interledger · mkurapov · Apr 8, 2026 · Apr 8, 2026 · Apr 8, 2026 · Apr 8, 2026
diff --git a/.github/workflows/node-build.yml b/.github/workflows/node-build.yml
@@ -506,7 +506,7 @@ jobs:
         run: |
           docker images
       - name: Scan docker image
-        uses: anchore/scan-action@v3
+        uses: anchore/scan-action@v7
         with:
           image: /tmp/${{ github.sha }}-${{ matrix.package }}-${{ matrix.platform.name }}-${{ needs.version-generator.outputs.version }}.tar
           fail-build: true

diff --git a/.grype.yaml b/.grype.yaml
@@ -1,14 +1,15 @@
 ignore:
-  - vulnerability: GHSA-3xgq-45jj-v275
-  - vulnerability: CVE-2026-23950
-  - vulnerability: CVE-2026-23745
-
-  # CVE-2025-64756
-  - vulnerability: CVE-2025-64756
-  - vulnerability: GHSA-5j98-mcp5-4vw2
-
-  # CVE-2026-24842
-  - vulnerability: CVE-2026-24842
-  - vulnerability: GHSA-r6q2-hw4h-h46w
-  - vulnerability: GHSA-8qq5-rm4j-mr97
-  - vulnerability: GHSA-34x7-hfp2-rc4v
+  - vulnerability: CVE-2026-27903
+  - vulnerability: GHSA-7r86-cg39-jmmj
+
+  - vulnerability: CVE-2026-27904
+  - vulnerability: GHSA-23c5-xmqv-rm74
+
+  - vulnerability: CVE-2026-33671
+  - vulnerability: GHSA-c2c7-rcm5-vvqj
+
+  - vulnerability: CVE-2026-29786
+  - vulnerability: GHSA-qffp-2rhf-9h96
+
+  - vulnerability: CVE-2026-31802
+  - vulnerability: GHSA-9ppj-qmqm-q256
diff --git a/.trivyignore b/.trivyignore
@@ -1,5 +1,6 @@
-CVE-2024-21538 exp:2026-03-01
-CVE-2026-23950 exp:2026-03-01
-CVE-2025-64756 exp:2026-03-01
-CVE-2026-23745 exp:2026-03-01
-CVE-2026-24842 exp:2026-03-01
+CVE-2026-27903 exp:2026-06-01
+CVE-2026-27904 exp:2026-06-01
+CVE-2026-33671 exp:2026-06-01
+CVE-2026-29786 exp:2026-06-01
+CVE-2026-31802 exp:2026-06-01
+CVE-2026-22184 exp:2026-06-01
diff --git a/localenv/mock-account-servicing-entity/Dockerfile b/localenv/mock-account-servicing-entity/Dockerfile
@@ -6,7 +6,7 @@ ENV PNPM_HOME="/pnpm"
 ENV PATH="$PNPM_HOME:$PATH"
 
 RUN corepack enable
-RUN corepack prepare pnpm@8.7.4 --activate
+RUN corepack prepare pnpm@10.33.0 --activate
 
 COPY pnpm-lock.yaml ./
 

diff --git a/package.json b/package.json
@@ -4,10 +4,10 @@
   "license": "Apache-2.0",
   "repository": "https://github.com/interledger/rafiki",
   "engines": {
-    "pnpm": "^8.15.9",
+    "pnpm": "^10.33.0",
     "node": "24"
   },
-  "packageManager": "pnpm@8.15.9",
+  "packageManager": "pnpm@10.33.0",
   "scripts": {
     "preinstall": "npx only-allow pnpm",
     "lint": "eslint --max-warnings=0 --fix .",
@@ -68,18 +68,24 @@
       "json5@<1.0.2": ">=1.0.2",
       "katex": ">=0.16.21",
       "jose": ">=4.15.5",
+      "koa@>=2.0.0": "^2.16.4",
+      "koa@>=3.0.0": "^3.1.2",
       "undici@>=5.0.0": "^5.28.5",
-      "undici@>=6.0.0": "^6.21.2",
-      "tar": ">=7.5.4",
+      "undici@>=6.0.0": "^6.24.0",
+      "immutable@>=3.0.0": "^3.8.3",
+      "immutable@>=5.0.0": "^5.1.5",
+      "picomatch@>=2.0.0": "^2.3.2",
+      "picomatch@>=4.0.0": "^4.0.4",
+      "tar": ">=7.5.11",
       "braces@<3.0.3": ">=3.0.3",
       "dset@<3.1.4": ">=3.1.4",
-      "path-to-regexp@>=0.1.7": "^0.1.12",
+      "path-to-regexp@>=0.1.7": "^0.1.13",
       "path-to-regexp@>=6.3.0": "^6.3.0",
       "next": "^15.5.8",
       "form-data": "^4.0.4",
       "sha.js": ">=2.4.12",
       "@remix-run/router": ">=1.23.2",
-      "lodash": ">=4.17.23",
+      "lodash": ">=4.18.0",
       "qs@<6.14.1": ">=6.14.1",
       "@apollo/server": "^4.13.0"
     }

diff --git a/packages/auth/Dockerfile.dev b/packages/auth/Dockerfile.dev
@@ -8,7 +8,7 @@ USER rafiki
 RUN mkdir -p /home/rafiki/.local/bin
 ENV PATH="/home/rafiki/.local/bin:$PATH"
 RUN corepack enable --install-directory ~/.local/bin
-RUN corepack prepare pnpm@8.7.4 --activate
+RUN corepack prepare pnpm@10.33.0 --activate
 
