From 5129da9bee9096a76b5bb3aab9fa1007801f0b80 Mon Sep 17 00:00:00 2001
From: Tom Saunders
Date: Wed, 27 Nov 2024 12:26:40 +0000
Subject: [PATCH 1/7] Address parameter pollution raised in ticket.
This appears to be the location the referenced parameter is used (along with locale which is not mentioned) directly. The behaviour here should now be that:
- we iterate left to right through 'lng' parameters
- if we find one which is in our list of languages we use it
- if not we iterate left to right through 'locale' parameters
- if we find one which is in our list of languages we use it
- otherwise we use english
---
 app.js | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/app.js b/app.js
index 0f0eda0628..ddbaa45544 100644
--- a/app.js
+++ b/app.js
@@ -249,10 +249,21 @@ exports.init = function (isA11yTest = false, a11yTestSession = {}, ftValue) {
 }
 if (req.query) {
- if (req.query.lng && config.languages.includes(req.query.lng)) {
- req.session.language = req.query.lng;
- } else if (req.query.locale && config.languages.includes(req.query.locale)) {
- req.session.language = req.query.locale;
+ const getLangFromQuery = (queryVal) => {
+ if (queryVal) {
+ if (!Array.isArray(queryVal)) {
+ queryVal = [queryVal];
+ }
+
+ return queryVal.find((l) => config.languages.includes(l));
+ }
+ };
+ const fromLng = getLangFromQuery(req.query.lng);
+ const fromLocale = getLangFromQuery(req.query.locale);
+ if (fromLng) {
+ req.session.language = fromLng;
+ } else if (fromLocale) {
+ req.session.language = fromLocale;
 }
 }
From 0000b93a52c8e41c83189379c4000b52dc85da04 Mon Sep 17 00:00:00 2001
From: Tom Saunders
Date: Wed, 27 Nov 2024 15:20:08 +0000
Subject: [PATCH 2/7] Add explicit timeout for strict-transport-security header.
This was previously defaulted through helmet, but we have been flagged as the value not being sufficiently long.
---
 app.js | 4 ++++
 1 file changed, 4 insertions(+)
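Review bot: In the `getLangFromQuery` helper added by PATCH 1/7, the parameter `queryVal` is reassigned and the function ends with an implicit `undefined`, which makes the allowlist check harder to audit than it needs to be; assuming `config.languages` holds only non-empty strings, `const candidates = Array.isArray(queryVal) ? queryVal : [queryVal];` followed by `return candidates.find((l) => config.languages.includes(l));` performs the same lookup without mutation. Because every non-array value is wrapped before `includes` is applied, only a value equal to an entry of `config.languages` can reach `req.session.language`, and a comment such as `// only values listed in config.languages are ever written to the session` would record that intent. When neither parameter matches, the hunk leaves `req.session.language` unchanged, so the "otherwise we use english" in the description presumably relies on a default set outside the hunk. The diffstat shows only app.js changing, so a regression test with repeated `lng` and `locale` parameters would be worth adding; the enclosing middleware starts and ends outside the hunk.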
diff --git a/app.js b/app.js
index ddbaa45544..6d48aea833 100644
--- a/app.js
+++ b/app.js
@@ -185,6 +185,10 @@ exports.init = function (isA11yTest = false, a11yTestSession = {}, ftValue) {
 app.use(nocache());
 app.use(helmet.xssFilter({setOnOldIE: true}));
+ app.use(helmet.hsts({
+ maxAge: 31536000,
+ }));
+
 const caching = {cacheControl: true, setHeaders: (res) => res.setHeader('Cache-Control', 'max-age=604800')};
 // Middleware to serve static assets
From fda04a31f41d9231eb19299cabd157f6481a6b8f Mon Sep 17 00:00:00 2001
From: Tom Saunders
Date: Wed, 27 Nov 2024 15:43:20 +0000
Subject: [PATCH 3/7] Update helmet to latest version.
Also use long name for hsts (strictTransportSecurity) since this matches the name of the header (similar to the other helmet uses).
---
 app.js | 2 +-
 package.json | 2 +-
 yarn.lock | 713 +++++++++++++++++++++++++++++++++++++++------------
 3 files changed, 549 insertions(+), 168 deletions(-)
diff --git a/app.js b/app.js
index 6d48aea833..0bc916999e 100644
--- a/app.js
+++ b/app.js
@@ -185,7 +185,7 @@ exports.init = function (isA11yTest = false, a11yTestSession = {}, ftValue) {
 app.use(nocache());
 app.use(helmet.xssFilter({setOnOldIE: true}));
- app.use(helmet.hsts({
+ app.use(helmet.strictTransportSecurity({
 maxAge: 31536000,
 }));
diff --git a/package.json b/package.json
index 8f918c7402..e4630f349e 100644
--- a/package.json
+++ b/package.json
@@ -118,7 +118,7 @@
 "get-port": "^4.2.0",
 "git-rev-sync": "^3.0.2",
 "govuk-frontend": "^4.9.0",
- "helmet": "^3.23.3",
+ "helmet": "^8.0.0",
 "hpkp": "^3.0.0",
 "http-terminator": "^3.0.0",
 "https-proxy-agent": "^5.0.1",
diff --git a/yarn.lock b/yarn.lock
index 7d9f0d63c3..962679f47b 100644
--- a/yarn.lock
+++ b/yarn.lock
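Review bot: The `maxAge: 31536000` added to `helmet.hsts` in PATCH 2/7 is an unexplained literal, and the header's other directives are still left to the library's defaults even though the commit's aim is to stop depending on them. A comment such as `// HSTS max-age in seconds (365 days)` and an explicit `includeSubDomains: true` (or `false`, if some subdomains cannot serve HTTPS) would make the resulting header reviewable from this file alone. The surrounding `exports.init` body starts and ends outside the hunk.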
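Review bot: The context line `app.use(helmet.xssFilter({setOnOldIE: true}));` directly above the renamed call in PATCH 3/7 is left as it was, while the same commit moves helmet from `^3.23.3` to `^8.0.0` in package.json, five major versions apart. As far as I know, current helmet releases no longer take options for this middleware and send `X-XSS-Protection: 0` instead of enabling the browser filter, so the `setOnOldIE` argument is probably ignored and the header's value changes; this should be confirmed against the helmet changelog and, if so, the call reduced to `app.use(helmet.xssFilter());`. The lockfile also drops helmet's old bundled modules such as `hpkp@2.0.0`, `nocache@2.1.0` and `feature-policy@0.3.0`, so any other `helmet.*` call in app.js outside this hunk needs checking against the v8 API, ideally with a test that asserts the response headers.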
@@ -258,7 +258,18 @@ __metadata: languageName: node linkType: hard -"@babel/code-frame@npm:^7.0.0, @babel/code-frame@npm:^7.12.13, @babel/code-frame@npm:^7.21.4, @babel/code-frame@npm:^7.24.7": +"@babel/code-frame@npm:^7.0.0, @babel/code-frame@npm:^7.12.13, @babel/code-frame@npm:^7.21.4, @babel/code-frame@npm:^7.25.9": + version: 7.26.2 + resolution: "@babel/code-frame@npm:7.26.2" + dependencies: + "@babel/helper-validator-identifier": "npm:^7.25.9" + js-tokens: "npm:^4.0.0" + picocolors: "npm:^1.0.0" + checksum: 10/db2c2122af79d31ca916755331bb4bac96feb2b334cdaca5097a6b467fdd41963b89b14b6836a14f083de7ff887fc78fa1b3c10b14e743d33e12dbfe5ee3d223 + languageName: node + linkType: hard + +"@babel/code-frame@npm:^7.24.7": version: 7.24.7 resolution: "@babel/code-frame@npm:7.24.7" dependencies: @@ -298,7 +309,20 @@ __metadata: languageName: node linkType: hard -"@babel/generator@npm:^7.20.0, @babel/generator@npm:^7.25.0, @babel/generator@npm:^7.25.6": +"@babel/generator@npm:^7.20.0, @babel/generator@npm:^7.25.9": + version: 7.26.2 + resolution: "@babel/generator@npm:7.26.2" + dependencies: + "@babel/parser": "npm:^7.26.2" + "@babel/types": "npm:^7.26.0" + "@jridgewell/gen-mapping": "npm:^0.3.5" + "@jridgewell/trace-mapping": "npm:^0.3.25" + jsesc: "npm:^3.0.2" + checksum: 10/71ace82b5b07a554846a003624bfab93275ccf73cdb9f1a37a4c1094bf9dc94bb677c67e8b8c939dbd6c5f0eda2e8f268aa2b0d9c3b9511072565660e717e045 + languageName: node + linkType: hard + +"@babel/generator@npm:^7.25.0, @babel/generator@npm:^7.25.6": version: 7.25.6 resolution: "@babel/generator@npm:7.25.6" dependencies: 
@@ -319,6 +343,15 @@ __metadata: languageName: node linkType: hard +"@babel/helper-annotate-as-pure@npm:^7.25.9": + version: 7.25.9 + resolution: "@babel/helper-annotate-as-pure@npm:7.25.9" + dependencies: + "@babel/types": "npm:^7.25.9" + checksum: 10/41edda10df1ae106a9b4fe617bf7c6df77db992992afd46192534f5cff29f9e49a303231733782dd65c5f9409714a529f215325569f14282046e9d3b7a1ffb6c + languageName: node + linkType: hard + "@babel/helper-compilation-targets@npm:^7.20.7, @babel/helper-compilation-targets@npm:^7.22.6, @babel/helper-compilation-targets@npm:^7.23.6, @babel/helper-compilation-targets@npm:^7.25.2": version: 7.25.2 resolution: "@babel/helper-compilation-targets@npm:7.25.2" @@ -332,7 +365,24 @@ __metadata: languageName: node linkType: hard -"@babel/helper-create-class-features-plugin@npm:^7.18.6, @babel/helper-create-class-features-plugin@npm:^7.24.1, @babel/helper-create-class-features-plugin@npm:^7.24.4": +"@babel/helper-create-class-features-plugin@npm:^7.18.6, @babel/helper-create-class-features-plugin@npm:^7.25.9": + version: 7.25.9 + resolution: "@babel/helper-create-class-features-plugin@npm:7.25.9" + dependencies: + "@babel/helper-annotate-as-pure": "npm:^7.25.9" + "@babel/helper-member-expression-to-functions": "npm:^7.25.9" + "@babel/helper-optimise-call-expression": "npm:^7.25.9" + "@babel/helper-replace-supers": "npm:^7.25.9" + "@babel/helper-skip-transparent-expression-wrappers": "npm:^7.25.9" + "@babel/traverse": "npm:^7.25.9" + semver: "npm:^6.3.1" + peerDependencies: + "@babel/core": ^7.0.0 + checksum: 10/d1d47a7b5fd317c6cb1446b0e4f4892c19ddaa69ea0229f04ba8bea5f273fc8168441e7114ad36ff919f2d310f97310cec51adc79002e22039a7e1640ccaf248 + languageName: node + linkType: hard + +"@babel/helper-create-class-features-plugin@npm:^7.24.1, @babel/helper-create-class-features-plugin@npm:^7.24.4": version: 7.24.4 resolution: "@babel/helper-create-class-features-plugin@npm:7.24.4" dependencies: 
@@ -405,6 +455,16 @@ __metadata: languageName: node linkType: hard +"@babel/helper-member-expression-to-functions@npm:^7.25.9": + version: 7.25.9 + resolution: "@babel/helper-member-expression-to-functions@npm:7.25.9" + dependencies: + "@babel/traverse": "npm:^7.25.9" + "@babel/types": "npm:^7.25.9" + checksum: 10/ef8cc1c1e600b012b312315f843226545a1a89f25d2f474ce2503fd939ca3f8585180f291a3a13efc56cf13eddc1d41a3a040eae9a521838fd59a6d04cc82490 + languageName: node + linkType: hard + "@babel/helper-module-imports@npm:^7.22.15, @babel/helper-module-imports@npm:^7.24.1, @babel/helper-module-imports@npm:^7.24.3, @babel/helper-module-imports@npm:^7.24.7": version: 7.24.7 resolution: "@babel/helper-module-imports@npm:7.24.7" 
@@ -438,7 +498,23 @@ __metadata: languageName: node linkType: hard -"@babel/helper-plugin-utils@npm:^7.10.4, @babel/helper-plugin-utils@npm:^7.14.5, @babel/helper-plugin-utils@npm:^7.18.6, @babel/helper-plugin-utils@npm:^7.20.2, @babel/helper-plugin-utils@npm:^7.22.5, @babel/helper-plugin-utils@npm:^7.24.0, @babel/helper-plugin-utils@npm:^7.8.0": +"@babel/helper-optimise-call-expression@npm:^7.25.9": + version: 7.25.9 + resolution: "@babel/helper-optimise-call-expression@npm:7.25.9" + dependencies: + "@babel/types": "npm:^7.25.9" + checksum: 10/f09d0ad60c0715b9a60c31841b3246b47d67650c512ce85bbe24a3124f1a4d66377df793af393273bc6e1015b0a9c799626c48e53747581c1582b99167cc65dc + languageName: node + linkType: hard + +"@babel/helper-plugin-utils@npm:^7.10.4, @babel/helper-plugin-utils@npm:^7.18.6, @babel/helper-plugin-utils@npm:^7.20.2, @babel/helper-plugin-utils@npm:^7.22.5, @babel/helper-plugin-utils@npm:^7.25.9, @babel/helper-plugin-utils@npm:^7.8.0": + version: 7.25.9 + resolution: "@babel/helper-plugin-utils@npm:7.25.9" + checksum: 10/e347d87728b1ab10b6976d46403941c8f9008c045ea6d99997a7ffca7b852dc34b6171380f7b17edf94410e0857ff26f3a53d8618f11d73744db86e8ca9b8c64 + languageName: node + linkType: hard + +"@babel/helper-plugin-utils@npm:^7.14.5, @babel/helper-plugin-utils@npm:^7.24.0": version: 7.24.0 resolution: "@babel/helper-plugin-utils@npm:7.24.0" checksum: 10/dc8c7af321baf7653d93315beffee1790eb2c464b4f529273a24c8743a3f3095bf3f2d11828cb2c52d56282ef43a4bdc67a79c9ab8dd845e35d01871f3f28a0e 
@@ -471,6 +547,19 @@ __metadata: languageName: node linkType: hard +"@babel/helper-replace-supers@npm:^7.25.9": + version: 7.25.9 + resolution: "@babel/helper-replace-supers@npm:7.25.9" + dependencies: + "@babel/helper-member-expression-to-functions": "npm:^7.25.9" + "@babel/helper-optimise-call-expression": "npm:^7.25.9" + "@babel/traverse": "npm:^7.25.9" + peerDependencies: + "@babel/core": ^7.0.0 + checksum: 10/8ebf787016953e4479b99007bac735c9c860822fafc51bc3db67bc53814539888797238c81fa8b948b6da897eb7b1c1d4f04df11e501a7f0596b356be02de2ab + languageName: node + linkType: hard + "@babel/helper-simple-access@npm:^7.22.5, @babel/helper-simple-access@npm:^7.24.7": version: 7.24.7 resolution: "@babel/helper-simple-access@npm:7.24.7" @@ -481,7 +570,17 @@ __metadata: languageName: node linkType: hard -"@babel/helper-skip-transparent-expression-wrappers@npm:^7.20.0, @babel/helper-skip-transparent-expression-wrappers@npm:^7.22.5": +"@babel/helper-skip-transparent-expression-wrappers@npm:^7.20.0, @babel/helper-skip-transparent-expression-wrappers@npm:^7.25.9": + version: 7.25.9 + resolution: "@babel/helper-skip-transparent-expression-wrappers@npm:7.25.9" + dependencies: + "@babel/traverse": "npm:^7.25.9" + "@babel/types": "npm:^7.25.9" + checksum: 10/fdbb5248932198bc26daa6abf0d2ac42cab9c2dbb75b7e9f40d425c8f28f09620b886d40e7f9e4e08ffc7aaa2cefe6fc2c44be7c20e81f7526634702fb615bdc + languageName: node + linkType: hard + +"@babel/helper-skip-transparent-expression-wrappers@npm:^7.22.5": version: 7.22.5 resolution: "@babel/helper-skip-transparent-expression-wrappers@npm:7.22.5" dependencies: 
@@ -506,6 +605,13 @@ __metadata: languageName: node linkType: hard +"@babel/helper-string-parser@npm:^7.25.9": + version: 7.25.9 + resolution: "@babel/helper-string-parser@npm:7.25.9" + checksum: 10/c28656c52bd48e8c1d9f3e8e68ecafd09d949c57755b0d353739eb4eae7ba4f7e67e92e4036f1cd43378cc1397a2c943ed7bcaf5949b04ab48607def0258b775 + languageName: node + linkType: hard + "@babel/helper-validator-identifier@npm:^7.24.7": version: 7.24.7 resolution: "@babel/helper-validator-identifier@npm:7.24.7" @@ -513,6 +619,13 @@ __metadata: languageName: node linkType: hard +"@babel/helper-validator-identifier@npm:^7.25.9": + version: 7.25.9 + resolution: "@babel/helper-validator-identifier@npm:7.25.9" + checksum: 10/3f9b649be0c2fd457fa1957b694b4e69532a668866b8a0d81eabfa34ba16dbf3107b39e0e7144c55c3c652bf773ec816af8df4a61273a2bb4eb3145ca9cf478e + languageName: node + linkType: hard + "@babel/helper-validator-option@npm:^7.23.5, @babel/helper-validator-option@npm:^7.24.8": version: 7.24.8 resolution: "@babel/helper-validator-option@npm:7.24.8" @@ -553,7 +666,18 @@ __metadata: languageName: node linkType: hard -"@babel/parser@npm:^7.13.16, @babel/parser@npm:^7.20.0, @babel/parser@npm:^7.23.9, @babel/parser@npm:^7.25.0, @babel/parser@npm:^7.25.6, @babel/parser@npm:^7.8.3": +"@babel/parser@npm:^7.13.16, @babel/parser@npm:^7.20.0, @babel/parser@npm:^7.23.9, @babel/parser@npm:^7.25.9, @babel/parser@npm:^7.26.2, @babel/parser@npm:^7.8.3": + version: 7.26.2 + resolution: "@babel/parser@npm:7.26.2" + dependencies: + "@babel/types": "npm:^7.26.0" + bin: + parser: ./bin/babel-parser.js + checksum: 10/8baee43752a3678ad9f9e360ec845065eeee806f1fdc8e0f348a8a0e13eef0959dabed4a197c978896c493ea205c804d0a1187cc52e4a1ba017c7935bab4983d + languageName: node + linkType: hard + +"@babel/parser@npm:^7.25.0, @babel/parser@npm:^7.25.6": version: 7.25.6 resolution: "@babel/parser@npm:7.25.6" dependencies: 
@@ -798,6 +922,17 @@ __metadata: languageName: node linkType: hard +"@babel/plugin-syntax-typescript@npm:^7.25.9": + version: 7.25.9 + resolution: "@babel/plugin-syntax-typescript@npm:7.25.9" + dependencies: + "@babel/helper-plugin-utils": "npm:^7.25.9" + peerDependencies: + "@babel/core": ^7.0.0-0 + checksum: 10/0e9821e8ba7d660c36c919654e4144a70546942ae184e85b8102f2322451eae102cbfadbcadd52ce077a2b44b400ee52394c616feab7b5b9f791b910e933fd33 + languageName: node + linkType: hard + "@babel/plugin-transform-arrow-functions@npm:^7.0.0": version: 7.24.1 resolution: "@babel/plugin-transform-arrow-functions@npm:7.24.1" @@ -1070,7 +1205,7 @@ __metadata: languageName: node linkType: hard -"@babel/plugin-transform-typescript@npm:^7.24.1, @babel/plugin-transform-typescript@npm:^7.5.0": +"@babel/plugin-transform-typescript@npm:^7.24.1": version: 7.24.4 resolution: "@babel/plugin-transform-typescript@npm:7.24.4" dependencies: @@ -1084,6 +1219,21 @@ __metadata: languageName: node linkType: hard +"@babel/plugin-transform-typescript@npm:^7.5.0": + version: 7.25.9 + resolution: "@babel/plugin-transform-typescript@npm:7.25.9" + dependencies: + "@babel/helper-annotate-as-pure": "npm:^7.25.9" + "@babel/helper-create-class-features-plugin": "npm:^7.25.9" + "@babel/helper-plugin-utils": "npm:^7.25.9" + "@babel/helper-skip-transparent-expression-wrappers": "npm:^7.25.9" + "@babel/plugin-syntax-typescript": "npm:^7.25.9" + peerDependencies: + "@babel/core": ^7.0.0-0 + checksum: 10/91e2ec805f89a813e0bf9cf42dffb767f798429e983af3e2f919885a2826b10f29223dd8b40ccc569eb61858d3273620e82e14431603a893e4a7f9b4c1a3a3cf + languageName: node + linkType: hard + "@babel/plugin-transform-unicode-regex@npm:^7.0.0": version: 7.24.1 resolution: "@babel/plugin-transform-unicode-regex@npm:7.24.1" 
@@ -1146,7 +1296,7 @@ __metadata: languageName: node linkType: hard -"@babel/runtime@npm:^7.0.0, @babel/runtime@npm:^7.23.2": +"@babel/runtime@npm:^7.0.0": version: 7.25.6 resolution: "@babel/runtime@npm:7.25.6" dependencies: @@ -1155,7 +1305,27 @@ __metadata: languageName: node linkType: hard -"@babel/template@npm:^7.0.0, @babel/template@npm:^7.22.15, @babel/template@npm:^7.24.0, @babel/template@npm:^7.25.0": +"@babel/runtime@npm:^7.23.2": + version: 7.26.0 + resolution: "@babel/runtime@npm:7.26.0" + dependencies: + regenerator-runtime: "npm:^0.14.0" + checksum: 10/9f4ea1c1d566c497c052d505587554e782e021e6ccd302c2ad7ae8291c8e16e3f19d4a7726fb64469e057779ea2081c28b7dbefec6d813a22f08a35712c0f699 + languageName: node + linkType: hard + +"@babel/template@npm:^7.0.0, @babel/template@npm:^7.25.9": + version: 7.25.9 + resolution: "@babel/template@npm:7.25.9" + dependencies: + "@babel/code-frame": "npm:^7.25.9" + "@babel/parser": "npm:^7.25.9" + "@babel/types": "npm:^7.25.9" + checksum: 10/e861180881507210150c1335ad94aff80fd9e9be6202e1efa752059c93224e2d5310186ddcdd4c0f0b0fc658ce48cb47823f15142b5c00c8456dde54f5de80b2 + languageName: node + linkType: hard + +"@babel/template@npm:^7.22.15, @babel/template@npm:^7.24.0, @babel/template@npm:^7.25.0": version: 7.25.0 resolution: "@babel/template@npm:7.25.0" dependencies: 
@@ -1166,7 +1336,22 @@ __metadata: languageName: node linkType: hard -"@babel/traverse@npm:^7.20.0, @babel/traverse@npm:^7.24.7, @babel/traverse@npm:^7.25.2": +"@babel/traverse@npm:^7.20.0, @babel/traverse@npm:^7.25.9": + version: 7.25.9 + resolution: "@babel/traverse@npm:7.25.9" + dependencies: + "@babel/code-frame": "npm:^7.25.9" + "@babel/generator": "npm:^7.25.9" + "@babel/parser": "npm:^7.25.9" + "@babel/template": "npm:^7.25.9" + "@babel/types": "npm:^7.25.9" + debug: "npm:^4.3.1" + globals: "npm:^11.1.0" + checksum: 10/7431614d76d4a053e429208db82f2846a415833f3d9eb2e11ef72eeb3c64dfd71f4a4d983de1a4a047b36165a1f5a64de8ca2a417534cc472005c740ffcb9c6a + languageName: node + linkType: hard + +"@babel/traverse@npm:^7.24.7, @babel/traverse@npm:^7.25.2": version: 7.25.6 resolution: "@babel/traverse@npm:7.25.6" dependencies: @@ -1181,7 +1366,17 @@ __metadata: languageName: node linkType: hard -"@babel/types@npm:^7.20.0, @babel/types@npm:^7.22.19, @babel/types@npm:^7.22.5, @babel/types@npm:^7.23.0, @babel/types@npm:^7.23.4, @babel/types@npm:^7.24.7, @babel/types@npm:^7.25.0, @babel/types@npm:^7.25.2, @babel/types@npm:^7.25.6": +"@babel/types@npm:^7.20.0, @babel/types@npm:^7.24.7, @babel/types@npm:^7.25.9, @babel/types@npm:^7.26.0": + version: 7.26.0 + resolution: "@babel/types@npm:7.26.0" + dependencies: + "@babel/helper-string-parser": "npm:^7.25.9" + "@babel/helper-validator-identifier": "npm:^7.25.9" + checksum: 10/40780741ecec886ed9edae234b5eb4976968cc70d72b4e5a40d55f83ff2cc457de20f9b0f4fe9d858350e43dab0ea496e7ef62e2b2f08df699481a76df02cd6e + languageName: node + linkType: hard + +"@babel/types@npm:^7.22.19, @babel/types@npm:^7.22.5, @babel/types@npm:^7.23.0, @babel/types@npm:^7.23.4, @babel/types@npm:^7.25.0, @babel/types@npm:^7.25.2, @babel/types@npm:^7.25.6": version: 7.25.6 resolution: "@babel/types@npm:7.25.6" dependencies: 
@@ -1777,7 +1972,7 @@ __metadata: languageName: node linkType: hard -"@opentelemetry/core@npm:1.25.1, @opentelemetry/core@npm:^1.15.2, @opentelemetry/core@npm:^1.19.0": +"@opentelemetry/core@npm:1.25.1, @opentelemetry/core@npm:^1.15.2": version: 1.25.1 resolution: "@opentelemetry/core@npm:1.25.1" dependencies: @@ -1788,6 +1983,17 @@ __metadata: languageName: node linkType: hard +"@opentelemetry/core@npm:^1.19.0": + version: 1.28.0 + resolution: "@opentelemetry/core@npm:1.28.0" + dependencies: + "@opentelemetry/semantic-conventions": "npm:1.27.0" + peerDependencies: + "@opentelemetry/api": ">=1.0.0 <1.10.0" + checksum: 10/d662f991581bb82fffcb0d2cdc8296d08297399126b67b070d30cae7120200b540d71fe4db9a02556bf8ce53c0272fd1cd9095abe1fd1002b2566887b06f3b88 + languageName: node + linkType: hard + "@opentelemetry/instrumentation@npm:^0.41.2": version: 0.41.2 resolution: "@opentelemetry/instrumentation@npm:0.41.2" 
@@ -1828,13 +2034,27 @@ __metadata: languageName: node linkType: hard -"@opentelemetry/semantic-conventions@npm:1.25.1, @opentelemetry/semantic-conventions@npm:^1.19.0": +"@opentelemetry/semantic-conventions@npm:1.25.1": version: 1.25.1 resolution: "@opentelemetry/semantic-conventions@npm:1.25.1" checksum: 10/d84745a9e21a451560a293b4e6f996ee7c67bb983a7ec05408c23d207c6fc8b73a0af9c1ebea26e3acb4f0e3405ea7eb0d6bdf9adad9f954d60829bbb48ea307 languageName: node linkType: hard +"@opentelemetry/semantic-conventions@npm:1.27.0": + version: 1.27.0 + resolution: "@opentelemetry/semantic-conventions@npm:1.27.0" + checksum: 10/98166522f299e2fe3d43376adbdeb92679b75ebb172e2a3c4c71f2942bd91585e9537618efbbae6dc08177699e5719368edf66d7e69e8636f360b85217bbdbe1 + languageName: node + linkType: hard + +"@opentelemetry/semantic-conventions@npm:^1.19.0": + version: 1.28.0 + resolution: "@opentelemetry/semantic-conventions@npm:1.28.0" + checksum: 10/c182a3206769b5d5a8ab89a5c674d046fd789421cef27ea55af179990e314732433c98e5017aa23e99f15fd2b0e13cb129bb6c2282da6860ce9419adf32b2e87 + languageName: node + linkType: hard + "@pact-foundation/pact-core@npm:^15.1.0": version: 15.1.0 resolution: "@pact-foundation/pact-core@npm:15.1.0" @@ -1951,6 +2171,23 @@ __metadata: languageName: node linkType: hard +"@puppeteer/browsers@npm:1.9.1, @puppeteer/browsers@npm:^1.6.0": + version: 1.9.1 + resolution: "@puppeteer/browsers@npm:1.9.1" + dependencies: + debug: "npm:4.3.4" + extract-zip: "npm:2.0.1" + progress: "npm:2.0.3" + proxy-agent: "npm:6.3.1" + tar-fs: "npm:3.0.4" + unbzip2-stream: "npm:1.4.3" + yargs: "npm:17.7.2" + bin: + browsers: lib/cjs/main-cli.js + checksum: 10/804cbc18bcc68796f1abebc2b008346fdcc10952a224bfdb1b81b5618a63e4b685a6f2a71e997a454d5695c8faec58e05e04a7cf83e56a899d6adbe94427de3b + languageName: node + linkType: hard + "@puppeteer/browsers@npm:2.7.0": version: 2.7.0 resolution: "@puppeteer/browsers@npm:2.7.0" 
@@ -1969,23 +2206,6 @@ __metadata: languageName: node linkType: hard -"@puppeteer/browsers@npm:^1.6.0": - version: 1.9.1 - resolution: "@puppeteer/browsers@npm:1.9.1" - dependencies: - debug: "npm:4.3.4" - extract-zip: "npm:2.0.1" - progress: "npm:2.0.3" - proxy-agent: "npm:6.3.1" - tar-fs: "npm:3.0.4" - unbzip2-stream: "npm:1.4.3" - yargs: "npm:17.7.2" - bin: - browsers: lib/cjs/main-cli.js - checksum: 10/804cbc18bcc68796f1abebc2b008346fdcc10952a224bfdb1b81b5618a63e4b685a6f2a71e997a454d5695c8faec58e05e04a7cf83e56a899d6adbe94427de3b - languageName: node - linkType: hard - "@react-native-community/cli-clean@npm:12.3.6": version: 12.3.6 resolution: "@react-native-community/cli-clean@npm:12.3.6" @@ -2622,12 +2842,12 @@ __metadata: languageName: node linkType: hard -"@types/node@npm:*, @types/node@npm:^22.0.0": - version: 22.10.7 - resolution: "@types/node@npm:22.10.7" +"@types/node@npm:*, @types/node@npm:^22.0.0, @types/node@npm:^22.2.0": + version: 22.10.0 + resolution: "@types/node@npm:22.10.0" dependencies: undici-types: "npm:~6.20.0" - checksum: 10/64cde1c2f5e5f7d597d3bd462f52c3c2d688a66623eb75d25e1d1d63d384ef553a27100635ad0dbb7d74da517048aa636947863eb624cf85f25d2f22370ce474 + checksum: 10/e2561e15eaac6261cf828cd7dcd4882a5ce2e10104db4123566b00418acf30e18518e39c7a906682f44118b420c555cc774ac3e0e6f80e37f55884cfe6cf1f78 languageName: node linkType: hard 
@@ -2891,7 +3111,22 @@ __metadata: languageName: node linkType: hard -"@wdio/globals@npm:8.39.1, @wdio/globals@npm:^8.29.3": +"@wdio/config@npm:8.40.6": + version: 8.40.6 + resolution: "@wdio/config@npm:8.40.6" + dependencies: + "@wdio/logger": "npm:8.38.0" + "@wdio/types": "npm:8.40.6" + "@wdio/utils": "npm:8.40.6" + decamelize: "npm:^6.0.0" + deepmerge-ts: "npm:^5.0.0" + glob: "npm:^10.2.2" + import-meta-resolve: "npm:^4.0.0" + checksum: 10/8234a3151b84b9f4832b1e5e9433d398afb8ecb8e48a9b0fca343419b70b8967f0ca1f2123a6f5ed5ce8030c8a240d3f2e7f54db4a308359ae14582e86ea1f3d + languageName: node + linkType: hard + +"@wdio/globals@npm:8.39.1": version: 8.39.1 resolution: "@wdio/globals@npm:8.39.1" dependencies: @@ -2906,6 +3141,21 @@ __metadata: languageName: node linkType: hard +"@wdio/globals@npm:^8.29.3": + version: 8.40.6 + resolution: "@wdio/globals@npm:8.40.6" + dependencies: + expect-webdriverio: "npm:^4.11.2" + webdriverio: "npm:8.40.6" + dependenciesMeta: + expect-webdriverio: + optional: true + webdriverio: + optional: true + checksum: 10/f931fb1b0e78e68ae688ef9326c6e540e89a831a42fcf2fd0d3fd0d20b7d8a7d87dc44a354dc964c8a308b83e1e0b618dcebdd7e6c2edafb1768cf868864147b + languageName: node + linkType: hard + "@wdio/logger@npm:8.11.0": version: 8.11.0 resolution: "@wdio/logger@npm:8.11.0" @@ -2937,6 +3187,13 @@ __metadata: languageName: node linkType: hard +"@wdio/protocols@npm:8.40.3": + version: 8.40.3 + resolution: "@wdio/protocols@npm:8.40.3" + checksum: 10/ea5898a6181498c38cfff9bde4df87f63162762d9b393a7a9ec75347da472fe09ba023df79eeac70478d31e7ae28e2a7c23dddb2cb02df766d0836491843247c + languageName: node + linkType: hard + "@wdio/repl@npm:8.24.12": version: 8.24.12 resolution: "@wdio/repl@npm:8.24.12" 
@@ -2946,6 +3203,15 @@ __metadata: languageName: node linkType: hard +"@wdio/repl@npm:8.40.3": + version: 8.40.3 + resolution: "@wdio/repl@npm:8.40.3" + dependencies: + "@types/node": "npm:^22.2.0" + checksum: 10/48929af5bf99b72f1e3e626212db0b57f3425cae6b5d0d0992a2e28badb2d1a30b15b5cb10589600374c913c24d9e5e7137bbd83735ce1b7a2c2e76f0722218f + languageName: node + linkType: hard + "@wdio/selenium-standalone-service@npm:^8.10.4": version: 8.14.0 resolution: "@wdio/selenium-standalone-service@npm:8.14.0" @@ -2977,6 +3243,15 @@ __metadata: languageName: node linkType: hard +"@wdio/types@npm:8.40.6": + version: 8.40.6 + resolution: "@wdio/types@npm:8.40.6" + dependencies: + "@types/node": "npm:^22.2.0" + checksum: 10/19cdb35b26586488d985ae486de4d5f034ad59d7068bac1b5952af0bac5633039a323db4ec20a99947ea6c96a7aaee58cbc193ac7b25110bcdad803c9ad495c3 + languageName: node + linkType: hard + "@wdio/utils@npm:8.14.0": version: 8.14.0 resolution: "@wdio/utils@npm:8.14.0" @@ -3009,6 +3284,27 @@ __metadata: languageName: node linkType: hard +"@wdio/utils@npm:8.40.6": + version: 8.40.6 + resolution: "@wdio/utils@npm:8.40.6" + dependencies: + "@puppeteer/browsers": "npm:^1.6.0" + "@wdio/logger": "npm:8.38.0" + "@wdio/types": "npm:8.40.6" + decamelize: "npm:^6.0.0" + deepmerge-ts: "npm:^5.1.0" + edgedriver: "npm:^5.5.0" + geckodriver: "npm:^4.3.1" + get-port: "npm:^7.0.0" + import-meta-resolve: "npm:^4.0.0" + locate-app: "npm:^2.1.0" + safaridriver: "npm:^0.1.0" + split2: "npm:^4.2.0" + wait-port: "npm:^1.0.4" + checksum: 10/8b5b02fa46dccb3a79f2446a781b3c9984babd5ed7d6acf24b7283d548043695deb48e7e8c254149e6865372eee7ce7409d82fcc425db83c34b885eda2622311 + languageName: node + linkType: hard + "@xmldom/xmldom@npm:0.9.5": version: 0.9.5 resolution: "@xmldom/xmldom@npm:0.9.5" @@ -3674,7 +3970,7 @@ __metadata: languageName: node linkType: hard -"axios@npm:1.7.7, axios@npm:^1.7.4": +"axios@npm:1.7.7": version: 1.7.7 resolution: "axios@npm:1.7.7" dependencies: 
@@ -3685,6 +3981,17 @@ __metadata: languageName: node linkType: hard +"axios@npm:^1.7.4": + version: 1.7.8 + resolution: "axios@npm:1.7.8" + dependencies: + follow-redirects: "npm:^1.15.6" + form-data: "npm:^4.0.0" + proxy-from-env: "npm:^1.1.0" + checksum: 10/7ddcde188041ac55090186254b4025eb2af842be3cf615ce45393fd7f543c1eab0ad2fdd2017a5f6190695e3ecea73ee5e9c37f204854aec2698f9579046efdf + languageName: node + linkType: hard + "b4a@npm:^1.6.1, b4a@npm:^1.6.4": version: 1.6.6 resolution: "b4a@npm:1.6.6" @@ -3955,13 +4262,6 @@ __metadata: languageName: node linkType: hard -"bowser@npm:2.9.0": - version: 2.9.0 - resolution: "bowser@npm:2.9.0" - checksum: 10/e1067da6bef63956514db064a7e8158c5f0e48e1f0668ec596d6164b1e3e5c716ffbe831b8f1b08cec9e8e1cfff95f2541b52c7854d816f6b0c3c6d057e7c2e0 - languageName: node - linkType: hard - "brace-expansion@npm:^1.1.7": version: 1.1.11 resolution: "brace-expansion@npm:1.1.11" @@ -4437,13 +4737,6 @@ __metadata: languageName: node linkType: hard -"camelize@npm:1.0.0": - version: 1.0.0 - resolution: "camelize@npm:1.0.0" - checksum: 10/ad285ffc909e43fc0e973bebd269c063657c5b69344def478896b0d4a6d64643af1908b0455f50d1fe8ef0ea7591a8a649086f20eae0de4c7e1f8e1cdf5c552f - languageName: node - linkType: hard - "caniuse-lite@npm:^1.0.30001646": version: 1.0.30001663 resolution: "caniuse-lite@npm:1.0.30001663" @@ -4823,6 +5116,18 @@ __metadata: languageName: node linkType: hard +"chromium-bidi@npm:0.5.8": + version: 0.5.8 + resolution: "chromium-bidi@npm:0.5.8" + dependencies: + mitt: "npm:3.0.1" + urlpattern-polyfill: "npm:10.0.0" + peerDependencies: + devtools-protocol: "*" + checksum: 10/2eaa4d07ebee562f2a1ddbefea6b0e935ae78b51d2b6b7c38a9932b6168db56bae3a760c9bc8ddf2cbde6ff629b4402d45895db656e82e638c6a011801950afc + languageName: node + linkType: hard + "chromium-edge-launcher@npm:^1.0.0": version: 1.0.0 resolution: "chromium-edge-launcher@npm:1.0.0" 
@@ -5374,13 +5679,6 @@ __metadata: languageName: node linkType: hard -"content-security-policy-builder@npm:2.1.0": - version: 2.1.0 - resolution: "content-security-policy-builder@npm:2.1.0" - checksum: 10/9c7017594360e1d01abc5a133a1e81952f02692b98b7a6bffdde7b09a968077b5460155d07efbd6b353b4040e07de2958686cbc1edf2028f85dfcd90747fef3e - languageName: node - linkType: hard - "content-type@npm:~1.0.4, content-type@npm:~1.0.5": version: 1.0.5 resolution: "content-type@npm:1.0.5" @@ -5664,13 +5962,6 @@ __metadata: languageName: node linkType: hard -"dasherize@npm:2.0.0": - version: 2.0.0 - resolution: "dasherize@npm:2.0.0" - checksum: 10/c7e62f03d31070939d60a358e2df43ebc5001b167cf80f37bdecedb2001e2b93cc9eabd9cd9dad52ae4372ddb1a064798cd075b9d5cb9fde4adbae7073bbfe3b - languageName: node - linkType: hard - "data-uri-to-buffer@npm:3": version: 3.0.1 resolution: "data-uri-to-buffer@npm:3.0.1" @@ -6130,6 +6421,13 @@ __metadata: languageName: node linkType: hard +"devtools-protocol@npm:0.0.1232444": + version: 0.0.1232444 + resolution: "devtools-protocol@npm:0.0.1232444" + checksum: 10/c2b56a501ed8cda9220e1dc8b12364732bdc2bbad7d16a00fbbcaae5bf8a07414b0dfec1224fa1c3d9ce5851eb952a21c086938e73891630a7a6c440e4a1f0b0 + languageName: node + linkType: hard + "devtools-protocol@npm:0.0.1380148": version: 0.0.1380148 resolution: "devtools-protocol@npm:0.0.1380148" @@ -6144,6 +6442,13 @@ __metadata: languageName: node linkType: hard +"devtools-protocol@npm:^0.0.1359167": + version: 0.0.1359167 + resolution: "devtools-protocol@npm:0.0.1359167" + checksum: 10/57509d917933169561f2136be82d2bbc021109168c21ededbdffa918601a4b4b0bac8cff62a5b38dc425dfa191083ce32ea974b8dcbe423e6ff1503fce578a89 + languageName: node + linkType: hard + "dezalgo@npm:^1.0.4": version: 1.0.4 resolution: "dezalgo@npm:1.0.4" 
@@ -6247,13 +6552,6 @@ __metadata: languageName: node linkType: hard -"dont-sniff-mimetype@npm:1.1.0": - version: 1.1.0 - resolution: "dont-sniff-mimetype@npm:1.1.0" - checksum: 10/04eaedebaa4894967f62e02b3816a43d7c34de96b71dea4341e1f4221b5d30ec6b87b11e6496338d3dd65f961936f934b5890546a58810ecb71819814e1ec01c - languageName: node - linkType: hard - "dot-case@npm:^3.0.4": version: 3.0.4 resolution: "dot-case@npm:3.0.4" @@ -7328,7 +7626,7 @@ __metadata: languageName: node linkType: hard -"fast-fifo@npm:^1.1.0, fast-fifo@npm:^1.2.0": +"fast-fifo@npm:^1.1.0, fast-fifo@npm:^1.2.0, fast-fifo@npm:^1.3.2": version: 1.3.2 resolution: "fast-fifo@npm:1.3.2" checksum: 10/6bfcba3e4df5af7be3332703b69a7898a8ed7020837ec4395bb341bd96cc3a6d86c3f6071dd98da289618cf2234c70d84b2a6f09a33dd6f988b1ff60d8e54275 @@ -7426,13 +7724,6 @@ __metadata: languageName: node linkType: hard -"feature-policy@npm:0.3.0": - version: 0.3.0 - resolution: "feature-policy@npm:0.3.0" - checksum: 10/5e94e72dd081d12561d43503d8eee356e6dbaaa761705242bc8b13c6c8bea2edd462ff153c63a7702aa90606644bf0b921d4b275516f2931524ac6b0060310eb - languageName: node - linkType: hard - "fetch-blob@npm:^3.1.2, fetch-blob@npm:^3.1.4": version: 3.2.0 resolution: "fetch-blob@npm:3.2.0" 
@@ -8674,41 +8965,10 @@ __metadata: languageName: node linkType: hard -"helmet-crossdomain@npm:0.4.0": - version: 0.4.0 - resolution: "helmet-crossdomain@npm:0.4.0" - checksum: 10/ad484f3bfa720ddedf66be8ffa38a3f745f3c3e58b373b74608b1813ce9567d6da656e53aef291e0997ccc7dc5b7b31ba757f4b8c15842ef0c629671e14d3942 - languageName: node - linkType: hard - -"helmet-csp@npm:2.10.0": - version: 2.10.0 - resolution: "helmet-csp@npm:2.10.0" - dependencies: - bowser: "npm:2.9.0" - camelize: "npm:1.0.0" - content-security-policy-builder: "npm:2.1.0" - dasherize: "npm:2.0.0" - checksum: 10/6bd76303f27237bf4d3ca83003992c37ac4d9c7d2609b61e3f694ee9bfd746182820df7bba63c70088156f78ac2c9c252555fcd21036434eceb3f35da7729a13 - languageName: node - linkType: hard - -"helmet@npm:^3.23.3": - version: 3.23.3 - resolution: "helmet@npm:3.23.3" - dependencies: - depd: "npm:2.0.0" - dont-sniff-mimetype: "npm:1.1.0" - feature-policy: "npm:0.3.0" - helmet-crossdomain: "npm:0.4.0" - helmet-csp: "npm:2.10.0" - hide-powered-by: "npm:1.1.0" - hpkp: "npm:2.0.0" - hsts: "npm:2.2.0" - nocache: "npm:2.1.0" - referrer-policy: "npm:1.2.0" - x-xss-protection: "npm:1.3.0" - checksum: 10/ba01b1ca63abd8c856d6424602fe0feb211c88eb13eb549fa0d3af9983c7abdc5780bc3c7f1fa290896d7a37ee73fe6637764fd5efd275c77ed9d0e492bb5a99 +"helmet@npm:^8.0.0": + version: 8.0.0 + resolution: "helmet@npm:8.0.0" + checksum: 10/cf30579d1dbd095e301458265fb6b3446d1ee0598c99b5e946afda8a72c035a6a7ebf2176168d5ca2541e6e522a88fb58d06f0eeec4ab378646960de9aea6584 languageName: node linkType: hard @@ -8770,13 +9030,6 @@ __metadata: languageName: node linkType: hard -"hide-powered-by@npm:1.1.0": - version: 1.1.0 - resolution: "hide-powered-by@npm:1.1.0" - checksum: 10/d0da01a19bf5b2cd15679012f2894bada3190c8fb9a6630d95a1ca34785ab20bb670b5509f93c57ffc532685c15eeaa1d3749d476adcdfa31e28aff813bfd58f - languageName: node - linkType: hard - "hoopy@npm:^0.1.4": version: 0.1.4 resolution: "hoopy@npm:0.1.4" 
@@ -8800,13 +9053,6 @@ __metadata: languageName: node linkType: hard -"hpkp@npm:2.0.0": - version: 2.0.0 - resolution: "hpkp@npm:2.0.0" - checksum: 10/01f8df366e9cd4a9bf3829e0023335485991c91120d77cbc3c5eeafa172ac47556a00bc202dccba0e1356a578097bdc373ee1c863da6bb1586a05b1fbb36220f - languageName: node - linkType: hard - "hpkp@npm:^3.0.0": version: 3.0.0 resolution: "hpkp@npm:3.0.0" @@ -8814,15 +9060,6 @@ __metadata: languageName: node linkType: hard -"hsts@npm:2.2.0": - version: 2.2.0 - resolution: "hsts@npm:2.2.0" - dependencies: - depd: "npm:2.0.0" - checksum: 10/0c835196ec008a21e06ab345e98630546d1c04104165aab9bb790f59c03c8016329477837c0ac2c2e7d1075540aafbca67ed73ef2cb85f0f4ac414b3f2aea233 - languageName: node - linkType: hard - "html-encoding-sniffer@npm:^4.0.0": version: 4.0.0 resolution: "html-encoding-sniffer@npm:4.0.0" @@ -9016,7 +9253,7 @@ __metadata: languageName: node linkType: hard -"https-proxy-agent@npm:^7.0.0, https-proxy-agent@npm:^7.0.1, https-proxy-agent@npm:^7.0.2, https-proxy-agent@npm:^7.0.4": +"https-proxy-agent@npm:^7.0.0, https-proxy-agent@npm:^7.0.1, https-proxy-agent@npm:^7.0.2, https-proxy-agent@npm:^7.0.4, https-proxy-agent@npm:^7.0.5": version: 7.0.5 resolution: "https-proxy-agent@npm:7.0.5" dependencies: @@ -10457,6 +10694,15 @@ __metadata: languageName: node linkType: hard +"jsesc@npm:^3.0.2": + version: 3.0.2 + resolution: "jsesc@npm:3.0.2" + bin: + jsesc: bin/jsesc + checksum: 10/8e5a7de6b70a8bd71f9cb0b5a7ade6a73ae6ab55e697c74cc997cede97417a3a65ed86c36f7dd6125fe49766e8386c845023d9e213916ca92c9dfdd56e2babf3 + languageName: node + linkType: hard + "jsesc@npm:~0.5.0": version: 0.5.0 resolution: "jsesc@npm:0.5.0" 
@@ -11721,13 +11967,20 @@ __metadata: languageName: node linkType: hard -"mime-db@npm:1.52.0, mime-db@npm:>= 1.43.0 < 2": +"mime-db@npm:1.52.0": version: 1.52.0 resolution: "mime-db@npm:1.52.0" checksum: 10/54bb60bf39e6f8689f6622784e668a3d7f8bed6b0d886f5c3c446cb3284be28b30bf707ed05d0fe44a036f8469976b2629bbea182684977b084de9da274694d7 languageName: node linkType: hard +"mime-db@npm:>= 1.43.0 < 2": + version: 1.53.0 + resolution: "mime-db@npm:1.53.0" + checksum: 10/82409c568a20254cc67a763a25e581d2213e1ef5d070a0af805239634f8a655f5d8a15138200f5f81c5b06fc6623d27f6168c612d447642d59e37eb7f20f7412 + languageName: node + linkType: hard + "mime-db@npm:~1.12.0": version: 1.12.0 resolution: "mime-db@npm:1.12.0" @@ -12418,13 +12671,20 @@ __metadata: languageName: node linkType: hard -"negotiator@npm:0.6.3, negotiator@npm:^0.6.2, negotiator@npm:^0.6.3": +"negotiator@npm:0.6.3": version: 0.6.3 resolution: "negotiator@npm:0.6.3" checksum: 10/2723fb822a17ad55c93a588a4bc44d53b22855bf4be5499916ca0cab1e7165409d0b288ba2577d7b029f10ce18cf2ed8e703e5af31c984e1e2304277ef979837 languageName: node linkType: hard +"negotiator@npm:^0.6.2, negotiator@npm:^0.6.3": + version: 0.6.4 + resolution: "negotiator@npm:0.6.4" + checksum: 10/d98c04a136583afd055746168f1067d58ce4bfe6e4c73ca1d339567f81ea1f7e665b5bd1e81f4771c67b6c2ea89b21cb2adaea2b16058c7dc31317778f931dab + languageName: node + linkType: hard + "neo-async@npm:^2.5.0": version: 2.6.2 resolution: "neo-async@npm:2.6.2" @@ -12462,13 +12722,6 @@ __metadata: languageName: node linkType: hard -"nocache@npm:2.1.0": - version: 2.1.0 - resolution: "nocache@npm:2.1.0" - checksum: 10/cea7277b22a8113243991b2bd4516db2b7de8013750b7634eb34c3debb04575021aa6c20eb9f8cdea7b7060036b969463eeab6c507a3c1961c6e12f85b2b644b - languageName: node - linkType: hard - "nocache@npm:^3.0.1": version: 3.0.4 resolution: "nocache@npm:3.0.4" 
@@ -13406,7 +13659,7 @@ __metadata: languageName: node linkType: hard -"pac-proxy-agent@npm:^7.0.0, pac-proxy-agent@npm:^7.0.1": +"pac-proxy-agent@npm:^7.0.0": version: 7.0.1 resolution: "pac-proxy-agent@npm:7.0.1" dependencies: @@ -13422,6 +13675,22 @@ __metadata: languageName: node linkType: hard +"pac-proxy-agent@npm:^7.0.1": + version: 7.0.2 + resolution: "pac-proxy-agent@npm:7.0.2" + dependencies: + "@tootallnate/quickjs-emscripten": "npm:^0.23.0" + agent-base: "npm:^7.0.2" + debug: "npm:^4.3.4" + get-uri: "npm:^6.0.1" + http-proxy-agent: "npm:^7.0.0" + https-proxy-agent: "npm:^7.0.5" + pac-resolver: "npm:^7.0.1" + socks-proxy-agent: "npm:^8.0.4" + checksum: 10/bb9b53b32ba98f085fd98ad0ea5e4201498585bf8d9390b3365c057b692b8562997be166d44224878ac216a81f1016c1f55f4e1dec52a6d92e5aa659eba9124c + languageName: node + linkType: hard + "pac-proxy-agent@npm:^7.1.0": version: 7.1.0 resolution: "pac-proxy-agent@npm:7.1.0" @@ -13999,7 +14268,7 @@ __metadata: get-port: "npm:^4.2.0" git-rev-sync: "npm:^3.0.2" govuk-frontend: "npm:^4.9.0" - helmet: "npm:^3.23.3" + helmet: "npm:^8.0.0" hpkp: "npm:^3.0.0" http-terminator: "npm:^3.0.0" https-proxy-agent: "npm:^5.0.1" @@ -14402,6 +14671,20 @@ __metadata: languageName: node linkType: hard +"puppeteer-core@npm:^21.11.0": + version: 21.11.0 + resolution: "puppeteer-core@npm:21.11.0" + dependencies: + "@puppeteer/browsers": "npm:1.9.1" + chromium-bidi: "npm:0.5.8" + cross-fetch: "npm:4.0.0" + debug: "npm:4.3.4" + devtools-protocol: "npm:0.0.1232444" + ws: "npm:8.16.0" + checksum: 10/44bda6ab4995a224358d6cf8bd877ed2251446fbe9e36c38325bf5e09fd7e783e27ba4a76046140a38bfdd3c47df8ded6597c832e418db3212bebfb193382692 + languageName: node + linkType: hard + "puppeteer@npm:^24.0.0": version: 24.1.0 resolution: "puppeteer@npm:24.1.0" 
@@ -14870,13 +15153,6 @@ __metadata: languageName: node linkType: hard -"referrer-policy@npm:1.2.0": - version: 1.2.0 - resolution: "referrer-policy@npm:1.2.0" - checksum: 10/1ba6beec3e49c6c79270d4c14878efe6779bfe3512637f7fc538403e8846f50f4a4541eaffb04e7221d79a61f77aab885a4da0ac44a0e4f74d72248affd35ea7 - languageName: node - linkType: hard - "reflect-metadata@npm:0.2.2": version: 0.2.2 resolution: "reflect-metadata@npm:0.2.2" @@ -16077,7 +16353,7 @@ __metadata: languageName: node linkType: hard -"socks-proxy-agent@npm:^8.0.1, socks-proxy-agent@npm:^8.0.2, socks-proxy-agent@npm:^8.0.3": +"socks-proxy-agent@npm:^8.0.1": version: 8.0.3 resolution: "socks-proxy-agent@npm:8.0.3" dependencies: @@ -16088,6 +16364,17 @@ __metadata: languageName: node linkType: hard +"socks-proxy-agent@npm:^8.0.2, socks-proxy-agent@npm:^8.0.3, socks-proxy-agent@npm:^8.0.4": + version: 8.0.4 + resolution: "socks-proxy-agent@npm:8.0.4" + dependencies: + agent-base: "npm:^7.1.1" + debug: "npm:^4.3.4" + socks: "npm:^2.8.3" + checksum: 10/c8e7c2b398338b49a0a0f4d2bae5c0602aeeca6b478b99415927b6c5db349ca258448f2c87c6958ebf83eea17d42cbc5d1af0bfecb276cac10b9658b0f07f7d7 + languageName: node + linkType: hard + "socks-proxy-agent@npm:^8.0.5": version: 8.0.5 resolution: "socks-proxy-agent@npm:8.0.5" @@ -16447,7 +16734,22 @@ __metadata: languageName: node linkType: hard -"streamx@npm:^2.12.5, streamx@npm:^2.13.0, streamx@npm:^2.15.0": +"streamx@npm:^2.12.5, streamx@npm:^2.15.0": + version: 2.20.2 + resolution: "streamx@npm:2.20.2" + dependencies: + bare-events: "npm:^2.2.0" + fast-fifo: "npm:^1.3.2" + queue-tick: "npm:^1.0.1" + text-decoder: "npm:^1.1.0" + dependenciesMeta: + bare-events: + optional: true + checksum: 10/4363d81880295bd913eafb75f14c3f4e9d10fcb8f84e819c8339c0290feedf2542fc9de55f4f68d0dfd494659111451c316d8d7bb17eb90466ee1af6aa17d707 + languageName: node + linkType: hard + +"streamx@npm:^2.13.0": version: 2.16.1 resolution: "streamx@npm:2.16.1" dependencies: 
@@ -16981,6 +17283,13 @@ __metadata: languageName: node linkType: hard +"text-decoder@npm:^1.1.0": + version: 1.2.1 + resolution: "text-decoder@npm:1.2.1" + checksum: 10/87adfb2204105c0b37e6d24132a58f4951d6933a906f65a6d4825636df7c550d1ef24cfecd6951c473e0d53e62d83020d5d4ea59637d72987c69fcb2cf2482f0 + languageName: node + linkType: hard + "text-table@npm:^0.2.0": version: 0.2.0 resolution: "text-table@npm:0.2.0" @@ -17812,6 +18121,13 @@ __metadata: languageName: node linkType: hard +"urlpattern-polyfill@npm:10.0.0": + version: 10.0.0 + resolution: "urlpattern-polyfill@npm:10.0.0" + checksum: 10/346819dbe718e929988298d02a988b8ddfa601d08daaa7e69b1148eab699c86c0f0f933d68d8c8cf913166fe64156ed28904e673200d18ef7e9ed6b58cea3fc7 + languageName: node + linkType: hard + "userhome@npm:1.0.0": version: 1.0.0 resolution: "userhome@npm:1.0.0" @@ -18008,7 +18324,26 @@ __metadata: languageName: node linkType: hard -"webdriverio@npm:8.39.1, webdriverio@npm:^8.10.5, webdriverio@npm:^8.29.3": +"webdriver@npm:8.40.6": + version: 8.40.6 + resolution: "webdriver@npm:8.40.6" + dependencies: + "@types/node": "npm:^22.2.0" + "@types/ws": "npm:^8.5.3" + "@wdio/config": "npm:8.40.6" + "@wdio/logger": "npm:8.38.0" + "@wdio/protocols": "npm:8.40.3" + "@wdio/types": "npm:8.40.6" + "@wdio/utils": "npm:8.40.6" + deepmerge-ts: "npm:^5.1.0" + got: "npm:^12.6.1" + ky: "npm:^0.33.0" + ws: "npm:^8.8.0" + checksum: 10/a750590b75fa97bab8fb0f907e7e90c75f042a0da9ef04e355dc7d25fdd3a78922c1e757376c4670fd3324582831369bb2a39f07173390e5ab2641874fef758b + languageName: node + linkType: hard + +"webdriverio@npm:8.39.1": version: 8.39.1 resolution: "webdriverio@npm:8.39.1" dependencies: 
@@ -18046,6 +18381,44 @@ __metadata: languageName: node linkType: hard +"webdriverio@npm:8.40.6, webdriverio@npm:^8.10.5, webdriverio@npm:^8.29.3": + version: 8.40.6 + resolution: "webdriverio@npm:8.40.6" + dependencies: + "@types/node": "npm:^22.2.0" + "@wdio/config": "npm:8.40.6" + "@wdio/logger": "npm:8.38.0" + "@wdio/protocols": "npm:8.40.3" + "@wdio/repl": "npm:8.40.3" + "@wdio/types": "npm:8.40.6" + "@wdio/utils": "npm:8.40.6" + archiver: "npm:^7.0.0" + aria-query: "npm:^5.0.0" + css-shorthand-properties: "npm:^1.1.1" + css-value: "npm:^0.0.1" + devtools-protocol: "npm:^0.0.1359167" + grapheme-splitter: "npm:^1.0.2" + import-meta-resolve: "npm:^4.0.0" + is-plain-obj: "npm:^4.1.0" + jszip: "npm:^3.10.1" + lodash.clonedeep: "npm:^4.5.0" + lodash.zip: "npm:^4.2.0" + minimatch: "npm:^9.0.0" + puppeteer-core: "npm:^21.11.0" + query-selector-shadow-dom: "npm:^1.0.0" + resq: "npm:^1.9.1" + rgb2hex: "npm:0.2.5" + serialize-error: "npm:^11.0.1" + webdriver: "npm:8.40.6" + peerDependencies: + devtools: ^8.14.0 + peerDependenciesMeta: + devtools: + optional: true + checksum: 10/aa114555673e4b040613a5e31e76f16ead9d929828eda28c21ad8a361be89c4434f8520521813037fc7b12a86a548423daa1716d176bac24eb3807d4bef8fbd2 + languageName: node + linkType: hard + "webidl-conversions@npm:^3.0.0": version: 3.0.1 resolution: "webidl-conversions@npm:3.0.1" @@ -18372,6 +18745,21 @@ __metadata: languageName: node linkType: hard +"ws@npm:8.16.0": + version: 8.16.0 + resolution: "ws@npm:8.16.0" + peerDependencies: + bufferutil: ^4.0.1 + utf-8-validate: ">=5.0.2" + peerDependenciesMeta: + bufferutil: + optional: true + utf-8-validate: + optional: true + checksum: 10/7c511c59e979bd37b63c3aea4a8e4d4163204f00bd5633c053b05ed67835481995f61a523b0ad2b603566f9a89b34cb4965cb9fab9649fbfebd8f740cea57f17 + languageName: node + linkType: hard + "ws@npm:^6.2.2": version: 6.2.3 resolution: "ws@npm:6.2.3" 
@@ -18411,13 +18799,6 @@ __metadata: languageName: node linkType: hard -"x-xss-protection@npm:1.3.0": - version: 1.3.0 - resolution: "x-xss-protection@npm:1.3.0" - checksum: 10/8fc5ea8d7043e4cf03056dc07a145dcb6d7173bdce4528719db9bbbfe89421010ec6946b283139f068a842e9abc408b0dd9be5b0c3681b824e2b1849b2b848b4 - languageName: node - linkType: hard - "xml-name-validator@npm:^5.0.0": version: 5.0.0 resolution: "xml-name-validator@npm:5.0.0" From 4909da44ea19f37d615eca1af589726a73030b61 Mon Sep 17 00:00:00 2001 From: Tom Saunders Date: Wed, 27 Nov 2024 16:22:46 +0000 Subject: [PATCH 4/7] Move session language handling into a named unit. I think this should make testing slightly cleaner? --- app.js | 26 +++----------------- app/middleware/setSessionLanguage.js | 36 ++++++++++++++++++++++++++++ 2 files changed, 39 insertions(+), 23 deletions(-) create mode 100644 app/middleware/setSessionLanguage.js diff --git a/app.js b/app.js index 0bc916999e..abdcd0bcdd 100644 --- a/app.js +++ b/app.js @@ -32,6 +32,7 @@ const eligibilityCookie = new EligibilityCookie(); const caseTypes = require('app/utils/CaseTypes'); const featureToggles = require('app/featureToggles'); const sanitizeRequestBody = require('app/middleware/sanitizeRequestBody'); +const setSessionLanguage = require('app/middleware/setSessionLanguage'); const isEmpty = require('lodash').isEmpty; const setupHealthCheck = require('app/utils/setupHealthCheck'); 
@@ -247,30 +248,9 @@ exports.init = function (isA11yTest = false, a11yTestSession = {}, ftValue) { next(); }); - app.use((req, res, next) => { - if (!req.session.language) { - req.session.language = 'en'; - } - - if (req.query) { - const getLangFromQuery = (queryVal) => { - if (queryVal) { - if (!Array.isArray(queryVal)) { - queryVal = [queryVal]; - } - - return queryVal.find((l) => config.languages.includes(l)); - } - }; - const fromLng = getLangFromQuery(req.query.lng); - const fromLocale = getLangFromQuery(req.query.locale); - if (fromLng) { - req.session.language = fromLng; - } else if (fromLocale) { - req.session.language = fromLocale; - } - } + app.use(setSessionLanguage); + app.use((req, res, next) => { if (isA11yTest && !isEmpty(a11yTestSession)) { req.session = Object.assign(req.session, a11yTestSession); } diff --git a/app/middleware/setSessionLanguage.js b/app/middleware/setSessionLanguage.js new file mode 100644 index 0000000000..bbb689fe8f --- /dev/null +++ b/app/middleware/setSessionLanguage.js @@ -0,0 +1,36 @@ +'use strict'; + +const config = require('config'); + +const isLanguageAvailable = (lang) => { + return config.languages.includes(lang); +}; + +const getAvailableLanguageFromQueryParams = (queryParam) => { + if (queryParam) { + if (!Array.isArray(queryParam)) { + queryParam = [queryParam]; + } + + return queryParam.find(isLanguageAvailable); + } +}; + +const setLanguageForSession = (req, res, next) => { + if (!req.session.language) { + req.session.language = 'en'; + } + + if (req.query) { + const fromLng = getAvailableLanguageFromQueryParams(req.query.lng); + const fromLocale = getAvailableLanguageFromQueryParams(req.query.locale); + if (fromLng) { + req.session.language = fromLng; + } else if (fromLocale) { + req.session.language = fromLocale; + } + } + next(); +}; + +module.exports = setLanguageForSession; From f79dd4da0fc4fe89e9da82aa67dd327378e557d2 Mon Sep 17 00:00:00 2001 
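Review bot: `isLanguageAvailable` in the new app/middleware/setSessionLanguage.js rejects non-string query values only implicitly, through the strict comparison inside `config.languages.includes`. Depending on the query parser in use, `req.query.lng` can arrive as a string, an array or a nested object, and the allowlist holds only while `config.languages` is an array of strings (its definition is not visible in this patch; on a plain string, `includes` would match substrings). I would make the type check explicit with `return typeof lang === 'string' && config.languages.includes(lang);`. A short comment on `setLanguageForSession` should also state that `lng` takes precedence over `locale`, that the first allowlisted value wins, and that a request with no allowlisted value keeps the existing session language rather than resetting it to 'en' as the PATCH 1/7 description suggests.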
From: Tom Saunders Date: Wed, 27 Nov 2024 17:10:27 +0000 Subject: [PATCH 5/7] Add testing for setSessionLanguage. --- .../unit/middleware/testSetSessionLanguage.js | 111 ++++++++++++++++++ 1 file changed, 111 insertions(+) create mode 100644 test/unit/middleware/testSetSessionLanguage.js diff --git a/test/unit/middleware/testSetSessionLanguage.js b/test/unit/middleware/testSetSessionLanguage.js new file mode 100644 index 0000000000..1c680840b8 --- /dev/null +++ b/test/unit/middleware/testSetSessionLanguage.js 
@@ -0,0 +1,111 @@ +'use strict'; + +const setSessionLanguage = require('../../../app/middleware/setSessionLanguage'); + +const {assert} = require('chai'); +const sinon = require('sinon'); + +describe('SetSessionLanguage', () => { + let req; + let res; + let next; + + const preset = {'preset': null}; + const en = 'en'; + const cy = 'cy'; + // we do not support french + const invalid = 'fr'; + + beforeEach(() => { + res = {}; + req = { + session: { + language: null, + }, + query: null, + }; + next = sinon.spy(); + }); + + describe('setSessionLanguage()', () => { + + it('should default session lang to en if no value is set in the request or the query', () => { + setSessionLanguage(req, res, next); + assert.equal(req.session.language, en); + }); + + it('should leave session lang set if no value in the query', () => { + req.session.language = preset; + setSessionLanguage(req, res, next); + assert.equal(req.session.language, preset); + }); + + it('should not override session lang if query lng value invalid', () => { + req.session.language = preset; + req.query = {lng: invalid}; + setSessionLanguage(req, res, next); + assert.equal(req.session.language, preset); + }); + + it('should not override session lang if query lng array all invalid', () => { + req.session.language = preset; + req.query = {lng: [invalid, invalid]}; + setSessionLanguage(req, res, next); + assert.equal(req.session.language, preset); + }); + + it('should override session lang to valid query lng value', () => { + req.session.language = preset; + req.query = {lng: cy}; + setSessionLanguage(req, res, next); + assert.equal(req.session.language, cy); + }); + + it('should override session lang to first valid query lng array value', () => { + req.session.language = preset; + req.query = {lng: [invalid, cy]}; + setSessionLanguage(req, res, next); + assert.equal(req.session.language, cy); + }); + + // + + it('should not override session lang if query locale value invalid', () => { + req.session.language = 
preset; + req.query = {locale: invalid}; + setSessionLanguage(req, res, next); + assert.equal(req.session.language, preset); + }); + + it('should not override session lang if query locale array all invalid', () => { + req.session.language = preset; + req.query = {locale: [invalid, invalid]}; + setSessionLanguage(req, res, next); + assert.equal(req.session.language, preset); + }); + + it('should override session lang to valid query locale value', () => { + req.session.language = preset; + req.query = {locale: cy}; + setSessionLanguage(req, res, next); + assert.equal(req.session.language, cy); + }); + + it('should override session lang to first valid query locale array value', () => { + req.session.language = preset; + req.query = {locale: [invalid, cy]}; + setSessionLanguage(req, res, next); + assert.equal(req.session.language, cy); + }); + + it('should use query lng value rather than query locale value', () => { + req.session.language = preset; + req.query = { + lng: en, + locale: cy, + }; + setSessionLanguage(req, res, next); + assert.equal(req.session.language, en); + }); + }); +}); From a495e018d2230f550c75d7958a13734818088cb9 Mon Sep 17 00:00:00 2001 From: Tom Saunders Date: Thu, 28 Nov 2024 15:25:35 +0000 Subject: [PATCH 6/7] Add test that strictTransportHandling is instantiated from helmet. I have not been able to figure a way to confirm that the resulting output is passed to the express app itself as i can't seem to intercept the original express() call in app.js. --- test/component/testHelmet.js | 40 ++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) create mode 100644 test/component/testHelmet.js diff --git a/test/component/testHelmet.js b/test/component/testHelmet.js new file mode 100644 index 0000000000..3b0fe8bb90 --- /dev/null +++ b/test/component/testHelmet.js 
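Review bot: `next` is created as a `sinon.spy()` in `beforeEach` but no test asserts on it, so a regression that stops the middleware calling `next()` would stall every request and still pass this suite; add `assert.isTrue(next.calledOnce);` to at least the default-language case. The suite also has no case for the fallback the series describes, `req.query = {lng: invalid, locale: cy}` expecting `cy`, and none for a non-string value such as `req.query = {lng: {a: cy}}`, the shape a bracketed query key can produce under an extended query parser. `preset` is an object compared with `assert.equal`, so those checks rely on reference identity; a string sentinel with `assert.strictEqual` would read more clearly.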
@@ -0,0 +1,40 @@
+'use strict';
+
+const {assert} = require('chai');
+const proxyquire = require('proxyquire');
+const sinon = require('sinon');
+const express = require('express');
+const helmet = require('helmet');
+
+const app = proxyquire('app', {
+ 'express': express,
+ 'helmet': helmet,
+});
+
+describe('app-config-helmet', () => {
+ it('should use helmet.strictTransportSecurity with appropriate maxAge', (done) => {
+ const stsSpy = sinon.spy(helmet, 'strictTransportSecurity');
+
+ const server = app.init();
+ server.http.close();
+
+ stsSpy.restore();
+
+ const expectedMinimumMaxAge = 31536000;
+ const seenAges = [];
+
+ assert(
+ stsSpy.calledWith(
+ sinon.match.has('maxAge', sinon.match((val) => {
+ seenAges.push(val);
+ return val >= expectedMinimumMaxAge;
+ }))),
+ `strictTransportSecurity not called with maxAge >= ${expectedMinimumMaxAge}, saw ${seenAges.join()}`);
+
+ const called = stsSpy.callCount;
+ assert.equal(called, 1,
+ `Expected strictTransportSecurity to be called once but was called ${called} times`);
+
+ done();
+ });
+});
From da7ad4744be2ef465599990e60912aaf98d9bbf0 Mon Sep 17 00:00:00 2001 From: Tom Saunders Date: Mon, 2 Dec 2024 15:30:49 +0000 Subject: [PATCH 7/7] Update yarn-audit-known-issues.
---
yarn-audit-known-issues | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/yarn-audit-known-issues b/yarn-audit-known-issues
index e38b190eb5..2c862fafc8 100644
--- a/yarn-audit-known-issues
+++ b/yarn-audit-known-issues
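Review bot: `stsSpy.restore()` in test/component/testHelmet.js runs only if `app.init()` and `server.http.close()` both succeed, so a failure there leaves the spy installed on the shared `helmet` module for every later test; wrap those calls in `try { ... } finally { stsSpy.restore(); }` or restore in an `afterEach`. The test body is synchronous, so the `done` callback can be dropped. As the commit message acknowledges, this shows only that the factory was invoked with `maxAge >= 31536000`, not that a `Strict-Transport-Security` header reaches a response; a request-level assertion on that header would be the stronger check if the suite can exercise the app that way. Reading the value from `stsSpy.firstCall.args[0].maxAge` would also avoid filling `seenAges` as a side effect inside the matcher.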
@@ -9,4 +9,4 @@ {"value":"rimraf","children":{"ID":"rimraf (deprecation)","Issue":"Rimraf versions prior to v4 are no longer supported","Severity":"moderate","Vulnerable Versions":"2.7.1","Tree Versions":["2.7.1"],"Dependents":["fstream@npm:1.0.12"]}} {"value":"tough-cookie","children":{"ID":1097682,"Issue":"tough-cookie Prototype Pollution vulnerability","URL":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3","Severity":"moderate","Vulnerable Versions":"<4.1.3","Tree Versions":["2.5.0"],"Dependents":["request@npm:2.88.2"]}} {"value":"uuid","children":{"ID":"uuid (deprecation)","Issue":"Please upgrade to version 7 or higher. Older versions may use Math.random() in certain circumstances, which is known to be problematic. See https://v8.dev/blog/math-random for details.","Severity":"moderate","Vulnerable Versions":"3.4.0","Tree Versions":["3.4.0"],"Dependents":["request@npm:2.88.2"]}} -{"value":"ws","children":{"ID":1098392,"Issue":"ws affected by a DoS when handling a request with many HTTP headers","URL":"https://github.com/advisories/GHSA-3h5v-q93c-6h6q","Severity":"high","Vulnerable Versions":">=8.0.0 <8.17.1","Tree Versions":["8.13.0"],"Dependents":["puppeteer-core@virtual:9c3ab89bc6ffaa83ae7ee58d9f1b7b4ced81beaf168bd0f17e701a7eb3b1f1cebbfa39b9ec96184d21605ed14a2d9090c02ee4d77744445e46cebef8b5b4dc83#npm:20.9.0"]}} +{"value":"ws","children":{"ID":1098392,"Issue":"ws affected by a DoS when handling a request with many HTTP headers","URL":"https://github.com/advisories/GHSA-3h5v-q93c-6h6q","Severity":"high","Vulnerable Versions":">=8.0.0 <8.17.1","Tree Versions":["8.13.0"],"Dependents":["puppeteer-core@npm:21.11.0", "puppeteer-core@virtual:337caec2a3c4a9d98980f7a6edb1a88914aacf82463dd61584cb9802a17c747ed9548326469043cf91fccce15e72b10937248a8f7cba2ca22089a5d6a027ad74#npm:20.9.0"]}}
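Review bot: `Tree Versions` on the added `ws` line still lists only `8.13.0`, although PATCH 3/7 adds `ws@npm:8.16.0` to yarn.lock as a dependency of `puppeteer-core@npm:21.11.0`, the dependent this line newly suppresses. That version is inside the listed vulnerable range `>=8.0.0 <8.17.1` for the high-severity advisory GHSA-3h5v-q93c-6h6q, so the entry looks hand-edited or stale and should be regenerated from the audit output to match the lockfile. Because `puppeteer-core` pins `ws` exactly, clearing the finding instead of suppressing it would need a `resolutions` override to a fixed `ws` or a newer webdriverio/puppeteer-core. If the suppression stays, the commit message or PR should record why it is acceptable (this path appears to be test tooling only, which should be confirmed) and who revisits it.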