Local Codex :: implement CVE-2026-44291 ** do not merge **

package.json

@@ -188,7 +188,9 @@
     "on-headers": "^1.1.0",
     "brace-expansion": "^1.1.13",
     "cookie": "^1.1.1",
-    "diff": "^8.0.3"
+    "diff": "^8.0.3",
+    "protobufjs@npm:8.0.1": "npm:8.5.0",
+    "protobufjs@npm:^7.5.3": "npm:7.6.2"
   },
   "nyc": {
     "extension": [

yarn-audit-known-issues

@@ -1,4 +1,3 @@
-{"value":"@protobufjs/utf8","children":{"ID":1118933,"Issue":"protobufjs has overlong UTF-8 decoding","URL":"https://github.com/advisories/GHSA-q6x5-8v7m-xcrf","Severity":"moderate","Vulnerable Versions":"<=1.1.0","Tree Versions":["1.1.0"],"Dependents":["protobufjs@npm:8.0.1"]}}
 {"value":"@tootallnate/once","children":{"ID":1119438,"Issue":"@tootallnate/once vulnerable to Incorrect Control Flow Scoping","URL":"https://github.com/advisories/GHSA-vpq2-c234-7xj6","Severity":"low","Vulnerable Versions":"<2.0.1","Tree Versions":["2.0.0"],"Dependents":["http-proxy-agent@npm:5.0.0"]}}
 {"value":"abab","children":{"ID":"abab (deprecation)","Issue":"Use your platform's native atob() and btoa() methods instead","Severity":"moderate","Vulnerable Versions":"2.0.6","Tree Versions":["2.0.6"],"Dependents":["jsdom@virtual:765dd21400b9887d1cda8410e14996ece3abd2d473a1afb27695f43d295da769ea8bf3ebcf77d15b6687aeeeff789a6f299e6aeede434e237808bef39343fe75#npm:20.0.3"]}}
 {"value":"csurf","children":{"ID":"csurf (deprecation)","Issue":"This package is archived and no longer maintained. For support, visit https://github.com/expressjs/express/discussions","Severity":"moderate","Vulnerable Versions":"1.11.0","Tree Versions":["1.11.0"],"Dependents":["ccd-admin-web@workspace:."]}}
@@ -10,22 +9,5 @@
 {"value":"ip-address","children":{"ID":1118827,"Issue":"ip-address has XSS in Address6 HTML-emitting methods","URL":"https://github.com/advisories/GHSA-v2v4-37r5-5v8g","Severity":"moderate","Vulnerable Versions":"<=10.1.0","Tree Versions":["10.1.0"],"Dependents":["socks@npm:2.8.7"]}}
 {"value":"lodash.isequal","children":{"ID":"lodash.isequal (deprecation)","Issue":"This package is deprecated. Use require('node:util').isDeepStrictEqual instead.","Severity":"moderate","Vulnerable Versions":"4.5.0","Tree Versions":["4.5.0"],"Dependents":["@fast-csv/format@npm:4.3.5"]}}
 {"value":"multer","children":{"ID":"multer (deprecation)","Issue":"Multer 1.x is impacted by a number of vulnerabilities, which have been patched in 2.x. You should upgrade to the latest 2.x version.","Severity":"moderate","Vulnerable Versions":"1.4.5-lts.2","Tree Versions":["1.4.5-lts.2"],"Dependents":["ccd-admin-web@workspace:."]}}
-{"value":"protobufjs","children":{"ID":1117571,"Issue":"Arbitrary code execution in protobufjs","URL":"https://github.com/advisories/GHSA-xq3m-2v4x-88gg","Severity":"critical","Vulnerable Versions":"<7.5.5","Tree Versions":["7.5.4"],"Dependents":["@grpc/proto-loader@npm:0.8.0"]}}
-{"value":"protobufjs","children":{"ID":1118640,"Issue":"protobuf.js: Code injection through bytes field defaults in generated toObject code","URL":"https://github.com/advisories/GHSA-66ff-xgx4-vchm","Severity":"high","Vulnerable Versions":">=8.0.0 <=8.0.1","Tree Versions":["8.0.1"],"Dependents":["@opentelemetry/otlp-transformer@virtual:322a2107a6aa310c2a06b3448cb9bb76d7bbf254e8660a79ccc09aa7c7484ea03bf1600695c5f1a72214540162ed6438abe5c04b57cef81244dfd24705486c1b#npm:0.217.0"]}}
