Merge pull request #32 from identity-com/master

Stage fetch polyfill

.circleci/config.yml

@@ -1,4 +1,6 @@
 defaults:
+  - &update_npm_on_machine
+    run: npm install [email protected] -g
   - &cache_restore
     restore_cache:
       keys:
@@ -54,7 +56,7 @@ workflows:
 jobs:
   build:
     docker:
-      - image: circleci/node:8.9
+      - image: circleci/node:8.15
       - image: trufflesuite/ganache-cli
         command: [ganache, -m, 'drum muscle maximum umbrella night initial prevent auction pink old fault media', -h, '0.0.0.0', -l, '7992181', -g, '1000000000', -e, '1000']
 
@@ -63,9 +65,8 @@ jobs:
     steps:
       - checkout
       - *cache_restore
-      - run:
-          command: |
-            npm install
+      - run: npm ci
+      - run: npm run audit-ci
       - *cache_save
       - run: npm run check-ci
 
@@ -79,7 +80,8 @@ jobs:
     - checkout
     - *cache_restore
     - *install_node
-    - run: npm install
+    - *update_npm_on_machine
+    - run: npm ci
     - *cache_save
     - run:
         name: Pull latest docker images
@@ -89,14 +91,14 @@ jobs:
 
   build-marketplace-tx-server-latest:
     docker:
-      - image: circleci/node:8.9
+      - image: circleci/node:8.15
 
     steps:
       - run: curl -d "build_parameters[CIRCLE_JOB]=build-docker-latest" "https://circleci.com/api/v1.1/project/github/civicteam/civic_js_node_server/tree/dev?circle-token=${CIRCLE_TOKEN}"
 
   build-marketplace-tx-server-test:
     docker:
-      - image: circleci/node:8.9
+      - image: circleci/node:8.15
 
     steps:
       - run: curl -d "build_parameters[CIRCLE_JOB]=build-docker-test" "https://circleci.com/api/v1.1/project/github/civicteam/civic_js_node_server/tree/master?circle-token=${CIRCLE_TOKEN}"

AUDIT.md

@@ -0,0 +1,15 @@
+This project uses [npm audit](https://docs.npmjs.com/cli/audit) to scan dependencies for vulnerabilities
+and automatically install any compatible updates to vulnerable dependencies.
+The security audit is also integrated into the project's CI pipeline via [audit-ci](https://github.com/IBM/audit-ci) command
+which fails the build if there is any vulnerability found.
+It is possible to ignore specific errors by whitelisting them in [audit-ci config.](./audit-ci.json).
+
+## NPM audit whitelist
+Whenever you whitelist a specific advisory it is required to refer it here and justify the whitelisting.
+
+### Advisories
+
+| #    | Level | Module | Title | Explanation |
+|------|-------|---------|------|-------------|
+|   |   |   |  |  |
+

README.md

@@ -14,15 +14,15 @@ We use the standard Identity.com terms for roles on the network:
 
 - __IDV__:  ID validator
 
-- __Scope request ID__: The UUID for PII request made by IDR to IDV, on the blockchain represented by a bytes32 string (64 hex chars) 
+- __Scope request ID__: The UUID for PII request made by IDR to IDV, on the blockchain represented by a bytes32 string (64 hex chars)
 
 - __Credential Item__:  Single piece of PII, can be claim (atom) or credential (molecule)
 
 - __Credential Item Internal ID__:  Credential items are identified by external or internal ID. The Internal ID is stored in the blockchain (bytes32 string of 64 hex chars) and is the keccak256 of the external ID.
 
 - __Credential Item External ID__:  The External ID consists of `Type, Name and Version`, using dash as a separator, e.g. `credential-ProofOfIdentity-v1.0`.
 
-### Installing 
+### Installing
 
 For development, fetch the library from github: [https://github.com/identity-com/marketplace-tx-js](https://github.com/identity-com/marketplace-tx-js)
 
@@ -71,7 +71,7 @@ module.exports = function override(config, env) {
   // Make Babel loader read the configuration from .babelrc file.
   const babelLoader = getBabelLoader(config.module.rules);
   babelLoader.options.babelrc = true;
-  
+
   config = rewireBabelLoader.include(
     config,
     resolveApp('node_modules/marketplace-tx')
@@ -118,7 +118,7 @@ const config = { ... };
 const marketplaceTx = new MarketplaceTx(context, config);
 ```
 
-### Logging 
+### Logging
 
 MarketplaceTx will log automatically to the console. To use your own logger:
 
@@ -129,14 +129,19 @@ const marketplaceTx = new MarketplaceTx({web3, logger}, config);
 
 ### Contracts
 
-MarketplaceTx requires contract artifacts - JSON files produced by [https://github.com/identity-com/smart-contracts](Marketplace Smart Contracts library) containing contract name, ABI, addresses on specified networks. 
-You can specify the path to to the artifacts folder by passing it to the config upon the initialisation:
+MarketplaceTx requires contract artifacts - JSON files produced by [https://github.com/identity-com/smart-contracts](Marketplace Smart Contracts library) containing contract name, ABI, addresses on specified networks.
+You can specify the path to to the artifacts directory by passing it to the config upon the initialisation:
 
 ```js
 const config = { contracts: { dir: 'contracts/' } };
 const marketplaceTx = new MarketplaceTx(context, config);
 ```
 
+It is also possible to refer the artifacts by providing absolute URL:
+```js
+const config = { contracts: { url: 'https://s3.amazonaws.com/<bucket>' } };
+const marketplaceTx = new MarketplaceTx(context, config);
+```
 
 ## Usage
 

audit-ci.json

@@ -0,0 +1,7 @@
+{
+  "low": true,
+  "package-manager": "auto",
+  "report": true,
+  "advisories": [],
+  "whitelist": []
+}