqgm-c34q
-    "GHSA-3xgq-45jj-v275", // https://github.com/advisories/GHSA-3xgq-45jj-v275
-    "GHSA-6vfc-qv3f-vr6c", // https://github.com/advisories/GHSA-6vfc-qv3f-vr6c
-    "GHSA-7fh5-64p2-3v2j", // https://github.com/advisories/GHSA-7fh5-64p2-3v2j
-    "GHSA-c2qf-rxjj-qqgw", // https://github.com/advisories/GHSA-c2qf-rxjj-qqgw
-    "GHSA-cgfm-xwp7-2cvr", // https://github.com/advisories/GHSA-cgfm-xwp7-2cvr
-    "GHSA-ghr5-ch3p-vcr6", // https://github.com/advisories/GHSA-ghr5-ch3p-vcr6
-    "GHSA-mjxr-4v3x-q3m4", // https://github.com/advisories/GHSA-mjxr-4v3x-q3m4
-    "GHSA-p9pc-299p-vxgp", // https://github.com/advisories/GHSA-p9pc-299p-vxgp
-    "GHSA-phwq-j96m-2c2q", // https://github.com/advisories/GHSA-phwq-j96m-2c2q
-    "GHSA-rjqq-98f6-6j3r", // https://github.com/advisories/GHSA-rjqq-98f6-6j3r
-    "GHSA-rm97-x556-q36h", // https://github.com/advisories/GHSA-rm97-x556-q36h
-    "GHSA-v88g-cgmw-v5xw", // https://github.com/advisories/GHSA-v88g-cgmw-v5xw
-    "GHSA-968p-4wvh-cqc8" // https://github.com/advisories/GHSA-968p-4wvh-cqc8
+    "GHSA-2g4f-4pwh-qvx6", // ajv ReDoS - no fix available in 8.x line, unfixable via override
+    "GHSA-xxjr-mmjv-4gpg" // lodash-es prototype pollution - transitive via ts-auto-mock in @mojaloop/api-snippets
   ]
 }