feat(mojaloop/#2092): upgrade nodeJS version for core services (#61) (#…

…243)

feat(mojaloop/#2092): upgrade nodeJS version for core services - mojaloop/project#2092
- standardised CI scripts
- updated docker-compose files to work correctly
- fixed lint issues
- updated .nvmrc to latest LTS version
- added standard CI scripts/config to package.json: release, snapshot, standard-version, etc
- updated gitignore to include standard IGNORE patterns
- updated README with standard auto-release information
- Fixed imports
- Cleaned up Package.json
- replaced npm-audit-resolves with audit-ci and added an applicable `audit-ci.jsonc` file with an audit allowList as per [mojaloop/design-authority-project/issues/92](mojaloop/design-authority-project#92)
- added safeguards for uncaught promises as required by Node v16 or otherwise the process will terminate in such an advent (possibly due to the legacy RXJS dependency

Notes:
- Helm chart mountPaths need to be updated from `/opt/central-event-processor` to `/opt/app` as follows:
    ```YAML
        volumeMounts:
        - mountPath: /opt/app/config
          name: <deployment-name>
    ```

BREAKING CHANGE: Major version bump for node v16 LTS support, re-structuring of project directories to align to core Mojaloop repositories and docker image now uses `/opt/app` instead of `/opt/central-event-processor` which will impact config mounts.

.gitignore

@@ -11,7 +11,6 @@ pids
 *.seed
 *.pid.lock
 .vscode
-package-lock.json
 
 # Directory for instrumented libs generated by jscoverage/JSCover
 lib-cov
@@ -62,3 +61,11 @@ typings/
 
 # next.js build output
 .next
+
+# https://devspace.sh/
+devspace*
+.devspace/**.*
+
+# Add ignores
+*IGNORE*
+*ignore*

.ncurc.yaml

@@ -0,0 +1,3 @@
+## Add a TODO comment indicating the reason for each rejected dependency upgrade added to this list, and what should be done to resolve it (i.e. handle it through a story, etc).
+reject: [
+]

.nvmrc

@@ -0,0 +1 @@
+16.15.0

CODEOWNERS

@@ -6,7 +6,7 @@
 ## @global-owner1 and @global-owner2 will be requested for
 ## review when someone opens a pull request.
 #*       @global-owner1 @global-owner2
-*   @vgenev @mdebarros @elnyry-sam-k @lewisdaly @oderayi @shashi165
+*  @vijayg10 @mdebarros @elnyry-sam-k
 
 ## Order is important; the last matching pattern takes the most
 ## precedence. When someone opens a pull request that only

Dockerfile

@@ -1,25 +1,18 @@
-FROM node:12.16.1-alpine as builder
-USER root
-
-WORKDIR /opt/central-event-processor
+FROM node:16.15.0-alpine as builder
+WORKDIR /opt/app
 
 RUN apk --no-cache add git
-RUN apk add --no-cache -t build-dependencies make gcc g++ python libtool autoconf automake \
-  && cd $(npm root -g)/npm \
-  && npm config set unsafe-perm true \
-  && npm install -g node-gyp
-
-COPY package.json package-lock.json* /opt/central-event-processor/
+RUN apk add --no-cache -t build-dependencies make gcc g++ python3 libtool libressl-dev openssl-dev autoconf automake \
+    && cd $(npm root -g)/npm \
+    && npm config set unsafe-perm true \
+    && npm install -g node-gyp
 
-RUN npm install
+COPY package*.json /opt/app/
 
-COPY src /opt/central-event-processor/src
-COPY config /opt/central-event-processor/config
-COPY app.js /opt/central-event-processor/
-COPY docs /opt/central-event-processor/docs
+RUN npm ci --production
 
-FROM node:12.16.1-alpine
-WORKDIR /opt/central-event-processor
+FROM node:16.15.0-alpine
+WORKDIR /opt/app
 
 # Create empty log file & link stdout to the application log file
 RUN mkdir ./logs && touch ./logs/combined.log
@@ -29,8 +22,10 @@ RUN ln -sf /dev/stdout ./logs/combined.log
 RUN adduser -D ml-user 
 USER ml-user
 
-COPY --chown=ml-user --from=builder /opt/central-event-processor .
-RUN npm prune --production
+COPY --chown=ml-user --from=builder /opt/app .
+
+COPY src /opt/app/src
+COPY config /opt/app/config
 
 EXPOSE 3080
-CMD node app.js
+CMD ["npm", "run", "start"]

LICENSE.md

@@ -3,7 +3,7 @@
 Copyright © 2020 Mojaloop Foundation
 
 The Mojaloop files are made available by the Mojaloop Foundation under the Apache License, Version 2.0
-(the "License") and you may not use these files except in compliance with the [License](http://www.apache.org/licenses/LICENSE-2.0). 
+(the "License") and you may not use these files except in compliance with the [License](http://www.apache.org/licenses/LICENSE-2.0).
 