-{"value":"protobufjs","children":{"ID":1118641,"Issue":"protobuf.js: Code injection through bytes field defaults in generated toObject code","URL":"https://github.com/advisories/GHSA-66ff-xgx4-vchm","Severity":"high","Vulnerable Versions":"<=7.5.5","Tree Versions":["7.5.4"],"Dependents":["@grpc/proto-loader@npm:0.8.0"]}}
-{"value":"protobufjs","children":{"ID":1118923,"Issue":"protobuf.js: Denial of service from crafted field names in generated code","URL":"https://github.com/advisories/GHSA-2pr8-phx7-x9h3","Severity":"moderate","Vulnerable Versions":">=8.0.0 <=8.0.1","Tree Versions":["8.0.1"],"Dependents":["@opentelemetry/otlp-transformer@virtual:322a2107a6aa310c2a06b3448cb9bb76d7bbf254e8660a79ccc09aa7c7484ea03bf1600695c5f1a72214540162ed6438abe5c04b57cef81244dfd24705486c1b#npm:0.217.0"]}}
-{"value":"protobufjs","children":{"ID":1118924,"Issue":"protobuf.js: Denial of service from crafted field names in generated code","URL":"https://github.com/advisories/GHSA-2pr8-phx7-x9h3","Severity":"moderate","Vulnerable Versions":"<=7.5.5","Tree Versions":["7.5.4"],"Dependents":["@grpc/proto-loader@npm:0.8.0"]}}
-{"value":"protobufjs","children":{"ID":1118925,"Issue":"protobuf.js: Prototype injection in generated message constructors","URL":"https://github.com/advisories/GHSA-fx83-v9x8-x52w","Severity":"moderate","Vulnerable Versions":">=8.0.0 <=8.0.1","Tree Versions":["8.0.1"],"Dependents":["@opentelemetry/otlp-transformer@virtual:322a2107a6aa310c2a06b3448cb9bb76d7bbf254e8660a79ccc09aa7c7484ea03bf1600695c5f1a72214540162ed6438abe5c04b57cef81244dfd24705486c1b#npm:0.217.0"]}}
-{"value":"protobufjs","children":{"ID":1118926,"Issue":"protobuf.js: Prototype injection in generated message constructors","URL":"https://github.com/advisories/GHSA-fx83-v9x8-x52w","Severity":"moderate","Vulnerable Versions":"<=7.5.5","Tree Versions":["7.5.4"],"Dependents":["@grpc/proto-loader@npm:0.8.0"]}}
-{"value":"protobufjs","children":{"ID":1118927,"Issue":"protobuf.js: Code generation gadget after prototype pollution","URL":"https://github.com/advisories/GHSA-75px-5xx7-5xc7","Severity":"high","Vulnerable Versions":">=8.0.0 <=8.0.1","Tree Versions":["8.0.1"],"Dependents":["@opentelemetry/otlp-transformer@virtual:322a2107a6aa310c2a06b3448cb9bb76d7bbf254e8660a79ccc09aa7c7484ea03bf1600695c5f1a72214540162ed6438abe5c04b57cef81244dfd24705486c1b#npm:0.217.0"]}}
-{"value":"protobufjs","children":{"ID":1118928,"Issue":"protobuf.js: Code generation gadget after prototype pollution","URL":"https://github.com/advisories/GHSA-75px-5xx7-5xc7","Severity":"high","Vulnerable Versions":"<=7.5.5","Tree Versions":["7.5.4"],"Dependents":["@grpc/proto-loader@npm:0.8.0"]}}
-{"value":"protobufjs","children":{"ID":1118929,"Issue":"protobuf.js: Process-wide denial of service through unsafe option paths","URL":"https://github.com/advisories/GHSA-jvwf-75h9-cwgg","Severity":"high","Vulnerable Versions":">=8.0.0 <=8.0.1","Tree Versions":["8.0.1"],"Dependents":["@opentelemetry/otlp-transformer@virtual:322a2107a6aa310c2a06b3448cb9bb76d7bbf254e8660a79ccc09aa7c7484ea03bf1600695c5f1a72214540162ed6438abe5c04b57cef81244dfd24705486c1b#npm:0.217.0"]}}
