mojaloop · gibaros · Oct 21, 2025 · Oct 14, 2025 · Oct 14, 2025 · Oct 16, 2025
@@ -1,7 +1,7 @@
 version: 2.1
 setup: true
 orbs:
-  build: mojaloop/build@1.1.1
+  build: mojaloop/build@1.1.7
 workflows:
   setup:
     jobs:

@@ -1,23 +1,11 @@
 ignore:
-  # Ignore cross-spawn vulnerabilities by CVE ID due to false positive
-  # as grype looks at package-lock.json where it shows versions with
-  # vulnerabilities, npm ls shows only 7.0.6 verion is used
-  - vulnerability: "GHSA-3xgq-45jj-v275"
-    package:
-      name: "cross-spawn"
-  - vulnerability: "CVE-2025-23166"
-    package:
-      name: "node"
-  - vulnerability: "CVE-2025-23167"
-    package:
-      name: "node"
-  # Ignore validator URL validation bypass - no patch available yet
-  # Vulnerability: isURL() function can be bypassed using protocol delimiter differences
-  # Severity: Medium (CVSS 6.1) - Waiting for upstream fix
-  - vulnerability: "GHSA-9965-vmph-33xx"
-    package:
-      name: "validator"
-
+  - vulnerability: CVE-2025-46394
+    reason: "No fixes to busybox apk available as of 2025-10-16 on Dockerfile base image 22.20.0-alpine3.22"
+  - vulnerability: CVE-2024-58251
+    reason: "No fixes to busybox apk available as of 2025-10-16 on Dockerfile base image 22.20.0-alpine3.22"
+  - vulnerability: CVE-2025-56200
+    include-aliases: true
+    reason: "No fixes available as of 2025-10-16 on validator npm package"
 
 # Set output format defaults
 output:

@@ -1 +1 @@
-22.15.1
+22.20.0
@@ -6,7 +6,7 @@
 ## @global-owner1 and @global-owner2 will be requested for
 ## review when someone opens a pull request.
 #*       @global-owner1 @global-owner2
-*   @kleyow
+* @elnyry-sam-k  @bushjames @kleyow @shashi165 @gibaros
 ## Order is important; the last matching pattern takes the most
 ## precedence. When someone opens a pull request that only
 ## modifies JS files, only @js-owner and not the global

@@ -1,5 +1,5 @@
 # Arguments
-ARG NODE_VERSION=lts-alpine
+ARG NODE_VERSION=22.20.0-alpine3.22
 
 # NOTE: Ensure you set NODE_VERSION Build Argument as follows...
 #

@@ -5,15 +5,6 @@
   "moderate": true,
   "allowlist": [ // NOTE: Please add as much information as possible to any items added to the allowList
     // Currently no fixes available for the following
-    "GHSA-wf5p-g6vw-rhxx", // axios
-    "GHSA-pfrx-2q88-qq97", // npm-check-updates>update-notifier>latest-version>package-json>got
-    "GHSA-p8p7-x288-28g6", // npm-check-updates>pacote>@npmcli/run-script>node-gyp>request
-    "GHSA-72xf-g2v4-qvf3",  // npm-check-updates>pacote>@npmcli/run-script>node-gyp>request>tough-cookie
-    "GHSA-3xgq-45jj-v275", // https://github.com/advisories/GHSA-3xgq-45jj-v275
-    "GHSA-phwq-j96m-2c2q", // https://github.com/advisories/GHSA-phwq-j96m-2c2q
-    "GHSA-ghr5-ch3p-vcr6", // https://github.com/advisories/GHSA-ghr5-ch3p-vcr6
-    "GHSA-cgfm-xwp7-2cvr", // https://github.com/advisories/GHSA-cgfm-xwp7-2cvr
-    "GHSA-9965-vmph-33xx", // https://github.com/advisories/GHSA-9965-vmph-33xx
-    "GHSA-fjxv-7rqg-78g4" // https://github.com/advisories/GHSA-fjxv-7rqg-78g4
+    "GHSA-9965-vmph-33xx" // validator.js URL validation bypass - no fix available in validator <=13.15.15
   ]
 }