 You may obtain a copy of the License at [http://www.apache.org/licenses/LICENSE-2.0](http://www.apache.org/licenses/LICENSE-2.0)
 

README.md

@@ -39,10 +39,13 @@ The CEP can then be integrated with a notifier service, to send out notification
   - [Notifier flow (separate service)](#notifier-flow-separate-service)
   - [Auditing Dependencies](#auditing-dependencies)
   - [Container Scans](#container-scans)
+  - [Automated Releases](#automated-releases)
+    - [Potential problems](#potential-problems)
 
 ## Todo
 
 - Improve code-coverage to 90% across the board: [.nycrc.yml](./.nycrc.yml). Don't forget to un-comment out the code-coverage options & rules.
+- Fix `TypeError: finalizer.unsubscribe is not a function` RXJS error
 
 ## Deployment
 
@@ -215,3 +218,33 @@ For more information on anchore and anchore-cli, refer to:
 
 - [Anchore CLI](https://github.com/anchore/anchore-cli)
 - [Circle Orb Registry](https://circleci.com/orbs/registry/orb/anchore/anchore-engine)
+
+## Automated Releases
+
+As part of our CI/CD process, we use a combination of CircleCI, standard-version
+npm package and github-release CircleCI orb to automatically trigger our releases
+and image builds. This process essentially mimics a manual tag and release.
+
+On a merge to master, CircleCI is configured to use the mojaloopci github account
+to push the latest generated CHANGELOG and package version number.
+
+Once those changes are pushed, CircleCI will pull the updated master, tag and
+push a release triggering another subsequent build that also publishes a docker image.
+
+### Potential problems
+
+- There is a case where the merge to master workflow will resolve successfully, triggering
+  a release. Then that tagged release workflow subsequently failing due to the image scan,
+  audit check, vulnerability check or other "live" checks.
+
+  This will leave master without an associated published build. Fixes that require
+  a new merge will essentially cause a skip in version number or require a clean up
+  of the master branch to the commit before the CHANGELOG and bump.
+
+  This may be resolved by relying solely on the previous checks of the
+  merge to master workflow to assume that our tagged release is of sound quality.
+  We are still mulling over this solution since catching bugs/vulnerabilities/etc earlier
+  is a boon.
+
+- It is unknown if a race condition might occur with multiple merges with master in
+  quick succession, but this is a suspected edge case.

audit-ci.jsonc

@@ -0,0 +1,31 @@
+{
+  "$schema": "https://github.com/IBM/audit-ci/raw/main/docs/schema.json",
+  // audit-ci supports reading JSON, JSONC, and JSON5 config files.
+  // Only use one of ["low": true, "moderate": true, "high": true, "critical": true]
+  "moderate": true,
+  "allowlist": [ // NOTE: Please add as much information as possible to any items added to the allowList
+    // Currently no fixes available for the following
+    "GHSA-v88g-cgmw-v5xw",
+    "GHSA-93q8-gq69-wqmw",
+    "GHSA-fwr7-v2mv-hh25",
+    "GHSA-phwq-j96m-2c2q",
+    "GHSA-mhxj-85r3-2x55",
+    "GHSA-v5vg-g7rq-363w",
+    "GHSA-896r-f27r-55mw",
+    "GHSA-282f-qqgm-c34q",
+    "GHSA-6vfc-qv3f-vr6c",
+    "GHSA-xvch-5gv4-984h",
+    "GHSA-vh95-rmgr-6w4m",
+    "GHSA-wc69-rhjr-hc9g",
+    "GHSA-rp65-9cf3-cjxr",
+    "GHSA-g954-5hwp-pp24",
+    "GHSA-mjxr-4v3x-q3m4",
+    "GHSA-rjqq-98f6-6j3r",
+    "GHSA-w5p7-h5w8-2hfq",
+    "GHSA-gcv8-gh4r-25x6",
+    "GHSA-8h2f-7jc4-7m3m",
+    "GHSA-3vjf-82ff-p4r3",
+    "GHSA-gmv4-r438-p67f",
+    "GHSA-p9pc-299p-vxgp"
+  ]
+}