-{"value":"protobufjs","children":{"ID":1118930,"Issue":"protobuf.js: Process-wide denial of service through unsafe option paths","URL":"https://github.com/advisories/GHSA-jvwf-75h9-cwgg","Severity":"high","Vulnerable Versions":"<=7.5.5","Tree Versions":["7.5.4"],"Dependents":["@grpc/proto-loader@npm:0.8.0"]}}
-{"value":"protobufjs","children":{"ID":1118931,"Issue":"protobuf.js: Denial of service through unbounded protobuf recursion","URL":"https://github.com/advisories/GHSA-685m-2w69-288q","Severity":"high","Vulnerable Versions":">=8.0.0 <=8.0.1","Tree Versions":["8.0.1"],"Dependents":["@opentelemetry/otlp-transformer@virtual:322a2107a6aa310c2a06b3448cb9bb76d7bbf254e8660a79ccc09aa7c7484ea03bf1600695c5f1a72214540162ed6438abe5c04b57cef81244dfd24705486c1b#npm:0.217.0"]}}
-{"value":"protobufjs","children":{"ID":1118932,"Issue":"protobuf.js: Denial of service through unbounded protobuf recursion","URL":"https://github.com/advisories/GHSA-685m-2w69-288q","Severity":"high","Vulnerable Versions":"<=7.5.5","Tree Versions":["7.5.4"],"Dependents":["@grpc/proto-loader@npm:0.8.0"]}}
-{"value":"protobufjs","children":{"ID":1118934,"Issue":"protobufjs has overlong UTF-8 decoding","URL":"https://github.com/advisories/GHSA-q6x5-8v7m-xcrf","Severity":"moderate","Vulnerable Versions":">=8.0.0 <=8.0.1","Tree Versions":["8.0.1"],"Dependents":["@opentelemetry/otlp-transformer@virtual:322a2107a6aa310c2a06b3448cb9bb76d7bbf254e8660a79ccc09aa7c7484ea03bf1600695c5f1a72214540162ed6438abe5c04b57cef81244dfd24705486c1b#npm:0.217.0"]}}
-{"value":"protobufjs","children":{"ID":1118935,"Issue":"protobufjs has overlong UTF-8 decoding","URL":"https://github.com/advisories/GHSA-q6x5-8v7m-xcrf","Severity":"moderate","Vulnerable Versions":"<=7.5.5","Tree Versions":["7.5.4"],"Dependents":["@grpc/proto-loader@npm:0.8.0"]}}
-{"value":"protobufjs","children":{"ID":1119377,"Issue":"protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion","URL":"https://github.com/advisories/GHSA-jggg-4jg4-v7c6","Severity":"moderate","Vulnerable Versions":">=8.0.0 <8.2.0","Tree Versions":["8.0.1"],"Dependents":["@opentelemetry/otlp-transformer@virtual:322a2107a6aa310c2a06b3448cb9bb76d7bbf254e8660a79ccc09aa7c7484ea03bf1600695c5f1a72214540162ed6438abe5c04b57cef81244dfd24705486c1b#npm:0.217.0"]}}
-{"value":"protobufjs","children":{"ID":1119378,"Issue":"protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion","URL":"https://github.com/advisories/GHSA-jggg-4jg4-v7c6","Severity":"moderate","Vulnerable Versions":"<=7.5.7","Tree Versions":["7.5.4"],"Dependents":["@grpc/proto-loader@npm:0.8.0"]}}
 {"value":"uuid","children":{"ID":1119441,"Issue":"uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided","URL":"https://github.com/advisories/GHSA-w5hq-g745-h8pq","Severity":"moderate","Vulnerable Versions":"<11.1.1","Tree Versions":["8.3.2"],"Dependents":["@azure/functions@npm:3.5.1"]}}
 {"value":"whatwg-encoding","children":{"ID":"whatwg-encoding (deprecation)","Issue":"Use @exodus/bytes instead for a more spec-conformant and faster implementation","Severity":"moderate","Vulnerable Versions":"2.0.0","Tree Versions":["2.0.0"],"Dependents":["jsdom@virtual:765dd21400b9887d1cda8410e14996ece3abd2d473a1afb27695f43d295da769ea8bf3ebcf77d15b6687aeeeff789a6f299e6aeede434e237808bef39343fe75#npm:20.0.3"]}}

