CCD-7561 :: FIX CVE-2026-2950 - bumped lodash to 4.18.1

Dockerfile

@@ -1,4 +1,4 @@
-FROM hmctspublic.azurecr.io/base/node:20-alpine AS base
+FROM hmctsprod.azurecr.io/base/node:20-alpine AS base
 
 ENV PUPPETEER_SKIP_DOWNLOAD=true
 ENV PUPPETEER_SKIP_CHROMIUM_DOWNLOAD=true
@@ -28,7 +28,7 @@ COPY --chown=hmcts:hmcts package.json yarn.lock ./
 
 
 # ---- Runtime Image ----
-FROM hmctspublic.azurecr.io/base/node:20-alpine AS runtime
+FROM hmctsprod.azurecr.io/base/node:20-alpine AS runtime
 COPY --from=build $WORKDIR .
 
 EXPOSE 3460

charts/ccd-case-activity-api/Chart.yaml

@@ -2,14 +2,14 @@ apiVersion: v2
 description: Helm chart for the HMCTS CCD Case Activity
 name: ccd-case-activity-api
 home: https://github.com/hmcts/ccd-case-activity-api
-version: 1.3.17
+version: 1.3.18
 maintainers:
   - name: HMCTS CCD Dev Team
     email: ccd-devops@HMCTS.NET
 dependencies:
   - name: nodejs
     version: 3.2.0
-    repository: 'oci://hmctspublic.azurecr.io/helm'
+    repository: 'oci://hmctsprod.azurecr.io/helm'
   - name: redis
     version: 24.1.8
     repository: "oci://registry-1.docker.io/bitnamicharts"

charts/ccd-case-activity-api/values.yaml

@@ -8,7 +8,7 @@ redis:
     enabled: false
 
 nodejs:
-  image: 'hmctspublic.azurecr.io/ccd/case-activity-api:latest'
+  image: 'hmctsprod.azurecr.io/ccd/case-activity-api:latest'
   applicationPort: 3460
   aadIdentityName: ccd
   ingressHost: ccd-case-activity-api-{{ .Values.global.environment }}.service.core-compute-{{ .Values.global.environment }}.internal

package.json

@@ -50,7 +50,7 @@
     "ioredis": "^3.1.4",
     "joi": "^17.2.1",
     "jwt-decode": "^2.2.0",
-    "lodash": "^4.17.23",
+    "lodash": "4.18.1",
     "moment": "^2.29.4",
     "morgan": "^1.9.1",
     "nocache": "^2.1.0",
@@ -85,7 +85,7 @@
   },
   "resolutions": {
     "async": "^2.6.4",
-    "lodash": "^4.17.21",
+    "lodash": "4.18.1",
     "lodash.pick": "3.1.0",
     "yargs-parser": "^18.1.2",
     "minimist": "^1.2.6",

yarn-audit-known-issues

@@ -1,5 +1,3 @@
-{"value":"lodash","children":{"ID":1115806,"Issue":"lodash vulnerable to Code Injection via `_.template` imports key names","URL":"https://github.com/advisories/GHSA-r5fr-rjxr-66jc","Severity":"high","Vulnerable Versions":">=4.0.0 <=4.17.23","Tree Versions":["4.17.23"],"Dependents":["ccd-case-activity-api@workspace:."]}}
-{"value":"lodash","children":{"ID":1115810,"Issue":"lodash vulnerable to Prototype Pollution via array path bypass in `_.unset` and `_.omit`","URL":"https://github.com/advisories/GHSA-f23m-r3pf-42rh","Severity":"moderate","Vulnerable Versions":"<=4.17.23","Tree Versions":["4.17.23"],"Dependents":["ccd-case-activity-api@workspace:."]}}
 {"value":"lodash.clone","children":{"ID":"lodash.clone (deprecation)","Issue":"This package is deprecated. Use structuredClone instead.","Severity":"moderate","Vulnerable Versions":"4.5.0","Tree Versions":["4.5.0"],"Dependents":["ioredis@npm:3.2.2"]}}
 {"value":"lodash.pick","children":{"ID":"lodash.pick (deprecation)","Issue":"This package is deprecated. Use destructuring assignment syntax instead.","Severity":"moderate","Vulnerable Versions":"3.1.0","Tree Versions":["3.1.0"],"Dependents":["ioredis@npm:3.2.2"]}}
 {"value":"path-to-regexp","children":{"ID":1115573,"Issue":"path-to-regexp vulnerable to Denial of Service via sequential optional groups","URL":"https://github.com/advisories/GHSA-j3q9-mxjg-w52f","Severity":"high","Vulnerable Versions":">=8.0.0 <8.4.0","Tree Versions":["8.2.0"],"Dependents":["router@npm:2.2.0"]}}

yarn.lock

@@ -1518,7 +1518,7 @@ __metadata:
     jasmine-node: "npm:3"
     joi: "npm:^17.2.1"
     jwt-decode: "npm:^2.2.0"
-    lodash: "npm:^4.17.23"
+    lodash: "npm:4.18.1"
     mocha: "npm:7"
     mock-require: "npm:^3.0.3"
     moment: "npm:^2.29.4"
@@ -4394,10 +4394,10 @@ __metadata:
   languageName: node
   linkType: hard
 
-"lodash@npm:^4.17.21":
-  version: 4.17.23
-  resolution: "lodash@npm:4.17.23"
-  checksum: 10/82504c88250f58da7a5a4289f57a4f759c44946c005dd232821c7688b5fcfbf4a6268f6a6cdde4b792c91edd2f3b5398c1d2a0998274432cff76def48735e233
+"lodash@npm:4.18.1":
+  version: 4.18.1
+  resolution: "lodash@npm:4.18.1"
+  checksum: 10/306fea53dfd39dad1f03d45ba654a2405aebd35797b673077f401edb7df2543623dc44b9effbb98f69b32152295fff725a4cec99c684098947430600c6af0c3f
   languageName: node
   linkType: hard