From eb327b8f8d2f7b5e504bb10bb64d583f7c9ea01e Mon Sep 17 00:00:00 2001
From: Ruth Bovell
Date: Mon, 9 Dec 2024 12:32:37 +0000
Subject: [PATCH 1/8] - suppress path-to-regexp vulnerability
---
 yarn-audit-known-issues | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 yarn-audit-known-issues
diff --git a/yarn-audit-known-issues b/yarn-audit-known-issues
new file mode 100644
index 00000000..96725888
--- /dev/null
+++ b/yarn-audit-known-issues
@@ -0,0 +1 @@ +{"actions":[],"advisories":{"1101081":{"findings":[{"version":"0.1.10","paths":["express>path-to-regexp","@hmcts/info-provider>express>path-to-regexp"]}],"found_by":null,"deleted":null,"references":"- https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-rhx6-c78j-4q9w\n- https://blakeembrey.com/posts/2024-09-web-redos\n- https://nvd.nist.gov/vuln/detail/CVE-2024-52798\n- https://github.com/pillarjs/path-to-regexp/commit/f01c26a013b1889f0c217c643964513acf17f6a4\n- https://github.com/advisories/GHSA-rhx6-c78j-4q9w","created":"2024-12-05T22:40:47.000Z","id":1101081,"npm_advisory_id":null,"overview":"### Impact\n\nThe regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of `path-to-regexp`, originally reported in CVE-2024-45296\n\n### Patches\n\nUpgrade to 0.1.12.\n\n### Workarounds\n\nAvoid using two parameters within a single path segment, when the separator is not `.` (e.g. no `/:a-:b`). Alternatively, you can define the regex used for both parameters and ensure they do not overlap to allow backtracking.\n\n### References\n\n- https://github.com/advisories/GHSA-9wv6-86v2-598j\n- https://blakeembrey.com/posts/2024-09-web-redos/","reported_by":null,"title":"Unpatched `path-to-regexp` ReDoS in 0.1.x","metadata":null,"cves":["CVE-2024-52798"],"access":"public","severity":"moderate","module_name":"path-to-regexp","vulnerable_versions":"<0.1.12","github_advisory_id":"GHSA-rhx6-c78j-4q9w","recommendation":"Upgrade to version 0.1.12 or later","patched_versions":">=0.1.12","updated":"2024-12-06T00:33:29.000Z","cvss":{"score":0,"vectorString":null},"cwe":["CWE-1333"],"url":"https://github.com/advisories/GHSA-rhx6-c78j-4q9w"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":2,"high":0,"critical":0},"dependencies":356,"devDependencies":0,"optionalDependencies":0,"totalDependencies":356}} From b908622d8a460a729224e8d5a00b1e452cc0b17b Mon Sep 17 00:00:00 2001 
From: Ruth Bovell
Date: Mon, 9 Dec 2024 12:59:19 +0000
Subject: [PATCH 2/8] - remove suppressions
---
 package.json | 3 ++-
 yarn-audit-known-issues | 1 -
 2 files changed, 2 insertions(+), 2 deletions(-)
 delete mode 100644 yarn-audit-known-issues
diff --git a/package.json b/package.json
index d6969d71..6e1e4ba9 100644
--- a/package.json
+++ b/package.json
@@ -142,7 +142,8 @@
 "micromatch": ">=4.0.8",
 "tar": ">=6.2.1",
 "braces": ">=3.0.3",
- "cookie": ">=0.7.0"
+ "cookie": ">=0.7.0",
+ "express/path-to-regxp": ">=0.1.12"
 },
 "packageManager": "yarn@3.6.4"
 }
diff --git a/yarn-audit-known-issues b/yarn-audit-known-issues
deleted file mode 100644
index 96725888..00000000
--- a/yarn-audit-known-issues
+++ /dev/null
@@ -1 +0,0 @@ -{"actions":[],"advisories":{"1101081":{"findings":[{"version":"0.1.10","paths":["express>path-to-regexp","@hmcts/info-provider>express>path-to-regexp"]}],"found_by":null,"deleted":null,"references":"- https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-rhx6-c78j-4q9w\n- https://blakeembrey.com/posts/2024-09-web-redos\n- https://nvd.nist.gov/vuln/detail/CVE-2024-52798\n- https://github.com/pillarjs/path-to-regexp/commit/f01c26a013b1889f0c217c643964513acf17f6a4\n- https://github.com/advisories/GHSA-rhx6-c78j-4q9w","created":"2024-12-05T22:40:47.000Z","id":1101081,"npm_advisory_id":null,"overview":"### Impact\n\nThe regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of `path-to-regexp`, originally reported in CVE-2024-45296\n\n### Patches\n\nUpgrade to 0.1.12.\n\n### Workarounds\n\nAvoid using two parameters within a single path segment, when the separator is not `.` (e.g. no `/:a-:b`). Alternatively, you can define the regex used for both parameters and ensure they do not overlap to allow backtracking.\n\n### References\n\n- https://github.com/advisories/GHSA-9wv6-86v2-598j\n- https://blakeembrey.com/posts/2024-09-web-redos/","reported_by":null,"title":"Unpatched `path-to-regexp` ReDoS in 0.1.x","metadata":null,"cves":["CVE-2024-52798"],"access":"public","severity":"moderate","module_name":"path-to-regexp","vulnerable_versions":"<0.1.12","github_advisory_id":"GHSA-rhx6-c78j-4q9w","recommendation":"Upgrade to version 0.1.12 or later","patched_versions":">=0.1.12","updated":"2024-12-06T00:33:29.000Z","cvss":{"score":0,"vectorString":null},"cwe":["CWE-1333"],"url":"https://github.com/advisories/GHSA-rhx6-c78j-4q9w"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":2,"high":0,"critical":0},"dependencies":356,"devDependencies":0,"optionalDependencies":0,"totalDependencies":356}} From 9d1e92f7b83e459d9d308a769ccf1db71400b91c Mon Sep 17 00:00:00 2001 
From: Ruth Bovell
Date: Mon, 9 Dec 2024 13:18:26 +0000
Subject: [PATCH 3/8] - add suppressions
---
 yarn-audit-known-issues | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 yarn-audit-known-issues
diff --git a/yarn-audit-known-issues b/yarn-audit-known-issues
new file mode 100644
index 00000000..94e1a45a
--- /dev/null
+++ b/yarn-audit-known-issues
@@ -0,0 +1 @@
+{"actions":[],"advisories":{},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":0,"high":0,"critical":0},"dependencies":356,"devDependencies":0,"optionalDependencies":0,"totalDependencies":356}}
From 86ad7bd9a8c240d39e702edbe35b244954926325 Mon Sep 17 00:00:00 2001
From: Ruth Bovell
Date: Mon, 9 Dec 2024 13:19:01 +0000
Subject: [PATCH 4/8] - remove typo dependency
---
 package.json | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/package.json b/package.json
index 6e1e4ba9..d6969d71 100644
--- a/package.json
+++ b/package.json
@@ -142,8 +142,7 @@
 "micromatch": ">=4.0.8",
 "tar": ">=6.2.1",
 "braces": ">=3.0.3",
- "cookie": ">=0.7.0",
- "express/path-to-regxp": ">=0.1.12"
+ "cookie": ">=0.7.0"
 },
 "packageManager": "yarn@3.6.4"
 }
From 2fe39736e5f3f2d1841c5ee34535b6486011bbd8 Mon Sep 17 00:00:00 2001
From: Ruth Bovell
Date: Mon, 9 Dec 2024 13:25:43 +0000
Subject: [PATCH 5/8] - suppress path-to-regexp
---
 yarn-audit-known-issues | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/yarn-audit-known-issues b/yarn-audit-known-issues
index 94e1a45a..96725888 100644
--- a/yarn-audit-known-issues
+++ b/yarn-audit-known-issues
@@ -1 +1 @@ -{"actions":[],"advisories":{},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":0,"high":0,"critical":0},"dependencies":356,"devDependencies":0,"optionalDependencies":0,"totalDependencies":356}} +{"actions":[],"advisories":{"1101081":{"findings":[{"version":"0.1.10","paths":["express>path-to-regexp","@hmcts/info-provider>express>path-to-regexp"]}],"found_by":null,"deleted":null,"references":"- https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-rhx6-c78j-4q9w\n- https://blakeembrey.com/posts/2024-09-web-redos\n- https://nvd.nist.gov/vuln/detail/CVE-2024-52798\n- https://github.com/pillarjs/path-to-regexp/commit/f01c26a013b1889f0c217c643964513acf17f6a4\n- https://github.com/advisories/GHSA-rhx6-c78j-4q9w","created":"2024-12-05T22:40:47.000Z","id":1101081,"npm_advisory_id":null,"overview":"### Impact\n\nThe regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of `path-to-regexp`, originally reported in CVE-2024-45296\n\n### Patches\n\nUpgrade to 0.1.12.\n\n### Workarounds\n\nAvoid using two parameters within a single path segment, when the separator is not `.` (e.g. no `/:a-:b`). 
Alternatively, you can define the regex used for both parameters and ensure they do not overlap to allow backtracking.\n\n### References\n\n- https://github.com/advisories/GHSA-9wv6-86v2-598j\n- https://blakeembrey.com/posts/2024-09-web-redos/","reported_by":null,"title":"Unpatched `path-to-regexp` ReDoS in 0.1.x","metadata":null,"cves":["CVE-2024-52798"],"access":"public","severity":"moderate","module_name":"path-to-regexp","vulnerable_versions":"<0.1.12","github_advisory_id":"GHSA-rhx6-c78j-4q9w","recommendation":"Upgrade to version 0.1.12 or later","patched_versions":">=0.1.12","updated":"2024-12-06T00:33:29.000Z","cvss":{"score":0,"vectorString":null},"cwe":["CWE-1333"],"url":"https://github.com/advisories/GHSA-rhx6-c78j-4q9w"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":2,"high":0,"critical":0},"dependencies":356,"devDependencies":0,"optionalDependencies":0,"totalDependencies":356}} From 0bcbcd48d2e2ea869c7d53fca7132d9dfcb9e321 Mon Sep 17 00:00:00 2001 From: Ruth Bovell Date: Mon, 9 Dec 2024 15:50:09 +0000 Subject: [PATCH 6/8] - updates path-to-regexp, lowers info-provider and express --- .pnp.cjs | 31 ++++++++++++------------------- package.json | 9 +++++---- yarn-audit-known-issues | 1 - yarn.lock | 33 +++++++++++++-------------------- 4 files changed, 30 insertions(+), 44 deletions(-) delete mode 100644 yarn-audit-known-issues diff --git a/.pnp.cjs b/.pnp.cjs index 7a7456c7..d9366acf 100755 --- a/.pnp.cjs +++ b/.pnp.cjs 
@@ -81,7 +81,7 @@ function $$SETUP_STATE(hydrateRuntimeState, basePath) { ["cucumber", "npm:6.0.7"],\ ["debug", "virtual:a19c5d45c91db68c2747317aa473fe5d57578fe6e1aacbda18f5798bcaa77b2f4e2379016587e880623e46738f4948ce214dc05fd152754f4261b7f65c23d4eb#npm:4.3.7"],\ ["eslint", "npm:8.57.1"],\ - ["express", "npm:4.21.0"],\ + ["express", "npm:4.21.2"],\ ["express-nunjucks", "virtual:a19c5d45c91db68c2747317aa473fe5d57578fe6e1aacbda18f5798bcaa77b2f4e2379016587e880623e46738f4948ce214dc05fd152754f4261b7f65c23d4eb#npm:3.1.2"],\ ["glob-parent", "npm:6.0.2"],\ ["govuk-frontend", "npm:4.9.0"],\ @@ -3557,7 +3557,7 @@ function $$SETUP_STATE(hydrateRuntimeState, basePath) { "packageLocation": "./.yarn/cache/@hmcts-info-provider-npm-1.2.2-a0b80fce74-2d9dc7bb58.zip/node_modules/@hmcts/info-provider/",\ "packageDependencies": [\ ["@hmcts/info-provider", "npm:1.2.2"],\ - ["express", "npm:4.21.0"],\ + ["express", "npm:4.21.2"],\ ["js-yaml", "npm:4.1.0"]\ ],\ "linkType": "HARD"\ @@ -9469,10 +9469,10 @@ function $$SETUP_STATE(hydrateRuntimeState, basePath) { }]\ ]],\ ["express", [\ - ["npm:4.21.0", {\ - "packageLocation": "./.yarn/cache/express-npm-4.21.0-377d90d8f4-1c5212993f.zip/node_modules/express/",\ + ["npm:4.21.2", {\ + "packageLocation": "./.yarn/cache/express-npm-4.21.2-9b3bd32250-3aef1d3556.zip/node_modules/express/",\ "packageDependencies": [\ - ["express", "npm:4.21.0"],\ + ["express", "npm:4.21.2"],\ ["accepts", "npm:1.3.8"],\ ["array-flatten", "npm:1.1.1"],\ ["body-parser", "npm:1.20.3"],\ @@ -9492,7 +9492,7 @@ function $$SETUP_STATE(hydrateRuntimeState, basePath) { ["methods", "npm:1.1.2"],\ ["on-finished", "npm:2.4.1"],\ ["parseurl", "npm:1.3.3"],\ - ["path-to-regexp", "npm:0.1.10"],\ + ["path-to-regexp", "npm:0.1.12"],\ ["proxy-addr", "npm:2.0.7"],\ ["qs", "npm:6.11.2"],\ ["range-parser", "npm:1.2.1"],\ 
@@ -9522,7 +9522,7 @@ function $$SETUP_STATE(hydrateRuntimeState, basePath) { ["express-nunjucks", "virtual:a19c5d45c91db68c2747317aa473fe5d57578fe6e1aacbda18f5798bcaa77b2f4e2379016587e880623e46738f4948ce214dc05fd152754f4261b7f65c23d4eb#npm:3.1.2"],\ ["@types/express", "npm:5.0.0"],\ ["@types/nunjucks", "npm:3.2.6"],\ - ["express", "npm:4.21.0"],\ + ["express", "npm:4.21.2"],\ ["nunjucks", "virtual:a19c5d45c91db68c2747317aa473fe5d57578fe6e1aacbda18f5798bcaa77b2f4e2379016587e880623e46738f4948ce214dc05fd152754f4261b7f65c23d4eb#npm:3.2.4"],\ ["nunjucks-async-loader", "virtual:aeca60741bf899216659964f2d211325d66126d93bc7d135d9cc9e7dd1655f70ec566f32285c098fd5a47bafec21c0bc8128b4a51118b64080a1b69400929e40#npm:2.1.3"]\ ],\ @@ -9662,7 +9662,7 @@ function $$SETUP_STATE(hydrateRuntimeState, basePath) { ["cucumber", "npm:6.0.7"],\ ["debug", "virtual:a19c5d45c91db68c2747317aa473fe5d57578fe6e1aacbda18f5798bcaa77b2f4e2379016587e880623e46738f4948ce214dc05fd152754f4261b7f65c23d4eb#npm:4.3.7"],\ ["eslint", "npm:8.57.1"],\ - ["express", "npm:4.21.0"],\ + ["express", "npm:4.21.2"],\ ["express-nunjucks", "virtual:a19c5d45c91db68c2747317aa473fe5d57578fe6e1aacbda18f5798bcaa77b2f4e2379016587e880623e46738f4948ce214dc05fd152754f4261b7f65c23d4eb#npm:3.1.2"],\ ["glob-parent", "npm:6.0.2"],\ ["govuk-frontend", "npm:4.9.0"],\ @@ -13786,7 +13786,7 @@ function $$SETUP_STATE(hydrateRuntimeState, basePath) { ["@sinonjs/fake-timers", "npm:13.0.5"],\ ["@sinonjs/text-encoding", "npm:0.7.3"],\ ["just-extend", "npm:6.2.0"],\ - ["path-to-regexp", "npm:8.2.0"]\ + ["path-to-regexp", "npm:0.1.12"]\ ],\ "linkType": "HARD"\ }]\ 
@@ -14549,17 +14549,10 @@ function $$SETUP_STATE(hydrateRuntimeState, basePath) { }]\ ]],\ ["path-to-regexp", [\ - ["npm:0.1.10", {\ - "packageLocation": "./.yarn/cache/path-to-regexp-npm-0.1.10-63516149e0-ab7a3b7a0b.zip/node_modules/path-to-regexp/",\ + ["npm:0.1.12", {\ + "packageLocation": "./.yarn/cache/path-to-regexp-npm-0.1.12-a9bf1de212-ab237858be.zip/node_modules/path-to-regexp/",\ "packageDependencies": [\ - ["path-to-regexp", "npm:0.1.10"]\ - ],\ - "linkType": "HARD"\ - }],\ - ["npm:8.2.0", {\ - "packageLocation": "./.yarn/cache/path-to-regexp-npm-8.2.0-71c92fc0c6-56e13e4596.zip/node_modules/path-to-regexp/",\ - "packageDependencies": [\ - ["path-to-regexp", "npm:8.2.0"]\ + ["path-to-regexp", "npm:0.1.12"]\ ],\ "linkType": "HARD"\ }]\
diff --git a/package.json b/package.json
index d6969d71..5b29ebeb 100644
--- a/package.json
+++ b/package.json
@@ -26,7 +26,7 @@
 },
 "dependencies": {
 "@hmcts/cookie-manager": "1.0.0",
- "@hmcts/info-provider": "^1.2.2",
+ "@hmcts/info-provider": "^1.1.0",
 "@hmcts/nodejs-healthcheck": "^1.8.5",
 "@hmcts/nodejs-logging": "^4.0.4",
 "@hmcts/properties-volume": "^1.2.0",
@@ -51,7 +51,7 @@
 "config": "^3.3.12",
 "cookie-parser": "^1.4.7",
 "csurf": "^1.11.0",
- "express": "4.21.1",
+ "express": "^4.17.17",
 "express-nunjucks": "^3.1.2",
 "glob-parent": "6.0.2",
 "govuk-frontend": "^4.9.0",
@@ -138,11 +138,12 @@
 "axios>follow-redirects": ">=1.15.4",
 "http-proxy-middleware>http-proxy>follow-redirects": ">=1.15.4",
 "@types/http-proxy-middleware>http-proxy-middleware>http-proxy>follow-redirects": ">=1.15.4",
- "express": "4.21.0",
+ "express": "^4.17.17",
 "micromatch": ">=4.0.8",
 "tar": ">=6.2.1",
 "braces": ">=3.0.3",
- "cookie": ">=0.7.0"
+ "cookie": ">=0.7.0",
+ "path-to-regexp": "^0.1.12"
 },
 "packageManager": "yarn@3.6.4"
 }
diff --git a/yarn-audit-known-issues b/yarn-audit-known-issues
deleted file mode 100644
index 96725888..00000000
--- a/yarn-audit-known-issues
+++ /dev/null
@@ -1 +0,0 @@ -{"actions":[],"advisories":{"1101081":{"findings":[{"version":"0.1.10","paths":["express>path-to-regexp","@hmcts/info-provider>express>path-to-regexp"]}],"found_by":null,"deleted":null,"references":"- https://github.com/pillarjs/path-to-regexp/security/advisories/GHSA-rhx6-c78j-4q9w\n- https://blakeembrey.com/posts/2024-09-web-redos\n- https://nvd.nist.gov/vuln/detail/CVE-2024-52798\n- https://github.com/pillarjs/path-to-regexp/commit/f01c26a013b1889f0c217c643964513acf17f6a4\n- https://github.com/advisories/GHSA-rhx6-c78j-4q9w","created":"2024-12-05T22:40:47.000Z","id":1101081,"npm_advisory_id":null,"overview":"### Impact\n\nThe regular expression that is vulnerable to backtracking can be generated in the 0.1.x release of `path-to-regexp`, originally reported in CVE-2024-45296\n\n### Patches\n\nUpgrade to 0.1.12.\n\n### Workarounds\n\nAvoid using two parameters within a single path segment, when the separator is not `.` (e.g. no `/:a-:b`). Alternatively, you can define the regex used for both parameters and ensure they do not overlap to allow backtracking.\n\n### References\n\n- https://github.com/advisories/GHSA-9wv6-86v2-598j\n- https://blakeembrey.com/posts/2024-09-web-redos/","reported_by":null,"title":"Unpatched `path-to-regexp` ReDoS in 0.1.x","metadata":null,"cves":["CVE-2024-52798"],"access":"public","severity":"moderate","module_name":"path-to-regexp","vulnerable_versions":"<0.1.12","github_advisory_id":"GHSA-rhx6-c78j-4q9w","recommendation":"Upgrade to version 0.1.12 or later","patched_versions":">=0.1.12","updated":"2024-12-06T00:33:29.000Z","cvss":{"score":0,"vectorString":null},"cwe":["CWE-1333"],"url":"https://github.com/advisories/GHSA-rhx6-c78j-4q9w"}},"muted":[],"metadata":{"vulnerabilities":{"info":0,"low":0,"moderate":2,"high":0,"critical":0},"dependencies":356,"devDependencies":0,"optionalDependencies":0,"totalDependencies":356}} diff --git a/yarn.lock b/yarn.lock index cfdc1b0c..1e43ce5a 100644 --- a/yarn.lock +++ b/yarn.lock 
@@ -2144,7 +2144,7 @@ __metadata: languageName: node linkType: hard -"@hmcts/info-provider@npm:^1.2.2": +"@hmcts/info-provider@npm:^1.1.0": version: 1.2.2 resolution: "@hmcts/info-provider@npm:1.2.2" dependencies: @@ -7088,16 +7088,16 @@ __metadata: languageName: node linkType: hard -"express@npm:4.21.0": - version: 4.21.0 - resolution: "express@npm:4.21.0" +"express@npm:^4.17.17": + version: 4.21.2 + resolution: "express@npm:4.21.2" dependencies: accepts: ~1.3.8 array-flatten: 1.1.1 body-parser: 1.20.3 content-disposition: 0.5.4 content-type: ~1.0.4 - cookie: 0.6.0 + cookie: 0.7.1 cookie-signature: 1.0.6 debug: 2.6.9 depd: 2.0.0 @@ -7111,7 +7111,7 @@ __metadata: methods: ~1.1.2 on-finished: 2.4.1 parseurl: ~1.3.3 - path-to-regexp: 0.1.10 + path-to-regexp: 0.1.12 proxy-addr: ~2.0.7 qs: 6.13.0 range-parser: ~1.2.1 @@ -7123,7 +7123,7 @@ __metadata: type-is: ~1.6.18 utils-merge: 1.0.1 vary: ~1.1.2 - checksum: 1c5212993f665809c249bf00ab550b989d1365a5b9171cdfaa26d93ee2ef10cd8add520861ec8d5da74b3194d8374e1d9d53e85ef69b89fd9c4196b87045a5d4 + checksum: 3aef1d355622732e20b8f3a7c112d4391d44e2131f4f449e1f273a309752a41abfad714e881f177645517cbe29b3ccdc10b35e7e25c13506114244a5b72f549d languageName: node linkType: hard @@ -7201,7 +7201,7 @@ __metadata: "@codeceptjs/allure-legacy": ^1.0.2 "@codeceptjs/configure": ^0.10.0 "@hmcts/cookie-manager": 1.0.0 - "@hmcts/info-provider": ^1.2.2 + "@hmcts/info-provider": ^1.1.0 "@hmcts/nodejs-healthcheck": ^1.8.5 "@hmcts/nodejs-logging": ^4.0.4 "@hmcts/properties-volume": ^1.2.0 @@ -7249,7 +7249,7 @@ __metadata: cucumber: ^6.0.7 debug: ^4.3.7 eslint: ^8.57.1 - express: 4.21.1 + express: ^4.17.17 express-nunjucks: ^3.1.2 glob-parent: 6.0.2 govuk-frontend: ^4.9.0 
@@ -11627,17 +11627,10 @@ __metadata: languageName: node linkType: hard -"path-to-regexp@npm:0.1.10": - version: 0.1.10 - resolution: "path-to-regexp@npm:0.1.10" - checksum: ab7a3b7a0b914476d44030340b0a65d69851af2a0f33427df1476100ccb87d409c39e2182837a96b98fb38c4ef2ba6b87bdad62bb70a2c153876b8061760583c - languageName: node - linkType: hard - -"path-to-regexp@npm:^8.1.0": - version: 8.2.0 - resolution: "path-to-regexp@npm:8.2.0" - checksum: 56e13e45962e776e9e7cd72e87a441cfe41f33fd539d097237ceb16adc922281136ca12f5a742962e33d8dda9569f630ba594de56d8b7b6e49adf31803c5e771 +"path-to-regexp@npm:^0.1.12": + version: 0.1.12 + resolution: "path-to-regexp@npm:0.1.12" + checksum: ab237858bee7b25ecd885189f175ab5b5161e7b712b360d44f5c4516b8d271da3e4bf7bf0a7b9153ecb04c7d90ce8ff5158614e1208819cf62bac2b08452722e languageName: node linkType: hard
From bbbbd2c9d05c189b8762305dd2ab12b01b544a85 Mon Sep 17 00:00:00 2001
From: Ruth Bovell
Date: Mon, 9 Dec 2024 16:28:19 +0000
Subject: [PATCH 7/8] - updates path-to-regexp, updates info-provider and express
---
 package.json | 8 ++++----
 yarn.lock | 10 +++++-----
 2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/package.json b/package.json
index 5b29ebeb..9b4472ef 100644
--- a/package.json
+++ b/package.json
@@ -26,7 +26,7 @@
 },
 "dependencies": {
 "@hmcts/cookie-manager": "1.0.0",
- "@hmcts/info-provider": "^1.1.0",
+ "@hmcts/info-provider": "^1.2.2",
 "@hmcts/nodejs-healthcheck": "^1.8.5",
 "@hmcts/nodejs-logging": "^4.0.4",
 "@hmcts/properties-volume": "^1.2.0",
@@ -51,7 +51,7 @@
 "config": "^3.3.12",
 "cookie-parser": "^1.4.7",
 "csurf": "^1.11.0",
- "express": "^4.17.17",
+ "express": "4.21.2",
 "express-nunjucks": "^3.1.2",
 "glob-parent": "6.0.2",
 "govuk-frontend": "^4.9.0",
@@ -138,12 +138,12 @@
 "axios>follow-redirects": ">=1.15.4",
 "http-proxy-middleware>http-proxy>follow-redirects": ">=1.15.4",
 "@types/http-proxy-middleware>http-proxy-middleware>http-proxy>follow-redirects": ">=1.15.4",
- "express": "^4.17.17",
+ "express": "4.21.2",
 "micromatch": ">=4.0.8",
 "tar": ">=6.2.1",
 "braces": ">=3.0.3",
 "cookie": ">=0.7.0",
- "path-to-regexp": "^0.1.12"
+ "path-to-regexp": "0.1.12"
 },
 "packageManager": "yarn@3.6.4"
 }
diff --git a/yarn.lock b/yarn.lock
index 1e43ce5a..a71040ac 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -2144,7 +2144,7 @@ __metadata: languageName: node linkType: hard -"@hmcts/info-provider@npm:^1.1.0": +"@hmcts/info-provider@npm:^1.2.2": version: 1.2.2 resolution: "@hmcts/info-provider@npm:1.2.2" dependencies:
@@ -7088,7 +7088,7 @@ __metadata: languageName: node linkType: hard -"express@npm:^4.17.17": +"express@npm:4.21.2": version: 4.21.2 resolution: "express@npm:4.21.2" dependencies:
@@ -7201,7 +7201,7 @@ __metadata: "@codeceptjs/allure-legacy": ^1.0.2 "@codeceptjs/configure": ^0.10.0 "@hmcts/cookie-manager": 1.0.0 - "@hmcts/info-provider": ^1.1.0 + "@hmcts/info-provider": ^1.2.2 "@hmcts/nodejs-healthcheck": ^1.8.5 "@hmcts/nodejs-logging": ^4.0.4 "@hmcts/properties-volume": ^1.2.0
@@ -7249,7 +7249,7 @@ __metadata: cucumber: ^6.0.7 debug: ^4.3.7 eslint: ^8.57.1 - express: ^4.17.17 + express: 4.21.2 express-nunjucks: ^3.1.2 glob-parent: 6.0.2 govuk-frontend: ^4.9.0
@@ -11627,7 +11627,7 @@ __metadata: languageName: node linkType: hard -"path-to-regexp@npm:^0.1.12": +"path-to-regexp@npm:0.1.12": version: 0.1.12 resolution: "path-to-regexp@npm:0.1.12" checksum: ab237858bee7b25ecd885189f175ab5b5161e7b712b360d44f5c4516b8d271da3e4bf7bf0a7b9153ecb04c7d90ce8ff5158614e1208819cf62bac2b08452722e
From a9a857f1a4e2cccd3d6b18869bd473b72aa7ba50 Mon Sep 17 00:00:00 2001
From: Ruth Bovell
Date: Mon, 9 Dec 2024 16:46:31 +0000
Subject: [PATCH 8/8] - narrows path-to-regexp resolution
---
 .pnp.cjs | 9 ++++++++-
 package.json | 2 +-
 yarn.lock | 7 +++++++
 3 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/.pnp.cjs b/.pnp.cjs
index d9366acf..8db1e6fe 100755
--- a/.pnp.cjs
+++ b/.pnp.cjs
@@ -13786,7 +13786,7 @@ function $$SETUP_STATE(hydrateRuntimeState, basePath) { ["@sinonjs/fake-timers", "npm:13.0.5"],\ ["@sinonjs/text-encoding", "npm:0.7.3"],\ ["just-extend", "npm:6.2.0"],\ - ["path-to-regexp", "npm:0.1.12"]\ + ["path-to-regexp", "npm:8.2.0"]\ ],\ "linkType": "HARD"\ }]\
@@ -14555,6 +14555,13 @@ function $$SETUP_STATE(hydrateRuntimeState, basePath) { ["path-to-regexp", "npm:0.1.12"]\ ],\ "linkType": "HARD"\ + }],\ + ["npm:8.2.0", {\ + "packageLocation": "./.yarn/cache/path-to-regexp-npm-8.2.0-71c92fc0c6-56e13e4596.zip/node_modules/path-to-regexp/",\ + "packageDependencies": [\ + ["path-to-regexp", "npm:8.2.0"]\ + ],\ + "linkType": "HARD"\ }]\ ]],\ ["path-type", [\
diff --git a/package.json b/package.json
index 9b4472ef..580bb431 100644
--- a/package.json
+++ b/package.json
@@ -143,7 +143,7 @@
 "tar": ">=6.2.1",
 "braces": ">=3.0.3",
 "cookie": ">=0.7.0",
- "path-to-regexp": "0.1.12"
+ "@hmcts/info-provider/path-to-regexp": "0.1.12"
 },
 "packageManager": "yarn@3.6.4"
 }
diff --git a/yarn.lock b/yarn.lock
index a71040ac..292ea9ef 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -11634,6 +11634,13 @@ __metadata: languageName: node linkType: hard +"path-to-regexp@npm:^8.1.0": + version: 8.2.0 + resolution: "path-to-regexp@npm:8.2.0" + checksum: 56e13e45962e776e9e7cd72e87a441cfe41f33fd539d097237ceb16adc922281136ca12f5a742962e33d8dda9569f630ba594de56d8b7b6e49adf31803c5e771 + languageName: node + linkType: hard + "path-type@npm:^3.0.0": version: 3.0.0 resolution: "path-type@npm:3.0.0"
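Review bot: The new resolutions key `"@hmcts/info-provider/path-to-regexp": "0.1.12"` in the package.json hunk looks inert: Yarn 3 applies a `parent/child` resolution only to the parent's direct dependencies, and the `.pnp.cjs` entry for `@hmcts/info-provider` shown in patch 6/8 lists only `express` and `js-yaml`. `path-to-regexp` is reached through `express` (the audit paths in the suppression file read `@hmcts/info-provider>express>path-to-regexp`), so the patched 0.1.12 appears to come from the `"express": "4.21.2"` pin alone. Either drop the key or scope it to the real parent, `"express/path-to-regexp": "0.1.12"`, and confirm with `yarn why path-to-regexp` that no 0.1.x copy below 0.1.12 remains. The `resolutions` object opens above this hunk, so its other entries are not visible here.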