chore(mojaloop/#3438): nodejs upgrade (#309)

chore(mojaloop/#3438): nodejs upgrade - mojaloop/project#3438 - Upgraded NodeJS from v16 to v18 LTS - Updated CI config to use NodeJS latest LTS version - Updated CI config to display runtime versions for each job - Upgraded NPM dependencies - Fixed CI bugs caused by the NodeJS upgrade - Updated CI pipeline use NVM to select node version from` .nvmrc` file - Upgraded circleci orbs - Migrated `master` branch to `main` - Optimized ci workflow to use cached image for some jobs - Updated unit test scripts to run "in band" to avoid failures by flaky tests. (Further investigation is needed to ascertain why `test/unit/server.tests.js` and `test/unit/serverStart.test.js` fail when run in parallel)
mojaloop · Sep 6, 2023 · d3aba52 · d3aba52
1 parent dd895c6
commit d3aba52
Show file tree

Hide file tree

Showing 16 changed files with 5,885 additions and 16,931 deletions.
diff --git a/.circleci/config.yml b/.circleci/config.yml
diff --git a/.nvmrc b/.nvmrc
@@ -1 +1 @@
-16.15.0
+18.17.1
diff --git a/.versionrc b/.versionrc
@@ -0,0 +1,15 @@
+{
+  "types": [
+    {"type": "feat", "section": "Features"},
+    {"type": "fix", "section": "Bug Fixes"},
+    {"type": "docs", "section": "Documentation"},
+    {"type": "style", "section": "Styling"},
+    {"type": "refactor", "section": "Refactors"},
+    {"type": "perf", "section": "Performance"},
+    {"type": "test", "section": "Tests"},
+    {"type": "build", "section": "Build System"},
+    {"type": "ci", "section": "CI"},
+    {"type": "chore", "section": "Chore"},
+    {"type": "revert", "section": "Reverts"}
+  ]
+}
diff --git a/Dockerfile b/Dockerfile
@@ -1,13 +1,24 @@
-FROM node:16.15.0-alpine as builder
+# Arguments
+ARG NODE_VERSION=lts-alpine
+
+# NOTE: Ensure you set NODE_VERSION Build Argument as follows...
+#
+#  export NODE_VERSION="$(cat .nvmrc)-alpine" \
+#  docker build \
+#    --build-arg NODE_VERSION=$NODE_VERSION \
+#    -t mojaloop/sdk-scheme-adapter:local \
+#    . \
+#
+
+# Build Image
+FROM node:${NODE_VERSION} as builder
 USER root
 
 WORKDIR /opt/app
 
 RUN apk --no-cache add git
-RUN apk add --no-cache -t build-dependencies make gcc g++ python3 libtool libressl-dev openssl-dev autoconf automake \
+RUN apk add --no-cache -t build-dependencies make gcc g++ python3 libtool openssl-dev autoconf automake bash \
     && cd $(npm root -g)/npm \
-    && npm config set unsafe-perm true \
-    && npm install -g node-gyp
 
 COPY package.json package-lock.json* /opt/app/
 
@@ -18,7 +29,7 @@ RUN apk del build-dependencies
 COPY src /opt/app/src
 COPY config /opt/app/config
 
-FROM node:16.15.0-alpine
+FROM node:${NODE_VERSION}
 
 WORKDIR /opt/app
 

diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 # Quoting Service
 
-[![Git Commit](https://img.shields.io/github/last-commit/mojaloop/quoting-service.svg?style=flat)](https://github.com/mojaloop/quoting-service/commits/master)
+[![Git Commit](https://img.shields.io/github/last-commit/mojaloop/quoting-service.svg?style=flat)](https://github.com/mojaloop/quoting-service/commits/main)
 [![Git Releases](https://img.shields.io/github/release/mojaloop/quoting-service.svg?style=flat)](https://github.com/mojaloop/quoting-service/releases)
 [![Docker pulls](https://img.shields.io/docker/pulls/mojaloop/quoting-service.svg?style=flat)](https://hub.docker.com/r/mojaloop/quoting-service)
 [![CircleCI](https://circleci.com/gh/mojaloop/quoting-service.svg?style=svg)](https://app.circleci.com/pipelines/github/mojaloop/quoting-service)
@@ -36,12 +36,12 @@ Please follow the instruction in [Onboarding Document](onboarding.md) to setup a
 
 ## Auditing Dependencies
 
-We use `npm-audit-resolver` along with `npm audit` to check dependencies for node vulnerabilities, and keep track of resolved dependencies with an `audit-resolve.json` file.
+We use `audit-ci` along with `npm audit` to check dependencies for node vulnerabilities, and keep track of resolved dependencies with an `audit-ci.jsonc` file.
 
