hmcts · Thor-tech-of-metal · Sep 27, 2023 · Sep 27, 2023 · Sep 27, 2023 · Sep 27, 2023
diff --git a/.github/renovate.json b/.github/renovate.json
@@ -0,0 +1,23 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "schedule": "after 7am and before 11am every weekday",
+  "extends": [
+    "local>hmcts/.github:renovate-config",
+    "local>hmcts/.github//renovate/automerge-all"
+  ],
+  "labels": ["dependencies"],
+  "helmv3": {
+    "bumpVersion": "patch"
+  },
+  "regexManagers": [
+    {
+      "fileMatch": ["^Dockerfile$"],
+      "matchStrings": [
+        "datasource=(?<datasource>.*?) depName=(?<depName>.*?)( versioning=(?<versioning>.*?))?\\sARG .*?_VERSION=(?<currentValue>.*)\\s"
+      ]
+    }
+  ],
+  "platformAutomerge": true,
+  "automerge": true,
+  "automergeType": "pr"
+}
diff --git a/.gitignore b/.gitignore
@@ -1 +1,12 @@
-node_modules
+# exclude all by default
+*
+
+# exceptions from `exclude all` rule
+
+!.yarn/**
+!.yarnrc.yml
+!package.json
+!yarn.lock
+
+!serviceCallbackFunction/**
+!config/**
diff --git a/.nvmrc b/.nvmrc
@@ -0,0 +1 @@
+14.17.0
diff --git a/.yarnrc.yml b/.yarnrc.yml
@@ -1,3 +1,3 @@
 nodeLinker: node-modules
 
-yarnPath: .yarn/releases/yarn-3.6.2.cjs
+yarnPath: .yarn/releases/yarn-3.6.2.cjs
diff --git a/Dockerfile b/Dockerfile
@@ -1,8 +1,9 @@
-FROM hmctspublic.azurecr.io/base/node:18-alpine as base
+FROM hmctspublic.azurecr.io/base/node:14-alpine as base
 
 COPY --chown=hmcts:hmcts package.json yarn.lock ./
 RUN yarn install --production  && rm -r ~/.cache/yarn
 
 # ---- Runtime imge ----
 FROM base as runtime
-COPY . .
+
+COPY --chown=hmcts:hmcts . .
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -0,0 +1,16 @@
+version: '2.1'
+
+services:
+  ccpay-cpo-callback-function:
+    build:
+      context: .
+      args:
+        - http_proxy
+        - https_proxy
+        - no_proxy
+    image: hmcts.azurecr.io/hmcts/ccpay-cpo-callback-function
+    container_name: ccpay-cpo-callback-function
+    environment:
+      - S2S_URL=http://rpe-service-auth-provider-aat.service.core-compute-aat.internal
+      - MICROSERVICE_PAYMENT_APP=payment_app
+
diff --git a/package.json b/package.json
@@ -4,7 +4,7 @@
   "private": true,
   "main": "index.js",
   "engines": {
-    "node": ">=v18.7.1"
+    "node": ">=12.16.1"
   },
   "scripts": {
     "start": "node serviceCallbackFunction/index.js",
@@ -15,8 +15,10 @@
     "sonar-scan": "node_modules/sonar-scanner/bin/sonar-scanner"
   },
   "dependencies": {
+    "@azure/core-auth": "1.3.0",
+    "@azure/logger": "1.0.0",
     "@azure/service-bus": "^1.1.7",
-    "@hmcts/properties-volume": "^1.0.0",
+    "@hmcts/properties-volume": "^0.0.9",
     "applicationinsights": "^1.7.5",
     "config": "^3.3.1",
     "otp": "^0.1.3",
@@ -48,6 +50,8 @@
     ]
   },
   "resolutions": {
+    "@azure/logger": "1.0.0",
+    "@azure/core-auth": "1.3.0",
     "node-fetch": ">=3.3.2",
     "cookiejar": ">=2.1.4",
     "xml2js": ">=0.6.2",

diff --git a/yarn-audit-known-issues b/yarn-audit-known-issues
@@ -1 +1 @@
-{"actions":[],"advisories":{"1092972":{"findings":[{"version":"2.88.2","paths":["request","request-promise>request","request-promise>request-promise-core>request"]}],"metadata":null,"vulnerable_versions":"<=2.88.2","module_name":"request","severity":"moderate","github_advisory_id":"GHSA-p8p7-x288-28g6","cves":["CVE-2023-28155"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2023-08-14T20:53:47.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1092972,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://security.netapp.com/advisory/ntap-20230413-0007/\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://github.com/advisories/GHSA-p8p7-x288-28g6","created":"2023-03-16T15:30:19.000Z","reported_by":null,"title":"Server-Side Request Forgery in Request","npm_advisory_id":null,"overview":"The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.","url":"https://github.com/advisories/GHSA-p8p7-x288-28g6"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":3,"high":0,"critical":0},"dependencies":185,"devDependencies":0,"optionalDependencies":0,"totalDependencies":185}}
+{"actions":[],"advisories":{"1092972":{"findings":[{"version":"2.88.2","paths":["request","request-promise>request","request-promise>request-promise-core>request"]}],"metadata":null,"vulnerable_versions":"<=2.88.2","module_name":"request","severity":"moderate","github_advisory_id":"GHSA-p8p7-x288-28g6","cves":["CVE-2023-28155"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":6.1,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"},"updated":"2023-08-14T20:53:47.000Z","recommendation":"None","cwe":["CWE-918"],"found_by":null,"deleted":null,"id":1092972,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-28155\n- https://github.com/request/request/issues/3442\n- https://github.com/request/request/pull/3444\n- https://doyensec.com/resources/Doyensec_Advisory_RequestSSRF_Q12023.pdf\n- https://security.netapp.com/advisory/ntap-20230413-0007/\n- https://github.com/github/advisory-database/pull/2500\n- https://github.com/cypress-io/request/blob/master/lib/redirect.js#L116\n- https://github.com/request/request/blob/master/lib/redirect.js#L111\n- https://github.com/cypress-io/request/pull/28\n- https://github.com/cypress-io/request/commit/c5bcf21d40fb61feaff21a0e5a2b3934a440024f\n- https://github.com/cypress-io/request/releases/tag/v3.0.0\n- https://github.com/advisories/GHSA-p8p7-x288-28g6","created":"2023-03-16T15:30:19.000Z","reported_by":null,"title":"Server-Side Request Forgery in Request","npm_advisory_id":null,"overview":"The `request` package through 2.88.2 for Node.js and the `@cypress/request` package prior to 3.0.0 allow a bypass of SSRF mitigations via an attacker-controller server that does a cross-protocol redirect (HTTP to HTTPS, or HTTPS to HTTP).\n\nNOTE: The `request` package is no longer supported by the maintainer.","url":"https://github.com/advisories/GHSA-p8p7-x288-28g6"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":3,"high":0,"critical":0},"dependencies":150,"devDependencies":0,"optionalDependencies":0,"totalDependencies":150}}