CVE-2026-44288: CVE-2026-44288 remediation plan for ccd-api-gateway

package.json

@@ -22,7 +22,7 @@
     "@hmcts/nodejs-healthcheck": "^1.8.0",
     "@hmcts/nodejs-logging": "^4.0.4",
     "@hmcts/properties-volume": "^0.0.14",
-    "applicationinsights": "3.14.0",
+    "applicationinsights": "3.15.0",
     "body-parser": "^2.0.0",
     "brace-expansion": "^5.0.5",
     "config": "^4.0.0",

yarn-audit-known-issues

@@ -1,15 +1,4 @@
-{"value":"@opentelemetry/exporter-prometheus","children":{"ID":1117943,"Issue":"Prometheus exporter process crash via malformed HTTP request","URL":"https://github.com/advisories/GHSA-q7rr-3cgh-j5r3","Severity":"high","Vulnerable Versions":"<0.217.0","Tree Versions":["0.208.0"],"Dependents":["@opentelemetry/sdk-node@virtual:80ada54060a8abbacc1898b1b2541ceb44fe11cabd792eebfb46d5f15800812cacdfde07a342a649235428a91534c4432d22cba3d7f1242d962e82d3c9d3f0cb#npm:0.208.0"]}}
-{"value":"@opentelemetry/sdk-node","children":{"ID":1117942,"Issue":"Prometheus exporter process crash via malformed HTTP request","URL":"https://github.com/advisories/GHSA-q7rr-3cgh-j5r3","Severity":"high","Vulnerable Versions":"<0.217.0","Tree Versions":["0.208.0"],"Dependents":["@azure/monitor-opentelemetry@npm:1.16.0"]}}
-{"value":"@protobufjs/utf8","children":{"ID":1118933,"Issue":"protobufjs has overlong UTF-8 decoding","URL":"https://github.com/advisories/GHSA-q6x5-8v7m-xcrf","Severity":"moderate","Vulnerable Versions":"<=1.1.0","Tree Versions":["1.1.0"],"Dependents":["protobufjs@npm:7.5.5"]}}
 {"value":"glob","children":{"ID":"glob (deprecation)","Issue":"Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me","Severity":"moderate","Vulnerable Versions":"7.2.3","Tree Versions":["7.2.3"],"Dependents":["nyc@npm:15.1.0"]}}
 {"value":"inflight","children":{"ID":"inflight (deprecation)","Issue":"This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.","Severity":"moderate","Vulnerable Versions":"1.0.6","Tree Versions":["1.0.6"],"Dependents":["glob@npm:7.2.3"]}}
-{"value":"protobufjs","children":{"ID":1118641,"Issue":"protobuf.js: Code injection through bytes field defaults in generated toObject code","URL":"https://github.com/advisories/GHSA-66ff-xgx4-vchm","Severity":"high","Vulnerable Versions":"<=7.5.5","Tree Versions":["7.5.5"],"Dependents":["@opentelemetry/otlp-transformer@virtual:e5e738d5f8fd0ff82fd4a132fa0a52b7cd5ef9973a73f79167e24d95e4e4fcd3d3eec44802acf4c68bc02a289d56ee19dbc37a8dae5b1c48fa8b5380189af860#npm:0.208.0"]}}
-{"value":"protobufjs","children":{"ID":1118924,"Issue":"protobuf.js: Denial of service from crafted field names in generated code","URL":"https://github.com/advisories/GHSA-2pr8-phx7-x9h3","Severity":"moderate","Vulnerable Versions":"<=7.5.5","Tree Versions":["7.5.5"],"Dependents":["@opentelemetry/otlp-transformer@virtual:e5e738d5f8fd0ff82fd4a132fa0a52b7cd5ef9973a73f79167e24d95e4e4fcd3d3eec44802acf4c68bc02a289d56ee19dbc37a8dae5b1c48fa8b5380189af860#npm:0.208.0"]}}