 To start a new resolution process, run:
 
 ```bash
-npm run audit:resolve
+npm run audit:fix
 ```
 
 You can then check to see if the CI will pass based on the current dependencies with:
@@ -50,7 +50,7 @@ You can then check to see if the CI will pass based on the current dependencies
 npm run audit:check
 ```
 
-And commit the changed `audit-resolve.json` to ensure that CircleCI will build correctly.
+The [audit-ci.jsonc](./audit-ci.jsonc) contains any audit-exceptions that cannot be fixed to ensure that CircleCI will build correctly.
 
 ## Container Scans
 
@@ -69,28 +69,28 @@ As part of our CI/CD process, we use a combination of CircleCI, standard-version
 npm package and github-release CircleCI orb to automatically trigger our releases
 and image builds. This process essentially mimics a manual tag and release.
 
-On a merge to master, CircleCI is configured to use the mojaloopci github account
+On a merge to main, CircleCI is configured to use the mojaloopci github account
 to push the latest generated CHANGELOG and package version number.
 
-Once those changes are pushed, CircleCI will pull the updated master, tag and
+Once those changes are pushed, CircleCI will pull the updated main, tag and
 push a release triggering another subsequent build that also publishes a docker image.
 
 ### Potential problems
 
-- There is a case where the merge to master workflow will resolve successfully, triggering
+- There is a case where the merge to main workflow will resolve successfully, triggering
   a release. Then that tagged release workflow subsequently failing due to the image scan,
   audit check, vulnerability check or other "live" checks.
 
-  This will leave master without an associated published build. Fixes that require
+  This will leave main without an associated published build. Fixes that require
   a new merge will essentially cause a skip in version number or require a clean up
-  of the master branch to the commit before the CHANGELOG and bump.
+  of the main branch to the commit before the CHANGELOG and bump.
 
   This may be resolved by relying solely on the previous checks of the
-  merge to master workflow to assume that our tagged release is of sound quality.
+  merge to main workflow to assume that our tagged release is of sound quality.
   We are still mulling over this solution since catching bugs/vulnerabilities/etc earlier
   is a boon.
 
-- It is unknown if a race condition might occur with multiple merges with master in
+- It is unknown if a race condition might occur with multiple merges with main in
   quick succession, but this is a suspected edge case.
 
 

diff --git a/audit-ci.jsonc b/audit-ci.jsonc
@@ -0,0 +1,26 @@
+{
+  "$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json",
+  // audit-ci supports reading JSON, JSONC, and JSON5 config files.
+  // Only use one of ["low": true, "moderate": true, "high": true, "critical": true]
+  "moderate": true,
+  "allowlist": [
+    "GHSA-v88g-cgmw-v5xw",
+    "GHSA-phwq-j96m-2c2q",
+    "GHSA-pfrx-2q88-qq97",
+    "GHSA-282f-qqgm-c34q",
+    "GHSA-8cf7-32gw-wr33",
+    "GHSA-hjrf-2m68-5959",
+    "GHSA-qwph-4952-7xr6",
+    "GHSA-4jv9-3563-23j3",
+    "GHSA-6vfc-qv3f-vr6c",
+    "GHSA-wc69-rhjr-hc9g",
+    "GHSA-vp56-6g26-6827",
+    "GHSA-g954-5hwp-pp24",
+    "GHSA-h755-8qp9-cq85",
+    "GHSA-mjxr-4v3x-q3m4",
+    "GHSA-rjqq-98f6-6j3r",
+    "GHSA-qgmg-gppg-76g5",
+    "GHSA-f9xv-q969-pqx4",
+    "GHSA-p9pc-299p-vxgp"
+  ]
+}
diff --git a/audit-resolve.json b/audit-resolve.json