 COPY pnpm-lock.yaml package.json pnpm-workspace.yaml .npmrc tsconfig.json tsconfig.build.json ./
 

diff --git a/packages/auth/Dockerfile.prod b/packages/auth/Dockerfile.prod
@@ -6,7 +6,7 @@ ENV PNPM_HOME="/pnpm"
 ENV PATH="$PNPM_HOME:$PATH"
 
 RUN corepack enable
-RUN corepack prepare pnpm@8.7.4 --activate
+RUN corepack prepare pnpm@10.33.0 --activate
 
 COPY pnpm-lock.yaml ./
 

diff --git a/packages/backend/Dockerfile.dev b/packages/backend/Dockerfile.dev
@@ -8,7 +8,7 @@ USER rafiki
 RUN mkdir -p /home/rafiki/.local/bin
 ENV PATH="/home/rafiki/.local/bin:$PATH"
 RUN corepack enable --install-directory ~/.local/bin
-RUN corepack prepare pnpm@8.7.4 --activate
+RUN corepack prepare pnpm@10.33.0 --activate
 COPY pnpm-lock.yaml package.json pnpm-workspace.yaml .npmrc tsconfig.json tsconfig.build.json ./
 
 # Fetch the pnpm dependencies, but use a local cache.

diff --git a/packages/backend/Dockerfile.prod b/packages/backend/Dockerfile.prod
@@ -6,7 +6,7 @@ ENV PNPM_HOME="/pnpm"
 ENV PATH="$PNPM_HOME:$PATH"
 
 RUN corepack enable
-RUN corepack prepare pnpm@8.7.4 --activate
+RUN corepack prepare pnpm@10.33.0 --activate
 
 COPY pnpm-lock.yaml ./
 

diff --git a/packages/card-service/Dockerfile.dev b/packages/card-service/Dockerfile.dev
@@ -8,7 +8,7 @@ USER rafiki
 RUN mkdir -p /home/rafiki/.local/bin
 ENV PATH="/home/rafiki/.local/bin:$PATH"
 RUN corepack enable --install-directory ~/.local/bin
-RUN corepack prepare pnpm@8.7.4 --activate
+RUN corepack prepare pnpm@10.33.0 --activate
 COPY pnpm-lock.yaml package.json pnpm-workspace.yaml .npmrc tsconfig.json tsconfig.build.json ./
 
 # Fetch the pnpm dependencies, but use a local cache.
@@ -30,6 +30,5 @@ RUN --mount=type=cache,id=pnpm,target=/pnpm/store \
     --recursive \
     --offline \
     --frozen-lockfile
-RUN pnpm --filter card-service build:deps
 
 CMD pnpm --filter card-service dev
diff --git a/packages/card-service/Dockerfile.prod b/packages/card-service/Dockerfile.prod
@@ -6,7 +6,7 @@ ENV PNPM_HOME="/pnpm"
 ENV PATH="$PNPM_HOME:$PATH"
 
 RUN corepack enable
-RUN corepack prepare pnpm@8.7.4 --activate
+RUN corepack prepare pnpm@10.33.0 --activate
 
 COPY pnpm-lock.yaml ./
 

diff --git a/packages/frontend/Dockerfile.dev b/packages/frontend/Dockerfile.dev
@@ -8,7 +8,7 @@ USER rafiki
 RUN mkdir -p /home/rafiki/.local/bin
 ENV PATH="/home/rafiki/.local/bin:$PATH"
 RUN corepack enable --install-directory ~/.local/bin
-RUN corepack prepare pnpm@8.7.4 --activate
+RUN corepack prepare pnpm@10.33.0 --activate
 
 COPY pnpm-lock.yaml package.json pnpm-workspace.yaml .npmrc tsconfig.json tsconfig.build.json ./
 COPY packages/frontend ./packages/frontend

diff --git a/packages/frontend/Dockerfile.prod b/packages/frontend/Dockerfile.prod
@@ -6,7 +6,7 @@ ENV PNPM_HOME="/pnpm"
 ENV PATH="$PNPM_HOME:$PATH"
 
 RUN corepack enable
-RUN corepack prepare pnpm@8.7.4 --activate
+RUN corepack prepare pnpm@10.33.0 --activate
 
 COPY pnpm-lock.yaml ./
 

diff --git a/packages/point-of-sale/Dockerfile.dev b/packages/point-of-sale/Dockerfile.dev
@@ -8,7 +8,7 @@ USER rafiki
 RUN mkdir -p /home/rafiki/.local/bin
 ENV PATH="/home/rafiki/.local/bin:$PATH"
 RUN corepack enable --install-directory ~/.local/bin
-RUN corepack prepare pnpm@8.7.4 --activate
+RUN corepack prepare pnpm@10.33.0 --activate
 COPY pnpm-lock.yaml package.json pnpm-workspace.yaml .npmrc tsconfig.json tsconfig.build.json ./
 
 # Fetch the pnpm dependencies, but use a local cache.
@@ -30,6 +30,5 @@ RUN --mount=type=cache,id=pnpm,target=/pnpm/store \
     --recursive \
     --offline \
     --frozen-lockfile
-RUN pnpm --filter point-of-sale build:deps
 
 CMD pnpm --filter point-of-sale dev
diff --git a/packages/point-of-sale/Dockerfile.prod b/packages/point-of-sale/Dockerfile.prod
@@ -6,7 +6,7 @@ ENV PNPM_HOME="/pnpm"
 ENV PATH="$PNPM_HOME:$PATH"
 
 RUN corepack enable
-RUN corepack prepare pnpm@8.7.4 --activate
+RUN corepack prepare pnpm@10.33.0 --activate
 
 COPY pnpm-lock.yaml ./