-{"value":"protobufjs","children":{"ID":1118926,"Issue":"protobuf.js: Prototype injection in generated message constructors","URL":"https://github.com/advisories/GHSA-fx83-v9x8-x52w","Severity":"moderate","Vulnerable Versions":"<=7.5.5","Tree Versions":["7.5.5"],"Dependents":["@opentelemetry/otlp-transformer@virtual:e5e738d5f8fd0ff82fd4a132fa0a52b7cd5ef9973a73f79167e24d95e4e4fcd3d3eec44802acf4c68bc02a289d56ee19dbc37a8dae5b1c48fa8b5380189af860#npm:0.208.0"]}}
-{"value":"protobufjs","children":{"ID":1118928,"Issue":"protobuf.js: Code generation gadget after prototype pollution","URL":"https://github.com/advisories/GHSA-75px-5xx7-5xc7","Severity":"high","Vulnerable Versions":"<=7.5.5","Tree Versions":["7.5.5"],"Dependents":["@opentelemetry/otlp-transformer@virtual:e5e738d5f8fd0ff82fd4a132fa0a52b7cd5ef9973a73f79167e24d95e4e4fcd3d3eec44802acf4c68bc02a289d56ee19dbc37a8dae5b1c48fa8b5380189af860#npm:0.208.0"]}}
-{"value":"protobufjs","children":{"ID":1118930,"Issue":"protobuf.js: Process-wide denial of service through unsafe option paths","URL":"https://github.com/advisories/GHSA-jvwf-75h9-cwgg","Severity":"high","Vulnerable Versions":"<=7.5.5","Tree Versions":["7.5.5"],"Dependents":["@opentelemetry/otlp-transformer@virtual:e5e738d5f8fd0ff82fd4a132fa0a52b7cd5ef9973a73f79167e24d95e4e4fcd3d3eec44802acf4c68bc02a289d56ee19dbc37a8dae5b1c48fa8b5380189af860#npm:0.208.0"]}}
-{"value":"protobufjs","children":{"ID":1118932,"Issue":"protobuf.js: Denial of service through unbounded protobuf recursion","URL":"https://github.com/advisories/GHSA-685m-2w69-288q","Severity":"high","Vulnerable Versions":"<=7.5.5","Tree Versions":["7.5.5"],"Dependents":["@opentelemetry/otlp-transformer@virtual:e5e738d5f8fd0ff82fd4a132fa0a52b7cd5ef9973a73f79167e24d95e4e4fcd3d3eec44802acf4c68bc02a289d56ee19dbc37a8dae5b1c48fa8b5380189af860#npm:0.208.0"]}}
-{"value":"protobufjs","children":{"ID":1118935,"Issue":"protobufjs has overlong UTF-8 decoding","URL":"https://github.com/advisories/GHSA-q6x5-8v7m-xcrf","Severity":"moderate","Vulnerable Versions":"<=7.5.5","Tree Versions":["7.5.5"],"Dependents":["@opentelemetry/otlp-transformer@virtual:e5e738d5f8fd0ff82fd4a132fa0a52b7cd5ef9973a73f79167e24d95e4e4fcd3d3eec44802acf4c68bc02a289d56ee19dbc37a8dae5b1c48fa8b5380189af860#npm:0.208.0"]}}
-{"value":"protobufjs","children":{"ID":1119378,"Issue":"protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion","URL":"https://github.com/advisories/GHSA-jggg-4jg4-v7c6","Severity":"moderate","Vulnerable Versions":"<=7.5.7","Tree Versions":["7.5.5"],"Dependents":["@opentelemetry/otlp-transformer@virtual:e5e738d5f8fd0ff82fd4a132fa0a52b7cd5ef9973a73f79167e24d95e4e4fcd3d3eec44802acf4c68bc02a289d56ee19dbc37a8dae5b1c48fa8b5380189af860#npm:0.208.0"]}}
 {"value":"rimraf","children":{"ID":"rimraf (deprecation)","Issue":"Rimraf versions prior to v4 are no longer supported","Severity":"moderate","Vulnerable Versions":"3.0.2","Tree Versions":["3.0.2"],"Dependents":["nyc@npm:15.1.0"]}}
 {"value":"uuid","children":{"ID":1119441,"Issue":"uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided","URL":"https://github.com/advisories/GHSA-w5hq-g745-h8pq","Severity":"moderate","Vulnerable Versions":"<11.1.1","Tree Versions":["8.3.2"],"Dependents":["@azure/functions@npm:3.5.1"]}}