yarn.lock

@@ -1694,27 +1694,26 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@protobufjs/codegen@npm:^2.0.4":
-  version: 2.0.4
-  resolution: "@protobufjs/codegen@npm:2.0.4"
-  checksum: 10/c6ee5fa172a8464f5253174d3c2353ea520c2573ad7b6476983d9b1346f4d8f2b44aa29feb17a949b83c1816bc35286a5ea265ed9d8fdd2865acfa09668c0447
+"@protobufjs/codegen@npm:^2.0.5":
+  version: 2.0.5
+  resolution: "@protobufjs/codegen@npm:2.0.5"
+  checksum: 10/290335fa114f26202abc0695f279d53e2fd516b01cfd8298923591e0bda011295ff40e3582a1cda0a0f27cbc5039a0292082d5ad08872bb5d6243a614ac15c88
   languageName: node
   linkType: hard
 
-"@protobufjs/eventemitter@npm:^1.1.0":
-  version: 1.1.0
-  resolution: "@protobufjs/eventemitter@npm:1.1.0"
-  checksum: 10/03af3e99f17ad421283d054c88a06a30a615922a817741b43ca1b13e7c6b37820a37f6eba9980fb5150c54dba6e26cb6f7b64a6f7d8afa83596fafb3afa218c3
+"@protobufjs/eventemitter@npm:^1.1.1":
+  version: 1.1.1
+  resolution: "@protobufjs/eventemitter@npm:1.1.1"
+  checksum: 10/a54dc1aff4475ffad4fdf3235c71a553f5e40e3b4cf6a2e217151895a61cb4eb0be20d63791db22441ca25e594671f1021977133f9939540750231ff7d8e9dd6
   languageName: node
   linkType: hard
 
-"@protobufjs/fetch@npm:^1.1.0":
-  version: 1.1.0
-  resolution: "@protobufjs/fetch@npm:1.1.0"
+"@protobufjs/fetch@npm:^1.1.1":
+  version: 1.1.1
+  resolution: "@protobufjs/fetch@npm:1.1.1"
   dependencies:
     "@protobufjs/aspromise": "npm:^1.1.1"
-    "@protobufjs/inquire": "npm:^1.1.0"
-  checksum: 10/67ae40572ad536e4ef94269199f252c024b66e3059850906bdaee161ca1d75c73d04d35cd56f147a8a5a079f5808e342b99e61942c1dae15604ff0600b09a958
+  checksum: 10/427cf2da8c69b494b0df3b2fb1f43c97f0f71ca2c8ef8232dac7e44f2527ad0cc9cecb243eda14a918e86018bfa6d54d92252240d2b37ed205b13adb5506fa1d
   languageName: node
   linkType: hard
 
@@ -1725,10 +1724,10 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@protobufjs/inquire@npm:^1.1.0":
-  version: 1.1.0
-  resolution: "@protobufjs/inquire@npm:1.1.0"
-  checksum: 10/c09efa34a5465cb120775e1a482136f2340a58b4abce7e93d72b8b5a9324a0e879275016ef9fcd73d72a4731639c54f2bb755bb82f916e4a78892d1d840bb3d2
+"@protobufjs/inquire@npm:^1.1.2":
+  version: 1.1.2
+  resolution: "@protobufjs/inquire@npm:1.1.2"
+  checksum: 10/259756489c75a751552df60d18f82503d2534855646397b96b91cf15807fa852e99bd9eb73dabb64da37aec7913844032ecb031a4326d82aae622f5e4c2f8a17
   languageName: node
   linkType: hard
 
@@ -1746,10 +1745,10 @@ __metadata:
   languageName: node
   linkType: hard
 
-"@protobufjs/utf8@npm:^1.1.0":
-  version: 1.1.0
-  resolution: "@protobufjs/utf8@npm:1.1.0"
-  checksum: 10/131e289c57534c1d73a0e55782d6751dd821db1583cb2f7f7e017c9d6747addaebe79f28120b2e0185395d990aad347fb14ffa73ef4096fa38508d61a0e64602
+"@protobufjs/utf8@npm:^1.1.1":
+  version: 1.1.1
+  resolution: "@protobufjs/utf8@npm:1.1.1"
+  checksum: 10/ed0c3f9ff1afd602a0aed54c4c03a0b8f641686a5587d8949e088dcac653fb2019d15691ed92eef23dfdf9f4293249532d0508ecd15cef810acf026917719a19
   languageName: node
   linkType: hard
 
