Merge pull request #210 from Flutterwave/FTPI-1574

FTPI-1574: 2026-04-15 Security Dependency Update

Author: corneliusyaovi

.github/workflows/package-publish.yml

@@ -4,6 +4,10 @@ on:
   release:
     types: [created]
 
+permissions:
+  id-token: write
+  contents: read
+
 jobs:
   check-readme-and-changelog:
     runs-on: ubuntu-latest
@@ -34,17 +38,14 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
 
       - name: Setup Node Engine
-        uses: actions/setup-node@v1
+        uses: actions/setup-node@v4
         with:
-          node-version: 16
+          node-version: 24
           registry-url: https://registry.npmjs.org/
 
-      - name: Install Node dependencies
-        run: npm ci
-
       - run: npm publish
         env:
           NODE_AUTH_TOKEN: ${{secrets.npm_token}}

CHANGELOG.md

@@ -1,4 +1,28 @@
 # Changelog
+## 1.3.2 | 2026-04-15
+- [FIXED] remaining moderate vulnerabilities by updating dependencies and applying package overrides.
+- [ADDED] overrides to enforce safe versions for vulnerable transitive packages: 
+  - flatted → 3.4.2
+  - minimatch → 9.0.7
+  - follow-redirects → 1.16.0
+  - serialize-javascript → 7.0.5
+  - ajv → 6.14.0
+  - diff → 8.0.3
+- [UPDATED] axios from 1.13.3 → 1.15.0
+- [UPDATED] node-forge from 1.3.2 → 1.4.0
+
+## 1.3.1 | 2026-02-05
+Update dependencies and fix compatibility issues
+
+### Version Changes
+- [FIXED] Downgrade ESlint to v8 for better compatibility with dependencies.
+- [FIXED] Bump @modelcontextprotocol/sdk from 1.25.3 to 1.26.0
+- [FIXED] Bump node-forge from 1.3.0 to 1.3.2
+- [FIXED] Bump axios from 1.8.4 to 1.12.0
+- [FIXED] Bump brace-expansion from 1.1.11 to 1.1.12
+- [FIXED] Bump sha.js from 2.4.11 to 2.4.12
+- [FIXED] Bump form-data from 4.0.2 to 4.0.4
+
 ## 1.3.0 | 2025-04-17
 
 Remove SDK logger