chore(mojaloop/#3458): nodejs upgrade (#244)

chore(mojaloop/#3458): NodeJS version upgrade - mojaloop/project#3458
- Upgraded nodejs from v16 to v18 LTS
- Applied CI changes as previously implemented in [sdk-scheme-adapter](mojaloop/sdk-scheme-adapter#453)
- Updated NPM dependencies
- Resolved all audit issues
- Migrated `master` branch to `main` branch

.ncurc.yaml

@@ -1,17 +1,4 @@
 ## Add a TODO comment indicating the reason for each rejected dependency upgrade added to this list, and what should be done to resolve it (i.e. handle it through a story, etc).
 reject: [
-  # TODO: Upgrading ws is causing some incompatibility issues connecting to sdk-scheme-adapter ws server and causing some test failures
-  "ws",
-  # TODO: Upgrading axios is breaking lot of unit tests. It might be because of breaking changes in axios.
-  "axios",
-  # TODO: Upgrading jest is causing test failures
-  "jest",
-  # Upgrading `npm-check-updates` introduces rimraf>glob as a dependency that is under the BlueOak-1.0.0 licensing
-  # which is still being investigated if it aligns with Mojaloop's policies.
-  # An override is also in place for npm-check-updates>rimraf in package.json.
-  # If you have trouble with package-lock.json not containing the override
-  # delete BOTH node_modules/ and package-lock.json. Might be due to
-  # https://github.com/npm/cli/issues/4232
-  # This is a temporary fix until Mojaloop decides on Blue Oak licensing.
-  "npm-check-updates",
 ]
+

.nvmrc

@@ -1 +1 @@
-16.15.0
+18.17.1

.versionrc.js

@@ -0,0 +1,16 @@
+module.exports = {
+  header: '# Changelog: [mojaloop/thirdparty-api-svc](https://github.com/mojaloop/thirdparty-api-svc)',
+  types: [
+    {"type": "feat", "section": "Features"},
+    {"type": "fix", "section": "Bug Fixes"},
+    {"type": "docs", "section": "Documentation"},
+    {"type": "style", "section": "Styling"},
+    {"type": "refactor", "section": "Refactors"},
+    {"type": "perf", "section": "Performance"},
+    {"type": "test", "section": "Tests"},
+    {"type": "build", "section": "Build System"},
+    {"type": "ci", "section": "CI"},
+    {"type": "chore", "section": "Chore"},
+    {"type": "revert", "section": "Reverts"}
+  ]
+}

Dockerfile

@@ -1,11 +1,22 @@
-FROM node:16.15.0-alpine as builder
+# Arguments
+ARG NODE_VERSION=lts-alpine
+
+# NOTE: Ensure you set NODE_VERSION Build Argument as follows...
+#
+#  export NODE_VERSION="$(cat .nvmrc)-alpine" \
+#  docker build \
+#    --build-arg NODE_VERSION=$NODE_VERSION \
+#    -t mojaloop/sdk-scheme-adapter:local \
+#    . \
+#
+
+# Build Image
+FROM node:${NODE_VERSION} as builder
 
 WORKDIR /opt/app
 
-RUN apk add --no-cache -t build-dependencies make gcc g++ python3 libtool libressl-dev openssl-dev autoconf automake \
-    && cd $(npm root -g)/npm \
-    && npm config set unsafe-perm true \
-    && npm install -g node-gyp
+RUN apk add --no-cache -t build-dependencies make gcc g++ python3 libtool openssl-dev autoconf automake \
+    && cd $(npm root -g)/npm
 
 COPY package.json package-lock.json* /opt/app/
 RUN npm ci
@@ -15,7 +26,7 @@ COPY spec_files /opt/app/spec_files
 COPY examples /opt/app/examples
 RUN mkdir /opt/app/uploads
 
-FROM node:16.15.0-alpine
+FROM node:${NODE_VERSION}
 WORKDIR /opt/app
 
 # Create a non-root user: ml-user

README.md

@@ -80,12 +80,12 @@ For Command line tool follow this [CLI User Guide](/documents/User-Guide-CLI.md)
 
 ## Auditing Dependencies
 
-We use `npm-audit-resolver` along with `npm audit` to check dependencies for node vulnerabilities, and keep track of resolved dependencies with an `audit-resolve.json` file.
+We use `audit-ci` along with `npm audit` to check dependencies for node vulnerabilities, and keep track of resolved dependencies with an `audit-ci.jsonc` file.
 
 To start a new resolution process, run:
 
 ```bash
-npm run audit:resolve
+npm run audit:fix
 ```
 
 You can then check to see if the CI will pass based on the current dependencies with:
@@ -94,7 +94,7 @@ You can then check to see if the CI will pass based on the current dependencies
 npm run audit:check
 ```
 
-And commit the changed `audit-resolve.json` to ensure that CircleCI will build correctly.
+The [audit-ci.jsonc](./audit-ci.jsonc) contains any audit-exceptions that cannot be fixed to ensure that CircleCI will build correctly.
 
 ## Container Scans
 
@@ -112,8 +112,8 @@ As part of our CI/CD process, we use a combination of CircleCI, standard-version
 npm package and github-release CircleCI orb to automatically trigger our releases
 and image builds. This process essentially mimics a manual tag and release.
 
-On a merge to master, CircleCI is configured to use the mojaloopci github account
+On a merge to main, CircleCI is configured to use the mojaloopci github account
 to push the latest generated CHANGELOG and package version number.
 
-Once those changes are pushed, CircleCI will pull the updated master, tag and
+Once those changes are pushed, CircleCI will pull the updated main, tag and
 push a release triggering another subsequent build that also publishes a docker image.

audit-ci.jsonc

@@ -5,18 +5,13 @@
   "moderate": true,
   "allowlist": [
     // TODO: multer lib is using some vulnerable dependency
-    "GHSA-wm7h-9275-46v2",
-    // postman-collection: no fix available
-    "GHSA-mhxj-85r3-2x55",
-    // multer: no fix available
-    "GHSA-8qr4-xgw6-wmr3",
+    "GHSA-wm7h-9275-46v2", // https://github.com/advisories/GHSA-wm7h-9275-46v2
     // json web token, no fix available
-    "GHSA-8cf7-32gw-wr33",
-    "GHSA-8cf7-32gw-wr33",
-    "GHSA-27h2-hvpr-p74q",
-    "GHSA-qwph-4952-7xr6",
-    "GHSA-hjrf-2m68-5959",
+    "GHSA-8cf7-32gw-wr33", // https://github.com/advisories/GHSA-8cf7-32gw-wr33
+    "GHSA-hjrf-2m68-5959", // https://github.com/advisories/GHSA-hjrf-2m68-5959
+    "GHSA-qwph-4952-7xr6", // https://github.com/advisories/GHSA-qwph-4952-7xr6
     // request-provise-native, no fix available
-    "GHSA-p8p7-x288-28g6"
+    "GHSA-p8p7-x288-28g6", // https://github.com/advisories/GHSA-p8p7-x288-28g6
+    "GHSA-72xf-g2v4-qvf3"  // https://github.com/advisories/GHSA-72xf-g2v4-qvf3
   ]
 }