@@ -7823,7 +7822,7 @@ __metadata:
   languageName: node
   linkType: hard
 
-"long@npm:^5.0.0":
+"long@npm:^5.0.0, long@npm:^5.3.2":
   version: 5.3.2
   resolution: "long@npm:5.3.2"
   checksum: 10/b6b55ddae56fcce2864d37119d6b02fe28f6dd6d9e44fd22705f86a9254b9321bd69e9ffe35263b4846d54aba197c64882adcb8c543f2383c1e41284b321ea64
@@ -9511,43 +9510,32 @@ __metadata:
   languageName: node
   linkType: hard
 
-"protobufjs@npm:8.0.1":
-  version: 8.0.1
-  resolution: "protobufjs@npm:8.0.1"
+"protobufjs@npm:7.6.2":
+  version: 7.6.2
+  resolution: "protobufjs@npm:7.6.2"
   dependencies:
     "@protobufjs/aspromise": "npm:^1.1.2"
     "@protobufjs/base64": "npm:^1.1.2"
-    "@protobufjs/codegen": "npm:^2.0.4"
-    "@protobufjs/eventemitter": "npm:^1.1.0"
-    "@protobufjs/fetch": "npm:^1.1.0"
+    "@protobufjs/codegen": "npm:^2.0.5"
+    "@protobufjs/eventemitter": "npm:^1.1.1"
+    "@protobufjs/fetch": "npm:^1.1.1"
     "@protobufjs/float": "npm:^1.0.2"
-    "@protobufjs/inquire": "npm:^1.1.0"
+    "@protobufjs/inquire": "npm:^1.1.2"
     "@protobufjs/path": "npm:^1.1.2"
     "@protobufjs/pool": "npm:^1.1.0"
-    "@protobufjs/utf8": "npm:^1.1.0"
+    "@protobufjs/utf8": "npm:^1.1.1"
     "@types/node": "npm:>=13.7.0"
-    long: "npm:^5.0.0"
-  checksum: 10/71431cbb8013206052f404a01b0e10b2f1a07595937eebaba7f30e168b50d26ad1a1d5d6f6d23fa3497c0ee4ad2983ad598aec7e68f0f3ee17ed49a4842a86da
+    long: "npm:^5.3.2"
+  checksum: 10/964e39237febf2369cba371175a49602ccc7582f059504ab35e27adb01c690ad669bc2c134577f08f5fb55d1dc8320483f6a65a97f236dc6e749046d89283b5f
   languageName: node
   linkType: hard
 
-"protobufjs@npm:^7.5.3":
-  version: 7.5.4
-  resolution: "protobufjs@npm:7.5.4"
+"protobufjs@npm:8.5.0":
+  version: 8.5.0
+  resolution: "protobufjs@npm:8.5.0"
   dependencies:
-    "@protobufjs/aspromise": "npm:^1.1.2"
-    "@protobufjs/base64": "npm:^1.1.2"
-    "@protobufjs/codegen": "npm:^2.0.4"
-    "@protobufjs/eventemitter": "npm:^1.1.0"
-    "@protobufjs/fetch": "npm:^1.1.0"
-    "@protobufjs/float": "npm:^1.0.2"
-    "@protobufjs/inquire": "npm:^1.1.0"
-    "@protobufjs/path": "npm:^1.1.2"
-    "@protobufjs/pool": "npm:^1.1.0"
-    "@protobufjs/utf8": "npm:^1.1.0"
-    "@types/node": "npm:>=13.7.0"
-    long: "npm:^5.0.0"
-  checksum: 10/88d677bb6f11a2ecec63fdd053dfe6d31120844d04e865efa9c8fbe0674cd077d6624ecfdf014018a20dcb114ae2a59c1b21966dd8073e920650c71370966439
+    long: "npm:^5.3.2"
+  checksum: 10/31fc8237b3d77a22e41f3aba75223dd254ceb85491de74595201830ddf49e14b785bde80fbacb2a01e6c7084906a43d3587759dbcd96b6cc8646b288da9efe19
   languageName: node
   linkType: hard