From acaca5d4c2729b66f30c136c5afd7124a4343f88 Mon Sep 17 00:00:00 2001
From: "hmcts-github-ccd[bot]" <82895213+hmcts-github-ccd[bot]@users.noreply.github.com>
Date: Thu, 4 Jun 2026 12:57:22 +0000
Subject: [PATCH] chore(cve): implement CVE-2026-44289
---
 package.json | 1 +
 yarn-audit-known-issues | 18 ------
 yarn.lock | 125 ++--------------------------------------
 3 files changed, 7 insertions(+), 137 deletions(-)
diff --git a/package.json b/package.json
index eff1aac3..78e8ef50 100644
--- a/package.json
+++ b/package.json
@@ -173,6 +173,7 @@
 "cookiejar": "^2.1.4",
 "ua-parser-js": "^1.0.0",
 "http-cache-semantics": "^4.1.1",
+ "protobufjs": "npm:8.5.0",
 "jackspeak": "2.3.6",
 "semver": "7.8.1",
 "ip": "2.0.1",
diff --git a/yarn-audit-known-issues b/yarn-audit-known-issues
index 9183979e..37f80909 100644
--- a/yarn-audit-known-issues
+++ b/yarn-audit-known-issues
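Review bot: The new `"protobufjs": "npm:8.5.0"` entry (this appears to be the `resolutions` block, given the exact pins around it) forces every protobufjs consumer onto 8.x, including `@grpc/proto-loader@npm:0.8.0`, which the removed yarn.lock entry and the removed known-issues rows indicate was resolving `protobufjs@npm:^7.5.3`; a forced jump across a major version on a transitive dependency installs cleanly but can break at runtime, so the gRPC/proto-loader code paths should be exercised before this merges. The pin is also an exact version rather than a range such as `"protobufjs": "npm:^8.5.0"`, so later protobufjs security releases will not be picked up without another manual edit — if exact pinning is the convention here (the neighbouring `semver` and `ip` entries suggest it is), it is worth stating in the PR description that this pin must be re-bumped on the next advisory. The subject names CVE-2026-44289, yet the removed yarn-audit-known-issues entries carry only GHSA identifiers, so which of them corresponds to that CVE cannot be confirmed from this patch.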
@@ -1,4 +1,3 @@
-{"value":"@protobufjs/utf8","children":{"ID":1118933,"Issue":"protobufjs has overlong UTF-8 decoding","URL":"https://github.com/advisories/GHSA-q6x5-8v7m-xcrf","Severity":"moderate","Vulnerable Versions":"<=1.1.0","Tree Versions":["1.1.0"],"Dependents":["protobufjs@npm:8.0.1"]}}
 {"value":"@tootallnate/once","children":{"ID":1119438,"Issue":"@tootallnate/once vulnerable to Incorrect Control Flow Scoping","URL":"https://github.com/advisories/GHSA-vpq2-c234-7xj6","Severity":"low","Vulnerable Versions":"<2.0.1","Tree Versions":["2.0.0"],"Dependents":["http-proxy-agent@npm:5.0.0"]}}
 {"value":"abab","children":{"ID":"abab (deprecation)","Issue":"Use your platform's native atob() and btoa() methods instead","Severity":"moderate","Vulnerable Versions":"2.0.6","Tree Versions":["2.0.6"],"Dependents":["jsdom@virtual:765dd21400b9887d1cda8410e14996ece3abd2d473a1afb27695f43d295da769ea8bf3ebcf77d15b6687aeeeff789a6f299e6aeede434e237808bef39343fe75#npm:20.0.3"]}}
 {"value":"csurf","children":{"ID":"csurf (deprecation)","Issue":"This package is archived and no longer maintained. For support, visit https://github.com/expressjs/express/discussions","Severity":"moderate","Vulnerable Versions":"1.11.0","Tree Versions":["1.11.0"],"Dependents":["ccd-admin-web@workspace:."]}}
@@ -10,22 +9,5 @@
 {"value":"ip-address","children":{"ID":1118827,"Issue":"ip-address has XSS in Address6 HTML-emitting methods","URL":"https://github.com/advisories/GHSA-v2v4-37r5-5v8g","Severity":"moderate","Vulnerable Versions":"<=10.1.0","Tree Versions":["10.1.0"],"Dependents":["socks@npm:2.8.7"]}}
 {"value":"lodash.isequal","children":{"ID":"lodash.isequal (deprecation)","Issue":"This package is deprecated. Use require('node:util').isDeepStrictEqual instead.","Severity":"moderate","Vulnerable Versions":"4.5.0","Tree Versions":["4.5.0"],"Dependents":["@fast-csv/format@npm:4.3.5"]}}
 {"value":"multer","children":{"ID":"multer (deprecation)","Issue":"Multer 1.x is impacted by a number of vulnerabilities, which have been patched in 2.x. You should upgrade to the latest 2.x version.","Severity":"moderate","Vulnerable Versions":"1.4.5-lts.2","Tree Versions":["1.4.5-lts.2"],"Dependents":["ccd-admin-web@workspace:."]}}
-{"value":"protobufjs","children":{"ID":1117571,"Issue":"Arbitrary code execution in protobufjs","URL":"https://github.com/advisories/GHSA-xq3m-2v4x-88gg","Severity":"critical","Vulnerable Versions":"<7.5.5","Tree Versions":["7.5.4"],"Dependents":["@grpc/proto-loader@npm:0.8.0"]}}
-{"value":"protobufjs","children":{"ID":1118640,"Issue":"protobuf.js: Code injection through bytes field defaults in generated toObject code","URL":"https://github.com/advisories/GHSA-66ff-xgx4-vchm","Severity":"high","Vulnerable Versions":">=8.0.0 <=8.0.1","Tree Versions":["8.0.1"],"Dependents":["@opentelemetry/otlp-transformer@virtual:322a2107a6aa310c2a06b3448cb9bb76d7bbf254e8660a79ccc09aa7c7484ea03bf1600695c5f1a72214540162ed6438abe5c04b57cef81244dfd24705486c1b#npm:0.217.0"]}}
-{"value":"protobufjs","children":{"ID":1118641,"Issue":"protobuf.js: Code injection through bytes field defaults in generated toObject code","URL":"https://github.com/advisories/GHSA-66ff-xgx4-vchm","Severity":"high","Vulnerable Versions":"<=7.5.5","Tree Versions":["7.5.4"],"Dependents":["@grpc/proto-loader@npm:0.8.0"]}}
-{"value":"protobufjs","children":{"ID":1118923,"Issue":"protobuf.js: Denial of service from crafted field names in generated code","URL":"https://github.com/advisories/GHSA-2pr8-phx7-x9h3","Severity":"moderate","Vulnerable Versions":">=8.0.0 <=8.0.1","Tree Versions":["8.0.1"],"Dependents":["@opentelemetry/otlp-transformer@virtual:322a2107a6aa310c2a06b3448cb9bb76d7bbf254e8660a79ccc09aa7c7484ea03bf1600695c5f1a72214540162ed6438abe5c04b57cef81244dfd24705486c1b#npm:0.217.0"]}}
-{"value":"protobufjs","children":{"ID":1118924,"Issue":"protobuf.js: Denial of service from crafted field names in generated code","URL":"https://github.com/advisories/GHSA-2pr8-phx7-x9h3","Severity":"moderate","Vulnerable Versions":"<=7.5.5","Tree Versions":["7.5.4"],"Dependents":["@grpc/proto-loader@npm:0.8.0"]}}
-{"value":"protobufjs","children":{"ID":1118925,"Issue":"protobuf.js: Prototype injection in generated message constructors","URL":"https://github.com/advisories/GHSA-fx83-v9x8-x52w","Severity":"moderate","Vulnerable Versions":">=8.0.0 <=8.0.1","Tree Versions":["8.0.1"],"Dependents":["@opentelemetry/otlp-transformer@virtual:322a2107a6aa310c2a06b3448cb9bb76d7bbf254e8660a79ccc09aa7c7484ea03bf1600695c5f1a72214540162ed6438abe5c04b57cef81244dfd24705486c1b#npm:0.217.0"]}}
-{"value":"protobufjs","children":{"ID":1118926,"Issue":"protobuf.js: Prototype injection in generated message constructors","URL":"https://github.com/advisories/GHSA-fx83-v9x8-x52w","Severity":"moderate","Vulnerable Versions":"<=7.5.5","Tree Versions":["7.5.4"],"Dependents":["@grpc/proto-loader@npm:0.8.0"]}}
-{"value":"protobufjs","children":{"ID":1118927,"Issue":"protobuf.js: Code generation gadget after prototype pollution","URL":"https://github.com/advisories/GHSA-75px-5xx7-5xc7","Severity":"high","Vulnerable Versions":">=8.0.0 <=8.0.1","Tree Versions":["8.0.1"],"Dependents":["@opentelemetry/otlp-transformer@virtual:322a2107a6aa310c2a06b3448cb9bb76d7bbf254e8660a79ccc09aa7c7484ea03bf1600695c5f1a72214540162ed6438abe5c04b57cef81244dfd24705486c1b#npm:0.217.0"]}}
-{"value":"protobufjs","children":{"ID":1118928,"Issue":"protobuf.js: Code generation gadget after prototype pollution","URL":"https://github.com/advisories/GHSA-75px-5xx7-5xc7","Severity":"high","Vulnerable Versions":"<=7.5.5","Tree Versions":["7.5.4"],"Dependents":["@grpc/proto-loader@npm:0.8.0"]}}
-{"value":"protobufjs","children":{"ID":1118929,"Issue":"protobuf.js: Process-wide denial of service through unsafe option paths","URL":"https://github.com/advisories/GHSA-jvwf-75h9-cwgg","Severity":"high","Vulnerable Versions":">=8.0.0 <=8.0.1","Tree Versions":["8.0.1"],"Dependents":["@opentelemetry/otlp-transformer@virtual:322a2107a6aa310c2a06b3448cb9bb76d7bbf254e8660a79ccc09aa7c7484ea03bf1600695c5f1a72214540162ed6438abe5c04b57cef81244dfd24705486c1b#npm:0.217.0"]}}
-{"value":"protobufjs","children":{"ID":1118930,"Issue":"protobuf.js: Process-wide denial of service through unsafe option paths","URL":"https://github.com/advisories/GHSA-jvwf-75h9-cwgg","Severity":"high","Vulnerable Versions":"<=7.5.5","Tree Versions":["7.5.4"],"Dependents":["@grpc/proto-loader@npm:0.8.0"]}}
-{"value":"protobufjs","children":{"ID":1118931,"Issue":"protobuf.js: Denial of service through unbounded protobuf recursion","URL":"https://github.com/advisories/GHSA-685m-2w69-288q","Severity":"high","Vulnerable Versions":">=8.0.0 <=8.0.1","Tree Versions":["8.0.1"],"Dependents":["@opentelemetry/otlp-transformer@virtual:322a2107a6aa310c2a06b3448cb9bb76d7bbf254e8660a79ccc09aa7c7484ea03bf1600695c5f1a72214540162ed6438abe5c04b57cef81244dfd24705486c1b#npm:0.217.0"]}}
-{"value":"protobufjs","children":{"ID":1118932,"Issue":"protobuf.js: Denial of service through unbounded protobuf recursion","URL":"https://github.com/advisories/GHSA-685m-2w69-288q","Severity":"high","Vulnerable Versions":"<=7.5.5","Tree Versions":["7.5.4"],"Dependents":["@grpc/proto-loader@npm:0.8.0"]}}
-{"value":"protobufjs","children":{"ID":1118934,"Issue":"protobufjs has overlong UTF-8 decoding","URL":"https://github.com/advisories/GHSA-q6x5-8v7m-xcrf","Severity":"moderate","Vulnerable Versions":">=8.0.0 <=8.0.1","Tree Versions":["8.0.1"],"Dependents":["@opentelemetry/otlp-transformer@virtual:322a2107a6aa310c2a06b3448cb9bb76d7bbf254e8660a79ccc09aa7c7484ea03bf1600695c5f1a72214540162ed6438abe5c04b57cef81244dfd24705486c1b#npm:0.217.0"]}}
-{"value":"protobufjs","children":{"ID":1118935,"Issue":"protobufjs has overlong UTF-8 decoding","URL":"https://github.com/advisories/GHSA-q6x5-8v7m-xcrf","Severity":"moderate","Vulnerable Versions":"<=7.5.5","Tree Versions":["7.5.4"],"Dependents":["@grpc/proto-loader@npm:0.8.0"]}}
-{"value":"protobufjs","children":{"ID":1119377,"Issue":"protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion","URL":"https://github.com/advisories/GHSA-jggg-4jg4-v7c6","Severity":"moderate","Vulnerable Versions":">=8.0.0 <8.2.0","Tree Versions":["8.0.1"],"Dependents":["@opentelemetry/otlp-transformer@virtual:322a2107a6aa310c2a06b3448cb9bb76d7bbf254e8660a79ccc09aa7c7484ea03bf1600695c5f1a72214540162ed6438abe5c04b57cef81244dfd24705486c1b#npm:0.217.0"]}}
-{"value":"protobufjs","children":{"ID":1119378,"Issue":"protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion","URL":"https://github.com/advisories/GHSA-jggg-4jg4-v7c6","Severity":"moderate","Vulnerable Versions":"<=7.5.7","Tree Versions":["7.5.4"],"Dependents":["@grpc/proto-loader@npm:0.8.0"]}}
 {"value":"uuid","children":{"ID":1119441,"Issue":"uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided","URL":"https://github.com/advisories/GHSA-w5hq-g745-h8pq","Severity":"moderate","Vulnerable Versions":"<11.1.1","Tree Versions":["8.3.2"],"Dependents":["@azure/functions@npm:3.5.1"]}}
 {"value":"whatwg-encoding","children":{"ID":"whatwg-encoding (deprecation)","Issue":"Use @exodus/bytes instead for a more spec-conformant and faster implementation","Severity":"moderate","Vulnerable Versions":"2.0.0","Tree Versions":["2.0.0"],"Dependents":["jsdom@virtual:765dd21400b9887d1cda8410e14996ece3abd2d473a1afb27695f43d295da769ea8bf3ebcf77d15b6687aeeeff789a6f299e6aeede434e237808bef39343fe75#npm:20.0.3"]}}
diff --git a/yarn.lock b/yarn.lock
index c22aa8cc..15d3172a 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -1680,79 +1680,6 @@ __metadata:
 languageName: node
 linkType: hard
 
-"@protobufjs/aspromise@npm:^1.1.1, @protobufjs/aspromise@npm:^1.1.2":
- version: 1.1.2
- resolution: "@protobufjs/aspromise@npm:1.1.2"
- checksum: 10/8a938d84fe4889411296db66b29287bd61ea3c14c2d23e7a8325f46a2b8ce899857c5f038d65d7641805e6c1d06b495525c7faf00c44f85a7ee6476649034969
- languageName: node
- linkType: hard
-
-"@protobufjs/base64@npm:^1.1.2":
- version: 1.1.2
- resolution: "@protobufjs/base64@npm:1.1.2"
- checksum: 10/c71b100daeb3c9bdccab5cbc29495b906ba0ae22ceedc200e1ba49717d9c4ab15a6256839cebb6f9c6acae4ed7c25c67e0a95e734f612b258261d1a3098fe342
- languageName: node
- linkType: hard
-
-"@protobufjs/codegen@npm:^2.0.4":
- version: 2.0.4
- resolution: "@protobufjs/codegen@npm:2.0.4"
- checksum: 10/c6ee5fa172a8464f5253174d3c2353ea520c2573ad7b6476983d9b1346f4d8f2b44aa29feb17a949b83c1816bc35286a5ea265ed9d8fdd2865acfa09668c0447
- languageName: node
- linkType: hard
-
-"@protobufjs/eventemitter@npm:^1.1.0":
- version: 1.1.0
- resolution: "@protobufjs/eventemitter@npm:1.1.0"
- checksum: 10/03af3e99f17ad421283d054c88a06a30a615922a817741b43ca1b13e7c6b37820a37f6eba9980fb5150c54dba6e26cb6f7b64a6f7d8afa83596fafb3afa218c3
- languageName: node
- linkType: hard
-
-"@protobufjs/fetch@npm:^1.1.0":
- version: 1.1.0
- resolution: "@protobufjs/fetch@npm:1.1.0"
- dependencies:
- "@protobufjs/aspromise": "npm:^1.1.1"
- "@protobufjs/inquire": "npm:^1.1.0"
- checksum: 10/67ae40572ad536e4ef94269199f252c024b66e3059850906bdaee161ca1d75c73d04d35cd56f147a8a5a079f5808e342b99e61942c1dae15604ff0600b09a958
- languageName: node
- linkType: hard
-
-"@protobufjs/float@npm:^1.0.2":
- version: 1.0.2
- resolution: "@protobufjs/float@npm:1.0.2"
- checksum: 10/634c2c989da0ef2f4f19373d64187e2a79f598c5fb7991afb689d29a2ea17c14b796b29725945fa34b9493c17fb799e08ac0a7ccaae460ee1757d3083ed35187
- languageName: node
- linkType: hard
-
-"@protobufjs/inquire@npm:^1.1.0":
- version: 1.1.0
- resolution: "@protobufjs/inquire@npm:1.1.0"
- checksum: 10/c09efa34a5465cb120775e1a482136f2340a58b4abce7e93d72b8b5a9324a0e879275016ef9fcd73d72a4731639c54f2bb755bb82f916e4a78892d1d840bb3d2
- languageName: node
- linkType: hard
-
-"@protobufjs/path@npm:^1.1.2":
- version: 1.1.2
- resolution: "@protobufjs/path@npm:1.1.2"
- checksum: 10/bb709567935fd385a86ad1f575aea98131bbd719c743fb9b6edd6b47ede429ff71a801cecbd64fc72deebf4e08b8f1bd8062793178cdaed3713b8d15771f9b83
- languageName: node
- linkType: hard
-
-"@protobufjs/pool@npm:^1.1.0":
- version: 1.1.0
- resolution: "@protobufjs/pool@npm:1.1.0"
- checksum: 10/b9c7047647f6af28e92aac54f6f7c1f7ff31b201b4bfcc7a415b2861528854fce3ec666d7e7e10fd744da905f7d4aef2205bbcc8944ca0ca7a82e18134d00c46
- languageName: node
- linkType: hard
-
-"@protobufjs/utf8@npm:^1.1.0":
- version: 1.1.0
- resolution: "@protobufjs/utf8@npm:1.1.0"
- checksum: 10/131e289c57534c1d73a0e55782d6751dd821db1583cb2f7f7e017c9d6747addaebe79f28120b2e0185395d990aad347fb14ffa73ef4096fa38508d61a0e64602
- languageName: node
- linkType: hard
-
 "@puppeteer/browsers@npm:2.3.0":
 version: 2.3.0
 resolution: "@puppeteer/browsers@npm:2.3.0"
@@ -1956,15 +1883,6 @@ __metadata:
 languageName: node
 linkType: hard
 
-"@types/node@npm:>=13.7.0":
- version: 25.3.3
- resolution: "@types/node@npm:25.3.3"
- dependencies:
- undici-types: "npm:~7.18.0"
- checksum: 10/883e8942b0ddf89f9aae56c4205af8d9a368acd6cab83aa052447a6c5e69ce2bc8ab3f54e549233ada160ba9216dad7f30c62c35867c584fe844ae99f7dea2e0
- languageName: node
- linkType: hard
-
 "@types/node@npm:^10.5.4":
 version: 10.17.60
 resolution: "@types/node@npm:10.17.60"
@@ -7823,7 +7741,7 @@ __metadata:
 languageName: node
 linkType: hard
 
-"long@npm:^5.0.0":
+"long@npm:^5.0.0, long@npm:^5.3.2":
 version: 5.3.2
 resolution: "long@npm:5.3.2"
 checksum: 10/b6b55ddae56fcce2864d37119d6b02fe28f6dd6d9e44fd22705f86a9254b9321bd69e9ffe35263b4846d54aba197c64882adcb8c543f2383c1e41284b321ea64
@@ -9511,43 +9429,12 @@ __metadata:
 languageName: node
 linkType: hard
 
-"protobufjs@npm:8.0.1":
- version: 8.0.1
- resolution: "protobufjs@npm:8.0.1"
- dependencies:
- "@protobufjs/aspromise": "npm:^1.1.2"
- "@protobufjs/base64": "npm:^1.1.2"
- "@protobufjs/codegen": "npm:^2.0.4"
- "@protobufjs/eventemitter": "npm:^1.1.0"
- "@protobufjs/fetch": "npm:^1.1.0"
- "@protobufjs/float": "npm:^1.0.2"
- "@protobufjs/inquire": "npm:^1.1.0"
- "@protobufjs/path": "npm:^1.1.2"
- "@protobufjs/pool": "npm:^1.1.0"
- "@protobufjs/utf8": "npm:^1.1.0"
- "@types/node": "npm:>=13.7.0"
- long: "npm:^5.0.0"
- checksum: 10/71431cbb8013206052f404a01b0e10b2f1a07595937eebaba7f30e168b50d26ad1a1d5d6f6d23fa3497c0ee4ad2983ad598aec7e68f0f3ee17ed49a4842a86da
- languageName: node
- linkType: hard
-
-"protobufjs@npm:^7.5.3":
- version: 7.5.4
- resolution: "protobufjs@npm:7.5.4"
+"protobufjs@npm:8.5.0":
+ version: 8.5.0
+ resolution: "protobufjs@npm:8.5.0"
 dependencies:
- "@protobufjs/aspromise": "npm:^1.1.2"
- "@protobufjs/base64": "npm:^1.1.2"
- "@protobufjs/codegen": "npm:^2.0.4"
- "@protobufjs/eventemitter": "npm:^1.1.0"
- "@protobufjs/fetch": "npm:^1.1.0"
- "@protobufjs/float": "npm:^1.0.2"
- "@protobufjs/inquire": "npm:^1.1.0"
- "@protobufjs/path": "npm:^1.1.2"
- "@protobufjs/pool": "npm:^1.1.0"
- "@protobufjs/utf8": "npm:^1.1.0"
- "@types/node": "npm:>=13.7.0"
- long: "npm:^5.0.0"
- checksum: 10/88d677bb6f11a2ecec63fdd053dfe6d31120844d04e865efa9c8fbe0674cd077d6624ecfdf014018a20dcb114ae2a59c1b21966dd8073e920650c71370966439
+ long: "npm:^5.3.2"
+ checksum: 10/31fc8237b3d77a22e41f3aba75223dd254ceb85491de74595201830ddf49e14b785bde80fbacb2a01e6c7084906a43d3587759dbcd96b6cc8646b288da9efe19
 languageName: node
 linkType: hard