diff --git a/Jenkinsfile_CNP b/Jenkinsfile_CNP
index 169cf4fb..3833d904 100644
--- a/Jenkinsfile_CNP
+++ b/Jenkinsfile_CNP
@@ -42,14 +42,14 @@ withPipeline(type, product, component) {
 syncBranchesWithMaster(branchesToSync)
 loadVaultSecrets(secrets)
- after('build') {
+ afterAlways('build') {
 yarnBuilder.yarn('build')
 }
 before('functionalTest:preview') {
 env.DS_UI_URL = "https://fis-ds-web-pr-${CHANGE_ID}.service.core-compute-preview.internal/?edgecaseType=FMP"
 }
- after('functionalTest:preview') {
+ afterAlways('functionalTest:preview') {
 steps.archiveArtifacts allowEmptyArchive: true, artifacts: 'output/**/*'
 }
@@ -57,7 +57,7 @@ withPipeline(type, product, component) {
 env.DS_UI_URL = "https://fis-ds-web-pr-${CHANGE_ID}.service.core-compute-preview.internal/?edgecaseType=FMP"
 }
- after('smoketest:preview') {
+ afterAlways('smoketest:preview') {
 steps.archiveArtifacts allowEmptyArchive: true, artifacts: 'output/**/*'
 }
@@ -65,7 +65,7 @@ withPipeline(type, product, component) {
 env.DS_UI_URL = "https://fis-ds-web-staging.service.core-compute-aat.internal/?edgecaseType=FMP"
 }
- after('smoketest:aat') {
+ afterAlways('smoketest:aat') {
 steps.archiveArtifacts allowEmptyArchive: true, artifacts: 'output/**/*'
 }
@@ -73,7 +73,7 @@ withPipeline(type, product, component) {
 env.ADOP_WEB_URL = "https://fis-ds-web-staging.service.core-compute-aat.internal/?edgecaseType=FMP"
 }
- after('functionalTest:aat') {
+ afterAlways('functionalTest:aat') {
 steps.archiveArtifacts allowEmptyArchive: true, artifacts: 'output/**/*'
 }
 }
diff --git a/README.md b/README.md
index 54d5c6cc..b57aa739 100644
--- a/README.md
+++ b/README.md
@@ -33,7 +33,7 @@ $ yarn start
 The applications's home page will be available at https://localhost:4000
-### Running with Docker
+#### Running with Docker
 Create docker image:
diff --git a/yarn-audit-known-issues b/yarn-audit-known-issues
index dfa3254a..32ed6f73 100644
--- a/yarn-audit-known-issues
+++ b/yarn-audit-known-issues
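Review bot: In the first Jenkinsfile_CNP hunk (@@ -42,14), `afterAlways('build') { yarnBuilder.yarn('build') }` will, if afterAlways does what its name suggests and runs the hook regardless of the stage outcome, re-run `yarn build` on top of a build stage that has already failed, which adds a second failing step and extra agent time instead of stopping early. Unless there is a reason to rebuild after a failed build, keep this hook as `after('build') {` and apply the switch only where it pays off, i.e. the `steps.archiveArtifacts` hooks, where collecting `output/**/*` from a failed test run is exactly the case the change is for. The same after→afterAlways swap appears in the functionalTest:preview hook of this hunk and in the smoketest:preview, smoketest:aat and functionalTest:aat hunks; those archive-only hooks look fine as changed. The enclosing withPipeline block starts before the first hunk; the final ` }` of the last hunk appears to close it.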
@@ -1,7 +1,15 @@ -{"type":"auditAdvisory","data":{"resolution":{"id":1088341,"path":"tsconfig-paths>json5","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"1.0.1","paths":["tsconfig-paths>json5"]}],"metadata":null,"vulnerable_versions":"<1.0.2","module_name":"json5","severity":"high","github_advisory_id":"GHSA-9c47-m6qq-7p4h","cves":["CVE-2022-46175"],"access":"public","patched_versions":">=1.0.2","cvss":{"score":7.1,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H"},"updated":"2023-01-11T22:37:41.000Z","recommendation":"Upgrade to version 1.0.2 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1088341,"references":"- https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h\n- https://nvd.nist.gov/vuln/detail/CVE-2022-46175\n- https://github.com/json5/json5/issues/199\n- https://github.com/json5/json5/issues/295\n- https://github.com/json5/json5/pull/298\n- https://github.com/advisories/GHSA-9c47-m6qq-7p4h","created":"2022-12-29T01:51:03.000Z","reported_by":null,"title":"Prototype Pollution in JSON5 via Parse Method","npm_advisory_id":null,"overview":"The `parse` method of the JSON5 library before and including version `2.2.1` does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object.\n\nThis vulnerability pollutes the prototype of the object returned by `JSON5.parse` and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations.\n\n## Impact\nThis vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. 
The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution.\n\n## Mitigation\nThis vulnerability is patched in json5 v2.2.2 and later. A patch has also been backported for json5 v1 in versions v1.0.2 and later.\n\n## Details\n \nSuppose a developer wants to allow users and admins to perform some risky operation, but they want to restrict what non-admins can do. To accomplish this, they accept a JSON blob from the user, parse it using `JSON5.parse`, confirm that the provided data does not set some sensitive keys, and then performs the risky operation using the validated data:\n \n```js\nconst JSON5 = require('json5');\n\nconst doSomethingDangerous = (props) => {\n if (props.isAdmin) {\n console.log('Doing dangerous thing as admin.');\n } else {\n console.log('Doing dangerous thing as user.');\n }\n};\n\nconst secCheckKeysSet = (obj, searchKeys) => {\n let searchKeyFound = false;\n Object.keys(obj).forEach((key) => {\n if (searchKeys.indexOf(key) > -1) {\n searchKeyFound = true;\n }\n });\n return searchKeyFound;\n};\n\nconst props = JSON5.parse('{\"foo\": \"bar\"}');\nif (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {\n doSomethingDangerous(props); // \"Doing dangerous thing as user.\"\n} else {\n throw new Error('Forbidden...');\n}\n```\n \nIf the user attempts to set the `isAdmin` key, their request will be rejected:\n \n```js\nconst props = JSON5.parse('{\"foo\": \"bar\", \"isAdmin\": true}');\nif (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {\n doSomethingDangerous(props);\n} else {\n throw new Error('Forbidden...'); // Error: Forbidden...\n}\n```\n \nHowever, users can instead set the `__proto__` key to `{\"isAdmin\": true}`. 
`JSON5` will parse this key and will set the `isAdmin` key on the prototype of the returned object, allowing the user to bypass the security check and run their request as an admin:\n \n```js\nconst props = JSON5.parse('{\"foo\": \"bar\", \"__proto__\": {\"isAdmin\": true}}');\nif (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {\n doSomethingDangerous(props); // \"Doing dangerous thing as admin.\"\n} else {\n throw new Error('Forbidden...');\n}\n ```","url":"https://github.com/advisories/GHSA-9c47-m6qq-7p4h"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1088342,"path":"config>json5","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"2.2.0","paths":["config>json5"]}],"metadata":null,"vulnerable_versions":">=2.0.0 <2.2.2","module_name":"json5","severity":"high","github_advisory_id":"GHSA-9c47-m6qq-7p4h","cves":["CVE-2022-46175"],"access":"public","patched_versions":">=2.2.2","cvss":{"score":7.1,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H"},"updated":"2023-01-11T22:37:41.000Z","recommendation":"Upgrade to version 2.2.2 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1088342,"references":"- https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h\n- https://nvd.nist.gov/vuln/detail/CVE-2022-46175\n- https://github.com/json5/json5/issues/199\n- https://github.com/json5/json5/issues/295\n- https://github.com/json5/json5/pull/298\n- https://github.com/advisories/GHSA-9c47-m6qq-7p4h","created":"2022-12-29T01:51:03.000Z","reported_by":null,"title":"Prototype Pollution in JSON5 via Parse Method","npm_advisory_id":null,"overview":"The `parse` method of the JSON5 library before and including version `2.2.1` does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object.\n\nThis vulnerability pollutes the prototype of the object returned by `JSON5.parse` and not the global Object prototype, which is the commonly 
understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations.\n\n## Impact\nThis vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution.\n\n## Mitigation\nThis vulnerability is patched in json5 v2.2.2 and later. A patch has also been backported for json5 v1 in versions v1.0.2 and later.\n\n## Details\n \nSuppose a developer wants to allow users and admins to perform some risky operation, but they want to restrict what non-admins can do. To accomplish this, they accept a JSON blob from the user, parse it using `JSON5.parse`, confirm that the provided data does not set some sensitive keys, and then performs the risky operation using the validated data:\n \n```js\nconst JSON5 = require('json5');\n\nconst doSomethingDangerous = (props) => {\n if (props.isAdmin) {\n console.log('Doing dangerous thing as admin.');\n } else {\n console.log('Doing dangerous thing as user.');\n }\n};\n\nconst secCheckKeysSet = (obj, searchKeys) => {\n let searchKeyFound = false;\n Object.keys(obj).forEach((key) => {\n if (searchKeys.indexOf(key) > -1) {\n searchKeyFound = true;\n }\n });\n return searchKeyFound;\n};\n\nconst props = JSON5.parse('{\"foo\": \"bar\"}');\nif (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {\n doSomethingDangerous(props); // \"Doing dangerous thing as user.\"\n} else {\n throw new Error('Forbidden...');\n}\n```\n \nIf the user attempts to set the `isAdmin` key, their request will be rejected:\n \n```js\nconst props = JSON5.parse('{\"foo\": \"bar\", \"isAdmin\": true}');\nif (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {\n 
doSomethingDangerous(props);\n} else {\n throw new Error('Forbidden...'); // Error: Forbidden...\n}\n```\n \nHowever, users can instead set the `__proto__` key to `{\"isAdmin\": true}`. `JSON5` will parse this key and will set the `isAdmin` key on the prototype of the returned object, allowing the user to bypass the security check and run their request as an admin:\n \n```js\nconst props = JSON5.parse('{\"foo\": \"bar\", \"__proto__\": {\"isAdmin\": true}}');\nif (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {\n doSomethingDangerous(props); // \"Doing dangerous thing as admin.\"\n} else {\n throw new Error('Forbidden...');\n}\n ```","url":"https://github.com/advisories/GHSA-9c47-m6qq-7p4h"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1088600,"path":"@hmcts/nodejs-logging>moment","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"2.29.2","paths":["@hmcts/nodejs-logging>moment","@hmcts/nodejs-healthcheck>@hmcts/nodejs-logging>moment"]}],"metadata":null,"vulnerable_versions":">=2.18.0 <2.29.4","module_name":"moment","severity":"high","github_advisory_id":"GHSA-wc69-rhjr-hc9g","cves":["CVE-2022-31129"],"access":"public","patched_versions":">=2.29.4","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-01-13T05:01:42.000Z","recommendation":"Upgrade to version 2.29.4 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1088600,"references":"- https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g\n- https://github.com/moment/moment/pull/6015#issuecomment-1152961973\n- https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-31129\n- https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/\n- 
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/\n- https://security.netapp.com/advisory/ntap-20221014-0003/\n- https://github.com/advisories/GHSA-wc69-rhjr-hc9g","created":"2022-07-06T18:38:49.000Z","reported_by":null,"title":"Moment.js vulnerable to Inefficient Regular Expression Complexity","npm_advisory_id":null,"overview":"### Impact\n\n* using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs\n* noticeable slowdown is observed with inputs above 10k characters\n* users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks\n\n### Patches\nThe problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking.\n\n### Workarounds\nIn general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment users who do pass a user-originating string to constructor are encouraged to apply such a rudimentary filter, that would help with this but also most future ReDoS vulnerabilities.\n\n### References\nThere is an excellent writeup of the issue here: https://github.com/moment/moment/pull/6015#issuecomment-1152961973=\n\n### Details\nThe issue is rooted in the code that removes legacy comments (stuff inside parenthesis) from strings during rfc2822 parsing. 
`moment(\"(\".repeat(500000))` will take a few minutes to process, which is unacceptable.","url":"https://github.com/advisories/GHSA-wc69-rhjr-hc9g"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1088600,"path":"@hmcts/nodejs-healthcheck>@hmcts/nodejs-logging>moment","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"2.29.2","paths":["@hmcts/nodejs-logging>moment","@hmcts/nodejs-healthcheck>@hmcts/nodejs-logging>moment"]}],"metadata":null,"vulnerable_versions":">=2.18.0 <2.29.4","module_name":"moment","severity":"high","github_advisory_id":"GHSA-wc69-rhjr-hc9g","cves":["CVE-2022-31129"],"access":"public","patched_versions":">=2.29.4","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-01-13T05:01:42.000Z","recommendation":"Upgrade to version 2.29.4 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1088600,"references":"- https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g\n- https://github.com/moment/moment/pull/6015#issuecomment-1152961973\n- https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-31129\n- https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/\n- https://security.netapp.com/advisory/ntap-20221014-0003/\n- 
https://github.com/advisories/GHSA-wc69-rhjr-hc9g","created":"2022-07-06T18:38:49.000Z","reported_by":null,"title":"Moment.js vulnerable to Inefficient Regular Expression Complexity","npm_advisory_id":null,"overview":"### Impact\n\n* using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs\n* noticeable slowdown is observed with inputs above 10k characters\n* users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks\n\n### Patches\nThe problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking.\n\n### Workarounds\nIn general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment users who do pass a user-originating string to constructor are encouraged to apply such a rudimentary filter, that would help with this but also most future ReDoS vulnerabilities.\n\n### References\nThere is an excellent writeup of the issue here: https://github.com/moment/moment/pull/6015#issuecomment-1152961973=\n\n### Details\nThe issue is rooted in the code that removes legacy comments (stuff inside parenthesis) from strings during rfc2822 parsing. 
`moment(\"(\".repeat(500000))` will take a few minutes to process, which is unacceptable.","url":"https://github.com/advisories/GHSA-wc69-rhjr-hc9g"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1088613,"path":"glob>minimatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"3.0.4","paths":["glob>minimatch"]}],"metadata":null,"vulnerable_versions":"<3.0.5","module_name":"minimatch","severity":"high","github_advisory_id":"GHSA-f8q6-p94x-37v3","cves":["CVE-2022-3517"],"access":"public","patched_versions":">=3.0.5","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-01-17T05:42:23.000Z","recommendation":"Upgrade to version 3.0.5 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1088613,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-3517\n- https://github.com/grafana/grafana-image-renderer/issues/329\n- https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6\n- https://github.com/nodejs/node/issues/42510\n- https://lists.debian.org/debian-lts-announce/2023/01/msg00011.html\n- https://github.com/advisories/GHSA-f8q6-p94x-37v3","created":"2022-10-18T12:00:32.000Z","reported_by":null,"title":"minimatch ReDoS vulnerability","npm_advisory_id":null,"overview":"A vulnerability was found in the minimatch package. 
This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.","url":"https://github.com/advisories/GHSA-f8q6-p94x-37v3"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1088073,"path":"express-fileupload>busboy>dicer","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"0.3.0","paths":["express-fileupload>busboy>dicer"]},{"version":"0.2.5","paths":["multer>busboy>dicer"]}],"metadata":null,"vulnerable_versions":"<=0.3.1","module_name":"dicer","severity":"high","github_advisory_id":"GHSA-wm7h-9275-46v2","cves":["CVE-2022-24434"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-01-11T05:07:48.000Z","recommendation":"None","cwe":["CWE-248"],"found_by":null,"deleted":null,"id":1088073,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-24434\n- https://github.com/mscdex/busboy/issues/250\n- https://github.com/mscdex/dicer/pull/22\n- https://github.com/mscdex/dicer/pull/22/commits/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac\n- https://snyk.io/vuln/SNYK-JS-DICER-2311764\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865\n- https://github.com/advisories/GHSA-wm7h-9275-46v2","created":"2022-05-21T00:00:25.000Z","reported_by":null,"title":"Crash in HeaderParser in dicer","npm_advisory_id":null,"overview":"This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. 
A complete denial of service can be achived by sending the malicious form in a loop.","url":"https://github.com/advisories/GHSA-wm7h-9275-46v2"}}} -{"type":"auditAdvisory","data":{"resolution":{"id":1088073,"path":"multer>busboy>dicer","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"0.3.0","paths":["express-fileupload>busboy>dicer"]},{"version":"0.2.5","paths":["multer>busboy>dicer"]}],"metadata":null,"vulnerable_versions":"<=0.3.1","module_name":"dicer","severity":"high","github_advisory_id":"GHSA-wm7h-9275-46v2","cves":["CVE-2022-24434"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-01-11T05:07:48.000Z","recommendation":"None","cwe":["CWE-248"],"found_by":null,"deleted":null,"id":1088073,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-24434\n- https://github.com/mscdex/busboy/issues/250\n- https://github.com/mscdex/dicer/pull/22\n- https://github.com/mscdex/dicer/pull/22/commits/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac\n- https://snyk.io/vuln/SNYK-JS-DICER-2311764\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865\n- https://github.com/advisories/GHSA-wm7h-9275-46v2","created":"2022-05-21T00:00:25.000Z","reported_by":null,"title":"Crash in HeaderParser in dicer","npm_advisory_id":null,"overview":"This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. 
A complete denial of service can be achived by sending the malicious form in a loop.","url":"https://github.com/advisories/GHSA-wm7h-9275-46v2"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1088659,"path":"@hmcts/nodejs-healthcheck>superagent>cookiejar","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"2.1.3","paths":["@hmcts/nodejs-healthcheck>superagent>cookiejar"]}],"metadata":null,"vulnerable_versions":"<2.1.4","module_name":"cookiejar","severity":"moderate","github_advisory_id":"GHSA-h452-7996-h45h","cves":["CVE-2022-25901"],"access":"public","patched_versions":">=2.1.4","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-01-23T16:59:53.000Z","recommendation":"Upgrade to version 2.1.4 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1088659,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25901\n- https://github.com/bmeck/node-cookiejar/pull/39\n- https://github.com/bmeck/node-cookiejar/pull/39/commits/eaa00021caf6ae09449dde826108153b578348e5\n- https://security.snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-3176681\n- https://security.snyk.io/vuln/SNYK-JS-COOKIEJAR-3149984\n- https://github.com/bmeck/node-cookiejar/blob/master/cookiejar.js#23L73\n- https://github.com/advisories/GHSA-h452-7996-h45h","created":"2023-01-18T06:31:03.000Z","reported_by":null,"title":"cookiejar Regular Expression Denial of Service via Cookie.parse function","npm_advisory_id":null,"overview":"Versions of the package cookiejar before 2.1.4 are vulnerable to Regular Expression Denial of Service (ReDoS) via the `Cookie.parse` function and other aspects of the API, which use an insecure regular expression for parsing cookie values. 
Applications could be stalled for extended periods of time if untrusted input is passed to cookie values or attempted to parse from request headers.\n\nProof of concept:\n\n```\nts\\nconst { CookieJar } = require(\"cookiejar\");\n\nconst jar = new CookieJar();\n\nconst start = performance.now();\n\nconst attack = \"a\" + \"t\".repeat(50_000);\njar.setCookie(attack);\n\nconsole.log(`CookieJar.setCookie(): ${performance.now() - start}ms`);\n\n```\n\n```\nCookieJar.setCookie(): 2963.214399999939ms\n```","url":"https://github.com/advisories/GHSA-h452-7996-h45h"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1092461,"path":"@hmcts/nodejs-healthcheck>superagent>semver","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"7.3.5","paths":["@hmcts/nodejs-healthcheck>superagent>semver"]}],"metadata":null,"vulnerable_versions":">=7.0.0 <7.5.2","module_name":"semver","severity":"moderate","github_advisory_id":"GHSA-c2qf-rxjj-qqgw","cves":["CVE-2022-25883"],"access":"public","patched_versions":">=7.5.2","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-07-10T22:57:58.000Z","recommendation":"Upgrade to version 7.5.2 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092461,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25883\n- https://github.com/npm/node-semver/pull/564\n- https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441\n- https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795\n- https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L138\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L160\n- https://github.com/npm/node-semver/pull/585\n- https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c\n- https://github.com/npm/node-semver/pull/593\n- 
https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0\n- https://github.com/advisories/GHSA-c2qf-rxjj-qqgw","created":"2023-06-21T06:30:28.000Z","reported_by":null,"title":"semver vulnerable to Regular Expression Denial of Service","npm_advisory_id":null,"overview":"Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.","url":"https://github.com/advisories/GHSA-c2qf-rxjj-qqgw"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1092425,"path":"tsconfig-paths>json5","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"1.0.1","paths":["tsconfig-paths>json5"]}],"metadata":null,"vulnerable_versions":"<1.0.2","module_name":"json5","severity":"high","github_advisory_id":"GHSA-9c47-m6qq-7p4h","cves":["CVE-2022-46175"],"access":"public","patched_versions":">=1.0.2","cvss":{"score":7.1,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H"},"updated":"2023-07-07T18:17:19.000Z","recommendation":"Upgrade to version 1.0.2 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1092425,"references":"- https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h\n- https://nvd.nist.gov/vuln/detail/CVE-2022-46175\n- https://github.com/json5/json5/issues/199\n- https://github.com/json5/json5/issues/295\n- https://github.com/json5/json5/pull/298\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3S26TLPLVFAJTUN3VIXFDEBEXDYO22CE/\n- https://github.com/json5/json5/commit/62a65408408d40aeea14c7869ed327acead12972\n- https://github.com/json5/json5/commit/7774c1097993bc3ce9f0ac4b722a32bf7d6871c8\n- https://github.com/advisories/GHSA-9c47-m6qq-7p4h","created":"2022-12-29T01:51:03.000Z","reported_by":null,"title":"Prototype Pollution in JSON5 
via Parse Method","npm_advisory_id":null,"overview":"The `parse` method of the JSON5 library before and including version `2.2.1` does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object.\n\nThis vulnerability pollutes the prototype of the object returned by `JSON5.parse` and not the global Object prototype, which is the commonly understood definition of Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations.\n\n## Impact\nThis vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution.\n\n## Mitigation\nThis vulnerability is patched in json5 v2.2.2 and later. A patch has also been backported for json5 v1 in versions v1.0.2 and later.\n\n## Details\n \nSuppose a developer wants to allow users and admins to perform some risky operation, but they want to restrict what non-admins can do. 
To accomplish this, they accept a JSON blob from the user, parse it using `JSON5.parse`, confirm that the provided data does not set some sensitive keys, and then performs the risky operation using the validated data:\n \n```js\nconst JSON5 = require('json5');\n\nconst doSomethingDangerous = (props) => {\n if (props.isAdmin) {\n console.log('Doing dangerous thing as admin.');\n } else {\n console.log('Doing dangerous thing as user.');\n }\n};\n\nconst secCheckKeysSet = (obj, searchKeys) => {\n let searchKeyFound = false;\n Object.keys(obj).forEach((key) => {\n if (searchKeys.indexOf(key) > -1) {\n searchKeyFound = true;\n }\n });\n return searchKeyFound;\n};\n\nconst props = JSON5.parse('{\"foo\": \"bar\"}');\nif (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {\n doSomethingDangerous(props); // \"Doing dangerous thing as user.\"\n} else {\n throw new Error('Forbidden...');\n}\n```\n \nIf the user attempts to set the `isAdmin` key, their request will be rejected:\n \n```js\nconst props = JSON5.parse('{\"foo\": \"bar\", \"isAdmin\": true}');\nif (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {\n doSomethingDangerous(props);\n} else {\n throw new Error('Forbidden...'); // Error: Forbidden...\n}\n```\n \nHowever, users can instead set the `__proto__` key to `{\"isAdmin\": true}`. 
`JSON5` will parse this key and will set the `isAdmin` key on the prototype of the returned object, allowing the user to bypass the security check and run their request as an admin:\n \n```js\nconst props = JSON5.parse('{\"foo\": \"bar\", \"__proto__\": {\"isAdmin\": true}}');\nif (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {\n doSomethingDangerous(props); // \"Doing dangerous thing as admin.\"\n} else {\n throw new Error('Forbidden...');\n}\n ```","url":"https://github.com/advisories/GHSA-9c47-m6qq-7p4h"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1091174,"path":"glob>minimatch","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"3.0.4","paths":["glob>minimatch"]}],"metadata":null,"vulnerable_versions":"<3.0.5","module_name":"minimatch","severity":"high","github_advisory_id":"GHSA-f8q6-p94x-37v3","cves":["CVE-2022-3517"],"access":"public","patched_versions":">=3.0.5","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-02-28T19:28:58.000Z","recommendation":"Upgrade to version 3.0.5 or later","cwe":["CWE-400"],"found_by":null,"deleted":null,"id":1091174,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-3517\n- https://github.com/grafana/grafana-image-renderer/issues/329\n- https://github.com/isaacs/minimatch/commit/a8763f4388e51956be62dc6025cec1126beeb5e6\n- https://github.com/nodejs/node/issues/42510\n- https://lists.debian.org/debian-lts-announce/2023/01/msg00011.html\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MTEUUTNIEBHGKUKKLNUZSV7IEP6IP3Q3/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UM6XJ73Q3NAM5KSGCOKJ2ZIA6GUWUJLK/\n- https://github.com/advisories/GHSA-f8q6-p94x-37v3","created":"2022-10-18T12:00:32.000Z","reported_by":null,"title":"minimatch ReDoS vulnerability","npm_advisory_id":null,"overview":"A vulnerability was found in the minimatch package. 
This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.","url":"https://github.com/advisories/GHSA-f8q6-p94x-37v3"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1091441,"path":"@hmcts/nodejs-logging>moment","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"2.29.2","paths":["@hmcts/nodejs-logging>moment","@hmcts/nodejs-healthcheck>@hmcts/nodejs-logging>moment"]}],"metadata":null,"vulnerable_versions":">=2.18.0 <2.29.4","module_name":"moment","severity":"high","github_advisory_id":"GHSA-wc69-rhjr-hc9g","cves":["CVE-2022-31129"],"access":"public","patched_versions":">=2.29.4","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-03-20T23:29:32.000Z","recommendation":"Upgrade to version 2.29.4 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1091441,"references":"- https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g\n- https://github.com/moment/moment/pull/6015#issuecomment-1152961973\n- https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-31129\n- https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/\n- https://security.netapp.com/advisory/ntap-20221014-0003/\n- https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html\n- 
https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4\n- https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe\n- https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504\n- https://github.com/advisories/GHSA-wc69-rhjr-hc9g","created":"2022-07-06T18:38:49.000Z","reported_by":null,"title":"Moment.js vulnerable to Inefficient Regular Expression Complexity","npm_advisory_id":null,"overview":"### Impact\n\n* using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs\n* noticeable slowdown is observed with inputs above 10k characters\n* users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks\n\n### Patches\nThe problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking.\n\n### Workarounds\nIn general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment users who do pass a user-originating string to constructor are encouraged to apply such a rudimentary filter, that would help with this but also most future ReDoS vulnerabilities.\n\n### References\nThere is an excellent writeup of the issue here: https://github.com/moment/moment/pull/6015#issuecomment-1152961973=\n\n### Details\nThe issue is rooted in the code that removes legacy comments (stuff inside parenthesis) from strings during rfc2822 parsing. 
`moment(\"(\".repeat(500000))` will take a few minutes to process, which is unacceptable.","url":"https://github.com/advisories/GHSA-wc69-rhjr-hc9g"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1091441,"path":"@hmcts/nodejs-healthcheck>@hmcts/nodejs-logging>moment","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"2.29.2","paths":["@hmcts/nodejs-logging>moment","@hmcts/nodejs-healthcheck>@hmcts/nodejs-logging>moment"]}],"metadata":null,"vulnerable_versions":">=2.18.0 <2.29.4","module_name":"moment","severity":"high","github_advisory_id":"GHSA-wc69-rhjr-hc9g","cves":["CVE-2022-31129"],"access":"public","patched_versions":">=2.29.4","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-03-20T23:29:32.000Z","recommendation":"Upgrade to version 2.29.4 or later","cwe":["CWE-400","CWE-1333"],"found_by":null,"deleted":null,"id":1091441,"references":"- https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g\n- https://github.com/moment/moment/pull/6015#issuecomment-1152961973\n- https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3\n- https://nvd.nist.gov/vuln/detail/CVE-2022-31129\n- https://huntr.dev/bounties/f0952b67-f2ff-44a9-a9cd-99e0a87cb633/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6QIO6YNLTK2T7SPKDS4JEL45FANLNC2Q/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ORJX2LF6KMPIHP6B2P6KZIVKMLE3LVJ5/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IWY24RJA3SBJGA5N4CU4VBPHJPPPJL5O/\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZMX5YHELQVCGKKQVFXIYOTBMN23YYSRO/\n- https://security.netapp.com/advisory/ntap-20221014-0003/\n- https://lists.debian.org/debian-lts-announce/2023/01/msg00035.html\n- 
https://github.com/moment/moment/pull/6015/commits/4bbb9f3ccbe231de40207503f344fe5ce97584f4\n- https://github.com/moment/moment/pull/6015/commits/bfd4f2375d5c1a2106246721d693a9611dddfbfe\n- https://github.com/moment/moment/pull/6015/commits/dc0d180e90d8a84f7ff13572363330a22b3ea504\n- https://github.com/advisories/GHSA-wc69-rhjr-hc9g","created":"2022-07-06T18:38:49.000Z","reported_by":null,"title":"Moment.js vulnerable to Inefficient Regular Expression Complexity","npm_advisory_id":null,"overview":"### Impact\n\n* using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs\n* noticeable slowdown is observed with inputs above 10k characters\n* users who pass user-provided strings without sanity length checks to moment constructor are vulnerable to (Re)DoS attacks\n\n### Patches\nThe problem is patched in 2.29.4, the patch can be applied to all affected versions with minimal tweaking.\n\n### Workarounds\nIn general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment users who do pass a user-originating string to constructor are encouraged to apply such a rudimentary filter, that would help with this but also most future ReDoS vulnerabilities.\n\n### References\nThere is an excellent writeup of the issue here: https://github.com/moment/moment/pull/6015#issuecomment-1152961973=\n\n### Details\nThe issue is rooted in the code that removes legacy comments (stuff inside parenthesis) from strings during rfc2822 parsing. 
`moment(\"(\".repeat(500000))` will take a few minutes to process, which is unacceptable.","url":"https://github.com/advisories/GHSA-wc69-rhjr-hc9g"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1091775,"path":"nunjucks","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"3.2.3","paths":["nunjucks"]}],"metadata":null,"vulnerable_versions":"<3.2.4","module_name":"nunjucks","severity":"moderate","github_advisory_id":"GHSA-x77j-w7wf-fjmw","cves":["CVE-2023-2142"],"access":"public","patched_versions":">=3.2.4","cvss":{"score":0,"vectorString":null},"updated":"2023-04-20T21:19:27.000Z","recommendation":"Upgrade to version 3.2.4 or later","cwe":["CWE-79"],"found_by":null,"deleted":null,"id":1091775,"references":"- https://github.com/mozilla/nunjucks/security/advisories/GHSA-x77j-w7wf-fjmw\n- https://github.com/mozilla/nunjucks/pull/1437\n- https://github.com/mozilla/nunjucks/commit/ec16d210e7e13f862eccdb0bc9af9f60ff6749d6\n- https://bugzilla.mozilla.org/show_bug.cgi?id=1825980\n- https://github.com/mozilla/nunjucks/releases/tag/v3.2.4\n- https://github.com/advisories/GHSA-x77j-w7wf-fjmw","created":"2023-04-20T21:19:24.000Z","reported_by":null,"title":"Nunjucks autoescape bypass leads to cross site scripting","npm_advisory_id":null,"overview":"### Impact\nIn Nunjucks versions prior to version 3.2.4, it was possible to bypass the restrictions which are provided by the autoescape functionality. 
If there are two user-controlled parameters on the same line used in the views, it was possible to inject cross site scripting payloads using the backslash `\\` character.\n\n#### Example\nIf the user-controlled parameters were used in the views similar to the following:\n```\n\n```\n\nIt is possible to inject XSS payload using the below parameters:\n```\nhttps:///?lang=jp\\&place=};alert(document.domain)//\n```\n\n### Patches\nThe issue was patched in version 3.2.4.\n\n### References\n\n- https://bugzilla.mozilla.org/show_bug.cgi?id=1825980\n","url":"https://github.com/advisories/GHSA-x77j-w7wf-fjmw"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1092301,"path":"applicationinsights>@azure/core-http>xml2js","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"0.4.23","paths":["applicationinsights>@azure/core-http>xml2js"]}],"metadata":null,"vulnerable_versions":"<0.5.0","module_name":"xml2js","severity":"moderate","github_advisory_id":"GHSA-776f-qx25-q3cc","cves":["CVE-2023-0842"],"access":"public","patched_versions":">=0.5.0","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"},"updated":"2023-06-21T18:11:17.000Z","recommendation":"Upgrade to version 0.5.0 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1092301,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-0842\n- https://fluidattacks.com/advisories/myers/\n- https://github.com/Leonidas-from-XIV/node-xml2js/issues/663\n- https://github.com/Leonidas-from-XIV/node-xml2js/pull/603/commits/581b19a62d88f8a3c068b5a45f4542c2d6a495a5\n- https://github.com/advisories/GHSA-776f-qx25-q3cc","created":"2023-04-05T21:30:24.000Z","reported_by":null,"title":"xml2js is vulnerable to prototype pollution","npm_advisory_id":null,"overview":"xml2js versions before 0.5.0 allows an external attacker to edit or add new properties to an object. 
This is possible because the application does not properly validate incoming JSON keys, thus allowing the `__proto__` property to be edited.","url":"https://github.com/advisories/GHSA-776f-qx25-q3cc"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1092426,"path":"config>json5","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"2.2.0","paths":["config>json5"]}],"metadata":null,"vulnerable_versions":">=2.0.0 <2.2.2","module_name":"json5","severity":"high","github_advisory_id":"GHSA-9c47-m6qq-7p4h","cves":["CVE-2022-46175"],"access":"public","patched_versions":">=2.2.2","cvss":{"score":7.1,"vectorString":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:L/A:H"},"updated":"2023-07-07T18:17:19.000Z","recommendation":"Upgrade to version 2.2.2 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1092426,"references":"- https://github.com/json5/json5/security/advisories/GHSA-9c47-m6qq-7p4h\n- https://nvd.nist.gov/vuln/detail/CVE-2022-46175\n- https://github.com/json5/json5/issues/199\n- https://github.com/json5/json5/issues/295\n- https://github.com/json5/json5/pull/298\n- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3S26TLPLVFAJTUN3VIXFDEBEXDYO22CE/\n- https://github.com/json5/json5/commit/62a65408408d40aeea14c7869ed327acead12972\n- https://github.com/json5/json5/commit/7774c1097993bc3ce9f0ac4b722a32bf7d6871c8\n- https://github.com/advisories/GHSA-9c47-m6qq-7p4h","created":"2022-12-29T01:51:03.000Z","reported_by":null,"title":"Prototype Pollution in JSON5 via Parse Method","npm_advisory_id":null,"overview":"The `parse` method of the JSON5 library before and including version `2.2.1` does not restrict parsing of keys named `__proto__`, allowing specially crafted strings to pollute the prototype of the resulting object.\n\nThis vulnerability pollutes the prototype of the object returned by `JSON5.parse` and not the global Object prototype, which is the commonly understood definition of 
Prototype Pollution. However, polluting the prototype of a single object can have significant security impact for an application if the object is later used in trusted operations.\n\n## Impact\nThis vulnerability could allow an attacker to set arbitrary and unexpected keys on the object returned from `JSON5.parse`. The actual impact will depend on how applications utilize the returned object and how they filter unwanted keys, but could include denial of service, cross-site scripting, elevation of privilege, and in extreme cases, remote code execution.\n\n## Mitigation\nThis vulnerability is patched in json5 v2.2.2 and later. A patch has also been backported for json5 v1 in versions v1.0.2 and later.\n\n## Details\n \nSuppose a developer wants to allow users and admins to perform some risky operation, but they want to restrict what non-admins can do. To accomplish this, they accept a JSON blob from the user, parse it using `JSON5.parse`, confirm that the provided data does not set some sensitive keys, and then performs the risky operation using the validated data:\n \n```js\nconst JSON5 = require('json5');\n\nconst doSomethingDangerous = (props) => {\n if (props.isAdmin) {\n console.log('Doing dangerous thing as admin.');\n } else {\n console.log('Doing dangerous thing as user.');\n }\n};\n\nconst secCheckKeysSet = (obj, searchKeys) => {\n let searchKeyFound = false;\n Object.keys(obj).forEach((key) => {\n if (searchKeys.indexOf(key) > -1) {\n searchKeyFound = true;\n }\n });\n return searchKeyFound;\n};\n\nconst props = JSON5.parse('{\"foo\": \"bar\"}');\nif (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {\n doSomethingDangerous(props); // \"Doing dangerous thing as user.\"\n} else {\n throw new Error('Forbidden...');\n}\n```\n \nIf the user attempts to set the `isAdmin` key, their request will be rejected:\n \n```js\nconst props = JSON5.parse('{\"foo\": \"bar\", \"isAdmin\": true}');\nif (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {\n 
doSomethingDangerous(props);\n} else {\n throw new Error('Forbidden...'); // Error: Forbidden...\n}\n```\n \nHowever, users can instead set the `__proto__` key to `{\"isAdmin\": true}`. `JSON5` will parse this key and will set the `isAdmin` key on the prototype of the returned object, allowing the user to bypass the security check and run their request as an admin:\n \n```js\nconst props = JSON5.parse('{\"foo\": \"bar\", \"__proto__\": {\"isAdmin\": true}}');\nif (!secCheckKeysSet(props, ['isAdmin', 'isMod'])) {\n doSomethingDangerous(props); // \"Doing dangerous thing as admin.\"\n} else {\n throw new Error('Forbidden...');\n}\n ```","url":"https://github.com/advisories/GHSA-9c47-m6qq-7p4h"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1092470,"path":"applicationinsights>@azure/core-http>tough-cookie","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"4.0.0","paths":["applicationinsights>@azure/core-http>tough-cookie"]}],"metadata":null,"vulnerable_versions":"<4.1.3","module_name":"tough-cookie","severity":"moderate","github_advisory_id":"GHSA-72xf-g2v4-qvf3","cves":["CVE-2023-26136"],"access":"public","patched_versions":">=4.1.3","cvss":{"score":6.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"},"updated":"2023-07-11T13:44:36.000Z","recommendation":"Upgrade to version 4.1.3 or later","cwe":["CWE-1321"],"found_by":null,"deleted":null,"id":1092470,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2023-26136\n- https://github.com/salesforce/tough-cookie/issues/282\n- https://github.com/salesforce/tough-cookie/commit/12d474791bb856004e858fdb1c47b7608d09cf6e\n- https://github.com/salesforce/tough-cookie/releases/tag/v4.1.3\n- https://security.snyk.io/vuln/SNYK-JS-TOUGHCOOKIE-5672873\n- https://lists.debian.org/debian-lts-announce/2023/07/msg00010.html\n- https://github.com/advisories/GHSA-72xf-g2v4-qvf3","created":"2023-07-01T06:30:16.000Z","reported_by":null,"title":"tough-cookie Prototype Pollution 
vulnerability","npm_advisory_id":null,"overview":"Versions of the package tough-cookie before 4.1.3 are vulnerable to Prototype Pollution due to improper handling of Cookies when using CookieJar in `rejectPublicSuffixes=false` mode. This issue arises from the manner in which the objects are initialized.","url":"https://github.com/advisories/GHSA-72xf-g2v4-qvf3"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1088997,"path":"express-fileupload>busboy>dicer","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"0.3.0","paths":["express-fileupload>busboy>dicer"]},{"version":"0.2.5","paths":["multer>busboy>dicer"]}],"metadata":null,"vulnerable_versions":"<=0.3.1","module_name":"dicer","severity":"high","github_advisory_id":"GHSA-wm7h-9275-46v2","cves":["CVE-2022-24434"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-01-27T05:02:36.000Z","recommendation":"None","cwe":["CWE-248"],"found_by":null,"deleted":null,"id":1088997,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-24434\n- https://github.com/mscdex/busboy/issues/250\n- https://github.com/mscdex/dicer/pull/22\n- https://github.com/mscdex/dicer/pull/22/commits/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac\n- https://snyk.io/vuln/SNYK-JS-DICER-2311764\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865\n- https://github.com/advisories/GHSA-wm7h-9275-46v2","created":"2022-05-21T00:00:25.000Z","reported_by":null,"title":"Crash in HeaderParser in dicer","npm_advisory_id":null,"overview":"This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. 
A complete denial of service can be achived by sending the malicious form in a loop.","url":"https://github.com/advisories/GHSA-wm7h-9275-46v2"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1088997,"path":"multer>busboy>dicer","dev":false,"bundled":false,"optional":false},"advisory":{"findings":[{"version":"0.3.0","paths":["express-fileupload>busboy>dicer"]},{"version":"0.2.5","paths":["multer>busboy>dicer"]}],"metadata":null,"vulnerable_versions":"<=0.3.1","module_name":"dicer","severity":"high","github_advisory_id":"GHSA-wm7h-9275-46v2","cves":["CVE-2022-24434"],"access":"public","patched_versions":"<0.0.0","cvss":{"score":7.5,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},"updated":"2023-01-27T05:02:36.000Z","recommendation":"None","cwe":["CWE-248"],"found_by":null,"deleted":null,"id":1088997,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-24434\n- https://github.com/mscdex/busboy/issues/250\n- https://github.com/mscdex/dicer/pull/22\n- https://github.com/mscdex/dicer/pull/22/commits/b7fca2e93e8e9d4439d8acc5c02f5e54a0112dac\n- https://snyk.io/vuln/SNYK-JS-DICER-2311764\n- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-2838865\n- https://github.com/advisories/GHSA-wm7h-9275-46v2","created":"2022-05-21T00:00:25.000Z","reported_by":null,"title":"Crash in HeaderParser in dicer","npm_advisory_id":null,"overview":"This affects all versions of package dicer. A malicious attacker can send a modified form to server, and crash the nodejs service. 
A complete denial of service can be achived by sending the malicious form in a loop.","url":"https://github.com/advisories/GHSA-wm7h-9275-46v2"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1092459,"path":"applicationinsights>cls-hooked>semver","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"5.7.1","paths":["applicationinsights>cls-hooked>semver"]},{"version":"5.7.1","paths":["applicationinsights>continuation-local-storage>async-listener>semver"]},{"version":"5.7.1","paths":["applicationinsights>diagnostic-channel>semver"]}],"metadata":null,"vulnerable_versions":"<5.7.2","module_name":"semver","severity":"moderate","github_advisory_id":"GHSA-c2qf-rxjj-qqgw","cves":["CVE-2022-25883"],"access":"public","patched_versions":">=5.7.2","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-07-10T22:57:58.000Z","recommendation":"Upgrade to version 5.7.2 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092459,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25883\n- https://github.com/npm/node-semver/pull/564\n- https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441\n- https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795\n- https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L138\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L160\n- https://github.com/npm/node-semver/pull/585\n- https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c\n- https://github.com/npm/node-semver/pull/593\n- https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0\n- https://github.com/advisories/GHSA-c2qf-rxjj-qqgw","created":"2023-06-21T06:30:28.000Z","reported_by":null,"title":"semver vulnerable to Regular Expression Denial of Service","npm_advisory_id":null,"overview":"Versions of the package semver before 
7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.","url":"https://github.com/advisories/GHSA-c2qf-rxjj-qqgw"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1092459,"path":"applicationinsights>continuation-local-storage>async-listener>semver","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"5.7.1","paths":["applicationinsights>cls-hooked>semver"]},{"version":"5.7.1","paths":["applicationinsights>continuation-local-storage>async-listener>semver"]},{"version":"5.7.1","paths":["applicationinsights>diagnostic-channel>semver"]}],"metadata":null,"vulnerable_versions":"<5.7.2","module_name":"semver","severity":"moderate","github_advisory_id":"GHSA-c2qf-rxjj-qqgw","cves":["CVE-2022-25883"],"access":"public","patched_versions":">=5.7.2","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-07-10T22:57:58.000Z","recommendation":"Upgrade to version 5.7.2 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092459,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25883\n- https://github.com/npm/node-semver/pull/564\n- https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441\n- https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795\n- https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L138\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L160\n- https://github.com/npm/node-semver/pull/585\n- https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c\n- https://github.com/npm/node-semver/pull/593\n- https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0\n- 
https://github.com/advisories/GHSA-c2qf-rxjj-qqgw","created":"2023-06-21T06:30:28.000Z","reported_by":null,"title":"semver vulnerable to Regular Expression Denial of Service","npm_advisory_id":null,"overview":"Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.","url":"https://github.com/advisories/GHSA-c2qf-rxjj-qqgw"}}} +{"type":"auditAdvisory","data":{"resolution":{"id":1092459,"path":"applicationinsights>diagnostic-channel>semver","dev":false,"optional":false,"bundled":false},"advisory":{"findings":[{"version":"5.7.1","paths":["applicationinsights>cls-hooked>semver"]},{"version":"5.7.1","paths":["applicationinsights>continuation-local-storage>async-listener>semver"]},{"version":"5.7.1","paths":["applicationinsights>diagnostic-channel>semver"]}],"metadata":null,"vulnerable_versions":"<5.7.2","module_name":"semver","severity":"moderate","github_advisory_id":"GHSA-c2qf-rxjj-qqgw","cves":["CVE-2022-25883"],"access":"public","patched_versions":">=5.7.2","cvss":{"score":5.3,"vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},"updated":"2023-07-10T22:57:58.000Z","recommendation":"Upgrade to version 5.7.2 or later","cwe":["CWE-1333"],"found_by":null,"deleted":null,"id":1092459,"references":"- https://nvd.nist.gov/vuln/detail/CVE-2022-25883\n- https://github.com/npm/node-semver/pull/564\n- https://github.com/npm/node-semver/commit/717534ee353682f3bcf33e60a8af4292626d4441\n- https://security.snyk.io/vuln/SNYK-JS-SEMVER-3247795\n- https://github.com/npm/node-semver/blob/main/classes/range.js#L97-L104\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L138\n- https://github.com/npm/node-semver/blob/main/internal/re.js#L160\n- https://github.com/npm/node-semver/pull/585\n- 
https://github.com/npm/node-semver/commit/928e56d21150da0413a3333a3148b20e741a920c\n- https://github.com/npm/node-semver/pull/593\n- https://github.com/npm/node-semver/commit/2f8fd41487acf380194579ecb6f8b1bbfe116be0\n- https://github.com/advisories/GHSA-c2qf-rxjj-qqgw","created":"2023-06-21T06:30:28.000Z","reported_by":null,"title":"semver vulnerable to Regular Expression Denial of Service","npm_advisory_id":null,"overview":"Versions of the package semver before 7.5.2 on the 7.x branch, before 6.3.1 on the 6.x branch, and all other versions before 5.7.2 are vulnerable to Regular Expression Denial of Service (ReDoS) via the function new Range, when untrusted user data is provided as a range.","url":"https://github.com/advisories/GHSA-c2qf-rxjj-qqgw"}}}