Merge pull request #240 from DEFRA/security-fix-expr-eval

alexluckett · web-flow · commit af0d6a53f51f · 2025-11-10T14:32:52.000Z
Switch to expr-eval-fork for security fixes (prototype pollution)
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -95,7 +95,7 @@
     "convict": "^6.2.4",
     "date-fns": "^4.1.0",
     "dotenv": "^17.2.1",
-    "expr-eval": "^2.0.2",
+    "expr-eval-fork": "^3.0.0",
     "govuk-frontend": "^5.11.1",
     "hapi-pino": "^12.1.0",
     "hapi-pulse": "^3.0.1",
diff --git a/src/server/plugins/engine/models/FormModel.ts b/src/server/plugins/engine/models/FormModel.ts
@@ -24,7 +24,7 @@ import {
   type Page
 } from '@defra/forms-model'
 import { add, format } from 'date-fns'
-import { Parser, type Value } from 'expr-eval'
+import { Parser, type Value } from 'expr-eval-fork'
 import joi from 'joi'
 
 import { createLogger } from '~/src/server/common/helpers/logging/logger.js'
diff --git a/src/server/plugins/engine/models/types.ts b/src/server/plugins/engine/models/types.ts
@@ -3,7 +3,7 @@ import {
   type FormComponentsDef,
   type Section
 } from '@defra/forms-model'
-import { type Expression } from 'expr-eval'
+import { type Expression } from 'expr-eval-fork'
 
 import {
   getAnswer,
