Skip to content

CVE-2026-54285: Remediate CVE-2026-54285 in ccd-case-activity-api @opentelemetry/core#631

Open
hmcts-github-ccd[bot] wants to merge 1 commit into
masterfrom
cve-2026-54285-8740f7da-97ac-4cd6-9731-18e4ea45c956
Open

CVE-2026-54285: Remediate CVE-2026-54285 in ccd-case-activity-api @opentelemetry/core#631
hmcts-github-ccd[bot] wants to merge 1 commit into
masterfrom
cve-2026-54285-8740f7da-97ac-4cd6-9731-18e4ea45c956

Conversation

@hmcts-github-ccd

Copy link
Copy Markdown
Contributor

Summary:
Applied the Yarn 4 remediation for CVE-2026-54285 by resolving @opentelemetry/core descriptors from 2.7.1 to 2.8.0 in yarn.lock. Node source was .nvmrc=20.20.2 and active node was v20.20.2; Yarn 4.16.0 was used. Verified yarn install --immutable passed with existing peer warnings, yarn why shows applicationinsights paths resolving @opentelemetry/core@2.8.0, lint passed with the pre-existing validate-request.js console warning, unit tests passed with 72 passing, and test:smoke/test:a11y passed as TODO scripts. No build/compile/tsc or Dockerfile-derived compile script is configured. Re-ran production audit to yarn-audit-known-issues; CVE-2026-54285, GHSA-8988-4f7v-96qf, and @opentelemetry/core are absent. Remaining production audit findings are unrelated: form-data, lodash.clone deprecation, lodash.pick deprecation, and uuid.

Resolved CVEs: CVE-2026-54285

Plan ID: 8740f7da-97ac-4cd6-9731-18e4ea45c956

Approved by: james

@dinesh1patel dinesh1patel left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant