From fa1dc09e1c5a930296a057718b020a8761024517 Mon Sep 17 00:00:00 2001
From: "hmcts-github-ccd[bot]" <82895213+hmcts-github-ccd[bot]@users.noreply.github.com>
Date: Tue, 9 Jun 2026 10:55:20 +0000
Subject: [PATCH] chore(cve): implement CVE-2026-44290
---
 yarn-audit-known-issues | 9 ----
 yarn.lock | 112 +++-------------------------------------
 2 files changed, 6 insertions(+), 115 deletions(-)
diff --git a/yarn-audit-known-issues b/yarn-audit-known-issues
index a7df4f216..b64dcf3f2 100644
--- a/yarn-audit-known-issues
+++ b/yarn-audit-known-issues
@@ -1,15 +1,6 @@ {"value":"@opentelemetry/exporter-prometheus","children":{"ID":1120253,"Issue":"Prometheus exporter process crash via malformed HTTP request","URL":"https://github.com/advisories/GHSA-q7rr-3cgh-j5r3","Severity":"high","Vulnerable Versions":"<0.217.0","Tree Versions":["0.208.0"],"Dependents":["@opentelemetry/sdk-node@virtual:80ada54060a8abbacc1898b1b2541ceb44fe11cabd792eebfb46d5f15800812cacdfde07a342a649235428a91534c4432d22cba3d7f1242d962e82d3c9d3f0cb#npm:0.208.0"]}} {"value":"@opentelemetry/sdk-node","children":{"ID":1120252,"Issue":"Prometheus exporter process crash via malformed HTTP request","URL":"https://github.com/advisories/GHSA-q7rr-3cgh-j5r3","Severity":"high","Vulnerable Versions":"<0.217.0","Tree Versions":["0.208.0"],"Dependents":["@azure/monitor-opentelemetry@npm:1.16.0"]}} -{"value":"@protobufjs/utf8","children":{"ID":1118933,"Issue":"protobufjs has overlong UTF-8 decoding","URL":"https://github.com/advisories/GHSA-q6x5-8v7m-xcrf","Severity":"moderate","Vulnerable Versions":"<=1.1.0","Tree Versions":["1.1.0"],"Dependents":["protobufjs@npm:7.5.5"]}} {"value":"glob","children":{"ID":"glob (deprecation)","Issue":"Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me","Severity":"moderate","Vulnerable Versions":"7.2.3","Tree Versions":["7.2.3"],"Dependents":["nyc@npm:15.1.0"]}} {"value":"inflight","children":{"ID":"inflight (deprecation)","Issue":"This module is not supported, and leaks memory. Do not use it. 
Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.","Severity":"moderate","Vulnerable Versions":"1.0.6","Tree Versions":["1.0.6"],"Dependents":["glob@npm:7.2.3"]}} -{"value":"protobufjs","children":{"ID":1118641,"Issue":"protobuf.js: Code injection through bytes field defaults in generated toObject code","URL":"https://github.com/advisories/GHSA-66ff-xgx4-vchm","Severity":"high","Vulnerable Versions":"<=7.5.5","Tree Versions":["7.5.5"],"Dependents":["@opentelemetry/otlp-transformer@virtual:e5e738d5f8fd0ff82fd4a132fa0a52b7cd5ef9973a73f79167e24d95e4e4fcd3d3eec44802acf4c68bc02a289d56ee19dbc37a8dae5b1c48fa8b5380189af860#npm:0.208.0"]}} -{"value":"protobufjs","children":{"ID":1118924,"Issue":"protobuf.js: Denial of service from crafted field names in generated code","URL":"https://github.com/advisories/GHSA-2pr8-phx7-x9h3","Severity":"moderate","Vulnerable Versions":"<=7.5.5","Tree Versions":["7.5.5"],"Dependents":["@opentelemetry/otlp-transformer@virtual:e5e738d5f8fd0ff82fd4a132fa0a52b7cd5ef9973a73f79167e24d95e4e4fcd3d3eec44802acf4c68bc02a289d56ee19dbc37a8dae5b1c48fa8b5380189af860#npm:0.208.0"]}} -{"value":"protobufjs","children":{"ID":1118926,"Issue":"protobuf.js: Prototype injection in generated message constructors","URL":"https://github.com/advisories/GHSA-fx83-v9x8-x52w","Severity":"moderate","Vulnerable Versions":"<=7.5.5","Tree Versions":["7.5.5"],"Dependents":["@opentelemetry/otlp-transformer@virtual:e5e738d5f8fd0ff82fd4a132fa0a52b7cd5ef9973a73f79167e24d95e4e4fcd3d3eec44802acf4c68bc02a289d56ee19dbc37a8dae5b1c48fa8b5380189af860#npm:0.208.0"]}} -{"value":"protobufjs","children":{"ID":1118928,"Issue":"protobuf.js: Code generation gadget after prototype pollution","URL":"https://github.com/advisories/GHSA-75px-5xx7-5xc7","Severity":"high","Vulnerable Versions":"<=7.5.5","Tree 
Versions":["7.5.5"],"Dependents":["@opentelemetry/otlp-transformer@virtual:e5e738d5f8fd0ff82fd4a132fa0a52b7cd5ef9973a73f79167e24d95e4e4fcd3d3eec44802acf4c68bc02a289d56ee19dbc37a8dae5b1c48fa8b5380189af860#npm:0.208.0"]}} -{"value":"protobufjs","children":{"ID":1118930,"Issue":"protobuf.js: Process-wide denial of service through unsafe option paths","URL":"https://github.com/advisories/GHSA-jvwf-75h9-cwgg","Severity":"high","Vulnerable Versions":"<=7.5.5","Tree Versions":["7.5.5"],"Dependents":["@opentelemetry/otlp-transformer@virtual:e5e738d5f8fd0ff82fd4a132fa0a52b7cd5ef9973a73f79167e24d95e4e4fcd3d3eec44802acf4c68bc02a289d56ee19dbc37a8dae5b1c48fa8b5380189af860#npm:0.208.0"]}} -{"value":"protobufjs","children":{"ID":1118932,"Issue":"protobuf.js: Denial of service through unbounded protobuf recursion","URL":"https://github.com/advisories/GHSA-685m-2w69-288q","Severity":"high","Vulnerable Versions":"<=7.5.5","Tree Versions":["7.5.5"],"Dependents":["@opentelemetry/otlp-transformer@virtual:e5e738d5f8fd0ff82fd4a132fa0a52b7cd5ef9973a73f79167e24d95e4e4fcd3d3eec44802acf4c68bc02a289d56ee19dbc37a8dae5b1c48fa8b5380189af860#npm:0.208.0"]}} -{"value":"protobufjs","children":{"ID":1118935,"Issue":"protobufjs has overlong UTF-8 decoding","URL":"https://github.com/advisories/GHSA-q6x5-8v7m-xcrf","Severity":"moderate","Vulnerable Versions":"<=7.5.5","Tree Versions":["7.5.5"],"Dependents":["@opentelemetry/otlp-transformer@virtual:e5e738d5f8fd0ff82fd4a132fa0a52b7cd5ef9973a73f79167e24d95e4e4fcd3d3eec44802acf4c68bc02a289d56ee19dbc37a8dae5b1c48fa8b5380189af860#npm:0.208.0"]}} -{"value":"protobufjs","children":{"ID":1119378,"Issue":"protobufjs: Denial of Service via unbounded recursive JSON descriptor expansion","URL":"https://github.com/advisories/GHSA-jggg-4jg4-v7c6","Severity":"moderate","Vulnerable Versions":"<=7.5.7","Tree 
Versions":["7.5.5"],"Dependents":["@opentelemetry/otlp-transformer@virtual:e5e738d5f8fd0ff82fd4a132fa0a52b7cd5ef9973a73f79167e24d95e4e4fcd3d3eec44802acf4c68bc02a289d56ee19dbc37a8dae5b1c48fa8b5380189af860#npm:0.208.0"]}} {"value":"rimraf","children":{"ID":"rimraf (deprecation)","Issue":"Rimraf versions prior to v4 are no longer supported","Severity":"moderate","Vulnerable Versions":"3.0.2","Tree Versions":["3.0.2"],"Dependents":["nyc@npm:15.1.0"]}} {"value":"uuid","children":{"ID":1119441,"Issue":"uuid: Missing buffer bounds check in v3/v5/v6 when buf is provided","URL":"https://github.com/advisories/GHSA-w5hq-g745-h8pq","Severity":"moderate","Vulnerable Versions":"<11.1.1","Tree Versions":["8.3.2"],"Dependents":["@azure/functions@npm:3.5.1"]}} diff --git a/yarn.lock b/yarn.lock index 834e5cafb..5d7aa10ef 100644 --- a/yarn.lock +++ b/yarn.lock 
@@ -1385,79 +1385,6 @@ __metadata: languageName: node linkType: hard -"@protobufjs/aspromise@npm:^1.1.1, @protobufjs/aspromise@npm:^1.1.2": - version: 1.1.2 - resolution: "@protobufjs/aspromise@npm:1.1.2" - checksum: 10/8a938d84fe4889411296db66b29287bd61ea3c14c2d23e7a8325f46a2b8ce899857c5f038d65d7641805e6c1d06b495525c7faf00c44f85a7ee6476649034969 - languageName: node - linkType: hard - -"@protobufjs/base64@npm:^1.1.2": - version: 1.1.2 - resolution: "@protobufjs/base64@npm:1.1.2" - checksum: 10/c71b100daeb3c9bdccab5cbc29495b906ba0ae22ceedc200e1ba49717d9c4ab15a6256839cebb6f9c6acae4ed7c25c67e0a95e734f612b258261d1a3098fe342 - languageName: node - linkType: hard - -"@protobufjs/codegen@npm:^2.0.4": - version: 2.0.4 - resolution: "@protobufjs/codegen@npm:2.0.4" - checksum: 10/c6ee5fa172a8464f5253174d3c2353ea520c2573ad7b6476983d9b1346f4d8f2b44aa29feb17a949b83c1816bc35286a5ea265ed9d8fdd2865acfa09668c0447 - languageName: node - linkType: hard - -"@protobufjs/eventemitter@npm:^1.1.0": - version: 1.1.0 - resolution: "@protobufjs/eventemitter@npm:1.1.0" - checksum: 10/03af3e99f17ad421283d054c88a06a30a615922a817741b43ca1b13e7c6b37820a37f6eba9980fb5150c54dba6e26cb6f7b64a6f7d8afa83596fafb3afa218c3 - languageName: node - linkType: hard - -"@protobufjs/fetch@npm:^1.1.0": - version: 1.1.0 - resolution: "@protobufjs/fetch@npm:1.1.0" - dependencies: - "@protobufjs/aspromise": "npm:^1.1.1" - "@protobufjs/inquire": "npm:^1.1.0" - checksum: 10/67ae40572ad536e4ef94269199f252c024b66e3059850906bdaee161ca1d75c73d04d35cd56f147a8a5a079f5808e342b99e61942c1dae15604ff0600b09a958 - languageName: node - linkType: hard - -"@protobufjs/float@npm:^1.0.2": - version: 1.0.2 - resolution: "@protobufjs/float@npm:1.0.2" - checksum: 10/634c2c989da0ef2f4f19373d64187e2a79f598c5fb7991afb689d29a2ea17c14b796b29725945fa34b9493c17fb799e08ac0a7ccaae460ee1757d3083ed35187 - languageName: node - linkType: hard - -"@protobufjs/inquire@npm:^1.1.0": - version: 1.1.0 - resolution: "@protobufjs/inquire@npm:1.1.0" - 
checksum: 10/c09efa34a5465cb120775e1a482136f2340a58b4abce7e93d72b8b5a9324a0e879275016ef9fcd73d72a4731639c54f2bb755bb82f916e4a78892d1d840bb3d2 - languageName: node - linkType: hard - -"@protobufjs/path@npm:^1.1.2": - version: 1.1.2 - resolution: "@protobufjs/path@npm:1.1.2" - checksum: 10/bb709567935fd385a86ad1f575aea98131bbd719c743fb9b6edd6b47ede429ff71a801cecbd64fc72deebf4e08b8f1bd8062793178cdaed3713b8d15771f9b83 - languageName: node - linkType: hard - -"@protobufjs/pool@npm:^1.1.0": - version: 1.1.0 - resolution: "@protobufjs/pool@npm:1.1.0" - checksum: 10/b9c7047647f6af28e92aac54f6f7c1f7ff31b201b4bfcc7a415b2861528854fce3ec666d7e7e10fd744da905f7d4aef2205bbcc8944ca0ca7a82e18134d00c46 - languageName: node - linkType: hard - -"@protobufjs/utf8@npm:^1.1.0": - version: 1.1.0 - resolution: "@protobufjs/utf8@npm:1.1.0" - checksum: 10/131e289c57534c1d73a0e55782d6751dd821db1583cb2f7f7e017c9d6747addaebe79f28120b2e0185395d990aad347fb14ffa73ef4096fa38508d61a0e64602 - languageName: node - linkType: hard - "@puppeteer/browsers@npm:2.3.0": version: 2.3.0 resolution: "@puppeteer/browsers@npm:2.3.0" @@ -1593,15 +1520,6 @@ __metadata: languageName: node linkType: hard -"@types/node@npm:>=13.7.0": - version: 25.6.0 - resolution: "@types/node@npm:25.6.0" - dependencies: - undici-types: "npm:~7.19.0" - checksum: 10/99b18690a4be55904cbf8f6a6ac8eed5ec5b8d791fdd8ee2ae598b46c0fa9b83cda7b70dd7f00dbfb18189dcfc67648fdc7fdd3fcced2619a5a6453d9aec107d - languageName: node - linkType: hard - "@types/pg-pool@npm:2.0.6": version: 2.0.6 resolution: "@types/pg-pool@npm:2.0.6" @@ -4564,7 +4482,7 @@ __metadata: languageName: node linkType: hard -"long@npm:^5.0.0": +"long@npm:^5.0.0, long@npm:^5.3.2": version: 5.3.2 resolution: "long@npm:5.3.2" checksum: 10/b6b55ddae56fcce2864d37119d6b02fe28f6dd6d9e44fd22705f86a9254b9321bd69e9ffe35263b4846d54aba197c64882adcb8c543f2383c1e41284b321ea64 
@@ -5403,22 +5321,11 @@ __metadata: linkType: hard "protobufjs@npm:^7.3.0, protobufjs@npm:^7.5.3": - version: 7.5.5 - resolution: "protobufjs@npm:7.5.5" - dependencies: - "@protobufjs/aspromise": "npm:^1.1.2" - "@protobufjs/base64": "npm:^1.1.2" - "@protobufjs/codegen": "npm:^2.0.4" - "@protobufjs/eventemitter": "npm:^1.1.0" - "@protobufjs/fetch": "npm:^1.1.0" - "@protobufjs/float": "npm:^1.0.2" - "@protobufjs/inquire": "npm:^1.1.0" - "@protobufjs/path": "npm:^1.1.2" - "@protobufjs/pool": "npm:^1.1.0" - "@protobufjs/utf8": "npm:^1.1.0" - "@types/node": "npm:>=13.7.0" - long: "npm:^5.0.0" - checksum: 10/048898023a38d22f5fc9a1bcf0dcce5cfbcd37fb00753bd72283720eee7e2cb6055b23957542e5bcdc136379af66203a2ddb8d8c39d11f73169bacf07885fedd + version: 8.6.1 + resolution: "protobufjs@npm:8.6.1" + dependencies: + long: "npm:^5.3.2" + checksum: 10/67ed945a9512e145578ab2ee33ce46fcbc51afe9660003a82be09c5ce6821f8d394902279bd086b2851c2edcf32f08591b3403a4e5ebe18aad549bfb6794e553 languageName: node linkType: hard @@ -6434,13 +6341,6 @@ __metadata: languageName: node linkType: hard -"undici-types@npm:~7.19.0": - version: 7.19.2 - resolution: "undici-types@npm:7.19.2" - checksum: 10/05c34c63444c8caca7137f122b29ed50c1d7d05d1e0b2337f423575d3264054c4a0139e47e82e65723d09b97fcad6d8b0223b3550430a9006cc00e72a1e035bf - languageName: node - linkType: hard - "unpipe@npm:~1.0.0": version: 1.0.0 resolution: "unpipe@npm:1.0.0"