Skip to content

Commit e0826ac

Browse files
JamesCollettCGIJamesCollettCGIhmcts-jenkins-a-to-c[bot]RebeccaBakerhemantt
authored
CCD-6955: Investigate / fix CVE-2025-13466 (#515)
* Update yarn-audit-known-issues * Update body-parser to 2.2.1 * Update package.json * Update redis from 20.13.4 to 24.0.8 * Bumping chart version/ fixing aliases * updated yarn knowns * updated yarn.lock --------- Co-authored-by: JamesCollettCGI <james.collett@hmcts.net> Co-authored-by: hmcts-jenkins-a-to-c <62422075+hmcts-jenkins-a-to-c[bot]@users.noreply.github.com> Co-authored-by: Rebecca Di Libero (Baker) <38425793+RebeccaBaker@users.noreply.github.com> Co-authored-by: Hemanth Potipati <hrpotipati@gmail.com> Co-authored-by: Dinesh Patel <dinesh1.patel@btinternet.com> Co-authored-by: dinesh1patel <74076102+dinesh1patel@users.noreply.github.com>
1 parent 66a2544 commit e0826ac

3 files changed

Lines changed: 340 additions & 375 deletions

File tree

package.json

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -39,7 +39,7 @@
3939
"@hmcts/nodejs-logging": "^4.0.4",
4040
"@hmcts/properties-volume": "^0.0.14",
4141
"applicationinsights": "2.9.8",
42-
"body-parser": "^1.20.1",
42+
"body-parser": "^2.2.1",
4343
"config": "^1.26.1",
4444
"connect-timeout": "^1.9.0",
4545
"cookie": "^0.7.0",
@@ -104,7 +104,8 @@
104104
"qs": "6.14.1",
105105
"semver": "7.7.2",
106106
"@grpc/grpc-js": "1.13.4",
107-
"cross-spawn": "^7.0.6"
107+
"cross-spawn": "^7.0.6",
108+
"body-parser": "^2.2.1"
108109
},
109110
"packageManager": "yarn@4.9.4"
110111
}

yarn-audit-known-issues

Lines changed: 2 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,5 @@
1-
{"value":"body-parser","children":{"ID":1110858,"Issue":"body-parser is vulnerable to denial of service when url encoding is used","URL":"https://github.com/advisories/GHSA-wqch-xfxh-vrr4","Severity":"moderate","Vulnerable Versions":">=2.2.0 <2.2.1","Tree Versions":["2.2.0"],"Dependents":["express@npm:5.1.0"]}}
1+
{"value":"js-yaml","children":{"ID":1112714,"Issue":"js-yaml has prototype pollution in merge (<<)","URL":"https://github.com/advisories/GHSA-mh29-5h37-fv8m","Severity":"moderate","Vulnerable Versions":"<3.14.2","Tree Versions":["3.14.1"],"Dependents":["@hmcts/nodejs-healthcheck@npm:1.8.6"]}}
22
{"value":"lodash","children":{"ID":1112455,"Issue":"Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions","URL":"https://github.com/advisories/GHSA-xxjr-mmjv-4gpg","Severity":"moderate","Vulnerable Versions":">=4.0.0 <=4.17.22","Tree Versions":["4.17.21"],"Dependents":["@hmcts/properties-volume@npm:0.0.14"]}}
33
{"value":"lodash.clone","children":{"ID":"lodash.clone (deprecation)","Issue":"This package is deprecated. Use structuredClone instead.","Severity":"moderate","Vulnerable Versions":"4.5.0","Tree Versions":["4.5.0"],"Dependents":["ioredis@npm:3.2.2"]}}
44
{"value":"lodash.pick","children":{"ID":"lodash.pick (deprecation)","Issue":"This package is deprecated. Use destructuring assignment syntax instead.","Severity":"moderate","Vulnerable Versions":"3.1.0","Tree Versions":["3.1.0"],"Dependents":["ioredis@npm:3.2.2"]}}
5+
{"value":"qs","children":{"ID":1111755,"Issue":"qs's arrayLimit bypass in its bracket notation allows DoS via memory exhaustion","URL":"https://github.com/advisories/GHSA-6rw7-vpxm-498p","Severity":"high","Vulnerable Versions":"<6.14.1","Tree Versions":["6.14.0"],"Dependents":["body-parser@npm:2.2.1"]}}

0 commit comments

Comments
 (0)